Details
- Bug
- Resolution: Unresolved
- P1: Critical
- None
- 6.9
- None
Description
To reproduce, run tests/manual/quickcontrols/menus and then close it.
09:41:03: Starting /Users/mitch/dev/qt-dev2-debug-non-fw/qtdeclarative/tests/manual/quickcontrols/menus/appmenus.app/Contents/MacOS/appmenus...
QML debugging is enabled. Only use this in a safe environment.
qml: checked of "" changed to true
qml: checked of "" changed to true
qml: checked of "" changed to true
qml: checked of "" changed to true
2024-12-04 09:41:09.801 appmenus[90607:30197970] +[IMKClient subclass]: chose IMKClient_Modern
2024-12-04 09:41:09.802 appmenus[90607:30197970] +[IMKInputSession subclass]: chose IMKInputSession_Modern
qml: triggered "&Quit"
=================================================================
==90607==ERROR: AddressSanitizer: heap-use-after-free on address 0x6040004a9e90 at pc 0x00011abbb688 bp 0x00016af11f10 sp 0x00016af11f08
WRITE of size 4 at 0x6040004a9e90 thread T0
    #0 0x11abbb684 in int std::__1::__cxx_atomic_fetch_add[abi:se180100]<int>(std::__1::__cxx_atomic_base_impl<int>*, int, std::__1::memory_order) cxx_atomic_impl.h:449
    #1 0x11abbb450 in std::__1::__atomic_base<int, true>::fetch_add[abi:se180100](int, std::__1::memory_order) atomic_base.h:156
    #2 0x11abbb410 in bool QAtomicOps<int>::ref<int>(std::__1::atomic<int>&) qatomic_cxx11.h:259
    #3 0x11abbb3c4 in QBasicAtomicInteger<int>::ref() qbasicatomic.h:47
    #4 0x11abbb398 in QArrayData::ref() qarraydata.h:59
    #5 0x11abbc55c in QArrayDataPointer<char16_t>::ref() qarraydatapointer.h:451
    #6 0x11abbc4a8 in QArrayDataPointer<char16_t>::QArrayDataPointer(QArrayDataPointer<char16_t> const&) qarraydatapointer.h:40
    #7 0x11abbc2e0 in QArrayDataPointer<char16_t>::QArrayDataPointer(QArrayDataPointer<char16_t> const&) qarraydatapointer.h:39
    #8 0x11b600928 in QArrayDataPointer<char16_t>::operator=(QArrayDataPointer<char16_t> const&) qarraydatapointer.h:71
    #9 0x11b5f0f68 in QString::operator=(QString const&) qstring.cpp:2832
    #10 0x11ba80938 in AppleUnifiedLogger::messageHandler(QtMsgType, QMessageLogContext const&, QString const&, QString const&) qcore_mac.mm:134
    #11 0x11acb2c40 in AppleUnifiedLogger::messageHandler(QtMsgType, QMessageLogContext const&, QString const&) qcore_mac_p.h:242
    #12 0x11aca7bf8 in qDefaultMessageHandler(QtMsgType, QMessageLogContext const&, QString const&) qlogging.cpp:2042
    #13 0x11aca6b60 in qt_message_print(QtMsgType, QMessageLogContext const&, QString const&) qlogging.cpp:2096
    #14 0x11ac99398 in qt_message(QtMsgType, QMessageLogContext const&, char const*, char*) qlogging.cpp:379
    #15 0x11c3ce460 in QMessageLogger::warning(char const*, ...) const qlogging.cpp:634
    #16 0x11b221508 in QObjectPrivate::~QObjectPrivate() qobject.cpp:199
    #17 0x11b222188 in QObjectPrivate::~QObjectPrivate() qobject.cpp:187
    #18 0x11b2221b4 in QObjectPrivate::~QObjectPrivate() qobject.cpp:187
    #19 0x11b271d94 in QScopedPointerDeleter<QObjectData>::cleanup(QObjectData*) qscopedpointer.h:24
    #20 0x11b271cd0 in QScopedPointer<QObjectData, QScopedPointerDeleter<QObjectData>>::~QScopedPointer() qscopedpointer.h:81
    #21 0x11b229020 in QScopedPointer<QObjectData, QScopedPointerDeleter<QObjectData>>::~QScopedPointer() qscopedpointer.h:79
    #22 0x11b22a2cc in QObject::~QObject() qobject.cpp:1149
    #23 0x109c72b64 in QQuickPixmapCache::~QQuickPixmapCache() qquickpixmapcache.cpp:1229
    #24 0x109c72ad0 in QQuickPixmapCache::~QQuickPixmapCache() qquickpixmapcache.cpp:1227
    #25 0x190e16994 in __cxa_finalize_ranges+0x1d8 (libsystem_c.dylib:arm64e+0x28994)
    #26 0x190e16758 in exit+0x28 (libsystem_c.dylib:arm64e+0x28758)
    #27 0x190f7e948 in dyld4::LibSystemHelpers::exit(int) const+0x10 (libdyld.dylib:arm64e+0x1d948)
    #28 0x190bd82c4 (<unknown module>)

0x6040004a9e90 is located 0 bytes inside of 46-byte region [0x6040004a9e90,0x6040004a9ebe)
freed by thread T0 here:
    #0 0x10718cd40 in free+0x98 (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x54d40)
    #1 0x11abc1534 in QArrayDataPointer<char16_t>::~QArrayDataPointer() qarraydatapointer.h:110
    #2 0x11abb0ac4 in QArrayDataPointer<char16_t>::~QArrayDataPointer() qarraydatapointer.h:107
    #3 0x11abbc1b8 in QString::~QString() qstring.h:1332
    #4 0x11abaddf0 in QString::~QString() qstring.h:1332
    #5 0x190e16994 in __cxa_finalize_ranges+0x1d8 (libsystem_c.dylib:arm64e+0x28994)
    #6 0x190e16758 in exit+0x28 (libsystem_c.dylib:arm64e+0x28758)
    #7 0x190f7e948 in dyld4::LibSystemHelpers::exit(int) const+0x10 (libdyld.dylib:arm64e+0x1d948)
    #8 0x190bd82c4 (<unknown module>)

previously allocated by thread T0 here:
    #0 0x10718cc04 in malloc+0x94 (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x54c04)
    #1 0x11b7b4dcc in allocateData(long long) qarraydata.cpp:139
    #2 0x11b7b37a4 in allocateHelper(long long, long long, long long, QArrayData::AllocationOption) qarraydata.cpp:181
    #3 0x11b7b3ed4 in QArrayData::allocate2(QArrayData**, long long, QArrayData::AllocationOption) qarraydata.cpp:220
    #4 0x11b684f34 in QTypedArrayData<char16_t>::allocate(long long, QArrayData::AllocationOption) qarraydata.h:139
    #5 0x11b5fe3a0 in QArrayDataPointer<char16_t>::QArrayDataPointer(long long, long long, QArrayData::AllocationOption) qarraydatapointer.h:58
    #6 0x11b5ff064 in QString::QString(long long, Qt::Initialization) qstring.cpp:2538
    #7 0x11b5ff320 in QString::QString(long long, Qt::Initialization) qstring.cpp:2534
    #8 0x11ba7eec0 in QString::fromCFString(__CFString const*) qcore_foundation.mm:190
    #9 0x11ba80c54 in AppleUnifiedLogger::messageHandler(QtMsgType, QMessageLogContext const&, QString const&, QString const&)::$_0::operator()() const qcore_mac.mm:130
    #10 0x11ba808f8 in AppleUnifiedLogger::messageHandler(QtMsgType, QMessageLogContext const&, QString const&, QString const&) qcore_mac.mm:127
    #11 0x11acb2c40 in AppleUnifiedLogger::messageHandler(QtMsgType, QMessageLogContext const&, QString const&) qcore_mac_p.h:242
    #12 0x11aca7bf8 in qDefaultMessageHandler(QtMsgType, QMessageLogContext const&, QString const&) qlogging.cpp:2042
    #13 0x11aca6b60 in qt_message_print(QtMsgType, QMessageLogContext const&, QString const&) qlogging.cpp:2096
    #14 0x11ac99398 in qt_message(QtMsgType, QMessageLogContext const&, char const*, char*) qlogging.cpp:379
    #15 0x11ac98ff8 in QMessageLogger::debug(char const*, ...) const qlogging.cpp:396
    #16 0x11775b3e0 in writeToConsole(QV4::FunctionObject const*, QV4::Value const*, int, ConsoleLogTypes, bool) qqmlbuiltinfunctions.cpp:1871
    #17 0x1177574c0 in QV4::ConsoleObject::method_log(QV4::FunctionObject const*, QV4::Value const*, QV4::Value const*, int) qqmlbuiltinfunctions.cpp:1904
    #18 0x1170d1198 in QV4::DynamicFunctionObject::virtualCall(QV4::FunctionObject const*, QV4::Value const*, QV4::Value const*, int) qv4functionobject.cpp:191
    #19 0x116e11cd0 in QV4::FunctionObject::call(QV4::Value const*, QV4::Value const*, int) const qv4functionobject_p.h:187
    #20 0x1173e20bc in QV4::Runtime::CallQmlContextPropertyLookup::call(QV4::ExecutionEngine*, unsigned int, QV4::Value*, int) qv4runtime.cpp:1468
    #21 0x11752c6ec in QV4::Moth::VME::interpret(QV4::JSTypesStackFrame*, QV4::ExecutionEngine*, char const*) qv4vme_moth.cpp:833
    #22 0x1175196f8 in QV4::Moth::VME::exec(QV4::JSTypesStackFrame*, QV4::ExecutionEngine*) qv4vme_moth.cpp:487
    #23 0x1170b1fb8 in QV4::doCall(QV4::Function*, QV4::Value const*, QV4::Value const*, int, QV4::ExecutionContext*) qv4function.cpp:52
    #24 0x1170b03f4 in QV4::Function::call(QV4::Value const*, QV4::Value const*, int, QV4::ExecutionContext*) qv4function.cpp:77
    #25 0x1170c0e80 in QV4::Function::call(QObject*, void**, QMetaType const*, int, QV4::ExecutionContext*)::$_0::operator()(QV4::Value const*, QV4::Value const*, int) const qv4function.cpp:28
    #26 0x1170af664 in bool QV4::convertAndCall<QV4::Function::call(QObject*, void**, QMetaType const*, int, QV4::ExecutionContext*)::$_0>(QV4::ExecutionEngine*, QObject*, void**, QMetaType const*, int, QV4::Function::call(QObject*, void**, QMetaType const*, int, QV4::ExecutionContext*)::$_0) qv4jscall_p.h:199
    #27 0x1170aeea0 in QV4::Function::call(QObject*, void**, QMetaType const*, int, QV4::ExecutionContext*) qv4function.cpp:25
    #28 0x117993418 in QQmlJavaScriptExpression::evaluate(void**, QMetaType const*, int) qqmljavascriptexpression.cpp:270
    #29 0x11773ad68 in QQmlBoundSignalExpression::evaluate(void**) qqmlboundsignal.cpp:196

SUMMARY: AddressSanitizer: heap-use-after-free cxx_atomic_impl.h:449 in int std::__1::__cxx_atomic_fetch_add[abi:se180100]<int>(std::__1::__cxx_atomic_base_impl<int>*, int, std::__1::memory_order)
Shadow bytes around the buggy address:
  0x6040004a9c00: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fa
  0x6040004a9c80: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fa
  0x6040004a9d00: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
  0x6040004a9d80: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
  0x6040004a9e00: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fd
=>0x6040004a9e80: fa fa[fd]fd fd fd fd fd fa fa fd fd fd fd fd fa
  0x6040004a9f00: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
  0x6040004a9f80: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fd
  0x6040004aa000: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fa
  0x6040004aa080: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fd
  0x6040004aa100: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==90607==ABORTING
09:41:33: The process crashed.