Uploaded image for project: 'Qt'
  1. Qt
  2. QTBUG-135286

Qml Property Cache heap-use-after-free

    XMLWordPrintable

Details

    Description

      There is a race condition somewhere in the QQmlPropertyCache that lets our App crash on Android and iOS in ~40% of all App starts. I can trigger this crash when running the application on Linux with ASAN enabled:

       

      ==1249497==ERROR: AddressSanitizer: heap-use-after-free on address 0x506001068b10 at pc 0x7fcd33ee5e26 bp 0x7ffdac676850 sp 0x7ffdac676010
READ of size 33 at 0x506001068b10 thread T0
14:03:04.640 com.example.com.libfoobar: |?libQt6Core.so.6?|QDebug::~QDebug Missing vcard element in stanza
    #0 0x7fcd33ee5e25 in strlen.part.0 (/lib64/libasan.so.8+0x7be25) (BuildId: a4ad7eb954b390cf00f07fa10952988a41d9fc7a)
    #1 0x7fcd309eba08 in qstrlen(char const*) /home/qt/work/install/include/QtCore/qbytearrayalgorithms.h:114
    #2 0x7fcd309eba08 in QByteArray::append(char const*, long long) /home/qt/work/install/include/QtCore/qbytearray.h:295
    #3 0x7fcd309eba08 in QByteArray::append(char const*) /home/qt/work/install/include/QtCore/qbytearray.h:293
    #4 0x7fcd309eba08 in QQmlPropertyCache::toMetaObjectBuilder(QMetaObjectBuilder&) const /home/qt/work/qt/qtdeclarative/src/qml/qml/qqmlpropertycache.cpp:1003
    #5 0x7fcd309ec11c in QQmlPropertyCache::createMetaObject() const /home/qt/work/qt/qtdeclarative/src/qml/qml/qqmlpropertycache.cpp:311
    #6 0x7fcd30a70c9b in QQmlInterceptorMetaObject::toDynamicMetaObject(QObject*) /home/qt/work/qt/qtdeclarative/src/qml/qml/qqmlvmemetaobject.cpp:407
    #7 0x7fcd3094e9c4 in QQmlMetaObject::QQmlMetaObject(QObject const*) /home/qt/work/qt/qtdeclarative/src/qml/qml/qqmlmetaobject_p.h:177
    #8 0x7fcd3094e9c4 in QQmlData::growBits(QObject*, int) /home/qt/work/qt/qtdeclarative/src/qml/qml/qqmlengine.cpp:1440
    #9 0x7fcd3090f421 in QQmlData::setBit(QObject*, int) /home/qt/work/qt/qtdeclarative/src/qml/qml/qqmldata_p.h:298
    #10 0x7fcd3090f421 in QQmlData::setBindingBit(QObject*, int) /home/qt/work/qt/qtdeclarative/src/qml/qml/qqmldata_p.h:385
    #11 0x7fcd3090f421 in QQmlAbstractBinding::addToObject() /home/qt/work/qt/qtdeclarative/src/qml/qml/qqmlabstractbinding.cpp:83
    #12 0x7fcd309b1598 in operator() /home/qt/work/qt/qtdeclarative/src/qml/qml/qqmlobjectcreator.cpp:1059
    #13 0x7fcd309b9c54 in QQmlObjectCreator::setPropertyBinding(QQmlPropertyData const*, QV4::CompiledData::Binding const*) /home/qt/work/qt/qtdeclarative/src/qml/qml/qqmlobjectcreator.cpp:1070
    #14 0x7fcd309bbb4d in QQmlObjectCreator::setupBindings(QFlags<QQmlObjectCreator::BindingMode>) /home/qt/work/qt/qtdeclarative/src/qml/qml/qqmlobjectcreator.cpp:829
    #15 0x7fcd309bda83 in QQmlObjectCreator::populateInstance(int, QObject*, QObject*, QQmlPropertyData const*, QV4::CompiledData::Binding const*) /home/qt/work/qt/qtdeclarative/src/qml/qml/qqmlobjectcreator.cpp:1790
    #16 0x7fcd309b6f4b in QQmlObjectCreator::createInstance(int, QObject*, bool) /home/qt/work/qt/qtdeclarative/src/qml/qml/qqmlobjectcreator.cpp:1458
    #17 0x7fcd309b9868 in QQmlObjectCreator::setPropertyBinding(QQmlPropertyData const*, QV4::CompiledData::Binding const*) /home/qt/work/qt/qtdeclarative/src/qml/qml/qqmlobjectcreator.cpp:892
    #18 0x7fcd309bbb4d in QQmlObjectCreator::setupBindings(QFlags<QQmlObjectCreator::BindingMode>) /home/qt/work/qt/qtdeclarative/src/qml/qml/qqmlobjectcreator.cpp:829
    #19 0x7fcd309bda83 in QQmlObjectCreator::populateInstance(int, QObject*, QObject*, QQmlPropertyData const*, QV4::CompiledData::Binding const*) /home/qt/work/qt/qtdeclarative/src/qml/qml/qqmlobjectcreator.cpp:1790
    #20 0x7fcd309b6f4b in QQmlObjectCreator::createInstance(int, QObject*, bool) /home/qt/work/qt/qtdeclarative/src/qml/qml/qqmlobjectcreator.cpp:1458
    #21 0x7fcd309b9868 in QQmlObjectCreator::setPropertyBinding(QQmlPropertyData const*, QV4::CompiledData::Binding const*) /home/qt/work/qt/qtdeclarative/src/qml/qml/qqmlobjectcreator.cpp:892
    #22 0x7fcd309bbb4d in QQmlObjectCreator::setupBindings(QFlags<QQmlObjectCreator::BindingMode>) /home/qt/work/qt/qtdeclarative/src/qml/qml/qqmlobjectcreator.cpp:829
    #23 0x7fcd309bda83 in QQmlObjectCreator::populateInstance(int, QObject*, QObject*, QQmlPropertyData const*, QV4::CompiledData::Binding const*) /home/qt/work/qt/qtdeclarative/src/qml/qml/qqmlobjectcreator.cpp:1790
    #24 0x7fcd309b6f4b in QQmlObjectCreator::createInstance(int, QObject*, bool) /home/qt/work/qt/qtdeclarative/src/qml/qml/qqmlobjectcreator.cpp:1458
    #25 0x7fcd309b855f in QQmlObjectCreator::create(int, QObject*, QQmlInstantiationInterrupt*, int) /home/qt/work/qt/qtdeclarative/src/qml/qml/qqmlobjectcreator.cpp:205
    #26 0x7fcd309b7263 in QQmlObjectCreator::createInstance(int, QObject*, bool) /home/qt/work/qt/qtdeclarative/src/qml/qml/qqmlobjectcreator.cpp:1350
    #27 0x7fcd309b9868 in QQmlObjectCreator::setPropertyBinding(QQmlPropertyData const*, QV4::CompiledData::Binding const*) /home/qt/work/qt/qtdeclarative/src/qml/qml/qqmlobjectcreator.cpp:892
    #28 0x7fcd309bbb4d in QQmlObjectCreator::setupBindings(QFlags<QQmlObjectCreator::BindingMode>) /home/qt/work/qt/qtdeclarative/src/qml/qml/qqmlobjectcreator.cpp:829
    #29 0x7fcd309bda83 in QQmlObjectCreator::populateInstance(int, QObject*, QObject*, QQmlPropertyData const*, QV4::CompiledData::Binding const*) /home/qt/work/qt/qtdeclarative/src/qml/qml/qqmlobjectcreator.cpp:1790
    #30 0x7fcd309b6f4b in QQmlObjectCreator::createInstance(int, QObject*, bool) /home/qt/work/qt/qtdeclarative/src/qml/qml/qqmlobjectcreator.cpp:1458
    #31 0x7fcd309b9868 in QQmlObjectCreator::setPropertyBinding(QQmlPropertyData const*, QV4::CompiledData::Binding const*) /home/qt/work/qt/qtdeclarative/src/qml/qml/qqmlobjectcreator.cpp:892
    #32 0x7fcd309bbb4d in QQmlObjectCreator::setupBindings(QFlags<QQmlObjectCreator::BindingMode>) /home/qt/work/qt/qtdeclarative/src/qml/qml/qqmlobjectcreator.cpp:829
    #33 0x7fcd309bda83 in QQmlObjectCreator::populateInstance(int, QObject*, QObject*, QQmlPropertyData const*, QV4::CompiledData::Binding const*) /home/qt/work/qt/qtdeclarative/src/qml/qml/qqmlobjectcreator.cpp:1790
    #34 0x7fcd309b6f4b in QQmlObjectCreator::createInstance(int, QObject*, bool) /home/qt/work/qt/qtdeclarative/src/qml/qml/qqmlobjectcreator.cpp:1458
    #35 0x7fcd309b855f in QQmlObjectCreator::create(int, QObject*, QQmlInstantiationInterrupt*, int) /home/qt/work/qt/qtdeclarative/src/qml/qml/qqmlobjectcreator.cpp:205
    #36 0x7fcd3093677b in QQmlComponentPrivate::beginCreate(QQmlRefPointer<QQmlContextData>) /home/qt/work/qt/qtdeclarative/src/qml/qml/qqmlcomponent.cpp:1118
    #37 0x7fcd3093768c in QQmlComponent::beginCreate(QQmlContext*) /home/qt/work/qt/qtdeclarative/src/qml/qml/qqmlcomponent.cpp:1037
    #38 0x7fcd309388e1 in QQmlComponentPrivate::createWithProperties(QObject*, QMap<QString, QVariant> const&, QQmlContext*, QQmlComponentPrivate::CreateBehavior, bool) /home/qt/work/qt/qtdeclarative/src/qml/qml/qqmlcomponent.cpp:960
    #39 0x7fcd30938c1a in QQmlComponent::create(QQmlContext*) /home/qt/work/qt/qtdeclarative/src/qml/qml/qqmlcomponent.cpp:926
    #40 0x7fcd309112f2 in QQmlApplicationEnginePrivate::finishLoad(QQmlComponent*) /home/qt/work/qt/qtdeclarative/src/qml/qml/qqmlapplicationengine.cpp:156
    #41 0x7fcd30911bef in QQmlApplicationEnginePrivate::startLoad(QAnyStringView, QAnyStringView) /home/qt/work/qt/qtdeclarative/src/qml/qml/qqmlapplicationengine.cpp:142
    #42 0x5efb49 in mainAppInitialization /home/ciuser/Projekte/bj/app/src/app/main.cpp:198
    #43 0x5f1b6e in initForegroundApp() /home/ciuser/Projekte/bj/app/src/app/main.cpp:457
    #44 0x5f304a in main /home/ciuser/Projekte/bj/app/src/app/main.cpp:663
    #45 0x7fcd2e838087 in __libc_start_call_main (/lib64/libc.so.6+0x2a087) (BuildId: c8c3fa52aaee3f5d73b6fd862e39e9d4c010b6ba)
    #46 0x7fcd2e83814a in __libc_start_main_impl (/lib64/libc.so.6+0x2a14a) (BuildId: c8c3fa52aaee3f5d73b6fd862e39e9d4c010b6ba)
    #47 0x5a8ef4 in _start (/home/ciuser/Projekte/bj/app/build/Desktop_Qt_6_8_3-Debug/bin/fah+0x5a8ef4) (BuildId: bb31ee982c71305cdd9e4ea05a7a61d03e57fc31)
0x506001068b10 is located 16 bytes inside of 50-byte region [0x506001068b00,0x506001068b32)
freed by thread T25 (QQmlThread) here:
    #0 0x7fcd33f60638 in free.part.0 (/lib64/libasan.so.8+0xf6638) (BuildId: a4ad7eb954b390cf00f07fa10952988a41d9fc7a)
    #1 0x7fcd309911ca in QByteArray::~QByteArray() /home/qt/work/install/include/QtCore/qbytearray.h:602
    #2 0x7fcd309911ca in QQmlMetaTypeInterface::~QQmlMetaTypeInterface() /home/qt/work/qt/qtdeclarative/src/qml/qml/qqmlmetatype_p.h:287
    #3 0x7fcd309911ca in QQmlMetaType::unregisterInternalCompositeType(QMetaType, QMetaType) /home/qt/work/qt/qtdeclarative/src/qml/qml/qqmlmetatype.cpp:767
previously allocated by thread T25 (QQmlThread) here:
    #0 0x7fcd33f61997 in malloc (/lib64/libasan.so.8+0xf7997) (BuildId: a4ad7eb954b390cf00f07fa10952988a41d9fc7a)
    #1 0x7fcd2ecaaa17 in allocateData /home/qt/work/qt/qtbase/src/corelib/tools/qarraydata.cpp:139
    #2 0x7fcd2ecaaa17 in allocateHelper /home/qt/work/qt/qtbase/src/corelib/tools/qarraydata.cpp:181
    #3 0x7fcd2ecaaa17 in allocateHelper /home/qt/work/qt/qtbase/src/corelib/tools/qarraydata.cpp:157
    #4 0x7fcd2ecaaa17 in QArrayData::allocate1(QArrayData**, long long, QArrayData::AllocationOption) /home/qt/work/qt/qtbase/src/corelib/tools/qarraydata.cpp:211
Thread T25 (QQmlThread) created by T0 here:
    #0 0x7fcd33f59871 in pthread_create (/lib64/libasan.so.8+0xef871) (BuildId: a4ad7eb954b390cf00f07fa10952988a41d9fc7a)
    #1 0x7fcd2ed2c09c in QThread::start(QThread::Priority) /home/qt/work/qt/qtbase/src/corelib/thread/qthread_unix.cpp:790
SUMMARY: AddressSanitizer: heap-use-after-free (/lib64/libasan.so.8+0x7be25) (BuildId: a4ad7eb954b390cf00f07fa10952988a41d9fc7a) in strlen.part.0
Shadow bytes around the buggy address:
  0x506001068880: 00 00 04 fa fa fa fa fa fd fd fd fd fd fd fd fa
  0x506001068900: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
  0x506001068980: fd fd fd fd fd fd fd fd fa fa fa fa fd fd fd fd
  0x506001068a00: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fd
  0x506001068a80: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
=>0x506001068b00: fd fd[fd]fd fd fd fd fa fa fa fa fa fd fd fd fd
  0x506001068b80: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x506001068c00: fa fa fa fa 00 00 00 00 00 00 06 fa fa fa fa fa
  0x506001068c80: fd fd fd fd fd fd fd fd fa fa fa fa 00 00 00 00
  0x506001068d00: 00 00 00 00 fa fa fa fa fd fd fd fd fd fd fd fd
  0x506001068d80: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1249497==ABORTING
 

      The following patch fixes the problem for us, but I've no deeper knowledge of how to fix it the right way. Maybe it can help to understand the real problem:

      diff -Naur a/qtdeclarative/src/qml/qml/qqmlpropertycachecreator_p.h b/qtdeclarative/src/qml/qml/qqmlpropertycachecreator_p.h
--- a/qtdeclarative/src/qml/qml/qqmlpropertycachecreator_p.h    2025-01-24 07:04:38.000000000 +0100
+++ b/qtdeclarative/src/qml/qml/qqmlpropertycachecreator_p.h    2025-03-27 09:06:53.839801250 +0100
@@ -669,8 +669,27 @@
             flags.setHasArguments(true);
             parameterNames << stringAt(formal->nameIndex).toUtf8();
             QMetaType type = metaTypeForParameter(formal->type);
-            if (!type.isValid())
+            if (!type.isValid()) {
                 type = QMetaType::fromType<QVariant>();
+            } else {
+              // increase refcount in QmlType of parameter (the one thing that crashes us seems
+              // to be a composite type, so restrict it to those for paranoia)
+              // to ensure the QMetaType entries in there stay alive because the addMethod call
+              // below will copy them
+              // This is the wrong way to fix the problem because there will be a leak
+              // when the cache is destroyed, but it seems to help for now and
+              // destroying caches at runtime seems to be rare.
+              QQmlType qmltype;
+              bool selfReference = false;
+              const QString typeName = stringAt(formal->type.typeNameIndexOrCommonType());
+              if (imports->resolveType(QQmlTypeLoader::get(enginePrivate), typeName, &qmltype, nullptr, nullptr, nullptr,
+                                       QQmlType::AnyRegistrationType, &selfReference)) {
+                if (qmltype.isComposite()) {
+                  QQmlType::refHandle(qmltype.priv());
+                }
+              }
+            }
+
             parameterTypes << type;
         }

      I'm sorry for not being able to provide a small example for that. Whatever I tried, it's not catchable with the debugger enabled, as it is not possible to have it enabled with ASAN at the same time.

      Attachments

        For Gerrit Dashboard: QTBUG-135286
        # Subject Branch Project Status CR V
        635493,8 WIP: Use type references for function signatures dev qt/qtdeclarative Status: NEW -2 0

        Activity

          People

            ulherman Ulf Hermann
            cajus Cajus Pollmeier
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

            Dates

              Created:
              Updated:

              Gerrit Reviews

                There is 1 open Gerrit change