QTBUG-137557

QtLocation: Using GeocodeModel with OSM plugin in QML causes app crash when canceling update


Details

    • Bug
    • Resolution: Unresolved
    • P1: Critical
    • None
    • 6.9.1
    • Location
    • None
    • ArchLinux, latest, using the KDE desktop environment.
    • Linux/Wayland
    • Linux/Wayland, Linux/X11, Linux/Yocto, Linux/Other display system

    Description

      Calling cancel(), update() or reset() while a GeocodeModel object using the OSM plugin is loading (.state = GeocodeModel.Loading) causes the app to crash.

      I discovered this working on KDE's Merkuro Calendar - I don't have a minimal example to share yet, but I will attach a patch I'm working on that works around the issue. This specific crash is triggered by editing the location at the right moment for the timer to execute while the previous query request is still loading.

      It's possible this issue lies deeper than QtLocation, as the crash itself comes from QtCore, though I am not well-versed enough in Qt technologies to figure this out :/

      Here's the backtrace of a crash with ASAN turned on:

      AddressSanitizer:DEADLYSIGNAL
      =================================================================
      ==1035185==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x7fab877c247e bp 0x7fffd38bb650 sp 0x7fffd38bb600 T0)
      ==1035185==The signal is caused by a READ memory access.
      ==1035185==Hint: address points to the zero page.
      qt.network.http2.connection: [0x7d1b62616100] Connection error: HEADERS on invalid stream (1)
      #0 0x7fab877c247e in QObject::deleteLater() (/usr/lib/libQt6Core.so.6+0x1c247e) (BuildId: 87fda2aacc2207cf15c167c45b3dab4a5675c67b)
      #1 0x7bab3d7353e3 in QDeclarativeGeocodeModel::abortRequest() (/usr/lib/qt6/qml/QtLocation/../../../libQt6Location.so.6+0x1113e3) (BuildId: dc2e19efff0bbce654d2ffc0c77f3fb270739980)
      #2 0x7bab3d736331 in QDeclarativeGeocodeModel::cancel() (/usr/lib/qt6/qml/QtLocation/../../../libQt6Location.so.6+0x112331) (BuildId: dc2e19efff0bbce654d2ffc0c77f3fb270739980)
      #3 0x7bab3d695326 in QDeclarativeGeocodeModel::qt_metacall(QMetaObject::Call, int, void**) (/usr/lib/qt6/qml/QtLocation/../../../libQt6Location.so.6+0x71326) (BuildId: dc2e19efff0bbce654d2ffc0c77f3fb270739980)
      #4 0x7fab88355362 (/usr/lib/libQt6Qml.so.6+0x355362) (BuildId: a5549eb52e5783d0660e8d352d8b9de4dfd0e44c)
      #5 0x7fab8820a7f6 in QV4::QObjectMethod::callPrecise(QQmlObjectOrGadget const&, QQmlPropertyData const&, QV4::ExecutionEngine*, QV4::CallData*, QMetaObject::Call) (/usr/lib/libQt6Qml.so.6+0x20a7f6) (BuildId: a5549eb52e5783d0660e8d352d8b9de4dfd0e44c)
      #6 0x7fab8820e384 in QV4::QObjectMethod::callInternal(QV4::Value const*, QV4::Value const*, int) const (/usr/lib/libQt6Qml.so.6+0x20e384) (BuildId: a5549eb52e5783d0660e8d352d8b9de4dfd0e44c)
      #7 0x7fab8822ca1c in QV4::Runtime::CallPropertyLookup::call(QV4::ExecutionEngine*, QV4::Value const&, unsigned int, QV4::Value*, int) (/usr/lib/libQt6Qml.so.6+0x22ca1c) (BuildId: a5549eb52e5783d0660e8d352d8b9de4dfd0e44c)
      #8 0x7bab5fdd2df2 (/memfd:JITCode:QtQml (deleted)+0xdf2)

      ==1035185==Register values:
      rax = 0x00007fffd38bb600 rbx = 0x0000000000000000 rcx = 0x00007fab6269b800 rdx = 0x0000000000000001
      rdi = 0x0000000000000000 rsi = 0x00007fab6269b6d0 rbp = 0x00007fffd38bb650 rsp = 0x00007fffd38bb600
      r8 = 0x00007fab8bc5b000 r9 = 0x00007fab8bc5b000 r10 = 0x0000000000000008 r11 = 0x00007fffd38bb357
      r12 = 0x00007c7b617e0450 r13 = 0x00007fffd38bba30 r14 = 0x00007d1b617ef580 r15 = 0x000000000000005d
      AddressSanitizer can not provide additional info.
      SUMMARY: AddressSanitizer: SEGV (/usr/lib/libQt6Core.so.6+0x1c247e) (BuildId: 87fda2aacc2207cf15c167c45b3dab4a5675c67b) in QObject::deleteLater()
      ==1035185==ABORTING

      Here's the GDB stacktrace:

      Thread 1 "merkuro-calenda" received signal SIGSEGV, Segmentation fault.
      QObject::deleteLater (this=0x0) at /usr/src/debug/qt6-base/qtbase/src/corelib/kernel/qobject.cpp:2465
      2465        Q_D(QObject);
      (gdb) bt
      #0  QObject::deleteLater (this=0x0) at /usr/src/debug/qt6-base/qtbase/src/corelib/kernel/qobject.cpp:2465
      #1  0x00007bffa8f353e4 in QDeclarativeGeocodeModel::abortRequest (this=this@entry=0x7d3fcd6a4a40) at /usr/src/debug/qt6-location/qtlocation/src/location/declarativemaps/qdeclarativegeocodemodel.cpp:181
      #2  0x00007bffa8f36332 in QDeclarativeGeocodeModel::cancel (this=0x7d3fcd6a4a40) at /usr/src/debug/qt6-location/qtlocation/src/location/declarativemaps/qdeclarativegeocodemodel.cpp:592
      #3  0x00007bffa8e95327 in QDeclarativeGeocodeModel::qt_metacall (this=0x7d3fcd6a4a40, _c=<optimized out>, _id=17, _a=0x7fffffffae90)
         at /usr/src/debug/qt6-location/build/src/location/Location_autogen/7TAJWXWKQV/moc_qdeclarativegeocodemodel_p.cpp:330
      #4  0x00007ffff3b55363 in QQmlObjectOrGadget::metacall (this=<optimized out>, type=<optimized out>, index=<optimized out>, argv=<optimized out>)
         at /usr/src/debug/qt6-declarative/qtdeclarative/src/qml/qml/qqmlobjectorgadget.cpp:14
      #5  0x00007ffff3a0a7f7 in QV4::CallMethod (object=..., index=93, returnType=..., argCount=0, argTypes=0x0, engine=0x7d6fccfef580, callArgs=<optimized out>, callType=QMetaObject::InvokeMetaMethod)
         at /usr/src/debug/qt6-declarative/qtdeclarative/src/qml/jsruntime/qv4qobjectwrapper.cpp:1722
      #6  QV4::QObjectMethod::callPrecise (object=..., data=..., engine=<optimized out>, engine@entry=0x7d6fccfef580, callArgs=<optimized out>,  
         callArgs@entry=0x7bffaa751590, callType=callType@entry=QMetaObject::InvokeMetaMethod) at /usr/src/debug/qt6-declarative/qtdeclarative/src/qml/jsruntime/qv4qobjectwrapper.cpp:2082
      #7  0x00007ffff3a0e385 in operator() (__closure=<optimized out>) at /usr/src/debug/qt6-declarative/qtdeclarative/src/qml/jsruntime/qv4qobjectwrapper.cpp:3078
      #8  operator()<QV4::QObjectMethod::callInternal(const QV4::Value*, const QV4::Value*, int) const::<lambda()> > (__closure=<synthetic pointer>, call=<optimized out>)
         at /usr/src/debug/qt6-declarative/qtdeclarative/src/qml/jsruntime/qv4qobjectwrapper.cpp:3055
      #9  QV4::QObjectMethod::callInternal (this=0x7fffffffb270, thisObject=<optimized out>, argv=0x7bffaa751508, argc=0)
         at /usr/src/debug/qt6-declarative/qtdeclarative/src/qml/jsruntime/qv4qobjectwrapper.cpp:3078
      #10 0x00007ffff3a690fe in QV4::Moth::VME::interpret (frame=0x0, frame@entry=0x7fffffffb650, engine=0x7d6fccfef580, code=0x7bffaa751540 "")
         at /usr/src/debug/qt6-declarative/qtdeclarative/src/qml/jsruntime/qv4vme_moth.cpp:798
      #11 0x00007ffff3a6cc14 in QV4::Moth::VME::exec (frame=<optimized out>, engine=<optimized out>) at /usr/src/debug/qt6-declarative/qtdeclarative/src/qml/jsruntime/qv4vme_moth.cpp:487
      #12 0x00007ffff39b4c70 in QV4::doCall (self=<optimized out>, thisObject=<optimized out>, argv=<optimized out>, argc=argc@entry=0, context=<optimized out>)
         at /usr/src/debug/qt6-declarative/qtdeclarative/src/qml/jsruntime/qv4function.cpp:52
      #13 0x00007ffff39bbce9 in QV4::Function::call (this=this@entry=0x7cafcdb20990, thisObject=<optimized out>, argv=argv@entry=0x7bffaa751500, argc=argc@entry=0, context=context@entry=0x7bff9be1a060)
         at /usr/src/debug/qt6-declarative/qtdeclarative/src/qml/jsruntime/qv4function.cpp:77
      #14 0x00007ffff39bbfd9 in operator() (__closure=<synthetic pointer>, thisObject=<optimized out>, argv=0x7bffaa751500, argc=0)
         at /usr/src/debug/qt6-declarative/qtdeclarative/src/qml/jsruntime/qv4function.cpp:28
      #15 QV4::convertAndCall<QV4::Function::call(QObject*, void*, const QMetaType, int, QV4::ExecutionContext*)::<lambda(const QV4::Value*, const QV4::Value*, int)> >
         (engine=<optimized out>, thisObject=0x7d0fce303f00, a=0x7fffffffb910, types=0x7fffffffb900, argc=0, call=...) at /usr/src/debug/qt6-declarative/qtdeclarative/src/qml/jsruntime/qv4jscall_p.h:199
      #16 QV4::Function::call (this=0x7cafcdb20990, thisObject=0x7d0fce303f00, a=0x7fffffffb910, types=0x7fffffffb900, argc=0, context=0x7bff9be1a060)
         at /usr/src/debug/qt6-declarative/qtdeclarative/src/qml/jsruntime/qv4function.cpp:25
      #17 0x00007ffff3b11400 in QQmlJavaScriptExpression::evaluate (this=<optimized out>, a=<optimized out>, types=<optimized out>, argc=<optimized out>)
         at /usr/src/debug/qt6-declarative/qtdeclarative/src/qml/qml/qqmljavascriptexpression.cpp:270
      #18 0x00007ffff3aa9e2b in QQmlBoundSignalExpression::evaluate (this=<optimized out>, a=a@entry=0x0) at /usr/src/debug/qt6-declarative/qtdeclarative/src/qml/qml/qqmlboundsignal.cpp:200
      #19 0x00007ffff3aaf0fd in QQmlBoundSignal_callback (e=0x7c5fcdfc1b60, a=0x0) at /usr/src/debug/qt6-declarative/qtdeclarative/src/qml/qml/ftw/qqmlrefcount_p.h:73
      #20 QQmlBoundSignal_callback (e=0x7c5fcdfc1b60, a=0x0) at /usr/src/debug/qt6-declarative/qtdeclarative/src/qml/qml/qqmlboundsignal.cpp:294
      #21 0x00007ffff3b3b460 in QQmlNotifier::emitNotify (endpoint=<optimized out>, a=0x0) at /usr/src/debug/qt6-declarative/qtdeclarative/src/qml/qml/qqmlnotifier.cpp:70
      #22 0x00007ffff2fd3462 in doActivate<false> (sender=0x7d0fce303f00, signal_index=33, argv=0x0) at /usr/src/debug/qt6-base/qtbase/src/corelib/kernel/qobject.cpp:4036
      #23 0x00007ffff4c54c9e in QQuickTextInput::textChanged (this=0x7d0fce303f00) at /usr/src/debug/qt6-declarative/build/src/quick/Quick_autogen/include/moc_qquicktextinput_p.cpp:922
      #24 QQuickTextInputPrivate::finishChange (this=this@entry=0x7d8fcd33b180, validateFromState=<optimized out>, update=update@entry=false, edited=edited@entry=true)
         at /usr/src/debug/qt6-declarative/qtdeclarative/src/quick/items/qquicktextinput.cpp:3793
      #25 0x00007ffff4c55ec7 in QQuickTextInputPrivate::insert (this=this@entry=0x7d8fcd33b180, newText=...) at /usr/src/debug/qt6-declarative/qtdeclarative/src/quick/items/qquicktextinput.cpp:3411
      #26 0x00007ffff4c58d5c in QQuickTextInputPrivate::processKeyEvent (this=0x7d8fcd33b180, event=0x7fffffffd870) at /usr/src/debug/qt6-declarative/qtdeclarative/src/quick/items/qquicktextinput.cpp:4766
      #27 0x00007ffff4bad0b6 in QQuickItemPrivate::deliverKeyEvent (this=0x7d8fcd33b180, e=0x7fffffffd870) at /usr/src/debug/qt6-declarative/qtdeclarative/src/quick/items/qquickitem.cpp:5701
      #28 0x00007ffff4bb6460 in QQuickItem::event (this=0x7d0fce303f00, ev=0x7fffffffd870) at /usr/src/debug/qt6-declarative/qtdeclarative/src/quick/items/qquickitem.cpp:9165
      #29 0x00007ffff6301c70 in QApplicationPrivate::notify_helper (this=<optimized out>, receiver=0x7d0fce303f00, e=0x7fffffffd870) at /usr/src/debug/qt6-base/qtbase/src/widgets/kernel/qapplication.cpp:3303
      #30 0x00007ffff2f68118 in QCoreApplication::notifyInternal2 (receiver=0x7d0fce303f00, event=0x7fffffffd870) at /usr/src/debug/qt6-base/qtbase/src/corelib/kernel/qcoreapplication.cpp:1106
      #31 0x00007ffff2f6815d in QCoreApplication::sendEvent (receiver=<optimized out>, event=<optimized out>) at /usr/src/debug/qt6-base/qtbase/src/corelib/kernel/qcoreapplication.cpp:1546
      #32 0x00007ffff4d9e8c0 in QQuickDeliveryAgentPrivate::deliverKeyEvent (this=<optimized out>, e=0x7fffffffd870) at /usr/src/debug/qt6-declarative/qtdeclarative/src/quick/util/qquickdeliveryagent.cpp:974
      #33 0x00007ffff420d875 in QWindow::event (this=<optimized out>, ev=<optimized out>) at /usr/src/debug/qt6-base/qtbase/src/gui/kernel/qwindow.cpp:2742
      #34 0x00007ffff6301c70 in QApplicationPrivate::notify_helper (this=<optimized out>, receiver=0x7d0fce2093c0, e=0x7fffffffd870) at /usr/src/debug/qt6-base/qtbase/src/widgets/kernel/qapplication.cpp:3303
      #35 0x00007ffff2f68118 in QCoreApplication::notifyInternal2 (receiver=0x7d0fce2093c0, event=0x7fffffffd870) at /usr/src/debug/qt6-base/qtbase/src/corelib/kernel/qcoreapplication.cpp:1106
      #36 0x00007ffff2f6816d in QCoreApplication::sendSpontaneousEvent (receiver=<optimized out>, event=<optimized out>) at /usr/src/debug/qt6-base/qtbase/src/corelib/kernel/qcoreapplication.cpp:1560
      #37 0x00007ffff419cee0 in QGuiApplicationPrivate::processKeyEvent (e=0x7cbfcd470c00) at /usr/src/debug/qt6-base/qtbase/src/gui/kernel/qguiapplication.cpp:2615
      #38 0x00007ffff42248f4 in QWindowSystemInterface::sendWindowSystemEvents (flags=...) at /usr/src/debug/qt6-base/qtbase/src/gui/kernel/qwindowsysteminterface.cpp:1113
      #39 0x00007ffff4213b27 in QWindowSystemInterface::flushWindowSystemEvents (flags=...) at /usr/src/debug/qt6-base/qtbase/src/gui/kernel/qwindowsysteminterface.cpp:1082
      #40 0x00007ffff2fc0e34 in QObject::event (this=<optimized out>, e=<optimized out>) at /usr/src/debug/qt6-base/qtbase/src/corelib/kernel/qobject.cpp:1431
      #41 0x00007ffff6301c70 in QApplicationPrivate::notify_helper (this=<optimized out>, receiver=0x7d5fccfe0080, e=0x7cbfcd5b52c0) at /usr/src/debug/qt6-base/qtbase/src/widgets/kernel/qapplication.cpp:3303
      #42 0x00007ffff2f68118 in QCoreApplication::notifyInternal2 (receiver=0x7d5fccfe0080, event=event@entry=0x7cbfcd5b52c0) at /usr/src/debug/qt6-base/qtbase/src/corelib/kernel/qcoreapplication.cpp:1106
      #43 0x00007ffff2f684fb in QCoreApplication::sendEvent (receiver=<optimized out>, event=0x7cbfcd5b52c0) at /usr/src/debug/qt6-base/qtbase/src/corelib/kernel/qcoreapplication.cpp:1546
      #44 QCoreApplicationPrivate::sendPostedEvents (receiver=0x0, event_type=0, data=0x7ccfccfe0450) at /usr/src/debug/qt6-base/qtbase/src/corelib/kernel/qcoreapplication.cpp:1879
      #45 0x00007ffff323fcf8 in QCoreApplication::sendPostedEvents (receiver=0x0, event_type=0) at /usr/src/debug/qt6-base/qtbase/src/corelib/kernel/qcoreapplication.cpp:1733
      #46 postEventSourceDispatch (s=0x7cafcd02d0f0) at /usr/src/debug/qt6-base/qtbase/src/corelib/kernel/qeventdispatcher_glib.cpp:246
      #47 0x00007fffef90887d in g_main_dispatch (context=0x7d0fccfea2c0) at ../glib/glib/gmain.c:3398
      #48 0x00007fffef909cd7 in g_main_context_dispatch_unlocked (context=0x7d0fccfea2c0) at ../glib/glib/gmain.c:4249
      #49 g_main_context_iterate_unlocked (context=context@entry=0x7d0fccfea2c0, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at ../glib/glib/gmain.c:4314
      #50 0x00007fffef909ee5 in g_main_context_iteration (context=0x7d0fccfea2c0, may_block=1) at ../glib/glib/gmain.c:4379
      #51 0x00007ffff323c5e2 in QEventDispatcherGlib::processEvents (this=0x7c2fcd022040, flags=...) at /usr/src/debug/qt6-base/qtbase/src/corelib/kernel/qeventdispatcher_glib.cpp:399
      #52 0x00007ffff2f744b6 in QEventLoop::processEvents (this=0x7fffffffde40, flags=...) at /usr/src/debug/qt6-base/qtbase/src/corelib/kernel/qeventloop.cpp:104
      #53 QEventLoop::exec (this=0x7fffffffde40, flags=...) at /usr/src/debug/qt6-base/qtbase/src/corelib/kernel/qeventloop.cpp:186
      #54 0x00007ffff2f6c7c1 in QCoreApplication::exec () at /usr/src/debug/qt6-base/qtbase/src/corelib/kernel/qcoreapplication.cpp:1449
      #55 0x000055555559fcaa in main (argc=1, argv=0x7fffffffe278) at /home/yukijoou/Documents/Code/KDE/src/merkuro/src/calendar/main.cpp:144
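      Both traces end in QObject::deleteLater() invoked with this=0x0 from QDeclarativeGeocodeModel::abortRequest(), i.e. the model still reports Loading while the reply pointer it is about to abort is already null. The following stand-alone C++ model is an added illustration, not Qt's or Merkuro's code; the Reply and GeocodeLike types and their member names are hypothetical and there is no Qt dependency. It reproduces that state/ownership split and shows the pointer guard that keeps cancel(), update() and reset() safe when they race with a reply that has already gone away:

```cpp
#include <cassert>
#include <iostream>
#include <memory>
#include <string>
#include <utility>

// Added example, not Qt code: a stripped-down model of the ownership/state
// relationship in a geocode-model-like object. All names are hypothetical.
enum class State { Null, Ready, Loading, Error };

// Stand-in for a pending network reply (a QGeoCodeReply in the real model).
struct Reply {
    std::string query;
    bool aborted = false;
    explicit Reply(std::string q) : query(std::move(q)) {}
    void abort() { aborted = true; }
};

class GeocodeLike {
public:
    State state() const { return state_; }
    bool hasReply() const { return reply_ != nullptr; }
    int abortedRequests() const { return aborted_; }

    // update(): start a new query, aborting any in-flight one first.
    void update(const std::string& query) {
        abortRequest();
        reply_ = std::make_unique<Reply>(query);
        state_ = State::Loading;
    }
    // cancel()/reset(): abort whatever is in flight, then settle the state.
    void cancel() { abortRequest(); state_ = State::Ready; }
    void reset()  { abortRequest(); state_ = State::Null; }

    // Simulates the reply finishing. With updateState == false the reply is
    // released but the model keeps reporting Loading: the same split the
    // backtrace shows (deleteLater() on a null pointer while state == Loading).
    void finishReply(bool updateState) {
        if (!reply_) return;
        reply_.reset();
        if (updateState) state_ = State::Ready;
    }

private:
    // The guard: the state value alone is not proof that a reply exists, so
    // test the pointer before touching it. Without this check a cancel() in
    // the window above dereferences null, as in the ASAN report.
    void abortRequest() {
        if (!reply_) return;
        reply_->abort();
        reply_.reset();
        ++aborted_;
    }

    std::unique_ptr<Reply> reply_;
    State state_ = State::Null;
    int aborted_ = 0;
};

// Scenario from the report: a timer-driven update() lands while a previous
// request is still "loading". Returns true when every step stays consistent.
bool runRaceScenario() {
    GeocodeLike model;
    model.update("Berlin");
    model.finishReply(/*updateState=*/false);   // reply gone, state still Loading
    if (model.state() != State::Loading || model.hasReply()) return false;
    model.cancel();                             // must not crash
    model.update("Paris");                      // restarts cleanly
    model.reset();                              // aborts the live reply
    return model.state() == State::Null && !model.hasReply()
        && model.abortedRequests() == 1;
}

int main() {
    bool ok = runRaceScenario();
    std::cout << (ok ? "race scenario handled\n" : "FAILED\n");
    return ok ? 0 : 1;
}
```

      The point of the model is that Loading is derived state and the reply pointer is the owner; any path that releases the reply without updating the state (or vice versa) opens the window the reporter hit, and the pointer check in abortRequest() is what closes it regardless of which side lags.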

      People

        matthias_rauter Matthias Rauter
        yukijoou Yuki Joou

      Gerrit Reviews

        There is 1 open Gerrit change