Details
-
Bug
-
Resolution: Done
-
P2: Important
-
4.8.2
-
None
-
365f262d0efd17f7a7f187ae701d5052f0cb960e (4.8), 41064f851591d9437baeda502b6e2504fee8f213 (5.0)
Description
Under load (for example an AF_PACKET socket with ETH_P_ALL) on ARM the QHttpThreadDelegate seems to have a race condition which can lead to segmentation faults. In QHttpThreadDelegate::headerChangedSlot() and QHttpNetworkReply::readAnyAvailable() httpRequest is dereferenced without check. In the race condition this pointer can be null if QHttpThreadDelegate::abortRequest() has been called before.
Backtrace:
[bt] MyApp(_Z13bt_sighandleriP7siginfoPv+0xac)(bt_sighandler(int, siginfo*, void*)+0xac) [0xaa1bc] [bt] /lib/libc.so.6(__default_rt_sa_restorer_v2+0) [0x404d2e70] [bt] MyApp()(QHttpNetworkReply::supportsUserProvidedDownloadBuffer()+0x0) [0x106c954] [bt] MyApp()(QHttpThreadDelegate::headerChangedSlot()+0x40) [0xffa7dc] [bt] MyApp()(QHttpThreadDelegate::qt_static_metacall(QObject*, QMetaObject::Call, int, void**)+0x124) [0x1053134] [bt] MyApp()(QMetaObject::activate(QObject*, QMetaObject const*, int, void**)+0x2c0) [0x11a449c] [bt] MyApp()(QHttpNetworkConnectionChannel::_q_receiveReply()+0x664) [0x107ad9c] [bt] MyApp()(QMetaCallEvent::placeMetaCall(QObject*)+0x28) [0x119fb64] [bt] MyApp()(QObject::event(QEvent*)+0x3a4) [0x11a81a0] [bt] MyApp()(QApplicationPrivate::notify_helper(QObject*, QEvent*)+0x98) [0x9d5de8] [bt] MyApp()(QApplication::notify(QObject*, QEvent*)+0x3e8) [0x9daf4c] [bt] MyApp()(QCoreApplication::notifyInternal(QObject*, QEvent*)+0x78) [0x118c5dc] [bt] MyApp()(QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*)+0x4e4) [0x11909ec] [bt] MyApp()(QEventDispatcherUNIX::processEvents(QFlags<QEventLoop::ProcessEventsFlag>)+0x30) [0x11bb068] [bt] MyApp()(QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>)+0x40) [0x118b170] [bt] MyApp()(QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>)+0x118) [0x118b3dc] [bt] MyApp()(QThread::exec()+0x154) [0x10a0d08] [bt] MyApp()(QThreadPrivate::start(void*)+0xec) [0x10a3f2c] [bt] /lib/libpthread.so.0(+0x7038) [0x40167038] [bt] /lib/libc.so.6(clone+0x88) [0x4057d7a8]
Debug output with QHTTPTHREADDELEGATE_DEBUG enabled and missing null pointer checks added:
QHttpThreadDelegate::startRequest() thread= 0x43356460 QHttpThreadDelegate::headerChangedSlot() thread= 0x43356460 QHttpThreadDelegate::finishedSlot() thread= 0x43356460 result= 200 QHttpThreadDelegate::startRequest() thread= 0x43356460 QHttpThreadDelegate::startRequest() thread= 0x43356460 QHttpThreadDelegate::abortRequest() thread= 0x43356460 sync= false QHttpThreadDelegate::headerChangedSlot() thread= 0x43356460 QHttpThreadDelegate::headerChangedSlot() thread= 0x43356460 QHttpThreadDelegate::finishedSlot() thread= 0x43356460 result= 200 QHttpThreadDelegate::finishedSlot() thread= 0x43356460 result= 404 QHttpThreadDelegate::abortRequest() thread= 0x43356460 sync= false QHttpThreadDelegate::startRequest() thread= 0x43356460 QHttpThreadDelegate::startRequest() thread= 0x43356460 QHttpThreadDelegate::startRequest() thread= 0x43356460 QHttpThreadDelegate::startRequest() thread= 0x43356460 QHttpThreadDelegate::abortRequest() thread= 0x43356460 sync= false QHttpThreadDelegate::headerChangedSlot: HTTP reply had already been deleted, internal problem. Please report. QHttpThreadDelegate::readyReadSlot: HTTP reply had already been deleted, internal problem. Please report. QHttpThreadDelegate::headerChangedSlot() thread= 0x43356460 QHttpThreadDelegate::headerChangedSlot() thread= 0x43356460 QHttpThreadDelegate::headerChangedSlot() thread= 0x43356460 QHttpThreadDelegate::headerChangedSlot() thread= 0x43356460 QHttpThreadDelegate::finishedSlot() thread= 0x43356460 result= 200 QHttpThreadDelegate::finishedSlot() thread= 0x43356460 result= 200 QHttpThreadDelegate::finishedSlot() thread= 0x43356460 result= 200 QHttpThreadDelegate::finishedSlot() thread= 0x43356460 result= 200 QHttpThreadDelegate::abortRequest() thread= 0x43356460 sync= false QHttpThreadDelegate::startRequest() thread= 0x43356460 QHttpThreadDelegate::abortRequest() thread= 0x43356460 sync= false QHttpThreadDelegate::abortRequest() thread= 0x43356460 sync= false QHttpThreadDelegate::abortRequest() thread= 0x43356460 sync= false QHttpThreadDelegate::headerChangedSlot() thread= 0x43356460 QHttpThreadDelegate::finishedSlot() thread= 0x43356460 result= 200 QHttpThreadDelegate::startRequest() thread= 0x43356460 QHttpThreadDelegate::startRequest() thread= 0x44b56460 QHttpThreadDelegate::startRequest() thread= 0x44b56460 QHttpThreadDelegate::headerChangedSlot() thread= 0x44b56460 QHttpThreadDelegate::headerChangedSlot() thread= 0x44b56460 QHttpThreadDelegate::finishedSlot() thread= 0x44b56460 result= 200 QHttpThreadDelegate::finishedSlot() thread= 0x44b56460 result= 200 QHttpThreadDelegate::abortRequest() thread= 0x44b56460 sync= false QHttpThreadDelegate::abortRequest() thread= 0x44b56460 sync= false QHttpThreadDelegate::headerChangedSlot() thread= 0x43356460 QHttpThreadDelegate::finishedSlot() thread= 0x43356460 result= 301 QHttpThreadDelegate::startRequest() thread= 0x43356460 QHttpThreadDelegate::headerChangedSlot() thread= 0x43356460 QHttpThreadDelegate::finishedSlot() thread= 0x43356460 result= 200 QHttpThreadDelegate::startRequest() thread= 0x44b56460 QHttpThreadDelegate::headerChangedSlot() thread= 0x44b56460 QHttpThreadDelegate::finishedSlot() thread= 0x44b56460 result= 200
Attachments
| For Gerrit Dashboard: QTBUG-26245 | ||||||
|---|---|---|---|---|---|---|
| # | Subject | Branch | Project | Status | CR | V |
| 29645,1 | Fix race condition in QHttpThreadDelegate::headerChangedSlot() | master | qt/qtbase | Status: ABANDONED | 0 | 0 |
| 29730,1 | Add null httpReply checks to QHttpThreadDelegate | master | qt/qtbase | Status: MERGED | +2 | 0 |
| 30017,1 | Add null httpReply checks to QHttpThreadDelegate | 4.8 | qt/qt | Status: MERGED | +2 | 0 |