Details
-
Bug
-
Resolution: Done
-
P1: Critical
-
5.0.0 RC 1
-
None
-
Linux, Clang trunk/3.3, -sanitize-address
https://codereview.qt-project.org/#change,41476
-
ed15e4eb07104dd780fe8d72b2792916ce4db098
Description
AddressSanitizer reports a heap-use-after-free in the
tests/auto/widgets/graphicsview/qgraphicsitem autotest (hit in tst_QGraphicsItem::focusProxyDeletion(), per the trace below):
================================================================= ==30327== ERROR: AddressSanitizer: heap-use-after-free on address 0x7fcd70845d48 at pc 0x7fcd7c5a0a0c bp 0x7fff46327fd0 sp 0x7fff46327fc8 WRITE of size 8 at 0x7fcd70845d48 thread T0 #0 0x7fcd7c5a0a0b in QGraphicsItemPrivate::resetFocusProxy() qgraphicsitem.cpp:5561 #1 0x7fcd7c71d1ef in QGraphicsScenePrivate::removeItemHelper(QGraphicsItem*) qgraphicsscene.cpp:616 #2 0x7fcd7c59f8f1 in ~QGraphicsItem qgraphicsitem.cpp:1458 #3 0x7fcd7c5fa20e in ~QGraphicsRectItem qgraphicsitem.cpp:8412 #4 0x60a52f in tst_QGraphicsItem::focusProxyDeletion() tst_qgraphicsitem.cpp:8496 #5 0x6c6c2a in tst_QGraphicsItem::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) tst_qgraphicsitem.moc:964 #6 0x7fcd772629ba in QMetaMethod::invoke(QObject*, Qt::ConnectionType, QGenericReturnArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument) const qmetaobject.cpp:2146 #7 0x7fcd77260533 in QMetaObject::invokeMethod(QObject*, char const*, Qt::ConnectionType, QGenericReturnArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument) qmetaobject.cpp:1462 #8 0x7fcd7a69f3e6 in QMetaObject::invokeMethod(QObject*, char const*, Qt::ConnectionType, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument) qobjectdefs.h:396 #9 0x7fcd7a678ccc in QTest::qInvokeTestMethodDataEntry(char*) qtestcase.cpp:1651 #10 0x7fcd7a677187 in QTest::qInvokeTestMethod(char const*, char const*) qtestcase.cpp:1769 #11 0x7fcd7a668392 in QTest::qInvokeTestMethods(QObject*) qtestcase.cpp:1923 #12 0x7fcd7a66652c in QTest::qExec(QObject*, int, char**) qtestcase.cpp:2136 #13 
0x6c2b96 in main tst_qgraphicsitem.cpp:11341 #14 0x7fcd74f9c76c in ?? ??:0 0x7fcd70845d48 is located 264 bytes inside of 416-byte region [0x7fcd70845c40,0x7fcd70845de0) freed by thread T0 here: #0 0x7d193a in operator delete(void*) _asan_rtl_ #1 0x7fcd7c699d6b in QGraphicsRectItemPrivate::~QGraphicsRectItemPrivate() qgraphicsitem.cpp:8360 #2 0x7fcd7c6898ab in QScopedPointerDeleter<QGraphicsItemPrivate>::cleanup(QGraphicsItemPrivate*) qscopedpointer.h:63 #3 0x7fcd7c6896d6 in ~QScopedPointer qscopedpointer.h:99 #4 0x7fcd7c63bb95 in ~QScopedPointer qscopedpointer.h:97 #5 0x7fcd7c5a0028 in ~QGraphicsItem qgraphicsitem.cpp:1478 #6 0x7fcd7c5fa20e in ~QGraphicsRectItem qgraphicsitem.cpp:8412 #7 0x60a238 in tst_QGraphicsItem::focusProxyDeletion() tst_qgraphicsitem.cpp:8489 #8 0x6c6c2a in tst_QGraphicsItem::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) tst_qgraphicsitem.moc:964 #9 0x7fcd772629ba in QMetaMethod::invoke(QObject*, Qt::ConnectionType, QGenericReturnArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument) const qmetaobject.cpp:2146 #10 0x7fcd77260533 in QMetaObject::invokeMethod(QObject*, char const*, Qt::ConnectionType, QGenericReturnArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument) qmetaobject.cpp:1462 #11 0x7fcd7a69f3e6 in QMetaObject::invokeMethod(QObject*, char const*, Qt::ConnectionType, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument) qobjectdefs.h:396 #12 0x7fcd7a678ccc in QTest::qInvokeTestMethodDataEntry(char*) qtestcase.cpp:1651 previously allocated by thread T0 here: #0 0x7d17ba in operator new(unsigned long) _asan_rtl_ #1 0x7fcd7c5fa04b 
in QGraphicsRectItem qgraphicsitem.cpp:8405 #2 0x609bc7 in tst_QGraphicsItem::focusProxyDeletion() tst_qgraphicsitem.cpp:8479 #3 0x6c6c2a in tst_QGraphicsItem::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) tst_qgraphicsitem.moc:964 #4 0x7fcd772629ba in QMetaMethod::invoke(QObject*, Qt::ConnectionType, QGenericReturnArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument) const qmetaobject.cpp:2146 #5 0x7fcd77260533 in QMetaObject::invokeMethod(QObject*, char const*, Qt::ConnectionType, QGenericReturnArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument) qmetaobject.cpp:1462 #6 0x7fcd7a69f3e6 in QMetaObject::invokeMethod(QObject*, char const*, Qt::ConnectionType, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument) qobjectdefs.h:396 Shadow byte and word: 0x1ff9ae108ba9: fd 0x1ff9ae108ba8: fd fd fd fd fd fd fd fd More shadow bytes: 0x1ff9ae108b88: fd fd fd fd fd fd fd fd 0x1ff9ae108b90: fd fd fd fd fd fd fd fd 0x1ff9ae108b98: fd fd fd fd fd fd fd fd 0x1ff9ae108ba0: fd fd fd fd fd fd fd fd =>0x1ff9ae108ba8: fd fd fd fd fd fd fd fd 0x1ff9ae108bb0: fd fd fd fd fd fd fd fd 0x1ff9ae108bb8: fd fd fd fd fd fd fd fd 0x1ff9ae108bc0: fa fa fa fa fa fa fa fa 0x1ff9ae108bc8: fd fd fd fd fd fd fd fd Stats: 5M malloced (8M for red zones) by 51128 calls Stats: 0M realloced by 11025 calls Stats: 3M freed by 36213 calls Stats: 0M really freed by 0 calls Stats: 17M (4365 full pages) mmaped in 34 calls mmaps by size class: 7:45045; 8:6141; 9:2046; 10:1022; 11:765; 12:384; 13:128; 14:160; 15:32; 16:8; mallocs by size class: 7:42571; 8:5532; 9:909; 10:861; 11:732; 12:279; 13:78; 
14:141; 15:19; 16:6; frees by size class: 7:32510; 8:1913; 9:641; 10:565; 11:383; 12:62; 13:29; 14:104; 15:1; 16:5; rfrees by size class: Stats: malloc large: 25 small slow: 435 ==30327== ABORTING
The QGraphicsRectItemPrivate has already been deleted by the time it is used in QGraphicsItemPrivate::resetFocusProxy(); the list consulted there is out of date and still refers to the freed object. Per the trace, the private is freed while destroying one item (tst_qgraphicsitem.cpp:8489, via ~QGraphicsItem at qgraphicsitem.cpp:1478), and the stale entry is then written to while destroying a second item (tst_qgraphicsitem.cpp:8496, via removeItemHelper() -> resetFocusProxy()).