QTBUG-54282

QCoreApplicationPrivate::cleanupThreadData() access deleted object


Details

    • Type: Bug
    • Resolution: Unresolved
    • Priority: P3: Somewhat important
    • Version: 5.5.0
    • Component: Core: Event loop

    Description

      void QCoreApplicationPrivate::cleanupThreadData()
      {
          for (int i = 0; i < threadData->postEventList.size(); ++i) {
              const QPostEvent &pe = threadData->postEventList.at(i);
              if (pe.event) {
                  // pe.receiver may already have been deleted at this point
                  --pe.receiver->d_func()->postedEvents;
                  pe.event->posted = false;
                  delete pe.event;
              }
          }
      }

      At `--pe.receiver->d_func()->postedEvents;`, pe.receiver may be (and probably is, since all QCoreApplication children have already been deleted) deleted. So there should be a check whether the object is still valid.
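      The hazard described above, and the validity check the report asks for, modelled in a small stand-alone example (added here; this is not Qt code, and EventQueue, PostedEvent and Receiver are constructed stand-ins for Qt's postEventList, QPostEvent and QObject): the queue keeps only a weak reference to each receiver, so a receiver destroyed before cleanup runs is skipped rather than dereferenced.

```cpp
// Minimal model of a posted-event list whose cleanup must not touch receivers
// that were destroyed earlier (as QCoreApplication's children are). Names are
// constructed stand-ins, not Qt types.
#include <cstddef>
#include <memory>
#include <vector>

struct Event { bool posted = true; };

struct Receiver {
    int postedEvents = 0;   // mirrors the per-object posted-event counter
};

struct PostedEvent {
    std::weak_ptr<Receiver> receiver;   // weak: does not keep the receiver alive
    std::unique_ptr<Event> event;
};

class EventQueue {
public:
    void post(const std::shared_ptr<Receiver>& r, std::unique_ptr<Event> e) {
        ++r->postedEvents;
        list.push_back({r, std::move(e)});
    }
    // Drains the list. Returns how many receivers were still alive and had
    // their counter decremented; dead receivers are skipped, never dereferenced.
    int cleanupThreadData() {
        int touched = 0;
        for (PostedEvent& pe : list) {
            if (!pe.event) continue;
            if (auto live = pe.receiver.lock()) {   // the validity check
                --live->postedEvents;
                ++touched;
            }
            pe.event->posted = false;
            pe.event.reset();                        // delete the event
        }
        list.clear();
        return touched;
    }
    std::size_t pending() const { return list.size(); }
private:
    std::vector<PostedEvent> list;
};

// Scenario from the report: one receiver is destroyed before cleanup runs.
bool demoCleanupAfterReceiverDeleted() {
    EventQueue q;
    auto a = std::make_shared<Receiver>();
    auto b = std::make_shared<Receiver>();
    q.post(a, std::make_unique<Event>());
    q.post(b, std::make_unique<Event>());
    b.reset();                               // b is gone, its event is not
    int touched = q.cleanupThreadData();     // must not read through b
    return touched == 1 && a->postedEvents == 0 && q.pending() == 0;
}
```

Running the same scenario under AddressSanitizer with a raw `Receiver*` in place of the weak reference reproduces the heap-use-after-free pattern shown in the report below.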

      AddressSanitizer: heap-use-after-free
      =================================================================
      ==6950== ERROR: AddressSanitizer: heap-use-after-free on address 0x60040005c038 at pc 0x7f6b894ce0cb bp 0x7ffdfc79ce90 sp 0x7ffdfc79ce88
      READ of size 8 at 0x60040005c038 thread T0
          #0 0x7f6b894ce0ca in QScopedPointer<QObjectData, QScopedPointerDeleter<QObjectData> >::data() const /home/Qt/5.5.0/Src/qtbase/include/QtCore/../../src/corelib/tools/qscopedpointer.h:135
          #1 0x7f6b89515a8c in qGetPtrHelper<QScopedPointer<QObjectData> > /home/Qt/5.5.0/Src/qtbase/include/QtCore/../../src/corelib/global/qglobal.h:983
          #2 0x7f6b89515add in QObject::d_func() /home/Qt/5.5.0/Src/qtbase/include/QtCore/../../src/corelib/kernel/qobject.h:110
          #3 0x7f6b898d86da in QCoreApplicationPrivate::cleanupThreadData() /home/Qt/5.5.0/Src/qtbase/src/corelib/kernel/qcoreapplication.cpp:495
          #4 0x7f6b8ac14f8f in QGuiApplicationPrivate::~QGuiApplicationPrivate() /home/Qt/5.5.0/Src/qtbase/src/gui/kernel/qguiapplication.cpp:1370
          #5 0x7f6b7c94d0fa in QApplicationPrivate::~QApplicationPrivate() /home/Qt/5.5.0/Src/qtbase/src/widgets/kernel/qapplication.cpp:188
          #6 0x7f6b7c94d129 in QApplicationPrivate::~QApplicationPrivate() /home/Qt/5.5.0/Src/qtbase/src/widgets/kernel/qapplication.cpp:192
          #7 0x7f6b89959500 in QScopedPointerDeleter<QObjectData>::cleanup(QObjectData*) /home/Qt/5.5.0/Src/qtbase/include/QtCore/../../src/corelib/tools/qscopedpointer.h:54 (discriminator 1)
          #8 0x7f6b899563cf in QScopedPointer<QObjectData, QScopedPointerDeleter<QObjectData> >::~QScopedPointer() /home/Qt/5.5.0/Src/qtbase/include/QtCore/../../src/corelib/tools/qscopedpointer.h:101
          #9 0x7f6b89943fd1 in QObject::~QObject() /home/Qt/5.5.0/Src/qtbase/src/corelib/kernel/qobject.cpp:883
          #10 0x7f6b898d9cc8 in QCoreApplication::~QCoreApplication() /home/Qt/5.5.0/Src/qtbase/src/corelib/kernel/qcoreapplication.cpp:807
          #11 0x7f6b8ac0fa7c in QGuiApplication::~QGuiApplication() /home/Qt/5.5.0/Src/qtbase/src/gui/kernel/qguiapplication.cpp:577
          #12 0x7f6b7c950feb in QApplication::~QApplication() /home/Qt/5.5.0/Src/qtbase/src/widgets/kernel/qapplication.cpp:817
          #13 0x7f6b7c95103f in QApplication::~QApplication() /home/Qt/5.5.0/Src/qtbase/src/widgets/kernel/qapplication.cpp:887
          #14 0x7f6b8e65f874 in std::_Sp_counted_ptr<QApplication*, (__gnu_cxx::_Lock_policy)2>::_M_dispose() /usr/include/c++/4.8/bits/shared_ptr_base.h:290 (discriminator 1)
          #15 0x170669a in std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_release() /usr/include/c++/4.8/bits/shared_ptr_base.h:144
          #16 0x16ec955 in std::__shared_count<(__gnu_cxx::_Lock_policy)2>::~__shared_count() /usr/include/c++/4.8/bits/shared_ptr_base.h:546
          #17 0x16df88d in std::__shared_ptr<QApplication, (__gnu_cxx::_Lock_policy)2>::~__shared_ptr() /usr/include/c++/4.8/bits/shared_ptr_base.h:781
          #18 0x16df8a7 in std::shared_ptr<QApplication>::~shared_ptr() /usr/include/c++/4.8/bits/shared_ptr.h:93
          #19 0x16960a0 in Application::~Application() /home/code/Application.h:148
          #20 0x168bc5f in main /home/code/main.cpp:24
          #21 0x7f6b81338f44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287
          #22 0x168ba68 in _start ??:?
      0x60040005c038 is located 8 bytes inside of 16-byte region [0x60040005c030,0x60040005c040)
      freed by thread T0 here:
          #0 0x7f6b91ba99da in operator delete(void*) ??:?
          #1 0x7f6b8e67394d in Receiver::~Receiver() /home/code/Receiver.cpp:45
          #2 0x7f6b89946826 in QObjectPrivate::deleteChildren() /home/Qt/5.5.0/Src/qtbase/src/corelib/kernel/qobject.cpp:1951 (discriminator 1)
          #3 0x7f6b89943f0b in QObject::~QObject() /home/Qt/5.5.0/Src/qtbase/src/corelib/kernel/qobject.cpp:1031
          #4 0x7f6b898d9cc8 in QCoreApplication::~QCoreApplication() /home/Qt/5.5.0/Src/qtbase/src/corelib/kernel/qcoreapplication.cpp:807
          #5 0x7f6b8ac0fa7c in QGuiApplication::~QGuiApplication() /home/Qt/5.5.0/Src/qtbase/src/gui/kernel/qguiapplication.cpp:577
          #6 0x7f6b7c950feb in QApplication::~QApplication() /home/Qt/5.5.0/Src/qtbase/src/widgets/kernel/qapplication.cpp:817
          #7 0x7f6b7c95103f in QApplication::~QApplication() /home/Qt/5.5.0/Src/qtbase/src/widgets/kernel/qapplication.cpp:887
          #8 0x7f6b8e65f874 in std::_Sp_counted_ptr<QApplication*, (__gnu_cxx::_Lock_policy)2>::_M_dispose() /usr/include/c++/4.8/bits/shared_ptr_base.h:290 (discriminator 1)
          #9 0x170669a in std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_release() /usr/include/c++/4.8/bits/shared_ptr_base.h:144
          #10 0x16ec955 in std::__shared_count<(__gnu_cxx::_Lock_policy)2>::~__shared_count() /usr/include/c++/4.8/bits/shared_ptr_base.h:546
          #11 0x16df88d in std::__shared_ptr<QApplication, (__gnu_cxx::_Lock_policy)2>::~__shared_ptr() /usr/include/c++/4.8/bits/shared_ptr_base.h:781
          #12 0x16df8a7 in std::shared_ptr<QApplication>::~shared_ptr() /usr/include/c++/4.8/bits/shared_ptr.h:93
          #13 0x16960a0 in Application::~Application() /home/code/Application.h:148
          #14 0x168bc5f in main /home/code/main.cpp:24
          #15 0x7f6b81338f44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287
      previously allocated by thread T0 here:
          #0 0x7f6b91ba981a in operator new(unsigned long) ??:?
          #1 0x1691530 in Application::Application(int&, char**) /home/code/Application.cpp:173
          #2 0x168bc3a in main /home/code/main.cpp:23
          #3 0x7f6b81338f44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287
      Shadow bytes around the buggy address:
        0x0c01000037b0: fa fa fd fd fa fa fd fd fa fa fd fa fa fa fd fd
        0x0c01000037c0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
        0x0c01000037d0: fa fa fd fd fa fa fd fa fa fa fd fd fa fa fd fd
        0x0c01000037e0: fa fa fd fd fa fa fd fa fa fa fd fd fa fa fd fd
        0x0c01000037f0: fa fa fd fa fa fa fd fd fa fa fd fd fa fa fd fd
      =>0x0c0100003800: fa fa 01 fa fa fa fd[fd]fa fa 00 00 fa fa fd fd
        0x0c0100003810: fa fa fd fd fa fa 00 00 fa fa fd fd fa fa fd fd
        0x0c0100003820: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
        0x0c0100003830: fa fa fd fd fa fa fd fa fa fa fd fa fa fa fd fd
        0x0c0100003840: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
        0x0c0100003850: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fa
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07
        Heap left redzone:     fa
        Heap righ redzone:     fb
        Freed Heap region:     fd
        Stack left redzone:    f1
        Stack mid redzone:     f2
        Stack right redzone:   f3
        Stack partial redzone: f4
        Stack after return:    f5
        Stack use after scope: f8
        Global redzone:        f9
        Global init order:     f6
        Poisoned by user:      f7
        ASan internal:         fe
      ==6950== ABORTING
      

      People: Thiago Macieira (thiago), Mikołaj (travnick)
      Votes: 0
      Watchers: 3
      Gerrit Reviews: There are no open Gerrit changes