QTBUG-56296: [macOS] Crash in QOpenGLFramebufferObject


    Details

    • Type: Bug
    • Status: Closed
    • Priority: P2: Important
    • Resolution: Done
    • Affects Version/s: 5.8.0 Beta
    • Fix Version/s: 5.6.3, 5.7.2
    • Component/s: WebEngine
    • Labels:
      None
    • Environment:
      macOS 10.11
    • Platform/s:
      macOS
    • Commits:
      cd1d11414021288729cd85a32a7a1160756aeeab, 342f18c71f51227a062bd204037541ecae150846

      Description

      Steps to reproduce
      0) Have a Mac
      1) Open quicknanobrowser
      2) Go to http://webglsamples.org/
      3) Click on the third sample ("Caves example") and wait for it to load
      4) Click the back arrow in the application and observe the crash.

      
      =================================================================
      ==85470==ERROR: AddressSanitizer: heap-use-after-free on address 0x60200040cdf8 at pc 0x0001360f4e0a bp 0x70000052ba00 sp 0x70000052b9f8
      READ of size 8 at 0x60200040cdf8 thread T28
          #0 0x1360f4e09 in QScopedPointer<QOpenGLFramebufferObjectPrivate, QScopedPointerDeleter<QOpenGLFramebufferObjectPrivate> >::data() const qscopedpointer.h:140
          #1 0x1360f02b4 in QScopedPointer<QOpenGLFramebufferObjectPrivate, QScopedPointerDeleter<QOpenGLFramebufferObjectPrivate> >::pointer qGetPtrHelper<QScopedPointer<QOpenGLFramebufferObjectPrivate, QScopedPointerDeleter<QOpenGLFramebufferObjectPrivate> > >(QScopedPointer<QOpenGLFramebufferObjectPrivate, QScopedPointerDeleter<QOpenGLFramebufferObjectPrivate> > const&) qglobal.h:984
          #2 0x1360f31d8 in QOpenGLFramebufferObject::d_func() const qopenglframebufferobject.h:60
          #3 0x1360ed902 in QOpenGLFramebufferObject::format() const qopenglframebufferobject.cpp:1264
          #4 0x1328801d5 in QSG24BitTextMaskShader::useSRGB() const qsgdefaultglyphnode_p.cpp:243
          #5 0x1328802d0 in QSG24BitTextMaskShader::activate() qsgdefaultglyphnode_p.cpp:253
          #6 0x13279f4c5 in QSGBatchRenderer::Renderer::setActiveShader(QSGMaterialShader*, QSGBatchRenderer::ShaderManager::Shader*) qsgbatchrenderer.cpp:2229
          #7 0x1327a0a90 in QSGBatchRenderer::Renderer::renderMergedBatch(QSGBatchRenderer::Batch const*) qsgbatchrenderer.cpp:2299
          #8 0x1327a5847 in QSGBatchRenderer::Renderer::renderBatches() qsgbatchrenderer.cpp:2550
          #9 0x1327aac61 in QSGBatchRenderer::Renderer::render() qsgbatchrenderer.cpp:2744
          #10 0x132773e89 in QSGRenderer::renderScene(QSGBindable const&) qsgrenderer.cpp:240
          #11 0x132773709 in QSGRenderer::renderScene(unsigned int) qsgrenderer.cpp:194
          #12 0x1328bbe3b in QSGDefaultRenderContext::renderNextFrame(QSGRenderer*, unsigned int) qsgdefaultrendercontext.cpp:181
          #13 0x132a26b43 in QQuickWindowPrivate::renderSceneGraph(QSize const&) qquickwindow.cpp:465
          #14 0x1328ec4e0 in QSGRenderThread::syncAndRender() qsgthreadedrenderloop.cpp:630
          #15 0x1328edd01 in QSGRenderThread::run() qsgthreadedrenderloop.cpp:711
          #16 0x138cf46e1 in QThreadPrivate::start(void*) qthread_unix.cpp:368
          #17 0x7fff9c69399c in _pthread_body (libsystem_pthread.dylib+0x399c)
          #18 0x7fff9c693919 in _pthread_start (libsystem_pthread.dylib+0x3919)
          #19 0x7fff9c691350 in thread_start (libsystem_pthread.dylib+0x1350)
      
      0x60200040cdf8 is located 8 bytes inside of 16-byte region [0x60200040cdf0,0x60200040ce00)
      freed by thread T28 here:
          #0 0x13a25887b in wrap__ZdlPv (libclang_rt.asan_osx_dynamic.dylib+0x5487b)
          #1 0x1360ec4a1 in QOpenGLFramebufferObject::~QOpenGLFramebufferObject() qopenglframebufferobject.cpp:936
          #2 0x1328dec3a in QSGDefaultLayer::invalidated() qsgdefaultlayer.cpp:124
          #3 0x1328dea02 in QSGDefaultLayer::~QSGDefaultLayer() qsgdefaultlayer.cpp:117
          #4 0x1328dea44 in QSGDefaultLayer::~QSGDefaultLayer() qsgdefaultlayer.cpp:116
          #5 0x1328dea68 in QSGDefaultLayer::~QSGDefaultLayer() qsgdefaultlayer.cpp:116
          #6 0x101c181bb in QtSharedPointer::CustomDeleter<QSGLayer, QtSharedPointer::NormalDeleter>::execute() qsharedpointer_impl.h:195
          #7 0x101c18080 in QtSharedPointer::ExternalRefCountWithCustomDeleter<QSGLayer, QtSharedPointer::NormalDeleter>::deleter(QtSharedPointer::ExternalRefCountData*) qsharedpointer_impl.h:213
          #8 0x101b4785e in QtSharedPointer::ExternalRefCountData::destroy() qsharedpointer_impl.h:157
          #9 0x101c1278c in QSharedPointer<QSGLayer>::deref(QtSharedPointer::ExternalRefCountData*) qsharedpointer_impl.h:458
          #10 0x101c12749 in QSharedPointer<QSGLayer>::deref() qsharedpointer_impl.h:453
          #11 0x101c126f4 in QSharedPointer<QSGLayer>::~QSharedPointer() qsharedpointer_impl.h:312
          #12 0x101c08d04 in QSharedPointer<QSGLayer>::~QSharedPointer() qsharedpointer_impl.h:312
          #13 0x101c0fcf8 in QPair<cc::RenderPassId, QSharedPointer<QSGLayer> >::~QPair() qpair.h:49
          #14 0x101c09714 in QPair<cc::RenderPassId, QSharedPointer<QSGLayer> >::~QPair() qpair.h:49
          #15 0x101c0d988 in QVector<QPair<cc::RenderPassId, QSharedPointer<QSGLayer> > >::destruct(QPair<cc::RenderPassId, QSharedPointer<QSGLayer> >*, QPair<cc::RenderPassId, QSharedPointer<QSGLayer> >*) qvector.h:351
          #16 0x101c0d93b in QVector<QPair<cc::RenderPassId, QSharedPointer<QSGLayer> > >::freeData(QTypedArrayData<QPair<cc::RenderPassId, QSharedPointer<QSGLayer> > >*) qvector.h:527
          #17 0x101c0d8e6 in QVector<QPair<cc::RenderPassId, QSharedPointer<QSGLayer> > >::~QVector() qvector.h:75
          #18 0x101c0d3d4 in QVector<QPair<cc::RenderPassId, QSharedPointer<QSGLayer> > >::~QVector() qvector.h:75
          #19 0x101c0d36b in QtWebEngineCore::DelegatedFrameNode::SGObjects::~SGObjects() delegated_frame_node.h:98
          #20 0x101c07264 in QtWebEngineCore::DelegatedFrameNode::SGObjects::~SGObjects() delegated_frame_node.h:98
          #21 0x101c04afc in QtWebEngineCore::DelegatedFrameNode::commit(QtWebEngineCore::ChromiumCompositorData*, std::__1::vector<cc::ReturnedResource, std::__1::allocator<cc::ReturnedResource> >*, QtWebEngineCore::RenderWidgetHostViewQtDelegate*) delegated_frame_node.cpp:702
          #22 0x101cd83bf in QtWebEngineCore::RenderWidgetHostViewQt::updatePaintNode(QSGNode*) render_widget_host_view_qt.cpp:737
          #23 0x1019e70c3 in QtWebEngineCore::RenderWidgetHostViewQtDelegateQuick::updatePaintNode(QSGNode*, QQuickItem::UpdatePaintNodeData*) render_widget_host_view_qt_delegate_quick.cpp:373
          #24 0x132a4aadb in QQuickWindowPrivate::updateDirtyNode(QQuickItem*) qquickwindow.cpp:3094
          #25 0x132a260aa in QQuickWindowPrivate::updateDirtyNodes() qquickwindow.cpp:2839
          #26 0x132a2533b in QQuickWindowPrivate::syncSceneGraph() qquickwindow.cpp:420
          #27 0x1328eb0fa in QSGRenderThread::sync(bool) qsgthreadedrenderloop.cpp:549
          #28 0x1328ebcdf in QSGRenderThread::syncAndRender() qsgthreadedrenderloop.cpp:595
          #29 0x1328edd01 in QSGRenderThread::run() qsgthreadedrenderloop.cpp:711
      
      previously allocated by thread T28 here:
          #0 0x13a2582bb in wrap__Znwm (libclang_rt.asan_osx_dynamic.dylib+0x542bb)
          #1 0x1328e1a0c in QSGDefaultLayer::grab() qsgdefaultlayer.cpp:353
          #2 0x1328dfaa6 in QSGDefaultLayer::updateTexture() qsgdefaultlayer.cpp:179
          #3 0x101bff299 in QtWebEngineCore::DelegatedFrameNode::preprocess() delegated_frame_node.cpp:472
          #4 0x132775295 in QSGRenderer::preprocess() qsgrenderer.cpp:300
          #5 0x132773b0b in QSGRenderer::renderScene(QSGBindable const&) qsgrenderer.cpp:218
          #6 0x132773709 in QSGRenderer::renderScene(unsigned int) qsgrenderer.cpp:194
          #7 0x1328bbe3b in QSGDefaultRenderContext::renderNextFrame(QSGRenderer*, unsigned int) qsgdefaultrendercontext.cpp:181
          #8 0x132a26b43 in QQuickWindowPrivate::renderSceneGraph(QSize const&) qquickwindow.cpp:465
          #9 0x1328ec4e0 in QSGRenderThread::syncAndRender() qsgthreadedrenderloop.cpp:630
          #10 0x1328edd01 in QSGRenderThread::run() qsgthreadedrenderloop.cpp:711
          #11 0x138cf46e1 in QThreadPrivate::start(void*) qthread_unix.cpp:368
          #12 0x7fff9c69399c in _pthread_body (libsystem_pthread.dylib+0x399c)
          #13 0x7fff9c693919 in _pthread_start (libsystem_pthread.dylib+0x3919)
          #14 0x7fff9c691350 in thread_start (libsystem_pthread.dylib+0x1350)
      
      Thread T28 created by T0 here:
          #0 0x13a242f99 in wrap_pthread_create (libclang_rt.asan_osx_dynamic.dylib+0x3ef99)
          #1 0x138cf7060 in QThread::start(QThread::Priority) qthread_unix.cpp:645
          #2 0x1328f3657 in QSGThreadedRenderLoop::handleExposure(QQuickWindow*) qsgthreadedrenderloop.cpp:972
          #3 0x1328f14cc in QSGThreadedRenderLoop::exposureChanged(QQuickWindow*) qsgthreadedrenderloop.cpp:891
          #4 0x132a22ff7 in QQuickWindow::exposeEvent(QExposeEvent*) qquickwindow.cpp:215
          #5 0x13555ed6c in QWindow::event(QEvent*) qwindow.cpp:2107
          #6 0x132a3726b in QQuickWindow::event(QEvent*) qquickwindow.cpp:1575
          #7 0x133a215d9 in QApplicationPrivate::notify_helper(QObject*, QEvent*) qapplication.cpp:3741
          #8 0x133a2644b in QApplication::notify(QObject*, QEvent*) qapplication.cpp:3101
          #9 0x13944695b in QCoreApplication::notifyInternal2(QObject*, QEvent*) qcoreapplication.cpp:988
          #10 0x135532c6c in QCoreApplication::sendSpontaneousEvent(QObject*, QEvent*) qcoreapplication.h:234
          #11 0x135521a19 in QGuiApplicationPrivate::processExposeEvent(QWindowSystemInterfacePrivate::ExposeEvent*) qguiapplication.cpp:2821
          #12 0x135512e0e in QGuiApplicationPrivate::processWindowSystemEvent(QWindowSystemInterfacePrivate::WindowSystemEvent*) qguiapplication.cpp:1769
          #13 0x13549d862 in QWindowSystemInterface::sendWindowSystemEvents(QFlags<QEventLoop::ProcessEventsFlag>) qwindowsysteminterface.cpp:662
          #14 0x135493aac in QWindowSystemInterface::flushWindowSystemEvents(QFlags<QEventLoop::ProcessEventsFlag>) qwindowsysteminterface.cpp:640
          #15 0x1401f101c in QCocoaWindow::setVisible(bool) qcocoawindow.mm:696
          #16 0x13554fa0b in QWindow::setVisible(bool) qwindow.cpp:552
          #17 0x132dbe602 in QQuickWindowQmlImpl::setVisible(bool) qquickwindowmodule.cpp:82
          #18 0x132dbfb0e in QQuickWindowQmlImpl::setWindowVisibility() qquickwindowmodule.cpp:167
          #19 0x132dbed99 in QQuickWindowQmlImpl::componentComplete() qquickwindowmodule.cpp:124
          #20 0x137a1063f in QQmlObjectCreator::finalize(QQmlInstantiationInterrupt&) qqmlobjectcreator.cpp:1222
          #21 0x13780153a in QQmlComponentPrivate::complete(QQmlEnginePrivate*, QQmlComponentPrivate::ConstructionState*) qqmlcomponent.cpp:911
          #22 0x1377fd33e in QQmlComponentPrivate::completeCreate() qqmlcomponent.cpp:947
          #23 0x137803977 in QQmlComponent::createObject(QQmlV4Function*) qqmlcomponent.cpp:1274
          #24 0x137b63c64 in QQmlComponent::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) moc_qqmlcomponent.cpp:147
          #25 0x137b64814 in QQmlComponent::qt_metacall(QMetaObject::Call, int, void**) moc_qqmlcomponent.cpp:212
          #26 0x139460c80 in QMetaObject::metacall(QObject*, QMetaObject::Call, int, void**) qmetaobject.cpp:301
          #27 0x13792baa1 in QQmlObjectOrGadget::metacall(QMetaObject::Call, int, void**) const qqmlpropertycache.cpp:1701
          #28 0x1376d7bc9 in QV4::QObjectMethod::callInternal(QV4::CallData*, QV4::Scope&) const qv4qobjectwrapper.cpp:1820
          #29 0x1376d6d5c in QV4::QObjectMethod::call(QV4::Managed const*, QV4::Scope&, QV4::CallData*) qv4qobjectwrapper.cpp:1755
          #30 0x1371ec521 in QV4::Object::call(QV4::Scope&, QV4::CallData*) const qv4object_p.h:333
          #31 0x137756918 in QV4::Runtime::method_callProperty(QV4::ExecutionEngine*, int, QV4::CallData*) qv4runtime.cpp:1034
          #32 0x145c8023a  (<unknown module>)
          #33 0x13753056d in QV4::SimpleScriptFunction::call(QV4::Managed const*, QV4::Scope&, QV4::CallData*) qv4functionobject.cpp:587
          #34 0x1371ec521 in QV4::Object::call(QV4::Scope&, QV4::CallData*) const qv4object_p.h:333
          #35 0x137754c7c in QV4::Runtime::method_callActivationProperty(QV4::ExecutionEngine*, int, QV4::CallData*) qv4runtime.cpp:982
          #36 0x145c805fb  (<unknown module>)
          #37 0x13753056d in QV4::SimpleScriptFunction::call(QV4::Managed const*, QV4::Scope&, QV4::CallData*) qv4functionobject.cpp:587
          #38 0x1371ec521 in QV4::Object::call(QV4::Scope&, QV4::CallData*) const qv4object_p.h:333
          #39 0x137789097 in QQmlVMEMetaObject::metaCall(QObject*, QMetaObject::Call, int, void**) qqmlvmemetaobject.cpp:950
          #40 0x139460be0 in QMetaObject::metacall(QObject*, QMetaObject::Call, int, void**) qmetaobject.cpp:299
          #41 0x13946d8fe in QMetaMethod::invoke(QObject*, Qt::ConnectionType, QGenericReturnArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument) const qmetaobject.cpp:2225
          #42 0x13946c01e in QMetaObject::invokeMethod(QObject*, char const*, Qt::ConnectionType, QGenericReturnArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument) qmetaobject.cpp:1488
          #43 0x101958696 in QMetaObject::invokeMethod(QObject*, char const*, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument) qobjectdefs.h:487
          #44 0x10195722e in main main.cpp:91
      GVA info: Successfully connected to the Intel plugin, offline Gen9 
          #45 0x7fffa1dae5ac in start (libdyld.dylib+0x35ac)
          #46 0x0  (<unknown module>)
      
      SUMMARY: AddressSanitizer: heap-use-after-free qscopedpointer.h:140 in QScopedPointer<QOpenGLFramebufferObjectPrivate, QScopedPointerDeleter<QOpenGLFramebufferObjectPrivate> >::data() const
      Shadow bytes around the buggy address:
        0x1c0400081960: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
        0x1c0400081970: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
        0x1c0400081980: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
        0x1c0400081990: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
        0x1c04000819a0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
      =>0x1c04000819b0: fa fa fd fd fa fa fd fd fa fa fd fa fa fa fd[fd]
        0x1c04000819c0: fa fa fd fd fa fa 00 00 fa fa fd fd fa fa fd fd
        0x1c04000819d0: fa fa fd fd fa fa fd fa fa fa fd fa fa fa fd fd
        0x1c04000819e0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
        0x1c04000819f0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
        0x1c0400081a00: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Heap right redzone:      fb
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack partial redzone:   f4
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
      ==85470==ABORTING
      The program has unexpectedly finished.
      


              People

              Assignee:
              alexandru.croitor Alexandru Croitor
              Reporter:
              alexandru.croitor Alexandru Croitor
              Votes:
              0
              Watchers:
              2
