QTBUG-60786

use-after-free when quitting the controls gallery


    Details

    • Type: Bug
    • Status: Closed
    • Priority: P0: Blocker
    • Resolution: Done
    • Affects Version/s: 5.9
    • Fix Version/s: 5.9.0 RC
    • Component/s: Quick: Controls 1
    • Labels:
      None
    • Environment:
      macOS Sierra
    • Commits:
      9954187adba4d26a1b1aa93874993f15d6d8a0b9(5.9.0), 7da9fa289068ed742307c6b921442365130e0818(5.9)

      Description

      When quitting the controls gallery, I get:

      =================================================================
      ==20648==ERROR: AddressSanitizer: heap-use-after-free on address 0x611000322b38 at pc 0x00011719c7de bp 0x7fff5695b550 sp 0x7fff5695b548
      READ of size 8 at 0x611000322b38 thread T0
          #0 0x11719c7dd in QtNS::QCocoaWindow::menubar() const qcocoawindow.mm:1971
          #1 0x11721708b in QtNS::QCocoaMenuBar::~QCocoaMenuBar() qcocoamenubar.mm:82
          #2 0x117218ec4 in QtNS::QCocoaMenuBar::~QCocoaMenuBar() qcocoamenubar.mm:67
          #3 0x117218ee8 in QtNS::QCocoaMenuBar::~QCocoaMenuBar() qcocoamenubar.mm:67
          #4 0x11fc6f30c in QtNS::QQuickMenuBar1::setNativeNoNotify(bool) qquickmenubar.cpp:120
          #5 0x11fc6e983 in QtNS::QQuickMenuBar1::~QQuickMenuBar1() qquickmenubar.cpp:79
          #6 0x11fc51f0a in QtNS::QQmlPrivate::QQmlElement<QtNS::QQuickMenuBar1>::~QQmlElement() qqmlprivate.h:104
          #7 0x11fc51e64 in QtNS::QQmlPrivate::QQmlElement<QtNS::QQuickMenuBar1>::~QQmlElement() qqmlprivate.h:102
          #8 0x11fc51e88 in QtNS::QQmlPrivate::QQmlElement<QtNS::QQuickMenuBar1>::~QQmlElement() qqmlprivate.h:102
          #9 0x1104c4340 in QtNS::QObjectPrivate::deleteChildren() qobject.cpp:1992
          #10 0x1104c37ed in QtNS::QObject::~QObject() qobject.cpp:1022
          #11 0x10c38ca27 in QtNS::QWindow::~QWindow() qwindow.cpp:216
          #12 0x1097de52b in QtNS::QQuickWindow::~QQuickWindow() qquickwindow.cpp:1315
          #13 0x109b0fc3e in QtNS::QQuickWindowQmlImpl::~QQuickWindowQmlImpl() qquickwindowmodule_p.h:63
          #14 0x109b16616 in QtNS::QQmlPrivate::QQmlElement<QtNS::QQuickWindowQmlImpl>::~QQmlElement() qqmlprivate.h:104
          #15 0x109b16464 in QtNS::QQmlPrivate::QQmlElement<QtNS::QQuickWindowQmlImpl>::~QQmlElement() qqmlprivate.h:102
          #16 0x109b16488 in QtNS::QQmlPrivate::QQmlElement<QtNS::QQuickWindowQmlImpl>::~QQmlElement() qqmlprivate.h:102
          #17 0x10e8c47ee in void QtNS::qDeleteAll<QtNS::QList<QtNS::QObject*>::const_iterator>(QtNS::QList<QtNS::QObject*>::const_iterator, QtNS::QList<QtNS::QObject*>::const_iterator) qalgorithms.h:320
          #18 0x10e8bfe39 in void QtNS::qDeleteAll<QtNS::QList<QtNS::QObject*> >(QtNS::QList<QtNS::QObject*> const&) qalgorithms.h:328
          #19 0x10e8bfbfc in QtNS::QQmlApplicationEnginePrivate::cleanUp() qqmlapplicationengine.cpp:64
          #20 0x10e8c3694 in QtNS::QQmlApplicationEngine::~QQmlApplicationEngine() qqmlapplicationengine.cpp:245
          #21 0x10e8c36c4 in QtNS::QQmlApplicationEngine::~QQmlApplicationEngine() qqmlapplicationengine.cpp:242
          #22 0x1092a7faa in main main.cpp:68
          #23 0x7fffa6552234 in start (libdyld.dylib+0x5234)
      
      0x611000322b38 is located 120 bytes inside of 232-byte region [0x611000322ac0,0x611000322ba8)
      freed by thread T0 here:
          #0 0x11127abbb in wrap__ZdlPv (libclang_rt.asan_osx_dynamic.dylib+0x57bbb)
          #1 0x11717a551 in QtNS::QCocoaWindow::~QCocoaWindow() qcocoawindow.mm:505
          #2 0x11717a578 in non-virtual thunk to QtNS::QCocoaWindow::~QCocoaWindow() qcocoawindow.mm:504
          #3 0x10c38d1db in QtNS::QWindowPrivate::destroy() qwindow.cpp:1832
          #4 0x10c38c91d in QtNS::QWindow::~QWindow() qwindow.cpp:212
          #5 0x1097de52b in QtNS::QQuickWindow::~QQuickWindow() qquickwindow.cpp:1315
          #6 0x109b0fc3e in QtNS::QQuickWindowQmlImpl::~QQuickWindowQmlImpl() qquickwindowmodule_p.h:63
          #7 0x109b16616 in QtNS::QQmlPrivate::QQmlElement<QtNS::QQuickWindowQmlImpl>::~QQmlElement() qqmlprivate.h:104
          #8 0x109b16464 in QtNS::QQmlPrivate::QQmlElement<QtNS::QQuickWindowQmlImpl>::~QQmlElement() qqmlprivate.h:102
          #9 0x109b16488 in QtNS::QQmlPrivate::QQmlElement<QtNS::QQuickWindowQmlImpl>::~QQmlElement() qqmlprivate.h:102
          #10 0x10e8c47ee in void QtNS::qDeleteAll<QtNS::QList<QtNS::QObject*>::const_iterator>(QtNS::QList<QtNS::QObject*>::const_iterator, QtNS::QList<QtNS::QObject*>::const_iterator) qalgorithms.h:320
          #11 0x10e8bfe39 in void QtNS::qDeleteAll<QtNS::QList<QtNS::QObject*> >(QtNS::QList<QtNS::QObject*> const&) qalgorithms.h:328
          #12 0x10e8bfbfc in QtNS::QQmlApplicationEnginePrivate::cleanUp() qqmlapplicationengine.cpp:64
          #13 0x10e8c3694 in QtNS::QQmlApplicationEngine::~QQmlApplicationEngine() qqmlapplicationengine.cpp:245
          #14 0x10e8c36c4 in QtNS::QQmlApplicationEngine::~QQmlApplicationEngine() qqmlapplicationengine.cpp:242
          #15 0x1092a7faa in main main.cpp:68
          #16 0x7fffa6552234 in start (libdyld.dylib+0x5234)
      
      previously allocated by thread T0 here:
          #0 0x11127a5fb in wrap__Znwm (libclang_rt.asan_osx_dynamic.dylib+0x575fb)
          #1 0x11714e58b in QtNS::QCocoaIntegration::createPlatformWindow(QtNS::QWindow*) const qcocoaintegration.mm:534
          #2 0x10c390dd6 in QtNS::QWindowPrivate::create(bool, unsigned long long) qwindow.cpp:438
          #3 0x10c3913a7 in QtNS::QWindow::create() qwindow.cpp:619
          #4 0x11721b3ce in QtNS::QCocoaMenuBar::handleReparent(QtNS::QWindow*) qcocoamenubar.mm:230
          #5 0x11fc70146 in QtNS::QQuickMenuBar1::setParentWindow(QtNS::QQuickWindow*) qquickmenubar.cpp:138
          #6 0x11fd09ce7 in QtNS::QQuickMenuBar1::qt_static_metacall(QtNS::QObject*, QtNS::QMetaObject::Call, int, void**) moc_qquickmenubar_p.cpp:161
          #7 0x11fd0a1bc in QtNS::QQuickMenuBar1::qt_metacall(QtNS::QMetaObject::Call, int, void**) moc_qquickmenubar_p.cpp:206
          #8 0x10e6551cd in QtNS::QQmlVMEMetaObject::metaCall(QtNS::QObject*, QtNS::QMetaObject::Call, int, void**) qqmlvmemetaobject.cpp:976
          #9 0x110408650 in QtNS::QMetaObject::metacall(QtNS::QObject*, QtNS::QMetaObject::Call, int, void**) qmetaobject.cpp:299
          #10 0x10e6c245d in QtNS::QQmlPropertyData::writeProperty(QtNS::QObject*, void*, QtNS::QFlags<QtNS::QQmlPropertyData::WriteFlag>) const qqmlpropertycache_p.h:324
          #11 0x10e6bf7d8 in QtNS::QQmlPropertyPrivate::write(QtNS::QObject*, QtNS::QQmlPropertyData const&, QtNS::QVariant const&, QtNS::QQmlContextData*, QtNS::QFlags<QtNS::QQmlPropertyData::WriteFlag>) qqmlproperty.cpp:1208
          #12 0x10e6be2a3 in QtNS::QQmlPropertyPrivate::writeValueProperty(QtNS::QObject*, QtNS::QQmlPropertyData const&, QtNS::QQmlPropertyData const&, QtNS::QVariant const&, QtNS::QQmlContextData*, QtNS::QFlags<QtNS::QQmlPropertyData::WriteFlag>) qqmlproperty.cpp:1164
          #13 0x10e6bdbb2 in QtNS::QQmlPropertyPrivate::writeValueProperty(QtNS::QVariant const&, QtNS::QFlags<QtNS::QQmlPropertyData::WriteFlag>) qqmlproperty.cpp:1143
          #14 0x10e6c2e02 in QtNS::QQmlPropertyPrivate::write(QtNS::QQmlProperty const&, QtNS::QVariant const&, QtNS::QFlags<QtNS::QQmlPropertyData::WriteFlag>) qqmlproperty.cpp:1492
          #15 0x10e6c2a3d in QtNS::QQmlProperty::write(QtNS::QVariant const&) const qqmlproperty.cpp:1408
          #16 0x10e98df5c in QtNS::QQmlBind::eval() qqmlbind.cpp:385
          #17 0x10e98f210 in QtNS::QQmlBind::componentComplete() qqmlbind.cpp:346
          #18 0x10e98f298 in non-virtual thunk to QtNS::QQmlBind::componentComplete() qqmlbind.cpp:338
          #19 0x10e8f4b8f in QtNS::QQmlObjectCreator::finalize(QtNS::QQmlInstantiationInterrupt&) qqmlobjectcreator.cpp:1236
          #20 0x10e6ce33a in QtNS::QQmlComponentPrivate::complete(QtNS::QQmlEnginePrivate*, QtNS::QQmlComponentPrivate::ConstructionState*) qqmlcomponent.cpp:900
          #21 0x10e6c97ce in QtNS::QQmlComponentPrivate::completeCreate() qqmlcomponent.cpp:936
          #22 0x10e6ce611 in QtNS::QQmlComponent::completeCreate() qqmlcomponent.cpp:929
          #23 0x10e6ccd89 in QtNS::QQmlComponent::create(QtNS::QQmlContext*) qqmlcomponent.cpp:769
          #24 0x10e8c1ddc in QtNS::QQmlApplicationEnginePrivate::finishLoad(QtNS::QQmlComponent*) qqmlapplicationengine.cpp:134
          #25 0x10e8c179d in QtNS::QQmlApplicationEnginePrivate::startLoad(QtNS::QUrl const&, QtNS::QByteArray const&, bool) qqmlapplicationengine.cpp:118
          #26 0x10e8c2eb2 in QtNS::QQmlApplicationEngine::load(QtNS::QUrl const&) qqmlapplicationengine.cpp:259
          #27 0x10e8c2f64 in QtNS::QQmlApplicationEngine::QQmlApplicationEngine(QtNS::QUrl const&, QtNS::QObject*) qqmlapplicationengine.cpp:222
          #28 0x1092a7f23 in main main.cpp:64
          #29 0x7fffa6552234 in start (libdyld.dylib+0x5234)
      
      SUMMARY: AddressSanitizer: heap-use-after-free qcocoawindow.mm:1971 in QtNS::QCocoaWindow::menubar() const
      ==20648==ABORTING
      
      
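The two stacks above give the order of events: ~QWindow first runs QWindowPrivate::destroy() (qwindow.cpp:212), which frees the QCocoaWindow, and only afterwards ~QObject deletes the QML children (qobject.cpp:1992), so ~QQuickMenuBar1 ends up calling QCocoaWindow::menubar() on freed memory. As an added illustration that is not Qt code and not the fix in the linked commits, the following C++ models that teardown order and two mitigations: tearing down children while the native handle is still alive, and holding the handle weakly so a late access is detected instead of dereferenced. All type and function names are invented stand-ins for the Qt classes in the trace.

```cpp
#include <iostream>
#include <memory>
#include <string>
#include <vector>
using Log = std::vector<std::string>;   // teardown events, in order

// Stand-in for QCocoaWindow, the native handle a QWindow owns (hypothetical name).
struct PlatformWindow {
    Log& log;
    explicit PlatformWindow(Log& l) : log(l) {}
    ~PlatformWindow() { log.push_back("platform window freed"); }
    void menubar() { log.push_back("menubar() read platform window"); }
};
// Stand-in for the QQuickMenuBar1 child. The report's raw pointer dangled; a weak
// handle lets the destructor notice that the platform window is already gone.
struct MenuBar {
    Log& log;
    std::weak_ptr<PlatformWindow> handle;
    MenuBar(Log& l, const std::shared_ptr<PlatformWindow>& pw) : log(l), handle(pw) {}
    ~MenuBar() {
        if (auto pw = handle.lock()) pw->menubar();                  // still alive
        else log.push_back("menubar dtor: handle expired, skipped"); // raw access = UAF
    }
};
// Stand-in for QWindow. The buggy order mirrors the trace: QWindowPrivate::destroy()
// frees the platform window before QObjectPrivate::deleteChildren() runs ~MenuBar.
struct Window {
    std::shared_ptr<PlatformWindow> platform;
    std::vector<std::unique_ptr<MenuBar>> children;
    bool childrenFirst;   // true = fixed order: children torn down while handle is alive
    Window(Log& l, bool fixed) : platform(std::make_shared<PlatformWindow>(l)), childrenFirst(fixed) {
        children.emplace_back(new MenuBar(l, platform));
    }
    ~Window() {
        if (childrenFirst) children.clear();
        platform.reset();   // QWindowPrivate::destroy()
        children.clear();   // QObjectPrivate::deleteChildren()
    }
};
// Runs one teardown and returns the event order so both variants can be compared.
Log teardown(bool fixedOrder) {
    Log log;
    { Window w(log, fixedOrder); }
    return log;
}

int main() {
    for (bool fixed : {false, true})
        for (const auto& e : teardown(fixed)) std::cout << (fixed ? "fixed: " : "buggy: ") << e << '\n';
}
```

Run under AddressSanitizer with a raw pointer in MenuBar instead of the weak_ptr and the buggy order reproduces the same heap-use-after-free class as the report; the weak handle turns it into a logged, skipped access.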


            People

            Assignee: dedietri Gabriel de Dietrich (drgvond)
            Reporter: erikv Erik Verbruggen