QTBUG-64375: Crash (potential double-free?) in QPropertyAnimation

    Details

    • Type: Bug
    • Status: Closed
    • Priority: P2: Important
    • Resolution: Cannot Reproduce
    • Affects Version/s: 5.9.2
    • Fix Version/s: None
    • Labels: None

      Description

      An application with an MDI main window sometimes crashes when showing a toolbar. The problematic part of the call stack is:

      #6  0x00007f72ae9c4afa in QVariantAnimationPrivate::valueAt(double) const () from /usr/lib64/libQt5Core.so.5
      #7  0x00007f72ae9c5ddd in QVariantAnimation::keyValueAt(double) const () from /usr/lib64/libQt5Core.so.5
      #8  0x00007f72ae9c5dfd in QVariantAnimation::startValue() const () from /usr/lib64/libQt5Core.so.5
      #9  0x00007f72ae9c9a13 in QPropertyAnimation::updateState(QAbstractAnimation::State, QAbstractAnimation::State) () from /usr/lib64/libQt5Core.so.5
      #10 0x00007f72ae9c2a9b in QAbstractAnimation::start(QAbstractAnimation::DeletionPolicy) () from /usr/lib64/libQt5Core.so.5
      #11 0x00007f72b0b60b00 in QWidgetAnimator::animate(QWidget*, QRect const&, bool) () from /usr/lib64/libQt5Widgets.so.5
      #12 0x00007f72b0b993e8 in QDockAreaLayout::apply(bool) () from /usr/lib64/libQt5Widgets.so.5
      #13 0x00007f72b0bc854f in QMainWindowLayout::applyState(QMainWindowLayoutState&, bool) () from /usr/lib64/libQt5Widgets.so.5
      #14 0x00007f72b0bc9e08 in QMainWindowLayout::setGeometry(QRect const&) () from /usr/lib64/libQt5Widgets.so.5
      #15 0x00007f72b0a92f3c in QLayoutPrivate::doResize(QSize const&) () from /usr/lib64/libQt5Widgets.so.5
      #16 0x00007f72b0a93ea1 in QLayout::activate() () from /usr/lib64/libQt5Widgets.so.5
      #17 0x00007f72b0ab2a58 in QWidget::setVisible(bool) () from /usr/lib64/libQt5Widgets.so.5
      

      At this stage a sub-window is already shown maximized in the application and some dock widgets are shown. This error doesn't seem to happen if I don't have any maximized sub-windows. The clang build with AddressSanitizer reports a double-free here:

      ==14776==ERROR: AddressSanitizer: attempting double-free on 0x6030006c2f20 in thread T0:
          #0 0x72cd5b in operator delete(void*) /home/abuild/rpmbuild/BUILD/llvm-3.8.0.src/stage2/../projects/compiler-rt/lib/asan/asan_new_delete.cc:94:3
          #1 0x7f47b145c347  (/usr/lib64/libQt5Core.so.5+0x2b0347)
          #2 0x7f47b123de41 in QPropertyAnimation::updateState(QAbstractAnimation::State, QAbstractAnimation::State) (/usr/lib64/libQt5Core.so.5+0x91e41)
          #3 0x7f47b1236a9a in QAbstractAnimation::start(QAbstractAnimation::DeletionPolicy) (/usr/lib64/libQt5Core.so.5+0x8aa9a)
          #4 0x7f47b33d4aff  (/usr/lib64/libQt5Widgets.so.5+0x24baff)
          #5 0x7f47b340d3e7  (/usr/lib64/libQt5Widgets.so.5+0x2843e7)
          #6 0x7f47b343c54e  (/usr/lib64/libQt5Widgets.so.5+0x2b354e)
          #7 0x7f47b343de07  (/usr/lib64/libQt5Widgets.so.5+0x2b4e07)
          #8 0x7f47b3306f3b in QLayoutPrivate::doResize(QSize const&) (/usr/lib64/libQt5Widgets.so.5+0x17df3b)
          #9 0x7f47b3307ea0 in QLayout::activate() (/usr/lib64/libQt5Widgets.so.5+0x17eea0)
          #10 0x7f47b3326a57 in QWidget::setVisible(bool) (/usr/lib64/libQt5Widgets.so.5+0x19da57)
      

      This error also happens sometimes when resizing the main window already having some "content" shown in a maximized sub-window:

      ==14834==ERROR: AddressSanitizer: attempting double-free on 0x60300075a5d0 in thread T0:
          #0 0x72cd5b in operator delete(void*) /home/abuild/rpmbuild/BUILD/llvm-3.8.0.src/stage2/../projects/compiler-rt/lib/asan/asan_new_delete.cc:94:3
          #1 0x7fa817152347  (/usr/lib64/libQt5Core.so.5+0x2b0347)
          #2 0x7fa816f33e41 in QPropertyAnimation::updateState(QAbstractAnimation::State, QAbstractAnimation::State) (/usr/lib64/libQt5Core.so.5+0x91e41)
          #3 0x7fa816f2ca9a in QAbstractAnimation::start(QAbstractAnimation::DeletionPolicy) (/usr/lib64/libQt5Core.so.5+0x8aa9a)
          #4 0x7fa8190caaff  (/usr/lib64/libQt5Widgets.so.5+0x24baff)
          #5 0x7fa8191033e7  (/usr/lib64/libQt5Widgets.so.5+0x2843e7)
          #6 0x7fa81913254e  (/usr/lib64/libQt5Widgets.so.5+0x2b354e)
          #7 0x7fa819133e07  (/usr/lib64/libQt5Widgets.so.5+0x2b4e07)
          #8 0x7fa818ffcf3b in QLayoutPrivate::doResize(QSize const&) (/usr/lib64/libQt5Widgets.so.5+0x17df3b)
          #9 0x7fa818ffdea0 in QLayout::activate() (/usr/lib64/libQt5Widgets.so.5+0x17eea0)
          #10 0x7fa818fe1c89 in QApplicationPrivate::notify_helper(QObject*, QEvent*) (/usr/lib64/libQt5Widgets.so.5+0x162c89)
          #11 0x7fa818fe8a0f in QApplication::notify(QObject*, QEvent*) (/usr/lib64/libQt5Widgets.so.5+0x169a0f)
          #12 0x7fa81710cd24 in QCoreApplication::notifyInternal2(QObject*, QEvent*) (/usr/lib64/libQt5Core.so.5+0x26ad24)
          #13 0x7fa8190351ed  (/usr/lib64/libQt5Widgets.so.5+0x1b61ed)
          #14 0x7fa81903814a  (/usr/lib64/libQt5Widgets.so.5+0x1b914a)
          #15 0x7fa818fe1cbb in QApplicationPrivate::notify_helper(QObject*, QEvent*) (/usr/lib64/libQt5Widgets.so.5+0x162cbb)
          #16 0x7fa818fe8a0f in QApplication::notify(QObject*, QEvent*) (/usr/lib64/libQt5Widgets.so.5+0x169a0f)
          #17 0x7fa81710cd24 in QCoreApplication::notifyInternal2(QObject*, QEvent*) (/usr/lib64/libQt5Core.so.5+0x26ad24)
          #18 0x7fa817a50dcc in QGuiApplicationPrivate::processGeometryChangeEvent(QWindowSystemInterfacePrivate::GeometryChangeEvent*) (/usr/lib64/libQt5Gui.so.5+0x104dcc)
          #19 0x7fa817a554bc in QGuiApplicationPrivate::processWindowSystemEvent(QWindowSystemInterfacePrivate::WindowSystemEvent*) (/usr/lib64/libQt5Gui.so.5+0x1094bc)
          #20 0x7fa817a338aa in QWindowSystemInterface::sendWindowSystemEvents(QFlags<QEventLoop::ProcessEventsFlag>) (/usr/lib64/libQt5Gui.so.5+0xe78aa)
          #21 0x7fa7f787d5af  (/usr/lib64/libQt5XcbQpa.so.5+0x935af)
          #22 0x7fa80d159133 in g_main_context_dispatch (/usr/lib64/libglib-2.0.so.0+0x4c133)
          #23 0x7fa80d159387  (/usr/lib64/libglib-2.0.so.0+0x4c387)
          #24 0x7fa80d15942b in g_main_context_iteration (/usr/lib64/libglib-2.0.so.0+0x4c42b)
          #25 0x7fa81715ddbb in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (/usr/lib64/libQt5Core.so.5+0x2bbdbb)
          #26 0x7fa81710b01a in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) (/usr/lib64/libQt5Core.so.5+0x26901a)
          #27 0x7fa8171135e3 in QCoreApplication::exec() (/usr/lib64/libQt5Core.so.5+0x2715e3)
      
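      Triage of reports like the two above usually starts by parsing them into structured frames and bucketing runs of the same bug together. The following is an added example (not part of this bug report and not Qt's or LabPlot's code) that parses the AddressSanitizer header and frame lines in the format shown above and derives a bucketing key that ignores per-run values (PID, heap address, ASLR-randomized program counters). The sample input reuses the opening lines of the two reports; the frame depth used for the key and the list of allocator-layer symbol prefixes are my own choices.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample input: the opening lines of the two AddressSanitizer reports quoted in the
# bug description (frames beyond #3 trimmed to keep the sample short).
REPORT_A = """\
==14776==ERROR: AddressSanitizer: attempting double-free on 0x6030006c2f20 in thread T0:
    #0 0x72cd5b in operator delete(void*) /home/abuild/rpmbuild/BUILD/llvm-3.8.0.src/stage2/../projects/compiler-rt/lib/asan/asan_new_delete.cc:94:3
    #1 0x7f47b145c347  (/usr/lib64/libQt5Core.so.5+0x2b0347)
    #2 0x7f47b123de41 in QPropertyAnimation::updateState(QAbstractAnimation::State, QAbstractAnimation::State) (/usr/lib64/libQt5Core.so.5+0x91e41)
    #3 0x7f47b1236a9a in QAbstractAnimation::start(QAbstractAnimation::DeletionPolicy) (/usr/lib64/libQt5Core.so.5+0x8aa9a)
"""

REPORT_B = """\
==14834==ERROR: AddressSanitizer: attempting double-free on 0x60300075a5d0 in thread T0:
    #0 0x72cd5b in operator delete(void*) /home/abuild/rpmbuild/BUILD/llvm-3.8.0.src/stage2/../projects/compiler-rt/lib/asan/asan_new_delete.cc:94:3
    #1 0x7fa817152347  (/usr/lib64/libQt5Core.so.5+0x2b0347)
    #2 0x7fa816f33e41 in QPropertyAnimation::updateState(QAbstractAnimation::State, QAbstractAnimation::State) (/usr/lib64/libQt5Core.so.5+0x91e41)
    #3 0x7fa816f2ca9a in QAbstractAnimation::start(QAbstractAnimation::DeletionPolicy) (/usr/lib64/libQt5Core.so.5+0x8aa9a)
"""


@dataclass
class Frame:
    index: int
    pc: int
    symbol: Optional[str]   # None when ASan could not symbolize the frame
    module: Optional[str]   # shared object the pc falls in, if reported as (module+offset)
    offset: Optional[int]   # offset of the pc inside that module
    source: Optional[str]   # file:line:col when debug info was available


@dataclass
class AsanReport:
    pid: int
    kind: str               # e.g. "attempting double-free", "heap-use-after-free"
    address: int
    thread: str
    frames: List[Frame] = field(default_factory=list)


# "==<pid>==ERROR: AddressSanitizer: <kind> on [address] 0x... in thread T<n>:"
HEADER_RE = re.compile(
    r"^==(?P<pid>\d+)==ERROR: AddressSanitizer: (?P<kind>.+?) on (?:address )?"
    r"(?P<addr>0x[0-9a-fA-F]+) in thread (?P<thread>T\d+)")
# "    #<n> 0x<pc> [in <symbol>] (<module>+0x<off>)"  or  "... <symbol> <file:line:col>"
FRAME_RE = re.compile(
    r"^\s*#(?P<n>\d+) (?P<pc>0x[0-9a-fA-F]+)(?: in (?P<sym>.+?))?\s+"
    r"(?:\((?P<mod>[^()+]+)\+(?P<off>0x[0-9a-fA-F]+)\)|(?P<src>\S+))\s*$")

# Symbols belonging to the allocator / sanitizer interceptor layer; they sit above every
# heap bug and carry no information about which application code is responsible.
# (Assumed list; extend it for your toolchain.)
ALLOCATOR_PREFIXES = ("operator delete", "operator new", "free", "malloc",
                      "calloc", "realloc", "__interceptor_")


def parse_asan_report(text: str) -> AsanReport:
    """Parse one ASan error block (header line plus its stack frames)."""
    report: Optional[AsanReport] = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            report = AsanReport(int(m["pid"]), m["kind"], int(m["addr"], 16), m["thread"])
            continue
        f = FRAME_RE.match(line)
        if f and report is not None:
            report.frames.append(Frame(
                index=int(f["n"]), pc=int(f["pc"], 16), symbol=f["sym"],
                module=f["mod"], offset=int(f["off"], 16) if f["off"] else None,
                source=f["src"]))
    if report is None:
        raise ValueError("no AddressSanitizer error header found")
    return report


def app_frames(report: AsanReport) -> List[Frame]:
    """Symbolized frames outside the allocator/interceptor layer, innermost first."""
    return [f for f in report.frames
            if f.symbol and not f.symbol.startswith(ALLOCATOR_PREFIXES)]


def crash_signature(report: AsanReport, depth: int = 2) -> str:
    """Bucketing key: error kind plus the top `depth` application functions.
    PID, heap address and program counters are deliberately left out so that
    separate runs of the same bug (as in the two reports above) share a key."""
    kind = report.kind.replace("attempting ", "")
    names = [f.symbol.split("(", 1)[0] for f in app_frames(report)[:depth]]
    return "|".join([kind] + names)


if __name__ == "__main__":
    for text in (REPORT_A, REPORT_B):
        r = parse_asan_report(text)
        print(r.pid, hex(r.address), crash_signature(r))
```

      Running the script prints one line per report; both end in the same key, `double-free|QPropertyAnimation::updateState|QAbstractAnimation::start`, even though the PIDs, freed addresses and program counters differ. Unsymbolized frames (such as `#1`, which only carries a module and offset) are kept in the parsed frame list so they can be resolved later with the matching debug symbols, but they are excluded from the signature.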

      Sorry, I don't have a small example application to reproduce this problem, but it is easily reproducible with LabPlot. So, if it's feasible for you, fetch the sources from https://cgit.kde.org/labplot.git/ , compile and install the application, and open the project "fit (Anscombe's quartet).lml" located in the example folder.

      This problem is similar to the problems reported in QTBUG-18604 and QTBUG-6897 with Qt4. We have/had this problem with Qt4, too.

      Not sure about the proper component here. Please adjust it if this is wrong.

      Gatis Paeglis FYI.

              People

              Assignee: Unassigned
              Reporter: Alexander Semke (asemke)
              Votes: 12
              Watchers: 7