Project: Qt

QTBUG-68393: Heap corruption during deferred widget destruction


    • Type: Bug
    • Resolution: Done
    • Priority: P2: Important
    • 5.12.0 Alpha
    • 5.10.1
    • Environment: Arch linux (current as of 22. May 2018), qt5-base 5.10.1-8
    • Commit: 81e298a51d08c510457b4a26b37c0d4aac5eba65

      I get crashes and error reports from valgrind with a fairly trivial program.

      • All the UI that the problem is in comes from generated code (ui file)
      • The main() does absolutely nothing interesting
      • It is causing crashes on newer Qt versions (I deploy with 5.4 on linux and 5.6 elsewhere; the problem is not visible there)
      • Even taking binaries built with Qt 5.4 and running them with new Qt exposes the problem (so it is not a problem with code generation, or with the build process itself)

      It looks like some heap corruption caused by bad access to widget focus chains while the widgets are being destroyed (not just normal, but also deferred destruction):

      ==8087== Invalid write of size 8
      ==8087== at 0x4FCBDC4: QWidget::~QWidget() (qwidget.cpp:1611)
      ==8087== by 0x516A2F9: QToolButton::~QToolButton() (qtoolbutton.cpp:326)
      ==8087== by 0x60D11CA: QObjectPrivate::deleteChildren() (qobject.cpp:1993)
      ==8087== by 0x4FCBFAA: QWidget::~QWidget() (qwidget.cpp:1703)
      ==8087== by 0x5145BB9: QTabBar::~QTabBar() (qtabbar.cpp:861)
      ==8087== by 0x60D11CA: QObjectPrivate::deleteChildren() (qobject.cpp:1993)
      ==8087== by 0x4FCBFAA: QWidget::~QWidget() (qwidget.cpp:1703)
      ==8087== by 0x51657C9: QTabWidget::~QTabWidget() (qtabwidget.cpp:368)
      ==8087== by 0x60D11CA: QObjectPrivate::deleteChildren() (qobject.cpp:1993)
      ==8087== by 0x4FCBFAA: QWidget::~QWidget() (qwidget.cpp:1703)
      ==8087== by 0x10F9E9: DEMO::~DEMO() (demo.cpp:20)
      ==8087== by 0x10D4EE: main (demo.cpp:30)
      ==8087== Address 0x1e0bd4b0 is 128 bytes inside a block of size 456 free'd
      ==8087== at 0x4C2E60B: operator delete(void*) (vg_replace_malloc.c:576)
      ==8087== by 0x60DA59E: cleanup (qscopedpointer.h:60)
      ==8087== by 0x60DA59E: ~QScopedPointer (qscopedpointer.h:107)
      ==8087== by 0x60DA59E: QObject::~QObject() (qobject.cpp:882)
      ==8087== by 0x4FCC03B: QWidget::~QWidget() (qwidget.cpp:1564)
      ==8087== by 0x4FCC1C9: QWidget::~QWidget() (qwidget.cpp:1727)
      ==8087== by 0x60D11CA: QObjectPrivate::deleteChildren() (qobject.cpp:1993)
      ==8087== by 0x4FCBFAA: QWidget::~QWidget() (qwidget.cpp:1703)
      ==8087== by 0x524B829: QTreeView::~QTreeView() (qtreeview.cpp:207)
      ==8087== by 0x60D11CA: QObjectPrivate::deleteChildren() (qobject.cpp:1993)
      ==8087== by 0x4FCBFAA: QWidget::~QWidget() (qwidget.cpp:1703)
      ==8087== by 0x4FCC1C9: QWidget::~QWidget() (qwidget.cpp:1727)
      ==8087== by 0x60D11CA: QObjectPrivate::deleteChildren() (qobject.cpp:1993)
      ==8087== by 0x4FCBFAA: QWidget::~QWidget() (qwidget.cpp:1703)
      ==8087== by 0x5143689: QStackedWidget::~QStackedWidget() (qstackedwidget.cpp:147)
      ==8087== by 0x60D11CA: QObjectPrivate::deleteChildren() (qobject.cpp:1993)
      ==8087== by 0x4FCBFAA: QWidget::~QWidget() (qwidget.cpp:1703)
      ==8087== by 0x51657C9: QTabWidget::~QTabWidget() (qtabwidget.cpp:368)
      ==8087== by 0x60D11CA: QObjectPrivate::deleteChildren() (qobject.cpp:1993)
      ==8087== by 0x4FCBFAA: QWidget::~QWidget() (qwidget.cpp:1703)
      ==8087== by 0x10F9E9: DEMO::~DEMO() (demo.cpp:20)
      ==8087== by 0x10D4EE: main (demo.cpp:30)
      ==8087== Block was alloc'd at
      ==8087== at 0x4C2D54F: operator new(unsigned long) (vg_replace_malloc.c:334)
      ==8087== by 0x4FD292D: QWidget::QWidget(QWidget*, QFlags<Qt::WindowType>) (qwidget.cpp:1027)
      ==8087== by 0x507E91F: QAbstractScrollAreaPrivate::init() (qabstractscrollarea.cpp:291)
      ==8087== by 0x51E85F9: QAbstractItemView::QAbstractItemView(QAbstractItemViewPrivate&, QWidget*) (qabstractitemview.cpp:628)
      ==8087== by 0x524E0E4: QTreeView::QTreeView(QWidget*) (qtreeview.cpp:186)
      ==8087== by 0x10EEE6: Ui_DEMO::setupUi(QWidget*) (ui_demo.h:110)
      ==8087== by 0x10F961: DEMO::DEMO(QWidget*) (demo.cpp:17)
      ==8087== by 0x10D4CE: main (demo.cpp:30)

      You can find a demo project with this problem here (I separated a minimal example from the original project):

      https://github.com/peterix/demo_heap_corruption
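The trace above shows a write from one QWidget destructor landing in a block that an earlier QWidget destructor had already freed, and the reporter points at the focus chain. The following is an added, constructed model of that failure class; it is not code from the bug report, its attachments or Qt's source, and the names Arena, Widget, linkAfterTail, unlink, teardownProperly and teardownWithSkippedUnlink are hypothetical. Widgets own their children and are also nodes of one intrusive circular chain; an arena stands in for the heap plus valgrind by marking "freed" widgets dead instead of releasing memory and by counting every write attempted through a pointer to a dead widget. The healthy path unlinks each widget before it dies; the faulty path lets one widget leave without unlinking, and the neighbours' later destructors then produce the same invalid-write pattern as the report.

```cpp
#include <algorithm>
#include <cstdio>
#include <memory>
#include <set>
#include <vector>

struct Widget;

// Constructed arena standing in for the heap and for valgrind: it owns every Widget,
// "frees" by marking dead (memory is kept, so the model itself has no use-after-free),
// and counts writes attempted through pointers to dead widgets.
struct Arena {
    std::vector<std::unique_ptr<Widget>> storage;
    std::set<const Widget*> live;
    int invalidWrites = 0;

    bool isLive(const Widget* w) const { return live.count(w) != 0; }
    Widget* create(Widget* parent);
    void destroy(Widget* w);             // correct path: children first, then unlink
    void freeWithoutUnlink(Widget* w);   // constructed fault: leaves chain neighbours dangling
};

struct Widget {
    Widget* parent;
    std::vector<Widget*> children;   // owned; torn down first, like deleteChildren() in the trace
    Widget* focusNext;               // intrusive circular chain (the focus chain the report blames)
    Widget* focusPrev;

    explicit Widget(Widget* p) : parent(p), focusNext(this), focusPrev(this) {}

    Widget* root() { Widget* w = this; while (w->parent) w = w->parent; return w; }

    // Splice this widget in at the tail of its window's chain (just before the root).
    void linkAfterTail(Widget* win) {
        Widget* tail = win->focusPrev;
        focusPrev = tail;
        focusNext = win;
        tail->focusNext = this;
        win->focusPrev = this;
    }

    // Remove this widget from the chain. Each write goes through a neighbour pointer, so it
    // is only valid while that neighbour is alive; a dead neighbour is the model's version of
    // valgrind's "Invalid write ... inside a block ... free'd".
    void unlink(Arena& a) {
        if (a.isLive(focusNext)) focusNext->focusPrev = focusPrev; else ++a.invalidWrites;
        if (a.isLive(focusPrev)) focusPrev->focusNext = focusNext; else ++a.invalidWrites;
        focusNext = focusPrev = this;
    }
};

Widget* Arena::create(Widget* parent) {
    storage.push_back(std::make_unique<Widget>(parent));
    Widget* w = storage.back().get();
    live.insert(w);
    if (parent) {
        parent->children.push_back(w);
        w->linkAfterTail(w->root());
    }
    return w;
}

void Arena::destroy(Widget* w) {
    for (Widget* c : w->children) destroy(c);   // children first, then the widget itself
    w->children.clear();
    w->unlink(*this);                            // chain maintenance before the memory goes
    live.erase(w);
}

void Arena::freeWithoutUnlink(Widget* w) {
    // Constructed fault: the subtree leaves the heap but its chain neighbours are never
    // told, so their focusNext/focusPrev now point into dead memory.
    std::vector<Widget*> kids = w->children;     // copy: recursion edits the parent's list
    w->children.clear();
    for (Widget* c : kids) freeWithoutUnlink(c);
    if (w->parent) {
        std::vector<Widget*>& sib = w->parent->children;
        sib.erase(std::remove(sib.begin(), sib.end(), w), sib.end());
    }
    live.erase(w);
}

// Same tree shape as the trace: window > tab widget > { tool button, tree view }.
struct Scene { Arena arena; Widget* window; Widget* tabs; Widget* button; Widget* tree; };

static void build(Scene& s) {
    s.window = s.arena.create(nullptr);
    s.tabs   = s.arena.create(s.window);
    s.button = s.arena.create(s.tabs);
    s.tree   = s.arena.create(s.tabs);
}

// Healthy teardown: every widget unlinks itself before dying, so no write targets dead memory.
int teardownProperly() {
    Scene s; build(s);
    s.arena.destroy(s.window);
    return s.arena.invalidWrites;   // 0
}

// Faulty teardown: the button is freed without unlinking; the tree, the tab widget and
// finally the window (once the dangling pointer has propagated) all write into it.
int teardownWithSkippedUnlink() {
    Scene s; build(s);
    s.arena.freeWithoutUnlink(s.button);
    s.arena.destroy(s.window);
    return s.arena.invalidWrites;   // 4
}

int main() {
    std::printf("invalid writes, proper teardown: %d\n", teardownProperly());
    std::printf("invalid writes, unlink skipped:  %d\n", teardownWithSkippedUnlink());
    return 0;
}
```

The useful property for triage is visible in the faulty count: one skipped unlink does not produce one bad write but several, because each neighbour's destructor copies the dangling pointer onward as it unlinks, so the widget valgrind names at the top of the stack is often not the one whose destruction went wrong. That is why the "Block was alloc'd at" and "free'd" stacks in a report like this one matter as much as the invalid-write stack.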


        Attachments:
          1. valgrind.log (21 kB, Petr Mrazek)
          2. demo.cpp (0.5 kB, Christian Ehrlicher)
          3. qtbug68393.zip (1 kB, Friedemann Kleint)
            People: Christian Ehrlicher (chehrlic), Petr Mrazek (peterix)
            Votes: 1
            Watchers: 6