Loading...

Details

Type: Bug
Resolution: Done
Priority: P2: Important
Fix Version/s: 5.11.2
Affects Version/s: 5.9.7, 5.11.0
Component/s: Quick: Core Declarative QML
Labels:
None
Environment:
Ubuntu 18.04

Commits:
49c244e3c5a9138e6785515ebb64334705236ed4 b6ce37a9b7c5058a33d05d307d74f35ebbf1b9e7

Description

Initially found in tst_controls::Universal::TabBar::test_move with ASAN (ASAN_OPTIONS=detect_leaks=0,new_delete_type_mismatch=0):

Starting /home/mitch/dev/qt5.11-debug/qtquickcontrols2/tests/auto/controls/universal/tst_universal...
********* Start testing of tst_controls::Universal *********
Config: Using QtTest library 5.11.1, Qt 5.11.1 (x86_64-little_endian-lp64 shared (dynamic) debug build; by GCC 7.3.0)
PASS   : tst_controls::Universal::TabBar::initTestCase()
PASS   : tst_controls::Universal::TabBar::test_move(0->1 (0))
PASS   : tst_controls::Universal::TabBar::test_move(0->1 (1))
PASS   : tst_controls::Universal::TabBar::test_move(0->1 (2))
=================================================================
==14506==ERROR: AddressSanitizer: heap-use-after-free on address 0x61900045a2c0 at pc 0x7f15c5c0c048 bp 0x7ffc59cf11d0 sp 0x7ffc59cf11c0
READ of size 8 at 0x61900045a2c0 thread T0
    #0 0x7f15c5c0c047 in QQuickItem::~QQuickItem() /home/mitch/dev/qt5.11/qtdeclarative/src/quick/items/qquickitem.cpp:2396
    #1 0x7f15c42db0c2 in QQuickControl::~QQuickControl() /home/mitch/dev/qt5.11-debug/qtbase/include/QtQuickTemplates2/5.11.1/QtQuickTemplates2/private/../../../../../../../qt5.11/qtquickcontrols2/src/quicktemplates2/qquickcontrol_p.h:60
    #2 0x7f15c42db0c2 in QQuickAbstractButton::~QQuickAbstractButton() /home/mitch/dev/qt5.11/qtquickcontrols2/src/quicktemplates2/qquickabstractbutton.cpp:427
    #3 0x7f15ac06f658 in QQuickTabButton::~QQuickTabButton() /home/mitch/dev/qt5.11-debug/qtbase/include/QtQuickTemplates2/5.11.1/QtQuickTemplates2/private/../../../../../../../qt5.11/qtquickcontrols2/src/quicktemplates2/qquicktabbutton_p.h:55
    #4 0x7f15ac06f658 in QQmlPrivate::QQmlElement<QQuickTabButton>::~QQmlElement() /home/mitch/dev/qt5.11-debug/qtbase/include/QtQml/../../../../qt5.11/qtdeclarative/src/qml/qml/qqmlprivate.h:103
    #5 0x7f15ac06f658 in QQmlPrivate::QQmlElement<QQuickTabButton>::~QQmlElement() /home/mitch/dev/qt5.11-debug/qtbase/include/QtQml/../../../../qt5.11/qtdeclarative/src/qml/qml/qqmlprivate.h:103
    #6 0x7f15c7fe4ad0 in QObjectPrivate::deleteChildren() /home/mitch/dev/qt5.11/qtbase/src/corelib/kernel/qobject.cpp:1997
    #7 0x7f15c7fe9745 in QObject::~QObject() /home/mitch/dev/qt5.11/qtbase/src/corelib/kernel/qobject.cpp:1025
    #8 0x7f15c5c0ca41 in QQuickItem::~QQuickItem() /home/mitch/dev/qt5.11/qtdeclarative/src/quick/items/qquickitem.cpp:2378
    #9 0x7f15c43239d6 in QQuickControl::~QQuickControl() /home/mitch/dev/qt5.11-debug/qtbase/include/QtQuickTemplates2/5.11.1/QtQuickTemplates2/private/../../../../../../../qt5.11/qtquickcontrols2/src/quicktemplates2/qquickcontrol_p.h:60
    #10 0x7f15c43239d6 in QQuickContainer::~QQuickContainer() /home/mitch/dev/qt5.11/qtquickcontrols2/src/quicktemplates2/qquickcontainer.cpp:445
    #11 0x7f15ac074fa6 in QQuickTabBar::~QQuickTabBar() /home/mitch/dev/qt5.11-debug/qtbase/include/QtQuickTemplates2/5.11.1/QtQuickTemplates2/private/../../../../../../../qt5.11/qtquickcontrols2/src/quicktemplates2/qquicktabbar_p.h:59
    #12 0x7f15ac074fa6 in QQmlPrivate::QQmlElement<QQuickTabBar>::~QQmlElement() /home/mitch/dev/qt5.11-debug/qtbase/include/QtQml/../../../../qt5.11/qtdeclarative/src/qml/qml/qqmlprivate.h:103
    #13 0x7f15ac074fa6 in QQmlPrivate::QQmlElement<QQuickTabBar>::~QQmlElement() /home/mitch/dev/qt5.11-debug/qtbase/include/QtQml/../../../../qt5.11/qtdeclarative/src/qml/qml/qqmlprivate.h:103
    #14 0x7f15c7fcbe40 in qDeleteInEventHandler(QObject*) /home/mitch/dev/qt5.11/qtbase/src/corelib/kernel/qobject.cpp:4604
    #15 0x7f15c7fd214b in QObject::event(QEvent*) /home/mitch/dev/qt5.11/qtbase/src/corelib/kernel/qobject.cpp:1242
    #16 0x7f15c5c0440d in QQuickItem::event(QEvent*) /home/mitch/dev/qt5.11/qtdeclarative/src/quick/items/qquickitem.cpp:8003
    #17 0x7f15c7f234fe in QCoreApplicationPrivate::notify_helper(QObject*, QEvent*) /home/mitch/dev/qt5.11/qtbase/src/corelib/kernel/qcoreapplication.cpp:1197
    #18 0x7f15c7f2374d in doNotify /home/mitch/dev/qt5.11/qtbase/src/corelib/kernel/qcoreapplication.cpp:1138
    #19 0x7f15c7f23c1c in QCoreApplication::notify(QObject*, QEvent*) /home/mitch/dev/qt5.11/qtbase/src/corelib/kernel/qcoreapplication.cpp:1124
    #20 0x7f15c8900645 in QGuiApplication::notify(QObject*, QEvent*) /home/mitch/dev/qt5.11/qtbase/src/gui/kernel/qguiapplication.cpp:1762
    #21 0x7f15c7f239bc in QCoreApplication::notifyInternal2(QObject*, QEvent*) /home/mitch/dev/qt5.11/qtbase/src/corelib/kernel/qcoreapplication.cpp:1048
    #22 0x7f15c7f35594 in QCoreApplication::sendEvent(QObject*, QEvent*) ../../include/QtCore/../../../../qt5.11/qtbase/src/corelib/kernel/qcoreapplication.h:234
    #23 0x7f15c7f35594 in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) /home/mitch/dev/qt5.11/qtbase/src/corelib/kernel/qcoreapplication.cpp:1745
    #24 0x7f15c7f3739c in QCoreApplication::sendPostedEvents(QObject*, int) /home/mitch/dev/qt5.11/qtbase/src/corelib/kernel/qcoreapplication.cpp:1599
    #25 0x7f15ca8e850a in qWait /home/mitch/dev/qt5.11-debug/qtbase/include/QtTest/../../../../qt5.11/qtbase/src/testlib/qtestsystem.h:103
    #26 0x7f15ca8e850a in QuickTestResult::wait(int) /home/mitch/dev/qt5.11/qtdeclarative/src/qmltest/quicktestresult.cpp:635
    #27 0x7f15ca8f4b17 in QuickTestResult::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) .moc/moc_quicktestresult_p.cpp:338
    #28 0x7f15ca8f60d2 in QuickTestResult::qt_metacall(QMetaObject::Call, int, void**) .moc/moc_quicktestresult_p.cpp:484
    #29 0x7f15c7f4622d in QMetaObject::metacall(QObject*, QMetaObject::Call, int, void**) /home/mitch/dev/qt5.11/qtbase/src/corelib/kernel/qmetaobject.cpp:301
    #30 0x7f15c501434f in QQmlObjectOrGadget::metacall(QMetaObject::Call, int, void**) const /home/mitch/dev/qt5.11/qtdeclarative/src/qml/qml/qqmlpropertycache.cpp:1733
    #31 0x7f15c4d217ee in CallMethod /home/mitch/dev/qt5.11/qtdeclarative/src/qml/jsruntime/qv4qobjectwrapper.cpp:1175
    #32 0x7f15c4d233df in CallPrecise /home/mitch/dev/qt5.11/qtdeclarative/src/qml/jsruntime/qv4qobjectwrapper.cpp:1437
    #33 0x7f15c4d254ec in QV4::QObjectMethod::callInternal(QV4::Value const*, QV4::Value const*, int) const /home/mitch/dev/qt5.11/qtdeclarative/src/qml/jsruntime/qv4qobjectwrapper.cpp:1975
    #34 0x7f15c4d2628a in QV4::QObjectMethod::call(QV4::FunctionObject const*, QV4::Value const*, QV4::Value const*, int) /home/mitch/dev/qt5.11/qtdeclarative/src/qml/jsruntime/qv4qobjectwrapper.cpp:1912
    #35 0x7f15c4ddf7f2 in QV4::FunctionObject::call(QV4::Value const*, QV4::Value const*, int) const /home/mitch/dev/qt5.11/qtdeclarative/src/qml/jsruntime/qv4functionobject_p.h:163
    #36 0x7f15c4ddf7f2 in QV4::Runtime::method_callProperty(QV4::ExecutionEngine*, QV4::Value*, int, QV4::Value*, int) /home/mitch/dev/qt5.11/qtdeclarative/src/qml/jsruntime/qv4runtime.cpp:1062
    #37 0x7f15c4d80feb in QV4::Moth::VME::exec(QV4::FunctionObject const*, QV4::Value const*, QV4::Value const*, int) /home/mitch/dev/qt5.11/qtdeclarative/src/qml/jsruntime/qv4vme_moth.cpp:800
    #38 0x7f15c4a06c74 in QV4::ScriptFunction::call(QV4::FunctionObject const*, QV4::Value const*, QV4::Value const*, int) /home/mitch/dev/qt5.11/qtdeclarative/src/qml/jsruntime/qv4functionobject.cpp:408
    #39 0x7f15c4dd0c5b in QV4::FunctionObject::call(QV4::Value const*, QV4::Value const*, int) const /home/mitch/dev/qt5.11/qtdeclarative/src/qml/jsruntime/qv4functionobject_p.h:163
    #40 0x7f15c4dd0c5b in QV4::Runtime::method_callName(QV4::ExecutionEngine*, int, QV4::Value*, int) /home/mitch/dev/qt5.11/qtdeclarative/src/qml/jsruntime/qv4runtime.cpp:1030
    #41 0x7f15c4d81fce in QV4::Moth::VME::exec(QV4::FunctionObject const*, QV4::Value const*, QV4::Value const*, int) /home/mitch/dev/qt5.11/qtdeclarative/src/qml/jsruntime/qv4vme_moth.cpp:827
    #42 0x7f15c4a06c74 in QV4::ScriptFunction::call(QV4::FunctionObject const*, QV4::Value const*, QV4::Value const*, int) /home/mitch/dev/qt5.11/qtdeclarative/src/qml/jsruntime/qv4functionobject.cpp:408
    #43 0x7f15c4dd0c5b in QV4::FunctionObject::call(QV4::Value const*, QV4::Value const*, int) const /home/mitch/dev/qt5.11/qtdeclarative/src/qml/jsruntime/qv4functionobject_p.h:163
    #44 0x7f15c4dd0c5b in QV4::Runtime::method_callName(QV4::ExecutionEngine*, int, QV4::Value*, int) /home/mitch/dev/qt5.11/qtdeclarative/src/qml/jsruntime/qv4runtime.cpp:1030
    #45 0x7f15c4d81fce in QV4::Moth::VME::exec(QV4::FunctionObject const*, QV4::Value const*, QV4::Value const*, int) /home/mitch/dev/qt5.11/qtdeclarative/src/qml/jsruntime/qv4vme_moth.cpp:827
    #46 0x7f15c4a06c74 in QV4::ScriptFunction::call(QV4::FunctionObject const*, QV4::Value const*, QV4::Value const*, int) /home/mitch/dev/qt5.11/qtdeclarative/src/qml/jsruntime/qv4functionobject.cpp:408
    #47 0x7f15c4dd0c5b in QV4::FunctionObject::call(QV4::Value const*, QV4::Value const*, int) const /home/mitch/dev/qt5.11/qtdeclarative/src/qml/jsruntime/qv4functionobject_p.h:163
    #48 0x7f15c4dd0c5b in QV4::Runtime::method_callName(QV4::ExecutionEngine*, int, QV4::Value*, int) /home/mitch/dev/qt5.11/qtdeclarative/src/qml/jsruntime/qv4runtime.cpp:1030
    #49 0x7f15c4d81fce in QV4::Moth::VME::exec(QV4::FunctionObject const*, QV4::Value const*, QV4::Value const*, int) /home/mitch/dev/qt5.11/qtdeclarative/src/qml/jsruntime/qv4vme_moth.cpp:827
    #50 0x7f15c50e8796 in QV4::Moth::VME::exec(QV4::Function*, QV4::Value const*, QV4::Value const*, int, QV4::ExecutionContext const*) /home/mitch/dev/qt5.11-debug/qtbase/include/QtQml/5.11.1/QtQml/private/../../../../../../../qt5.11/qtdeclarative/src/qml/jsruntime/qv4vme_moth_p.h:72
    #51 0x7f15c50e8796 in QV4::Function::call(QV4::Value const*, QV4::Value const*, int, QV4::ExecutionContext const*) /home/mitch/dev/qt5.11-debug/qtbase/include/QtQml/5.11.1/QtQml/private/../../../../../../../qt5.11/qtdeclarative/src/qml/jsruntime/qv4function_p.h:72
    #52 0x7f15c50e8796 in QQmlJavaScriptExpression::evaluate(QV4::CallData*, bool*) /home/mitch/dev/qt5.11/qtdeclarative/src/qml/qml/qqmljavascriptexpression.cpp:217
    #53 0x7f15c4ef8a67 in QQmlBoundSignalExpression::evaluate(void**) /home/mitch/dev/qt5.11/qtdeclarative/src/qml/qml/qqmlboundsignal.cpp:237
    #54 0x7f15c4ef96b4 in QQmlBoundSignal_callback(QQmlNotifierEndpoint*, void**) /home/mitch/dev/qt5.11/qtdeclarative/src/qml/qml/qqmlboundsignal.cpp:370
    #55 0x7f15c503ce2e in QQmlNotifier::emitNotify(QQmlNotifierEndpoint*, void**) /home/mitch/dev/qt5.11/qtdeclarative/src/qml/qml/qqmlnotifier.cpp:106
    #56 0x7f15c4e71c52 in QQmlData::signalEmitted(QAbstractDeclarativeData*, QObject*, int, void**) /home/mitch/dev/qt5.11/qtdeclarative/src/qml/qml/qqmlengine.cpp:861
    #57 0x7f15c7fcf524 in QMetaObject::activate(QObject*, int, int, void**) /home/mitch/dev/qt5.11/qtbase/src/corelib/kernel/qobject.cpp:3648
    #58 0x7f15c4e57a23 in QQmlVMEMetaObject::activate(QObject*, int, void**) /home/mitch/dev/qt5.11/qtdeclarative/src/qml/qml/qqmlvmemetaobject.cpp:1246
    #59 0x7f15c4e60e9f in QQmlVMEMetaObject::metaCall(QObject*, QMetaObject::Call, int, void**) /home/mitch/dev/qt5.11/qtdeclarative/src/qml/qml/qqmlvmemetaobject.cpp:839
    #60 0x7f15c4e63aa8 in QQmlVMEMetaObject::metaCall(QObject*, QMetaObject::Call, int, void**) /home/mitch/dev/qt5.11/qtdeclarative/src/qml/qml/qqmlvmemetaobject.cpp:979
    #61 0x7f15c7f461e0 in QMetaObject::metacall(QObject*, QMetaObject::Call, int, void**) /home/mitch/dev/qt5.11/qtbase/src/corelib/kernel/qmetaobject.cpp:299
    #62 0x7f15c5113c51 in QQmlPropertyData::writeProperty(QObject*, void*, QFlags<QQmlPropertyData::WriteFlag>) const /home/mitch/dev/qt5.11-debug/qtbase/include/QtQml/5.11.1/QtQml/private/../../../../../../../qt5.11/qtdeclarative/src/qml/qml/qqmlpropertycache_p.h:350
    #63 0x7f15c5113c51 in bool GenericBinding<1>::doStore<bool>(bool, QQmlPropertyData const*, QFlags<QQmlPropertyData::WriteFlag>) const /home/mitch/dev/qt5.11/qtdeclarative/src/qml/qml/qqmlbinding.cpp:334
    #64 0x7f15c5113c51 in GenericBinding<1>::write(QV4::Value const&, bool, QFlags<QQmlPropertyData::WriteFlag>) /home/mitch/dev/qt5.11/qtdeclarative/src/qml/qml/qqmlbinding.cpp:296
    #65 0x7f15c5116001 in QQmlNonbindingBinding::doUpdate(QQmlJavaScriptExpression::DeleteWatcher const&, QFlags<QQmlPropertyData::WriteFlag>, QV4::Scope&) /home/mitch/dev/qt5.11/qtdeclarative/src/qml/qml/qqmlbinding.cpp:249
    #66 0x7f15c5108e47 in QQmlBinding::update(QFlags<QQmlPropertyData::WriteFlag>) /home/mitch/dev/qt5.11/qtdeclarative/src/qml/qml/qqmlbinding.cpp:185
    #67 0x7f15c510bcb7 in QQmlBinding::expressionChanged() /home/mitch/dev/qt5.11/qtdeclarative/src/qml/qml/qqmlbinding.cpp:527
    #68 0x7f15c50e4c2d in QQmlJavaScriptExpressionGuard_callback(QQmlNotifierEndpoint*, void**) /home/mitch/dev/qt5.11/qtdeclarative/src/qml/qml/qqmljavascriptexpression.cpp:484
    #69 0x7f15c503ce2e in QQmlNotifier::emitNotify(QQmlNotifierEndpoint*, void**) /home/mitch/dev/qt5.11/qtdeclarative/src/qml/qml/qqmlnotifier.cpp:106
    #70 0x7f15c4e71c52 in QQmlData::signalEmitted(QAbstractDeclarativeData*, QObject*, int, void**) /home/mitch/dev/qt5.11/qtdeclarative/src/qml/qml/qqmlengine.cpp:861
    #71 0x7f15c7fcf524 in QMetaObject::activate(QObject*, int, int, void**) /home/mitch/dev/qt5.11/qtbase/src/corelib/kernel/qobject.cpp:3648
    #72 0x7f15c4e57a23 in QQmlVMEMetaObject::activate(QObject*, int, void**) /home/mitch/dev/qt5.11/qtdeclarative/src/qml/qml/qqmlvmemetaobject.cpp:1246
    #73 0x7f15c4e60e9f in QQmlVMEMetaObject::metaCall(QObject*, QMetaObject::Call, int, void**) /home/mitch/dev/qt5.11/qtdeclarative/src/qml/qml/qqmlvmemetaobject.cpp:839
    #74 0x7f15c4e63aa8 in QQmlVMEMetaObject::metaCall(QObject*, QMetaObject::Call, int, void**) /home/mitch/dev/qt5.11/qtdeclarative/src/qml/qml/qqmlvmemetaobject.cpp:979
    #75 0x7f15c7f461e0 in QMetaObject::metacall(QObject*, QMetaObject::Call, int, void**) /home/mitch/dev/qt5.11/qtbase/src/corelib/kernel/qmetaobject.cpp:299
    #76 0x7f15c5113c51 in QQmlPropertyData::writeProperty(QObject*, void*, QFlags<QQmlPropertyData::WriteFlag>) const /home/mitch/dev/qt5.11-debug/qtbase/include/QtQml/5.11.1/QtQml/private/../../../../../../../qt5.11/qtdeclarative/src/qml/qml/qqmlpropertycache_p.h:350
    #77 0x7f15c5113c51 in bool GenericBinding<1>::doStore<bool>(bool, QQmlPropertyData const*, QFlags<QQmlPropertyData::WriteFlag>) const /home/mitch/dev/qt5.11/qtdeclarative/src/qml/qml/qqmlbinding.cpp:334
    #78 0x7f15c5113c51 in GenericBinding<1>::write(QV4::Value const&, bool, QFlags<QQmlPropertyData::WriteFlag>) /home/mitch/dev/qt5.11/qtdeclarative/src/qml/qml/qqmlbinding.cpp:296
    #79 0x7f15c5116001 in QQmlNonbindingBinding::doUpdate(QQmlJavaScriptExpression::DeleteWatcher const&, QFlags<QQmlPropertyData::WriteFlag>, QV4::Scope&) /home/mitch/dev/qt5.11/qtdeclarative/src/qml/qml/qqmlbinding.cpp:249
    #80 0x7f15c5108e47 in QQmlBinding::update(QFlags<QQmlPropertyData::WriteFlag>) /home/mitch/dev/qt5.11/qtdeclarative/src/qml/qml/qqmlbinding.cpp:185
    #81 0x7f15c510bcb7 in QQmlBinding::expressionChanged() /home/mitch/dev/qt5.11/qtdeclarative/src/qml/qml/qqmlbinding.cpp:527
    #82 0x7f15c50e4c2d in QQmlJavaScriptExpressionGuard_callback(QQmlNotifierEndpoint*, void**) /home/mitch/dev/qt5.11/qtdeclarative/src/qml/qml/qqmljavascriptexpression.cpp:484
    #83 0x7f15c503ce2e in QQmlNotifier::emitNotify(QQmlNotifierEndpoint*, void**) /home/mitch/dev/qt5.11/qtdeclarative/src/qml/qml/qqmlnotifier.cpp:106
    #84 0x7f15c4e71c52 in QQmlData::signalEmitted(QAbstractDeclarativeData*, QObject*, int, void**) /home/mitch/dev/qt5.11/qtdeclarative/src/qml/qml/qqmlengine.cpp:861
    #85 0x7f15c7fcf524 in QMetaObject::activate(QObject*, int, int, void**) /home/mitch/dev/qt5.11/qtbase/src/corelib/kernel/qobject.cpp:3648
    #86 0x7f15c7fd1165 in QMetaObject::activate(QObject*, QMetaObject const*, int, void**) /home/mitch/dev/qt5.11/qtbase/src/corelib/kernel/qobject.cpp:3633
    #87 0x7f15ca8a6cf9 in QTestRootObject::windowShownChanged() .moc/quicktest.moc:198
    #88 0x7f15ca8b43e9 in QTestRootObject::setWindowShown(bool) /home/mitch/dev/qt5.11/qtdeclarative/src/qmltest/quicktest.cpp:104
    #89 0x7f15ca8b43e9 in quick_test_main_with_setup(int, char**, char const*, char const*, QObject*) /home/mitch/dev/qt5.11/qtdeclarative/src/qmltest/quicktest.cpp:572
    #90 0x7f15ca8b5bff in quick_test_main(int, char**, char const*, char const*) /home/mitch/dev/qt5.11/qtdeclarative/src/qmltest/quicktest.cpp:334
    #91 0x5594b923049a in main /home/mitch/dev/qt5.11/qtquickcontrols2/tests/auto/controls/universal/tst_universal.cpp:46
    #92 0x7f15c6e27b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #93 0x5594b92301f9 in _start (/home/mitch/dev/qt5.11-debug/qtquickcontrols2/tests/auto/controls/universal/tst_universal+0x11f9)

0x61900045a2c0 is located 320 bytes inside of 960-byte region [0x61900045a180,0x61900045a540)
freed by thread T0 here:
    #0 0x7f15c98e59d8 in operator delete(void*, unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xe19d8)
    #1 0x7f15c5fc86ff in QQuickPathViewPrivate::~QQuickPathViewPrivate() /home/mitch/dev/qt5.11/qtdeclarative/src/quick/items/qquickpathview_p_p.h:74
    #2 0x7f15c7fe966e in QScopedPointerDeleter<QObjectData>::cleanup(QObjectData*) ../../include/QtCore/../../../../qt5.11/qtbase/src/corelib/tools/qscopedpointer.h:60
    #3 0x7f15c7fe966e in QScopedPointer<QObjectData, QScopedPointerDeleter<QObjectData> >::~QScopedPointer() ../../include/QtCore/../../../../qt5.11/qtbase/src/corelib/tools/qscopedpointer.h:107
    #4 0x7f15c7fe966e in QObject::~QObject() /home/mitch/dev/qt5.11/qtbase/src/corelib/kernel/qobject.cpp:884
    #5 0x7f15c5c0ca41 in QQuickItem::~QQuickItem() /home/mitch/dev/qt5.11/qtdeclarative/src/quick/items/qquickitem.cpp:2378
    #6 0x7f15c5fb54ed in QQuickPathView::~QQuickPathView() /home/mitch/dev/qt5.11/qtdeclarative/src/quick/items/qquickpathview.cpp:545
    #7 0x7f15c5c9bd56 in QQmlPrivate::QQmlElement<QQuickPathView>::~QQmlElement() /home/mitch/dev/qt5.11-debug/qtbase/include/QtQml/../../../../qt5.11/qtdeclarative/src/qml/qml/qqmlprivate.h:103
    #8 0x7f15c5c9bd56 in QQmlPrivate::QQmlElement<QQuickPathView>::~QQmlElement() /home/mitch/dev/qt5.11-debug/qtbase/include/QtQml/../../../../qt5.11/qtdeclarative/src/qml/qml/qqmlprivate.h:103
    #9 0x7f15c432387f in QQuickContainerPrivate::cleanup() /home/mitch/dev/qt5.11/qtquickcontrols2/src/quicktemplates2/qquickcontainer.cpp:220
    #10 0x7f15c432398a in QQuickContainer::~QQuickContainer() /home/mitch/dev/qt5.11/qtquickcontrols2/src/quicktemplates2/qquickcontainer.cpp:448
    #11 0x7f15ac074fa6 in QQuickTabBar::~QQuickTabBar() /home/mitch/dev/qt5.11-debug/qtbase/include/QtQuickTemplates2/5.11.1/QtQuickTemplates2/private/../../../../../../../qt5.11/qtquickcontrols2/src/quicktemplates2/qquicktabbar_p.h:59
    #12 0x7f15ac074fa6 in QQmlPrivate::QQmlElement<QQuickTabBar>::~QQmlElement() /home/mitch/dev/qt5.11-debug/qtbase/include/QtQml/../../../../qt5.11/qtdeclarative/src/qml/qml/qqmlprivate.h:103
    #13 0x7f15ac074fa6 in QQmlPrivate::QQmlElement<QQuickTabBar>::~QQmlElement() /home/mitch/dev/qt5.11-debug/qtbase/include/QtQml/../../../../qt5.11/qtdeclarative/src/qml/qml/qqmlprivate.h:103
    #14 0x7f15c7fcbe40 in qDeleteInEventHandler(QObject*) /home/mitch/dev/qt5.11/qtbase/src/corelib/kernel/qobject.cpp:4604
    #15 0x7f15c7fd214b in QObject::event(QEvent*) /home/mitch/dev/qt5.11/qtbase/src/corelib/kernel/qobject.cpp:1242
    #16 0x7f15c5c0440d in QQuickItem::event(QEvent*) /home/mitch/dev/qt5.11/qtdeclarative/src/quick/items/qquickitem.cpp:8003
    #17 0x7f15c7f234fe in QCoreApplicationPrivate::notify_helper(QObject*, QEvent*) /home/mitch/dev/qt5.11/qtbase/src/corelib/kernel/qcoreapplication.cpp:1197
    #18 0x7f15c7f2374d in doNotify /home/mitch/dev/qt5.11/qtbase/src/corelib/kernel/qcoreapplication.cpp:1138
    #19 0x7f15c7f23c1c in QCoreApplication::notify(QObject*, QEvent*) /home/mitch/dev/qt5.11/qtbase/src/corelib/kernel/qcoreapplication.cpp:1124
    #20 0x7f15c8900645 in QGuiApplication::notify(QObject*, QEvent*) /home/mitch/dev/qt5.11/qtbase/src/gui/kernel/qguiapplication.cpp:1762
    #21 0x7f15c7f239bc in QCoreApplication::notifyInternal2(QObject*, QEvent*) /home/mitch/dev/qt5.11/qtbase/src/corelib/kernel/qcoreapplication.cpp:1048
    #22 0x7f15c7f35594 in QCoreApplication::sendEvent(QObject*, QEvent*) ../../include/QtCore/../../../../qt5.11/qtbase/src/corelib/kernel/qcoreapplication.h:234
    #23 0x7f15c7f35594 in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) /home/mitch/dev/qt5.11/qtbase/src/corelib/kernel/qcoreapplication.cpp:1745
    #24 0x7f15c7f3739c in QCoreApplication::sendPostedEvents(QObject*, int) /home/mitch/dev/qt5.11/qtbase/src/corelib/kernel/qcoreapplication.cpp:1599
    #25 0x7f15ca8e850a in qWait /home/mitch/dev/qt5.11-debug/qtbase/include/QtTest/../../../../qt5.11/qtbase/src/testlib/qtestsystem.h:103
    #26 0x7f15ca8e850a in QuickTestResult::wait(int) /home/mitch/dev/qt5.11/qtdeclarative/src/qmltest/quicktestresult.cpp:635
    #27 0x7f15ca8f4b17 in QuickTestResult::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) .moc/moc_quicktestresult_p.cpp:338
    #28 0x7f15ca8f60d2 in QuickTestResult::qt_metacall(QMetaObject::Call, int, void**) .moc/moc_quicktestresult_p.cpp:484
    #29 0x7f15c7f4622d in QMetaObject::metacall(QObject*, QMetaObject::Call, int, void**) /home/mitch/dev/qt5.11/qtbase/src/corelib/kernel/qmetaobject.cpp:301
    #30 0x7f15c501434f in QQmlObjectOrGadget::metacall(QMetaObject::Call, int, void**) const /home/mitch/dev/qt5.11/qtdeclarative/src/qml/qml/qqmlpropertycache.cpp:1733
    #31 0x7f15c4d217ee in CallMethod /home/mitch/dev/qt5.11/qtdeclarative/src/qml/jsruntime/qv4qobjectwrapper.cpp:1175
    #32 0x7f15c4d233df in CallPrecise /home/mitch/dev/qt5.11/qtdeclarative/src/qml/jsruntime/qv4qobjectwrapper.cpp:1437
    #33 0x7f15c4d254ec in QV4::QObjectMethod::callInternal(QV4::Value const*, QV4::Value const*, int) const /home/mitch/dev/qt5.11/qtdeclarative/src/qml/jsruntime/qv4qobjectwrapper.cpp:1975
    #34 0x7f15c4d2628a in QV4::QObjectMethod::call(QV4::FunctionObject const*, QV4::Value const*, QV4::Value const*, int) /home/mitch/dev/qt5.11/qtdeclarative/src/qml/jsruntime/qv4qobjectwrapper.cpp:1912
    #35 0x7f15c4ddf7f2 in QV4::FunctionObject::call(QV4::Value const*, QV4::Value const*, int) const /home/mitch/dev/qt5.11/qtdeclarative/src/qml/jsruntime/qv4functionobject_p.h:163
    #36 0x7f15c4ddf7f2 in QV4::Runtime::method_callProperty(QV4::ExecutionEngine*, QV4::Value*, int, QV4::Value*, int) /home/mitch/dev/qt5.11/qtdeclarative/src/qml/jsruntime/qv4runtime.cpp:1062
    #37 0x7f15c4d80feb in QV4::Moth::VME::exec(QV4::FunctionObject const*, QV4::Value const*, QV4::Value const*, int) /home/mitch/dev/qt5.11/qtdeclarative/src/qml/jsruntime/qv4vme_moth.cpp:800

previously allocated by thread T0 here:
    #0 0x7f15c98e4458 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xe0458)
    #1 0x7f15c5fa94ba in QQuickPathView::QQuickPathView(QQuickItem*) /home/mitch/dev/qt5.11/qtdeclarative/src/quick/items/qquickpathview.cpp:539
    #2 0x7f15c5c9bbe1 in QQmlPrivate::QQmlElement<QQuickPathView>::QQmlElement() /home/mitch/dev/qt5.11-debug/qtbase/include/QtQml/../../../../qt5.11/qtdeclarative/src/qml/qml/qqmlprivate.h:98
    #3 0x7f15c5c9bbe1 in void QQmlPrivate::createInto<QQuickPathView>(void*) /home/mitch/dev/qt5.11-debug/qtbase/include/QtQml/../../../../qt5.11/qtdeclarative/src/qml/qml/qqmlprivate.h:107
    #4 0x7f15c4f33d97 in QQmlType::create(QObject**, void**, unsigned long) const /home/mitch/dev/qt5.11/qtdeclarative/src/qml/qml/qqmlmetatype.cpp:915
    #5 0x7f15c515680c in QQmlObjectCreator::createInstance(int, QObject*, bool) /home/mitch/dev/qt5.11/qtdeclarative/src/qml/qml/qqmlobjectcreator.cpp:1163
    #6 0x7f15c515b8b5 in QQmlObjectCreator::setPropertyBinding(QQmlPropertyData const*, QV4::CompiledData::Binding const*) /home/mitch/dev/qt5.11/qtdeclarative/src/qml/qml/qqmlobjectcreator.cpp:825
    #7 0x7f15c5160c46 in QQmlObjectCreator::populateDeferredBinding(QQmlProperty const&, QQmlData::DeferredData*, QV4::CompiledData::Binding const*) /home/mitch/dev/qt5.11/qtdeclarative/src/qml/qml/qqmlobjectcreator.cpp:344
    #8 0x7f15c433ab48 in beginDeferred /home/mitch/dev/qt5.11/qtquickcontrols2/src/quicktemplates2/qquickdeferredexecute.cpp:95
    #9 0x7f15c433b133 in QtQuickPrivate::beginDeferred(QObject*, QString const&) /home/mitch/dev/qt5.11/qtquickcontrols2/src/quicktemplates2/qquickdeferredexecute.cpp:118
    #10 0x7f15c42e2737 in void quickBeginDeferred<QQuickItem>(QObject*, QString const&, QQuickDeferredPointer<QQuickItem>&) /home/mitch/dev/qt5.11/qtquickcontrols2/src/quicktemplates2/qquickdeferredexecute_p_p.h:74
    #11 0x7f15c43342a8 in QQuickControlPrivate::executeContentItem(bool) /home/mitch/dev/qt5.11/qtquickcontrols2/src/quicktemplates2/qquickcontrol.cpp:650
    #12 0x7f15c43377ec in QQuickControl::componentComplete() /home/mitch/dev/qt5.11/qtquickcontrols2/src/quicktemplates2/qquickcontrol.cpp:1430
    #13 0x7f15c4324ce9 in QQuickContainer::componentComplete() /home/mitch/dev/qt5.11/qtquickcontrols2/src/quicktemplates2/qquickcontainer.cpp:749
    #14 0x7f15c441db51 in QQuickTabBar::componentComplete() /home/mitch/dev/qt5.11/qtquickcontrols2/src/quicktemplates2/qquicktabbar.cpp:375
    #15 0x7f15c515220f in QQmlObjectCreator::finalize(QQmlInstantiationInterrupt&) /home/mitch/dev/qt5.11/qtdeclarative/src/qml/qml/qqmlobjectcreator.cpp:1359
    #16 0x7f15c4ec5a53 in QQmlComponentPrivate::complete(QQmlEnginePrivate*, QQmlComponentPrivate::ConstructionState*) /home/mitch/dev/qt5.11/qtdeclarative/src/qml/qml/qqmlcomponent.cpp:924
    #17 0x7f15c4ec5dd6 in QQmlComponentPrivate::completeCreate() /home/mitch/dev/qt5.11/qtdeclarative/src/qml/qml/qqmlcomponent.cpp:959
    #18 0x7f15c4ed7afe in QQmlComponent::createObject(QQmlV4Function*) /home/mitch/dev/qt5.11/qtdeclarative/src/qml/qml/qqmlcomponent.cpp:1315
    #19 0x7f15c4ed953f in QQmlComponent::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) .moc/moc_qqmlcomponent.cpp:149
    #20 0x7f15c4ed9ee2 in QQmlComponent::qt_metacall(QMetaObject::Call, int, void**) .moc/moc_qqmlcomponent.cpp:213
    #21 0x7f15c7f4622d in QMetaObject::metacall(QObject*, QMetaObject::Call, int, void**) /home/mitch/dev/qt5.11/qtbase/src/corelib/kernel/qmetaobject.cpp:301
    #22 0x7f15c501434f in QQmlObjectOrGadget::metacall(QMetaObject::Call, int, void**) const /home/mitch/dev/qt5.11/qtdeclarative/src/qml/qml/qqmlpropertycache.cpp:1733
    #23 0x7f15c4d260d1 in QV4::QObjectMethod::callInternal(QV4::Value const*, QV4::Value const*, int) const /home/mitch/dev/qt5.11/qtdeclarative/src/qml/jsruntime/qv4qobjectwrapper.cpp:1969
    #24 0x7f15c4d2628a in QV4::QObjectMethod::call(QV4::FunctionObject const*, QV4::Value const*, QV4::Value const*, int) /home/mitch/dev/qt5.11/qtdeclarative/src/qml/jsruntime/qv4qobjectwrapper.cpp:1912
    #25 0x7f15c4ddf7f2 in QV4::FunctionObject::call(QV4::Value const*, QV4::Value const*, int) const /home/mitch/dev/qt5.11/qtdeclarative/src/qml/jsruntime/qv4functionobject_p.h:163
    #26 0x7f15c4ddf7f2 in QV4::Runtime::method_callProperty(QV4::ExecutionEngine*, QV4::Value*, int, QV4::Value*, int) /home/mitch/dev/qt5.11/qtdeclarative/src/qml/jsruntime/qv4runtime.cpp:1062
    #27 0x7f15c4d80feb in QV4::Moth::VME::exec(QV4::FunctionObject const*, QV4::Value const*, QV4::Value const*, int) /home/mitch/dev/qt5.11/qtdeclarative/src/qml/jsruntime/qv4vme_moth.cpp:800
    #28 0x7f15c4a06c74 in QV4::ScriptFunction::call(QV4::FunctionObject const*, QV4::Value const*, QV4::Value const*, int) /home/mitch/dev/qt5.11/qtdeclarative/src/qml/jsruntime/qv4functionobject.cpp:408
    #29 0x7f15c4dd0c5b in QV4::FunctionObject::call(QV4::Value const*, QV4::Value const*, int) const /home/mitch/dev/qt5.11/qtdeclarative/src/qml/jsruntime/qv4functionobject_p.h:163
    #30 0x7f15c4dd0c5b in QV4::Runtime::method_callName(QV4::ExecutionEngine*, int, QV4::Value*, int) /home/mitch/dev/qt5.11/qtdeclarative/src/qml/jsruntime/qv4runtime.cpp:1030
    #31 0x7f15c4d81fce in QV4::Moth::VME::exec(QV4::FunctionObject const*, QV4::Value const*, QV4::Value const*, int) /home/mitch/dev/qt5.11/qtdeclarative/src/qml/jsruntime/qv4vme_moth.cpp:827
    #32 0x7f15c4a06c74 in QV4::ScriptFunction::call(QV4::FunctionObject const*, QV4::Value const*, QV4::Value const*, int) /home/mitch/dev/qt5.11/qtdeclarative/src/qml/jsruntime/qv4functionobject.cpp:408

SUMMARY: AddressSanitizer: heap-use-after-free /home/mitch/dev/qt5.11/qtdeclarative/src/quick/items/qquickitem.cpp:2396 in QQuickItem::~QQuickItem()

Qt Quick-only example (click the button a few times or uncomment the timer):

import QtQml.Models 2.11
import QtQuick 2.11
import QtQuick.Window 2.2

Window {
    id: window
    width: 400
    height: 400
    visible: true

    property Item pathViewItem

    Component {
        id: pathViewComponent

        PathView {
            id: pathView
            width: 32 * 3
            height: 32
            anchors.centerIn: parent
            objectName: "PathView"
            model: objectModel

            interactive: false
            snapMode: PathView.SnapToItem
            movementDirection: PathView.Positive
            highlightMoveDuration: 100

            path: Path {
                startX: pathView.width / pathView.count / 2
                startY: pathView.height / 2
                PathLine {
                    x: pathView.width + (pathView.width / pathView.count / 2)
                    y: pathView.height / 2
                }
            }
        }
    }

    ObjectModel {
        id: objectModel

        Rectangle {
            width: 32
            height: 32
            color: "red"
        }
        Rectangle {
            width: 32
            height: 32
            color: "green"
        }
        Rectangle {
            width: 32
            height: 32
            color: "blue"
        }
    }

    function newView() {
        if (pathViewItem)
            pathViewItem.destroy()
        pathViewItem = pathViewComponent.createObject(window.contentItem)
    }

    function move(from, to) {
        objectModel.move(from, to)
    }

//    Timer {
//        running: true
//        repeat: true
//        interval: 30
//        onTriggered: {
//            newView()
//            move(0, 1)
//        }
//    }

    Text {
        text: "Reproduce bug"

        Rectangle {
            anchors.fill: parent
            anchors.margins: -10
            color: "#eee"
            z: -1

            MouseArea {
                anchors.fill: parent

                onClicked: {
                    newView()
                    move(0, 1)
                }
            }
        }
    }
}

ASAN output for the above example:

qtbug68964-qtquick-only-asan.txt

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List

qtbug68964-qtquick-only-asan.txt
25 kB
19 Jun '18 10:30

Issue Links

relates to

QTBUG-69056 Avoid duplicate item change listeners

Reported

QTBUG-99629 Improve safety/debuggability of item change listeners

Open

Gerrit Reviews

- Issue Only
- Show All Reviews
- Show Open Reviews
- Show All Issues
- Show Open Issues

For Gerrit Dashboard: QTBUG-68964
#	Subject	Branch	Project	Status	CR	V
232824,6	QQuickPathViewPrivate: fix heap-use-after-free	5.11	qt/qtdeclarative	Status: MERGED	-2	0
233239,3	QQuickPathViewPrivate: fix heap-use-after-free	5.9	qt/qtdeclarative	Status: MERGED	+2	0

heap-use-after-free in QQuickPathView

Details

Description

Attachments

Attachments

Issue Links

Gerrit Reviews

Activity

People

Dates

Gerrit Reviews