Loading...

XML

Word

Printable

Type: Bug
Resolution: Done
Priority: P1: Critical
Fix Version/s: 5.12.5, 5.13.1, 5.14.0 Alpha
Affects Version/s: 5.12
Component/s: QML: Declarative and Javascript Engine, Quick: Controls 2
Labels:
- earmarked_by_ulf

Commits:
abfa03d7021aabe22f46a04d2b9d9f6adff2478a (qt/qtdeclarative/5.12)

We've been seeing this for a while now in auto tests.

tst_font::systemFont() was skipped: https://codereview.qt-project.org/#/c/240515/
tst_font::font() was skipped: https://codereview.qt-project.org/#/c/243380/

After both of those were in, tst_QQuickDrawer started crashing (see patch set 9): https://codereview.qt-project.org/#/c/242444/

When running tst_QQuickDrawer locally on 10.14, I get this trace:

08:35:32: Starting /Users/mitch/dev/qt5.12-fw/qtquickcontrols2/tests/auto/qquickdrawer/tst_qquickdrawer...
QML debugging is enabled. Only use this in a safe environment.
********* Start testing of tst_QQuickDrawer *********
Config: Using QtTest library 5.12.0, Qt 5.12.0 (x86_64-little_endian-lp64 shared (dynamic) debug build; by Clang 10.0.0 (clang-1000.11.45.2) (Apple))
PASS   : tst_QQuickDrawer::Default::initTestCase()
PASS   : tst_QQuickDrawer::Default::defaults()
PASS   : tst_QQuickDrawer::Default::invalidEdge()
[snip]
PASS   : tst_QQuickDrawer::Fusion::slider(mouse,delta)
PASS   : tst_QQuickDrawer::Fusion::cleanupTestCase()
=================================================================
==27601==ERROR: AddressSanitizer: heap-use-after-free on address 0x6060003b80b8 at pc 0x0001153477de bp 0x7ffee2ead3d0 sp 0x7ffee2eacb48
READ of size 25 at 0x6060003b80b8 thread T0
    #0 0x1153477dd in printf_common(void*, char const*, __va_list_tag*) (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x267dd)
    #1 0x1153479a9 in wrap_vsnprintf (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x269a9)
    #2 0x113c0423c in qvsnprintf(char*, unsigned long, char const*, __va_list_tag*) qvsnprintf.cpp:97
    #3 0x10f6173f8 in QTest::qt_asprintf(QTestCharBuffer*, char const*, ...) qabstracttestlogger.cpp:171
    #4 0x10f61788b in QTestPrivate::generateTestIdentifier(QTestCharBuffer*, int) qabstracttestlogger.cpp:208
    #5 0x10f60a165 in QPlainTestLogger::printMessage(char const*, char const*, char const*, int) qplaintestlogger.cpp:243
    #6 0x10f60c579 in QPlainTestLogger::addMessage(QAbstractTestLogger::MessageTypes, QString const&, char const*, int) qplaintestlogger.cpp:399
    #7 0x10f616f16 in QAbstractTestLogger::addMessage(QtMsgType, QMessageLogContext const&, QString const&) qabstracttestlogger.cpp:146
    #8 0x10f60c3c5 in QPlainTestLogger::addMessage(QtMsgType, QMessageLogContext const&, QString const&) qplaintestlogger.cpp:389
    #9 0x10f5f74b0 in QTest::TestLoggers::addMessage(QtMsgType, QMessageLogContext const&, QString const&) qtestlog.cpp:238
    #10 0x10f5f5622 in QTest::messageHandler(QtMsgType, QMessageLogContext const&, QString const&) qtestlog.cpp:326
    #11 0x1138d5c6b in qt_message_print(QtMsgType, QMessageLogContext const&, QString const&) qlogging.cpp:1829
    #12 0x1138c5472 in qt_message(QtMsgType, QMessageLogContext const&, char const*, __va_list_tag*) qlogging.cpp:372
    #13 0x1138c7aa5 in QMessageLogger::warning(char const*, ...) const qlogging.cpp:650
    #14 0x1126e1444 in qmlClearEnginePlugins() qqmlimport.cpp:234
    #15 0x1125afa5a in qmlClearTypeRegistrations() qqmlmetatype.cpp:1634
    #16 0x10cda06e2 in runTests(QObject*, int, char**) qtest_quickcontrols.h:60
    #17 0x10cda0247 in main tst_qquickdrawer.cpp:1319
    #18 0x7fff63afa084 in start (libdyld.dylib:x86_64+0x17084)

0x6060003b80b8 is located 24 bytes inside of 64-byte region [0x6060003b80a0,0x6060003b80e0)
freed by thread T0 here:
    #0 0x11537810d in wrap_free (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x5710d)
    #1 0x113957241 in QArrayData::deallocate(QArrayData*, unsigned long, unsigned long) qarraydata.cpp:167
    #2 0x10cda1252 in QTypedArrayData<char>::deallocate(QArrayData*) qarraydata.h:239
    #3 0x10cda1187 in QByteArray::~QByteArray() qbytearray.h:476
    #4 0x10cd55104 in QByteArray::~QByteArray() qbytearray.h:476
    #5 0x10cda07b7 in runTests(QObject*, int, char**) qtest_quickcontrols.h:65
    #6 0x10cda0247 in main tst_qquickdrawer.cpp:1319
    #7 0x7fff63afa084 in start (libdyld.dylib:x86_64+0x17084)

previously allocated by thread T0 here:
    #0 0x115377f53 in wrap_malloc (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x56f53)
    #1 0x11395600f in QArrayData::allocate(unsigned long, unsigned long, unsigned long, QFlags<QArrayData::AllocationOption>) qarraydata.cpp:118
    #2 0x11396175a in QTypedArrayData<char>::allocate(unsigned long, QFlags<QArrayData::AllocationOption>) qarraydata.h:224
    #3 0x113962ad0 in QByteArray::reallocData(unsigned int, QFlags<QArrayData::AllocationOption>) qbytearray.cpp:1905
    #4 0x113965575 in QByteArray::append(QByteArray const&) qbytearray.cpp:2064
    #5 0x10cdbed8c in QByteArray::operator+=(QByteArray const&) qbytearray.h:593
    #6 0x10cdbd924 in operator+(QByteArray const&, QByteArray const&) qbytearray.h:658
    #7 0x10cda074b in runTests(QObject*, int, char**) qtest_quickcontrols.h:62
    #8 0x10cda0247 in main tst_qquickdrawer.cpp:1319
    #9 0x7fff63afa084 in start (libdyld.dylib:x86_64+0x17084)

SUMMARY: AddressSanitizer: heap-use-after-free (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x267dd) in printf_common(void*, char const*, __va_list_tag*)
Shadow bytes around the buggy address:
  0x1c0c00076fc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0c00076fd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0c00076fe0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0c00076ff0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0c00077000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x1c0c00077010: fa fa fa fa fd fd fd[fd]fd fd fd fd fa fa fa fa
  0x1c0c00077020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0c00077030: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x1c0c00077040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0c00077050: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
  0x1c0c00077060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==27601==ABORTING
08:36:25: The program has unexpectedly finished.
08:36:25: The process was ended forcefully.
08:36:26: /Users/mitch/dev/qt5.12-fw/qtquickcontrols2/tests/auto/qquickdrawer/tst_qquickdrawer crashed.

is required for

QTBUG-71066 QML MenuItem disappear after highlighting using Instantiator

Closed

relates to

QTBUG-69509 Errors when calling qmlClearTypeRegistrations() to switch Qt Quick Controls 2 styles

Reported

QTBUG-69440 QQuickStylePlugin crashes when calling qmlClearTypeRegistrations

Closed

QTBUG-70063 tst_font::font(Control) crash on macOS 10.13

Closed

QTBUG-73165 tst_customization::comboPopup() failed on Linux Ubuntu_16_04 (gcc-x86_64)

Closed

- Issue Only
- Show All Reviews
- Show Open Reviews
- Show All Issues
- Show Open Issues

For Gerrit Dashboard: QTBUG-71387
#	Subject	Branch	Project	Status	CR	V
243834,1	WIP: Fix crash after calling qmlClearTypeRegistrations()	5.12	qt/qtquickcontrols2	Status: ABANDONED	-2	0
243836,3	Fix heap-use-after-free in tst_QQuickDrawer	5.12	qt/qtquickcontrols2	Status: MERGED	+2	0
247303,8	Unregister unit cache hook when destroying the plugin singleton	5.12	qt/qtdeclarative	Status: MERGED	+2	0
262575,1	WIP: When clearing plugins, don't actually unload them	5.12	qt/qtdeclarative	Status: ABANDONED	-2	0