Uploaded image for project: 'Qt'
  1. Qt
  2. QTBUG-71387

Crash after calling qmlClearTypeRegistrations()

    XMLWordPrintable

Details

    • abfa03d7021aabe22f46a04d2b9d9f6adff2478a (qt/qtdeclarative/5.12)

    Description

      We've been seeing this for a while now in auto tests.

      After both of those were in, tst_QQuickDrawer started crashing (see patch set 9): https://codereview.qt-project.org/#/c/242444/

      When running tst_QQuickDrawer locally on 10.14, I get this trace:

      08:35:32: Starting /Users/mitch/dev/qt5.12-fw/qtquickcontrols2/tests/auto/qquickdrawer/tst_qquickdrawer...
QML debugging is enabled. Only use this in a safe environment.
********* Start testing of tst_QQuickDrawer *********
Config: Using QtTest library 5.12.0, Qt 5.12.0 (x86_64-little_endian-lp64 shared (dynamic) debug build; by Clang 10.0.0 (clang-1000.11.45.2) (Apple))
PASS   : tst_QQuickDrawer::Default::initTestCase()
PASS   : tst_QQuickDrawer::Default::defaults()
PASS   : tst_QQuickDrawer::Default::invalidEdge()
[snip]
PASS   : tst_QQuickDrawer::Fusion::slider(mouse,delta)
PASS   : tst_QQuickDrawer::Fusion::cleanupTestCase()
=================================================================
==27601==ERROR: AddressSanitizer: heap-use-after-free on address 0x6060003b80b8 at pc 0x0001153477de bp 0x7ffee2ead3d0 sp 0x7ffee2eacb48
READ of size 25 at 0x6060003b80b8 thread T0
    #0 0x1153477dd in printf_common(void*, char const*, __va_list_tag*) (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x267dd)
    #1 0x1153479a9 in wrap_vsnprintf (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x269a9)
    #2 0x113c0423c in qvsnprintf(char*, unsigned long, char const*, __va_list_tag*) qvsnprintf.cpp:97
    #3 0x10f6173f8 in QTest::qt_asprintf(QTestCharBuffer*, char const*, ...) qabstracttestlogger.cpp:171
    #4 0x10f61788b in QTestPrivate::generateTestIdentifier(QTestCharBuffer*, int) qabstracttestlogger.cpp:208
    #5 0x10f60a165 in QPlainTestLogger::printMessage(char const*, char const*, char const*, int) qplaintestlogger.cpp:243
    #6 0x10f60c579 in QPlainTestLogger::addMessage(QAbstractTestLogger::MessageTypes, QString const&, char const*, int) qplaintestlogger.cpp:399
    #7 0x10f616f16 in QAbstractTestLogger::addMessage(QtMsgType, QMessageLogContext const&, QString const&) qabstracttestlogger.cpp:146
    #8 0x10f60c3c5 in QPlainTestLogger::addMessage(QtMsgType, QMessageLogContext const&, QString const&) qplaintestlogger.cpp:389
    #9 0x10f5f74b0 in QTest::TestLoggers::addMessage(QtMsgType, QMessageLogContext const&, QString const&) qtestlog.cpp:238
    #10 0x10f5f5622 in QTest::messageHandler(QtMsgType, QMessageLogContext const&, QString const&) qtestlog.cpp:326
    #11 0x1138d5c6b in qt_message_print(QtMsgType, QMessageLogContext const&, QString const&) qlogging.cpp:1829
    #12 0x1138c5472 in qt_message(QtMsgType, QMessageLogContext const&, char const*, __va_list_tag*) qlogging.cpp:372
    #13 0x1138c7aa5 in QMessageLogger::warning(char const*, ...) const qlogging.cpp:650
    #14 0x1126e1444 in qmlClearEnginePlugins() qqmlimport.cpp:234
    #15 0x1125afa5a in qmlClearTypeRegistrations() qqmlmetatype.cpp:1634
    #16 0x10cda06e2 in runTests(QObject*, int, char**) qtest_quickcontrols.h:60
    #17 0x10cda0247 in main tst_qquickdrawer.cpp:1319
    #18 0x7fff63afa084 in start (libdyld.dylib:x86_64+0x17084)

0x6060003b80b8 is located 24 bytes inside of 64-byte region [0x6060003b80a0,0x6060003b80e0)
freed by thread T0 here:
    #0 0x11537810d in wrap_free (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x5710d)
    #1 0x113957241 in QArrayData::deallocate(QArrayData*, unsigned long, unsigned long) qarraydata.cpp:167
    #2 0x10cda1252 in QTypedArrayData<char>::deallocate(QArrayData*) qarraydata.h:239
    #3 0x10cda1187 in QByteArray::~QByteArray() qbytearray.h:476
    #4 0x10cd55104 in QByteArray::~QByteArray() qbytearray.h:476
    #5 0x10cda07b7 in runTests(QObject*, int, char**) qtest_quickcontrols.h:65
    #6 0x10cda0247 in main tst_qquickdrawer.cpp:1319
    #7 0x7fff63afa084 in start (libdyld.dylib:x86_64+0x17084)

previously allocated by thread T0 here:
    #0 0x115377f53 in wrap_malloc (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x56f53)
    #1 0x11395600f in QArrayData::allocate(unsigned long, unsigned long, unsigned long, QFlags<QArrayData::AllocationOption>) qarraydata.cpp:118
    #2 0x11396175a in QTypedArrayData<char>::allocate(unsigned long, QFlags<QArrayData::AllocationOption>) qarraydata.h:224
    #3 0x113962ad0 in QByteArray::reallocData(unsigned int, QFlags<QArrayData::AllocationOption>) qbytearray.cpp:1905
    #4 0x113965575 in QByteArray::append(QByteArray const&) qbytearray.cpp:2064
    #5 0x10cdbed8c in QByteArray::operator+=(QByteArray const&) qbytearray.h:593
    #6 0x10cdbd924 in operator+(QByteArray const&, QByteArray const&) qbytearray.h:658
    #7 0x10cda074b in runTests(QObject*, int, char**) qtest_quickcontrols.h:62
    #8 0x10cda0247 in main tst_qquickdrawer.cpp:1319
    #9 0x7fff63afa084 in start (libdyld.dylib:x86_64+0x17084)

SUMMARY: AddressSanitizer: heap-use-after-free (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x267dd) in printf_common(void*, char const*, __va_list_tag*)
Shadow bytes around the buggy address:
  0x1c0c00076fc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0c00076fd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0c00076fe0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0c00076ff0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0c00077000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x1c0c00077010: fa fa fa fa fd fd fd[fd]fd fd fd fd fa fa fa fa
  0x1c0c00077020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0c00077030: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x1c0c00077040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0c00077050: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
  0x1c0c00077060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==27601==ABORTING
08:36:25: The program has unexpectedly finished.
08:36:25: The process was ended forcefully.
08:36:26: /Users/mitch/dev/qt5.12-fw/qtquickcontrols2/tests/auto/qquickdrawer/tst_qquickdrawer crashed.

      Attachments

        Issue Links

          is required for

          Bug - A problem which impairs or prevents the functions of the product. QTBUG-71066 QML MenuItem disappear after highlighting using Instantiator

          • P1: Critical - Urgent and Important, will STOP the release if matched with set FixVersion field. This includes regressions from the last version that are not edge cases; Data loss; Build issues; All but the most unlikely crashes/lockups/hanging; Serious usability issues and embarrassing bugs & Bugs critical to a deliverable. This is the highest possible priority for requirements.
          • Closed
          relates to

          Bug - A problem which impairs or prevents the functions of the product. QTBUG-69509 Errors when calling qmlClearTypeRegistrations() to switch Qt Quick Controls 2 styles

          • P2: Important - Urgent, should be fixed, but will not stop the release.
          • Reported

          Bug - A problem which impairs or prevents the functions of the product. QTBUG-69440 QQuickStylePlugin crashes when calling qmlClearTypeRegistrations

          • P1: Critical - Urgent and Important, will STOP the release if matched with set FixVersion field. This includes regressions from the last version that are not edge cases; Data loss; Build issues; All but the most unlikely crashes/lockups/hanging; Serious usability issues and embarrassing bugs & Bugs critical to a deliverable. This is the highest possible priority for requirements.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. QTBUG-70063 tst_font::font(Control) crash on macOS 10.13

          • P1: Critical - Urgent and Important, will STOP the release if matched with set FixVersion field. This includes regressions from the last version that are not edge cases; Data loss; Build issues; All but the most unlikely crashes/lockups/hanging; Serious usability issues and embarrassing bugs & Bugs critical to a deliverable. This is the highest possible priority for requirements.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. QTBUG-73165 tst_customization::comboPopup() failed on Linux Ubuntu_16_04 (gcc-x86_64)

          • P1: Critical - Urgent and Important, will STOP the release if matched with set FixVersion field. This includes regressions from the last version that are not edge cases; Data loss; Build issues; All but the most unlikely crashes/lockups/hanging; Serious usability issues and embarrassing bugs & Bugs critical to a deliverable. This is the highest possible priority for requirements.
          • Closed
          No reviews matched the request. Check your Options in the drop-down menu of this sections header.

          Activity

            People

              ulherman Ulf Hermann
              mitch_curtis Mitch Curtis
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Gerrit Reviews

                  There are no open Gerrit changes