QTBUG-72241

heap-use-after-free in tst_qquickdrawer


Details

    • Linux/X11, macOS
    • 1d88e9919ff837d535f9bbde53613b6a6b96fcd8 (qt/qtdeclarative/5.12)

    Description

      This is with the latest 5.12 (ea725e1b54e5a28fb7c37f23acfdd95e6269624a). Reverting b17091b0006e41c0bb4ddf77dbbc09621d809aea makes the heap-use-after-free go away (though I'm then faced with another crash, but that may be unrelated).

      16:30:11: Starting /Users/mitch/dev/qt5.12-fw/qtquickcontrols2/tests/auto/qquickdrawer/tst_qquickdrawer...
      QML debugging is enabled. Only use this in a safe environment.
      ********* Start testing of tst_QQuickDrawer *********
      Config: Using QtTest library 5.12.0, Qt 5.12.0 (x86_64-little_endian-lp64 shared (dynamic) debug build; by Clang 10.0.0 (clang-1000.11.45.2) (Apple))
      PASS   : tst_QQuickDrawer::Default::initTestCase()
      =================================================================
      ==30815==ERROR: AddressSanitizer: heap-use-after-free on address 0x610000043680 at pc 0x00010ef56c45 bp 0x7ffee7c5a680 sp 0x7ffee7c5a678
      READ of size 8 at 0x610000043680 thread T0
          #0 0x10ef56c44 in QQmlPrivate::qdeclarativeelement_destructor(QObject*) qqmlengine.cpp:758
          #1 0x11d1e7208 in QQmlPrivate::QQmlElement<QQuickDrawer>::~QQmlElement() qqmlprivate.h:102
          #2 0x11d1e70e4 in QQmlPrivate::QQmlElement<QQuickDrawer>::~QQmlElement() qqmlprivate.h:101
          #3 0x11d1e7108 in QQmlPrivate::QQmlElement<QQuickDrawer>::~QQmlElement() qqmlprivate.h:101
          #4 0x10d410af5 in QObjectPrivate::deleteChildren() qobject.cpp:2006
          #5 0x10d40ff62 in QObject::~QObject() qobject.cpp:1032
          #6 0x108ae16ed in QQuickItem::~QQuickItem() qquickitem.cpp:2443
          #7 0x108bc2b64 in QQuickRootItem::~QQuickRootItem() qquickwindow_p.h:87
          #8 0x108bbc8f4 in QQuickRootItem::~QQuickRootItem() qquickwindow_p.h:87
          #9 0x108bbc918 in QQuickRootItem::~QQuickRootItem() qquickwindow_p.h:87
          #10 0x108b8f670 in QQuickWindow::~QQuickWindow() qquickwindow.cpp:1342
          #11 0x108f20d6e in QQuickWindowQmlImpl::~QQuickWindowQmlImpl() qquickwindowmodule_p.h:63
          #12 0x108f27dad in QQmlPrivate::QQmlElement<QQuickWindowQmlImpl>::~QQmlElement() qqmlprivate.h:103
          #13 0x108f27bf4 in QQmlPrivate::QQmlElement<QQuickWindowQmlImpl>::~QQmlElement() qqmlprivate.h:101
          #14 0x108f27c18 in QQmlPrivate::QQmlElement<QQuickWindowQmlImpl>::~QQmlElement() qqmlprivate.h:101
          #15 0x107ff5a9e in QScopedPointerDeleter<QObject>::cleanup(QObject*) qscopedpointer.h:60
          #16 0x10801127f in QScopedPointer<QObject, QScopedPointerDeleter<QObject> >::~QScopedPointer() qscopedpointer.h:107
          #17 0x107fa8814 in QScopedPointer<QObject, QScopedPointerDeleter<QObject> >::~QScopedPointer() qscopedpointer.h:105
          #18 0x107fa7e77 in tst_QQuickDrawer::defaults() tst_qquickdrawer.cpp:150
          #19 0x107ff2b2b in tst_QQuickDrawer::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) tst_qquickdrawer.moc:171
          #20 0x10d34a684 in QMetaMethod::invoke(QObject*, Qt::ConnectionType, QGenericReturnArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument) const qmetaobject.cpp:2288
          #21 0x10c6770fb in QMetaMethod::invoke(QObject*, Qt::ConnectionType, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument) const qmetaobject.h:122
          #22 0x10c67544e in QTest::TestMethods::invokeTestOnData(int) const qtestcase.cpp:915
          #23 0x10c678b5a in QTest::TestMethods::invokeTest(int, char const*, QTest::WatchDog*) const qtestcase.cpp:1114
          #24 0x10c67ebc1 in QTest::TestMethods::invokeTests(QObject*) const qtestcase.cpp:1456
          #25 0x10c6828e4 in QTest::qRun() qtestcase.cpp:1896
          #26 0x107ff2775 in runTests(QObject*, int, char**) qtest_quickcontrols.h:68
          #27 0x107ff21c7 in main tst_qquickdrawer.cpp:1319
          #28 0x7fff5986808c in start (libdyld.dylib:x86_64+0x1708c)
      
      0x610000043680 is located 64 bytes inside of 184-byte region [0x610000043640,0x6100000436f8)
      freed by thread T0 here:
          #0 0x110311582 in wrap__ZdlPv (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x63582)
          #1 0x10efd36f3 in QQmlContextData::destroy() qqmlcontext.cpp:675
          #2 0x10ea175c3 in QQmlContextDataRef::clear() qqmlcontext_p.h:342
          #3 0x10eab899e in QQmlContextDataRef::setContextData(QQmlContextData*) qqmlcontext_p.h:326
          #4 0x10eaa8cee in QQmlContextDataRef::operator=(QQmlContextData*) qqmlcontext_p.h:349
          #5 0x10ef56b56 in QQmlPrivate::qdeclarativeelement_destructor(QObject*) qqmlengine.cpp:754
          #6 0x108f27da1 in QQmlPrivate::QQmlElement<QQuickWindowQmlImpl>::~QQmlElement() qqmlprivate.h:102
          #7 0x108f27bf4 in QQmlPrivate::QQmlElement<QQuickWindowQmlImpl>::~QQmlElement() qqmlprivate.h:101
          #8 0x108f27c18 in QQmlPrivate::QQmlElement<QQuickWindowQmlImpl>::~QQmlElement() qqmlprivate.h:101
          #9 0x107ff5a9e in QScopedPointerDeleter<QObject>::cleanup(QObject*) qscopedpointer.h:60
          #10 0x10801127f in QScopedPointer<QObject, QScopedPointerDeleter<QObject> >::~QScopedPointer() qscopedpointer.h:107
          #11 0x107fa8814 in QScopedPointer<QObject, QScopedPointerDeleter<QObject> >::~QScopedPointer() qscopedpointer.h:105
          #12 0x107fa7e77 in tst_QQuickDrawer::defaults() tst_qquickdrawer.cpp:150
          #13 0x107ff2b2b in tst_QQuickDrawer::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) tst_qquickdrawer.moc:171
          #14 0x10d34a684 in QMetaMethod::invoke(QObject*, Qt::ConnectionType, QGenericReturnArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument) const qmetaobject.cpp:2288
          #15 0x10c6770fb in QMetaMethod::invoke(QObject*, Qt::ConnectionType, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument) const qmetaobject.h:122
          #16 0x10c67544e in QTest::TestMethods::invokeTestOnData(int) const qtestcase.cpp:915
          #17 0x10c678b5a in QTest::TestMethods::invokeTest(int, char const*, QTest::WatchDog*) const qtestcase.cpp:1114
          #18 0x10c67ebc1 in QTest::TestMethods::invokeTests(QObject*) const qtestcase.cpp:1456
          #19 0x10c6828e4 in QTest::qRun() qtestcase.cpp:1896
          #20 0x107ff2775 in runTests(QObject*, int, char**) qtest_quickcontrols.h:68
          #21 0x107ff21c7 in main tst_qquickdrawer.cpp:1319
          #22 0x7fff5986808c in start (libdyld.dylib:x86_64+0x1708c)
      
      previously allocated by thread T0 here:
          #0 0x110310fa2 in wrap__Znwm (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x62fa2)
          #1 0x10f1e0223 in QQmlObjectCreator::create(int, QObject*, QQmlInstantiationInterrupt*) qqmlobjectcreator.cpp:173
          #2 0x10efbcdb5 in QQmlComponentPrivate::beginCreate(QQmlContextData*) qqmlcomponent.cpp:871
          #3 0x10efbc533 in QQmlComponent::beginCreate(QQmlContext*) qqmlcomponent.cpp:823
          #4 0x10efbc35b in QQmlComponent::create(QQmlContext*) qqmlcomponent.cpp:783
          #5 0x107fa756a in tst_QQuickDrawer::defaults() tst_qquickdrawer.cpp:142
          #6 0x107ff2b2b in tst_QQuickDrawer::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) tst_qquickdrawer.moc:171
          #7 0x10d34a684 in QMetaMethod::invoke(QObject*, Qt::ConnectionType, QGenericReturnArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument) const qmetaobject.cpp:2288
          #8 0x10c6770fb in QMetaMethod::invoke(QObject*, Qt::ConnectionType, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument, QGenericArgument) const qmetaobject.h:122
          #9 0x10c67544e in QTest::TestMethods::invokeTestOnData(int) const qtestcase.cpp:915
          #10 0x10c678b5a in QTest::TestMethods::invokeTest(int, char const*, QTest::WatchDog*) const qtestcase.cpp:1114
          #11 0x10c67ebc1 in QTest::TestMethods::invokeTests(QObject*) const qtestcase.cpp:1456
          #12 0x10c6828e4 in QTest::qRun() qtestcase.cpp:1896
          #13 0x107ff2775 in runTests(QObject*, int, char**) qtest_quickcontrols.h:68
          #14 0x107ff21c7 in main tst_qquickdrawer.cpp:1319
          #15 0x7fff5986808c in start (libdyld.dylib:x86_64+0x1708c)
      
      SUMMARY: AddressSanitizer: heap-use-after-free qqmlengine.cpp:758 in QQmlPrivate::qdeclarativeelement_destructor(QObject*)
      Shadow bytes around the buggy address:
        0x1c2000008680: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
        0x1c2000008690: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x1c20000086a0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
        0x1c20000086b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa
        0x1c20000086c0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
      =>0x1c20000086d0:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
        0x1c20000086e0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
        0x1c20000086f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x1c2000008700: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
        0x1c2000008710: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa
        0x1c2000008720: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
      ==30815==ABORTING
      16:30:15: The program has unexpectedly finished.
      16:30:15: The process was ended forcefully.
      16:30:15: /Users/mitch/dev/qt5.12-fw/qtquickcontrols2/tests/auto/qquickdrawer/tst_qquickdrawer crashed.
      

          People

            ulherman Ulf Hermann
            mitch_curtis Mitch Curtis
            Votes: 0
            Watchers: 2
