Details
-
Bug
-
Resolution: Done
-
P1: Critical
-
5.10.1, 5.11.3, 5.12.0
-
None
-
All
-
fa4b1aa6024f5f3b2d0e0502561b1eaedddd0c78 (qt/qtquickcontrols2/5.12)
Description
Self contained example attached.
Just click outside the popup and quit the application.
=================================================================
==57893==ERROR: AddressSanitizer: heap-use-after-free on address 0x6030003a1920 at pc 0x0001129aaf91 bp 0x7ffee09bcff0 sp 0x7ffee09bcfe8
READ of size 8 at 0x6030003a1920 thread T0
#0 0x1129aaf90 in QQuickItemPrivate::itemChange(QQuickItem::ItemChange, QQuickItem::ItemChangeData const&) (QtQuick:x86_64+0x36ff90)
#1 0x1129a585a in QQuickItemPrivate::removeChild(QQuickItem*) (QtQuick:x86_64+0x36a85a)
#2 0x11299cdac in QQuickItem::setParentItem(QQuickItem*) (QtQuick:x86_64+0x361dac)
#3 0x11299b67e in QQuickItem::~QQuickItem() (QtQuick:x86_64+0x36067e)
#4 0x112a4c39d in QQuickRootItem::~QQuickRootItem() (QtQuick:x86_64+0x41139d)
#5 0x112a22ca5 in QQuickWindow::~QQuickWindow() (QtQuick:x86_64+0x3e7ca5)
#6 0x10f2474f9 in main (quick_segfault:x86_64+0x1000054f9)
#7 0x7fff78d54ed8 in start (libdyld.dylib:x86_64+0x16ed8)
0x6030003a1920 is located 0 bytes inside of 32-byte region [0x6030003a1920,0x6030003a1940)
freed by thread T0 here:
#0 0x1147fb582 in wrap__ZdlPv (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x63582)
#1 0x11f364dc4 in QQuickPopup::~QQuickPopup() (QtQuickTemplates2:x86_64+0xd4dc4)
#2 0x11f823c79 in QQmlPrivate::QQmlElement<QQuickDialog>::~QQmlElement() (libqtquicktemplates2plugin.dylib:x86_64+0x91c79)
#3 0x111cbfb4b in QObjectPrivate::deleteChildren() (QtCore:x86_64+0x74fb4b)
#4 0x111cbeefd in QObject::~QObject() (QtCore:x86_64+0x74eefd)
#5 0x11299c0cf in QQuickItem::~QQuickItem() (QtQuick:x86_64+0x3610cf)
#6 0x112ad77e9 in QQmlPrivate::QQmlElement<QQuickRectangle>::~QQmlElement() (QtQuick:x86_64+0x49c7e9)
#7 0x112c2a599 in QQuickView::~QQuickView() (QtQuick:x86_64+0x5ef599)
#8 0x10f2474f9 in main (quick_segfault:x86_64+0x1000054f9)
#9 0x7fff78d54ed8 in start (libdyld.dylib:x86_64+0x16ed8)
previously allocated by thread T0 here:
#0 0x1147fafa2 in wrap__Znwm (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x62fa2)
#1 0x11f362bc1 in QQuickPopupPrivate::getPositioner() (QtQuickTemplates2:x86_64+0xd2bc1)
#2 0x11f35d8dd in QQuickPopup::setParentItem(QQuickItem*) (QtQuickTemplates2:x86_64+0xcd8dd)
#3 0x11f36f236 in QQuickPopup::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) (QtQuickTemplates2:x86_64+0xdf236)
#4 0x113bc907d in QObjectPointerBinding::write(QV4::Value const&, bool, QFlags<QQmlPropertyData::WriteFlag>) (QtQml:x86_64+0x8bb07d)
#5 0x113bc7d86 in QQmlNonbindingBinding::doUpdate(QQmlJavaScriptExpression::DeleteWatcher const&, QFlags<QQmlPropertyData::WriteFlag>, QV4::Scope&) (QtQml:x86_64+0x8b9d86)
#6 0x113bbf7f7 in QQmlBinding::update(QFlags<QQmlPropertyData::WriteFlag>) (QtQml:x86_64+0x8b17f7)
#7 0x113c0debd in QQmlObjectCreator::finalize(QQmlInstantiationInterrupt&) (QtQml:x86_64+0x8ffebd)
#8 0x113a2194f in QQmlComponentPrivate::complete(QQmlEnginePrivate*, QQmlComponentPrivate::ConstructionState*) (QtQml:x86_64+0x71394f)
#9 0x113a1a74d in QQmlComponentPrivate::completeCreate() (QtQml:x86_64+0x70c74d)
#10 0x113a1fe55 in QQmlComponent::create(QQmlContext*) (QtQml:x86_64+0x711e55)
#11 0x112c281c1 in QQuickView::continueExecute() (QtQuick:x86_64+0x5ed1c1)
#12 0x112c27972 in QQuickViewPrivate::execute() (QtQuick:x86_64+0x5ec972)
#13 0x10f247466 in main (quick_segfault:x86_64+0x100005466)
#14 0x7fff78d54ed8 in start (libdyld.dylib:x86_64+0x16ed8)
SUMMARY: AddressSanitizer: heap-use-after-free (QtQuick:x86_64+0x36ff90) in QQuickItemPrivate::itemChange(QQuickItem::ItemChange, QQuickItem::ItemChangeData const&)
Shadow bytes around the buggy address:
0x1c06000742d0: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
0x1c06000742e0: fa fa fd fd fd fd fa fa fd fd fd fd fa fa 00 00
0x1c06000742f0: 00 00 fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa
0x1c0600074300: 00 00 00 00 fa fa 00 00 00 fa fa fa 00 00 00 fa
0x1c0600074310: fa fa 00 00 00 00 fa fa 00 00 00 fa fa fa 00 00
=>0x1c0600074320: 00 fa fa fa[fd]fd fd fd fa fa fd fd fd fd fa fa
0x1c0600074330: fd fd fd fd fa fa 00 00 00 00 fa fa 00 00 00 00
0x1c0600074340: fa fa fd fd fd fd fa fa fd fd fd fa fa fa fd fd
0x1c0600074350: fd fa fa fa 00 00 00 fa fa fa fd fd fd fd fa fa
0x1c0600074360: fd fd fd fa fa fa fd fd fd fa fa fa fd fd fd fd
0x1c0600074370: fa fa 00 00 00 fa fa fa fd fd fd fd fa fa 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==57893==ABORTING
I also have a segfault when calling QQuickView::setSource at runtime
1 ?? 0x555556441d70
2 QQuickItemPrivate::itemChange(QQuickItem::ItemChange, QQuickItem::ItemChangeData const&) 0x7ffff74da43f
3 QQuickItemPrivate::addChild(QQuickItem *) 0x7ffff74e4e5f
4 QQuickItem::setParentItem(QQuickItem *) 0x7ffff74e6bd7
5 QQuickViewPrivate::setRootObject(QObject *) 0x7ffff758a53f
6 QQuickView::continueExecute() 0x7ffff758b123
7 QQuickViewPrivate::execute() 0x7ffff758b3af
8 App::createFixture
I cannot really work in this way 