Details
- Type: Bug
- Resolution: Done
- Priority: P1: Critical
- Affects Version/s: 5.10.1, 5.11.3, 5.12.0
- Commits: fa4b1aa6024f5f3b2d0e0502561b1eaedddd0c78 (qt/qtquickcontrols2/5.12)
Description
Self-contained example attached.
Just click outside the popup and quit the application.
```
=================================================================
==57893==ERROR: AddressSanitizer: heap-use-after-free on address 0x6030003a1920 at pc 0x0001129aaf91 bp 0x7ffee09bcff0 sp 0x7ffee09bcfe8
READ of size 8 at 0x6030003a1920 thread T0
    #0 0x1129aaf90 in QQuickItemPrivate::itemChange(QQuickItem::ItemChange, QQuickItem::ItemChangeData const&) (QtQuick:x86_64+0x36ff90)
    #1 0x1129a585a in QQuickItemPrivate::removeChild(QQuickItem*) (QtQuick:x86_64+0x36a85a)
    #2 0x11299cdac in QQuickItem::setParentItem(QQuickItem*) (QtQuick:x86_64+0x361dac)
    #3 0x11299b67e in QQuickItem::~QQuickItem() (QtQuick:x86_64+0x36067e)
    #4 0x112a4c39d in QQuickRootItem::~QQuickRootItem() (QtQuick:x86_64+0x41139d)
    #5 0x112a22ca5 in QQuickWindow::~QQuickWindow() (QtQuick:x86_64+0x3e7ca5)
    #6 0x10f2474f9 in main (quick_segfault:x86_64+0x1000054f9)
    #7 0x7fff78d54ed8 in start (libdyld.dylib:x86_64+0x16ed8)

0x6030003a1920 is located 0 bytes inside of 32-byte region [0x6030003a1920,0x6030003a1940)
freed by thread T0 here:
    #0 0x1147fb582 in wrap__ZdlPv (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x63582)
    #1 0x11f364dc4 in QQuickPopup::~QQuickPopup() (QtQuickTemplates2:x86_64+0xd4dc4)
    #2 0x11f823c79 in QQmlPrivate::QQmlElement<QQuickDialog>::~QQmlElement() (libqtquicktemplates2plugin.dylib:x86_64+0x91c79)
    #3 0x111cbfb4b in QObjectPrivate::deleteChildren() (QtCore:x86_64+0x74fb4b)
    #4 0x111cbeefd in QObject::~QObject() (QtCore:x86_64+0x74eefd)
    #5 0x11299c0cf in QQuickItem::~QQuickItem() (QtQuick:x86_64+0x3610cf)
    #6 0x112ad77e9 in QQmlPrivate::QQmlElement<QQuickRectangle>::~QQmlElement() (QtQuick:x86_64+0x49c7e9)
    #7 0x112c2a599 in QQuickView::~QQuickView() (QtQuick:x86_64+0x5ef599)
    #8 0x10f2474f9 in main (quick_segfault:x86_64+0x1000054f9)
    #9 0x7fff78d54ed8 in start (libdyld.dylib:x86_64+0x16ed8)

previously allocated by thread T0 here:
    #0 0x1147fafa2 in wrap__Znwm (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x62fa2)
    #1 0x11f362bc1 in QQuickPopupPrivate::getPositioner() (QtQuickTemplates2:x86_64+0xd2bc1)
    #2 0x11f35d8dd in QQuickPopup::setParentItem(QQuickItem*) (QtQuickTemplates2:x86_64+0xcd8dd)
    #3 0x11f36f236 in QQuickPopup::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) (QtQuickTemplates2:x86_64+0xdf236)
    #4 0x113bc907d in QObjectPointerBinding::write(QV4::Value const&, bool, QFlags<QQmlPropertyData::WriteFlag>) (QtQml:x86_64+0x8bb07d)
    #5 0x113bc7d86 in QQmlNonbindingBinding::doUpdate(QQmlJavaScriptExpression::DeleteWatcher const&, QFlags<QQmlPropertyData::WriteFlag>, QV4::Scope&) (QtQml:x86_64+0x8b9d86)
    #6 0x113bbf7f7 in QQmlBinding::update(QFlags<QQmlPropertyData::WriteFlag>) (QtQml:x86_64+0x8b17f7)
    #7 0x113c0debd in QQmlObjectCreator::finalize(QQmlInstantiationInterrupt&) (QtQml:x86_64+0x8ffebd)
    #8 0x113a2194f in QQmlComponentPrivate::complete(QQmlEnginePrivate*, QQmlComponentPrivate::ConstructionState*) (QtQml:x86_64+0x71394f)
    #9 0x113a1a74d in QQmlComponentPrivate::completeCreate() (QtQml:x86_64+0x70c74d)
    #10 0x113a1fe55 in QQmlComponent::create(QQmlContext*) (QtQml:x86_64+0x711e55)
    #11 0x112c281c1 in QQuickView::continueExecute() (QtQuick:x86_64+0x5ed1c1)
    #12 0x112c27972 in QQuickViewPrivate::execute() (QtQuick:x86_64+0x5ec972)
    #13 0x10f247466 in main (quick_segfault:x86_64+0x100005466)
    #14 0x7fff78d54ed8 in start (libdyld.dylib:x86_64+0x16ed8)

SUMMARY: AddressSanitizer: heap-use-after-free (QtQuick:x86_64+0x36ff90) in QQuickItemPrivate::itemChange(QQuickItem::ItemChange, QQuickItem::ItemChangeData const&)
Shadow bytes around the buggy address:
  0x1c06000742d0: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
  0x1c06000742e0: fa fa fd fd fd fd fa fa fd fd fd fd fa fa 00 00
  0x1c06000742f0: 00 00 fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa
  0x1c0600074300: 00 00 00 00 fa fa 00 00 00 fa fa fa 00 00 00 fa
  0x1c0600074310: fa fa 00 00 00 00 fa fa 00 00 00 fa fa fa 00 00
=>0x1c0600074320: 00 fa fa fa[fd]fd fd fd fa fa fd fd fd fd fa fa
  0x1c0600074330: fd fd fd fd fa fa 00 00 00 00 fa fa 00 00 00 00
  0x1c0600074340: fa fa fd fd fd fd fa fa fd fd fd fa fa fa fd fd
  0x1c0600074350: fd fa fa fa 00 00 00 fa fa fa fd fd fd fd fa fa
  0x1c0600074360: fd fd fd fa fa fa fd fd fd fa fa fa fd fd fd fd
  0x1c0600074370: fa fa 00 00 00 fa fa fa fd fd fd fd fa fa 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==57893==ABORTING
```
I also have a segfault when calling QQuickView::setSource at runtime
```
1 ??                                                                               0x555556441d70
2 QQuickItemPrivate::itemChange(QQuickItem::ItemChange, QQuickItem::ItemChangeData const&) 0x7ffff74da43f
3 QQuickItemPrivate::addChild(QQuickItem *)                                         0x7ffff74e4e5f
4 QQuickItem::setParentItem(QQuickItem *)                                           0x7ffff74e6bd7
5 QQuickViewPrivate::setRootObject(QObject *)                                       0x7ffff758a53f
6 QQuickView::continueExecute()                                                     0x7ffff758b123
7 QQuickViewPrivate::execute()                                                      0x7ffff758b3af
8 App::createFixture
```
I cannot really work in this way
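The ASan trace above has the classic shape of an observer that outlives its registration: the positioner is allocated in QQuickPopupPrivate::getPositioner(), freed from QQuickPopup::~QQuickPopup() while QObject::deleteChildren() tears down the QML root object, and then read from QQuickItemPrivate::itemChange() when the window's root item detaches its remaining children. The following is an added illustration written for this page, not Qt's code: Item, ChangeListener, Positioner and Popup are stand-ins for QQuickItem, QQuickItemChangeListener, QQuickPopupPositioner and QQuickPopup, ownership is simplified (the overlay is kept alive past the root item only to keep the example short), and a live-listener set plays the role ASan plays in the real run so the stale call is counted rather than executed. The `fixed` switch shows the lifetime the merged change restores, with each registration removed in the positioner's destructor.

```cpp
// Added illustration for this report, not Qt code: Item, ChangeListener,
// Positioner and Popup are stand-ins for QQuickItem, QQuickItemChangeListener,
// QQuickPopupPositioner and QQuickPopup. Only the registration and
// destruction order visible in the ASan trace is modelled.
#include <algorithm>
#include <cstdio>
#include <memory>
#include <set>
#include <vector>

struct Item;
struct Popup;

struct ChangeListener {
    virtual ~ChangeListener() = default;
    virtual void itemChildRemoved(Item* parent) = 0;
};

// Addresses of listeners that are currently alive. removeChild() consults it so
// the demo counts calls that would touch freed memory instead of making them
// (in the real program AddressSanitizer is what catches that call).
static std::set<const ChangeListener*> g_liveListeners;
static int g_danglingNotifications = 0;

struct Item {
    Item* parentItem = nullptr;
    std::vector<Item*> children;             // non-owning, like QQuickItem's child list
    std::vector<ChangeListener*> listeners;  // non-owning, like QQuickItemPrivate's
    Popup* popup = nullptr;                  // a QObject child this item owns

    explicit Item(Item* parent = nullptr) { setParentItem(parent); }
    ~Item();

    void setParentItem(Item* parent) {
        if (parentItem) parentItem->removeChild(this);
        parentItem = parent;
        if (parent) parent->children.push_back(this);
    }

    // Like QQuickItemPrivate::removeChild: drop the child and notify every
    // registered listener (QQuickItemPrivate::itemChange in the trace).
    void removeChild(Item* child) {
        children.erase(std::remove(children.begin(), children.end(), child), children.end());
        for (ChangeListener* l : std::vector<ChangeListener*>(listeners)) {
            if (g_liveListeners.count(l) == 0) { ++g_danglingNotifications; continue; }
            l->itemChildRemoved(this);
        }
    }
    void addListener(ChangeListener* l) { listeners.push_back(l); }
    void removeListener(ChangeListener* l) {
        listeners.erase(std::remove(listeners.begin(), listeners.end(), l), listeners.end());
    }
};

// The positioner registers on the popup's parent item and on each ancestor so
// it can reposition the popup when any of them changes. `unregisterOnDestroy`
// switches between the faulty lifetime (registrations outlive the object)
// and the corrected one.
struct Positioner : ChangeListener {
    std::vector<Item*> watched;
    bool unregisterOnDestroy;
    int notifications = 0;

    Positioner(Item* parent, bool unregister) : unregisterOnDestroy(unregister) {
        g_liveListeners.insert(this);
        for (Item* it = parent; it; it = it->parentItem) {
            it->addListener(this);
            watched.push_back(it);
        }
    }
    ~Positioner() override {
        if (unregisterOnDestroy)                            // the fix
            for (Item* it : watched) it->removeListener(this);
        g_liveListeners.erase(this);  // without the loop, every watched item keeps our address
    }
    void itemChildRemoved(Item*) override { ++notifications; }
};

// The popup owns its positioner and frees it in its destructor.
struct Popup {
    std::unique_ptr<Positioner> positioner;
    Popup(Item* parentItem, bool fixed) : positioner(new Positioner(parentItem, fixed)) {}
};

// QQuickItem::~QQuickItem detaches from its parent and detaches its children
// first; only afterwards does QObject::~QObject delete QObject children such
// as the popup. That order is what leaves the root with a stale listener.
Item::~Item() {
    setParentItem(nullptr);
    for (Item* child : std::vector<Item*>(children)) child->setParentItem(nullptr);
    delete popup;
}

// Teardown in the order of the trace: the view deletes the QML root object
// (rect) first, then the window destroys its root item, whose remaining child
// (the overlay) is detached with a notification to every listener.
// Returns how many notifications would have gone to a freed positioner.
int danglingNotificationsOnTeardown(bool fixed) {
    g_danglingNotifications = 0;
    std::unique_ptr<Item> overlay;  // outlives root here only to keep the demo short
    {
        Item root;
        overlay = std::make_unique<Item>(&root);
        {
            Item rect(&root);
            rect.popup = new Popup(&rect, fixed);
        }   // rect detaches from root, then deletes popup and positioner
    }       // root detaches overlay -> notifies listeners, including the freed one
    return g_danglingNotifications;
}

int main() {
    std::printf("buggy: %d dangling notification(s)\n", danglingNotificationsOnTeardown(false));
    std::printf("fixed: %d dangling notification(s)\n", danglingNotificationsOnTeardown(true));
    return 0;
}
```

The check to carry over to real code is the one the demo's `Positioner` destructor makes explicit: any object that hands a raw pointer to a longer-lived item's listener list must remove every such registration before it is freed, and a build with `-fsanitize=address` on the attached reproducer is the quickest way to confirm that no stale registration remains once the fix is applied.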
For Gerrit Dashboard: QTBUG-72746

| # | Subject | Branch | Project | Status | CR | V |
|---|---|---|---|---|---|---|
| 249377,2 | QQuickPopupPositioner: fix crash on application exit | 5.12 | qt/qtquickcontrols2 | MERGED | +2 | 0 |