Qt / QTBUG-84768

heap-buffer-overflow in mapbox gl


Details

    • Bug
    • Resolution: Out of scope
    • P1: Critical
    • None
    • 5.15.0, 5.15.1
    • Linux/X11

    Description

      I have created a QML application that shows a geographic map using Mapbox GL. While the app runs fine in practice when I compile it in "debug" or "release" mode, it seems to contain a serious memory access error that is caught as soon as I enable CLANG's memory access sanitiser, by compiling the app with the flags

      CMAKE_CXX_FLAGS="-fsanitize=address -fsanitize=undefined -Werror -Wall -Wextra"

      Once I start the application, CLANG reports a heap-buffer-overflow in QSGRenderThread and aborts the program. I attach CLANG's detailed error report.

      Sincerely,

      Stefan Kebekus

      ==6922==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603001d6a83d at pc 0x0000004ea7d9 bp 0x7f29f87d1660 sp 0x7f29f87d0e10
      READ of size 7 at 0x603001d6a83d thread T19 (QSGRenderThread)
      #0 0x4ea7d8 in MemcmpInterceptorCommon(void*, int (void const*, void const*, unsigned long), void const*, void const*, unsigned long) (/home/kebekus/Software/projects/enroute/build-linux-debug/src/enroute+0x4ea7d8)
      #1 0x4eaef8 in memcmp (/home/kebekus/Software/projects/enroute/build-linux-debug/src/enroute+0x4eaef8)
      #2 0x7f29f8cb2098 in bool std::__equal<true>::equal<char>(char const*, char const*, char const*) /opt/rh/devtoolset-4/root/usr/include/c++/5.3.1/bits/stl_algobase.h:826
      #3 0x7f29f8cb2098 in bool std::__equal_aux<char const*, char const*>(char const*, char const*, char const*) /opt/rh/devtoolset-4/root/usr/include/c++/5.3.1/bits/stl_algobase.h:843
      #4 0x7f29f8cb2098 in bool std::equal<char const*, __gnu_cxx::__normal_iterator<char const*, std::string> >(char const*, char const*, __gnu_cxx::__normal_iterator<char const*, std::string>) /opt/rh/devtoolset-4/root/usr/include/c++/5.3.1/bits/stl_algobase.h:1065
      #5 0x7f29f8cb2098 in mbgl::style::expression::isFeatureConstant(mbgl::style::expression::Expression const&) /home/qt/work/qt/qtlocation/src/3rdparty/mapbox-gl-native/src/mbgl/style/expression/is_constant.cpp:20
      #6 0x7f29f8cb21bb in operator() /home/qt/work/qt/qtlocation/src/3rdparty/mapbox-gl-native/src/mbgl/style/expression/is_constant.cpp:41
      #7 0x7f29f8cb21bb in std::_Function_handler<void (mbgl::style::expression::Expression const&), mbgl::style::expression::isFeatureConstant(mbgl::style::expression::Expression const&)::'lambda'(mbgl::style::expression::Expression const&)>::_M_invoke(std::_Any_data const&, mbgl::style::expression::Expression const&) /opt/rh/devtoolset-4/root/usr/include/c++/5.3.1/functional:1871
      #8 0x7f29f8e9e49a in std::function<void (mbgl::style::expression::Expression const&)>::operator()(mbgl::style::expression::Expression const&) const /opt/rh/devtoolset-4/root/usr/include/c++/5.3.1/functional:2267
      #9 0x7f29f8e9e49a in mbgl::style::expression::Interpolate::eachChild(std::function<void (mbgl::style::expression::Expression const&)> const&) const /home/qt/work/qt/qtlocation/src/3rdparty/mapbox-gl-native/include/mbgl/style/expression/interpolate.hpp:30
      #10 0x7f29f8cb1fa6 in mbgl::style::expression::isFeatureConstant(mbgl::style::expression::Expression const&) /home/qt/work/qt/qtlocation/src/3rdparty/mapbox-gl-native/src/mbgl/style/expression/is_constant.cpp:44
      #11 0x7f29f8c74d3c in mbgl::style::PropertyExpression<mbgl::Color>::isFeatureConstant() const /home/qt/work/qt/qtlocation/src/3rdparty/mapbox-gl-native/include/mbgl/style/property_expression.hpp:25
      #12 0x7f29f8c74d3c in mbgl::style::conversion::Converter<mbgl::style::DataDrivenPropertyValue<mbgl::Color>, void>::operator()(mbgl::style::conversion::Convertible const&, mbgl::style::conversion::Error&, bool) const /home/qt/work/qt/qtlocation/src/3rdparty/mapbox-gl-native/include/mbgl/style/conversion/data_driven_property_value.hpp:48
      #13 0x7f29f8c76bde in std::experimental::optional<mbgl::style::DataDrivenPropertyValue<mbgl::Color> > mbgl::style::conversion::convert<mbgl::style::DataDrivenPropertyValue<mbgl::Color>, bool>(mbgl::style::conversion::Convertible const&, mbgl::style::conversion::Error&, bool&&) /home/qt/work/qt/qtlocation/src/3rdparty/mapbox-gl-native/include/mbgl/style/conversion.hpp:301
      #14 0x7f29f8c76bde in std::experimental::optional<mbgl::style::conversion::Error> mbgl::style::conversion::setProperty<mbgl::style::FillLayer, mbgl::style::DataDrivenPropertyValue<mbgl::Color>, &(mbgl::style::FillLayer::setFillColor(mbgl::style::DataDrivenPropertyValue<mbgl::Color>)), false>(mbgl::style::Layer&, mbgl::style::conversion::Convertible const&) /home/qt/work/qt/qtlocation/src/3rdparty/mapbox-gl-native/src/mbgl/style/conversion/property_setter.hpp:28
      #15 0x7f29f8c451be in mbgl::style::conversion::setPaintProperty(mbgl::style::Layer&, std::string const&, mbgl::style::conversion::Convertible const&) /home/qt/work/qt/qtlocation/src/3rdparty/mapbox-gl-native/src/mbgl/style/conversion/layer.cpp:34
      #16 0x7f29f8c4525b in operator() /home/qt/work/qt/qtlocation/src/3rdparty/mapbox-gl-native/src/mbgl/style/conversion/layer.cpp:47
      #17 0x7f29f8c4525b in std::_Function_handler<std::experimental::optional<mbgl::style::conversion::Error> (std::string const&, mbgl::style::conversion::Convertible const&), mbgl::style::conversion::setPaintProperties(mbgl::style::Layer&, mbgl::style::conversion::Convertible const&)::'lambda'(std::string const&, mbgl::style::conversion::Convertible const&)>::_M_invoke(std::_Any_data const&, std::string const&, mbgl::style::conversion::Convertible const&) /opt/rh/devtoolset-4/root/usr/include/c++/5.3.1/functional:1857
      #18 0x7f29f8c37c4c in std::function<std::experimental::optional<mbgl::style::conversion::Error> (std::string const&, mbgl::style::conversion::Convertible const&)>::operator()(std::string const&, mbgl::style::conversion::Convertible const&) const /opt/rh/devtoolset-4/root/usr/include/c++/5.3.1/functional:2267
      #19 0x7f29f8c37c4c in auto mbgl::style::conversion::Convertible::vtableEachMember<rapidjson::GenericValue<rapidjson::UTF8<char>, rapidjson::CrtAllocator> const*>(std::aligned_storage<32ul, 8ul>::type const&, std::function<std::experimental::optional<mbgl::style::conversion::Error> (std::string const&, mbgl::style::conversion::Convertible const&)> const&)::'lambda'(std::string const&, rapidjson::GenericValue<rapidjson::UTF8<char>, rapidjson::CrtAllocator> const*&&)::operator()(std::string const&, rapidjson::GenericValue<rapidjson::UTF8<char>, rapidjson::CrtAllocator> const*&&) const /home/qt/work/qt/qtlocation/src/3rdparty/mapbox-gl-native/include/mbgl/style/conversion.hpp:231
      #20 0x7f29f8c37c4c in std::experimental::optional<mbgl::style::conversion::Error> mbgl::style::conversion::ConversionTraits<rapidjson::GenericValue<rapidjson::UTF8<char>, rapidjson::CrtAllocator> const*>::eachMember<auto mbgl::style::conversion::Convertible::vtableEachMember<rapidjson::GenericValue<rapidjson::UTF8<char>, rapidjson::CrtAllocator> const*>(std::aligned_storage<32ul, 8ul>::type const&, std::function<std::experimental::optional<mbgl::style::conversion::Error> (std::string const&, mbgl::style::conversion::Convertible const&)> const&)::'lambda'(std::string const&, rapidjson::GenericValue<rapidjson::UTF8<char>, rapidjson::CrtAllocator> const*&&)>(rapidjson::GenericValue<rapidjson::UTF8<char>, rapidjson::CrtAllocator> const*, rapidjson::GenericValue<rapidjson::UTF8<char>, rapidjson::CrtAllocator> const*&&) /home/qt/work/qt/qtlocation/src/3rdparty/mapbox-gl-native/src/mbgl/style/rapidjson_conversion.hpp:49
      #21 0x7f29f8c37c4c in auto mbgl::style::conversion::Convertible::vtableEachMember<rapidjson::GenericValue<rapidjson::UTF8<char>, rapidjson::CrtAllocator> const*>(std::aligned_storage<32ul, 8ul>::type const&, std::function<std::experimental::optional<mbgl::style::conversion::Error> (std::string const&, mbgl::style::conversion::Convertible const&)> const&) /home/qt/work/qt/qtlocation/src/3rdparty/mapbox-gl-native/include/mbgl/style/conversion.hpp:231
      #22 0x7f29f8c44fcb in mbgl::style::conversion::eachMember(mbgl::style::conversion::Convertible const&, std::function<std::experimental::optional<mbgl::style::conversion::Error> (std::string const&, mbgl::style::conversion::Convertible const&)> const&) /home/qt/work/qt/qtlocation/src/3rdparty/mapbox-gl-native/include/mbgl/style/conversion.hpp:155
      #23 0x7f29f8c44fcb in mbgl::style::conversion::setPaintProperties(mbgl::style::Layer&, mbgl::style::conversion::Convertible const&) /home/qt/work/qt/qtlocation/src/3rdparty/mapbox-gl-native/src/mbgl/style/conversion/layer.cpp:47
      #24 0x7f29f8c45a0e in mbgl::style::conversion::Converter<std::unique_ptr<mbgl::style::Layer, std::default_delete<mbgl::style::Layer> >, void>::operator()(mbgl::style::conversion::Convertible const&, mbgl::style::conversion::Error&) const /home/qt/work/qt/qtlocation/src/3rdparty/mapbox-gl-native/src/mbgl/style/conversion/layer.cpp:221
      #25 0x7f29f8ec11e2 in std::experimental::optional<std::unique_ptr<mbgl::style::Layer, std::default_delete<mbgl::style::Layer> > > mbgl::style::conversion::convert<std::unique_ptr<mbgl::style::Layer, std::default_delete<mbgl::style::Layer> > >(mbgl::style::conversion::Convertible const&, mbgl::style::conversion::Error&) /home/qt/work/qt/qtlocation/src/3rdparty/mapbox-gl-native/include/mbgl/style/conversion.hpp:301
      #26 0x7f29f8ec11e2 in std::experimental::optional<std::unique_ptr<mbgl::style::Layer, std::default_delete<mbgl::style::Layer> > > mbgl::style::conversion::convert<std::unique_ptr<mbgl::style::Layer, std::default_delete<mbgl::style::Layer> > >(rapidjson::GenericValue<rapidjson::UTF8<char>, rapidjson::CrtAllocator> const&, mbgl::style::conversion::Error&) /home/qt/work/qt/qtlocation/src/3rdparty/mapbox-gl-native/src/mbgl/style/rapidjson_conversion.hpp:119
      #27 0x7f29f8ebe114 in mbgl::style::Parser::parseLayer(std::string const&, rapidjson::GenericValue<rapidjson::UTF8<char>, rapidjson::CrtAllocator> const&, std::unique_ptr<mbgl::style::Layer, std::default_delete<mbgl::style::Layer> >&) /home/qt/work/qt/qtlocation/src/3rdparty/mapbox-gl-native/src/mbgl/style/parser.cpp:267
      #28 0x7f29f8ebf043 in mbgl::style::Parser::parseLayers(rapidjson::GenericValue<rapidjson::UTF8<char>, rapidjson::CrtAllocator> const&) /home/qt/work/qt/qtlocation/src/3rdparty/mapbox-gl-native/src/mbgl/style/parser.cpp:212
      #29 0x7f29f8ec0bbc in mbgl::style::Parser::parse(std::string const&) /home/qt/work/qt/qtlocation/src/3rdparty/mapbox-gl-native/src/mbgl/style/parser.cpp:105
      #30 0x7f29f8d70d1b in mbgl::style::Style::Impl::parse(std::string const&) /home/qt/work/qt/qtlocation/src/3rdparty/mapbox-gl-native/src/mbgl/style/style_impl.cpp:79
      #31 0x7f29f8d71f37 in operator() /home/qt/work/qt/qtlocation/src/3rdparty/mapbox-gl-native/src/mbgl/style/style_impl.cpp:71
      #32 0x7f29f8d71f37 in std::_Function_handler<void (mbgl::Response), mbgl::style::Style::Impl::loadURL(std::string const&)::'lambda'(mbgl::Response)>::_M_invoke(std::_Any_data const&, mbgl::Response&&) /opt/rh/devtoolset-4/root/usr/include/c++/5.3.1/functional:1871
      #33 0x7f29f8daafb1 in std::function<void (mbgl::Response)>::operator()(mbgl::Response) const /opt/rh/devtoolset-4/root/usr/include/c++/5.3.1/functional:2267
      #34 0x7f29f8daafb1 in mbgl::FileSourceRequest::setResponse(mbgl::Response const&) /home/qt/work/qt/qtlocation/src/3rdparty/mapbox-gl-native/platform/default/file_source_request.cpp:30
      #35 0x7f29f8c07ddf in mbgl::Mailbox::receive() /home/qt/work/qt/qtlocation/src/3rdparty/mapbox-gl-native/src/mbgl/actor/mailbox.cpp:85
      #36 0x7f29f8c08008 in mbgl::Mailbox::maybeReceive(std::weak_ptr<mbgl::Mailbox>) /home/qt/work/qt/qtlocation/src/3rdparty/mapbox-gl-native/src/mbgl/actor/mailbox.cpp:94
      #37 0x7f29f8c06bd2 in mbgl::util::RunLoop::schedule(std::weak_ptr<mbgl::Mailbox>)::'lambda'()::operator()() const /home/qt/work/qt/qtlocation/src/3rdparty/mapbox-gl-native/include/mbgl/util/run_loop.hpp:78
      #38 0x7f29f8c06bd2 in void mbgl::WorkTaskImpl<mbgl::util::RunLoop::schedule(std::weak_ptr<mbgl::Mailbox>)::'lambda'(), std::tuple<> >::invoke<>(std::integer_sequence<unsigned long>) /home/qt/work/qt/qtlocation/src/3rdparty/mapbox-gl-native/include/mbgl/util/work_task_impl.hpp:43
      #39 0x7f29f8c06bd2 in mbgl::WorkTaskImpl<mbgl::util::RunLoop::schedule(std::weak_ptr<mbgl::Mailbox>)::'lambda'(), std::tuple<> >::operator()() /home/qt/work/qt/qtlocation/src/3rdparty/mapbox-gl-native/include/mbgl/util/work_task_impl.hpp:23
      #40 0x7f29f8c07425 in mbgl::util::RunLoop::process() /home/qt/work/qt/qtlocation/src/3rdparty/mapbox-gl-native/include/mbgl/util/run_loop.hpp:117
      #41 0x7f2a24f76cf2 in QObject::event(QEvent*) /home/qt/work/qt/qtbase/src/corelib/kernel/qobject.cpp:1314
      #42 0x7f2a262e713b in QApplicationPrivate::notify_helper(QObject*, QEvent*) /home/qt/work/qt/qtbase/src/widgets/kernel/qapplication.cpp:3671
      #43 0x7f2a262edd0f in QApplication::notify(QObject*, QEvent*) /home/qt/work/qt/qtbase/src/widgets/kernel/qapplication.cpp:3417
      #44 0x7f2a24f478f7 in QCoreApplication::notifyInternal2(QObject*, QEvent*) /home/qt/work/qt/qtbase/src/corelib/kernel/qcoreapplication.cpp:1061
      #45 0x7f2a24f4a961 in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) /home/qt/work/qt/qtbase/src/corelib/kernel/qcoreapplication.cpp:1815
      #46 0x7f2a24fa3a82 in postEventSourceDispatch(_GSource*, int (void*), void*) /home/qt/work/qt/qtbase/src/corelib/kernel/qeventdispatcher_glib.cpp:277
      #47 0x7f2a2231c7ae in g_main_context_dispatch (/lib64/libglib-2.0.so.0+0x527ae)
      #48 0x7f2a2231cb37 (/lib64/libglib-2.0.so.0+0x52b37)
      #49 0x7f2a2231cc02 in g_main_context_iteration (/lib64/libglib-2.0.so.0+0x52c02)
      #50 0x7f2a24fa311b in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) /home/qt/work/qt/qtbase/src/corelib/kernel/qeventdispatcher_glib.cpp:423
      #51 0x7f2a27bbed99 in QSGRenderThread::run() /home/qt/work/qt/qtdeclarative/src/quick/scenegraph/qsgthreadedrenderloop.cpp:1048
      #52 0x7f2a24d60414 in QThreadPrivate::start(void*) /home/qt/work/qt/qtbase/src/corelib/thread/qthread_unix.cpp:342
      #53 0x7f2a2492b431 in start_thread (/lib64/libpthread.so.0+0x9431)
      #54 0x7f2a2482a9d2 in clone (/lib64/libc.so.6+0x1019d2)

      0x603001d6a83d is located 0 bytes to the right of 29-byte region [0x603001d6a820,0x603001d6a83d)
      allocated by thread T0 here:
      #0 0x541457 in operator new(unsigned long) (/home/kebekus/Software/projects/enroute/build-linux-debug/src/enroute+0x541457)
      #1 0x7f2a24b50f50 (/lib64/libstdc++.so.6+0xc6f50)

      Thread T19 (QSGRenderThread) created by T0 here:
      #0 0x484fe6 in pthread_create (/home/kebekus/Software/projects/enroute/build-linux-debug/src/enroute+0x484fe6)
      #1 0x7f2a24d5fcf0 in QThread::start(QThread::Priority) /home/qt/work/qt/qtbase/src/corelib/thread/qthread_unix.cpp:716

      SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/kebekus/Software/projects/enroute/build-linux-debug/src/enroute+0x4ea7d8) in MemcmpInterceptorCommon(void*, int (void const*, void const*, unsigned long), void const*, void const*, unsigned long)
      Shadow bytes around the buggy address:
      0x0c06803a54b0: fd fd fd fa fa fa fd fd fd fa fa fa fd fd fd fa
      0x0c06803a54c0: fa fa fd fd fd fa fa fa fd fd fd fa fa fa fd fd
      0x0c06803a54d0: fd fa fa fa fd fd fd fa fa fa fd fd fd fa fa fa
      0x0c06803a54e0: fd fd fd fa fa fa fd fd fd fa fa fa fd fd fd fa
      0x0c06803a54f0: fa fa fd fd fd fa fa fa fd fd fd fa fa fa 00 00
      =>0x0c06803a5500: 00 04 fa fa 00 00 00[05]fa fa 00 00 00 04 fa fa
      0x0c06803a5510: 00 00 00 04 fa fa 00 00 00 00 fa fa 00 00 00 04
      0x0c06803a5520: fa fa 00 00 00 04 fa fa 00 00 00 00 fa fa 00 00
      0x0c06803a5530: 00 03 fa fa 00 00 00 02 fa fa 00 00 00 02 fa fa
      0x0c06803a5540: 00 00 00 00 fa fa 00 00 00 02 fa fa 00 00 00 02
      0x0c06803a5550: fa fa 00 00 00 02 fa fa 00 00 00 00 fa fa 00 00
      Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable: 00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone: fa
      Freed heap region: fd
      Stack left redzone: f1
      Stack mid redzone: f2
      Stack right redzone: f3
      Stack after return: f5
      Stack use after scope: f8
      Global redzone: f9
      Global init order: f6
      Poisoned by user: f7
      Container overflow: fc
      Array cookie: ac
      Intra object redzone: bb
      ASan internal: fe
      Left alloca redzone: ca
      Right alloca redzone: cb
      Shadow gap: cc
      ==6922==ABORTING
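Frame #4 of the trace above is the three-iterator `std::equal` overload comparing a `char const*` range against a `std::string` iterator, and the summary reports a 7-byte READ that starts exactly at the end of a 29-byte heap block. The page does not establish the root cause inside mapbox-gl-native, so the following is an added illustration of the hazard that overload carries in general: it is written for this page and is not code from mapbox-gl-native, Qt, or the reporter's application. The function names and the sample strings are assumptions chosen for the demonstration.

```cpp
// Added illustration for this bug report; not code from mapbox-gl-native,
// Qt, or the reporter's application. Function names and sample strings are
// assumptions chosen for the demonstration.
#include <algorithm>
#include <cstdio>
#include <cstring>
#include <string>

// Three-iterator std::equal, the overload seen in frame #4 of the ASan trace.
// It walks [lit, lit + len) and reads exactly len bytes starting at
// s.begin(); s.size() is never consulted. If s is shorter than lit, the read
// runs past s's buffer (AddressSanitizer reports it as a heap-buffer-overflow
// READ inside the memcmp interceptor, frames #0 and #1 of the report). If s
// is longer, the call quietly degenerates to a prefix test. Deliberately
// unsafe; kept only to show the pattern.
bool unsafeNameEquals(const std::string& s, const char* lit) {
    return std::equal(lit, lit + std::strlen(lit), s.begin());
}

// Length-aware version: the four-iterator overload (C++14) stops at the end
// of whichever range is shorter, so it can neither over-read nor accept a
// prefix. `s == lit` would behave the same; the explicit form shows the fix.
bool safeNameEquals(const std::string& s, const char* lit) {
    return std::equal(lit, lit + std::strlen(lit), s.begin(), s.end());
}

// True when the two comparisons disagree on an input that keeps the unsafe
// call within bounds (s at least as long as lit): the prefix false positive.
// The short-input case is guarded out because it is undefined behaviour;
// remove the guard and build with -fsanitize=address to see the over-read.
bool prefixFalsePositive(const std::string& s, const char* lit) {
    if (s.size() < std::strlen(lit)) {
        return false;  // refuse to trigger the over-read outside an ASan build
    }
    return unsafeNameEquals(s, lit) && !safeNameEquals(s, lit);
}

int main() {
    // Constructed inputs (not taken from any real style JSON); long enough to
    // be heap-allocated rather than held in the small-string buffer.
    const std::string exact("geometry-type-placeholder");
    const std::string extended("geometry-type-placeholder-extended");
    std::printf("exact    unsafe=%d safe=%d\n",
                unsafeNameEquals(exact, "geometry-type-placeholder"),
                safeNameEquals(exact, "geometry-type-placeholder"));
    std::printf("extended unsafe=%d safe=%d prefixFalsePositive=%d\n",
                unsafeNameEquals(extended, "geometry-type-placeholder"),
                safeNameEquals(extended, "geometry-type-placeholder"),
                prefixFalsePositive(extended, "geometry-type-placeholder"));
    return 0;
}
```

Build it the same way the reporter built the application, e.g. `clang++ -std=c++14 -g -fno-omit-frame-pointer -fsanitize=address -fsanitize=undefined`; `-g` and `-fno-omit-frame-pointer` are what turn the unsymbolized `binary+offset` frames (#0, #1 and the allocation site) into file and line references. Calling `unsafeNameEquals` with a heap-allocated string shorter than the literal under that build reproduces the memcmp-interceptor frames of the report; the length-checked overload, or plain `operator==`, removes both the over-read and the prefix false positive.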

          People

            Assignee: Paolo Angelelli (paangele)
            Reporter: Stefan Kebekus (skebekus)
            Votes: 2
            Watchers: 5


              Gerrit Reviews

                There are no open Gerrit changes