QTBUG-85389

heap-use-after-free when unloading QGtk3ThemePlugin during auto test


    Details

    • Type: Bug
    • Status: Closed
    • Priority: P1: Critical
    • Resolution: Duplicate
    • Affects Version/s: 6.0 (Next Major Release)
    • Fix Version/s: None
    • Component/s: Core: Other
    • Labels: None
    • Environment: Ubuntu 18.04.3

      Description

      When running qtquickcontrols2/tests/auto/sanity/tst_sanity attachedObjects:"material/Dialog.qml" I get a heap-use-after-free:

      13:21:23: Starting /home/mitch/dev/qt-dev2-debug/qtquickcontrols2/tests/auto/sanity/tst_sanity attachedObjects:"material/Dialog.qml"...
      ********* Start testing of tst_Sanity *********
      Config: Using QtTest library 6.0.0, Qt 6.0.0 (x86_64-little_endian-lp64 shared (dynamic) debug build; by GCC 7.5.0)
      PASS   : tst_Sanity::initTestCase()
      FAIL!  : tst_Sanity::attachedObjects(material/Dialog.qml) '!classNames.contains(className)' returned FALSE. (Multiple QQuickMaterialStyle instances)
         Loc: [/home/mitch/dev/qt-dev2/qtquickcontrols2/tests/auto/sanity/tst_sanity.cpp(361)]
      PASS   : tst_Sanity::cleanupTestCase()
      Totals: 2 passed, 1 failed, 0 skipped, 0 blacklisted, 297ms
      ********* Finished testing of tst_Sanity *********
      =================================================================
      ==11061==ERROR: AddressSanitizer: heap-use-after-free on address 0x60f000000040 at pc 0x7fa7e20b462b bp 0x7ffe0241c7f0 sp 0x7ffe0241c7e0
      WRITE of size 4 at 0x60f000000040 thread T0
          #0 0x7fa7e20b462a in std::__atomic_base<int>::operator--() /usr/include/c++/7/bits/atomic_base.h:304
          #1 0x7fa7e20b06d1 in bool QAtomicOps<int>::deref<int>(std::atomic<int>&) ../../include/QtCore/../../../../qt-dev2/qtbase/src/corelib/thread/qatomic_cxx11.h:289
          #2 0x7fa7e20aecb1 in QBasicAtomicInteger<int>::deref() ../../include/QtCore/../../../../qt-dev2/qtbase/src/corelib/thread/qbasicatomic.h:119
          #3 0x7fa7e2128137 in QThreadData::deref() /home/mitch/dev/qt-dev2/qtbase/src/corelib/thread/qthread.cpp:119
          #4 0x7fa7e27c9a22 in QObjectPrivate::~QObjectPrivate() /home/mitch/dev/qt-dev2/qtbase/src/corelib/kernel/qobject.cpp:226
          #5 0x7fa7e27c9bdb in QObjectPrivate::~QObjectPrivate() /home/mitch/dev/qt-dev2/qtbase/src/corelib/kernel/qobject.cpp:231
          #6 0x7fa7e27eed79 in QScopedPointerDeleter<QObjectData>::cleanup(QObjectData*) ../../include/QtCore/../../../../qt-dev2/qtbase/src/corelib/tools/qscopedpointer.h:60
          #7 0x7fa7e27e9ed9 in QScopedPointer<QObjectData, QScopedPointerDeleter<QObjectData> >::~QScopedPointer() ../../include/QtCore/../../../../qt-dev2/qtbase/src/corelib/tools/qscopedpointer.h:107
          #8 0x7fa7e27cdb83 in QObject::~QObject() /home/mitch/dev/qt-dev2/qtbase/src/corelib/kernel/qobject.cpp:966
          #9 0x7fa7e5364af0 in QPlatformThemePlugin::~QPlatformThemePlugin() /home/mitch/dev/qt-dev2/qtbase/src/gui/kernel/qplatformthemeplugin.cpp:58
          #10 0x7fa7d3ee1672 in QGtk3ThemePlugin::~QGtk3ThemePlugin() (/home/mitch/dev/qt-dev2-debug/qtbase/plugins/platformthemes/libqgtk3.so+0x29672)
          #11 0x7fa7d3ee168d in QGtk3ThemePlugin::~QGtk3ThemePlugin() (/home/mitch/dev/qt-dev2-debug/qtbase/plugins/platformthemes/libqgtk3.so+0x2968d)
          #12 0x7fa7e27092d6 in QLibraryPrivate::unload(QLibraryPrivate::UnloadFlag) /home/mitch/dev/qt-dev2/qtbase/src/corelib/plugin/qlibrary.cpp:606
          #13 0x7fa7e270f0ed in QLibraryStore::cleanup() /home/mitch/dev/qt-dev2/qtbase/src/corelib/plugin/qlibrary.cpp:416
          #14 0x7fa7e27082d6 in qlibraryCleanup /home/mitch/dev/qt-dev2/qtbase/src/corelib/plugin/qlibrary.cpp:440
          #15 0x7fa7e27082f6 in ~qlibraryCleanup_dtor_class_ /home/mitch/dev/qt-dev2/qtbase/src/corelib/plugin/qlibrary.cpp:442
          #16 0x7fa7e159d614 in __cxa_finalize (/lib/x86_64-linux-gnu/libc.so.6+0x43614)
          #17 0x7fa7e20a1d42  (/home/mitch/dev/qt-dev2-debug/qtbase/lib/libQt6Core.so.6+0x1b5d42)
      
      0x60f000000040 is located 0 bytes inside of 168-byte region [0x60f000000040,0x60f0000000e8)
      freed by thread T0 here:
          #0 0x7fa7e94329c8 in operator delete(void*, unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xe19c8)
          #1 0x7fa7e2128162 in QThreadData::deref() /home/mitch/dev/qt-dev2/qtbase/src/corelib/thread/qthread.cpp:120
          #2 0x7fa7e27c9a22 in QObjectPrivate::~QObjectPrivate() /home/mitch/dev/qt-dev2/qtbase/src/corelib/kernel/qobject.cpp:226
          #3 0x7fa7e27c9bdb in QObjectPrivate::~QObjectPrivate() /home/mitch/dev/qt-dev2/qtbase/src/corelib/kernel/qobject.cpp:231
          #4 0x7fa7e27eed79 in QScopedPointerDeleter<QObjectData>::cleanup(QObjectData*) ../../include/QtCore/../../../../qt-dev2/qtbase/src/corelib/tools/qscopedpointer.h:60
          #5 0x7fa7e27e9ed9 in QScopedPointer<QObjectData, QScopedPointerDeleter<QObjectData> >::~QScopedPointer() ../../include/QtCore/../../../../qt-dev2/qtbase/src/corelib/tools/qscopedpointer.h:107
          #6 0x7fa7e27cdb83 in QObject::~QObject() /home/mitch/dev/qt-dev2/qtbase/src/corelib/kernel/qobject.cpp:966
          #7 0x7fa7e53575ee in QPlatformIntegrationPlugin::~QPlatformIntegrationPlugin() /home/mitch/dev/qt-dev2/qtbase/src/gui/kernel/qplatformintegrationplugin.cpp:49
          #8 0x7fa7d7c4cf3e in QXcbIntegrationPlugin::~QXcbIntegrationPlugin() /home/mitch/dev/qt-dev2/qtbase/src/plugins/platforms/xcb/qxcbmain.cpp:45
          #9 0x7fa7d7c4cf59 in QXcbIntegrationPlugin::~QXcbIntegrationPlugin() /home/mitch/dev/qt-dev2/qtbase/src/plugins/platforms/xcb/qxcbmain.cpp:45
          #10 0x7fa7e27092d6 in QLibraryPrivate::unload(QLibraryPrivate::UnloadFlag) /home/mitch/dev/qt-dev2/qtbase/src/corelib/plugin/qlibrary.cpp:606
          #11 0x7fa7e270f0ed in QLibraryStore::cleanup() /home/mitch/dev/qt-dev2/qtbase/src/corelib/plugin/qlibrary.cpp:416
          #12 0x7fa7e27082d6 in qlibraryCleanup /home/mitch/dev/qt-dev2/qtbase/src/corelib/plugin/qlibrary.cpp:440
          #13 0x7fa7e27082f6 in ~qlibraryCleanup_dtor_class_ /home/mitch/dev/qt-dev2/qtbase/src/corelib/plugin/qlibrary.cpp:442
          #14 0x7fa7e159d614 in __cxa_finalize (/lib/x86_64-linux-gnu/libc.so.6+0x43614)
      
      previously allocated by thread T0 here:
          #0 0x7fa7e9431448 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xe0448)
          #1 0x7fa7e212f01e in QThreadData::current(bool) /home/mitch/dev/qt-dev2/qtbase/src/corelib/thread/qthread_unix.cpp:184
          #2 0x7fa7e21288d9 in QThread::currentThread() /home/mitch/dev/qt-dev2/qtbase/src/corelib/thread/qthread.cpp:401
          #3 0x7fa7e27294bf in QCoreApplicationPrivate::QCoreApplicationPrivate(int&, char**, unsigned int) /home/mitch/dev/qt-dev2/qtbase/src/corelib/kernel/qcoreapplication.cpp:460
          #4 0x7fa7e53776c5 in QGuiApplicationPrivate::QGuiApplicationPrivate(int&, char**, int) /home/mitch/dev/qt-dev2/qtbase/src/gui/kernel/qguiapplication.cpp:740
          #5 0x7fa7e5376dc4 in QGuiApplication::QGuiApplication(int&, char**, int) /home/mitch/dev/qt-dev2/qtbase/src/gui/kernel/qguiapplication.cpp:667
          #6 0x55a68a0c7b9c in main /home/mitch/dev/qt-dev2/qtquickcontrols2/tests/auto/sanity/tst_sanity.cpp:375
          #7 0x7fa7e157bb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
      
      SUMMARY: AddressSanitizer: heap-use-after-free /usr/include/c++/7/bits/atomic_base.h:304 in std::__atomic_base<int>::operator--()
      Shadow bytes around the buggy address:
        0x0c1e7fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c1e7fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c1e7fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c1e7fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c1e7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      =>0x0c1e7fff8000: fa fa fa fa fa fa fa fa[fd]fd fd fd fd fd fd fd
        0x0c1e7fff8010: fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa
        0x0c1e7fff8020: fa fa fa fa fa fa 00 00 00 00 00 00 00 00 00 00
        0x0c1e7fff8030: 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa
        0x0c1e7fff8040: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c1e7fff8050: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
      ==11061==ABORTING
      13:21:24: /home/mitch/dev/qt-dev2-debug/qtquickcontrols2/tests/auto/sanity/tst_sanity exited with code 1
      

      Reverting 5a5c20ad402af18f7bf56ad11edee2dfec3d7e63 fixes it.

      People

      Assignee: ulherman Ulf Hermann
      Reporter: mitch_curtis Mitch Curtis
      Votes: 0
      Watchers: 1
