Uploaded image for project: 'Qt'
  1. Qt
  2. QTBUG-85389

heap-use-after-free when unloading QGtk3ThemePlugin during auto test

    XMLWordPrintable

Details

    • Bug
    • Resolution: Duplicate
    • P1: Critical
    • None
    • 6.0
    • Core: Other
    • None
    • Ubuntu 18.04.3

    Description

      When running qtquickcontrols2/tests/auto/sanity/tst_sanity attachedObjects:"material/Dialog.qml" I get a heap-use-after-free:

      13:21:23: Starting /home/mitch/dev/qt-dev2-debug/qtquickcontrols2/tests/auto/sanity/tst_sanity attachedObjects:"material/Dialog.qml"...
********* Start testing of tst_Sanity *********
Config: Using QtTest library 6.0.0, Qt 6.0.0 (x86_64-little_endian-lp64 shared (dynamic) debug build; by GCC 7.5.0)
PASS   : tst_Sanity::initTestCase()
FAIL!  : tst_Sanity::attachedObjects(material/Dialog.qml) '!classNames.contains(className)' returned FALSE. (Multiple QQuickMaterialStyle instances)
   Loc: [/home/mitch/dev/qt-dev2/qtquickcontrols2/tests/auto/sanity/tst_sanity.cpp(361)]
PASS   : tst_Sanity::cleanupTestCase()
Totals: 2 passed, 1 failed, 0 skipped, 0 blacklisted, 297ms
********* Finished testing of tst_Sanity *********
=================================================================
==11061==ERROR: AddressSanitizer: heap-use-after-free on address 0x60f000000040 at pc 0x7fa7e20b462b bp 0x7ffe0241c7f0 sp 0x7ffe0241c7e0
WRITE of size 4 at 0x60f000000040 thread T0
    #0 0x7fa7e20b462a in std::__atomic_base<int>::operator--() /usr/include/c++/7/bits/atomic_base.h:304
    #1 0x7fa7e20b06d1 in bool QAtomicOps<int>::deref<int>(std::atomic<int>&) ../../include/QtCore/../../../../qt-dev2/qtbase/src/corelib/thread/qatomic_cxx11.h:289
    #2 0x7fa7e20aecb1 in QBasicAtomicInteger<int>::deref() ../../include/QtCore/../../../../qt-dev2/qtbase/src/corelib/thread/qbasicatomic.h:119
    #3 0x7fa7e2128137 in QThreadData::deref() /home/mitch/dev/qt-dev2/qtbase/src/corelib/thread/qthread.cpp:119
    #4 0x7fa7e27c9a22 in QObjectPrivate::~QObjectPrivate() /home/mitch/dev/qt-dev2/qtbase/src/corelib/kernel/qobject.cpp:226
    #5 0x7fa7e27c9bdb in QObjectPrivate::~QObjectPrivate() /home/mitch/dev/qt-dev2/qtbase/src/corelib/kernel/qobject.cpp:231
    #6 0x7fa7e27eed79 in QScopedPointerDeleter<QObjectData>::cleanup(QObjectData*) ../../include/QtCore/../../../../qt-dev2/qtbase/src/corelib/tools/qscopedpointer.h:60
    #7 0x7fa7e27e9ed9 in QScopedPointer<QObjectData, QScopedPointerDeleter<QObjectData> >::~QScopedPointer() ../../include/QtCore/../../../../qt-dev2/qtbase/src/corelib/tools/qscopedpointer.h:107
    #8 0x7fa7e27cdb83 in QObject::~QObject() /home/mitch/dev/qt-dev2/qtbase/src/corelib/kernel/qobject.cpp:966
    #9 0x7fa7e5364af0 in QPlatformThemePlugin::~QPlatformThemePlugin() /home/mitch/dev/qt-dev2/qtbase/src/gui/kernel/qplatformthemeplugin.cpp:58
    #10 0x7fa7d3ee1672 in QGtk3ThemePlugin::~QGtk3ThemePlugin() (/home/mitch/dev/qt-dev2-debug/qtbase/plugins/platformthemes/libqgtk3.so+0x29672)
    #11 0x7fa7d3ee168d in QGtk3ThemePlugin::~QGtk3ThemePlugin() (/home/mitch/dev/qt-dev2-debug/qtbase/plugins/platformthemes/libqgtk3.so+0x2968d)
    #12 0x7fa7e27092d6 in QLibraryPrivate::unload(QLibraryPrivate::UnloadFlag) /home/mitch/dev/qt-dev2/qtbase/src/corelib/plugin/qlibrary.cpp:606
    #13 0x7fa7e270f0ed in QLibraryStore::cleanup() /home/mitch/dev/qt-dev2/qtbase/src/corelib/plugin/qlibrary.cpp:416
    #14 0x7fa7e27082d6 in qlibraryCleanup /home/mitch/dev/qt-dev2/qtbase/src/corelib/plugin/qlibrary.cpp:440
    #15 0x7fa7e27082f6 in ~qlibraryCleanup_dtor_class_ /home/mitch/dev/qt-dev2/qtbase/src/corelib/plugin/qlibrary.cpp:442
    #16 0x7fa7e159d614 in __cxa_finalize (/lib/x86_64-linux-gnu/libc.so.6+0x43614)
    #17 0x7fa7e20a1d42  (/home/mitch/dev/qt-dev2-debug/qtbase/lib/libQt6Core.so.6+0x1b5d42)

0x60f000000040 is located 0 bytes inside of 168-byte region [0x60f000000040,0x60f0000000e8)
freed by thread T0 here:
    #0 0x7fa7e94329c8 in operator delete(void*, unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xe19c8)
    #1 0x7fa7e2128162 in QThreadData::deref() /home/mitch/dev/qt-dev2/qtbase/src/corelib/thread/qthread.cpp:120
    #2 0x7fa7e27c9a22 in QObjectPrivate::~QObjectPrivate() /home/mitch/dev/qt-dev2/qtbase/src/corelib/kernel/qobject.cpp:226
    #3 0x7fa7e27c9bdb in QObjectPrivate::~QObjectPrivate() /home/mitch/dev/qt-dev2/qtbase/src/corelib/kernel/qobject.cpp:231
    #4 0x7fa7e27eed79 in QScopedPointerDeleter<QObjectData>::cleanup(QObjectData*) ../../include/QtCore/../../../../qt-dev2/qtbase/src/corelib/tools/qscopedpointer.h:60
    #5 0x7fa7e27e9ed9 in QScopedPointer<QObjectData, QScopedPointerDeleter<QObjectData> >::~QScopedPointer() ../../include/QtCore/../../../../qt-dev2/qtbase/src/corelib/tools/qscopedpointer.h:107
    #6 0x7fa7e27cdb83 in QObject::~QObject() /home/mitch/dev/qt-dev2/qtbase/src/corelib/kernel/qobject.cpp:966
    #7 0x7fa7e53575ee in QPlatformIntegrationPlugin::~QPlatformIntegrationPlugin() /home/mitch/dev/qt-dev2/qtbase/src/gui/kernel/qplatformintegrationplugin.cpp:49
    #8 0x7fa7d7c4cf3e in QXcbIntegrationPlugin::~QXcbIntegrationPlugin() /home/mitch/dev/qt-dev2/qtbase/src/plugins/platforms/xcb/qxcbmain.cpp:45
    #9 0x7fa7d7c4cf59 in QXcbIntegrationPlugin::~QXcbIntegrationPlugin() /home/mitch/dev/qt-dev2/qtbase/src/plugins/platforms/xcb/qxcbmain.cpp:45
    #10 0x7fa7e27092d6 in QLibraryPrivate::unload(QLibraryPrivate::UnloadFlag) /home/mitch/dev/qt-dev2/qtbase/src/corelib/plugin/qlibrary.cpp:606
    #11 0x7fa7e270f0ed in QLibraryStore::cleanup() /home/mitch/dev/qt-dev2/qtbase/src/corelib/plugin/qlibrary.cpp:416
    #12 0x7fa7e27082d6 in qlibraryCleanup /home/mitch/dev/qt-dev2/qtbase/src/corelib/plugin/qlibrary.cpp:440
    #13 0x7fa7e27082f6 in ~qlibraryCleanup_dtor_class_ /home/mitch/dev/qt-dev2/qtbase/src/corelib/plugin/qlibrary.cpp:442
    #14 0x7fa7e159d614 in __cxa_finalize (/lib/x86_64-linux-gnu/libc.so.6+0x43614)

previously allocated by thread T0 here:
    #0 0x7fa7e9431448 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xe0448)
    #1 0x7fa7e212f01e in QThreadData::current(bool) /home/mitch/dev/qt-dev2/qtbase/src/corelib/thread/qthread_unix.cpp:184
    #2 0x7fa7e21288d9 in QThread::currentThread() /home/mitch/dev/qt-dev2/qtbase/src/corelib/thread/qthread.cpp:401
    #3 0x7fa7e27294bf in QCoreApplicationPrivate::QCoreApplicationPrivate(int&, char**, unsigned int) /home/mitch/dev/qt-dev2/qtbase/src/corelib/kernel/qcoreapplication.cpp:460
    #4 0x7fa7e53776c5 in QGuiApplicationPrivate::QGuiApplicationPrivate(int&, char**, int) /home/mitch/dev/qt-dev2/qtbase/src/gui/kernel/qguiapplication.cpp:740
    #5 0x7fa7e5376dc4 in QGuiApplication::QGuiApplication(int&, char**, int) /home/mitch/dev/qt-dev2/qtbase/src/gui/kernel/qguiapplication.cpp:667
    #6 0x55a68a0c7b9c in main /home/mitch/dev/qt-dev2/qtquickcontrols2/tests/auto/sanity/tst_sanity.cpp:375
    #7 0x7fa7e157bb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)

SUMMARY: AddressSanitizer: heap-use-after-free /usr/include/c++/7/bits/atomic_base.h:304 in std::__atomic_base<int>::operator--()
Shadow bytes around the buggy address:
  0x0c1e7fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1e7fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1e7fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1e7fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1e7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c1e7fff8000: fa fa fa fa fa fa fa fa[fd]fd fd fd fd fd fd fd
  0x0c1e7fff8010: fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa
  0x0c1e7fff8020: fa fa fa fa fa fa 00 00 00 00 00 00 00 00 00 00
  0x0c1e7fff8030: 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa
  0x0c1e7fff8040: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c1e7fff8050: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==11061==ABORTING
13:21:24: /home/mitch/dev/qt-dev2-debug/qtquickcontrols2/tests/auto/sanity/tst_sanity exited with code 1

      Reverting 5a5c20ad402af18f7bf56ad11edee2dfec3d7e63 fixes it.

      Attachments

        Issue Links

          duplicates

          Bug - A problem which impairs or prevents the functions of the product. QTBUG-85357 Heap use after free in tst_qsqlquery.cpp

          • P1: Critical - Urgent and Important, will STOP the release if matched with set FixVersion field. This includes regressions from the last version that are not edge cases; Data loss; Build issues; All but the most unlikely crashes/lockups/hanging; Serious usability issues and embarrassing bugs & Bugs critical to a deliverable. This is the highest possible priority for requirements.
          • Closed
          is required for

          Task - A task that needs to be done. QTBUG-82922 Register types declaratively

          • P2: Important - Urgent, should be fixed, but will not stop the release.
          • Closed
          No reviews matched the request. Check your Options in the drop-down menu of this sections header.

          Activity

            People

              ulherman Ulf Hermann
              mitch_curtis Mitch Curtis
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Gerrit Reviews

                  There are no open Gerrit changes