Qt / QTBUG-87754

Heap-use-after-free in QRhiGles2::enqueueBindFramebuffer


    Details

    • Type: Bug
    • Status: Reported
    • Priority: P1: Critical
    • Resolution: Unresolved
    • Affects Version/s: 6.0 (Next Major Release)
    • Fix Version/s: None
    • Component/s: Qt RHI, Quick: SceneGraph
    • Labels: None

      Description

      To reproduce, check out https://codereview.qt-project.org/c/qt/qtquickcontrols/+/318391/ and run the extras auto test with -input /home/mitch/dev/qt-dev/qtquickcontrols/tests/auto/extras/data/tst_piemenu.qml.

      12:20:14: Starting /home/mitch/dev/qt-dev-debug/qtquickcontrols/tests/auto/extras/tst_extras -input /home/mitch/dev/qt-dev/qtquickcontrols/tests/auto/extras/data/tst_piemenu.qml...
      qt.qml.typeregistration: Invalid QML element name "MenuItemType"; value type names should begin with a lowercase letter
      qt.qml.typeregistration: Invalid QML element name "SelectionMode"; value type names should begin with a lowercase letter
      qt.qml.typeregistration: Invalid QML element name "ActivationMode"; value type names should begin with a lowercase letter
      qt.qml.typeregistration: Invalid QML element name "TriggerMode"; value type names should begin with a lowercase letter
      ********* Start testing of extras *********
      Config: Using QtTest library 6.0.0, Qt 6.0.0 (x86_64-little_endian-lp64 shared (dynamic) debug build; by GCC 7.5.0), ubuntu 18.04
      PASS   : extras::Tests_PieMenu::initTestCase()
      PASS   : extras::Tests_PieMenu::test_QTRD3027()
      =================================================================
      ==6774==ERROR: AddressSanitizer: heap-use-after-free on address 0x6150000ee000 at pc 0x7fef37bfaafb bp 0x7fef0892f500 sp 0x7fef0892f4f0
      READ of size 8 at 0x6150000ee000 thread T7 (QSGRenderThread)
      PASS   : extras::Tests_PieMenu::test_addItem()
          #0 0x7fef37bfaafa in QRhiGles2::enqueueBindFramebuffer(QRhiRenderTarget*, QGles2CommandBuffer*, bool*, bool*) /home/mitch/dev/qt-dev/qtbase/src/gui/rhi/qrhigles2.cpp:3200
          #1 0x7fef37bfb704 in QRhiGles2::beginPass(QRhiCommandBuffer*, QRhiRenderTarget*, QColor const&, QRhiDepthStencilClearValue const&, QRhiResourceUpdateBatch*, QFlags<QRhiCommandBuffer::BeginPassFlag>) /home/mitch/dev/qt-dev/qtbase/src/gui/rhi/qrhigles2.cpp:3286
          #2 0x7fef37b2ea97 in QRhiCommandBuffer::beginPass(QRhiRenderTarget*, QColor const&, QRhiDepthStencilClearValue const&, QRhiResourceUpdateBatch*, QFlags<QRhiCommandBuffer::BeginPassFlag>) /home/mitch/dev/qt-dev/qtbase/src/gui/rhi/qrhi.cpp:5211
          #3 0x7fef2ea45630 in QSGBatchRenderer::Renderer::beginRenderPass(QSGBatchRenderer::Renderer::RenderPassContext*) /home/mitch/dev/qt-dev/qtdeclarative/src/quick/scenegraph/coreapi/qsgbatchrenderer.cpp:3647
          #4 0x7fef2ea411cd in QSGBatchRenderer::Renderer::render() /home/mitch/dev/qt-dev/qtdeclarative/src/quick/scenegraph/coreapi/qsgbatchrenderer.cpp:3382
          #5 0x7fef2ea0a125 in QSGRenderer::renderScene() /home/mitch/dev/qt-dev/qtdeclarative/src/quick/scenegraph/coreapi/qsgrenderer.cpp:175
          #6 0x7fef2ec13d43 in QSGDefaultRenderContext::renderNextRhiFrame(QSGRenderer*) /home/mitch/dev/qt-dev/qtdeclarative/src/quick/scenegraph/qsgdefaultrendercontext.cpp:211
          #7 0x7fef2eaee3c6 in QSGRhiLayer::grab() /home/mitch/dev/qt-dev/qtdeclarative/src/quick/scenegraph/qsgrhilayer.cpp:423
          #8 0x7fef2eae9534 in QSGRhiLayer::updateTexture() /home/mitch/dev/qt-dev/qtdeclarative/src/quick/scenegraph/qsgrhilayer.cpp:107
          #9 0x7fef2eafcbda in QSGRhiShaderEffectNode::preprocess() /home/mitch/dev/qt-dev/qtdeclarative/src/quick/scenegraph/qsgrhishadereffectnode.cpp:771
          #10 0x7fef2ea0b152 in QSGRenderer::preprocess() /home/mitch/dev/qt-dev/qtdeclarative/src/quick/scenegraph/coreapi/qsgrenderer.cpp:269
          #11 0x7fef2ea0a0c2 in QSGRenderer::renderScene() /home/mitch/dev/qt-dev/qtdeclarative/src/quick/scenegraph/coreapi/qsgrenderer.cpp:172
          #12 0x7fef2ec13d43 in QSGDefaultRenderContext::renderNextRhiFrame(QSGRenderer*) /home/mitch/dev/qt-dev/qtdeclarative/src/quick/scenegraph/qsgdefaultrendercontext.cpp:211
          #13 0x7fef2ede170f in QQuickWindowPrivate::renderSceneGraph(QSize const&, QSize const&) /home/mitch/dev/qt-dev/qtdeclarative/src/quick/items/qquickwindow.cpp:706
          #14 0x7fef2ec2f0f8 in QSGRenderThread::syncAndRender(QImage*) /home/mitch/dev/qt-dev/qtdeclarative/src/quick/scenegraph/qsgthreadedrenderloop.cpp:781
          #15 0x7fef2ec31a57 in QSGRenderThread::run() /home/mitch/dev/qt-dev/qtdeclarative/src/quick/scenegraph/qsgthreadedrenderloop.cpp:991
          #16 0x7fef33b22d7a in QThreadPrivate::start(void*) /home/mitch/dev/qt-dev/qtbase/src/corelib/thread/qthread_unix.cpp:329
          #17 0x7fef327106da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
          #18 0x7fef32e55a3e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x121a3e)
      
      0x6150000ee000 is located 0 bytes inside of 472-byte region [0x6150000ee000,0x6150000ee1d8)
      freed by thread T0 here:
          #0 0x7fef3cd629c8 in operator delete(void*, unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xe19c8)
          #1 0x7fef37c0b6ae in QGles2TextureRenderTarget::~QGles2TextureRenderTarget() /home/mitch/dev/qt-dev/qtbase/src/gui/rhi/qrhigles2.cpp:4311
          #2 0x7fef2eaea17e in QSGRhiLayer::releaseResources() /home/mitch/dev/qt-dev/qtdeclarative/src/quick/scenegraph/qsgrhilayer.cpp:214
          #3 0x7fef2eae985a in QSGRhiLayer::setItem(QSGNode*) /home/mitch/dev/qt-dev/qtdeclarative/src/quick/scenegraph/qsgrhilayer.cpp:135
          #4 0x7fef2f2b1c88 in QQuickShaderEffectSource::sourceItemParentChanged(QQuickItem*) /home/mitch/dev/qt-dev/qtdeclarative/src/quick/items/qquickshadereffectsource.cpp:370
          #5 0x7fef2f2b55d4 in QQuickShaderEffectSource::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) .moc/moc_qquickshadereffectsource_p.cpp:219
          #6 0x7fef3449e661 in void doActivate<false>(QObject*, int, void**) /home/mitch/dev/qt-dev/qtbase/src/corelib/kernel/qobject.cpp:3832
          #7 0x7fef3448f6ba in QMetaObject::activate(QObject*, QMetaObject const*, int, void**) /home/mitch/dev/qt-dev/qtbase/src/corelib/kernel/qobject.cpp:3880
          #8 0x7fef2ed478d6 in QQuickItem::parentChanged(QQuickItem*) .moc/moc_qquickitem.cpp:1056
          #9 0x7fef2ed11404 in QQuickItem::setParentItem(QQuickItem*) /home/mitch/dev/qt-dev/qtdeclarative/src/quick/items/qquickitem.cpp:2761
          #10 0x7fef2ed0c3fb in QQuickItem::~QQuickItem() /home/mitch/dev/qt-dev/qtdeclarative/src/quick/items/qquickitem.cpp:2329
          #11 0x7fef2f59de8c in QQmlPrivate::QQmlElement<QQuickItem>::~QQmlElement() /home/mitch/dev/qt-dev-debug/qtbase/include/QtQml/../../../../qt-dev/qtdeclarative/src/qml/qml/qqmlprivate.h:133
          #12 0x7fef2f59deb1 in QQmlPrivate::QQmlElement<QQuickItem>::~QQmlElement() /home/mitch/dev/qt-dev-debug/qtbase/include/QtQml/../../../../qt-dev/qtdeclarative/src/qml/qml/qqmlprivate.h:133
          #13 0x7fef34480492 in QObjectPrivate::deleteChildren() /home/mitch/dev/qt-dev/qtbase/src/corelib/kernel/qobject.cpp:2045
          #14 0x7fef3447c7c3 in QObject::~QObject() /home/mitch/dev/qt-dev/qtbase/src/corelib/kernel/qobject.cpp:1071
          #15 0x7fef2ed0cfee in QQuickItem::~QQuickItem() /home/mitch/dev/qt-dev/qtdeclarative/src/quick/items/qquickitem.cpp:2316
          #16 0x7fef2ee6e88d in QQuickImplicitSizeItem::~QQuickImplicitSizeItem() /home/mitch/dev/qt-dev-debug/qtbase/include/QtQuick/6.0.0/QtQuick/private/../../../../../../../qt-dev/qtdeclarative/src/quick/items/qquickimplicitsizeitem_p.h:60
          #17 0x7fef2effb195 in QQuickLoader::~QQuickLoader() /home/mitch/dev/qt-dev/qtdeclarative/src/quick/items/qquickloader.cpp:313
          #18 0x7fef2f59da94 in QQmlPrivate::QQmlElement<QQuickLoader>::~QQmlElement() /home/mitch/dev/qt-dev-debug/qtbase/include/QtQml/../../../../qt-dev/qtdeclarative/src/qml/qml/qqmlprivate.h:133
          #19 0x7fef2f59dab9 in QQmlPrivate::QQmlElement<QQuickLoader>::~QQmlElement() /home/mitch/dev/qt-dev-debug/qtbase/include/QtQml/../../../../qt-dev/qtdeclarative/src/qml/qml/qqmlprivate.h:133
          #20 0x7fef34480492 in QObjectPrivate::deleteChildren() /home/mitch/dev/qt-dev/qtbase/src/corelib/kernel/qobject.cpp:2045
          #21 0x7fef3447c7c3 in QObject::~QObject() /home/mitch/dev/qt-dev/qtbase/src/corelib/kernel/qobject.cpp:1071
          #22 0x7fef2ed0cfee in QQuickItem::~QQuickItem() /home/mitch/dev/qt-dev/qtdeclarative/src/quick/items/qquickitem.cpp:2316
          #23 0x7fef2f59de8c in QQmlPrivate::QQmlElement<QQuickItem>::~QQmlElement() /home/mitch/dev/qt-dev-debug/qtbase/include/QtQml/../../../../qt-dev/qtdeclarative/src/qml/qml/qqmlprivate.h:133
          #24 0x7fef2f59deb1 in QQmlPrivate::QQmlElement<QQuickItem>::~QQmlElement() /home/mitch/dev/qt-dev-debug/qtbase/include/QtQml/../../../../qt-dev/qtdeclarative/src/qml/qml/qqmlprivate.h:133
          #25 0x7fef34480492 in QObjectPrivate::deleteChildren() /home/mitch/dev/qt-dev/qtbase/src/corelib/kernel/qobject.cpp:2045
          #26 0x7fef3447c7c3 in QObject::~QObject() /home/mitch/dev/qt-dev/qtbase/src/corelib/kernel/qobject.cpp:1071
          #27 0x7fef2ed0cfee in QQuickItem::~QQuickItem() /home/mitch/dev/qt-dev/qtdeclarative/src/quick/items/qquickitem.cpp:2316
          #28 0x7fef2f59de8c in QQmlPrivate::QQmlElement<QQuickItem>::~QQmlElement() /home/mitch/dev/qt-dev-debug/qtbase/include/QtQml/../../../../qt-dev/qtdeclarative/src/qml/qml/qqmlprivate.h:133
          #29 0x7fef2f59deb1 in QQmlPrivate::QQmlElement<QQuickItem>::~QQmlElement() /home/mitch/dev/qt-dev-debug/qtbase/include/QtQml/../../../../qt-dev/qtdeclarative/src/qml/qml/qqmlprivate.h:133
      
      previously allocated by thread T7 (QSGRenderThread) here:
          #0 0x7fef3cd61448 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xe0448)
          #1 0x7fef37be12d0 in QRhiGles2::createTextureRenderTarget(QRhiTextureRenderTargetDescription const&, QFlags<QRhiTextureRenderTarget::Flag>) /home/mitch/dev/qt-dev/qtbase/src/gui/rhi/qrhigles2.cpp:1045
          #2 0x7fef37b30af7 in QRhi::newTextureRenderTarget(QRhiTextureRenderTargetDescription const&, QFlags<QRhiTextureRenderTarget::Flag>) /home/mitch/dev/qt-dev/qtbase/src/gui/rhi/qrhi.cpp:6054
          #3 0x7fef2eaec86b in QSGRhiLayer::grab() /home/mitch/dev/qt-dev/qtdeclarative/src/quick/scenegraph/qsgrhilayer.cpp:347
          #4 0x7fef2eae9534 in QSGRhiLayer::updateTexture() /home/mitch/dev/qt-dev/qtdeclarative/src/quick/scenegraph/qsgrhilayer.cpp:107
          #5 0x7fef2eafcbda in QSGRhiShaderEffectNode::preprocess() /home/mitch/dev/qt-dev/qtdeclarative/src/quick/scenegraph/qsgrhishadereffectnode.cpp:771
          #6 0x7fef2ea0b152 in QSGRenderer::preprocess() /home/mitch/dev/qt-dev/qtdeclarative/src/quick/scenegraph/coreapi/qsgrenderer.cpp:269
          #7 0x7fef2ea0a0c2 in QSGRenderer::renderScene() /home/mitch/dev/qt-dev/qtdeclarative/src/quick/scenegraph/coreapi/qsgrenderer.cpp:172
          #8 0x7fef2ec13d43 in QSGDefaultRenderContext::renderNextRhiFrame(QSGRenderer*) /home/mitch/dev/qt-dev/qtdeclarative/src/quick/scenegraph/qsgdefaultrendercontext.cpp:211
          #9 0x7fef2ede170f in QQuickWindowPrivate::renderSceneGraph(QSize const&, QSize const&) /home/mitch/dev/qt-dev/qtdeclarative/src/quick/items/qquickwindow.cpp:706
          #10 0x7fef2ec2f0f8 in QSGRenderThread::syncAndRender(QImage*) /home/mitch/dev/qt-dev/qtdeclarative/src/quick/scenegraph/qsgthreadedrenderloop.cpp:781
          #11 0x7fef2ec31a57 in QSGRenderThread::run() /home/mitch/dev/qt-dev/qtdeclarative/src/quick/scenegraph/qsgthreadedrenderloop.cpp:991
          #12 0x7fef33b22d7a in QThreadPrivate::start(void*) /home/mitch/dev/qt-dev/qtbase/src/corelib/thread/qthread_unix.cpp:329
          #13 0x7fef327106da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
      
      Thread T7 (QSGRenderThread) created by T0 here:
          #0 0x7fef3ccb8d2f in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x37d2f)
          #1 0x7fef33b245f9 in QThread::start(QThread::Priority) /home/mitch/dev/qt-dev/qtbase/src/corelib/thread/qthread_unix.cpp:714
          #2 0x7fef2ec3623e in QSGThreadedRenderLoop::handleExposure(QQuickWindow*) /home/mitch/dev/qt-dev/qtdeclarative/src/quick/scenegraph/qsgthreadedrenderloop.cpp:1323
          #3 0x7fef2ec34d46 in QSGThreadedRenderLoop::exposureChanged(QQuickWindow*) /home/mitch/dev/qt-dev/qtdeclarative/src/quick/scenegraph/qsgthreadedrenderloop.cpp:1251
          #4 0x7fef2eddd78c in QQuickWindow::exposeEvent(QExposeEvent*) /home/mitch/dev/qt-dev/qtdeclarative/src/quick/items/qquickwindow.cpp:244
          #5 0x7fef36a30385 in QWindow::event(QEvent*) /home/mitch/dev/qt-dev/qtbase/src/gui/kernel/qwindow.cpp:2438
          #6 0x7fef2eded09c in QQuickWindow::event(QEvent*) /home/mitch/dev/qt-dev/qtdeclarative/src/quick/items/qquickwindow.cpp:2000
          #7 0x7fef34356507 in QCoreApplicationPrivate::notify_helper(QObject*, QEvent*) /home/mitch/dev/qt-dev/qtbase/src/corelib/kernel/qcoreapplication.cpp:1200
          #8 0x7fef34355c92 in doNotify /home/mitch/dev/qt-dev/qtbase/src/corelib/kernel/qcoreapplication.cpp:1129
          #9 0x7fef34355b69 in QCoreApplication::notify(QObject*, QEvent*) /home/mitch/dev/qt-dev/qtbase/src/corelib/kernel/qcoreapplication.cpp:1115
          #10 0x7fef369bc6f0 in QGuiApplication::notify(QObject*, QEvent*) /home/mitch/dev/qt-dev/qtbase/src/gui/kernel/qguiapplication.cpp:1944
          #11 0x7fef34355991 in QCoreApplication::notifyInternal2(QObject*, QEvent*) /home/mitch/dev/qt-dev/qtbase/src/corelib/kernel/qcoreapplication.cpp:1039
          #12 0x7fef34357080 in QCoreApplication::sendSpontaneousEvent(QObject*, QEvent*) /home/mitch/dev/qt-dev/qtbase/src/corelib/kernel/qcoreapplication.cpp:1446
          #13 0x7fef369c9f13 in QGuiApplicationPrivate::processExposeEvent(QWindowSystemInterfacePrivate::ExposeEvent*) /home/mitch/dev/qt-dev/qtbase/src/gui/kernel/qguiapplication.cpp:3192
          #14 0x7fef369bd6a1 in QGuiApplicationPrivate::processWindowSystemEvent(QWindowSystemInterfacePrivate::WindowSystemEvent*) /home/mitch/dev/qt-dev/qtbase/src/gui/kernel/qguiapplication.cpp:2085
          #15 0x7fef3691e251 in QWindowSystemInterface::sendWindowSystemEvents(QFlags<QEventLoop::ProcessEventsFlag>) /home/mitch/dev/qt-dev/qtbase/src/gui/kernel/qwindowsysteminterface.cpp:1129
          #16 0x7fef1d5cdba9 in xcbSourceDispatch /home/mitch/dev/qt-dev/qtbase/src/plugins/platforms/xcb/qxcbeventdispatcher.cpp:93
          #17 0x7fef27815416 in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4c416)
      
      SUMMARY: AddressSanitizer: heap-use-after-free /home/mitch/dev/qt-dev/qtbase/src/gui/rhi/qrhigles2.cpp:3200 in QRhiGles2::enqueueBindFramebuffer(QRhiRenderTarget*, QGles2CommandBuffer*, bool*, bool*)
      Shadow bytes around the buggy address:
        0x0c2a80015bb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c2a80015bc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c2a80015bd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c2a80015be0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c2a80015bf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      =>0x0c2a80015c00:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c2a80015c10: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c2a80015c20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c2a80015c30: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa
        0x0c2a80015c40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c2a80015c50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
      ==6774==ABORTING
      12:20:16: /home/mitch/dev/qt-dev-debug/qtquickcontrols/tests/auto/extras/tst_extras exited with code 1
      


            People

            Assignee: lagocs Laszlo Agocs
            Reporter: mitch_curtis Mitch Curtis
            Votes: 0
            Watchers: 1
