Type: Bug
Resolution: Done
Priority: P1: Critical
Version: 5.15.0
Platform: Ubuntu 18.04, embedded linux
Commits: 837b3795c237d20dfca4be46e10697e1cd300e60 (qt/qtquickcontrols2/dev), e19e923f52217e82be9e11aadeacfbc917a00126 (qt/qtquickcontrols2/6.0), c379659f5f51ae14331e5bdd365ef229c9a4c9c9 (qt/tqtc-qtquickcontrols2/5.15)
Procedure to reproduce the crash:
- pixmapChange() of qquickninepatchimage.cpp (main thread)
- updatePaintNode() of qquickninepatchimage.cpp (qsgrender thread)
- .......
- pixmapChange() of qquickninepatchimage.cpp (main thread)
- ... rendering (qsgrender thread)
- crash at QImage::copy() (heap-use-after-free)

The result with AddressSanitizer:
=================================================================
==27192==ERROR: AddressSanitizer: heap-use-after-free on address 0x7fbe70d87d04 at pc 0x7fbe7be22733 bp 0x7fbe581b0ca0 sp 0x7fbe581b0448
READ of size 1272 at 0x7fbe70d87d04 thread T7 (QSGRenderThread)
#0 0x7fbe7be22732 (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x79732)
#1 0x7fbe7aefb63a in QImage::copy(QRect const&) const image/qimage.cpp:1234
#2 0x7fbe7b230cb7 in QOpenGLTextureUploader::textureImage(unsigned int, QImage const&, QFlags<QOpenGLTextureUploader::BindOption>, QSize) opengl/qopengltextureuploader.cpp:372
#3 0x7fbe7b82bfeb in QSGPlainTexture::bind() scenegraph/util/qsgplaintexture.cpp:238
#4 0x7fbe7b82e885 in QSGOpaqueTextureMaterialShader::updateState(QSGMaterialShader::RenderState const&, QSGMaterial*, QSGMaterial*) scenegraph/util/qsgtexturematerial.cpp:112
#5 0x7fbe7b813e48 in QSGBatchRenderer::Renderer::renderMergedBatch(QSGBatchRenderer::Batch const*) scenegraph/coreapi/qsgbatchrenderer.cpp:3058
#6 0x7fbe7b817854 in QSGBatchRenderer::Renderer::renderBatches() scenegraph/coreapi/qsgbatchrenderer.cpp:4027
#7 0x7fbe7b817d96 in QSGBatchRenderer::Renderer::render() scenegraph/coreapi/qsgbatchrenderer.cpp:4324
#8 0x7fbe7b8002e2 in QSGRenderer::renderScene(QSGBindable const&) scenegraph/coreapi/qsgrenderer.cpp:264
#9 0x7fbe7b8007d6 in QSGRenderer::renderScene(unsigned int) scenegraph/coreapi/qsgrenderer.cpp:212
#10 0x7fbe7b869c40 in QSGDefaultRenderContext::renderNextFrame(QSGRenderer*, unsigned int) scenegraph/qsgdefaultrendercontext.cpp:228
#11 0x7fbe7b8cd368 in QQuickWindowPrivate::renderSceneGraph(QSize const&, QSize const&) items/qquickwindow.cpp:541
#12 0x7fbe7b876f0e in QSGRenderThread::syncAndRender(QImage*) scenegraph/qsgthreadedrenderloop.cpp:837
#13 0x7fbe7b87ad8a in QSGRenderThread::run() scenegraph/qsgthreadedrenderloop.cpp:1043
#14 0x7fbe79f84414 in QThreadPrivate::start(void*) thread/qthread_unix.cpp:342
#15 0x7fbe78f1b6da (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
#16 0x7fbe79660a3e (/lib/x86_64-linux-gnu/libc.so.6+0x121a3e)
0x7fbe70d87d04 is located 1284 bytes inside of 206080-byte region [0x7fbe70d87800,0x7fbe70db9d00)
freed by thread T0 here:
#0 0x7fbe7be877a8 (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xde7a8)
#1 0x7fbe7aefa5c9 in QImageData::~QImageData() image/qimage.cpp:177
previously allocated by thread T0 here:
#0 0x7fbe7be87b40 (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40)
#1 0x7fbe7aefa93b in QImageData::create(QSize const&, QImage::Format) image/qimage.cpp:160
Thread T7 (QSGRenderThread) created by T0 here:
#0 0x7fbe7bde0d2f (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x37d2f)
#1 0x7fbe79f83cf0 in QThread::start(QThread::Priority) thread/qthread_unix.cpp:716
SUMMARY: AddressSanitizer: heap-use-after-free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x79732)
Shadow bytes around the buggy address:
0x0ff84e1a8f50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0ff84e1a8f60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0ff84e1a8f70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0ff84e1a8f80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0ff84e1a8f90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0ff84e1a8fa0:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0ff84e1a8fb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0ff84e1a8fc0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0ff84e1a8fd0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0ff84e1a8fe0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0ff84e1a8ff0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==27192==ABORTING
You can use the attached example file (run it and just click the application).
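The report above is the kind of output a triager has to read quickly: what was accessed, on which thread, and which thread freed it. As an added example (not part of this report and not Qt code), the script below parses an AddressSanitizer heap-use-after-free report into those facts and flags the pattern seen here, a READ on one thread of memory freed by another. The sample input is an abridged copy of the report above (shadow bytes and the deeper render-thread frames dropped); the names `parse_uaf`, `first_user_frame`, `is_cross_thread_free` and `describe` are this example's own.

```python
# Added example, not part of the bug report or of Qt: parse an AddressSanitizer
# heap-use-after-free report and flag a cross-thread free (memory freed by one
# thread while another is still reading it), the pattern in the report above.
import re
from dataclasses import dataclass, field
from typing import List, NamedTuple, Optional
# Abridged copy of the report above (shadow bytes and deeper frames dropped).
SAMPLE_REPORT = """\
==27192==ERROR: AddressSanitizer: heap-use-after-free on address 0x7fbe70d87d04 at pc 0x7fbe7be22733 bp 0x7fbe581b0ca0 sp 0x7fbe581b0448
READ of size 1272 at 0x7fbe70d87d04 thread T7 (QSGRenderThread)
    #0 0x7fbe7be22732 (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x79732)
    #1 0x7fbe7aefb63a in QImage::copy(QRect const&) const image/qimage.cpp:1234
    #2 0x7fbe7b230cb7 in QOpenGLTextureUploader::textureImage(unsigned int, QImage const&, QFlags<QOpenGLTextureUploader::BindOption>, QSize) opengl/qopengltextureuploader.cpp:372
0x7fbe70d87d04 is located 1284 bytes inside of 206080-byte region [0x7fbe70d87800,0x7fbe70db9d00)
freed by thread T0 here:
    #1 0x7fbe7aefa5c9 in QImageData::~QImageData() image/qimage.cpp:177
previously allocated by thread T0 here:
    #1 0x7fbe7aefa93b in QImageData::create(QSize const&, QImage::Format) image/qimage.cpp:160
SUMMARY: AddressSanitizer: heap-use-after-free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x79732)
"""

class Frame(NamedTuple):
    pc: str
    symbol: Optional[str]    # None when ASan could not symbolize the frame
    location: Optional[str]  # "file.cpp:line", or module+offset when unsymbolized

@dataclass
class AsanUaf:
    bug: str = ""
    access: str = ""         # READ or WRITE
    size: int = 0
    access_thread: str = ""
    access_thread_name: Optional[str] = None
    access_stack: List[Frame] = field(default_factory=list)
    offset: int = 0          # faulting address relative to the start of the freed region
    region_size: int = 0
    free_thread: Optional[str] = None
    free_stack: List[Frame] = field(default_factory=list)
    alloc_thread: Optional[str] = None
    alloc_stack: List[Frame] = field(default_factory=list)

HEADER = re.compile(r"==\d+==ERROR: AddressSanitizer: (?P<bug>[\w-]+) on address 0x[0-9a-f]+")
ACCESS = re.compile(r"(?P<op>READ|WRITE) of size (?P<size>\d+) at 0x[0-9a-f]+ thread (?P<tid>T\d+)(?: \((?P<name>[^)]*)\))?")
REGION = re.compile(r"0x[0-9a-f]+ is located (?P<off>\d+) bytes inside of (?P<size>\d+)-byte region")
FREED = re.compile(r"freed by thread (?P<tid>T\d+) here:")
ALLOC = re.compile(r"previously allocated by thread (?P<tid>T\d+) here:")
FRAME = re.compile(r"#\d+ (?P<pc>0x[0-9a-f]+) (?P<rest>.*)$")

def parse_frame(line: str) -> Optional[Frame]:
    m = FRAME.match(line)
    if not m:
        return None
    rest = m["rest"]
    if not rest.startswith("in "):               # only "(module+offset)" available
        return Frame(m["pc"], None, rest.strip("()"))
    symbol, sep, loc = rest[3:].rpartition(" ")  # trailing token is file:line when symbolized
    if sep and re.fullmatch(r"\S+:\d+(?::\d+)?", loc):
        return Frame(m["pc"], symbol, loc)
    return Frame(m["pc"], rest[3:], None)

def parse_uaf(report: str) -> AsanUaf:
    uaf, stack = None, None                      # stack: whichever of the three stacks is open
    for raw in report.splitlines():
        line = raw.strip()
        if (m := HEADER.search(line)):
            uaf = AsanUaf(bug=m["bug"])
        elif uaf is None:
            continue                              # ignore anything before the ERROR header
        elif (m := ACCESS.match(line)):
            uaf.access, uaf.size = m["op"], int(m["size"])
            uaf.access_thread, uaf.access_thread_name = m["tid"], m["name"]
            stack = uaf.access_stack
        elif (m := REGION.match(line)):
            uaf.offset, uaf.region_size, stack = int(m["off"]), int(m["size"]), None
        elif (m := FREED.match(line)):
            uaf.free_thread, stack = m["tid"], uaf.free_stack
        elif (m := ALLOC.match(line)):
            uaf.alloc_thread, stack = m["tid"], uaf.alloc_stack
        elif line.startswith(("Thread ", "SUMMARY:")):
            stack = None                          # thread-creation stacks are not one of the three
        elif stack is not None and (frame := parse_frame(line)):
            stack.append(frame)
    if uaf is None:
        raise ValueError("no AddressSanitizer ERROR header in input")
    return uaf

def first_user_frame(stack: List[Frame]) -> Optional[Frame]:
    """First symbolized frame past the sanitizer's own interceptor (#0 is usually libasan)."""
    return next((f for f in stack if f.symbol and not f.symbol.startswith(("__interceptor_", "__asan"))), None)

def is_cross_thread_free(uaf: AsanUaf) -> bool:
    """The hazard in the report: one thread frees what another thread is still using."""
    return uaf.free_thread is not None and uaf.free_thread != uaf.access_thread

def describe(uaf: AsanUaf) -> str:
    """One-line triage verdict of the kind a fuzzing dashboard or tracker comment wants."""
    reader, freer = first_user_frame(uaf.access_stack), first_user_frame(uaf.free_stack)
    return (f"{'cross' if is_cross_thread_free(uaf) else 'same'}-thread {uaf.bug}: {uaf.access} of {uaf.size} bytes "
            f"by {uaf.access_thread} in {reader.symbol if reader else '?'}, freed by {uaf.free_thread} in {freer.symbol if freer else '?'}")
```

`describe(parse_uaf(SAMPLE_REPORT))` yields a cross-thread verdict: the render thread (T7) reads inside `QImage::copy` while the main thread (T0) has already destroyed the `QImageData`. A cross-thread free is the signal that lifetime is being decided on one thread for an object another thread still references, which is exactly what the merged "Ensure the ninepatch image is detached" changes address; a same-thread verdict would instead point at ordinary ownership or reference-counting mistakes within one code path.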
Gerrit Dashboard for QTBUG-88162:

| # | Subject | Branch | Project | Status | CR (Code-Review) | V (Verified) |
|---|---|---|---|---|---|---|
| 329782,2 | Ensure the ninepatch image is detached | 6.0 | qt/qtquickcontrols2 | MERGED | +2 | 0 |
| 329784,3 | Ensure the ninepatch image is detached | tqtc/lts-5.15 | qt/tqtc-qtquickcontrols2 | MERGED | +2 | 0 |
| 329832,2 | Ensure the ninepatch image is detached | dev | qt/qtquickcontrols2 | MERGED | +2 | 0 |