Description
I ran the following QML code with QSG_VISUALIZE=overdraw:
// Minimal reproducer for a render-thread heap-buffer-overflow in the scene-graph
// batch renderer. Run with QSG_VISUALIZE=overdraw, then swipe the first
// SwipeDelegate to the left. The attached AddressSanitizer report shows a READ of
// 11120 bytes from a 320-byte region: the region is allocated in
// QSGBatchRenderer::Renderer::map() (qsgbatchrenderer.cpp:1036) during
// uploadBatch(), and the oversized read happens in Renderer::unmap() ->
// QRhiResourceUpdateBatch::uploadStaticBuffer() on the render thread (T6).
// NOTE(review): the mismatch between the mapped size and the uploaded size is
// presumably caused by the batch geometry changing between map() and unmap()
// (the swipe exposes swipe.right and the remove animation drives height to 0);
// this is an inference from the trace, not something the QML itself shows.
import QtQuick 2.14
import QtQuick.Controls 2.14
import QtQuick.Layouts 1.14

ApplicationWindow {
    id: root
    width: 800
    height: 600
    visible: true

    ListView {
        id: listView
        anchors.fill: parent

        // Four static rows; the crash reproduces with the first one.
        model: ListModel {
            ListElement { sender: "Bob Bobbleton"; title: "How are you going?" }
            ListElement { sender: "Rug Emporium"; title: "SALE! All rugs MUST go!" }
            ListElement { sender: "Electric Co."; title: "Electricity bill 15/07/2016 overdue" }
            ListElement { sender: "Tips"; title: "Five ways this tip will save your life" }
        }

        delegate: SwipeDelegate {
            id: swipeDelegate
            text: model.sender + " - " + model.title
            width: parent.width

            // Collapse the row to height 0 before ListView actually removes it;
            // delayRemove keeps the delegate alive while the animation runs.
            ListView.onRemove: SequentialAnimation {
                PropertyAction {
                    target: swipeDelegate
                    property: "ListView.delayRemove"
                    value: true
                }
                NumberAnimation {
                    target: swipeDelegate
                    property: "height"
                    to: 0
                    easing.type: Easing.InOutQuad
                }
                PropertyAction {
                    target: swipeDelegate
                    property: "ListView.delayRemove"
                    value: false
                }
            }

            // Revealed when the row is swiped left; clicking it removes the row,
            // which triggers the ListView.onRemove animation above.
            swipe.right: Label {
                id: deleteLabel
                text: qsTr("Delete")
                color: "white"
                verticalAlignment: Label.AlignVCenter
                padding: 12
                height: parent.height
                anchors.right: parent.right

                SwipeDelegate.onPressedChanged: print("changed", SwipeDelegate.pressed)
                SwipeDelegate.onClicked: listView.model.remove(index)

                // Slightly darker while pressed so the press state is visible.
                background: Rectangle {
                    color: deleteLabel.SwipeDelegate.pressed ? Qt.darker("tomato", 1.1) : "tomato"
                }
            }
        }
    }
}
Then I swiped the first SwipeDelegate to the left and the app crashed:
11:02:03: Starting /Users/mitch/dev/temp/quick-qt_dev_fw-Debug/quick.app/Contents/MacOS/quick ... QML debugging is enabled. Only use this in a safe environment. ================================================================= ==53388==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x612000157680 at pc 0x0001143572a0 bp 0x700002cacbb0 sp 0x700002cac378 READ of size 11120 at 0x612000157680 thread T6 #0 0x11435729f in __asan_memcpy+0x1af (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x4729f) #1 0x10bbef098 in QRhiBufferData::assign(char const*, int) qrhi_p_p.h:347 #2 0x10bbd553a in QRhiResourceUpdateBatchPrivate::BufferOp::changeToStaticUpload(QRhiResourceUpdateBatchPrivate::BufferOp*, QRhiBuffer*, int, int, void const*) qrhi_p_p.h:409 #3 0x10bbd5971 in QRhiResourceUpdateBatch::uploadStaticBuffer(QRhiBuffer*, void const*) qrhi.cpp:4938 #4 0x1073bab58 in QSGBatchRenderer::Renderer::unmap(QSGBatchRenderer::Buffer*, bool) qsgbatchrenderer.cpp:1070 #5 0x1073d33bb in QSGBatchRenderer::Renderer::uploadBatch(QSGBatchRenderer::Batch*) qsgbatchrenderer.cpp:2227 #6 0x1073f87c3 in QSGBatchRenderer::Renderer::prepareRenderPass(QSGBatchRenderer::Renderer::RenderPassContext*) qsgbatchrenderer.cpp:3531 #7 0x1073f5903 in QSGBatchRenderer::Renderer::render() qsgbatchrenderer.cpp:3381 #8 0x107390aaf in QSGRenderer::renderScene() qsgrenderer.cpp:175 #9 0x107653cca in QSGDefaultRenderContext::renderNextRhiFrame(QSGRenderer*) qsgdefaultrendercontext.cpp:211 #10 0x107886c87 in QQuickWindowPrivate::renderSceneGraph(QSize const&, QSize const&) qquickwindow.cpp:706 #11 0x10767f788 in QSGRenderThread::syncAndRender() qsgthreadedrenderloop.cpp:786 #12 0x107683262 in QSGRenderThread::run() qsgthreadedrenderloop.cpp:987 #13 0x111f3886e in QThreadPrivate::start(void*) qthread_unix.cpp:329 #14 0x7fff6b4f5108 in _pthread_start+0x93 (libsystem_pthread.dylib:x86_64+0x6108) #15 0x7fff6b4f0b8a in thread_start+0xe (libsystem_pthread.dylib:x86_64+0x1b8a) 0x612000157680 is located 0 bytes to the 
right of 320-byte region [0x612000157540,0x612000157680) allocated by thread T6 here: #0 0x11435917d in wrap_malloc+0x9d (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x4917d) #1 0x1073b9d67 in QSGBatchRenderer::Renderer::map(QSGBatchRenderer::Buffer*, int, bool) qsgbatchrenderer.cpp:1036 #2 0x1073cff02 in QSGBatchRenderer::Renderer::uploadBatch(QSGBatchRenderer::Batch*) qsgbatchrenderer.cpp:2071 #3 0x1073f87c3 in QSGBatchRenderer::Renderer::prepareRenderPass(QSGBatchRenderer::Renderer::RenderPassContext*) qsgbatchrenderer.cpp:3531 #4 0x1073f5903 in QSGBatchRenderer::Renderer::render() qsgbatchrenderer.cpp:3381 #5 0x107390aaf in QSGRenderer::renderScene() qsgrenderer.cpp:175 #6 0x107653cca in QSGDefaultRenderContext::renderNextRhiFrame(QSGRenderer*) qsgdefaultrendercontext.cpp:211 #7 0x107886c87 in QQuickWindowPrivate::renderSceneGraph(QSize const&, QSize const&) qquickwindow.cpp:706 #8 0x10767f788 in QSGRenderThread::syncAndRender() qsgthreadedrenderloop.cpp:786 #9 0x107683262 in QSGRenderThread::run() qsgthreadedrenderloop.cpp:987 #10 0x111f3886e in QThreadPrivate::start(void*) qthread_unix.cpp:329 #11 0x7fff6b4f5108 in _pthread_start+0x93 (libsystem_pthread.dylib:x86_64+0x6108) #12 0x7fff6b4f0b8a in thread_start+0xe (libsystem_pthread.dylib:x86_64+0x1b8a) Thread T6 created by T0 here: #0 0x11435331a in wrap_pthread_create+0x5a (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x4331a) #1 0x111f3b519 in QThread::start(QThread::Priority) qthread_unix.cpp:714 #2 0x10768a196 in QSGThreadedRenderLoop::handleExposure(QQuickWindow*) qsgthreadedrenderloop.cpp:1319 #3 0x10768852a in QSGThreadedRenderLoop::exposureChanged(QQuickWindow*) qsgthreadedrenderloop.cpp:1247 #4 0x10788015f in QQuickWindow::exposeEvent(QExposeEvent*) qquickwindow.cpp:244 #5 0x10a6f3357 in QWindow::event(QEvent*) qwindow.cpp:2446 #6 0x10789e9b6 in QQuickWindow::event(QEvent*) qquickwindow.cpp:2010 #7 0x112b3d7aa in QCoreApplicationPrivate::notify_helper(QObject*, QEvent*) qcoreapplication.cpp:1201 #8 
0x112b3c98a in doNotify(QObject*, QEvent*) qcoreapplication.cpp:1130 #9 0x112b3cb56 in QCoreApplication::notify(QObject*, QEvent*) qcoreapplication.cpp:1116 #10 0x10a6721e9 in QGuiApplication::notify(QObject*, QEvent*) qguiapplication.cpp:1944 #11 0x112b3c6a9 in QCoreApplication::notifyInternal2(QObject*, QEvent*) qcoreapplication.cpp:1040 #12 0x112b3ebb1 in QCoreApplication::sendSpontaneousEvent(QObject*, QEvent*) qcoreapplication.cpp:1447 #13 0x10a68138a in QGuiApplicationPrivate::processExposeEvent(QWindowSystemInterfacePrivate::ExposeEvent*) qguiapplication.cpp:3167 #14 0x10a6735a4 in QGuiApplicationPrivate::processWindowSystemEvent(QWindowSystemInterfacePrivate::WindowSystemEvent*) qguiapplication.cpp:2085 #15 0x10a57e194 in bool QWindowSystemInterfacePrivate::handleWindowSystemEvent<QWindowSystemInterface::SynchronousDelivery>(QWindowSystemInterfacePrivate::WindowSystemEvent*) qwindowsysteminterface.cpp:107 #16 0x10a59cc0b in bool QWindowSystemInterface::handleExposeEvent<QWindowSystemInterface::SynchronousDelivery>(QWindow*, QRegion const&) qwindowsysteminterface.cpp:351 #17 0x11b6c2f89 in QCocoaWindow::handleExposeEvent(QRegion const&) qcocoawindow.mm:1376 #18 0x11b70b27d in -[QNSView(Drawing) displayLayer:] qnsview_drawing.mm:243 #19 0x7fff3cd7453b in -[CALayer display]+0xb3 (QuartzCore:x86_64+0x2653b) #20 0x7fff3cd73e08 in CA::Layer::display_if_needed(CA::Transaction*)+0x2f4 (QuartzCore:x86_64+0x25e08) #21 0x7fff3cd52105 in CA::Context::commit_transaction(CA::Transaction*, double)+0x14d (QuartzCore:x86_64+0x4105) #22 0x7fff3cd50cef in CA::Transaction::commit()+0x283 (QuartzCore:x86_64+0x2cef) #23 0x7fff2e690da0 in __62+[CATransaction(NSCATransaction) NS_setFlushesWithDisplayLink]_block_invoke+0x109 (AppKit:x86_64+0x1e0da0) #24 0x7fff2edb007f in ___NSRunLoopObserverCreateWithHandler_block_invoke+0x28 (AppKit:x86_64+0x90007f) #25 0x7fff31280334 in __CFRUNLOOP_IS_CALLING_OUT_TO_AN_OBSERVER_CALLBACK_FUNCTION__+0x16 (CoreFoundation:x86_64h+0x83334) #26 
0x7fff31280266 in __CFRunLoopDoObservers+0x1c8 (CoreFoundation:x86_64h+0x83266) #27 0x7fff3127f804 in __CFRunLoopRun+0x369 (CoreFoundation:x86_64h+0x82804) #28 0x7fff3127ee3d in CFRunLoopRunSpecific+0x1cd (CoreFoundation:x86_64h+0x81e3d) #29 0x7fff2feababc in RunCurrentEventLoopInMode+0x123 (HIToolbox:x86_64+0x2fabc) #30 0x7fff2feab6f3 in ReceiveNextEventCommon+0x166 (HIToolbox:x86_64+0x2f6f3) #31 0x7fff2feab578 in _BlockUntilNextEventMatchingListInModeWithFilter+0x3f (HIToolbox:x86_64+0x2f578) #32 0x7fff2e4f1038 in _DPSNextEvent+0x372 (AppKit:x86_64+0x41038) #33 0x7fff2e4ef87f in -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:]+0x547 (AppKit:x86_64+0x3f87f) #34 0x7fff2e4e158d in -[NSApplication run]+0x291 (AppKit:x86_64+0x3158d) #35 0x11b766b9b in QCocoaEventDispatcher::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) qcocoaeventdispatcher.mm:430 #36 0x112b2769f in QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) qeventloop.cpp:139 #37 0x112b27d2f in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) qeventloop.cpp:232 #38 0x112b3e343 in QCoreApplication::exec() qcoreapplication.cpp:1348 #39 0x10a671855 in QGuiApplication::exec() qguiapplication.cpp:1876 #40 0x106f2bf7d in main main.cpp:42 #41 0x7fff6b2f0cc8 in start+0x0 (libdyld.dylib:x86_64+0x1acc8) SUMMARY: AddressSanitizer: heap-buffer-overflow (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x4729f) in __asan_memcpy+0x1af Shadow bytes around the buggy address: 0x1c240002ae80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x1c240002ae90: 00 00 00 00 00 00 00 00 00 00 04 fa fa fa fa fa 0x1c240002aea0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00 0x1c240002aeb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x1c240002aec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x1c240002aed0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x1c240002aee0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x1c240002aef0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa 
fa fa 0x1c240002af00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x1c240002af10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x1c240002af20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ==53388==ABORTING 11:02:28: The program has unexpectedly finished. 11:02:28: The process was ended forcefully. 11:02:28: /Users/mitch/dev/temp/quick-qt_dev_fw-Debug/quick.app/Contents/MacOS/quick crashed.