Qt / QTBUG-90401

Heap-use-after-free in QAbstractAnimationJob


Details

    • Platform/OS: Linux/Wayland, Linux/Yocto
    • Commits:
      2ba30fcc069f63153baeb38cd5c57d5639bdc26b
      680f28b08f65ad38c8d5498b5738231b2a2779a3
      62bf7be90ba5d7868cc18c8a1e81209c91f449c5
      6de9ec7d721ecd2a72beb31ccb8a05bf0ed5884b
      604696479781c15ce3c967f30b63c53b15771dcb

    Description

      Random crashes are observed when using the Qt Animation Framework.

      Due to the complexity of our application, we couldn't prepare a minimal example leading to the crash.

      Please see AddressSanitizer report:

      ==12597==ERROR: AddressSanitizer: heap-use-after-free on address 0x6100001f85a8 at pc 0x7fc28961c62c bp 0x7ffff592b7c0 sp 0x7ffff592b7b0
      READ of size 8 at 0x6100001f85a8 thread T0
          #0 0x7fc28961c62b in QAbstractAnimationJob::nextSibling() const ../../include/QtQml/5.12.9/QtQml/private/../../../../../../../../qt/qtdeclarative/src/qml/animations/qabstractanimationjob_p.h:127
          #1 0x7fc28961c62b in QSequentialAnimationGroupJob::uncontrolledAnimationFinished(QAbstractAnimationJob*) ~/qt/qtdeclarative/src/qml/animations/qsequentialanimationgroupjob.cpp:334
          #2 0x7fc28960ff44 in QAbstractAnimationJob::finished() ~/qt/qtdeclarative/src/qml/animations/qabstractanimationjob.cpp:585
          #3 0x7fc289613ee2 in QAbstractAnimationJob::setState(QAbstractAnimationJob::State) ~/qt/qtdeclarative/src/qml/animations/qabstractanimationjob.cpp:385
          #4 0x7fc2896140b0 in QAbstractAnimationJob::stop() ~/qt/qtdeclarative/src/qml/animations/qabstractanimationjob.cpp:522
          #5 0x7fc289e64a9d in QQuickAnimatorProxyJob::updateCurrentTime(int) ~/qt/qtdeclarative/src/quick/util/qquickanimatorjob.cpp:163
          #6 0x7fc289614869 in QAbstractAnimationJob::setCurrentTime(int) ~/qt/qtdeclarative/src/qml/animations/qabstractanimationjob.cpp:484
          #7 0x7fc28961e01d in QSequentialAnimationGroupJob::updateCurrentTime(int) ~/qt/qtdeclarative/src/qml/animations/qsequentialanimationgroupjob.cpp:231
          #8 0x7fc289614869 in QAbstractAnimationJob::setCurrentTime(int) ~/qt/qtdeclarative/src/qml/animations/qabstractanimationjob.cpp:484
          #9 0x7fc289615030 in QQmlAnimationTimer::updateAnimationsTime(long long) ~/qt/qtdeclarative/src/qml/animations/qabstractanimationjob.cpp:111
          #10 0x7fc285e0f070 in QUnifiedTimer::updateAnimationTimers(long long) ~/qt/qtbase/src/corelib/animation/qabstractanimation.cpp:323
          #11 0x7fc285e10f22 in QAnimationDriver::advanceAnimation(long long) ~/qt/qtbase/src/corelib/animation/qabstractanimation.cpp:821
          #12 0x7fc289f618dd in QSGAnimationDriver::advance() ~/qt/qtdeclarative/src/quick/scenegraph/qsgcontext.cpp:218
          #13 0x7fc28a00b1da in QSGThreadedRenderLoop::polishAndSync(QSGThreadedRenderLoop::Window*, bool) ~/qt/qtdeclarative/src/quick/scenegraph/qsgthreadedrenderloop.cpp:1229
          #14 0x7fc28a00c5a3 in QSGThreadedRenderLoop::handleUpdateRequest(QQuickWindow*) ~/qt/qtdeclarative/src/quick/scenegraph/qsgthreadedrenderloop.cpp:1042
          #15 0x7fc28a1ad211 in QQuickWindow::event(QEvent*) ~/qt/qtdeclarative/src/quick/items/qquickwindow.cpp:1769
          #16 0x7fc2864c03fe in QCoreApplicationPrivate::notify_helper(QObject*, QEvent*) ~/qt/qtbase/src/corelib/kernel/qcoreapplication.cpp:1249
          #17 0x7fc2864c069c in doNotify ~/qt/qtbase/src/corelib/kernel/qcoreapplication.cpp:1178
          #18 0x7fc2864c0b4d in QCoreApplication::notify(QObject*, QEvent*) ~/qt/qtbase/src/corelib/kernel/qcoreapplication.cpp:1164
          #19 0x7fc2870d28a6 in QGuiApplication::notify(QObject*, QEvent*) ~/qt/qtbase/src/gui/kernel/qguiapplication.cpp:1796
          #20 0x7fc2864c08fc in QCoreApplication::notifyInternal2(QObject*, QEvent*) ~/qt/qtbase/src/corelib/kernel/qcoreapplication.cpp:1088
          #21 0x7fc2864c11c2 in QCoreApplication::sendEvent(QObject*, QEvent*) ~/qt/qtbase/src/corelib/kernel/qcoreapplication.cpp:1476
          #22 0x7fc2870ab46b in QPlatformWindow::deliverUpdateRequest() ~/qt/qtbase/src/gui/kernel/qplatformwindow.cpp:793
          #23 0x7fc2870a3b5a in QPlatformWindow::windowEvent(QEvent*) ~/qt/qtbase/src/gui/kernel/qplatformwindow.cpp:478
          #24 0x7fc27bb43945 in QXcbWindow::windowEvent(QEvent*) ~/qt/qtbase/src/plugins/platforms/xcb/qxcbwindow.cpp:2393
          #25 0x7fc2870bb218 in QGuiApplicationPrivate::sendQWindowEventToQPlatformWindow(QWindow*, QEvent*) ~/qt/qtbase/src/gui/kernel/qguiapplication.cpp:1828
          #26 0x7fc2870d2894 in QGuiApplication::notify(QObject*, QEvent*) ~/qt/qtbase/src/gui/kernel/qguiapplication.cpp:1792
          #27 0x7fc2864c08fc in QCoreApplication::notifyInternal2(QObject*, QEvent*) ~/qt/qtbase/src/corelib/kernel/qcoreapplication.cpp:1088
          #28 0x7fc2864c11c2 in QCoreApplication::sendEvent(QObject*, QEvent*) ~/qt/qtbase/src/corelib/kernel/qcoreapplication.cpp:1476
          #29 0x7fc28661be56 in QTimerInfoList::activateTimers() ~/qt/qtbase/src/corelib/kernel/qtimerinfo_unix.cpp:643
          #30 0x7fc28661dfdb in timerSourceDispatch ~/qt/qtbase/src/corelib/kernel/qeventdispatcher_glib.cpp:182
          #31 0x7fc28661e03d in idleTimerSourceDispatch ~/qt/qtbase/src/corelib/kernel/qeventdispatcher_glib.cpp:229
          #32 0x7fc2828e4416 in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4c416)
          #33 0x7fc2828e464f  (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4c64f)
          #34 0x7fc2828e46db in g_main_context_iteration (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4c6db)
          #35 0x7fc28661f898 in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) ~/qt/qtbase/src/corelib/kernel/qeventdispatcher_glib.cpp:422
          #36 0x7fc27bb874f3 in QXcbGlibEventDispatcher::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) ~/qt/qtbase/src/plugins/platforms/xcb/qxcbeventdispatcher.cpp:143
          #37 0x7fc2864b94ed in QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) ~/qt/qtbase/src/corelib/kernel/qeventloop.cpp:138
          #38 0x7fc2864bb015 in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) ~/qt/qtbase/src/corelib/kernel/qeventloop.cpp:225
          #39 0x7fc2864d7c98 in QCoreApplication::exec() ~/qt/qtbase/src/corelib/kernel/qcoreapplication.cpp:1389
          #40 0x7fc2870bb18f in QGuiApplication::exec() ~/qt/qtbase/src/gui/kernel/qguiapplication.cpp:1784
          #41 0x55ad68c6df3d in main ~/qtapplicationmanager/src/tools/appman/appman.cpp:120
          #42 0x7fc284f02b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
          #43 0x55ad68c6d569 in _start (~/build/install/bin/appman+0x83569)
      0x6100001f85a8 is located 104 bytes inside of 184-byte region [0x6100001f8540,0x6100001f85f8)
      freed by thread T0 here:
          #0 0x7fc28ba00407 in operator delete(void*, unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.6+0xb1407)
          #1 0x7fc289e5eacb in QQuickAnimatorProxyJob::~QQuickAnimatorProxyJob() ~/qt/qtdeclarative/src/quick/util/qquickanimatorjob.cpp:131
          #2 0x7fc28961a737 in QAnimationGroupJob::clear() ~/qt/qtdeclarative/src/qml/animations/qanimationgroupjob.cpp:125
          #3 0x7fc28961a7b2 in QAnimationGroupJob::~QAnimationGroupJob() ~/qt/qtdeclarative/src/qml/animations/qanimationgroupjob.cpp:52
          #4 0x7fc28961b128 in QSequentialAnimationGroupJob::~QSequentialAnimationGroupJob() ~/qt/qtdeclarative/src/qml/animations/qsequentialanimationgroupjob.cpp:53
          #5 0x7fc28961b140 in QSequentialAnimationGroupJob::~QSequentialAnimationGroupJob() ~/qt/qtdeclarative/src/qml/animations/qsequentialanimationgroupjob.cpp:55
          #6 0x7fc289d383b9 in QQuickAbstractAnimationPrivate::commence() ~/qt/qtdeclarative/src/quick/util/qquickanimation.cpp:171
          #7 0x7fc289d3885e in QQuickAbstractAnimation::setRunning(bool) ~/qt/qtdeclarative/src/quick/util/qquickanimation.cpp:294
          #8 0x7fc289d38e07 in QQuickAbstractAnimation::start() ~/qt/qtdeclarative/src/quick/util/qquickanimation.cpp:520
          #9 0x7fc289d38e32 in QQuickAbstractAnimation::restart() ~/qt/qtdeclarative/src/quick/util/qquickanimation.cpp:582
          #10 0x7fc289d3910c in QQuickAbstractAnimation::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) .moc/moc_qquickanimation_p.cpp:174
          #11 0x7fc289d437a0 in QQuickAbstractAnimation::qt_metacall(QMetaObject::Call, int, void**) .moc/moc_qquickanimation_p.cpp:301
          #12 0x7fc289d43f59 in QQuickAnimationGroup::qt_metacall(QMetaObject::Call, int, void**) .moc/moc_qquickanimation_p.cpp:1872
          #13 0x7fc289d43fd4 in QQuickSequentialAnimation::qt_metacall(QMetaObject::Call, int, void**) .moc/moc_qquickanimation_p.cpp:1962
          #14 0x7fc2864e2f24 in QMetaObject::metacall(QObject*, QMetaObject::Call, int, void**) ~/qt/qtbase/src/corelib/kernel/qmetaobject.cpp:316
          #15 0x7fc2893f126f in QQmlObjectOrGadget::metacall(QMetaObject::Call, int, void**) const ~/qt/qtdeclarative/src/qml/qml/qqmlpropertycache.cpp:1770
          #16 0x7fc288e3e977 in CallMethod ~/qt/qtdeclarative/src/qml/jsruntime/qv4qobjectwrapper.cpp:1313
          #17 0x7fc288e3f965 in CallPrecise ~/qt/qtdeclarative/src/qml/jsruntime/qv4qobjectwrapper.cpp:1561
          #18 0x7fc288e42524 in QV4::QObjectMethod::callInternal(QV4::Value const*, QV4::Value const*, int) const ~/qt/qtdeclarative/src/qml/jsruntime/qv4qobjectwrapper.cpp:2118
          #19 0x7fc288e42fba in QV4::QObjectMethod::virtualCall(QV4::FunctionObject const*, QV4::Value const*, QV4::Value const*, int) ~/qt/qtdeclarative/src/qml/jsruntime/qv4qobjectwrapper.cpp:2055
          #20 0x7fc2891b0de8 in QV4::FunctionObject::call(QV4::Value const*, QV4::Value const*, int) const ~/qt/qtdeclarative/src/qml/jsruntime/qv4functionobject_p.h:202
          #21 0x7fc2891b0de8 in QV4::Runtime::method_callPropertyLookup(QV4::ExecutionEngine*, QV4::Value*, unsigned int, QV4::Value*, int) ~/qt/qtdeclarative/src/qml/jsruntime/qv4runtime.cpp:1433
          #22 0x7fc21a3b3a68  (/memfd:JITCode:~/build/install/lib/libQt5Qml.so.5 (deleted)+0xa68)
          #23 0x7fc288ef7a7e in QV4::Moth::VME::exec(QV4::CppStackFrame*, QV4::ExecutionEngine*) ~/qt/qtdeclarative/src/qml/jsruntime/qv4vme_moth.cpp:439
          #24 0x7fc288c24323 in QV4::ArrowFunction::virtualCall(QV4::FunctionObject const*, QV4::Value const*, QV4::Value const*, int) ~/qt/qtdeclarative/src/qml/jsruntime/qv4functionobject.cpp:521
          #25 0x7fc2891b0de8 in QV4::FunctionObject::call(QV4::Value const*, QV4::Value const*, int) const ~/qt/qtdeclarative/src/qml/jsruntime/qv4functionobject_p.h:202
          #26 0x7fc2891b0de8 in QV4::Runtime::method_callPropertyLookup(QV4::ExecutionEngine*, QV4::Value*, unsigned int, QV4::Value*, int) ~/qt/qtdeclarative/src/qml/jsruntime/qv4runtime.cpp:1433
          #27 0x7fc21a3b3571  (/memfd:JITCode:~/build/install/lib/libQt5Qml.so.5 (deleted)+0x571)
          #28 0x7fc288ef7a7e in QV4::Moth::VME::exec(QV4::CppStackFrame*, QV4::ExecutionEngine*) ~/qt/qtdeclarative/src/qml/jsruntime/qv4vme_moth.cpp:439
          #29 0x7fc288c24323 in QV4::ArrowFunction::virtualCall(QV4::FunctionObject const*, QV4::Value const*, QV4::Value const*, int) ~/qt/qtdeclarative/src/qml/jsruntime/qv4functionobject.cpp:521
          #30 0x7fc2891b0de8 in QV4::FunctionObject::call(QV4::Value const*, QV4::Value const*, int) const ~/qt/qtdeclarative/src/qml/jsruntime/qv4functionobject_p.h:202
          #31 0x7fc2891b0de8 in QV4::Runtime::method_callPropertyLookup(QV4::ExecutionEngine*, QV4::Value*, unsigned int, QV4::Value*, int) ~/qt/qtdeclarative/src/qml/jsruntime/qv4runtime.cpp:1433
          #32 0x7fc21a4b6ca6  (/memfd:JITCode:~/build/install/lib/libQt5Qml.so.5 (deleted)+0xca6)
      previously allocated by thread T0 here:
          #0 0x7fc28b9ff3a7 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.6+0xb03a7)
          #1 0x7fc289d2e41e in QQuickSequentialAnimation::transition(QList<QQuickStateAction>&, QList<QQmlProperty>&, QQuickAbstractAnimation::TransitionDirection, QObject*) ~/qt/qtdeclarative/src/quick/util/qquickanimation.cpp:1841
          #2 0x7fc289d38346 in QQuickAbstractAnimationPrivate::commence() ~/qt/qtdeclarative/src/quick/util/qquickanimation.cpp:169
          #3 0x7fc289d3885e in QQuickAbstractAnimation::setRunning(bool) ~/qt/qtdeclarative/src/quick/util/qquickanimation.cpp:294
          #4 0x7fc289d38e07 in QQuickAbstractAnimation::start() ~/qt/qtdeclarative/src/quick/util/qquickanimation.cpp:520
          #5 0x7fc289d38e32 in QQuickAbstractAnimation::restart() ~/qt/qtdeclarative/src/quick/util/qquickanimation.cpp:582
          #6 0x7fc289d3910c in QQuickAbstractAnimation::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) .moc/moc_qquickanimation_p.cpp:174
          #7 0x7fc289d437a0 in QQuickAbstractAnimation::qt_metacall(QMetaObject::Call, int, void**) .moc/moc_qquickanimation_p.cpp:301
          #8 0x7fc289d43f59 in QQuickAnimationGroup::qt_metacall(QMetaObject::Call, int, void**) .moc/moc_qquickanimation_p.cpp:1872
          #9 0x7fc289d43fd4 in QQuickSequentialAnimation::qt_metacall(QMetaObject::Call, int, void**) .moc/moc_qquickanimation_p.cpp:1962
          #10 0x7fc2864e2f24 in QMetaObject::metacall(QObject*, QMetaObject::Call, int, void**) ~/qt/qtbase/src/corelib/kernel/qmetaobject.cpp:316
          #11 0x7fc2893f126f in QQmlObjectOrGadget::metacall(QMetaObject::Call, int, void**) const ~/qt/qtdeclarative/src/qml/qml/qqmlpropertycache.cpp:1770
          #12 0x7fc288e3e977 in CallMethod ~/qt/qtdeclarative/src/qml/jsruntime/qv4qobjectwrapper.cpp:1313
          #13 0x7fc288e3f965 in CallPrecise ~/qt/qtdeclarative/src/qml/jsruntime/qv4qobjectwrapper.cpp:1561
          #14 0x7fc288e42524 in QV4::QObjectMethod::callInternal(QV4::Value const*, QV4::Value const*, int) const ~/qt/qtdeclarative/src/qml/jsruntime/qv4qobjectwrapper.cpp:2118
          #15 0x7fc288e42fba in QV4::QObjectMethod::virtualCall(QV4::FunctionObject const*, QV4::Value const*, QV4::Value const*, int) ~/qt/qtdeclarative/src/qml/jsruntime/qv4qobjectwrapper.cpp:2055
          #16 0x7fc2891b0de8 in QV4::FunctionObject::call(QV4::Value const*, QV4::Value const*, int) const ~/qt/qtdeclarative/src/qml/jsruntime/qv4functionobject_p.h:202
          #17 0x7fc2891b0de8 in QV4::Runtime::method_callPropertyLookup(QV4::ExecutionEngine*, QV4::Value*, unsigned int, QV4::Value*, int) ~/qt/qtdeclarative/src/qml/jsruntime/qv4runtime.cpp:1433
          #18 0x7fc21a3b3a68  (/memfd:JITCode:~/build/install/lib/libQt5Qml.so.5 (deleted)+0xa68)
          #19 0x7fc288ef7a7e in QV4::Moth::VME::exec(QV4::CppStackFrame*, QV4::ExecutionEngine*) ~/qt/qtdeclarative/src/qml/jsruntime/qv4vme_moth.cpp:439
          #20 0x7fc288c24323 in QV4::ArrowFunction::virtualCall(QV4::FunctionObject const*, QV4::Value const*, QV4::Value const*, int) ~/qt/qtdeclarative/src/qml/jsruntime/qv4functionobject.cpp:521
          #21 0x7fc2891b0de8 in QV4::FunctionObject::call(QV4::Value const*, QV4::Value const*, int) const ~/qt/qtdeclarative/src/qml/jsruntime/qv4functionobject_p.h:202
          #22 0x7fc2891b0de8 in QV4::Runtime::method_callPropertyLookup(QV4::ExecutionEngine*, QV4::Value*, unsigned int, QV4::Value*, int) ~/qt/qtdeclarative/src/qml/jsruntime/qv4runtime.cpp:1433
          #23 0x7fc21a4f3366  (/memfd:JITCode:~/build/install/lib/libQt5Qml.so.5 (deleted)+0x366)
          #24 0x7fc288ef7a7e in QV4::Moth::VME::exec(QV4::CppStackFrame*, QV4::ExecutionEngine*) ~/qt/qtdeclarative/src/qml/jsruntime/qv4vme_moth.cpp:439
          #25 0x7fc288c24323 in QV4::ArrowFunction::virtualCall(QV4::FunctionObject const*, QV4::Value const*, QV4::Value const*, int) ~/qt/qtdeclarative/src/qml/jsruntime/qv4functionobject.cpp:521
          #26 0x7fc2891b0de8 in QV4::FunctionObject::call(QV4::Value const*, QV4::Value const*, int) const ~/qt/qtdeclarative/src/qml/jsruntime/qv4functionobject_p.h:202
          #27 0x7fc2891b0de8 in QV4::Runtime::method_callPropertyLookup(QV4::ExecutionEngine*, QV4::Value*, unsigned int, QV4::Value*, int) ~/qt/qtdeclarative/src/qml/jsruntime/qv4runtime.cpp:1433
          #28 0x7fc21a4f48a6  (/memfd:JITCode:~/build/install/lib/libQt5Qml.so.5 (deleted)+0x8a6)
          #29 0x7fc288ef7a7e in QV4::Moth::VME::exec(QV4::CppStackFrame*, QV4::ExecutionEngine*) ~/qt/qtdeclarative/src/qml/jsruntime/qv4vme_moth.cpp:439
          #30 0x7fc288c24323 in QV4::ArrowFunction::virtualCall(QV4::FunctionObject const*, QV4::Value const*, QV4::Value const*, int) ~/qt/qtdeclarative/src/qml/jsruntime/qv4functionobject.cpp:521
          #31 0x7fc2891b0de8 in QV4::FunctionObject::call(QV4::Value const*, QV4::Value const*, int) const ~/qt/qtdeclarative/src/qml/jsruntime/qv4functionobject_p.h:202
          #32 0x7fc2891b0de8 in QV4::Runtime::method_callPropertyLookup(QV4::ExecutionEngine*, QV4::Value*, unsigned int, QV4::Value*, int) ~/qt/qtdeclarative/src/qml/jsruntime/qv4runtime.cpp:1433
          #33 0x7fc21a4f459d  (/memfd:JITCode:~/build/install/lib/libQt5Qml.so.5 (deleted)+0x59d)
      SUMMARY: AddressSanitizer: heap-use-after-free ../../include/QtQml/5.12.9/QtQml/private/../../../../../../../../qt/qtdeclarative/src/qml/animations/qabstractanimationjob_p.h:127 in QAbstractAnimationJob::nextSibling() const
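      A triage helper for the report above, added here as an example; it is not code from Qt or from the reporter. It parses the AddressSanitizer report format, re-splits the lines the tracker glued together (the `...+0x83569)0x6100001f85a8 is located` and `...+0xca6)previously allocated` joins visible above), and reduces the three stacks to what a triager reads first: the faulting 8-byte read lands 104 bytes into a 184-byte object whose deleting destructor was `QQuickAnimatorProxyJob::~QQuickAnimatorProxyJob()`, the free ran from `QAnimationGroupJob::clear()` under `QQuickAbstractAnimation::restart()`, the allocation from an earlier `commence()`, and all three stacks are on thread T0, which points at an ordering problem rather than a data race (a heuristic, not a root cause). The function names, regular expressions and the `SAMPLE_REPORT` constant are this example's own; the sample is a trimmed copy of the ticket's report.

```python
"""Triage helper for AddressSanitizer heap-use-after-free reports. Added example,
not code from Qt or from the reporter. SAMPLE_REPORT is a trimmed copy of the report
in the ticket; two lines stay glued together exactly as the tracker rendered them."""
import re
from typing import List, Optional, Tuple

Frame = Tuple[int, Optional[str], str]  # (index, function or None if unsymbolized, location)

ERROR_RE = re.compile(r"^==\d+==ERROR: AddressSanitizer: (\S+) on address 0x([0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-f]+ thread (T\d+)")
REGION_RE = re.compile(r"^0x[0-9a-f]+ is located (\d+) bytes inside of \d+-byte region "
                       r"\[0x([0-9a-f]+),0x([0-9a-f]+)\)")
SECTION_RE = re.compile(r"^(freed|previously allocated) by thread (T\d+) here:")
FRAME_RE = re.compile(r"^#(\d+)\s+0x[0-9a-f]+\s+(.*)$")
BODY_RE = re.compile(r"^(.*?)\s+(\(.*\)|\S+)$")  # "function location"; spaces in a location only inside (...)
GLUED_RE = re.compile(r"\)(0x[0-9a-f]+ is located|previously allocated|SUMMARY:)")
DTOR_RE = re.compile(r"(?:^|::)(\w+)::~\1\(\)")
RUNTIME = ("operator new", "operator delete", "__interceptor_")


def _parse_frame(line: str) -> Optional[Frame]:
    m = FRAME_RE.match(line)
    if not m:
        return None
    body = m.group(2).strip()
    if not body.startswith("in "):  # unsymbolized frame: "(module+offset)" only
        return int(m.group(1)), None, body
    bm = BODY_RE.match(body[3:])
    return (int(m.group(1)), bm.group(1), bm.group(2)) if bm else (int(m.group(1)), body[3:], "")


def parse_asan_report(text: str) -> dict:
    rep, section = {"threads": {}, "stacks": {"use": [], "free": [], "alloc": []}}, None
    for line in GLUED_RE.sub(")\n\\1", text).splitlines():  # undo the tracker's line joins
        line = line.strip()
        if m := ERROR_RE.match(line):
            rep["kind"], rep["address"] = m.group(1), int(m.group(2), 16)
        elif m := ACCESS_RE.match(line):
            rep["access"], rep["size"] = m.group(1), int(m.group(2))
            rep["threads"]["use"], section = m.group(3), "use"
        elif m := REGION_RE.match(line):
            rep["region"] = (int(m.group(2), 16), int(m.group(3), 16), int(m.group(1)))  # lo, hi, offset
            section = None
        elif m := SECTION_RE.match(line):
            section = "free" if m.group(1) == "freed" else "alloc"
            rep["threads"][section] = m.group(2)
        elif line.startswith("SUMMARY:"):
            section = None
        elif section and (frame := _parse_frame(line)):
            rep["stacks"][section].append(frame)
    return rep


def _first_user_frame(frames: List[Frame]) -> Optional[Frame]:
    """Skip allocator and sanitizer-runtime frames; the next one is the code that acted."""
    for f in frames:
        if f[1] and "libasan" not in f[2] and not f[1].startswith(RUNTIME):
            return f
    return None


def triage(rep: dict) -> dict:
    lo, hi, offset = rep["region"]
    use = rep["stacks"]["use"]
    site = _first_user_frame(use)
    freed = _first_user_frame(rep["stacks"]["free"])
    alloc = _first_user_frame(rep["stacks"]["alloc"])
    dtor = DTOR_RE.search(freed[1]) if freed else None
    i = use.index(site) if site else len(use)
    return {
        "kind": rep["kind"],
        "access": f'{rep["access"]} {rep["size"]}',
        "same_thread": len(set(rep["threads"].values())) == 1,  # heuristic: ordering bug, not a race
        "address_in_region": lo <= rep["address"] < hi and rep["address"] - lo == offset,
        "region_size": hi - lo,
        "use_site": site[1] if site else None,
        "use_caller": use[i + 1][1] if i + 1 < len(use) else None,
        "freed_in": freed[1] if freed else None,
        "freed_type": dtor.group(1) if dtor else None,  # a deleting destructor names the dynamic type
        "allocated_in": alloc[1] if alloc else None,
    }


SAMPLE_REPORT = """\
==12597==ERROR: AddressSanitizer: heap-use-after-free on address 0x6100001f85a8 at pc 0x7fc28961c62c bp 0x7ffff592b7c0 sp 0x7ffff592b7b0
READ of size 8 at 0x6100001f85a8 thread T0
    #0 0x7fc28961c62b in QAbstractAnimationJob::nextSibling() const ../../include/QtQml/5.12.9/QtQml/private/../../../../../../../../qt/qtdeclarative/src/qml/animations/qabstractanimationjob_p.h:127
    #1 0x7fc28961c62b in QSequentialAnimationGroupJob::uncontrolledAnimationFinished(QAbstractAnimationJob*) ~/qt/qtdeclarative/src/qml/animations/qsequentialanimationgroupjob.cpp:334
    #43 0x55ad68c6d569 in _start (~/build/install/bin/appman+0x83569)0x6100001f85a8 is located 104 bytes inside of 184-byte region [0x6100001f8540,0x6100001f85f8)
freed by thread T0 here:
    #0 0x7fc28ba00407 in operator delete(void*, unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.6+0xb1407)
    #1 0x7fc289e5eacb in QQuickAnimatorProxyJob::~QQuickAnimatorProxyJob() ~/qt/qtdeclarative/src/quick/util/qquickanimatorjob.cpp:131
    #2 0x7fc28961a737 in QAnimationGroupJob::clear() ~/qt/qtdeclarative/src/qml/animations/qanimationgroupjob.cpp:125
    #9 0x7fc289d38e32 in QQuickAbstractAnimation::restart() ~/qt/qtdeclarative/src/quick/util/qquickanimation.cpp:582
    #32 0x7fc21a4b6ca6  (/memfd:JITCode:~/build/install/lib/libQt5Qml.so.5 (deleted)+0xca6)previously allocated by thread T0 here:
    #0 0x7fc28b9ff3a7 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.6+0xb03a7)
    #1 0x7fc289d2e41e in QQuickSequentialAnimation::transition(QList<QQuickStateAction>&, QList<QQmlProperty>&, QQuickAbstractAnimation::TransitionDirection, QObject*) ~/qt/qtdeclarative/src/quick/util/qquickanimation.cpp:1841
SUMMARY: AddressSanitizer: heap-use-after-free ../../include/QtQml/5.12.9/QtQml/private/../../../../../../../../qt/qtdeclarative/src/qml/animations/qabstractanimationjob_p.h:127 in QAbstractAnimationJob::nextSibling() const
"""

if __name__ == "__main__":
    for key, value in triage(parse_asan_report(SAMPLE_REPORT)).items():
        print(f"{key:18} {value}")
```

      Run it as a script to print the summary for the sample; pass the full text of any other ASan report to `parse_asan_report` the same way. The `address_in_region` check cross-checks ASan's own "104 bytes inside" claim against the region bounds it printed, which catches reports that were edited or truncated before they were pasted into a ticket.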

            People

              Ulf Hermann (ulherman)
              diredko
              Votes: 14
              Watchers: 16
