Qt / QTBUG-92455

AddressSanitizer: heap-use-after-free in QQmlComponentAttached::~QQmlComponentAttached


Details

    • Type: Bug
    • Resolution: Incomplete
    • Priority: Not Evaluated
    • Affects Version: 5.12.9
    • Platform: Linux/X11

    Description

      Due to the complexity of our application we couldn't prepare a minimal example for reproduction.
      AddressSanitizer report:

      ==6447==ERROR: AddressSanitizer: heap-use-after-free on address 0x610001c94ff0 at pc 0x7f8ce48d6a75 bp 0x7fff8fd43b60 sp 0x7fff8fd43b50
      WRITE of size 8 at 0x610001c94ff0 thread T0
          #0 0x7f8ce48d6a74 in QQmlComponentAttached::~QQmlComponentAttached() /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtdeclarative/src/qml/qml/qqmlcomponent.cpp:983
          #1 0x7f8ce48d6a96 in QQmlComponentAttached::~QQmlComponentAttached() /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtdeclarative/src/qml/qml/qqmlcomponent.cpp:987
          #2 0x7f8ce1b86645 in QObjectPrivate::deleteChildren() /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtbase/src/corelib/kernel/qobject.cpp:2017
          #3 0x7f8ce1b8ada3 in QObject::~QObject() /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtbase/src/corelib/kernel/qobject.cpp:1033
          #4 0x7f8ce572cee1 in QQuickItem::~QQuickItem() /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtdeclarative/src/quick/items/qquickitem.cpp:2383
          #5 0x7f8c639afed9 in QQuickControl::~QQuickControl() /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtquickcontrols2/src/quicktemplates2/qquickcontrol.cpp:932
          #6 0x7f8c63a8f988 in QQuickStackView::~QQuickStackView() /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtquickcontrols2/src/quicktemplates2/qquickstackview.cpp:385
          #7 0x7f8c63702b8e in QQmlPrivate::QQmlElement<QQuickStackView>::~QQmlElement() /mnt/work/source/ntgdeps/build-asan/qt/build/qtdeclarative/include/QtQml/../../../../../Downloads/qt/qtdeclarative/src/qml/qml/qqmlprivate.h:108
          #8 0x7f8c63702b8e in QQmlPrivate::QQmlElement<QQuickStackView>::~QQmlElement() /mnt/work/source/ntgdeps/build-asan/qt/build/qtdeclarative/include/QtQml/../../../../../Downloads/qt/qtdeclarative/src/qml/qml/qqmlprivate.h:108
          #9 0x7f8ce1b86645 in QObjectPrivate::deleteChildren() /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtbase/src/corelib/kernel/qobject.cpp:2017
          #10 0x7f8ce1b8ada3 in QObject::~QObject() /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtbase/src/corelib/kernel/qobject.cpp:1033
          #11 0x7f8ce572cee1 in QQuickItem::~QQuickItem() /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtdeclarative/src/quick/items/qquickitem.cpp:2383
          ...
          #70 0x7f8ce1abb3fe in QCoreApplicationPrivate::notify_helper(QObject*, QEvent*) /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtbase/src/corelib/kernel/qcoreapplication.cpp:1249
          #71 0x7f8ce1abb69c in doNotify /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtbase/src/corelib/kernel/qcoreapplication.cpp:1178
          #72 0x7f8ce1abbb4d in QCoreApplication::notify(QObject*, QEvent*) /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtbase/src/corelib/kernel/qcoreapplication.cpp:1164
          #73 0x7f8ce26cd8a6 in QGuiApplication::notify(QObject*, QEvent*) /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtbase/src/gui/kernel/qguiapplication.cpp:1796
          #74 0x7f8ce1abb8fc in QCoreApplication::notifyInternal2(QObject*, QEvent*) /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtbase/src/corelib/kernel/qcoreapplication.cpp:1088
          #75 0x7f8ce1abc1c2 in QCoreApplication::sendEvent(QObject*, QEvent*) /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtbase/src/corelib/kernel/qcoreapplication.cpp:1476
          #76 0x7f8ce1acd3b4 in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtbase/src/corelib/kernel/qcoreapplication.cpp:1825
          #77 0x7f8ce1ace1ae in QCoreApplication::sendPostedEvents(QObject*, int) /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtbase/src/corelib/kernel/qcoreapplication.cpp:1679
          #78 0x7f8ce1c1bd9b in postEventSourceDispatch /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtbase/src/corelib/kernel/qeventdispatcher_glib.cpp:276
          #79 0x7f8cddedf536 in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4c536)
          #80 0x7f8cddedf76f  (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4c76f)
          #81 0x7f8cddedf7fb in g_main_context_iteration (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4c7fb)
          #82 0x7f8ce1c1a898 in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtbase/src/corelib/kernel/qeventdispatcher_glib.cpp:422
          #83 0x7f8cd71824f3 in QXcbGlibEventDispatcher::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtbase/src/plugins/platforms/xcb/qxcbeventdispatcher.cpp:143
          #84 0x7f8ce1ab44ed in QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtbase/src/corelib/kernel/qeventloop.cpp:138
          #85 0x7f8ce1ab6015 in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtbase/src/corelib/kernel/qeventloop.cpp:225
          #86 0x7f8ce1ad2c98 in QCoreApplication::exec() /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtbase/src/corelib/kernel/qcoreapplication.cpp:1389
          #87 0x7f8ce26b618f in QGuiApplication::exec() /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtbase/src/gui/kernel/qguiapplication.cpp:1784
          #88 0x5620d0fe6f3d in main /mnt/work/source/ntgdeps/ntgdeps/qtapplicationmanager/src/tools/appman/appman.cpp:120
          #89 0x7f8ce04fdb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
          #90 0x5620d0fe6569 in _start (/mnt/work/source/ntgdeps/build-asan/install/bin/appman+0x83569)
      
      0x610001c94ff0 is located 176 bytes inside of 184-byte region [0x610001c94f40,0x610001c94ff8)
      freed by thread T0 here:
          #0 0x7f8ce6ffd407 in operator delete(void*, unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.6+0xb1407)
          #1 0x7f8ce48f524d in QQmlContextData::destroy() /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtdeclarative/src/qml/qml/qqmlcontext.cpp:677
          #2 0x7f8ce4872f66 in QQmlContextDataRef::clear() ../../include/QtQml/5.12.9/QtQml/private/../../../../../../../../Downloads/qt/qtdeclarative/src/qml/qml/qqmlcontext_p.h:342
          #3 0x7f8ce4872f66 in QQmlContextDataRef::setContextData(QQmlContextData*) ../../include/QtQml/5.12.9/QtQml/private/../../../../../../../../Downloads/qt/qtdeclarative/src/qml/qml/qqmlcontext_p.h:326
          #4 0x7f8ce4872f66 in QQmlContextDataRef::operator=(QQmlContextData*) ../../include/QtQml/5.12.9/QtQml/private/../../../../../../../../Downloads/qt/qtdeclarative/src/qml/qml/qqmlcontext_p.h:349
          #5 0x7f8ce4872f66 in QQmlData::setQueuedForDeletion(QObject*) /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtdeclarative/src/qml/qml/qqmlengine.cpp:936
          #6 0x7f8ce4873017 in QQmlData::markAsDeleted(QObject*) /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtdeclarative/src/qml/qml/qqmlengine.cpp:919
          #7 0x7f8ce4873180 in QQmlData::markAsDeleted(QObject*) /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtdeclarative/src/qml/qml/qqmlengine.cpp:923
          #8 0x7f8ce4873180 in QQmlData::markAsDeleted(QObject*) /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtdeclarative/src/qml/qml/qqmlengine.cpp:923
          #9 0x7f8ce4873180 in QQmlData::markAsDeleted(QObject*) /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtdeclarative/src/qml/qml/qqmlengine.cpp:923
          #10 0x7f8ce4873180 in QQmlData::markAsDeleted(QObject*) /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtdeclarative/src/qml/qml/qqmlengine.cpp:923
          #11 0x7f8ce4873180 in QQmlData::markAsDeleted(QObject*) /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtdeclarative/src/qml/qml/qqmlengine.cpp:923
          #12 0x7f8ce4873180 in QQmlData::markAsDeleted(QObject*) /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtdeclarative/src/qml/qml/qqmlengine.cpp:923
          #13 0x7f8ce4873180 in QQmlData::markAsDeleted(QObject*) /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtdeclarative/src/qml/qml/qqmlengine.cpp:923
          #14 0x7f8ce4873180 in QQmlData::markAsDeleted(QObject*) /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtdeclarative/src/qml/qml/qqmlengine.cpp:923
          #15 0x7f8ce487343f in QQmlPrivate::qdeclarativeelement_destructor(QObject*) /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtdeclarative/src/qml/qml/qqmlengine.cpp:763
          #16 0x7f8c92facd04 in QQmlPrivate::QQmlElement<MBInputScope>::~QQmlElement() (/mnt/work/source/ntg7/dbuild/build-uikit/imports/mbfw/input/libQmlMBFWInputPlugin.so+0x8ed04)
          #17 0x7f8c92facd39 in QQmlPrivate::QQmlElement<MBInputScope>::~QQmlElement() (/mnt/work/source/ntg7/dbuild/build-uikit/imports/mbfw/input/libQmlMBFWInputPlugin.so+0x8ed39)
          #18 0x7f8ce1b6aaa9 in qDeleteInEventHandler(QObject*) /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtbase/src/corelib/kernel/qobject.cpp:4658
          #19 0x7f8ce1b6ec73 in QObject::event(QEvent*) /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtbase/src/corelib/kernel/qobject.cpp:1252
          #20 0x7f8ce571f503 in QQuickItem::event(QEvent*) /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtdeclarative/src/quick/items/qquickitem.cpp:8105
          ...    
          #22 0x7f8ce1abb3fe in QCoreApplicationPrivate::notify_helper(QObject*, QEvent*) /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtbase/src/corelib/kernel/qcoreapplication.cpp:1249
          #23 0x7f8ce1abb69c in doNotify /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtbase/src/corelib/kernel/qcoreapplication.cpp:1178
          #24 0x7f8ce1abbb4d in QCoreApplication::notify(QObject*, QEvent*) /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtbase/src/corelib/kernel/qcoreapplication.cpp:1164
          #25 0x7f8ce26cd8a6 in QGuiApplication::notify(QObject*, QEvent*) /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtbase/src/gui/kernel/qguiapplication.cpp:1796
          #26 0x7f8ce1abb8fc in QCoreApplication::notifyInternal2(QObject*, QEvent*) /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtbase/src/corelib/kernel/qcoreapplication.cpp:1088
          #27 0x7f8ce1abc1c2 in QCoreApplication::sendEvent(QObject*, QEvent*) /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtbase/src/corelib/kernel/qcoreapplication.cpp:1476
          #28 0x7f8ce1acd3b4 in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtbase/src/corelib/kernel/qcoreapplication.cpp:1825
          #29 0x7f8ce1ace1ae in QCoreApplication::sendPostedEvents(QObject*, int) /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtbase/src/corelib/kernel/qcoreapplication.cpp:1679
          #30 0x7f8ce1c1bd9b in postEventSourceDispatch /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtbase/src/corelib/kernel/qeventdispatcher_glib.cpp:276
          #31 0x7f8cddedf536 in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4c536)
      
      previously allocated by thread T0 here:
          #0 0x7f8ce6ffc3a7 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.6+0xb03a7)
          #1 0x7f8ce4b06448 in QQmlObjectCreator::create(int, QObject*, QQmlInstantiationInterrupt*) /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtdeclarative/src/qml/qml/qqmlobjectcreator.cpp:173
          #2 0x7f8ce4b03359 in QQmlObjectCreator::createInstance(int, QObject*, bool) /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtdeclarative/src/qml/qml/qqmlobjectcreator.cpp:1202
          #3 0x7f8ce4b067ba in QQmlObjectCreator::create(int, QObject*, QQmlInstantiationInterrupt*) /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtdeclarative/src/qml/qml/qqmlobjectcreator.cpp:203
          #4 0x7f8ce4b03359 in QQmlObjectCreator::createInstance(int, QObject*, bool) /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtdeclarative/src/qml/qml/qqmlobjectcreator.cpp:1202
          #5 0x7f8ce4b097d0 in QQmlObjectCreator::setPropertyBinding(QQmlPropertyData const*, QV4::CompiledData::Binding const*) /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtdeclarative/src/qml/qml/qqmlobjectcreator.cpp:825
          #6 0x7f8ce4b12848 in QQmlObjectCreator::setupBindings(bool) /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtdeclarative/src/qml/qml/qqmlobjectcreator.cpp:777
          #7 0x7f8ce4b153a2 in QQmlObjectCreator::populateInstance(int, QObject*, QObject*, QQmlPropertyData const*) /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtdeclarative/src/qml/qml/qqmlobjectcreator.cpp:1473
          #8 0x7f8ce4b044e2 in QQmlObjectCreator::createInstance(int, QObject*, bool) /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtdeclarative/src/qml/qml/qqmlobjectcreator.cpp:1306
          #9 0x7f8ce4b097d0 in QQmlObjectCreator::setPropertyBinding(QQmlPropertyData const*, QV4::CompiledData::Binding const*) /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtdeclarative/src/qml/qml/qqmlobjectcreator.cpp:825
          #10 0x7f8ce4b12848 in QQmlObjectCreator::setupBindings(bool) /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtdeclarative/src/qml/qml/qqmlobjectcreator.cpp:777
          #11 0x7f8ce4b153a2 in QQmlObjectCreator::populateInstance(int, QObject*, QObject*, QQmlPropertyData const*) /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtdeclarative/src/qml/qml/qqmlobjectcreator.cpp:1473
          #12 0x7f8ce4b044e2 in QQmlObjectCreator::createInstance(int, QObject*, bool) /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtdeclarative/src/qml/qml/qqmlobjectcreator.cpp:1306
          #13 0x7f8ce4b097d0 in QQmlObjectCreator::setPropertyBinding(QQmlPropertyData const*, QV4::CompiledData::Binding const*) /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtdeclarative/src/qml/qml/qqmlobjectcreator.cpp:825
          #14 0x7f8ce4b12848 in QQmlObjectCreator::setupBindings(bool) /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtdeclarative/src/qml/qml/qqmlobjectcreator.cpp:777
          #15 0x7f8ce4b153a2 in QQmlObjectCreator::populateInstance(int, QObject*, QObject*, QQmlPropertyData const*) /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtdeclarative/src/qml/qml/qqmlobjectcreator.cpp:1473
          #16 0x7f8ce4b044e2 in QQmlObjectCreator::createInstance(int, QObject*, bool) /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtdeclarative/src/qml/qml/qqmlobjectcreator.cpp:1306
          #17 0x7f8ce4b067ba in QQmlObjectCreator::create(int, QObject*, QQmlInstantiationInterrupt*) /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtdeclarative/src/qml/qml/qqmlobjectcreator.cpp:203
          #18 0x7f8ce4b03359 in QQmlObjectCreator::createInstance(int, QObject*, bool) /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtdeclarative/src/qml/qml/qqmlobjectcreator.cpp:1202
          #19 0x7f8ce4b097d0 in QQmlObjectCreator::setPropertyBinding(QQmlPropertyData const*, QV4::CompiledData::Binding const*) /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtdeclarative/src/qml/qml/qqmlobjectcreator.cpp:825
          #20 0x7f8ce4b12848 in QQmlObjectCreator::setupBindings(bool) /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtdeclarative/src/qml/qml/qqmlobjectcreator.cpp:777
          #21 0x7f8ce4b153a2 in QQmlObjectCreator::populateInstance(int, QObject*, QObject*, QQmlPropertyData const*) /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtdeclarative/src/qml/qml/qqmlobjectcreator.cpp:1473
          #22 0x7f8ce4b044e2 in QQmlObjectCreator::createInstance(int, QObject*, bool) /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtdeclarative/src/qml/qml/qqmlobjectcreator.cpp:1306
          #23 0x7f8ce4b067ba in QQmlObjectCreator::create(int, QObject*, QQmlInstantiationInterrupt*) /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtdeclarative/src/qml/qml/qqmlobjectcreator.cpp:203
          #24 0x7f8ce48f07f2 in QQmlIncubatorPrivate::incubate(QQmlInstantiationInterrupt&) /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtdeclarative/src/qml/qml/qqmlincubator.cpp:299
          #25 0x7f8ce48f2f16 in QQmlIncubationController::incubateFor(int) /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtdeclarative/src/qml/qml/qqmlincubator.cpp:390
          #26 0x7f8ce576039e in QQuickWindowIncubationController::incubate() /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtdeclarative/src/quick/items/qquickwindow.cpp:164
          #27 0x7f8ce576039e in QQuickWindowIncubationController::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) .moc/qquickwindow.moc:74
          #28 0x7f8ce1b75471 in QMetaObject::activate(QObject*, int, int, void**) /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtbase/src/corelib/kernel/qobject.cpp:3804
          #29 0x7f8ce1b75c97 in QMetaObject::activate(QObject*, QMetaObject const*, int, void**) /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtbase/src/corelib/kernel/qobject.cpp:3657
          #30 0x7f8ce557f86b in QSGRenderLoop::timeToIncubate() .moc/moc_qsgrenderloop_p.cpp:130
      
      SUMMARY: AddressSanitizer: heap-use-after-free /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtdeclarative/src/qml/qml/qqmlcomponent.cpp:983 in QQmlComponentAttached::~QQmlComponentAttached()
      


            People

              qt.team.quick.subscriptions Qt Quick and Widgets Team
              dmytrokh Dmytro Khlopov