QTBUG-92955

AddressSanitizer: heap-use-after-free after changing still loading component in async loader


Details

    • Linux/X11

    Description

      Due to the complexity of our application we couldn't prepare a minimal example for reproduction.
      AddressSanitizer report:

      ==29423==ERROR: AddressSanitizer: heap-use-after-free on address 0x613001a22ec8 at pc 0x7f9d039f23fd bp 0x7ffc4d561ef0 sp 0x7ffc4d561ee0
      READ of size 8 at 0x613001a22ec8 thread T0
          #0 0x7f9d039f23fc in QScopedPointer<QObjectData, QScopedPointerDeleter<QObjectData> >::operator->() const /mnt/work/source/ntgdeps/build-asan/qt/build/qtbase/include/QtCore/../../../../../Downloads/qt/qtbase/src/corelib/tools/qscopedpointer.h:118
          #1 0x7f9d039f23fc in decltype (({parm#1}.(operator->))()) qGetPtrHelper<QScopedPointer<QObjectData, QScopedPointerDeleter<QObjectData> > >(QScopedPointer<QObjectData, QScopedPointerDeleter<QObjectData> > const&) /mnt/work/source/ntgdeps/build-asan/qt/build/qtbase/include/QtCore/../../../../../Downloads/qt/qtbase/src/corelib/global/qglobal.h:1038
          #2 0x7f9d039f23fc in QObject::d_func() const /mnt/work/source/ntgdeps/build-asan/qt/build/qtbase/include/QtCore/../../../../../Downloads/qt/qtbase/src/corelib/kernel/qobject.h:121
          #3 0x7f9d039f23fc in QObjectPrivate::get(QObject const*) /mnt/work/source/ntgdeps/build-asan/qt/build/qtbase/include/QtCore/5.12.9/QtCore/private/../../../../../../../../Downloads/qt/qtbase/src/corelib/kernel/qobject_p.h:201
          #4 0x7f9d039f23fc in QQmlData::wasDeleted(QObject const*) ../../include/QtQml/5.12.9/QtQml/private/../../../../../../../../Downloads/qt/qtdeclarative/src/qml/qml/qqmldata_p.h:337
          #5 0x7f9d039f23fc in QQmlBinding::update(QFlags<QQmlPropertyData::WriteFlag>) /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtdeclarative/src/qml/qml/qqmlbinding.cpp:161
          #6 0x7f9d039f2c73 in QQmlBinding::expressionChanged() /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtdeclarative/src/qml/qml/qqmlbinding.cpp:530
          #7 0x7f9d039cfc99 in QQmlJavaScriptExpressionGuard_callback(QQmlNotifierEndpoint*, void**) /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtdeclarative/src/qml/qml/qqmljavascriptexpression.cpp:414
          #8 0x7f9d0395c6da in QQmlNotifier::emitNotify(QQmlNotifierEndpoint*, void**) /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtdeclarative/src/qml/qml/qqmlnotifier.cpp:104
          #9 0x7f9d0383f513 in QQmlNotifier::notify() /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtdeclarative/src/qml/qml/qqmlnotifier_p.h:158
          #10 0x7f9d0383f513 in QQmlContextData::ContextGuard::objectDestroyed(QObject*) /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtdeclarative/src/qml/qml/qqmlcontext_p.h:376
          #11 0x7f9d037c48f6 in QQmlData::destroyed(QObject*) /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtdeclarative/src/qml/qml/qqmlengine.cpp:1982
          #12 0x7f9d037c4bc2 in QQmlData::destroyed(QAbstractDeclarativeData*, QObject*) /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtdeclarative/src/qml/qml/qqmlengine.cpp:794
          #13 0x7f9d00c61612 in QObject::~QObject() /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtbase/src/corelib/kernel/qobject.cpp:921
          #14 0x7f9cb26621f9 in BaseObject::~BaseObject()
          #15 0x7f9cb266cc7d in QQmlPrivate::QQmlElement<BaseObject>::~QQmlElement()
          #16 0x7f9cb266cc9d in QQmlPrivate::QQmlElement<BaseObject>::~QQmlElement()
          #17 0x7f9d03a3803c in QQmlObjectCreator::clear() /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtdeclarative/src/qml/qml/qqmlobjectcreator.cpp:1420
          #18 0x7f9d038316f0 in QQmlIncubatorPrivate::clear() /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtdeclarative/src/qml/qml/qqmlincubator.cpp:173
          #19 0x7f9d03831d3d in QQmlIncubator::clear() /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtdeclarative/src/qml/qml/qqmlincubator.cpp:562
          #20 0x7f9d0490743b in QQuickLoader::setActive(bool) /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtdeclarative/src/quick/items/qquickloader.cpp:355
      ...
      0x613001a22ec8 is located 8 bytes inside of 360-byte region [0x613001a22ec0,0x613001a23028)
      freed by thread T0 here:
          #0 0x7f9d05f40ec7 in operator delete(void*) (/usr/lib/x86_64-linux-gnu/libasan.so.6+0xb0ec7)
          #1 0x7f9cb1cf61c2 in QQmlPrivate::QQmlElement<InputScope>::operator delete(void*)
          #2 0x7f9cb1cf5d45 in QQmlPrivate::QQmlElement<InputScope>::~QQmlElement()
          #3 0x7f9d03a3803c in QQmlObjectCreator::clear() /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtdeclarative/src/qml/qml/qqmlobjectcreator.cpp:1420
          #4 0x7f9d038316f0 in QQmlIncubatorPrivate::clear() /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtdeclarative/src/qml/qml/qqmlincubator.cpp:173
          #5 0x7f9d03831d3d in QQmlIncubator::clear() /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtdeclarative/src/qml/qml/qqmlincubator.cpp:562
          #6 0x7f9d0490743b in QQuickLoader::setActive(bool) /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtdeclarative/src/quick/items/qquickloader.cpp:355
      ...
      previously allocated by thread T0 here:
          #0 0x7f9d05f403a7 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.6+0xb03a7)
          #1 0x7f9d03888401 in QQmlType::create(QObject**, void**, unsigned long) const /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtdeclarative/src/qml/qml/qqmlmetatype.cpp:1042
          #2 0x7f9d03a45884 in QQmlObjectCreator::createInstance(int, QObject*, bool) /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtdeclarative/src/qml/qml/qqmlobjectcreator.cpp:1165
          #3 0x7f9d03a497ba in QQmlObjectCreator::create(int, QObject*, QQmlInstantiationInterrupt*) /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtdeclarative/src/qml/qml/qqmlobjectcreator.cpp:203
          #4 0x7f9d03a46359 in QQmlObjectCreator::createInstance(int, QObject*, bool) /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtdeclarative/src/qml/qml/qqmlobjectcreator.cpp:1202
          #5 0x7f9d03a4c7d0 in QQmlObjectCreator::setPropertyBinding(QQmlPropertyData const*, QV4::CompiledData::Binding const*) /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtdeclarative/src/qml/qml/qqmlobjectcreator.cpp:825
          #6 0x7f9d03a55848 in QQmlObjectCreator::setupBindings(bool) /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtdeclarative/src/qml/qml/qqmlobjectcreator.cpp:777
          #7 0x7f9d03a583a2 in QQmlObjectCreator::populateInstance(int, QObject*, QObject*, QQmlPropertyData const*) /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtdeclarative/src/qml/qml/qqmlobjectcreator.cpp:1473
          #8 0x7f9d03a474e2 in QQmlObjectCreator::createInstance(int, QObject*, bool) /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtdeclarative/src/qml/qml/qqmlobjectcreator.cpp:1306
          #9 0x7f9d03a497ba in QQmlObjectCreator::create(int, QObject*, QQmlInstantiationInterrupt*) /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtdeclarative/src/qml/qml/qqmlobjectcreator.cpp:203
          #10 0x7f9d038337f2 in QQmlIncubatorPrivate::incubate(QQmlInstantiationInterrupt&) /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtdeclarative/src/qml/qml/qqmlincubator.cpp:299
          #11 0x7f9d03835f16 in QQmlIncubationController::incubateFor(int) /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtdeclarative/src/qml/qml/qqmlincubator.cpp:390
          #12 0x7f9d046a48a2 in QQuickWindowIncubationController::incubate() /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtdeclarative/src/quick/items/qquickwindow.cpp:164
          #13 0x7f9d046a48a2 in QQuickWindowIncubationController::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) .moc/qquickwindow.moc:74
          #14 0x7f9d00c4cfe9 in QMetaObject::activate(QObject*, int, int, void**) /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtbase/src/corelib/kernel/qobject.cpp:3804
          #15 0x7f9d00c4d80f in QMetaObject::activate(QObject*, QMetaObject const*, int, void**) /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtbase/src/corelib/kernel/qobject.cpp:3657
          #16 0x7f9d044c3d6f in QSGRenderLoop::timeToIncubate() .moc/moc_qsgrenderloop_p.cpp:130
          #17 0x7f9d0454c4cd in QSGThreadedRenderLoop::polishAndSync(QSGThreadedRenderLoop::Window*, bool) /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtdeclarative/src/quick/scenegraph/qsgthreadedrenderloop.cpp:1233
          #18 0x7f9d0454d847 in QSGThreadedRenderLoop::handleUpdateRequest(QQuickWindow*) /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtdeclarative/src/quick/scenegraph/qsgthreadedrenderloop.cpp:1042
          #19 0x7f9d046ee4b5 in QQuickWindow::event(QEvent*) /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtdeclarative/src/quick/items/qquickwindow.cpp:1769
          #20 0x7f9d00b92f76 in QCoreApplicationPrivate::notify_helper(QObject*, QEvent*) /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtbase/src/corelib/kernel/qcoreapplication.cpp:1249
          #21 0x7f9d00b93214 in doNotify /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtbase/src/corelib/kernel/qcoreapplication.cpp:1178
          #22 0x7f9d00b936c5 in QCoreApplication::notify(QObject*, QEvent*) /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtbase/src/corelib/kernel/qcoreapplication.cpp:1164
          #23 0x7f9d017079c6 in QGuiApplication::notify(QObject*, QEvent*) /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtbase/src/gui/kernel/qguiapplication.cpp:1796
          #24 0x7f9d00b93474 in QCoreApplication::notifyInternal2(QObject*, QEvent*) /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtbase/src/corelib/kernel/qcoreapplication.cpp:1088
          #25 0x7f9d00b93d3a in QCoreApplication::sendEvent(QObject*, QEvent*) /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtbase/src/corelib/kernel/qcoreapplication.cpp:1476
          #26 0x7f9d016e058b in QPlatformWindow::deliverUpdateRequest() /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtbase/src/gui/kernel/qplatformwindow.cpp:793
          #27 0x7f9d016d8c7a in QPlatformWindow::windowEvent(QEvent*) /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtbase/src/gui/kernel/qplatformwindow.cpp:478
          #28 0x7f9cf55c5945 in QXcbWindow::windowEvent(QEvent*) /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtbase/src/plugins/platforms/xcb/qxcbwindow.cpp:2393
          #29 0x7f9d016f0338 in QGuiApplicationPrivate::sendQWindowEventToQPlatformWindow(QWindow*, QEvent*) /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtbase/src/gui/kernel/qguiapplication.cpp:1828
          #30 0x7f9d017079b4 in QGuiApplication::notify(QObject*, QEvent*) /mnt/work/source/ntgdeps/build-asan/Downloads/qt/qtbase/src/gui/kernel/qguiapplication.cpp:1792
      
      SUMMARY: AddressSanitizer: heap-use-after-free /mnt/work/source/ntgdeps/build-asan/qt/build/qtbase/include/QtCore/../../../../../Downloads/qt/qtbase/src/corelib/tools/qscopedpointer.h:118 in QScopedPointer<QObjectData, QScopedPointerDeleter<QObjectData> >::operator->() const
      

            People

              qt.team.quick.subscriptions Qt Quick and Widgets Team
              dmytrokh Dmytro Khlopov