Uploaded image for project: 'Qt'
  1. Qt
  2. QTBUG-98769

QML StackView heap-use-after-free on pop()

    XMLWordPrintable

Details

    • Linux/X11
    • f7bac60ed8 (qt/qtdeclarative/dev) f7bac60ed8 (qt/tqtc-qtdeclarative/dev) 5374e59dc5 (qt/qtdeclarative/6.3) 5374e59dc5 (qt/tqtc-qtdeclarative/6.3) b40c17487a (qt/tqtc-qtdeclarative/6.2) 0ad96b813e (qt/qtdeclarative/6.4) 5374e59dc5 (qt/qtdeclarative/6.3.2)

    Description

      I see the heap-use-after-free from LSan when running e.g. tst_basic "StackView::test_requiredProperties". Log is attached.

      It does look indeed valid (albeit no clue how it manages to pass - do we do something nasty when deleting UI elements there?)

      Some analysis:

      When doing pop() on a stack view:
      QQuickStackViewPrivate::completeTransition() [1] seems to call first `element->completeTransition(transition);` and then `viewItemTransitionFinished(element);`, where element->completeTransition(transition) also internally calls viewItemTransitionFinished(element), so we call this function twice essentially.

      viewItemTransitionFinished() seems to remove the passed element in the case of the aforementioned test, so: it first deletes it and then is called again for the same element -> LSan considers this as heap-use-after-free

      [1]: https://github.com/qt/qtdeclarative/blob/88fb3b404347a54e2984bed9f61ce56b6189b891/src/quicktemplates2/qquickstackview_p.cpp#L280

      Attachments

        Issue Links

          blocks

          Bug - A problem which impairs or prevents the functions of the product. QTBUG-104884 Crash with ComponentBehavior: Bound and DelegateModel

          • P1: Critical - Urgent and Important, will STOP the release if matched with set FixVersion field. This includes regressions from the last version that are not edge cases; Data loss; Build issues; All but the most unlikely crashes/lockups/hanging; Serious usability issues and embarrassing bugs & Bugs critical to a deliverable. This is the highest possible priority for requirements.
          • Closed
          is duplicated by

          Bug - A problem which impairs or prevents the functions of the product. QTBUG-104923 Heap use after free in QQuickStackView

          • P1: Critical - Urgent and Important, will STOP the release if matched with set FixVersion field. This includes regressions from the last version that are not edge cases; Data loss; Build issues; All but the most unlikely crashes/lockups/hanging; Serious usability issues and embarrassing bugs & Bugs critical to a deliverable. This is the highest possible priority for requirements.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. QTBUG-104386 tst_controls::Basic::StackView::test_requiredProperties() ERROR: AddressSanitizer: heap-use-after-free

          • P2: Important - Urgent, should be fixed, but will not stop the release.
          • Closed
          relates to

          Task - A task that needs to be done. QTBUG-99629 Improve safety/debuggability of item change listeners

          • P2: Important - Urgent, should be fixed, but will not stop the release.
          • Open

          Bug - A problem which impairs or prevents the functions of the product. QTBUG-104386 tst_controls::Basic::StackView::test_requiredProperties() ERROR: AddressSanitizer: heap-use-after-free

          • P2: Important - Urgent, should be fixed, but will not stop the release.
          • Closed
          For Gerrit Dashboard: QTBUG-98769
          # Subject Branch Project Status CR V
          421536,2 QQuickStackView: Avoid use-after-free dev qt/qtdeclarative Status: MERGED +2 0
          421714,2 QQuickStackView: Avoid use-after-free 6.3 qt/qtdeclarative Status: MERGED +2 0
          421715,2 QQuickStackView: Avoid use-after-free 6.4 qt/qtdeclarative Status: MERGED +2 0
          421742,2 QQuickStackView: Avoid use-after-free tqtc/lts-6.2 qt/tqtc-qtdeclarative Status: MERGED +2 0

          Activity

            People

              ulherman Ulf Hermann
              agolubev Andrei Golubev
              Votes:
              0 Vote for this issue
              Watchers:
              7 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Gerrit Reviews

                  There are no open Gerrit changes