QTBUG-98769: QML StackView heap-use-after-free on pop()


    • Linux/X11
    • f7bac60ed8 (qt/qtdeclarative/dev) f7bac60ed8 (qt/tqtc-qtdeclarative/dev) 5374e59dc5 (qt/qtdeclarative/6.3) 5374e59dc5 (qt/tqtc-qtdeclarative/6.3) b40c17487a (qt/tqtc-qtdeclarative/6.2) 0ad96b813e (qt/qtdeclarative/6.4) 5374e59dc5 (qt/qtdeclarative/6.3.2)

      I see the heap-use-after-free from LSan when running e.g. tst_basic "StackView::test_requiredProperties". Log is attached.

      It does indeed look valid (albeit I have no clue how it manages to pass - do we do something nasty when deleting UI elements there?)

      Some analysis:

      When doing pop() on a stack view:
      QQuickStackViewPrivate::completeTransition() [1] seems to first call `element->completeTransition(transition);` and then `viewItemTransitionFinished(element);`, where element->completeTransition(transition) also internally calls viewItemTransitionFinished(element), so essentially we call this function twice.

      viewItemTransitionFinished() seems to remove the passed element in the case of the aforementioned test, so it is first deleted and then the function is called again for the same element -> LSan considers this a heap-use-after-free.

      [1]: https://github.com/qt/qtdeclarative/blob/88fb3b404347a54e2984bed9f61ce56b6189b891/src/quicktemplates2/qquickstackview_p.cpp#L280
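The double-notification pattern described above, as an added, hypothetical model (not Qt's code): the element's own completion already notifies the view, the view's hook may delete the element, and a second notification from the caller then refers to a deleted element. Names such as `StackViewModel`, `push`, `staleCallsOnPop` and the id-keyed storage are assumptions made to keep the model free of undefined behaviour; the stale call is counted instead of dereferenced.

```cpp
#include <map>
#include <memory>

// Hypothetical model of the pattern in the report (not Qt's code): completing
// a transition notifies the view, which may remove the element; notifying a
// second time then touches a removed element.
struct Element {
    int id;
    bool removeWhenFinished;   // the test case in the report removes the popped item
};

struct StackViewModel {
    std::map<int, std::unique_ptr<Element>> elements;  // owning storage, keyed by id
    int finishedCalls = 0;     // hook ran on a live element
    int staleCalls = 0;        // hook ran on an already deleted element (UAF in real code)

    int push(bool removeWhenFinished) {
        int id = static_cast<int>(elements.size()) + 1;
        elements[id] = std::make_unique<Element>(Element{id, removeWhenFinished});
        return id;
    }

    // Counterpart of viewItemTransitionFinished(): may free the element it is given.
    void viewItemTransitionFinished(int id) {
        auto it = elements.find(id);
        if (it == elements.end()) { ++staleCalls; return; }  // dangling pointer in the real bug
        ++finishedCalls;
        if (it->second->removeWhenFinished)
            elements.erase(it);   // unique_ptr deletes the element here
    }

    // Counterpart of element->completeTransition(): also reports completion to the view.
    void elementCompleteTransition(int id) { viewItemTransitionFinished(id); }

    // Pattern the report describes: the view notifies a second time after the element did.
    void completeTransitionDouble(int id) {
        elementCompleteTransition(id);
        viewItemTransitionFinished(id);   // second call on a possibly freed element
    }

    // Single notification: the element's own completion already did it.
    void completeTransitionOnce(int id) { elementCompleteTransition(id); }
};

// Simulates pop() of an item removed at transition end; returns how many hook
// calls hit an already deleted element (1 for the double pattern, 0 otherwise).
int staleCallsOnPop(bool doubleNotify) {
    StackViewModel view;
    int id = view.push(true);
    if (doubleNotify) view.completeTransitionDouble(id);
    else              view.completeTransitionOnce(id);
    return view.staleCalls;
}
```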

      Attachment: log.txt (34 kB, Andrei Golubev)

      Ulf Hermann, Andrei Golubev