Details
- Bug
- Resolution: Done
- P2: Important
- 5.15.10, 6.3.1
- Commits: 9b6e79abbe (qt/qtbase/dev), 9b6e79abbe (qt/tqtc-qtbase/dev), b0cadd5ed2 (qt/qtbase/6.4.0), 1f9b635044 (qt/tqtc-qtbase/5.15), d7620f1b74 (qt/qtbase/6.4), d7620f1b74 (qt/tqtc-qtbase/6.4), b0cadd5ed2 (qt/tqtc-qtbase/6.4.0), 978087f351 (qt/tqtc-qtbase/6.2)
Description
When multiple VNC clients are connected, the application may crash when an override cursor is set and one of the clients disconnects.
To reproduce:
- start the attached application with "-platform vnc"
- connect with multiple VNC clients
- click "Start autotest: set only"
- disconnect one of the clients
It seems that on disconnect the QVncClient pointers held by QVncClientCursor are not removed, so the cursor code touches already freed memory (a use-after-free).
Stack trace of one of the crashes (5.15.10):
1 isRecursive qmutex.cpp 62 0x7ffff643084f
2 QMutex::lock qmutex.cpp 232 0x7ffff643084f
3 std::unique_lock<QMutex>::lock mutex 485 0x7ffff661a891
4 std::unique_lock<QMutex>::unique_lock mutex 415 0x7ffff661a891
5 (anonymous namespace)::qt_unique_lock<QMutex, std::unique_lock<QMutex>> qlocking_p.h 106 0x7ffff661a891
6 QCoreApplicationPrivate::lockThreadPostEventList qcoreapplication.cpp 1500 0x7ffff661da03
7 QCoreApplication::postEvent qcoreapplication.cpp 1546 0x7ffff661ea59
8 QVncClient::scheduleUpdate qvncclient.cpp 445 0x7fffeed456e1
9 QVncClient::setDirtyCursor qvncclient.h 72 0x7fffeed442d8
10 QVncClientCursor::changeCursor qvnc.cpp 607 0x7fffeed442d8
11 applyCursor qguiapplication.cpp 4065 0x7ffff6cf0292
12 applyCursor qguiapplication.cpp 4080 0x7ffff6cf0292
13 QGuiApplication::setOverrideCursor qguiapplication.cpp 4147 0x7ffff6cf0292
14 CursorDialog::setRandomOverrideCursor cursordialog.cpp 175 0x405ba1
15 CursorDialog::timerEvent cursordialog.cpp 118 0x405a02
16 QObject::event qobject.cpp 1324 0x7ffff665140c
17 QWidget::event qwidget.cpp 9106 0x7ffff766f394
18 QApplicationPrivate::notify_helper qapplication.cpp 3640 0x7ffff7623ac3
19 QApplication::notify qapplication.cpp 3590 0x7ffff762cd19
20 QCoreApplication::notifyInternal2 qcoreapplication.cpp 1064 0x7ffff661ba1c
21 QCoreApplication::sendEvent qcoreapplication.cpp 1462 0x7ffff661bc60
22 QTimerInfoList::activateTimers qtimerinfo_unix.cpp 643 0x7ffff667d85a
23 timerSourceDispatch qeventdispatcher_glib.cpp 183 0x7ffff667e08f
24 g_main_context_dispatch 0x7ffff3e9e267
25 ?? 0x7ffff3e9e4c0
26 g_main_context_iteration 0x7ffff3e9e56c
27 QEventDispatcherGlib::processEvents qeventdispatcher_glib.cpp 425 0x7ffff667e49d
28 QPAEventDispatcherGlib::processEvents qeventdispatcher_glib.cpp 120 0x7fffeed51d78
29 QEventLoop::processEvents qeventloop.cpp 142 0x7ffff66195bf
30 QEventLoop::exec qeventloop.cpp 235 0x7ffff6619a29
31 QCoreApplication::exec qcoreapplication.cpp 1375 0x7ffff6623fb8
32 QGuiApplication::exec qguiapplication.cpp 1870 0x7ffff6cee98a
33 QApplication::exec qapplication.cpp 2832 0x7ffff76239a1
34 main main.cpp 12 0x4065c6
Valgrind output (5.15.10):
Invalid write of size 1 in CursorDialog::setRandomOverrideCursor() in /home/user/work/overridecursor/cursordialog.cpp:175
1: setDirtyCursor in /home/user/work/qt/git/qtbase/src/plugins/platforms/vnc/qvncclient.h:72
2: QVncClientCursor::changeCursor(QCursor*, QWindow*) in /home/user/work/qt/git/qtbase/src/plugins/platforms/vnc/qvnc.cpp:607
3: applyCursor in /home/user/work/qt/git/qtbase/src/gui/kernel/qguiapplication.cpp:4065
4: applyCursor in /home/user/work/qt/git/qtbase/src/gui/kernel/qguiapplication.cpp:4080
5: QGuiApplication::setOverrideCursor(QCursor const&) in /home/user/work/qt/git/qtbase/src/gui/kernel/qguiapplication.cpp:4147
6: CursorDialog::setRandomOverrideCursor() in /home/user/work/overridecursor/cursordialog.cpp:175
7: CursorDialog::timerEvent(QTimerEvent*) in /home/user/work/overridecursor/cursordialog.cpp:118
8: QObject::event(QEvent*) in /home/user/work/qt/git/qtbase/src/corelib/kernel/qobject.cpp:1324
9: QWidget::event(QEvent*) in /home/user/work/qt/git/qtbase/src/widgets/kernel/qwidget.cpp:9106
10: QApplicationPrivate::notify_helper(QObject*, QEvent*) in /home/user/work/qt/git/qtbase/src/widgets/kernel/qapplication.cpp:3640
11: QApplication::notify(QObject*, QEvent*) in /home/user/work/qt/git/qtbase/src/widgets/kernel/qapplication.cpp:3590
12: QCoreApplication::notifyInternal2(QObject*, QEvent*) in /home/user/work/qt/git/qtbase/src/corelib/kernel/qcoreapplication.cpp:1064
13: QCoreApplication::sendEvent(QObject*, QEvent*) in /home/user/work/qt/git/qtbase/src/corelib/kernel/qcoreapplication.cpp:1462
14: QTimerInfoList::activateTimers() in /home/user/work/qt/git/qtbase/src/corelib/kernel/qtimerinfo_unix.cpp:643
15: timerSourceDispatch(_GSource*, int (*)(void*), void*) in /home/user/work/qt/git/qtbase/src/corelib/kernel/qeventdispatcher_glib.cpp:183
16: g_main_context_dispatch in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4800.2
17: /lib/x86_64-linux-gnu/libglib-2.0.so.0.4800.2
18: g_main_context_iteration in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4800.2
19: QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) in /home/user/work/qt/git/qtbase/src/corelib/kernel/qeventdispatcher_glib.cpp:423
20: QPAEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) in /home/user/work/qt/git/qtbase/src/platformsupport/eventdispatchers/qeventdispatcher_glib.cpp:120
21: QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) in /home/user/work/qt/git/qtbase/src/corelib/kernel/qeventloop.cpp:142
22: QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) in /home/user/work/qt/git/qtbase/src/corelib/kernel/qeventloop.cpp:235
23: QCoreApplication::exec() in /home/user/work/qt/git/qtbase/src/corelib/kernel/qcoreapplication.cpp:1375
24: QGuiApplication::exec() in /home/user/work/qt/git/qtbase/src/gui/kernel/qguiapplication.cpp:1870
25: QApplication::exec() in /home/user/work/qt/git/qtbase/src/widgets/kernel/qapplication.cpp:2832
26: main in /home/user/work/overridecursor/main.cpp:12
Address 0xeb64618 is 104 bytes inside a block of size 128 free'd
1: operator delete(void*, unsigned long) in /home/user/work/valgrind/coregrind/m_replacemalloc/vg_replace_malloc.c:593
2: QVncClient::~QVncClient() in /home/user/work/qt/git/qtbase/src/plugins/platforms/vnc/qvncclient.cpp:84
3: qDeleteInEventHandler(QObject*) in /home/user/work/qt/git/qtbase/src/corelib/kernel/qobject.cpp:4854
4: QObject::event(QEvent*) in /home/user/work/qt/git/qtbase/src/corelib/kernel/qobject.cpp:1334
5: QVncClient::event(QEvent*) in /home/user/work/qt/git/qtbase/src/plugins/platforms/vnc/qvncclient.cpp:456
6: QApplicationPrivate::notify_helper(QObject*, QEvent*) in /home/user/work/qt/git/qtbase/src/widgets/kernel/qapplication.cpp:3640
7: QApplication::notify(QObject*, QEvent*) in /home/user/work/qt/git/qtbase/src/widgets/kernel/qapplication.cpp:2980
8: QCoreApplication::notifyInternal2(QObject*, QEvent*) in /home/user/work/qt/git/qtbase/src/corelib/kernel/qcoreapplication.cpp:1064
9: QCoreApplication::sendEvent(QObject*, QEvent*) in /home/user/work/qt/git/qtbase/src/corelib/kernel/qcoreapplication.cpp:1462
10: QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) in /home/user/work/qt/git/qtbase/src/corelib/kernel/qcoreapplication.cpp:1821
11: QCoreApplication::sendPostedEvents(QObject*, int) in /home/user/work/qt/git/qtbase/src/corelib/kernel/qcoreapplication.cpp:1680
12: postEventSourceDispatch(_GSource*, int (*)(void*), void*) in /home/user/work/qt/git/qtbase/src/corelib/kernel/qeventdispatcher_glib.cpp:277
13: g_main_context_dispatch in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4800.2
14: /lib/x86_64-linux-gnu/libglib-2.0.so.0.4800.2
15: g_main_context_iteration in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4800.2
16: QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) in /home/user/work/qt/git/qtbase/src/corelib/kernel/qeventdispatcher_glib.cpp:423
17: QPAEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) in /home/user/work/qt/git/qtbase/src/platformsupport/eventdispatchers/qeventdispatcher_glib.cpp:120
18: QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) in /home/user/work/qt/git/qtbase/src/corelib/kernel/qeventloop.cpp:142
19: QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) in /home/user/work/qt/git/qtbase/src/corelib/kernel/qeventloop.cpp:235
20: QCoreApplication::exec() in /home/user/work/qt/git/qtbase/src/corelib/kernel/qcoreapplication.cpp:1375
21: QGuiApplication::exec() in /home/user/work/qt/git/qtbase/src/gui/kernel/qguiapplication.cpp:1870
22: QApplication::exec() in /home/user/work/qt/git/qtbase/src/widgets/kernel/qapplication.cpp:2832
23: main in /home/user/work/overridecursor/main.cpp:12
Block was alloc'd at
1: operator new(unsigned long) in /home/user/work/valgrind/coregrind/m_replacemalloc/vg_replace_malloc.c:342
2: QVncServer::newConnection() in /home/user/work/qt/git/qtbase/src/plugins/platforms/vnc/qvnc.cpp:662
3: QVncServer::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) in /home/user/work/qt/5.15/qtbase/src/plugins/platforms/vnc/.moc/moc_qvnc_p.cpp:75
4: void doActivate<false>(QObject*, int, void**) in /home/user/work/qt/git/qtbase/src/corelib/kernel/qobject.cpp:3937
5: QMetaObject::activate(QObject*, QMetaObject const*, int, void**) in /home/user/work/qt/git/qtbase/src/corelib/kernel/qobject.cpp:3985
6: QTcpServer::newConnection() in /home/user/work/qt/5.15/qtbase/src/network/.moc/moc_qtcpserver.cpp:155
7: QTcpServerPrivate::readNotification() in /home/user/work/qt/git/qtbase/src/network/socket/qtcpserver.cpp:224
8: QAbstractSocketEngine::readNotification() in /home/user/work/qt/git/qtbase/src/network/socket/qabstractsocketengine.cpp:160
9: QReadNotifier::event(QEvent*) in /home/user/work/qt/git/qtbase/src/network/socket/qnativesocketengine.cpp:1274
10: QApplicationPrivate::notify_helper(QObject*, QEvent*) in /home/user/work/qt/git/qtbase/src/widgets/kernel/qapplication.cpp:3640
11: QApplication::notify(QObject*, QEvent*) in /home/user/work/qt/git/qtbase/src/widgets/kernel/qapplication.cpp:2980
12: QCoreApplication::notifyInternal2(QObject*, QEvent*) in /home/user/work/qt/git/qtbase/src/corelib/kernel/qcoreapplication.cpp:1064
13: QCoreApplication::sendEvent(QObject*, QEvent*) in /home/user/work/qt/git/qtbase/src/corelib/kernel/qcoreapplication.cpp:1462
14: socketNotifierSourceDispatch(_GSource*, int (*)(void*), void*) in /home/user/work/qt/git/qtbase/src/corelib/kernel/qeventdispatcher_glib.cpp:107
15: g_main_context_dispatch in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4800.2
16: /lib/x86_64-linux-gnu/libglib-2.0.so.0.4800.2
17: g_main_context_iteration in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4800.2
18: QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) in /home/user/work/qt/git/qtbase/src/corelib/kernel/qeventdispatcher_glib.cpp:423
19: QPAEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) in /home/user/work/qt/git/qtbase/src/platformsupport/eventdispatchers/qeventdispatcher_glib.cpp:120
20: QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) in /home/user/work/qt/git/qtbase/src/corelib/kernel/qeventloop.cpp:142
21: QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) in /home/user/work/qt/git/qtbase/src/corelib/kernel/qeventloop.cpp:235
22: QCoreApplication::exec() in /home/user/work/qt/git/qtbase/src/corelib/kernel/qcoreapplication.cpp:1375
23: QGuiApplication::exec() in /home/user/work/qt/git/qtbase/src/gui/kernel/qguiapplication.cpp:1870
24: QApplication::exec() in /home/user/work/qt/git/qtbase/src/widgets/kernel/qapplication.cpp:2832
25: main in /home/user/work/overridecursor/main.cpp:12
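The Valgrind output shows the shape of the bug: the block is freed in QVncClient::~QVncClient() (reached via deleteLater, i.e. qDeleteInEventHandler) while QVncClientCursor still holds a raw pointer to it, and the next changeCursor() writes through that pointer. The plain C++ model below is an added illustration, not Qt's code or its actual fix; it uses hypothetical stand-ins (ClientCursor, VncClient) and shows the defensive pattern of having the client unregister itself from the cursor's list at destruction time, so the registry never holds a dangling pointer.

```cpp
#include <algorithm>
#include <cstddef>
#include <memory>
#include <vector>

class VncClient;
// Stand-in for QVncClientCursor: holds raw pointers to every connected client
// so that changeCursor() can mark each one's cursor dirty.
class ClientCursor {
public:
    void addClient(VncClient *c) { clients_.push_back(c); }
    // The missing piece in the buggy version: drop the pointer when the
    // client goes away, so the list never holds a dangling entry.
    void removeClient(VncClient *c) {
        clients_.erase(std::remove(clients_.begin(), clients_.end(), c), clients_.end());
    }
    std::size_t changeCursor();               // returns number of clients notified
    std::size_t clientCount() const { return clients_.size(); }
private:
    std::vector<VncClient *> clients_;
};

// Stand-in for QVncClient: registers with the cursor on connect and unregisters
// itself in its destructor (the point at which Qt's deleteLater() frees the object).
class VncClient {
public:
    explicit VncClient(ClientCursor &cursor) : cursor_(cursor) { cursor_.addClient(this); }
    ~VncClient() { cursor_.removeClient(this); }
    void setDirtyCursor() { dirty_ = true; }
private:
    ClientCursor &cursor_;
    bool dirty_ = false;
};

std::size_t ClientCursor::changeCursor() {
    for (VncClient *c : clients_)
        c->setDirtyCursor();                  // safe: every pointer is live
    return clients_.size();
}

// The report's scenario: two clients connect, one disconnects (is destroyed),
// then the override cursor changes. Returns how many clients were notified.
std::size_t notifiedAfterOneDisconnect() {
    ClientCursor cursor;
    auto a = std::make_unique<VncClient>(cursor);
    auto b = std::make_unique<VncClient>(cursor);
    a.reset();                                // disconnect: destructor unregisters a
    return cursor.changeCursor();             // 1: only b is touched
}
```

Building the model with the destructor body removed and running it under Valgrind or AddressSanitizer reproduces the same class of report (write into a freed block from changeCursor), which is a useful regression check for any registry of raw observer pointers.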