Uploaded image for project: 'Qt'
  1. Qt
  2. QTBUG-68964

heap-use-after-free in QQuickPathView

    XMLWordPrintable

Details

    • Bug
    • Resolution: Done
    • P2: Important
    • 5.11.2
    • 5.9.7, 5.11.0
    • None
    • Ubuntu 18.04
    • 49c244e3c5a9138e6785515ebb64334705236ed4 b6ce37a9b7c5058a33d05d307d74f35ebbf1b9e7

    Description

      Initially found in tst_controls::Universal::TabBar::test_move with ASAN (ASAN_OPTIONS=detect_leaks=0,new_delete_type_mismatch=0):

      Starting /home/mitch/dev/qt5.11-debug/qtquickcontrols2/tests/auto/controls/universal/tst_universal...
      ********* Start testing of tst_controls::Universal *********
      Config: Using QtTest library 5.11.1, Qt 5.11.1 (x86_64-little_endian-lp64 shared (dynamic) debug build; by GCC 7.3.0)
      PASS   : tst_controls::Universal::TabBar::initTestCase()
      PASS   : tst_controls::Universal::TabBar::test_move(0->1 (0))
      PASS   : tst_controls::Universal::TabBar::test_move(0->1 (1))
      PASS   : tst_controls::Universal::TabBar::test_move(0->1 (2))
      =================================================================
      ==14506==ERROR: AddressSanitizer: heap-use-after-free on address 0x61900045a2c0 at pc 0x7f15c5c0c048 bp 0x7ffc59cf11d0 sp 0x7ffc59cf11c0
      READ of size 8 at 0x61900045a2c0 thread T0
          #0 0x7f15c5c0c047 in QQuickItem::~QQuickItem() /home/mitch/dev/qt5.11/qtdeclarative/src/quick/items/qquickitem.cpp:2396
          #1 0x7f15c42db0c2 in QQuickControl::~QQuickControl() /home/mitch/dev/qt5.11-debug/qtbase/include/QtQuickTemplates2/5.11.1/QtQuickTemplates2/private/../../../../../../../qt5.11/qtquickcontrols2/src/quicktemplates2/qquickcontrol_p.h:60
          #2 0x7f15c42db0c2 in QQuickAbstractButton::~QQuickAbstractButton() /home/mitch/dev/qt5.11/qtquickcontrols2/src/quicktemplates2/qquickabstractbutton.cpp:427
          #3 0x7f15ac06f658 in QQuickTabButton::~QQuickTabButton() /home/mitch/dev/qt5.11-debug/qtbase/include/QtQuickTemplates2/5.11.1/QtQuickTemplates2/private/../../../../../../../qt5.11/qtquickcontrols2/src/quicktemplates2/qquicktabbutton_p.h:55
          #4 0x7f15ac06f658 in QQmlPrivate::QQmlElement<QQuickTabButton>::~QQmlElement() /home/mitch/dev/qt5.11-debug/qtbase/include/QtQml/../../../../qt5.11/qtdeclarative/src/qml/qml/qqmlprivate.h:103
          #5 0x7f15ac06f658 in QQmlPrivate::QQmlElement<QQuickTabButton>::~QQmlElement() /home/mitch/dev/qt5.11-debug/qtbase/include/QtQml/../../../../qt5.11/qtdeclarative/src/qml/qml/qqmlprivate.h:103
          #6 0x7f15c7fe4ad0 in QObjectPrivate::deleteChildren() /home/mitch/dev/qt5.11/qtbase/src/corelib/kernel/qobject.cpp:1997
          #7 0x7f15c7fe9745 in QObject::~QObject() /home/mitch/dev/qt5.11/qtbase/src/corelib/kernel/qobject.cpp:1025
          #8 0x7f15c5c0ca41 in QQuickItem::~QQuickItem() /home/mitch/dev/qt5.11/qtdeclarative/src/quick/items/qquickitem.cpp:2378
          #9 0x7f15c43239d6 in QQuickControl::~QQuickControl() /home/mitch/dev/qt5.11-debug/qtbase/include/QtQuickTemplates2/5.11.1/QtQuickTemplates2/private/../../../../../../../qt5.11/qtquickcontrols2/src/quicktemplates2/qquickcontrol_p.h:60
          #10 0x7f15c43239d6 in QQuickContainer::~QQuickContainer() /home/mitch/dev/qt5.11/qtquickcontrols2/src/quicktemplates2/qquickcontainer.cpp:445
          #11 0x7f15ac074fa6 in QQuickTabBar::~QQuickTabBar() /home/mitch/dev/qt5.11-debug/qtbase/include/QtQuickTemplates2/5.11.1/QtQuickTemplates2/private/../../../../../../../qt5.11/qtquickcontrols2/src/quicktemplates2/qquicktabbar_p.h:59
          #12 0x7f15ac074fa6 in QQmlPrivate::QQmlElement<QQuickTabBar>::~QQmlElement() /home/mitch/dev/qt5.11-debug/qtbase/include/QtQml/../../../../qt5.11/qtdeclarative/src/qml/qml/qqmlprivate.h:103
          #13 0x7f15ac074fa6 in QQmlPrivate::QQmlElement<QQuickTabBar>::~QQmlElement() /home/mitch/dev/qt5.11-debug/qtbase/include/QtQml/../../../../qt5.11/qtdeclarative/src/qml/qml/qqmlprivate.h:103
          #14 0x7f15c7fcbe40 in qDeleteInEventHandler(QObject*) /home/mitch/dev/qt5.11/qtbase/src/corelib/kernel/qobject.cpp:4604
          #15 0x7f15c7fd214b in QObject::event(QEvent*) /home/mitch/dev/qt5.11/qtbase/src/corelib/kernel/qobject.cpp:1242
          #16 0x7f15c5c0440d in QQuickItem::event(QEvent*) /home/mitch/dev/qt5.11/qtdeclarative/src/quick/items/qquickitem.cpp:8003
          #17 0x7f15c7f234fe in QCoreApplicationPrivate::notify_helper(QObject*, QEvent*) /home/mitch/dev/qt5.11/qtbase/src/corelib/kernel/qcoreapplication.cpp:1197
          #18 0x7f15c7f2374d in doNotify /home/mitch/dev/qt5.11/qtbase/src/corelib/kernel/qcoreapplication.cpp:1138
          #19 0x7f15c7f23c1c in QCoreApplication::notify(QObject*, QEvent*) /home/mitch/dev/qt5.11/qtbase/src/corelib/kernel/qcoreapplication.cpp:1124
          #20 0x7f15c8900645 in QGuiApplication::notify(QObject*, QEvent*) /home/mitch/dev/qt5.11/qtbase/src/gui/kernel/qguiapplication.cpp:1762
          #21 0x7f15c7f239bc in QCoreApplication::notifyInternal2(QObject*, QEvent*) /home/mitch/dev/qt5.11/qtbase/src/corelib/kernel/qcoreapplication.cpp:1048
          #22 0x7f15c7f35594 in QCoreApplication::sendEvent(QObject*, QEvent*) ../../include/QtCore/../../../../qt5.11/qtbase/src/corelib/kernel/qcoreapplication.h:234
          #23 0x7f15c7f35594 in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) /home/mitch/dev/qt5.11/qtbase/src/corelib/kernel/qcoreapplication.cpp:1745
          #24 0x7f15c7f3739c in QCoreApplication::sendPostedEvents(QObject*, int) /home/mitch/dev/qt5.11/qtbase/src/corelib/kernel/qcoreapplication.cpp:1599
          #25 0x7f15ca8e850a in qWait /home/mitch/dev/qt5.11-debug/qtbase/include/QtTest/../../../../qt5.11/qtbase/src/testlib/qtestsystem.h:103
          #26 0x7f15ca8e850a in QuickTestResult::wait(int) /home/mitch/dev/qt5.11/qtdeclarative/src/qmltest/quicktestresult.cpp:635
          #27 0x7f15ca8f4b17 in QuickTestResult::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) .moc/moc_quicktestresult_p.cpp:338
          #28 0x7f15ca8f60d2 in QuickTestResult::qt_metacall(QMetaObject::Call, int, void**) .moc/moc_quicktestresult_p.cpp:484
          #29 0x7f15c7f4622d in QMetaObject::metacall(QObject*, QMetaObject::Call, int, void**) /home/mitch/dev/qt5.11/qtbase/src/corelib/kernel/qmetaobject.cpp:301
          #30 0x7f15c501434f in QQmlObjectOrGadget::metacall(QMetaObject::Call, int, void**) const /home/mitch/dev/qt5.11/qtdeclarative/src/qml/qml/qqmlpropertycache.cpp:1733
          #31 0x7f15c4d217ee in CallMethod /home/mitch/dev/qt5.11/qtdeclarative/src/qml/jsruntime/qv4qobjectwrapper.cpp:1175
          #32 0x7f15c4d233df in CallPrecise /home/mitch/dev/qt5.11/qtdeclarative/src/qml/jsruntime/qv4qobjectwrapper.cpp:1437
          #33 0x7f15c4d254ec in QV4::QObjectMethod::callInternal(QV4::Value const*, QV4::Value const*, int) const /home/mitch/dev/qt5.11/qtdeclarative/src/qml/jsruntime/qv4qobjectwrapper.cpp:1975
          #34 0x7f15c4d2628a in QV4::QObjectMethod::call(QV4::FunctionObject const*, QV4::Value const*, QV4::Value const*, int) /home/mitch/dev/qt5.11/qtdeclarative/src/qml/jsruntime/qv4qobjectwrapper.cpp:1912
          #35 0x7f15c4ddf7f2 in QV4::FunctionObject::call(QV4::Value const*, QV4::Value const*, int) const /home/mitch/dev/qt5.11/qtdeclarative/src/qml/jsruntime/qv4functionobject_p.h:163
          #36 0x7f15c4ddf7f2 in QV4::Runtime::method_callProperty(QV4::ExecutionEngine*, QV4::Value*, int, QV4::Value*, int) /home/mitch/dev/qt5.11/qtdeclarative/src/qml/jsruntime/qv4runtime.cpp:1062
          #37 0x7f15c4d80feb in QV4::Moth::VME::exec(QV4::FunctionObject const*, QV4::Value const*, QV4::Value const*, int) /home/mitch/dev/qt5.11/qtdeclarative/src/qml/jsruntime/qv4vme_moth.cpp:800
          #38 0x7f15c4a06c74 in QV4::ScriptFunction::call(QV4::FunctionObject const*, QV4::Value const*, QV4::Value const*, int) /home/mitch/dev/qt5.11/qtdeclarative/src/qml/jsruntime/qv4functionobject.cpp:408
          #39 0x7f15c4dd0c5b in QV4::FunctionObject::call(QV4::Value const*, QV4::Value const*, int) const /home/mitch/dev/qt5.11/qtdeclarative/src/qml/jsruntime/qv4functionobject_p.h:163
          #40 0x7f15c4dd0c5b in QV4::Runtime::method_callName(QV4::ExecutionEngine*, int, QV4::Value*, int) /home/mitch/dev/qt5.11/qtdeclarative/src/qml/jsruntime/qv4runtime.cpp:1030
          #41 0x7f15c4d81fce in QV4::Moth::VME::exec(QV4::FunctionObject const*, QV4::Value const*, QV4::Value const*, int) /home/mitch/dev/qt5.11/qtdeclarative/src/qml/jsruntime/qv4vme_moth.cpp:827
          #42 0x7f15c4a06c74 in QV4::ScriptFunction::call(QV4::FunctionObject const*, QV4::Value const*, QV4::Value const*, int) /home/mitch/dev/qt5.11/qtdeclarative/src/qml/jsruntime/qv4functionobject.cpp:408
          #43 0x7f15c4dd0c5b in QV4::FunctionObject::call(QV4::Value const*, QV4::Value const*, int) const /home/mitch/dev/qt5.11/qtdeclarative/src/qml/jsruntime/qv4functionobject_p.h:163
          #44 0x7f15c4dd0c5b in QV4::Runtime::method_callName(QV4::ExecutionEngine*, int, QV4::Value*, int) /home/mitch/dev/qt5.11/qtdeclarative/src/qml/jsruntime/qv4runtime.cpp:1030
          #45 0x7f15c4d81fce in QV4::Moth::VME::exec(QV4::FunctionObject const*, QV4::Value const*, QV4::Value const*, int) /home/mitch/dev/qt5.11/qtdeclarative/src/qml/jsruntime/qv4vme_moth.cpp:827
          #46 0x7f15c4a06c74 in QV4::ScriptFunction::call(QV4::FunctionObject const*, QV4::Value const*, QV4::Value const*, int) /home/mitch/dev/qt5.11/qtdeclarative/src/qml/jsruntime/qv4functionobject.cpp:408
          #47 0x7f15c4dd0c5b in QV4::FunctionObject::call(QV4::Value const*, QV4::Value const*, int) const /home/mitch/dev/qt5.11/qtdeclarative/src/qml/jsruntime/qv4functionobject_p.h:163
          #48 0x7f15c4dd0c5b in QV4::Runtime::method_callName(QV4::ExecutionEngine*, int, QV4::Value*, int) /home/mitch/dev/qt5.11/qtdeclarative/src/qml/jsruntime/qv4runtime.cpp:1030
          #49 0x7f15c4d81fce in QV4::Moth::VME::exec(QV4::FunctionObject const*, QV4::Value const*, QV4::Value const*, int) /home/mitch/dev/qt5.11/qtdeclarative/src/qml/jsruntime/qv4vme_moth.cpp:827
          #50 0x7f15c50e8796 in QV4::Moth::VME::exec(QV4::Function*, QV4::Value const*, QV4::Value const*, int, QV4::ExecutionContext const*) /home/mitch/dev/qt5.11-debug/qtbase/include/QtQml/5.11.1/QtQml/private/../../../../../../../qt5.11/qtdeclarative/src/qml/jsruntime/qv4vme_moth_p.h:72
          #51 0x7f15c50e8796 in QV4::Function::call(QV4::Value const*, QV4::Value const*, int, QV4::ExecutionContext const*) /home/mitch/dev/qt5.11-debug/qtbase/include/QtQml/5.11.1/QtQml/private/../../../../../../../qt5.11/qtdeclarative/src/qml/jsruntime/qv4function_p.h:72
          #52 0x7f15c50e8796 in QQmlJavaScriptExpression::evaluate(QV4::CallData*, bool*) /home/mitch/dev/qt5.11/qtdeclarative/src/qml/qml/qqmljavascriptexpression.cpp:217
          #53 0x7f15c4ef8a67 in QQmlBoundSignalExpression::evaluate(void**) /home/mitch/dev/qt5.11/qtdeclarative/src/qml/qml/qqmlboundsignal.cpp:237
          #54 0x7f15c4ef96b4 in QQmlBoundSignal_callback(QQmlNotifierEndpoint*, void**) /home/mitch/dev/qt5.11/qtdeclarative/src/qml/qml/qqmlboundsignal.cpp:370
          #55 0x7f15c503ce2e in QQmlNotifier::emitNotify(QQmlNotifierEndpoint*, void**) /home/mitch/dev/qt5.11/qtdeclarative/src/qml/qml/qqmlnotifier.cpp:106
          #56 0x7f15c4e71c52 in QQmlData::signalEmitted(QAbstractDeclarativeData*, QObject*, int, void**) /home/mitch/dev/qt5.11/qtdeclarative/src/qml/qml/qqmlengine.cpp:861
          #57 0x7f15c7fcf524 in QMetaObject::activate(QObject*, int, int, void**) /home/mitch/dev/qt5.11/qtbase/src/corelib/kernel/qobject.cpp:3648
          #58 0x7f15c4e57a23 in QQmlVMEMetaObject::activate(QObject*, int, void**) /home/mitch/dev/qt5.11/qtdeclarative/src/qml/qml/qqmlvmemetaobject.cpp:1246
          #59 0x7f15c4e60e9f in QQmlVMEMetaObject::metaCall(QObject*, QMetaObject::Call, int, void**) /home/mitch/dev/qt5.11/qtdeclarative/src/qml/qml/qqmlvmemetaobject.cpp:839
          #60 0x7f15c4e63aa8 in QQmlVMEMetaObject::metaCall(QObject*, QMetaObject::Call, int, void**) /home/mitch/dev/qt5.11/qtdeclarative/src/qml/qml/qqmlvmemetaobject.cpp:979
          #61 0x7f15c7f461e0 in QMetaObject::metacall(QObject*, QMetaObject::Call, int, void**) /home/mitch/dev/qt5.11/qtbase/src/corelib/kernel/qmetaobject.cpp:299
          #62 0x7f15c5113c51 in QQmlPropertyData::writeProperty(QObject*, void*, QFlags<QQmlPropertyData::WriteFlag>) const /home/mitch/dev/qt5.11-debug/qtbase/include/QtQml/5.11.1/QtQml/private/../../../../../../../qt5.11/qtdeclarative/src/qml/qml/qqmlpropertycache_p.h:350
          #63 0x7f15c5113c51 in bool GenericBinding<1>::doStore<bool>(bool, QQmlPropertyData const*, QFlags<QQmlPropertyData::WriteFlag>) const /home/mitch/dev/qt5.11/qtdeclarative/src/qml/qml/qqmlbinding.cpp:334
          #64 0x7f15c5113c51 in GenericBinding<1>::write(QV4::Value const&, bool, QFlags<QQmlPropertyData::WriteFlag>) /home/mitch/dev/qt5.11/qtdeclarative/src/qml/qml/qqmlbinding.cpp:296
          #65 0x7f15c5116001 in QQmlNonbindingBinding::doUpdate(QQmlJavaScriptExpression::DeleteWatcher const&, QFlags<QQmlPropertyData::WriteFlag>, QV4::Scope&) /home/mitch/dev/qt5.11/qtdeclarative/src/qml/qml/qqmlbinding.cpp:249
          #66 0x7f15c5108e47 in QQmlBinding::update(QFlags<QQmlPropertyData::WriteFlag>) /home/mitch/dev/qt5.11/qtdeclarative/src/qml/qml/qqmlbinding.cpp:185
          #67 0x7f15c510bcb7 in QQmlBinding::expressionChanged() /home/mitch/dev/qt5.11/qtdeclarative/src/qml/qml/qqmlbinding.cpp:527
          #68 0x7f15c50e4c2d in QQmlJavaScriptExpressionGuard_callback(QQmlNotifierEndpoint*, void**) /home/mitch/dev/qt5.11/qtdeclarative/src/qml/qml/qqmljavascriptexpression.cpp:484
          #69 0x7f15c503ce2e in QQmlNotifier::emitNotify(QQmlNotifierEndpoint*, void**) /home/mitch/dev/qt5.11/qtdeclarative/src/qml/qml/qqmlnotifier.cpp:106
          #70 0x7f15c4e71c52 in QQmlData::signalEmitted(QAbstractDeclarativeData*, QObject*, int, void**) /home/mitch/dev/qt5.11/qtdeclarative/src/qml/qml/qqmlengine.cpp:861
          #71 0x7f15c7fcf524 in QMetaObject::activate(QObject*, int, int, void**) /home/mitch/dev/qt5.11/qtbase/src/corelib/kernel/qobject.cpp:3648
          #72 0x7f15c4e57a23 in QQmlVMEMetaObject::activate(QObject*, int, void**) /home/mitch/dev/qt5.11/qtdeclarative/src/qml/qml/qqmlvmemetaobject.cpp:1246
          #73 0x7f15c4e60e9f in QQmlVMEMetaObject::metaCall(QObject*, QMetaObject::Call, int, void**) /home/mitch/dev/qt5.11/qtdeclarative/src/qml/qml/qqmlvmemetaobject.cpp:839
          #74 0x7f15c4e63aa8 in QQmlVMEMetaObject::metaCall(QObject*, QMetaObject::Call, int, void**) /home/mitch/dev/qt5.11/qtdeclarative/src/qml/qml/qqmlvmemetaobject.cpp:979
          #75 0x7f15c7f461e0 in QMetaObject::metacall(QObject*, QMetaObject::Call, int, void**) /home/mitch/dev/qt5.11/qtbase/src/corelib/kernel/qmetaobject.cpp:299
          #76 0x7f15c5113c51 in QQmlPropertyData::writeProperty(QObject*, void*, QFlags<QQmlPropertyData::WriteFlag>) const /home/mitch/dev/qt5.11-debug/qtbase/include/QtQml/5.11.1/QtQml/private/../../../../../../../qt5.11/qtdeclarative/src/qml/qml/qqmlpropertycache_p.h:350
          #77 0x7f15c5113c51 in bool GenericBinding<1>::doStore<bool>(bool, QQmlPropertyData const*, QFlags<QQmlPropertyData::WriteFlag>) const /home/mitch/dev/qt5.11/qtdeclarative/src/qml/qml/qqmlbinding.cpp:334
          #78 0x7f15c5113c51 in GenericBinding<1>::write(QV4::Value const&, bool, QFlags<QQmlPropertyData::WriteFlag>) /home/mitch/dev/qt5.11/qtdeclarative/src/qml/qml/qqmlbinding.cpp:296
          #79 0x7f15c5116001 in QQmlNonbindingBinding::doUpdate(QQmlJavaScriptExpression::DeleteWatcher const&, QFlags<QQmlPropertyData::WriteFlag>, QV4::Scope&) /home/mitch/dev/qt5.11/qtdeclarative/src/qml/qml/qqmlbinding.cpp:249
          #80 0x7f15c5108e47 in QQmlBinding::update(QFlags<QQmlPropertyData::WriteFlag>) /home/mitch/dev/qt5.11/qtdeclarative/src/qml/qml/qqmlbinding.cpp:185
          #81 0x7f15c510bcb7 in QQmlBinding::expressionChanged() /home/mitch/dev/qt5.11/qtdeclarative/src/qml/qml/qqmlbinding.cpp:527
          #82 0x7f15c50e4c2d in QQmlJavaScriptExpressionGuard_callback(QQmlNotifierEndpoint*, void**) /home/mitch/dev/qt5.11/qtdeclarative/src/qml/qml/qqmljavascriptexpression.cpp:484
          #83 0x7f15c503ce2e in QQmlNotifier::emitNotify(QQmlNotifierEndpoint*, void**) /home/mitch/dev/qt5.11/qtdeclarative/src/qml/qml/qqmlnotifier.cpp:106
          #84 0x7f15c4e71c52 in QQmlData::signalEmitted(QAbstractDeclarativeData*, QObject*, int, void**) /home/mitch/dev/qt5.11/qtdeclarative/src/qml/qml/qqmlengine.cpp:861
          #85 0x7f15c7fcf524 in QMetaObject::activate(QObject*, int, int, void**) /home/mitch/dev/qt5.11/qtbase/src/corelib/kernel/qobject.cpp:3648
          #86 0x7f15c7fd1165 in QMetaObject::activate(QObject*, QMetaObject const*, int, void**) /home/mitch/dev/qt5.11/qtbase/src/corelib/kernel/qobject.cpp:3633
          #87 0x7f15ca8a6cf9 in QTestRootObject::windowShownChanged() .moc/quicktest.moc:198
          #88 0x7f15ca8b43e9 in QTestRootObject::setWindowShown(bool) /home/mitch/dev/qt5.11/qtdeclarative/src/qmltest/quicktest.cpp:104
          #89 0x7f15ca8b43e9 in quick_test_main_with_setup(int, char**, char const*, char const*, QObject*) /home/mitch/dev/qt5.11/qtdeclarative/src/qmltest/quicktest.cpp:572
          #90 0x7f15ca8b5bff in quick_test_main(int, char**, char const*, char const*) /home/mitch/dev/qt5.11/qtdeclarative/src/qmltest/quicktest.cpp:334
          #91 0x5594b923049a in main /home/mitch/dev/qt5.11/qtquickcontrols2/tests/auto/controls/universal/tst_universal.cpp:46
          #92 0x7f15c6e27b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
          #93 0x5594b92301f9 in _start (/home/mitch/dev/qt5.11-debug/qtquickcontrols2/tests/auto/controls/universal/tst_universal+0x11f9)
      
      0x61900045a2c0 is located 320 bytes inside of 960-byte region [0x61900045a180,0x61900045a540)
      freed by thread T0 here:
          #0 0x7f15c98e59d8 in operator delete(void*, unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xe19d8)
          #1 0x7f15c5fc86ff in QQuickPathViewPrivate::~QQuickPathViewPrivate() /home/mitch/dev/qt5.11/qtdeclarative/src/quick/items/qquickpathview_p_p.h:74
          #2 0x7f15c7fe966e in QScopedPointerDeleter<QObjectData>::cleanup(QObjectData*) ../../include/QtCore/../../../../qt5.11/qtbase/src/corelib/tools/qscopedpointer.h:60
          #3 0x7f15c7fe966e in QScopedPointer<QObjectData, QScopedPointerDeleter<QObjectData> >::~QScopedPointer() ../../include/QtCore/../../../../qt5.11/qtbase/src/corelib/tools/qscopedpointer.h:107
          #4 0x7f15c7fe966e in QObject::~QObject() /home/mitch/dev/qt5.11/qtbase/src/corelib/kernel/qobject.cpp:884
          #5 0x7f15c5c0ca41 in QQuickItem::~QQuickItem() /home/mitch/dev/qt5.11/qtdeclarative/src/quick/items/qquickitem.cpp:2378
          #6 0x7f15c5fb54ed in QQuickPathView::~QQuickPathView() /home/mitch/dev/qt5.11/qtdeclarative/src/quick/items/qquickpathview.cpp:545
          #7 0x7f15c5c9bd56 in QQmlPrivate::QQmlElement<QQuickPathView>::~QQmlElement() /home/mitch/dev/qt5.11-debug/qtbase/include/QtQml/../../../../qt5.11/qtdeclarative/src/qml/qml/qqmlprivate.h:103
          #8 0x7f15c5c9bd56 in QQmlPrivate::QQmlElement<QQuickPathView>::~QQmlElement() /home/mitch/dev/qt5.11-debug/qtbase/include/QtQml/../../../../qt5.11/qtdeclarative/src/qml/qml/qqmlprivate.h:103
          #9 0x7f15c432387f in QQuickContainerPrivate::cleanup() /home/mitch/dev/qt5.11/qtquickcontrols2/src/quicktemplates2/qquickcontainer.cpp:220
          #10 0x7f15c432398a in QQuickContainer::~QQuickContainer() /home/mitch/dev/qt5.11/qtquickcontrols2/src/quicktemplates2/qquickcontainer.cpp:448
          #11 0x7f15ac074fa6 in QQuickTabBar::~QQuickTabBar() /home/mitch/dev/qt5.11-debug/qtbase/include/QtQuickTemplates2/5.11.1/QtQuickTemplates2/private/../../../../../../../qt5.11/qtquickcontrols2/src/quicktemplates2/qquicktabbar_p.h:59
          #12 0x7f15ac074fa6 in QQmlPrivate::QQmlElement<QQuickTabBar>::~QQmlElement() /home/mitch/dev/qt5.11-debug/qtbase/include/QtQml/../../../../qt5.11/qtdeclarative/src/qml/qml/qqmlprivate.h:103
          #13 0x7f15ac074fa6 in QQmlPrivate::QQmlElement<QQuickTabBar>::~QQmlElement() /home/mitch/dev/qt5.11-debug/qtbase/include/QtQml/../../../../qt5.11/qtdeclarative/src/qml/qml/qqmlprivate.h:103
          #14 0x7f15c7fcbe40 in qDeleteInEventHandler(QObject*) /home/mitch/dev/qt5.11/qtbase/src/corelib/kernel/qobject.cpp:4604
          #15 0x7f15c7fd214b in QObject::event(QEvent*) /home/mitch/dev/qt5.11/qtbase/src/corelib/kernel/qobject.cpp:1242
          #16 0x7f15c5c0440d in QQuickItem::event(QEvent*) /home/mitch/dev/qt5.11/qtdeclarative/src/quick/items/qquickitem.cpp:8003
          #17 0x7f15c7f234fe in QCoreApplicationPrivate::notify_helper(QObject*, QEvent*) /home/mitch/dev/qt5.11/qtbase/src/corelib/kernel/qcoreapplication.cpp:1197
          #18 0x7f15c7f2374d in doNotify /home/mitch/dev/qt5.11/qtbase/src/corelib/kernel/qcoreapplication.cpp:1138
          #19 0x7f15c7f23c1c in QCoreApplication::notify(QObject*, QEvent*) /home/mitch/dev/qt5.11/qtbase/src/corelib/kernel/qcoreapplication.cpp:1124
          #20 0x7f15c8900645 in QGuiApplication::notify(QObject*, QEvent*) /home/mitch/dev/qt5.11/qtbase/src/gui/kernel/qguiapplication.cpp:1762
          #21 0x7f15c7f239bc in QCoreApplication::notifyInternal2(QObject*, QEvent*) /home/mitch/dev/qt5.11/qtbase/src/corelib/kernel/qcoreapplication.cpp:1048
          #22 0x7f15c7f35594 in QCoreApplication::sendEvent(QObject*, QEvent*) ../../include/QtCore/../../../../qt5.11/qtbase/src/corelib/kernel/qcoreapplication.h:234
          #23 0x7f15c7f35594 in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) /home/mitch/dev/qt5.11/qtbase/src/corelib/kernel/qcoreapplication.cpp:1745
          #24 0x7f15c7f3739c in QCoreApplication::sendPostedEvents(QObject*, int) /home/mitch/dev/qt5.11/qtbase/src/corelib/kernel/qcoreapplication.cpp:1599
          #25 0x7f15ca8e850a in qWait /home/mitch/dev/qt5.11-debug/qtbase/include/QtTest/../../../../qt5.11/qtbase/src/testlib/qtestsystem.h:103
          #26 0x7f15ca8e850a in QuickTestResult::wait(int) /home/mitch/dev/qt5.11/qtdeclarative/src/qmltest/quicktestresult.cpp:635
          #27 0x7f15ca8f4b17 in QuickTestResult::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) .moc/moc_quicktestresult_p.cpp:338
          #28 0x7f15ca8f60d2 in QuickTestResult::qt_metacall(QMetaObject::Call, int, void**) .moc/moc_quicktestresult_p.cpp:484
          #29 0x7f15c7f4622d in QMetaObject::metacall(QObject*, QMetaObject::Call, int, void**) /home/mitch/dev/qt5.11/qtbase/src/corelib/kernel/qmetaobject.cpp:301
          #30 0x7f15c501434f in QQmlObjectOrGadget::metacall(QMetaObject::Call, int, void**) const /home/mitch/dev/qt5.11/qtdeclarative/src/qml/qml/qqmlpropertycache.cpp:1733
          #31 0x7f15c4d217ee in CallMethod /home/mitch/dev/qt5.11/qtdeclarative/src/qml/jsruntime/qv4qobjectwrapper.cpp:1175
          #32 0x7f15c4d233df in CallPrecise /home/mitch/dev/qt5.11/qtdeclarative/src/qml/jsruntime/qv4qobjectwrapper.cpp:1437
          #33 0x7f15c4d254ec in QV4::QObjectMethod::callInternal(QV4::Value const*, QV4::Value const*, int) const /home/mitch/dev/qt5.11/qtdeclarative/src/qml/jsruntime/qv4qobjectwrapper.cpp:1975
          #34 0x7f15c4d2628a in QV4::QObjectMethod::call(QV4::FunctionObject const*, QV4::Value const*, QV4::Value const*, int) /home/mitch/dev/qt5.11/qtdeclarative/src/qml/jsruntime/qv4qobjectwrapper.cpp:1912
          #35 0x7f15c4ddf7f2 in QV4::FunctionObject::call(QV4::Value const*, QV4::Value const*, int) const /home/mitch/dev/qt5.11/qtdeclarative/src/qml/jsruntime/qv4functionobject_p.h:163
          #36 0x7f15c4ddf7f2 in QV4::Runtime::method_callProperty(QV4::ExecutionEngine*, QV4::Value*, int, QV4::Value*, int) /home/mitch/dev/qt5.11/qtdeclarative/src/qml/jsruntime/qv4runtime.cpp:1062
          #37 0x7f15c4d80feb in QV4::Moth::VME::exec(QV4::FunctionObject const*, QV4::Value const*, QV4::Value const*, int) /home/mitch/dev/qt5.11/qtdeclarative/src/qml/jsruntime/qv4vme_moth.cpp:800
      
      previously allocated by thread T0 here:
          #0 0x7f15c98e4458 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xe0458)
          #1 0x7f15c5fa94ba in QQuickPathView::QQuickPathView(QQuickItem*) /home/mitch/dev/qt5.11/qtdeclarative/src/quick/items/qquickpathview.cpp:539
          #2 0x7f15c5c9bbe1 in QQmlPrivate::QQmlElement<QQuickPathView>::QQmlElement() /home/mitch/dev/qt5.11-debug/qtbase/include/QtQml/../../../../qt5.11/qtdeclarative/src/qml/qml/qqmlprivate.h:98
          #3 0x7f15c5c9bbe1 in void QQmlPrivate::createInto<QQuickPathView>(void*) /home/mitch/dev/qt5.11-debug/qtbase/include/QtQml/../../../../qt5.11/qtdeclarative/src/qml/qml/qqmlprivate.h:107
          #4 0x7f15c4f33d97 in QQmlType::create(QObject**, void**, unsigned long) const /home/mitch/dev/qt5.11/qtdeclarative/src/qml/qml/qqmlmetatype.cpp:915
          #5 0x7f15c515680c in QQmlObjectCreator::createInstance(int, QObject*, bool) /home/mitch/dev/qt5.11/qtdeclarative/src/qml/qml/qqmlobjectcreator.cpp:1163
          #6 0x7f15c515b8b5 in QQmlObjectCreator::setPropertyBinding(QQmlPropertyData const*, QV4::CompiledData::Binding const*) /home/mitch/dev/qt5.11/qtdeclarative/src/qml/qml/qqmlobjectcreator.cpp:825
          #7 0x7f15c5160c46 in QQmlObjectCreator::populateDeferredBinding(QQmlProperty const&, QQmlData::DeferredData*, QV4::CompiledData::Binding const*) /home/mitch/dev/qt5.11/qtdeclarative/src/qml/qml/qqmlobjectcreator.cpp:344
          #8 0x7f15c433ab48 in beginDeferred /home/mitch/dev/qt5.11/qtquickcontrols2/src/quicktemplates2/qquickdeferredexecute.cpp:95
          #9 0x7f15c433b133 in QtQuickPrivate::beginDeferred(QObject*, QString const&) /home/mitch/dev/qt5.11/qtquickcontrols2/src/quicktemplates2/qquickdeferredexecute.cpp:118
          #10 0x7f15c42e2737 in void quickBeginDeferred<QQuickItem>(QObject*, QString const&, QQuickDeferredPointer<QQuickItem>&) /home/mitch/dev/qt5.11/qtquickcontrols2/src/quicktemplates2/qquickdeferredexecute_p_p.h:74
          #11 0x7f15c43342a8 in QQuickControlPrivate::executeContentItem(bool) /home/mitch/dev/qt5.11/qtquickcontrols2/src/quicktemplates2/qquickcontrol.cpp:650
          #12 0x7f15c43377ec in QQuickControl::componentComplete() /home/mitch/dev/qt5.11/qtquickcontrols2/src/quicktemplates2/qquickcontrol.cpp:1430
          #13 0x7f15c4324ce9 in QQuickContainer::componentComplete() /home/mitch/dev/qt5.11/qtquickcontrols2/src/quicktemplates2/qquickcontainer.cpp:749
          #14 0x7f15c441db51 in QQuickTabBar::componentComplete() /home/mitch/dev/qt5.11/qtquickcontrols2/src/quicktemplates2/qquicktabbar.cpp:375
          #15 0x7f15c515220f in QQmlObjectCreator::finalize(QQmlInstantiationInterrupt&) /home/mitch/dev/qt5.11/qtdeclarative/src/qml/qml/qqmlobjectcreator.cpp:1359
          #16 0x7f15c4ec5a53 in QQmlComponentPrivate::complete(QQmlEnginePrivate*, QQmlComponentPrivate::ConstructionState*) /home/mitch/dev/qt5.11/qtdeclarative/src/qml/qml/qqmlcomponent.cpp:924
          #17 0x7f15c4ec5dd6 in QQmlComponentPrivate::completeCreate() /home/mitch/dev/qt5.11/qtdeclarative/src/qml/qml/qqmlcomponent.cpp:959
          #18 0x7f15c4ed7afe in QQmlComponent::createObject(QQmlV4Function*) /home/mitch/dev/qt5.11/qtdeclarative/src/qml/qml/qqmlcomponent.cpp:1315
          #19 0x7f15c4ed953f in QQmlComponent::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) .moc/moc_qqmlcomponent.cpp:149
          #20 0x7f15c4ed9ee2 in QQmlComponent::qt_metacall(QMetaObject::Call, int, void**) .moc/moc_qqmlcomponent.cpp:213
          #21 0x7f15c7f4622d in QMetaObject::metacall(QObject*, QMetaObject::Call, int, void**) /home/mitch/dev/qt5.11/qtbase/src/corelib/kernel/qmetaobject.cpp:301
          #22 0x7f15c501434f in QQmlObjectOrGadget::metacall(QMetaObject::Call, int, void**) const /home/mitch/dev/qt5.11/qtdeclarative/src/qml/qml/qqmlpropertycache.cpp:1733
          #23 0x7f15c4d260d1 in QV4::QObjectMethod::callInternal(QV4::Value const*, QV4::Value const*, int) const /home/mitch/dev/qt5.11/qtdeclarative/src/qml/jsruntime/qv4qobjectwrapper.cpp:1969
          #24 0x7f15c4d2628a in QV4::QObjectMethod::call(QV4::FunctionObject const*, QV4::Value const*, QV4::Value const*, int) /home/mitch/dev/qt5.11/qtdeclarative/src/qml/jsruntime/qv4qobjectwrapper.cpp:1912
          #25 0x7f15c4ddf7f2 in QV4::FunctionObject::call(QV4::Value const*, QV4::Value const*, int) const /home/mitch/dev/qt5.11/qtdeclarative/src/qml/jsruntime/qv4functionobject_p.h:163
          #26 0x7f15c4ddf7f2 in QV4::Runtime::method_callProperty(QV4::ExecutionEngine*, QV4::Value*, int, QV4::Value*, int) /home/mitch/dev/qt5.11/qtdeclarative/src/qml/jsruntime/qv4runtime.cpp:1062
          #27 0x7f15c4d80feb in QV4::Moth::VME::exec(QV4::FunctionObject const*, QV4::Value const*, QV4::Value const*, int) /home/mitch/dev/qt5.11/qtdeclarative/src/qml/jsruntime/qv4vme_moth.cpp:800
          #28 0x7f15c4a06c74 in QV4::ScriptFunction::call(QV4::FunctionObject const*, QV4::Value const*, QV4::Value const*, int) /home/mitch/dev/qt5.11/qtdeclarative/src/qml/jsruntime/qv4functionobject.cpp:408
          #29 0x7f15c4dd0c5b in QV4::FunctionObject::call(QV4::Value const*, QV4::Value const*, int) const /home/mitch/dev/qt5.11/qtdeclarative/src/qml/jsruntime/qv4functionobject_p.h:163
          #30 0x7f15c4dd0c5b in QV4::Runtime::method_callName(QV4::ExecutionEngine*, int, QV4::Value*, int) /home/mitch/dev/qt5.11/qtdeclarative/src/qml/jsruntime/qv4runtime.cpp:1030
          #31 0x7f15c4d81fce in QV4::Moth::VME::exec(QV4::FunctionObject const*, QV4::Value const*, QV4::Value const*, int) /home/mitch/dev/qt5.11/qtdeclarative/src/qml/jsruntime/qv4vme_moth.cpp:827
          #32 0x7f15c4a06c74 in QV4::ScriptFunction::call(QV4::FunctionObject const*, QV4::Value const*, QV4::Value const*, int) /home/mitch/dev/qt5.11/qtdeclarative/src/qml/jsruntime/qv4functionobject.cpp:408
      
      SUMMARY: AddressSanitizer: heap-use-after-free /home/mitch/dev/qt5.11/qtdeclarative/src/quick/items/qquickitem.cpp:2396 in QQuickItem::~QQuickItem()
      

      Qt Quick-only example (click the button a few times or uncomment the timer):

      import QtQml.Models 2.11
      import QtQuick 2.11
      import QtQuick.Window 2.2
      
      Window {
          id: window
          width: 400
          height: 400
          visible: true
      
          property Item pathViewItem
      
          Component {
              id: pathViewComponent
      
              PathView {
                  id: pathView
                  width: 32 * 3
                  height: 32
                  anchors.centerIn: parent
                  objectName: "PathView"
                  model: objectModel
      
                  interactive: false
                  snapMode: PathView.SnapToItem
                  movementDirection: PathView.Positive
                  highlightMoveDuration: 100
      
                  path: Path {
                      startX: pathView.width / pathView.count / 2
                      startY: pathView.height / 2
                      PathLine {
                          x: pathView.width + (pathView.width / pathView.count / 2)
                          y: pathView.height / 2
                      }
                  }
              }
          }
      
          ObjectModel {
              id: objectModel
      
              Rectangle {
                  width: 32
                  height: 32
                  color: "red"
              }
              Rectangle {
                  width: 32
                  height: 32
                  color: "green"
              }
              Rectangle {
                  width: 32
                  height: 32
                  color: "blue"
              }
          }
      
          function newView() {
              if (pathViewItem)
                  pathViewItem.destroy()
              pathViewItem = pathViewComponent.createObject(window.contentItem)
          }
      
          function move(from, to) {
              objectModel.move(from, to)
          }
      
      //    Timer {
      //        running: true
      //        repeat: true
      //        interval: 30
      //        onTriggered: {
      //            newView()
      //            move(0, 1)
      //        }
      //    }
      
          Text {
              text: "Reproduce bug"
      
              Rectangle {
                  anchors.fill: parent
                  anchors.margins: -10
                  color: "#eee"
                  z: -1
      
                  MouseArea {
                      anchors.fill: parent
      
                      onClicked: {
                          newView()
                          move(0, 1)
                      }
                  }
              }
          }
      }
      

      ASAN output for the above example:

      qtbug68964-qtquick-only-asan.txt

      Attachments

        Issue Links

          Activity

            People

              mitch_curtis Mitch Curtis
              mitch_curtis Mitch Curtis
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: