Uploaded image for project: 'Qt'
  1. Qt
  2. QTBUG-88162

Crash when NinePatchImage's source is changed

    XMLWordPrintable

Details

    • Linux/Wayland, Linux/X11
    • 837b3795c237d20dfca4be46e10697e1cd300e60 (qt/qtquickcontrols2/dev) e19e923f52217e82be9e11aadeacfbc917a00126 (qt/qtquickcontrols2/6.0) c379659f5f51ae14331e5bdd365ef229c9a4c9c9 (qt/tqtc-qtquickcontrols2/5.15)

    Description

      procedure to reproduce the crash

      1. pixmapChange() of qquickninepatchimage.cpp (main thread)
      2. updatePaintNode() of qquickninepatchimage.cpp(qsgrender thread)
      3. .......
      4. pixmapChange() of qquickninepatchimage.cpp (main thread)
      5. ... rendering (qsgrender thread)
      6. crash at QImage::copy ( heap-use-after-free)

      the result with AddressSanitizer

      ================================================================= 
==27192==ERROR: AddressSanitizer: heap-use-after-free on address 0x7fbe70d87d04 at pc 0x7fbe7be22733 bp 0x7fbe581b0ca0 sp 0x7fbe581b0448 
READ of size 1272 at 0x7fbe70d87d04 thread T7 (QSGRenderThread) 
    #0 0x7fbe7be22732 (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x79732) 
    #1 0x7fbe7aefb63a in QImage::copy(QRect const&) const image/qimage.cpp:1234 
    #2 0x7fbe7b230cb7 in QOpenGLTextureUploader::textureImage(unsigned int, QImage const&, QFlags<QOpenGLTextureUploader::BindOption>, QSize) opengl/qopengltextureuploader.cpp:372 
    #3 0x7fbe7b82bfeb in QSGPlainTexture::bind() scenegraph/util/qsgplaintexture.cpp:238 
    #4 0x7fbe7b82e885 in QSGOpaqueTextureMaterialShader::updateState(QSGMaterialShader::RenderState const&, QSGMaterial*, QSGMaterial*) scenegraph/util/qsgtexturematerial.cpp:112 
    #5 0x7fbe7b813e48 in QSGBatchRenderer::Renderer::renderMergedBatch(QSGBatchRenderer::Batch const*) scenegraph/coreapi/qsgbatchrenderer.cpp:3058 
    #6 0x7fbe7b817854 in QSGBatchRenderer::Renderer::renderBatches() scenegraph/coreapi/qsgbatchrenderer.cpp:4027 
    #7 0x7fbe7b817d96 in QSGBatchRenderer::Renderer::render() scenegraph/coreapi/qsgbatchrenderer.cpp:4324   
    #8 0x7fbe7b8002e2 in QSGRenderer::renderScene(QSGBindable const&) scenegraph/coreapi/qsgrenderer.cpp:264 
    #9 0x7fbe7b8007d6 in QSGRenderer::renderScene(unsigned int) scenegraph/coreapi/qsgrenderer.cpp:212 
    #10 0x7fbe7b869c40 in QSGDefaultRenderContext::renderNextFrame(QSGRenderer*, unsigned int) scenegraph/qsgdefaultrendercontext.cpp:228 
    #11 0x7fbe7b8cd368 in QQuickWindowPrivate::renderSceneGraph(QSize const&, QSize const&) items/qquickwindow.cpp:541 
    #12 0x7fbe7b876f0e in QSGRenderThread::syncAndRender(QImage*) scenegraph/qsgthreadedrenderloop.cpp:837 
    #13 0x7fbe7b87ad8a in QSGRenderThread::run() scenegraph/qsgthreadedrenderloop.cpp:1043 
    #14 0x7fbe79f84414 in QThreadPrivate::start(void*) thread/qthread_unix.cpp:342 
    #15 0x7fbe78f1b6da (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da) 
    #16 0x7fbe79660a3e (/lib/x86_64-linux-gnu/libc.so.6+0x121a3e)

0x7fbe70d87d04 is located 1284 bytes inside of 206080-byte region [0x7fbe70d87800,0x7fbe70db9d00) 
freed by thread T0 here: 
    #0 0x7fbe7be877a8 (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xde7a8) 
    #1 0x7fbe7aefa5c9 in QImageData::~QImageData() image/qimage.cpp:177

previously allocated by thread T0 here: 
    #0 0x7fbe7be87b40 (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40) 
    #1 0x7fbe7aefa93b in QImageData::create(QSize const&, QImage::Format) image/qimage.cpp:160

Thread T7 (QSGRenderThread) created by T0 here: 
    #0 0x7fbe7bde0d2f (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x37d2f) 
    #1 0x7fbe79f83cf0 in QThread::start(QThread::Priority) thread/qthread_unix.cpp:716

SUMMARY: AddressSanitizer: heap-use-after-free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x79732) 
Shadow bytes around the buggy address: 
  0x0ff84e1a8f50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 
  0x0ff84e1a8f60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 
  0x0ff84e1a8f70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 
  0x0ff84e1a8f80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 
  0x0ff84e1a8f90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 
=>0x0ff84e1a8fa0:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 
  0x0ff84e1a8fb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 
  0x0ff84e1a8fc0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 
  0x0ff84e1a8fd0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 
  0x0ff84e1a8fe0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 
  0x0ff84e1a8ff0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 
Shadow byte legend (one shadow byte represents 8 application bytes): 
  Addressable: 00 
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone: fa 
  Freed heap region: fd 
  Stack left redzone: f1 
  Stack mid redzone: f2 
  Stack right redzone: f3 
  Stack after return: f5 
  Stack use after scope: f8 
  Global redzone: f9 
  Global init order: f6 
  Poisoned by user: f7 
  Container overflow: fc 
  Array cookie: ac 
  Intra object redzone: bb 
  ASan internal: fe 
  Left alloca redzone: ca 
  Right alloca redzone: cb 
==27192==ABORTING

       

      You can use the attached example file.

      (Run and just click the application)

      Attachments

        Activity

          People

            lagocs Laszlo Agocs
            dekim dennis kim
            Votes:
            1 Vote for this issue
            Watchers:
            8 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: