QTBUG-94717: Double free with Qt 6.2 and QtQuick


Details

    Platform/OS: Linux/X11, macOS

    Description

      Backtrace Linux:

      ```
      1 __GI_raise raise.c 50 0x7ffff523618b
      2 __GI_abort abort.c 79 0x7ffff5215859
      3 __libc_message libc_fatal.c 155 0x7ffff52803ee
      4 malloc_printerr malloc.c 5347 0x7ffff528847c
      5 malloc_consolidate malloc.c 4477 0x7ffff5288c58
      6 _int_malloc malloc.c 3699 0x7ffff528ae03
      7 _int_realloc malloc.c 4600 0x7ffff528bfdf
      8 _GI__libc_realloc malloc.c 3235 0x7ffff528e2d6
      9 QArrayData::reallocateUnaligned qarraydata.cpp 260 0x7ffff59fddc1
      10 QTypedArrayData<QRhiGles2::DeferredReleaseEntry>::reallocateUnaligned qarraydata.h 149 0x7ffff62f0a4b
      11 QtPrivate::QPodArrayOps<QRhiGles2::DeferredReleaseEntry>::reallocate qarraydataops.h 289 0x7ffff62f0a4b
      12 QArrayDataPointer<QRhiGles2::DeferredReleaseEntry>::reallocateAndGrow qarraydatapointer.h 222 0x7ffff62f0a4b
      13 QArrayDataPointer<QRhiGles2::DeferredReleaseEntry>::detachAndGrow atomic_base.h 420 0x7ffff62f0bf1
      14 QtPrivate::QPodArrayOps<QRhiGles2::DeferredReleaseEntry>::emplace<QRhiGles2::DeferredReleaseEntry const&> qarraydataops.h 215 0x7ffff62f0bf1
      15 QList<QRhiGles2::DeferredReleaseEntry>::emplaceBack<QRhiGles2::DeferredReleaseEntry const&> qlist.h 815 0x7ffff62e8e6f
      16 QList<QRhiGles2::DeferredReleaseEntry>::append qlist.h 396 0x7ffff62e8e6f
      17 QGles2Buffer::destroy qrhigles2.cpp 4261 0x7ffff62e8e6f
      18 QGles2Buffer::~QGles2Buffer qrhigles2.cpp 4243 0x7ffff62e8e6f
      19 QGles2Buffer::~QGles2Buffer qrhigles2.cpp 4244 0x7ffff62e8e6f
      20 QSGBatchRenderer::qsg_wipeBuffer qsgbatchrenderer.cpp 941 0x7ffff7175dbf
      21 QSGBatchRenderer::qsg_wipeBatch qsgbatchrenderer.cpp 955 0x7ffff7175dbf
      22 QSGBatchRenderer::Renderer::~Renderer qdatabuffer_p.h 93 0x7ffff718237f
      23 QSGBatchRenderer::Renderer::~Renderer qsgbatchrenderer.cpp 961 0x7ffff71827e9
      24 QSGRhiLayer::invalidated qsgrhilayer.cpp 71 0x7ffff71d56c8
      25 QSGRhiLayer::~QSGRhiLayer qsgrhilayer.cpp 64 0x7ffff71d56f7
      26 QSGRhiLayer::~QSGRhiLayer qsgrhilayer.cpp 62 0x7ffff71d5719
      27 QQuickShaderEffectSourceCleanup::run qquickshadereffectsource.cpp 91 0x7ffff737b413
      28 QQuickWindowPrivate::runAndClearJobs qquickwindow.cpp 3665 0x7ffff714f37a
      29 QQuickWindowPrivate::syncSceneGraph qquickwindow.cpp 582 0x7ffff7150095
      30 QSGRenderThread::sync qsgthreadedrenderloop.cpp 602 0x7ffff72e69d6
      31 QSGRenderThread::syncAndRender qsgthreadedrenderloop.cpp 739 0x7ffff72e896f
      32 QSGRenderThread::run qsgthreadedrenderloop.cpp 987 0x7ffff72eb4e6
      33 QThreadPrivate::start qthread_unix.cpp 330 0x7ffff5a62b7f
      34 start_thread pthread_create.c 477 0x7ffff7f8f609
      35 clone clone.S 95 0x7ffff5312293
      ```

      Backtrace OSX:

      ```
      Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
      0 libsystem_kernel.dylib 0x00007fff204b1462 __pthread_kill + 10
      1 libsystem_pthread.dylib 0x00007fff204df610 pthread_kill + 263
      2 libsystem_c.dylib 0x00007fff204327ba __abort + 139
      3 libsystem_c.dylib 0x00007fff2043272f abort + 135
      4 libsystem_malloc.dylib 0x00007fff20313430 malloc_vreport + 548
      5 libsystem_malloc.dylib 0x00007fff20327702 malloc_zone_error + 183
      6 libsystem_malloc.dylib 0x00007fff2030b182 tiny_free_list_add_ptr + 1224
      7 libsystem_malloc.dylib 0x00007fff2030a7aa tiny_free_no_lock + 1116
      8 libsystem_malloc.dylib 0x00007fff2030a1f9 free_tiny + 442
      9 org.qt-project.QtCore 0x000000010803b2fa QObjectPrivate::Connection::deref() + 74 (qobject_p.h:194) [inlined]
      10 org.qt-project.QtCore 0x000000010803b2fa QObjectPrivate::ConnectionData::deleteOrphaned(QObjectPrivate::ConnectionOrSignalVector*) + 170 (qobject.cpp:437)
      11 org.qt-project.QtCore 0x000000010803c740 QObjectPrivate::ConnectionData::~ConnectionData() + 9 (qobject_p.h:274) [inlined]
      12 org.qt-project.QtCore 0x000000010803c740 QObjectPrivate::ConnectionData::~ConnectionData() + 9 (qobject_p.h:273) [inlined]
      13 org.qt-project.QtCore 0x000000010803c740 QObject::~QObject() + 1856 (qobject.cpp:1078)
      14 org.qt-project.QtQuick 0x0000000106d29a2e QSGGuiThreadShaderEffectManager::~QSGGuiThreadShaderEffectManager() + 5 (qsgadaptationlayer_p.h:249) [inlined]
      15 org.qt-project.QtQuick 0x0000000106d29a2e QSGRhiGuiThreadShaderEffectManager::~QSGRhiGuiThreadShaderEffectManager() + 5 (qsgrhishadereffectnode_p.h:149) [inlined]
      16 org.qt-project.QtQuick 0x0000000106d29a2e QSGRhiGuiThreadShaderEffectManager::~QSGRhiGuiThreadShaderEffectManager() + 5 (qsgrhishadereffectnode_p.h:149) [inlined]
      17 org.qt-project.QtQuick 0x0000000106d29a2e QSGRhiGuiThreadShaderEffectManager::~QSGRhiGuiThreadShaderEffectManager() + 14 (qsgrhishadereffectnode_p.h:149)
      18 org.qt-project.QtQuick 0x0000000106ec03d6 QQuickShaderEffectImpl::~QQuickShaderEffectImpl() + 86 (qquickshadereffect.cpp:981)
      19 org.qt-project.QtQuick 0x0000000106ec0c0e QQuickShaderEffectImpl::~QQuickShaderEffectImpl() + 5 (qquickshadereffect.cpp:975) [inlined]
      20 org.qt-project.QtQuick 0x0000000106ec0c0e QQuickShaderEffectImpl::~QQuickShaderEffectImpl() + 14 (qquickshadereffect.cpp:975)
      21 org.qt-project.QtQuick 0x0000000106ebeac5 QQuickShaderEffect::~QQuickShaderEffect() + 53 (qquickshadereffect.cpp:682)
      22 org.qt-project.QtQuick 0x0000000106df4bbb QQmlPrivate::QQmlElement<QQuickShaderEffect>::~QQmlElement() + 34 (qqmlprivate.h:133) [inlined]
      23 org.qt-project.QtQuick 0x0000000106df4bbb QQmlPrivate::QQmlElement<QQuickShaderEffect>::~QQmlElement() + 34 (qqmlprivate.h:131) [inlined]
      24 org.qt-project.QtQuick 0x0000000106df4bbb QQmlPrivate::QQmlElement<QQuickShaderEffect>::~QQmlElement() + 43 (qqmlprivate.h:131)
      25 org.qt-project.QtCore 0x000000010803c99e QObjectPrivate::deleteChildren() + 158 (qobject.cpp:2073)
      26 org.qt-project.QtCore 0x000000010803c76e QObject::~QObject() + 1902 (qobject.cpp:1082)
      27 org.qt-project.QtQuick 0x0000000106be673c QQuickItem::~QQuickItem() + 956 (qquickitem.cpp:2400)
      28 org.qt-project.QtQuick 0x0000000106dddebb QQmlPrivate::QQmlElement<QQuickItem>::~QQmlElement() + 34 (qqmlprivate.h:133) [inlined]
      29 org.qt-project.QtQuick 0x0000000106dddebb QQmlPrivate::QQmlElement<QQuickItem>::~QQmlElement() + 34 (qqmlprivate.h:131) [inlined]
      30 org.qt-project.QtQuick 0x0000000106dddebb QQmlPrivate::QQmlElement<QQuickItem>::~QQmlElement() + 43 (qqmlprivate.h:131)
      31 org.qt-project.QtCore 0x000000010803c99e QObjectPrivate::deleteChildren() + 158 (qobject.cpp:2073)
      32 org.qt-project.QtCore 0x000000010803c76e QObject::~QObject() + 1902 (qobject.cpp:1082)
      33 org.qt-project.QtQuick 0x0000000106be673c QQuickItem::~QQuickItem() + 956 (qquickitem.cpp:2400)
      34 org.qt-project.QtQuick 0x0000000106dddebb QQmlPrivate::QQmlElement<QQuickItem>::~QQmlElement() + 34 (qqmlprivate.h:133) [inlined]
      35 org.qt-project.QtQuick 0x0000000106dddebb QQmlPrivate::QQmlElement<QQuickItem>::~QQmlElement() + 34 (qqmlprivate.h:131) [inlined]
      36 org.qt-project.QtQuick 0x0000000106dddebb QQmlPrivate::QQmlElement<QQuickItem>::~QQmlElement() + 43 (qqmlprivate.h:131)
      37 org.qt-project.QtCore 0x000000010803c99e QObjectPrivate::deleteChildren() + 158 (qobject.cpp:2073)
      38 org.qt-project.QtCore 0x000000010803c76e QObject::~QObject() + 1902 (qobject.cpp:1082)
      39 org.qt-project.QtQuick 0x0000000106be673c QQuickItem::~QQuickItem() + 956 (qquickitem.cpp:2400)
      40 org.qt-project.QtQuickTemplates2 0x000000010866f0ab QQmlPrivate::QQmlElement<QQuickPane>::~QQmlElement() + 34 (qqmlprivate.h:133) [inlined]
      41 org.qt-project.QtQuickTemplates2 0x000000010866f0ab QQmlPrivate::QQmlElement<QQuickPane>::~QQmlElement() + 34 (qqmlprivate.h:131) [inlined]
      42 org.qt-project.QtQuickTemplates2 0x000000010866f0ab QQmlPrivate::QQmlElement<QQuickPane>::~QQmlElement() + 43 (qqmlprivate.h:131)
      43 org.qt-project.QtCore 0x000000010803c99e QObjectPrivate::deleteChildren() + 158 (qobject.cpp:2073)
      44 org.qt-project.QtCore 0x000000010803c76e QObject::~QObject() + 1902 (qobject.cpp:1082)
      45 org.qt-project.QtQuick 0x0000000106be673c QQuickItem::~QQuickItem() + 956 (qquickitem.cpp:2400)
      46 org.qt-project.QtQuickLayouts 0x000000018514a786 QQuickLinearLayout::~QQuickLinearLayout() + 8 (qquicklinearlayout_p.h:210) [inlined]
      47 org.qt-project.QtQuickLayouts 0x000000018514a786 QQuickColumnLayout::~QQuickColumnLayout() + 8 (qquicklinearlayout_p.h:259) [inlined]
      48 org.qt-project.QtQuickLayouts 0x000000018514a786 QQmlPrivate::QQmlElement<QQuickColumnLayout>::~QQmlElement() + 45 (qqmlprivate.h:133) [inlined]
      49 org.qt-project.QtQuickLayouts 0x000000018514a786 QQmlPrivate::QQmlElement<QQuickColumnLayout>::~QQmlElement() + 45 (qqmlprivate.h:131) [inlined]
      50 org.qt-project.QtQuickLayouts 0x000000018514a786 QQmlPrivate::QQmlElement<QQuickColumnLayout>::~QQmlElement() + 54 (qqmlprivate.h:131)
      51 org.qt-project.QtCore 0x000000010803c99e QObjectPrivate::deleteChildren() + 158 (qobject.cpp:2073)
      52 org.qt-project.QtCore 0x000000010803c76e QObject::~QObject() + 1902 (qobject.cpp:1082)
      53 org.qt-project.QtQuick 0x0000000106be673c QQuickItem::~QQuickItem() + 956 (qquickitem.cpp:2400)
      54 org.qt-project.QtQuick 0x0000000106dddebb QQmlPrivate::QQmlElement<QQuickItem>::~QQmlElement() + 34 (qqmlprivate.h:133) [inlined]
      55 org.qt-project.QtQuick 0x0000000106dddebb QQmlPrivate::QQmlElement<QQuickItem>::~QQmlElement() + 34 (qqmlprivate.h:131) [inlined]
      56 org.qt-project.QtQuick 0x0000000106dddebb QQmlPrivate::QQmlElement<QQuickItem>::~QQmlElement() + 43 (qqmlprivate.h:131)
      57 org.qt-project.QtCore 0x000000010803d610 qDeleteInEventHandler(QObject*) + 18 (qobject.cpp:4715) [inlined]
      58 org.qt-project.QtCore 0x000000010803d610 QObject::event(QEvent*) + 928 (qobject.cpp:1319)
      59 org.qt-project.QtWidgets 0x0000000106560bd7 QApplicationPrivate::notify_helper(QObject*, QEvent*) + 247 (qapplication.cpp:3395)
      60 org.qt-project.QtWidgets 0x0000000106561d55 QApplication::notify(QObject*, QEvent*) + 501
      61 org.qt-project.QtCore 0x0000000107ff6e79 QCoreApplication::notifyInternal2(QObject*, QEvent*) + 169 (qcoreapplication.cpp:1061)
      62 org.qt-project.QtCore 0x0000000107ff801e QCoreApplication::sendEvent(QObject*, QEvent*) + 17 (qcoreapplication.cpp:1469) [inlined]
      63 org.qt-project.QtCore 0x0000000107ff801e QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) + 814 (qcoreapplication.cpp:1828)
      64 libqcocoa.dylib 0x0000000117216ab5 QCocoaEventDispatcherPrivate::processPostedEvents() + 325 (qcocoaeventdispatcher.mm:902)
      65 libqcocoa.dylib 0x000000011721722b QCocoaEventDispatcherPrivate::postedEventsSourceCallback(void*) + 43 (qcocoaeventdispatcher.mm:925)
      66 com.apple.CoreFoundation 0x00007fff205d7a0c _CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION_ + 17
      67 com.apple.CoreFoundation 0x00007fff205d7974 __CFRunLoopDoSource0 + 180
      68 com.apple.CoreFoundation 0x00007fff205d76ef __CFRunLoopDoSources0 + 248
      69 com.apple.CoreFoundation 0x00007fff205d6121 __CFRunLoopRun + 890
      70 com.apple.CoreFoundation 0x00007fff205d56ce CFRunLoopRunSpecific + 563
      71 com.apple.HIToolbox 0x00007fff2885d630 RunCurrentEventLoopInMode + 292
      72 com.apple.HIToolbox 0x00007fff2885d282 ReceiveNextEventCommon + 283
      73 com.apple.HIToolbox 0x00007fff2885d14f _BlockUntilNextEventMatchingListInModeWithFilter + 64
      74 com.apple.AppKit 0x00007fff22df59b1 _DPSNextEvent + 883
      75 com.apple.AppKit 0x00007fff22df4177 -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 1366
      76 com.apple.AppKit 0x00007fff22de668a -[NSApplication run] + 586
      77 libqcocoa.dylib 0x0000000117215fd1 QCocoaEventDispatcher::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) + 2129 (qcocoaeventdispatcher.mm:430)
      78 org.qt-project.QtCore 0x00000001080008a6 QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) + 30 (qeventloop.cpp:139) [inlined]
      79 org.qt-project.QtCore 0x00000001080008a6 QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) + 470 (qeventloop.cpp:232)
      80 org.qt-project.QtCore 0x0000000107ff74a2 QCoreApplication::exec() + 130 (qcoreapplication.cpp:1376)
      81 0x0000000100683da8 run_app(int, char**) + 8296 (main.prerequisites.hpp:536)
      82 0x0000000100681acc main + 44 (main.cpp:38)
      83 libdyld.dylib 0x00007fff204fa621 start + 1
      ```

      (The equivalent works in 5.15.2. I'm not able to reproduce it standalone since it's a complex project, but we can clearly see that it comes from QObject logic, which I never free manually in my code since it uses ref counting, and the backtrace clearly shows that it comes from Qt code.)

      Some info:

      • I'm using Qt5CompatMod and QGraphicalEffects from this module
      • We use DropShadow and Gradient (we also use InnerShadow, but I had to comment that one out since it's not present anymore)
      • This crash occurred after I logged in to my application, while loading the new view -> instant double free
      • The same code works perfectly in 5.15.2

      Can someone advise me on what kind of things I can do to debug this? It seems really hard to isolate.

      Log from my app:

      ```
      [19:18:13] [debug] [main.prerequisites.hpp:121] [1459846]: Success: Login
      [19:18:13] [debug] [main.prerequisites.hpp:121] [1459846]: current status: initializing_mm2
      [19:18:13] [debug] [main.prerequisites.hpp:121] [1459846]: status changed: 1
      [19:18:13] [error] [main.prerequisites.hpp:141] [1459846]: sigabort received, cleaning mm2
      atomicdex-desktop(41122,0x10b3ede00) malloc: Incorrect checksum for freed object 0x7f9f56009c80: probably modified after being freed.
      Corrupt value: 0xe0000000ffffffff
      atomicdex-desktop(41122,0x10b3ede00) malloc: *** set a breakpoint in malloc_error_break to debug
      ```

      Last function that logs before the crash, from QML:

      ```qml
      // Loading page: the `content` Component below is instantiated by the
      // inner Loader of SetupPage and destroyed again when the page changes.
      import QtQuick.Layouts 1.15
      import QtQuick.Controls 2.15

      import "../Components"
      import "../Constants"
      import "../Wallet"
      import "../Exchange"
      import "../Sidebar"

      SetupPage {
          // Override
          property var onLoaded: () => {}

          // Mirrors the wallet manager's loading state; "complete" hands over to onLoaded
          readonly property string current_status: API.app.wallet_mgr.initial_loading_status

          onCurrent_statusChanged: {
              console.log("current status: " + current_status)
              if(current_status === "complete") {
                  console.log("current status: " + current_status)
                  onLoaded()
              }
          }

          image_path: "file:///"+ atomic_logo_path +  "/"+ theme.bigSidebarLogo
          image_margin: 30
          content: ColumnLayout {
              DefaultText {
                  text_value: qsTr("Loading, please wait")
                  Layout.bottomMargin: 10
              }

              RowLayout {
                  DefaultBusyIndicator {
                      Layout.alignment: Qt.AlignHCenter
                      Layout.leftMargin: -15
                      Layout.rightMargin: Layout.leftMargin*0.75
                      scale: 0.5
                  }

                  DefaultText {
                      text_value: (current_status === "initializing_mm2" ? qsTr("Initializing MM2") :
                                   current_status === "enabling_coins" ? qsTr("Enabling assets") : qsTr("Getting ready")) + "..."
                  }
              }
          }
      }
      ```
      
      ```qml
      // The component consumed above as SetupPage: it exposes the image_path,
      // image_margin and content aliases, with `content` backed by a Loader.
      import QtQuick 2.15
      import QtQuick.Layouts 1.15
      import QtQuick.Controls 2.15
      import "../Constants"

      Item {
          property alias image: image
          property alias image_path: image.source
          property alias image_scale: image.scale
          property alias content: inner_space.sourceComponent
          property alias bottom_content: bottom_content.sourceComponent
          property double image_margin: 5

          ColumnLayout {
              id: window_layout

              anchors.horizontalCenter: parent.horizontalCenter
              anchors.verticalCenter: parent.verticalCenter
              transformOrigin: Item.Center
              spacing: image_margin

              DefaultImage {
                  id: image
                  Layout.maximumWidth: 300
                  Layout.maximumHeight: Layout.maximumWidth * paintedHeight/paintedWidth

                  Layout.alignment: Qt.AlignHCenter | Qt.AlignVCenter
                  antialiasing: true
              }

              Pane {
                  id: pane

                  leftPadding: 30
                  rightPadding: leftPadding
                  topPadding: leftPadding * 0.5
                  bottomPadding: topPadding

                  Layout.alignment: Qt.AlignHCenter | Qt.AlignVCenter

                  background: FloatingBackground {
                      color: theme.backgroundColor
                  }

                  // Hosts the page content; status 1 in the log above is Loader.Ready
                  Loader {
                      id: inner_space
                      onStatusChanged: console.log("status changed: " + status)
                  }
              }

              Loader {
                  id: bottom_content
                  Layout.alignment: Qt.AlignHCenter
                  onStatusChanged: console.log("status changed: " + status)
              }
          }
      }
      ```
      

      As you can see, I use a Loader for this specific purpose.

      I want to clarify that the project is quite large in itself, so it would be great to have some help from Qt to migrate the most complex projects, or at least an explanation of how this part of Qt works, to try to understand the new behavior.

      (Using the Qt Online Installer with the 6.2 preview)

      Project link: https://github.com/KomodoPlatform/atomicDEX-Desktop
      QML folder: https://github.com/KomodoPlatform/atomicDEX-Desktop/tree/qt6_migration/atomic_defi_design/qml

      After debugging on Linux, I also get a crash each time I copy a data structure that contains:

      ```cpp
      // Headers the struct depends on (not shown in the original report)
      #include <optional>
      #include <QJsonArray>
      #include <QString>
      #include <QStringList>
      #include <nlohmann/json.hpp>

      struct order_swaps_data
      {
          //! eg: true / false
          bool is_maker;

          //! eg: RICK
          QString base_coin;

          //! eg: MORTY
          QString rel_coin;

          //! eg: RICK/MORTY
          QString ticker_pair;

          //! eg: 1
          QString base_amount;

          //! eg: 1 in fiat currency.
          QString base_amount_fiat;

          //! eg: 1
          QString rel_amount;

          //! eg: 1 in fiat currency.
          QString rel_amount_fiat;

          //! eg: taker/maker order;
          QString order_type;

          //! eg: 2020-07-2020 17:23:36.625
          QString human_date;

          //! eg: 1595406178
          unsigned long long unix_timestamp;

          //! eg: b741646a-5738-4012-b5b0-dcd1375affd1
          QString order_id;

          //! eg: Successful / On Going / Matched / Matching
          QString order_status;

          QString maker_payment_id;

          QString taker_payment_id;

          //! eg: true / false
          bool is_swap;

          //! eg: true / false
          bool is_cancellable;

          //! eg: true / false
          bool is_recoverable;

          //! Order error state
          QString order_error_state;

          //! Order error message
          QString order_error_message;

          //! Events
          QJsonArray events;

          //! error events
          QStringList error_events;

          //! success events
          QStringList success_events;

          bool is_swap_active{false};

          //! Only available for maker order
          std::optional<QString>        min_volume{std::nullopt};
          std::optional<nlohmann::json> conf_settings{std::nullopt};
      };
      ```
      

      This data model is shared between threads using a `boost::synchronized_value<order_swaps_data>`, and I copy it when I need it in the main thread. The crash seems to happen when copying the Qt data types; it works well in 5.15.2 and there is no sanitizer error.

      After my debugging session regarding the copy of QVariant, I think something has changed in terms of thread safety / ref counting; it would help if someone could clarify.

      Is copying a QVariant between threads thread-safe (deep copy)?
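Added example, not code from the bug report or from the atomicDEX-Desktop project: a minimal model of Qt-style implicit sharing (an atomically reference-counted payload that is copied shallowly and detached on the first write) together with a stand-in for `boost::synchronized_value`, to show what "copying a Qt value type between threads" actually does. It assumes the behaviour Qt documents for its implicitly shared classes, namely that they are reentrant but not thread-safe: a copy may be taken from any thread as long as no other thread mutates that same instance at the same moment. `CowString`, `OrderData` and `Synchronized` are hypothetical names for this illustration only.

```cpp
// Added example (not from the report or from atomicDEX-Desktop): a model of
// Qt-style implicit sharing plus a boost::synchronized_value stand-in.
// CowString, OrderData and Synchronized are hypothetical names for this demo.
#include <atomic>
#include <iostream>
#include <mutex>
#include <string>
#include <thread>

class CowString {
    struct Data {
        std::atomic<int> ref{1};  // atomic refcount, as in Qt's shared data
        std::string chars;
    };
    Data *d;

    static void release(Data *p) {
        if (p->ref.fetch_sub(1) == 1) delete p;  // last owner frees the payload
    }
    // Called before any mutating access: if the payload is shared, take a
    // private copy first so the other holders never observe our write.
    void detach() {
        if (d->ref.load() > 1) {
            Data *nd = new Data;
            nd->chars = d->chars;
            release(d);
            d = nd;
        }
    }

public:
    CowString(const char *s = "") : d(new Data) { d->chars = s; }
    CowString(const CowString &o) : d(o.d) { d->ref.fetch_add(1); }  // shallow copy
    CowString &operator=(const CowString &o) {
        if (d != o.d) { o.d->ref.fetch_add(1); release(d); d = o.d; }
        return *this;
    }
    ~CowString() { release(d); }

    int refCount() const { return d->ref.load(); }
    bool sharesDataWith(const CowString &o) const { return d == o.d; }
    const std::string &str() const { return d->chars; }
    void append(const char *s) { detach(); d->chars += s; }
};

struct OrderData {                 // stands in for the reporter's order_swaps_data
    CowString base_coin{"RICK0"};
    CowString rel_coin{"MORTY0"};
};

template <class T>
class Synchronized {               // stand-in for boost::synchronized_value<T>
    mutable std::mutex m;
    T value;
public:
    T copy() const {               // snapshot under the lock: nobody can mutate the
        std::lock_guard<std::mutex> g(m);   // shared instance while we bump its refcounts
        return value;
    }
    template <class F> void update(F f) {
        std::lock_guard<std::mutex> g(m);
        f(value);
    }
};

// A copy is one atomic increment and shares the payload; the first write
// detaches the copy and leaves the original untouched.
bool copy_is_shallow_until_write() {
    CowString a("RICK");
    CowString b = a;
    bool shared = b.sharesDataWith(a) && a.refCount() == 2;
    b.append("/MORTY");
    return shared && !b.sharesDataWith(a) && a.refCount() == 1 && b.refCount() == 1
           && a.str() == "RICK" && b.str() == "RICK/MORTY";
}

// Writer mutates the shared struct under the lock; reader snapshots it under the
// lock, then uses and even mutates its copy lock-free. Each snapshot must be
// internally consistent: both fields carry the same round number.
bool run_shared_copy_demo() {
    Synchronized<OrderData> shared;
    const int rounds = 2000;
    std::atomic<bool> consistent{true};

    std::thread writer([&] {
        for (int i = 0; i < rounds; ++i)
            shared.update([i](OrderData &o) {
                std::string n = std::to_string(i);
                o.base_coin = CowString(("RICK" + n).c_str());
                o.rel_coin = CowString(("MORTY" + n).c_str());
            });
    });
    std::thread reader([&] {
        for (int i = 0; i < rounds; ++i) {
            OrderData snap = shared.copy();
            const std::string b = snap.base_coin.str(), r = snap.rel_coin.str();
            if (b.size() < 4 || r.size() < 5 || b.substr(4) != r.substr(5))
                consistent = false;
            snap.base_coin.append("?");  // detaches; the shared instance is never touched
        }
    });
    writer.join();
    reader.join();
    return consistent.load();
}

int main() {
    std::cout << "shallow copy then detach: " << copy_is_shallow_until_write()
              << "\nlocked snapshots consistent: " << run_shared_copy_demo() << "\n";
}
```

What the demo shows: the copy is not a deep copy but an atomically ref-counted share that detaches on the first write, and it is safe from any thread as long as the instance being copied is not mutated concurrently, which is exactly what taking the copy inside the `synchronized_value` lock guarantees; a copy taken outside that lock, or a `QVariant` wrapping an instance another thread is still modifying, is a data race. One caveat when reading the two backtraces above: glibc's abort in `malloc_consolidate` and macOS's "Incorrect checksum for freed object" both fire where the allocator noticed the corruption, not where the offending free happened, so an AddressSanitizer or valgrind run of the Linux build is the quickest way to get the stack of the first invalid free.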

      Attachments

        1. stack-trace.txt (2 kB)
        2. qtbug-94717-free-netreply.zip (3 kB)
        3. debug-log.txt (5 kB)

      People

        Assignee: Timur Pocheptsov (tpochep)
        Reporter: milerius