https://bugs.kde.org/show_bug.cgi?id=412135
Bug ID: 412135
Summary: Asan crash while painting.
Product: krita
Version: git master
Platform: Other
OS: Linux
Status: REPORTED
Severity: crash
Priority: NOR
Component: Tile manager
Assignee: krita-bugs-n...@kde.org
Reporter: griffinval...@gmail.com
Target Milestone: ---
I got this when painting, I had just merged master to my branch. Have not tried
to reproduce.
=================================================================
==19028==ERROR: AddressSanitizer: heap-use-after-free on address 0x610000145650
at pc 0x7f55fac41129 bp 0x7f558fe649c0 sp 0x7f558fe649b0
READ of size 8 at 0x610000145650 thread T807 (Thread (pooled))
#0 0x7f55fac41128 in std::__atomic_base<unsigned long
long>::load(std::memory_order) const /usr/include/c++/7/bits/atomic_base.h:396
#1 0x7f55fac41128 in Atomic<unsigned long long>::load(MemoryOrder) const
/home/wolthera/krita/src/libs/image/3rdparty/lock_free_map/atomic.h:91
#2 0x7f55fac3fe56 in SimpleJobCoordinator::loadConsume() const
/home/wolthera/krita/src/libs/image/3rdparty/lock_free_map/simple_job_coordinator.h:46
#3 0x7f55fac6471d in ConcurrentMap<unsigned int, KisTile*,
DefaultKeyTraits<unsigned int>, DefaultValueTraits<KisTile*>
>::migrationInProcess()
/home/wolthera/krita/src/libs/image/3rdparty/lock_free_map/concurrent_map.h:51
#4 0x7f55fac5a03f in KisTileHashTableTraits2<KisTile>::getTileLazy(int,
int, bool&)
(/home/wolthera/krita/inst/lib/x86_64-linux-gnu/libkritaimage.so.19+0x46403f)
#5 0x7f55fac58008 in KisTiledDataManager::getTile(int, int, bool)
/home/wolthera/krita/src/libs/image/tiles3/swap/../kis_tiled_data_manager.h:120
#6 0x7f55fac8e1e0 in KisTiledDataManager::getTilesPair(int, int, bool,
KisSharedPtr<KisTile>*, KisSharedPtr<KisTile>*)
/home/wolthera/krita/src/libs/image/tiles3/kis_tiled_data_manager.h:107
#7 0x7f55fac99deb in KisRandomAccessor2::fetchTileData(int, int)
/home/wolthera/krita/src/libs/image/tiles3/kis_random_accessor.cc:122
#8 0x7f55fac99a0d in KisRandomAccessor2::moveTo(int, int)
/home/wolthera/krita/src/libs/image/tiles3/kis_random_accessor.cc:89
#9 0x7f55fac98d74 in
KisRandomAccessor2::KisRandomAccessor2(KisTiledDataManager*, int, int, int,
int, bool, KisIteratorCompleteListener*)
/home/wolthera/krita/src/libs/image/tiles3/kis_random_accessor.cc:38
#10 0x7f55fb482bde in
KisPaintDevice::Private::KisPaintDeviceStrategy::createRandomAccessorNG(int,
int) /home/wolthera/krita/src/libs/image/kis_paint_device_strategies.h:111
#11 0x7f55fb46a840 in KisPaintDevice::createRandomAccessorNG(int, int)
/home/wolthera/krita/src/libs/image/kis_paint_device.cc:1786
#12 0x7f55fad185bc in KisPainter::bltFixed(QRect const&,
QList<KisRenderedDab>)
/home/wolthera/krita/src/libs/image/kis_painter_blt_multi_fixed.cpp:180
#13 0x7f55bb2e2d87 in operator()
/home/wolthera/krita/src/plugins/paintops/defaultpaintops/brush/kis_brushop.cpp:318
#14 0x7f55bb2e81ae in _M_invoke /usr/include/c++/7/bits/std_function.h:316
#15 0x7f55ff391915 in std::function<void ()>::operator()() const
/usr/include/c++/7/bits/std_function.h:706
#16 0x7f55fb03cca2 in KisRunnableStrokeJobData::run()
/home/wolthera/krita/src/libs/image/KisRunnableStrokeJobData.cpp:46
#17 0x7f55fb03ae95 in
KisRunnableBasedStrokeStrategy::doStrokeCallback(KisStrokeJobData*)
/home/wolthera/krita/src/libs/image/KisRunnableBasedStrokeStrategy.cpp:73
#18 0x7f55ff39848c in
FreehandStrokeStrategy::doStrokeCallback(KisStrokeJobData*)
/home/wolthera/krita/src/libs/ui/tool/strokes/freehand_stroke.cpp:220
#19 0x7f55fb033b0d in SimpleStrokeJobStrategy::run(KisStrokeJobData*)
/home/wolthera/krita/src/libs/image/kis_simple_stroke_strategy.cpp:51
#20 0x7f55fb045aa6 in KisStrokeJob::run()
/home/wolthera/krita/src/libs/image/kis_stroke_job.h:44
#21 0x7f55fb6bf27e in KisUpdateJobItem::run()
/home/wolthera/krita/build/libs/image/kritaimage_autogen/EWIEGA46WW/../../../../../src/libs/image/kis_update_job_item.h:91
#22 0x7f55f85063e1 (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0xac3e1)
#23 0x7f55f8501c71 (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0xa7c71)
#24 0x7f55f74a46da in start_thread
(/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
#25 0x7f55f7be988e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x12188e)
0x610000145650 is located 16 bytes inside of 184-byte region
[0x610000145640,0x6100001456f8)
freed by thread T801 (Thread (pooled)) here:
#0 0x7f560429b7b8 in __interceptor_free
(/usr/lib/x86_64-linux-gnu/libasan.so.4+0xde7b8)
#1 0x7f55fac6ac73 in Leapfrog<ConcurrentMap<unsigned int, KisTile*,
DefaultKeyTraits<unsigned int>, DefaultValueTraits<KisTile*> >
>::Table::destroy()
/home/wolthera/krita/src/libs/image/3rdparty/lock_free_map/leapfrog.h:86
#2 0x7f55fac702ca in Leapfrog<ConcurrentMap<unsigned int, KisTile*,
DefaultKeyTraits<unsigned int>, DefaultValueTraits<KisTile*> >
>::TableMigration::destroy()
/home/wolthera/krita/src/libs/image/3rdparty/lock_free_map/leapfrog.h:142
#3 0x7f55fac70427 in void QSBR::enqueue<Leapfrog<ConcurrentMap<unsigned
int, KisTile*, DefaultKeyTraits<unsigned int>, DefaultValueTraits<KisTile*> >
>::TableMigration>(void (Leapfrog<ConcurrentMap<unsigned int, KisTile*,
DefaultKeyTraits<unsigned int>, DefaultValueTraits<KisTile*> >
>::TableMigration::*)(), Leapfrog<ConcurrentMap<unsigned int, KisTile*,
DefaultKeyTraits<unsigned int>, DefaultValueTraits<KisTile*> >
>::TableMigration*, bool)::Closure::thunk(void*)
/home/wolthera/krita/src/libs/image/3rdparty/lock_free_map/qsbr.h:83
#4 0x7f55fac403f6 in QSBR::Action::operator()()
/home/wolthera/krita/src/libs/image/3rdparty/lock_free_map/qsbr.h:38
#5 0x7f55fac405e9 in
QSBR::releasePoolSafely(KisLocklessStack<QSBR::Action>*, bool)
/home/wolthera/krita/src/libs/image/3rdparty/lock_free_map/qsbr.h:62
#6 0x7f55fac57d17 in QSBR::update(bool)
/home/wolthera/krita/src/libs/image/3rdparty/lock_free_map/qsbr.h:101
#7 0x7f55fac5a04c in KisTileHashTableTraits2<KisTile>::getTileLazy(int,
int, bool&)
(/home/wolthera/krita/inst/lib/x86_64-linux-gnu/libkritaimage.so.19+0x46404c)
#8 0x7f55fac58008 in KisTiledDataManager::getTile(int, int, bool)
/home/wolthera/krita/src/libs/image/tiles3/swap/../kis_tiled_data_manager.h:120
#9 0x7f55fac8e1e0 in KisTiledDataManager::getTilesPair(int, int, bool,
KisSharedPtr<KisTile>*, KisSharedPtr<KisTile>*)
/home/wolthera/krita/src/libs/image/tiles3/kis_tiled_data_manager.h:107
#10 0x7f55fac99deb in KisRandomAccessor2::fetchTileData(int, int)
/home/wolthera/krita/src/libs/image/tiles3/kis_random_accessor.cc:122
#11 0x7f55fac99a0d in KisRandomAccessor2::moveTo(int, int)
/home/wolthera/krita/src/libs/image/tiles3/kis_random_accessor.cc:89
#12 0x7f55fac98d74 in
KisRandomAccessor2::KisRandomAccessor2(KisTiledDataManager*, int, int, int,
int, bool, KisIteratorCompleteListener*)
/home/wolthera/krita/src/libs/image/tiles3/kis_random_accessor.cc:38
#13 0x7f55fb482bde in
KisPaintDevice::Private::KisPaintDeviceStrategy::createRandomAccessorNG(int,
int) /home/wolthera/krita/src/libs/image/kis_paint_device_strategies.h:111
#14 0x7f55fb46a840 in KisPaintDevice::createRandomAccessorNG(int, int)
/home/wolthera/krita/src/libs/image/kis_paint_device.cc:1786
#15 0x7f55fad185bc in KisPainter::bltFixed(QRect const&,
QList<KisRenderedDab>)
/home/wolthera/krita/src/libs/image/kis_painter_blt_multi_fixed.cpp:180
#16 0x7f55bb2e2d87 in operator()
/home/wolthera/krita/src/plugins/paintops/defaultpaintops/brush/kis_brushop.cpp:318
#17 0x7f55bb2e81ae in _M_invoke /usr/include/c++/7/bits/std_function.h:316
#18 0x7f55ff391915 in std::function<void ()>::operator()() const
/usr/include/c++/7/bits/std_function.h:706
#19 0x7f55fb03cca2 in KisRunnableStrokeJobData::run()
/home/wolthera/krita/src/libs/image/KisRunnableStrokeJobData.cpp:46
#20 0x7f55fb03ae95 in
KisRunnableBasedStrokeStrategy::doStrokeCallback(KisStrokeJobData*)
/home/wolthera/krita/src/libs/image/KisRunnableBasedStrokeStrategy.cpp:73
#21 0x7f55ff39848c in
FreehandStrokeStrategy::doStrokeCallback(KisStrokeJobData*)
/home/wolthera/krita/src/libs/ui/tool/strokes/freehand_stroke.cpp:220
#22 0x7f55fb033b0d in SimpleStrokeJobStrategy::run(KisStrokeJobData*)
/home/wolthera/krita/src/libs/image/kis_simple_stroke_strategy.cpp:51
#23 0x7f55fb045aa6 in KisStrokeJob::run()
/home/wolthera/krita/src/libs/image/kis_stroke_job.h:44
#24 0x7f55fb6bf27e in KisUpdateJobItem::run()
/home/wolthera/krita/build/libs/image/kritaimage_autogen/EWIEGA46WW/../../../../../src/libs/image/kis_update_job_item.h:91
#25 0x7f55f85063e1 (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0xac3e1)
previously allocated by thread T802 (Thread (pooled)) here:
#0 0x7f560429bb50 in __interceptor_malloc
(/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
#1 0x7f55fac6aaba in Leapfrog<ConcurrentMap<unsigned int, KisTile*,
DefaultKeyTraits<unsigned int>, DefaultValueTraits<KisTile*> >
>::Table::create(unsigned long long)
/home/wolthera/krita/src/libs/image/3rdparty/lock_free_map/leapfrog.h:67
#2 0x7f55fac668c8 in ConcurrentMap<unsigned int, KisTile*,
DefaultKeyTraits<unsigned int>, DefaultValueTraits<KisTile*>
>::ConcurrentMap(unsigned long long)
/home/wolthera/krita/src/libs/image/3rdparty/lock_free_map/concurrent_map.h:33
#3 0x7f55fac5b4a1 in
KisTileHashTableTraits2<KisTile>::KisTileHashTableTraits2(KisMementoManager*)
(/home/wolthera/krita/inst/lib/x86_64-linux-gnu/libkritaimage.so.19+0x4654a1)
#4 0x7f55fac4e906 in KisTiledDataManager::KisTiledDataManager(unsigned int,
unsigned char const*)
/home/wolthera/krita/src/libs/image/tiles3/kis_tiled_data_manager.cc:50
#5 0x7f55fb472725 in KisDataManager::KisDataManager(unsigned int, unsigned
char const*) /home/wolthera/krita/src/libs/image/kis_datamanager.h:57
#6 0x7f55fb45f818 in KisPaintDevice::Private::init(KoColorSpace const*,
unsigned char const*)
/home/wolthera/krita/src/libs/image/kis_paint_device.cc:983
#7 0x7f55fb4607f8 in KisPaintDevice::init(KoColorSpace const*,
KisSharedPtr<KisDefaultBoundsBase>, KisWeakSharedPtr<KisNode>, QString const&)
/home/wolthera/krita/src/libs/image/kis_paint_device.cc:1020
#8 0x7f55fb45fd07 in KisPaintDevice::KisPaintDevice(KoColorSpace const*,
QString const&) /home/wolthera/krita/src/libs/image/kis_paint_device.cc:992
#9 0x7f55fb46ee71 in KisPaintDevice::createCompositionSourceDevice() const
/home/wolthera/krita/src/libs/image/kis_paint_device.cc:1987
#10 0x7f55ff3aa2ed in KisPainterBasedStrokeStrategy::initStrokeCallback()
/home/wolthera/krita/src/libs/ui/tool/strokes/kis_painter_based_stroke_strategy.cpp:243
#11 0x7f55ff39756f in FreehandStrokeStrategy::initStrokeCallback()
/home/wolthera/krita/src/libs/ui/tool/strokes/freehand_stroke.cpp:135
#12 0x7f55fb03395f in SimpleStrokeJobStrategy::run(KisStrokeJobData*)
/home/wolthera/krita/src/libs/image/kis_simple_stroke_strategy.cpp:40
#13 0x7f55fb045aa6 in KisStrokeJob::run()
/home/wolthera/krita/src/libs/image/kis_stroke_job.h:44
#14 0x7f55fb6bf27e in KisUpdateJobItem::run()
/home/wolthera/krita/build/libs/image/kritaimage_autogen/EWIEGA46WW/../../../../../src/libs/image/kis_update_job_item.h:91
#15 0x7f55f85063e1 (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0xac3e1)
Thread T807 (Thread (pooled)) created by T805 (Thread (pooled)) here:
#0 0x7f56041f4d2f in __interceptor_pthread_create
(/usr/lib/x86_64-linux-gnu/libasan.so.4+0x37d2f)
#1 0x7f55f85012ed in QThread::start(QThread::Priority)
(/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0xa72ed)
Thread T805 (Thread (pooled)) created by T803 (Thread (pooled)) here:
#0 0x7f56041f4d2f in __interceptor_pthread_create
(/usr/lib/x86_64-linux-gnu/libasan.so.4+0x37d2f)
#1 0x7f55f85012ed in QThread::start(QThread::Priority)
(/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0xa72ed)
Thread T803 (Thread (pooled)) created by T802 (Thread (pooled)) here:
#0 0x7f56041f4d2f in __interceptor_pthread_create
(/usr/lib/x86_64-linux-gnu/libasan.so.4+0x37d2f)
#1 0x7f55f85012ed in QThread::start(QThread::Priority)
(/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0xa72ed)
Thread T802 (Thread (pooled)) created by T0 here:
#0 0x7f56041f4d2f in __interceptor_pthread_create
(/usr/lib/x86_64-linux-gnu/libasan.so.4+0x37d2f)
#1 0x7f55f85012ed in QThread::start(QThread::Priority)
(/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0xa72ed)
Thread T801 (Thread (pooled)) created by T0 here:
#0 0x7f56041f4d2f in __interceptor_pthread_create
(/usr/lib/x86_64-linux-gnu/libasan.so.4+0x37d2f)
#1 0x7f55f85012ed in QThread::start(QThread::Priority)
(/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0xa72ed)
SUMMARY: AddressSanitizer: heap-use-after-free
/usr/include/c++/7/bits/atomic_base.h:396 in std::__atomic_base<unsigned long
long>::load(std::memory_order) const
Shadow bytes around the buggy address:
0x0c2080020a70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2080020a80: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c2080020a90: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
0x0c2080020aa0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c2080020ab0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
=>0x0c2080020ac0: fa fa fa fa fa fa fa fa fd fd[fd]fd fd fd fd fd
0x0c2080020ad0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
0x0c2080020ae0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c2080020af0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
0x0c2080020b00: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c2080020b10: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==19028==ABORTING
wolthera@Euthenia:~/krita/build$
--
You are receiving this mail because:
You are watching all bug changes.
