https://bugs.kde.org/show_bug.cgi?id=471970

            Bug ID: 471970
           Summary: Closing the document while animation cache is being
                    populated causes a crash under ASAN
    Classification: Applications
           Product: krita
           Version: git master (please specify the git hash!)
          Platform: Other
                OS: Other
            Status: REPORTED
          Severity: crash
          Priority: NOR
         Component: OpenGL Canvas
          Assignee: krita-bugs-n...@kde.org
          Reporter: dimul...@gmail.com
  Target Milestone: ---

STEPS TO REPRODUCE
1. Open a large document that contains animation
2. Confirm that the animation frame cache is still being populated
3. Press Ctrl+W to close the document while the cache population is still in progress

=================================================================
==77748==ERROR: AddressSanitizer: heap-use-after-free on address 0x6020000f4a30
at pc 0x7fc5eac6bfdc bp 0x7ffcd81d4750 sp 0x7ffcd81d4740
READ of size 8 at 0x6020000f4a30 thread T0
    #0 0x7fc5eac6bfdb in KisTextureTile::~KisTextureTile()
/home/appimage/persistent/krita/libs/ui/opengl/kis_texture_tile.cpp:108
    #1 0x7fc5eac52587 in KisOpenGLImageTextures::destroyImageTextureTiles()
/home/appimage/persistent/krita/libs/ui/opengl/kis_opengl_image_textures.cpp:301
    #2 0x7fc5eac5bb1e in KisOpenGLImageTextures::~KisOpenGLImageTextures()
/home/appimage/persistent/krita/libs/ui/opengl/kis_opengl_image_textures.cpp:134
    #3 0x7fc5eac5d2f5 in KisOpenGLImageTextures::~KisOpenGLImageTextures()
/home/appimage/persistent/krita/libs/ui/opengl/kis_opengl_image_textures.cpp:138
    #4 0x7fc5eba00470 in
KisSharedPtr<KisOpenGLImageTextures>::deref(KisSharedPtr<KisOpenGLImageTextures>
const*, KisOpenGLImageTextures*)
/home/appimage/persistent/krita/libs/global/kis_shared_ptr.h:202
    #5 0x7fc5eba00470 in
KisSharedPtr<KisOpenGLImageTextures>::deref(KisSharedPtr<KisOpenGLImageTextures>
const*, KisOpenGLImageTextures*)
/home/appimage/persistent/krita/libs/global/kis_shared_ptr.h:194
    #6 0x7fc5eba00470 in KisSharedPtr<KisOpenGLImageTextures>::deref() const
/home/appimage/persistent/krita/libs/global/kis_shared_ptr.h:216
    #7 0x7fc5eba00470 in KisSharedPtr<KisOpenGLImageTextures>::~KisSharedPtr()
/home/appimage/persistent/krita/libs/global/kis_shared_ptr.h:100
    #8 0x7fc5eba00470 in KisAnimationFrameCache::Private::~Private()
/home/appimage/persistent/krita/libs/ui/kis_animation_frame_cache.cpp:42
    #9 0x7fc5eba00470 in
QScopedPointerDeleter<KisAnimationFrameCache::Private>::cleanup(KisAnimationFrameCache::Private*)
/home/appimage/appimage-workspace/deps/usr/include/QtCore/qscopedpointer.h:60
    #10 0x7fc5eba00470 in QScopedPointer<KisAnimationFrameCache::Private,
QScopedPointerDeleter<KisAnimationFrameCache::Private> >::~QScopedPointer()
/home/appimage/appimage-workspace/deps/usr/include/QtCore/qscopedpointer.h:107
    #11 0x7fc5eba00470 in KisAnimationFrameCache::~KisAnimationFrameCache()
/home/appimage/persistent/krita/libs/ui/kis_animation_frame_cache.cpp:224
    #12 0x7fc5eba00dd5 in KisAnimationFrameCache::~KisAnimationFrameCache()
/home/appimage/persistent/krita/libs/ui/kis_animation_frame_cache.cpp:224
    #13 0x7fc5eba31db2 in
KisSharedPtr<KisAnimationFrameCache>::deref(KisSharedPtr<KisAnimationFrameCache>
const*, KisAnimationFrameCache*)
/home/appimage/persistent/krita/libs/global/kis_shared_ptr.h:202
    #14 0x7fc5eba31db2 in
KisSharedPtr<KisAnimationFrameCache>::deref(KisSharedPtr<KisAnimationFrameCache>
const*, KisAnimationFrameCache*)
/home/appimage/persistent/krita/libs/global/kis_shared_ptr.h:194
    #15 0x7fc5eba31db2 in
KisSharedPtr<KisAnimationFrameCache>::attach(KisAnimationFrameCache*)
/home/appimage/persistent/krita/libs/global/kis_shared_ptr.h:509
    #16 0x7fc5eba31db2 in KisSharedPtr<KisAnimationFrameCache>::clear()
/home/appimage/persistent/krita/libs/global/kis_shared_ptr.h:516
    #17 0x7fc5eba31db2 in
KisAsyncAnimationCacheRenderer::clearFrameRegenerationState(bool)
/home/appimage/persistent/krita/libs/ui/KisAsyncAnimationCacheRenderer.cpp:66
    #18 0x7fc5eba27343 in
KisAsyncAnimationRendererBase::notifyFrameCancelled(int,
KisAsyncAnimationRendererBase::CancelReason)
/home/appimage/persistent/krita/libs/ui/KisAsyncAnimationRendererBase.cpp:150
    #19 0x7fc5eba2de7c in
KisAsyncAnimationCacheRenderer::frameCancelledCallback(int,
KisAsyncAnimationRendererBase::CancelReason)
/home/appimage/persistent/krita/libs/ui/KisAsyncAnimationCacheRenderer.cpp:60
    #20 0x7fc5eba26e9e in
KisAsyncAnimationRendererBase::slotFrameRegenerationCancelled()
/home/appimage/persistent/krita/libs/ui/KisAsyncAnimationRendererBase.cpp:100
    #21 0x7fc5ea13a157 in
KisAsyncAnimationRendererBase::qt_static_metacall(QObject*, QMetaObject::Call,
int, void**)
/home/appimage/appimage-workspace/krita-build/libs/ui/kritaui_autogen/EWIEGA46WW/moc_KisAsyncAnimationRendererBase.cpp:124
    #22 0x7fc5ea13a157 in
KisAsyncAnimationRendererBase::qt_static_metacall(QObject*, QMetaObject::Call,
int, void**)
/home/appimage/appimage-workspace/krita-build/libs/ui/kritaui_autogen/EWIEGA46WW/moc_KisAsyncAnimationRendererBase.cpp:115
    #23 0x7fc5e24285dd in QObject::event(QEvent*)
/home/appimage/appimage-workspace/deps-build/ext_qt/ext_qt-prefix/src/ext_qt/qtbase/src/corelib/kernel/qobject.cpp:1347
    #24 0x7fc5e2f5d7e2 in QApplicationPrivate::notify_helper(QObject*, QEvent*)
/home/appimage/appimage-workspace/deps-build/ext_qt/ext_qt-prefix/src/ext_qt/qtbase/src/widgets/kernel/qapplication.cpp:3637
    #25 0x7fc5eb6993d9 in KisApplication::notify(QObject*, QEvent*)
/home/appimage/persistent/krita/libs/ui/KisApplication.cpp:768
    #26 0x7fc5e23fab59 in QCoreApplication::notifyInternal2(QObject*, QEvent*)
/home/appimage/appimage-workspace/deps-build/ext_qt/ext_qt-prefix/src/ext_qt/qtbase/src/corelib/kernel/qcoreapplication.cpp:1064
    #27 0x7fc5e23fdc46 in QCoreApplicationPrivate::sendPostedEvents(QObject*,
int, QThreadData*)
/home/appimage/appimage-workspace/deps-build/ext_qt/ext_qt-prefix/src/ext_qt/qtbase/src/corelib/kernel/qcoreapplication.cpp:1821
    #28 0x7fc5e2455056 in postEventSourceDispatch
/home/appimage/appimage-workspace/deps-build/ext_qt/ext_qt-prefix/src/ext_qt/qtbase/src/corelib/kernel/qeventdispatcher_glib.cpp:277
    #29 0x7fc5e08f117c in g_main_context_dispatch
(/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x5217c)
    #30 0x7fc5e08f13ff  (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x523ff)
    #31 0x7fc5e08f14a2 in g_main_context_iteration
(/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x524a2)
    #32 0x7fc5e24546a7 in
QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>)
/home/appimage/appimage-workspace/deps-build/ext_qt/ext_qt-prefix/src/ext_qt/qtbase/src/corelib/kernel/qeventdispatcher_glib.cpp:423
    #33 0x7fc5e23f946a in
QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>)
/home/appimage/appimage-workspace/deps-build/ext_qt/ext_qt-prefix/src/ext_qt/qtbase/src/corelib/kernel/qeventloop.cpp:232
    #34 0x7fc5e2401a13 in QCoreApplication::exec()
/home/appimage/appimage-workspace/deps-build/ext_qt/ext_qt-prefix/src/ext_qt/qtbase/src/corelib/kernel/qcoreapplication.cpp:1375
    #35 0x55da41a3ed84 in main
/home/appimage/persistent/krita/krita/main.cc:731
    #36 0x7fc5e1bda082 in __libc_start_main ../csu/libc-start.c:308
    #37 0x55da41a427bd in _start
(/home/appimage/appimage-workspace/krita.appdir/usr/bin/krita+0x1d7bd)

0x6020000f4a30 is located 0 bytes inside of 8-byte region
[0x6020000f4a30,0x6020000f4a38)
freed by thread T0 here:
    #0 0x7fc5ec51760f in operator delete(void*, unsigned long)
../../../../src/libsanitizer/asan/asan_new_delete.cpp:172
    #1 0x7fc5e287978f in QOpenGLContext::destroy()
/home/appimage/appimage-workspace/deps-build/ext_qt/ext_qt-prefix/src/ext_qt/qtbase/src/gui/kernel/qopenglcontext.cpp:655

previously allocated by thread T0 here:
    #0 0x7fc5ec5165a7 in operator new(unsigned long)
../../../../src/libsanitizer/asan/asan_new_delete.cpp:99
    #1 0x7fc5e2875ca9 in QOpenGLContext::functions() const
/home/appimage/appimage-workspace/deps-build/ext_qt/ext_qt-prefix/src/ext_qt/qtbase/src/gui/kernel/qopenglcontext.cpp:741

SUMMARY: AddressSanitizer: heap-use-after-free
/home/appimage/persistent/krita/libs/ui/opengl/kis_texture_tile.cpp:108 in
KisTextureTile::~KisTextureTile()
Shadow bytes around the buggy address:
  0x0c04800168f0: fa fa 00 fa fa fa fd fd fa fa fd fa fa fa fd fd
  0x0c0480016900: fa fa fd fd fa fa fd fa fa fa fd fd fa fa 00 fa
  0x0c0480016910: fa fa 00 fa fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c0480016920: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fa
  0x0c0480016930: fa fa fd fd fa fa fd fa fa fa fd fd fa fa fd fa
=>0x0c0480016940: fa fa 00 fa fa fa[fd]fa fa fa fd fd fa fa fd fa
  0x0c0480016950: fa fa fd fa fa fa fd fa fa fa 00 fa fa fa fd fa
  0x0c0480016960: fa fa fd fa fa fa fd fa fa fa fd fa fa fa 00 fa
  0x0c0480016970: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c0480016980: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c0480016990: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==77748==ABORTING
