https://bugs.kde.org/show_bug.cgi?id=405737

            Bug ID: 405737
           Summary: Crash when transforming a frame [asan backtrace]
           Product: krita
           Version: git master
          Platform: Other
                OS: Linux
            Status: REPORTED
          Severity: crash
          Priority: NOR
         Component: Tools/Transform
          Assignee: krita-bugs-n...@kde.org
          Reporter: griffinval...@gmail.com
  Target Milestone: ---

SUMMARY
Did a free transform on a frame, specifically a rotation transform. I did this
about a dozen times before hitting the crash, so it is not easy to reproduce.

=================================================================
==17960==ERROR: AddressSanitizer: heap-use-after-free on address 0x603002cc8a20
at pc 0x559276c44539 bp 0x7f77eab4c130 sp 0x7f77eab4c120
WRITE of size 4 at 0x603002cc8a20 thread T9282 (Thread (pooled))
    #0 0x559276c44538 in std::__atomic_base<int>::operator--()
/usr/include/c++/7/bits/atomic_base.h:304
    #1 0x7f784f8760c1 in bool QAtomicOps<int>::deref<int>(std::atomic<int>&)
/usr/include/x86_64-linux-gnu/qt5/QtCore/qatomic_cxx11.h:271
    #2 0x7f784f875b47 in QBasicAtomicInteger<int>::deref()
/usr/include/x86_64-linux-gnu/qt5/QtCore/qbasicatomic.h:115
    #3 0x7f784f88c471 in
QSharedPointer<KisLiquifyProperties>::deref(QtSharedPointer::ExternalRefCountData*)
(/home/wolthera/krita/inst/lib/x86_64-linux-gnu/kritaplugins/kritatooltransform.so+0xa0471)
    #4 0x7f784f88ab54 in QSharedPointer<KisLiquifyProperties>::deref()
(/home/wolthera/krita/inst/lib/x86_64-linux-gnu/kritaplugins/kritatooltransform.so+0x9eb54)
    #5 0x7f784f885e0b in
QSharedPointer<KisLiquifyProperties>::~QSharedPointer()
(/home/wolthera/krita/inst/lib/x86_64-linux-gnu/kritaplugins/kritatooltransform.so+0x99e0b)
    #6 0x7f784f886755 in
QSharedPointer<KisLiquifyProperties>::operator=(QSharedPointer<KisLiquifyProperties>
const&)
(/home/wolthera/krita/inst/lib/x86_64-linux-gnu/kritaplugins/kritatooltransform.so+0x9a755)
    #7 0x7f784f87b507 in ToolTransformArgs::operator=(ToolTransformArgs const&)
/home/wolthera/krita/src/plugins/tools/tool_transform2/tool_transform_args.cc:132
    #8 0x7f784fa027a4 in
TransformStrokeStrategy::doStrokeCallback(KisStrokeJobData*)
/home/wolthera/krita/src/plugins/tools/tool_transform2/strokes/transform_stroke_strategy.cpp:229
    #9 0x7f78a7135021 in SimpleStrokeJobStrategy::run(KisStrokeJobData*)
/home/wolthera/krita/src/libs/image/kis_simple_stroke_strategy.cpp:51
    #10 0x7f78a714a7fc in KisStrokeJob::run()
/home/wolthera/krita/src/libs/image/kis_stroke_job.h:44
    #11 0x7f78a77bdff0 in KisUpdateJobItem::run()
/home/wolthera/krita/build/libs/image/kritaimage_autogen/EWIEGA46WW/../../../../../src/libs/image/kis_update_job_item.h:91
    #12 0x7f78a4786351  (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0xac351)
    #13 0x7f78a4781bc1  (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0xa7bc1)
    #14 0x7f78a37246da in start_thread
(/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
    #15 0x7f78a3e6988e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x12188e)

0x603002cc8a20 is located 0 bytes inside of 24-byte region
[0x603002cc8a20,0x603002cc8a38)
freed by thread T9284 (Thread (pooled)) here:
    #0 0x7f78b05212d0 in operator delete(void*)
(/usr/lib/x86_64-linux-gnu/libasan.so.4+0xe12d0)
    #1 0x7f784f87548a in QtSharedPointer::ExternalRefCountData::operator
delete(void*)
/usr/include/x86_64-linux-gnu/qt5/QtCore/qsharedpointer_impl.h:167
    #2 0x7f784f88c491 in
QSharedPointer<KisLiquifyProperties>::deref(QtSharedPointer::ExternalRefCountData*)
(/home/wolthera/krita/inst/lib/x86_64-linux-gnu/kritaplugins/kritatooltransform.so+0xa0491)
    #3 0x7f784f88ab54 in QSharedPointer<KisLiquifyProperties>::deref()
(/home/wolthera/krita/inst/lib/x86_64-linux-gnu/kritaplugins/kritatooltransform.so+0x9eb54)
    #4 0x7f784f885e0b in
QSharedPointer<KisLiquifyProperties>::~QSharedPointer()
(/home/wolthera/krita/inst/lib/x86_64-linux-gnu/kritaplugins/kritatooltransform.so+0x99e0b)
    #5 0x7f784f886755 in
QSharedPointer<KisLiquifyProperties>::operator=(QSharedPointer<KisLiquifyProperties>
const&)
(/home/wolthera/krita/inst/lib/x86_64-linux-gnu/kritaplugins/kritatooltransform.so+0x9a755)
    #6 0x7f784f87b507 in ToolTransformArgs::operator=(ToolTransformArgs const&)
/home/wolthera/krita/src/plugins/tools/tool_transform2/tool_transform_args.cc:132
    #7 0x7f784fa027a4 in
TransformStrokeStrategy::doStrokeCallback(KisStrokeJobData*)
/home/wolthera/krita/src/plugins/tools/tool_transform2/strokes/transform_stroke_strategy.cpp:229
    #8 0x7f78a7135021 in SimpleStrokeJobStrategy::run(KisStrokeJobData*)
/home/wolthera/krita/src/libs/image/kis_simple_stroke_strategy.cpp:51
    #9 0x7f78a714a7fc in KisStrokeJob::run()
/home/wolthera/krita/src/libs/image/kis_stroke_job.h:44
    #10 0x7f78a77bdff0 in KisUpdateJobItem::run()
/home/wolthera/krita/build/libs/image/kritaimage_autogen/EWIEGA46WW/../../../../../src/libs/image/kis_update_job_item.h:91
    #11 0x7f78a4786351  (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0xac351)

previously allocated by thread T0 here:
    #0 0x7f78b0520458 in operator new(unsigned long)
(/usr/lib/x86_64-linux-gnu/libasan.so.4+0xe0458)
    #1 0x7f784f88c2cd in
QtSharedPointer::ExternalRefCountWithCustomDeleter<KisLiquifyProperties,
QtSharedPointer::NormalDeleter>::create(KisLiquifyProperties*,
QtSharedPointer::NormalDeleter, void
(*)(QtSharedPointer::ExternalRefCountData*))
(/home/wolthera/krita/inst/lib/x86_64-linux-gnu/kritaplugins/kritatooltransform.so+0xa02cd)
    #2 0x7f784f88aaa3 in void
QSharedPointer<KisLiquifyProperties>::internalConstruct<KisLiquifyProperties,
QtSharedPointer::NormalDeleter>(KisLiquifyProperties*,
QtSharedPointer::NormalDeleter)
(/home/wolthera/krita/inst/lib/x86_64-linux-gnu/kritaplugins/kritatooltransform.so+0x9eaa3)
    #3 0x7f784f885da0 in
QSharedPointer<KisLiquifyProperties>::QSharedPointer<KisLiquifyProperties>(KisLiquifyProperties*)
(/home/wolthera/krita/inst/lib/x86_64-linux-gnu/kritaplugins/kritatooltransform.so+0x99da0)
    #4 0x7f784f879acf in ToolTransformArgs::ToolTransformArgs()
/home/wolthera/krita/src/plugins/tools/tool_transform2/tool_transform_args.cc:52
    #5 0x7f784f9fe484 in
TransformStrokeStrategy::TransformStrokeStrategy(KisSharedPtr<KisNode>,
QList<KisSharedPtr<KisNode> >, KisSharedPtr<KisSelection>,
KisStrokeUndoFacade*)
/home/wolthera/krita/src/plugins/tools/tool_transform2/strokes/transform_stroke_strategy.cpp:54
    #6 0x7f784f8a5e0b in
KisToolTransform::startStroke(ToolTransformArgs::TransformMode, bool)
/home/wolthera/krita/src/plugins/tools/tool_transform2/kis_tool_transform.cc:931
    #7 0x7f784f89f459 in KisToolTransform::beginActionImpl(KoPointerEvent*,
bool, KisTool::AlternateAction)
/home/wolthera/krita/src/plugins/tools/tool_transform2/kis_tool_transform.cc:280
    #8 0x7f784f89ff0b in KisToolTransform::beginPrimaryAction(KoPointerEvent*)
/home/wolthera/krita/src/plugins/tools/tool_transform2/kis_tool_transform.cc:375
    #9 0x7f78aae30d46 in KisToolProxy::forwardToTool(KisToolProxy::ActionState,
KisTool::ToolAction, QEvent*, QPointF const&)
/home/wolthera/krita/src/libs/ui/canvas/kis_tool_proxy.cpp:167
    #10 0x7f78aae308a4 in KisToolProxy::forwardEvent(KisToolProxy::ActionState,
KisTool::ToolAction, QEvent*, QEvent*)
/home/wolthera/krita/src/libs/ui/canvas/kis_tool_proxy.cpp:138
    #11 0x7f78ab7a5954 in KisToolInvocationAction::begin(int, QEvent*)
/home/wolthera/krita/src/libs/ui/input/kis_tool_invocation_action.cpp:108
    #12 0x7f78ab7c18cf in
KisShortcutMatcher::tryRunReadyShortcut(Qt::MouseButton, QEvent*)
/home/wolthera/krita/src/libs/ui/input/kis_shortcut_matcher.cpp:495
    #13 0x7f78ab7bf33c in KisShortcutMatcher::buttonPressed(Qt::MouseButton,
QEvent*) /home/wolthera/krita/src/libs/ui/input/kis_shortcut_matcher.cpp:209
    #14 0x7f78ab76d53d in KisInputManager::eventFilterImpl(QEvent*)
/home/wolthera/krita/src/libs/ui/input/kis_input_manager.cpp:303

Thread T9282 (Thread (pooled)) created by T9280 (Thread (pooled)) here:
    #0 0x7f78b0477d2f in __interceptor_pthread_create
(/usr/lib/x86_64-linux-gnu/libasan.so.4+0x37d2f)
    #1 0x7f78a478123d in QThread::start(QThread::Priority)
(/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0xa723d)

Thread T9280 (Thread (pooled)) created by T0 here:
    #0 0x7f78b0477d2f in __interceptor_pthread_create
(/usr/lib/x86_64-linux-gnu/libasan.so.4+0x37d2f)
    #1 0x7f78a478123d in QThread::start(QThread::Priority)
(/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0xa723d)

Thread T9284 (Thread (pooled)) created by T9280 (Thread (pooled)) here:
    #0 0x7f78b0477d2f in __interceptor_pthread_create
(/usr/lib/x86_64-linux-gnu/libasan.so.4+0x37d2f)
    #1 0x7f78a478123d in QThread::start(QThread::Priority)
(/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0xa723d)

SUMMARY: AddressSanitizer: heap-use-after-free
/usr/include/c++/7/bits/atomic_base.h:304 in
std::__atomic_base<int>::operator--()
Shadow bytes around the buggy address:
  0x0c06805910f0: 00 00 00 00 fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0680591100: fa fa fa fa fa fa fa fa 00 00 00 00 fa fa fa fa
  0x0c0680591110: fa fa fa fa fa fa fa fa fa fa 00 00 00 00 fa fa
  0x0c0680591120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0680591130: fa fa fd fd fd fd fa fa fa fa fa fa fa fa fa fa
=>0x0c0680591140: fa fa fa fa[fd]fd fd fa fa fa fa fa fa fa fa fa
  0x0c0680591150: fd fd fd fa fa fa 00 00 00 00 fa fa fa fa fa fa
  0x0c0680591160: fa fa fa fa fa fa fa fa fd fd fd fd fa fa fa fa
  0x0c0680591170: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0680591180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0680591190: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==17960==ABORTING
wolthera@Euthenia:~/krita/build$
