https://bugs.kde.org/show_bug.cgi?id=405737

--- Comment #1 from wolthera <griffinval...@gmail.com> ---
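And again, this time when entering the transformation mode. In the trace below, both the faulting write (thread T155) and the earlier free (thread T161) come from pooled threads running TransformStrokeStrategy::doStrokeCallback() into ToolTransformArgs::operator= (tool_transform_args.cc:132). The freed 24-byte block is the QSharedPointer<KisLiquifyProperties> reference-count data allocated in ToolTransformArgs::ToolTransformArgs() when the stroke strategy was constructed, so it looks like two stroke jobs are assigning to the same ToolTransformArgs at the same time.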

==12309==ERROR: AddressSanitizer: heap-use-after-free on address 0x603002ca0e50
at pc 0x562bd44b4539 bp 0x7f7f4314a130 sp 0x7f7f4314a120
WRITE of size 4 at 0x603002ca0e50 thread T155 (Thread (pooled))
    #0 0x562bd44b4538 in std::__atomic_base<int>::operator--()
/usr/include/c++/7/bits/atomic_base.h:304
    #1 0x7f7fc4eda0c1 in bool QAtomicOps<int>::deref<int>(std::atomic<int>&)
/usr/include/x86_64-linux-gnu/qt5/QtCore/qatomic_cxx11.h:271
    #2 0x7f7fc4ed9b47 in QBasicAtomicInteger<int>::deref()
/usr/include/x86_64-linux-gnu/qt5/QtCore/qbasicatomic.h:115
    #3 0x7f7fc4ef0471 in
QSharedPointer<KisLiquifyProperties>::deref(QtSharedPointer::ExternalRefCountData*)
(/home/wolthera/krita/inst/lib/x86_64-linux-gnu/kritaplugins/kritatooltransform.so+0xa0471)
    #4 0x7f7fc4eeeb54 in QSharedPointer<KisLiquifyProperties>::deref()
(/home/wolthera/krita/inst/lib/x86_64-linux-gnu/kritaplugins/kritatooltransform.so+0x9eb54)
    #5 0x7f7fc4ee9e0b in
QSharedPointer<KisLiquifyProperties>::~QSharedPointer()
(/home/wolthera/krita/inst/lib/x86_64-linux-gnu/kritaplugins/kritatooltransform.so+0x99e0b)
    #6 0x7f7fc4eea755 in
QSharedPointer<KisLiquifyProperties>::operator=(QSharedPointer<KisLiquifyProperties>
const&)
(/home/wolthera/krita/inst/lib/x86_64-linux-gnu/kritaplugins/kritatooltransform.so+0x9a755)
    #7 0x7f7fc4edf507 in ToolTransformArgs::operator=(ToolTransformArgs const&)
/home/wolthera/krita/src/plugins/tools/tool_transform2/tool_transform_args.cc:132
    #8 0x7f7fc50667a4 in
TransformStrokeStrategy::doStrokeCallback(KisStrokeJobData*)
/home/wolthera/krita/src/plugins/tools/tool_transform2/strokes/transform_stroke_strategy.cpp:229
    #9 0x7f801c67c021 in SimpleStrokeJobStrategy::run(KisStrokeJobData*)
/home/wolthera/krita/src/libs/image/kis_simple_stroke_strategy.cpp:51
    #10 0x7f801c6917fc in KisStrokeJob::run()
/home/wolthera/krita/src/libs/image/kis_stroke_job.h:44
    #11 0x7f801cd04ff0 in KisUpdateJobItem::run()
/home/wolthera/krita/build/libs/image/kritaimage_autogen/EWIEGA46WW/../../../../../src/libs/image/kis_update_job_item.h:91
    #12 0x7f8019ccd351  (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0xac351)
    #13 0x7f8019cc8bc1  (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0xa7bc1)
    #14 0x7f8018c6b6da in start_thread
(/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
    #15 0x7f80193b088e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x12188e)

0x603002ca0e50 is located 0 bytes inside of 24-byte region
[0x603002ca0e50,0x603002ca0e68)
freed by thread T161 (Thread (pooled)) here:
    #0 0x7f8025a682d0 in operator delete(void*)
(/usr/lib/x86_64-linux-gnu/libasan.so.4+0xe12d0)
    #1 0x7f7fc4ed948a in QtSharedPointer::ExternalRefCountData::operator
delete(void*)
/usr/include/x86_64-linux-gnu/qt5/QtCore/qsharedpointer_impl.h:167
    #2 0x7f7fc4ef0491 in
QSharedPointer<KisLiquifyProperties>::deref(QtSharedPointer::ExternalRefCountData*)
(/home/wolthera/krita/inst/lib/x86_64-linux-gnu/kritaplugins/kritatooltransform.so+0xa0491)
    #3 0x7f7fc4eeeb54 in QSharedPointer<KisLiquifyProperties>::deref()
(/home/wolthera/krita/inst/lib/x86_64-linux-gnu/kritaplugins/kritatooltransform.so+0x9eb54)
    #4 0x7f7fc4ee9e0b in
QSharedPointer<KisLiquifyProperties>::~QSharedPointer()
(/home/wolthera/krita/inst/lib/x86_64-linux-gnu/kritaplugins/kritatooltransform.so+0x99e0b)
    #5 0x7f7fc4eea755 in
QSharedPointer<KisLiquifyProperties>::operator=(QSharedPointer<KisLiquifyProperties>
const&)
(/home/wolthera/krita/inst/lib/x86_64-linux-gnu/kritaplugins/kritatooltransform.so+0x9a755)
    #6 0x7f7fc4edf507 in ToolTransformArgs::operator=(ToolTransformArgs const&)
/home/wolthera/krita/src/plugins/tools/tool_transform2/tool_transform_args.cc:132
    #7 0x7f7fc50667a4 in
TransformStrokeStrategy::doStrokeCallback(KisStrokeJobData*)
/home/wolthera/krita/src/plugins/tools/tool_transform2/strokes/transform_stroke_strategy.cpp:229
    #8 0x7f801c67c021 in SimpleStrokeJobStrategy::run(KisStrokeJobData*)
/home/wolthera/krita/src/libs/image/kis_simple_stroke_strategy.cpp:51
    #9 0x7f801c6917fc in KisStrokeJob::run()
/home/wolthera/krita/src/libs/image/kis_stroke_job.h:44
    #10 0x7f801cd04ff0 in KisUpdateJobItem::run()
/home/wolthera/krita/build/libs/image/kritaimage_autogen/EWIEGA46WW/../../../../../src/libs/image/kis_update_job_item.h:91
    #11 0x7f8019ccd351  (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0xac351)

previously allocated by thread T0 here:
    #0 0x7f8025a67458 in operator new(unsigned long)
(/usr/lib/x86_64-linux-gnu/libasan.so.4+0xe0458)
    #1 0x7f7fc4ef02cd in
QtSharedPointer::ExternalRefCountWithCustomDeleter<KisLiquifyProperties,
QtSharedPointer::NormalDeleter>::create(KisLiquifyProperties*,
QtSharedPointer::NormalDeleter, void
(*)(QtSharedPointer::ExternalRefCountData*))
(/home/wolthera/krita/inst/lib/x86_64-linux-gnu/kritaplugins/kritatooltransform.so+0xa02cd)
    #2 0x7f7fc4eeeaa3 in void
QSharedPointer<KisLiquifyProperties>::internalConstruct<KisLiquifyProperties,
QtSharedPointer::NormalDeleter>(KisLiquifyProperties*,
QtSharedPointer::NormalDeleter)
(/home/wolthera/krita/inst/lib/x86_64-linux-gnu/kritaplugins/kritatooltransform.so+0x9eaa3)
    #3 0x7f7fc4ee9da0 in
QSharedPointer<KisLiquifyProperties>::QSharedPointer<KisLiquifyProperties>(KisLiquifyProperties*)
(/home/wolthera/krita/inst/lib/x86_64-linux-gnu/kritaplugins/kritatooltransform.so+0x99da0)
    #4 0x7f7fc4eddacf in ToolTransformArgs::ToolTransformArgs()
/home/wolthera/krita/src/plugins/tools/tool_transform2/tool_transform_args.cc:52
    #5 0x7f7fc5062484 in
TransformStrokeStrategy::TransformStrokeStrategy(KisSharedPtr<KisNode>,
QList<KisSharedPtr<KisNode> >, KisSharedPtr<KisSelection>,
KisStrokeUndoFacade*)
/home/wolthera/krita/src/plugins/tools/tool_transform2/strokes/transform_stroke_strategy.cpp:54
    #6 0x7f7fc4f09e0b in
KisToolTransform::startStroke(ToolTransformArgs::TransformMode, bool)
/home/wolthera/krita/src/plugins/tools/tool_transform2/kis_tool_transform.cc:931
    #7 0x7f7fc4f08280 in KisToolTransform::activate(KoToolBase::ToolActivation,
QSet<KoShape*> const&)
/home/wolthera/krita/src/plugins/tools/tool_transform2/kis_tool_transform.cc:805
    #8 0x7f8016146cdd in KoToolManager::Private::postSwitchTool(bool)
/home/wolthera/krita/src/libs/flake/KoToolManager.cpp:618
    #9 0x7f80161454fa in KoToolManager::Private::switchTool(KoToolBase*, bool)
/home/wolthera/krita/src/libs/flake/KoToolManager.cpp:554
    #10 0x7f8016145ba8 in KoToolManager::Private::switchTool(QString const&,
bool) /home/wolthera/krita/src/libs/flake/KoToolManager.cpp:579
    #11 0x7f80161401bb in KoToolManager::switchToolRequested(QString const&)
/home/wolthera/krita/src/libs/flake/KoToolManager.cpp:300
    #12 0x7f801614e5b3 in
KoToolManager::Private::switchInputDevice(KoInputDevice const&)
/home/wolthera/krita/src/libs/flake/KoToolManager.cpp:960
    #13 0x7f8016170d1d in KoToolProxy::tabletEvent(QTabletEvent*, QPointF
const&) /home/wolthera/krita/src/libs/flake/KoToolProxy.cpp:173
    #14 0x7f802037722e in KisToolProxy::forwardHoverEvent(QEvent*)
/home/wolthera/krita/src/libs/ui/canvas/kis_tool_proxy.cpp:94

Thread T155 (Thread (pooled)) created by T0 here:
    #0 0x7f80259bed2f in __interceptor_pthread_create
(/usr/lib/x86_64-linux-gnu/libasan.so.4+0x37d2f)
    #1 0x7f8019cc823d in QThread::start(QThread::Priority)
(/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0xa723d)

Thread T161 (Thread (pooled)) created by T155 (Thread (pooled)) here:
    #0 0x7f80259bed2f in __interceptor_pthread_create
(/usr/lib/x86_64-linux-gnu/libasan.so.4+0x37d2f)
    #1 0x7f8019cc823d in QThread::start(QThread::Priority)
(/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0xa723d)

SUMMARY: AddressSanitizer: heap-use-after-free
/usr/include/c++/7/bits/atomic_base.h:304 in
std::__atomic_base<int>::operator--()
Shadow bytes around the buggy address:
  0x0c068058c170: 00 00 00 00 fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c068058c180: fa fa fd fd fd fa fa fa fd fd fd fd fa fa fa fa
  0x0c068058c190: fa fa fa fa fa fa fa fa fa fa fd fd fd fd fa fa
  0x0c068058c1a0: fd fd fd fd fa fa fd fd fd fa fa fa 00 00 00 06
  0x0c068058c1b0: fa fa 00 00 00 00 fa fa fa fa fa fa fa fa 00 00
=>0x0c068058c1c0: 00 00 fa fa fd fd fd fd fa fa[fd]fd fd fa fa fa
  0x0c068058c1d0: fa fa fa fa fa fa 00 00 00 00 fa fa fa fa fa fa
  0x0c068058c1e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fd fd
  0x0c068058c1f0: fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c068058c200: fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c068058c210: fa fa fd fd fd fa fa fa fd fd fd fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==12309==ABORTING
