https://bugs.kde.org/show_bug.cgi?id=356940
--- Comment #7 from Peter Wu <pe...@lekensteyn.nl> --- Created attachment 100758 --> https://bugs.kde.org/attachment.cgi?id=100758&action=edit Testcase (with ASAN) I bisected Wireshark and found that it started crashing after using setStyle(new QProxyStyle). Fair enough, I can create a minimal testcase that crashes when setStyle(new QProxyStyle) is used and exit() is called. This problem does not occur when -style windows (or anything other than breeze and oxygen) is in use. Following test was done with: qt5-base 5.7.0-2 breeze v5.7.4-17-gf79266d (also reproduced with 5.7.3-1 and many releases before that...) oxygen 5.7.3-1 (not in output, but also affected) ASAN output: ================================================================= ==3262==ERROR: AddressSanitizer: heap-use-after-free on address 0x602000005930 at pc 0x7f5644140df8 bp 0x7ffd4e1b4c90 sp 0x7ffd4e1b4c80 WRITE of size 4 at 0x602000005930 thread T0 #0 0x7f5644140df7 in std::__atomic_base<int>::operator--() /usr/include/c++/6.1.1/bits/atomic_base.h:304 #1 0x7f5644140df7 in bool QAtomicOps<int>::deref<int>(std::atomic<int>&) src/corelib/arch/qatomic_cxx11.h:147 #2 0x7f5644140df7 in QBasicAtomicInteger<int>::deref() src/corelib/thread/qbasicatomic.h:111 #3 0x7f5644140df7 in QWeakPointer<QObject>::~QWeakPointer() src/corelib/tools/qsharedpointer_impl.h:607 #4 0x7f5644140df7 in QWeakPointer<QObject>::operator=(QWeakPointer<QObject>&&) src/corelib/tools/qsharedpointer_impl.h:634 #5 0x7f5644140df7 in QWeakPointer<QObject>& QWeakPointer<QObject>::assign<QObject>(QObject*) src/corelib/tools/qsharedpointer_impl.h:719 #6 0x7f5644140df7 in QPointer<QObject>::operator=(QObject*) src/corelib/kernel/qpointer.h:83 #7 0x7f5644140df7 in QFactoryLoader::instance(int) const plugin/qfactoryloader.cpp:283 #8 0x7f5644ad7e87 in QStyle* qLoadPlugin<QStyle, QStylePlugin>(QFactoryLoader const*, QString const&) src/corelib/plugin/qfactoryloader_p.h:101 #9 0x7f5644ad7e87 in QStyleFactory::create(QString const&) styles/qstylefactory.cpp:158 #10 0x7f5644b3351b in QProxyStylePrivate::ensureBaseStyle() const styles/qproxystyle.cpp:99 #11 0x7f5644b3591d in QProxyStyle::event(QEvent*) styles/qproxystyle.cpp:386 #12 0x7f5644992417 in QApplicationPrivate::notify_helper(QObject*, QEvent*) kernel/qapplication.cpp:3799 #13 0x7f56449a4b8d in QApplication::notify(QObject*, QEvent*) kernel/qapplication.cpp:3641 #14 0x7f564416c0a1 in QCoreApplication::notifyInternal2(QObject*, QEvent*) kernel/qcoreapplication.cpp:988 #15 0x7f56441ea3e1 in QCoreApplication::sendEvent(QObject*, QEvent*) src/corelib/kernel/qcoreapplication.h:231 #16 0x7f56441ea3e1 in QObjectPrivate::setParent_helper(QObject*) kernel/qobject.cpp:1996 #17 0x7f56441eb88f in QObject::~QObject() kernel/qobject.cpp:1048 #18 0x7f562b413788 (/usr/lib/qt/plugins/styles/breeze.so+0x53788) #19 0x7f56441d959a in QtPrivate::QSlotObjectBase::call(QObject*, void**) src/corelib/kernel/qobject_impl.h:130 #20 0x7f56441d959a in QMetaObject::activate(QObject*, int, int, void**) kernel/qobject.cpp:3723 #21 0x7f56441da323 in QObject::destroyed(QObject*) .moc/moc_qobject.cpp:213 #22 0x7f56441eba18 in QObject::~QObject() kernel/qobject.cpp:920 #23 0x7f562b427416 (/usr/lib/qt/plugins/styles/breeze.so+0x67416) #24 0x7f56441589f6 in QLibraryPrivate::unload(QLibraryPrivate::UnloadFlag) plugin/qlibrary.cpp:557 #25 0x7f5644141ea0 in QFactoryLoaderPrivate::~QFactoryLoaderPrivate() plugin/qfactoryloader.cpp:86 #26 0x7f56441421a0 in QFactoryLoaderPrivate::~QFactoryLoaderPrivate() plugin/qfactoryloader.cpp:89 #27 0x7f56441eb8e9 in QScopedPointerDeleter<QObjectData>::cleanup(QObjectData*) src/corelib/tools/qscopedpointer.h:60 #28 0x7f56441eb8e9 in QScopedPointer<QObjectData, QScopedPointerDeleter<QObjectData> >::~QScopedPointer() src/corelib/tools/qscopedpointer.h:107 #29 0x7f56441eb8e9 in QObject::~QObject() kernel/qobject.cpp:900 #30 0x7f56441402e3 in QFactoryLoader::~QFactoryLoader() plugin/qfactoryloader.cpp:205 #31 0x7f5644addbf8 in ~Holder styles/qstylefactory.cpp:72 #32 0x7f56432de98f in __run_exit_handlers (/usr/lib/libc.so.6+0x3598f) #33 0x7f56432de9e9 in __GI_exit (/usr/lib/libc.so.6+0x359e9) #34 0x403337 in MainWindow::ping() (Trial+0x403337) #35 0x7f56441d8fb6 in QMetaObject::activate(QObject*, int, int, void**) kernel/qobject.cpp:3740 #36 0x7f56441fa5b3 in QTimer::timerEvent(QTimerEvent*) kernel/qtimer.cpp:254 #37 0x7f56441db70b in QObject::event(QEvent*) kernel/qobject.cpp:1285 #38 0x7f5644992417 in QApplicationPrivate::notify_helper(QObject*, QEvent*) kernel/qapplication.cpp:3799 #39 0x7f56449a4b8d in QApplication::notify(QObject*, QEvent*) kernel/qapplication.cpp:3641 #40 0x7f564416c0a1 in QCoreApplication::notifyInternal2(QObject*, QEvent*) kernel/qcoreapplication.cpp:988 #41 0x7f56442439b4 in QCoreApplication::sendEvent(QObject*, QEvent*) src/corelib/kernel/qcoreapplication.h:231 #42 0x7f56442439b4 in QTimerInfoList::activateTimers() kernel/qtimerinfo_unix.cpp:644 #43 0x7f5644244ac2 in timerSourceDispatch kernel/qeventdispatcher_glib.cpp:182 #44 0x7f5640c6cdd6 in g_main_context_dispatch (/usr/lib/libglib-2.0.so.0+0x49dd6) #45 0x7f5640c6d03f (/usr/lib/libglib-2.0.so.0+0x4a03f) #46 0x7f5640c6d0eb in g_main_context_iteration (/usr/lib/libglib-2.0.so.0+0x4a0eb) #47 0x7f5644245982 in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) kernel/qeventdispatcher_glib.cpp:423 #48 0x7f56441686a4 in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) kernel/qeventloop.cpp:210 #49 0x7f564417ad1e in QCoreApplication::exec() kernel/qcoreapplication.cpp:1261 #50 0x402ff6 in main (Trial+0x402ff6) #51 0x7f56432c9290 in __libc_start_main (/usr/lib/libc.so.6+0x20290) #52 0x403179 in _start (Trial+0x403179) 0x602000005930 is located 0 bytes inside of 16-byte region [0x602000005930,0x602000005940) freed by thread T0 here: #0 0x7f56458955d0 in operator delete(void*) /build/gcc-multilib/src/gcc/libsanitizer/asan/asan_new_delete.cc:92 #1 0x7f562b4326f2 in qt_plugin_instance (/usr/lib/qt/plugins/styles/breeze.so+0x726f2) #2 0x7f5644140a02 in QFactoryLoader::instance(int) const plugin/qfactoryloader.cpp:283 #3 0x7f5644ad7e87 in QStyle* qLoadPlugin<QStyle, QStylePlugin>(QFactoryLoader const*, QString const&) src/corelib/plugin/qfactoryloader_p.h:101 #4 0x7f5644ad7e87 in QStyleFactory::create(QString const&) styles/qstylefactory.cpp:158 #5 0x7f5644b3351b in QProxyStylePrivate::ensureBaseStyle() const styles/qproxystyle.cpp:99 #6 0x7f5644b3591d in QProxyStyle::event(QEvent*) styles/qproxystyle.cpp:386 #7 0x7f5644992417 in QApplicationPrivate::notify_helper(QObject*, QEvent*) kernel/qapplication.cpp:3799 #8 0x7f56449a4b8d in QApplication::notify(QObject*, QEvent*) kernel/qapplication.cpp:3641 #9 0x7f564416c0a1 in QCoreApplication::notifyInternal2(QObject*, QEvent*) kernel/qcoreapplication.cpp:988 #10 0x7f56441ea3e1 in QCoreApplication::sendEvent(QObject*, QEvent*) src/corelib/kernel/qcoreapplication.h:231 #11 0x7f56441ea3e1 in QObjectPrivate::setParent_helper(QObject*) kernel/qobject.cpp:1996 #12 0x7f56441eb88f in QObject::~QObject() kernel/qobject.cpp:1048 #13 0x7f562b413788 (/usr/lib/qt/plugins/styles/breeze.so+0x53788) #14 0x7f56441d959a in QtPrivate::QSlotObjectBase::call(QObject*, void**) src/corelib/kernel/qobject_impl.h:130 #15 0x7f56441d959a in QMetaObject::activate(QObject*, int, int, void**) kernel/qobject.cpp:3723 #16 0x7f56441da323 in QObject::destroyed(QObject*) .moc/moc_qobject.cpp:213 #17 0x7f56441eba18 in QObject::~QObject() kernel/qobject.cpp:920 #18 0x7f562b427416 (/usr/lib/qt/plugins/styles/breeze.so+0x67416) #19 0x7f56441589f6 in QLibraryPrivate::unload(QLibraryPrivate::UnloadFlag) plugin/qlibrary.cpp:557 #20 0x7f5644141ea0 in QFactoryLoaderPrivate::~QFactoryLoaderPrivate() plugin/qfactoryloader.cpp:86 #21 0x7f56441421a0 in QFactoryLoaderPrivate::~QFactoryLoaderPrivate() plugin/qfactoryloader.cpp:89 #22 0x7f56441eb8e9 in QScopedPointerDeleter<QObjectData>::cleanup(QObjectData*) src/corelib/tools/qscopedpointer.h:60 #23 0x7f56441eb8e9 in QScopedPointer<QObjectData, QScopedPointerDeleter<QObjectData> >::~QScopedPointer() src/corelib/tools/qscopedpointer.h:107 #24 0x7f56441eb8e9 in QObject::~QObject() kernel/qobject.cpp:900 #25 0x7f56441402e3 in QFactoryLoader::~QFactoryLoader() plugin/qfactoryloader.cpp:205 #26 0x7f5644addbf8 in ~Holder styles/qstylefactory.cpp:72 #27 0x7f56432de98f in __run_exit_handlers (/usr/lib/libc.so.6+0x3598f) #28 0x7f56432de9e9 in __GI_exit (/usr/lib/libc.so.6+0x359e9) #29 0x403337 in MainWindow::ping() (Trial+0x403337) #30 0x7f56441d8fb6 in QMetaObject::activate(QObject*, int, int, void**) kernel/qobject.cpp:3740 #31 0x7f56441fa5b3 in QTimer::timerEvent(QTimerEvent*) kernel/qtimer.cpp:254 #32 0x7f56441db70b in QObject::event(QEvent*) kernel/qobject.cpp:1285 #33 0x7f5644992417 in QApplicationPrivate::notify_helper(QObject*, QEvent*) kernel/qapplication.cpp:3799 #34 0x7f56449a4b8d in QApplication::notify(QObject*, QEvent*) kernel/qapplication.cpp:3641 previously allocated by thread T0 here: #0 0x7f5645894f50 in operator new(unsigned long) /build/gcc-multilib/src/gcc/libsanitizer/asan/asan_new_delete.cc:60 #1 0x7f5643e59928 in QtSharedPointer::ExternalRefCountData::getAndRef(QObject const*) tools/qsharedpointer.cpp:1344 #2 0x7f562b4326b3 in qt_plugin_instance (/usr/lib/qt/plugins/styles/breeze.so+0x726b3) #3 0x7f5644140a02 in QFactoryLoader::instance(int) const plugin/qfactoryloader.cpp:283 #4 0x7f5644ad7e87 in QStyle* qLoadPlugin<QStyle, QStylePlugin>(QFactoryLoader const*, QString const&) src/corelib/plugin/qfactoryloader_p.h:101 #5 0x7f5644ad7e87 in QStyleFactory::create(QString const&) styles/qstylefactory.cpp:158 #6 0x7f564499ce7c in QApplication::style() kernel/qapplication.cpp:1138 #7 0x7f564499d4f4 in QApplicationPrivate::initialize() kernel/qapplication.cpp:651 #8 0x7f564499d5ea in QApplicationPrivate::init() kernel/qapplication.cpp:592 #9 0x402fd9 in main (Trial+0x402fd9) #10 0x7f56432c9290 in __libc_start_main (/usr/lib/libc.so.6+0x20290) #11 0x403179 in _start (Trial+0x403179) SUMMARY: AddressSanitizer: heap-use-after-free /usr/include/c++/6.1.1/bits/atomic_base.h:304 in std::__atomic_base<int>::operator--() Shadow bytes around the buggy address: 0x0c047fff8ad0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd 0x0c047fff8ae0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd 0x0c047fff8af0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd 0x0c047fff8b00: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd 0x0c047fff8b10: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd =>0x0c047fff8b20: fa fa fd fd fa fa[fd]fd fa fa 00 00 fa fa fd fd 0x0c047fff8b30: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd 0x0c047fff8b40: fa fa fd fd fa fa 00 fa fa fa 00 fa fa fa 00 00 0x0c047fff8b50: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00 0x0c047fff8b60: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 04 fa 0x0c047fff8b70: fa fa 04 fa fa fa fd fa fa fa 04 fa fa fa 04 fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==3262==ABORTING -- You are receiving this mail because: You are watching all bug changes.
