https://bugs.kde.org/show_bug.cgi?id=471970
Bug ID: 471970
Summary: Closing the document while the animation cache is being
populated causes a crash (heap-use-after-free) under ASAN
Classification: Applications
Product: krita
Version: git master (please specify the git hash!)
Platform: Other
OS: Other
Status: REPORTED
Severity: crash
Priority: NOR
Component: OpenGL Canvas
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: ---
STEPS TO REPRODUCE
1. Open a large document that contains animation
2. Verify that the animation frame cache is still being populated
3. Press Ctrl+W to close the document while the cache is still being populated
=================================================================
==77748==ERROR: AddressSanitizer: heap-use-after-free on address 0x6020000f4a30
at pc 0x7fc5eac6bfdc bp 0x7ffcd81d4750 sp 0x7ffcd81d4740
READ of size 8 at 0x6020000f4a30 thread T0
#0 0x7fc5eac6bfdb in KisTextureTile::~KisTextureTile()
/home/appimage/persistent/krita/libs/ui/opengl/kis_texture_tile.cpp:108
#1 0x7fc5eac52587 in KisOpenGLImageTextures::destroyImageTextureTiles()
/home/appimage/persistent/krita/libs/ui/opengl/kis_opengl_image_textures.cpp:301
#2 0x7fc5eac5bb1e in KisOpenGLImageTextures::~KisOpenGLImageTextures()
/home/appimage/persistent/krita/libs/ui/opengl/kis_opengl_image_textures.cpp:134
#3 0x7fc5eac5d2f5 in KisOpenGLImageTextures::~KisOpenGLImageTextures()
/home/appimage/persistent/krita/libs/ui/opengl/kis_opengl_image_textures.cpp:138
#4 0x7fc5eba00470 in
KisSharedPtr<KisOpenGLImageTextures>::deref(KisSharedPtr<KisOpenGLImageTextures>
const*, KisOpenGLImageTextures*)
/home/appimage/persistent/krita/libs/global/kis_shared_ptr.h:202
#5 0x7fc5eba00470 in
KisSharedPtr<KisOpenGLImageTextures>::deref(KisSharedPtr<KisOpenGLImageTextures>
const*, KisOpenGLImageTextures*)
/home/appimage/persistent/krita/libs/global/kis_shared_ptr.h:194
#6 0x7fc5eba00470 in KisSharedPtr<KisOpenGLImageTextures>::deref() const
/home/appimage/persistent/krita/libs/global/kis_shared_ptr.h:216
#7 0x7fc5eba00470 in KisSharedPtr<KisOpenGLImageTextures>::~KisSharedPtr()
/home/appimage/persistent/krita/libs/global/kis_shared_ptr.h:100
#8 0x7fc5eba00470 in KisAnimationFrameCache::Private::~Private()
/home/appimage/persistent/krita/libs/ui/kis_animation_frame_cache.cpp:42
#9 0x7fc5eba00470 in
QScopedPointerDeleter<KisAnimationFrameCache::Private>::cleanup(KisAnimationFrameCache::Private*)
/home/appimage/appimage-workspace/deps/usr/include/QtCore/qscopedpointer.h:60
#10 0x7fc5eba00470 in QScopedPointer<KisAnimationFrameCache::Private,
QScopedPointerDeleter<KisAnimationFrameCache::Private> >::~QScopedPointer()
/home/appimage/appimage-workspace/deps/usr/include/QtCore/qscopedpointer.h:107
#11 0x7fc5eba00470 in KisAnimationFrameCache::~KisAnimationFrameCache()
/home/appimage/persistent/krita/libs/ui/kis_animation_frame_cache.cpp:224
#12 0x7fc5eba00dd5 in KisAnimationFrameCache::~KisAnimationFrameCache()
/home/appimage/persistent/krita/libs/ui/kis_animation_frame_cache.cpp:224
#13 0x7fc5eba31db2 in
KisSharedPtr<KisAnimationFrameCache>::deref(KisSharedPtr<KisAnimationFrameCache>
const*, KisAnimationFrameCache*)
/home/appimage/persistent/krita/libs/global/kis_shared_ptr.h:202
#14 0x7fc5eba31db2 in
KisSharedPtr<KisAnimationFrameCache>::deref(KisSharedPtr<KisAnimationFrameCache>
const*, KisAnimationFrameCache*)
/home/appimage/persistent/krita/libs/global/kis_shared_ptr.h:194
#15 0x7fc5eba31db2 in
KisSharedPtr<KisAnimationFrameCache>::attach(KisAnimationFrameCache*)
/home/appimage/persistent/krita/libs/global/kis_shared_ptr.h:509
#16 0x7fc5eba31db2 in KisSharedPtr<KisAnimationFrameCache>::clear()
/home/appimage/persistent/krita/libs/global/kis_shared_ptr.h:516
#17 0x7fc5eba31db2 in
KisAsyncAnimationCacheRenderer::clearFrameRegenerationState(bool)
/home/appimage/persistent/krita/libs/ui/KisAsyncAnimationCacheRenderer.cpp:66
#18 0x7fc5eba27343 in
KisAsyncAnimationRendererBase::notifyFrameCancelled(int,
KisAsyncAnimationRendererBase::CancelReason)
/home/appimage/persistent/krita/libs/ui/KisAsyncAnimationRendererBase.cpp:150
#19 0x7fc5eba2de7c in
KisAsyncAnimationCacheRenderer::frameCancelledCallback(int,
KisAsyncAnimationRendererBase::CancelReason)
/home/appimage/persistent/krita/libs/ui/KisAsyncAnimationCacheRenderer.cpp:60
#20 0x7fc5eba26e9e in
KisAsyncAnimationRendererBase::slotFrameRegenerationCancelled()
/home/appimage/persistent/krita/libs/ui/KisAsyncAnimationRendererBase.cpp:100
#21 0x7fc5ea13a157 in
KisAsyncAnimationRendererBase::qt_static_metacall(QObject*, QMetaObject::Call,
int, void**)
/home/appimage/appimage-workspace/krita-build/libs/ui/kritaui_autogen/EWIEGA46WW/moc_KisAsyncAnimationRendererBase.cpp:124
#22 0x7fc5ea13a157 in
KisAsyncAnimationRendererBase::qt_static_metacall(QObject*, QMetaObject::Call,
int, void**)
/home/appimage/appimage-workspace/krita-build/libs/ui/kritaui_autogen/EWIEGA46WW/moc_KisAsyncAnimationRendererBase.cpp:115
#23 0x7fc5e24285dd in QObject::event(QEvent*)
/home/appimage/appimage-workspace/deps-build/ext_qt/ext_qt-prefix/src/ext_qt/qtbase/src/corelib/kernel/qobject.cpp:1347
#24 0x7fc5e2f5d7e2 in QApplicationPrivate::notify_helper(QObject*, QEvent*)
/home/appimage/appimage-workspace/deps-build/ext_qt/ext_qt-prefix/src/ext_qt/qtbase/src/widgets/kernel/qapplication.cpp:3637
#25 0x7fc5eb6993d9 in KisApplication::notify(QObject*, QEvent*)
/home/appimage/persistent/krita/libs/ui/KisApplication.cpp:768
#26 0x7fc5e23fab59 in QCoreApplication::notifyInternal2(QObject*, QEvent*)
/home/appimage/appimage-workspace/deps-build/ext_qt/ext_qt-prefix/src/ext_qt/qtbase/src/corelib/kernel/qcoreapplication.cpp:1064
#27 0x7fc5e23fdc46 in QCoreApplicationPrivate::sendPostedEvents(QObject*,
int, QThreadData*)
/home/appimage/appimage-workspace/deps-build/ext_qt/ext_qt-prefix/src/ext_qt/qtbase/src/corelib/kernel/qcoreapplication.cpp:1821
#28 0x7fc5e2455056 in postEventSourceDispatch
/home/appimage/appimage-workspace/deps-build/ext_qt/ext_qt-prefix/src/ext_qt/qtbase/src/corelib/kernel/qeventdispatcher_glib.cpp:277
#29 0x7fc5e08f117c in g_main_context_dispatch
(/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x5217c)
#30 0x7fc5e08f13ff (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x523ff)
#31 0x7fc5e08f14a2 in g_main_context_iteration
(/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x524a2)
#32 0x7fc5e24546a7 in
QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>)
/home/appimage/appimage-workspace/deps-build/ext_qt/ext_qt-prefix/src/ext_qt/qtbase/src/corelib/kernel/qeventdispatcher_glib.cpp:423
#33 0x7fc5e23f946a in
QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>)
/home/appimage/appimage-workspace/deps-build/ext_qt/ext_qt-prefix/src/ext_qt/qtbase/src/corelib/kernel/qeventloop.cpp:232
#34 0x7fc5e2401a13 in QCoreApplication::exec()
/home/appimage/appimage-workspace/deps-build/ext_qt/ext_qt-prefix/src/ext_qt/qtbase/src/corelib/kernel/qcoreapplication.cpp:1375
#35 0x55da41a3ed84 in main
/home/appimage/persistent/krita/krita/main.cc:731
#36 0x7fc5e1bda082 in __libc_start_main ../csu/libc-start.c:308
#37 0x55da41a427bd in _start
(/home/appimage/appimage-workspace/krita.appdir/usr/bin/krita+0x1d7bd)
0x6020000f4a30 is located 0 bytes inside of 8-byte region
[0x6020000f4a30,0x6020000f4a38)
freed by thread T0 here:
#0 0x7fc5ec51760f in operator delete(void*, unsigned long)
../../../../src/libsanitizer/asan/asan_new_delete.cpp:172
#1 0x7fc5e287978f in QOpenGLContext::destroy()
/home/appimage/appimage-workspace/deps-build/ext_qt/ext_qt-prefix/src/ext_qt/qtbase/src/gui/kernel/qopenglcontext.cpp:655
previously allocated by thread T0 here:
#0 0x7fc5ec5165a7 in operator new(unsigned long)
../../../../src/libsanitizer/asan/asan_new_delete.cpp:99
#1 0x7fc5e2875ca9 in QOpenGLContext::functions() const
/home/appimage/appimage-workspace/deps-build/ext_qt/ext_qt-prefix/src/ext_qt/qtbase/src/gui/kernel/qopenglcontext.cpp:741
SUMMARY: AddressSanitizer: heap-use-after-free
/home/appimage/persistent/krita/libs/ui/opengl/kis_texture_tile.cpp:108 in
KisTextureTile::~KisTextureTile()
Shadow bytes around the buggy address:
0x0c04800168f0: fa fa 00 fa fa fa fd fd fa fa fd fa fa fa fd fd
0x0c0480016900: fa fa fd fd fa fa fd fa fa fa fd fd fa fa 00 fa
0x0c0480016910: fa fa 00 fa fa fa fd fd fa fa fd fd fa fa fd fd
0x0c0480016920: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fa
0x0c0480016930: fa fa fd fd fa fa fd fa fa fa fd fd fa fa fd fa
=>0x0c0480016940: fa fa 00 fa fa fa[fd]fa fa fa fd fd fa fa fd fa
0x0c0480016950: fa fa fd fa fa fa fd fa fa fa 00 fa fa fa fd fa
0x0c0480016960: fa fa fd fa fa fa fd fa fa fa fd fa fa fa 00 fa
0x0c0480016970: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
0x0c0480016980: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
0x0c0480016990: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==77748==ABORTING