https://bugs.kde.org/show_bug.cgi?id=406950

            Bug ID: 406950
           Summary: Valgrind reports use after free
           Product: kstars
           Version: 3.2.0
          Platform: Mint (Ubuntu based)
                OS: Linux
            Status: REPORTED
          Severity: normal
          Priority: NOR
         Component: general
          Assignee: mutla...@ikarustech.com
          Reporter: ella...@eskimo.com
  Target Milestone: ---

SUMMARY

Was having some stability problems (see also bug #406638) so I decided to run
kstars under Valgrind on amd64.

Valgrind reported a large number of troubling uninitialized data errors, but
the most critical one I saw after a bit of testing was a clear use-after-free.

STEPS TO REPRODUCE
1. Start kstars under valgrind with some appropriate suppressions.
2. Open EKOS and start indi with simulators. I used a guider as well as a CCD.
3. This error appeared around the time I clicked "capture" in the Guide window,
though it seemed somewhat random.

OBSERVED RESULT

org.kde.kstars.ekos.align: "Capturing image..."
org.kde.kstars.fits: Loading FITS file  "/tmp/fitsu28517.fits"
Found one coordinate representation.
org.kde.kstars.ekos.align: "Image received."
org.kde.kstars.ekos.align: "Capturing dark frame..."
org.kde.kstars.fits: Loading FITS file  "/tmp/fitsN28517.fits"
org.kde.kstars.ekos.align: "Dark frame received."
org.kde.kstars.fits: Loading FITS file  "/tmp/fitsN28517.fits"
org.kde.kstars.fits: Saved FITS file:
"/home/elladan/.local/share/kstars/darks/darkframe_2019-04-26T18-42-24.fits"
org.kde.kstars.ekos.align: "Dark frame saved to
/home/elladan/.local/share/kstars/darks/darkframe_2019-04-26T18-42-24.fits"
org.kde.kstars.ekos.align: "Starting solver..."
==28517== Thread 8 Thread (pooled):
==28517== Invalid write of size 1
==28517==    at 0x35114C: operator() (fitsview.cpp:603)
==28517==    by 0x35114C: QtConcurrent::StoredFunctorCall0<void, bool
FITSView::rescale<unsigned short>(FITSZoom)::{lambda()#1}>::runFunctor()
(qtconcurrentstoredfunctioncall.h:70)
==28517==    by 0x35017A: QtConcurrent::RunFunctionTask<void>::run()
(qtconcurrentrunbase.h:136)
==28517==    by 0xA4392B1: ??? (in
/usr/lib/x86_64-linux-gnu/libQt5Core.so.5.9.5)
==28517==    by 0xA43C17C: ??? (in
/usr/lib/x86_64-linux-gnu/libQt5Core.so.5.9.5)
==28517==    by 0xB5526DA: start_thread (pthread_create.c:463)
==28517==    by 0xC7EE88E: clone (clone.S:95)
==28517==  Address 0x7b56f418 is 730,072 bytes inside a block of size
24,000,000 free'd
==28517==    at 0x4C30D3B: free (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==28517==    by 0x9886A44: QImageData::~QImageData() (in
/usr/lib/x86_64-linux-gnu/libQt5Gui.so.5.9.5)
==28517==    by 0x9886AB6: QImage::~QImage() (in
/usr/lib/x86_64-linux-gnu/libQt5Gui.so.5.9.5)
==28517==    by 0x9887C98: QImage::detach() (in
/usr/lib/x86_64-linux-gnu/libQt5Gui.so.5.9.5)
==28517==    by 0x9887D26: QImage::scanLine(int) (in
/usr/lib/x86_64-linux-gnu/libQt5Gui.so.5.9.5)
==28517==    by 0x3510F7: operator() (fitsview.cpp:599)
==28517==    by 0x3510F7: QtConcurrent::StoredFunctorCall0<void, bool
FITSView::rescale<unsigned short>(FITSZoom)::{lambda()#1}>::runFunctor()
(qtconcurrentstoredfunctioncall.h:70)
==28517==    by 0x35017A: QtConcurrent::RunFunctionTask<void>::run()
(qtconcurrentrunbase.h:136)
==28517==    by 0xA4392B1: ??? (in
/usr/lib/x86_64-linux-gnu/libQt5Core.so.5.9.5)
==28517==    by 0xA43C17C: ??? (in
/usr/lib/x86_64-linux-gnu/libQt5Core.so.5.9.5)
==28517==    by 0xB5526DA: start_thread (pthread_create.c:463)
==28517==    by 0xC7EE88E: clone (clone.S:95)
==28517==  Block was alloc'd at
==28517==    at 0x4C2FB0F: malloc (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==28517==    by 0x9886D1E: QImageData::create(QSize const&, QImage::Format) (in
/usr/lib/x86_64-linux-gnu/libQt5Gui.so.5.9.5)
==28517==    by 0x9886E9A: QImage::QImage(QSize const&, QImage::Format) (in
/usr/lib/x86_64-linux-gnu/libQt5Gui.so.5.9.5)
==28517==    by 0x9886ED4: QImage::QImage(int, int, QImage::Format) (in
/usr/lib/x86_64-linux-gnu/libQt5Gui.so.5.9.5)
==28517==    by 0x98874B2: QImage::copy(QRect const&) const (in
/usr/lib/x86_64-linux-gnu/libQt5Gui.so.5.9.5)
==28517==    by 0x9887C7E: QImage::detach() (in
/usr/lib/x86_64-linux-gnu/libQt5Gui.so.5.9.5)
==28517==    by 0x9887D26: QImage::scanLine(int) (in
/usr/lib/x86_64-linux-gnu/libQt5Gui.so.5.9.5)
==28517==    by 0x3510F7: operator() (fitsview.cpp:599)
==28517==    by 0x3510F7: QtConcurrent::StoredFunctorCall0<void, bool
FITSView::rescale<unsigned short>(FITSZoom)::{lambda()#1}>::runFunctor()
(qtconcurrentstoredfunctioncall.h:70)
==28517==    by 0x35017A: QtConcurrent::RunFunctionTask<void>::run()
(qtconcurrentrunbase.h:136)
==28517==    by 0xA4392B1: ??? (in
/usr/lib/x86_64-linux-gnu/libQt5Core.so.5.9.5)
==28517==    by 0xA43C17C: ??? (in
/usr/lib/x86_64-linux-gnu/libQt5Core.so.5.9.5)
==28517==    by 0xB5526DA: start_thread (pthread_create.c:463)
==28517== 

EXPECTED RESULT

Use before free. :-)

SOFTWARE/OS VERSIONS

Kstars: Build: 2019-04-14T19:19:24Z
Linux Mint 19.1 (Tessa)

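In the trace above, the write at fitsview.cpp:603 lands in a block that QImage::detach() freed while being called from QImage::scanLine(int) at fitsview.cpp:599, and that block had itself been allocated by an earlier detach() from the same scanLine() call: a row pointer taken from one scanLine() call was still in use after a later scanLine() call detached again. The following is an added example, not KStars or Qt code, that models that copy-on-write behaviour in a small hypothetical SharedImage class (with the hypothetical helpers fillRowsUnsafe and fillRowsSafe) and shows both the pattern that leaves a cached row pointer dangling and a variant that fills a private, unshared buffer so scanLine() can never detach mid-loop:

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <memory>
#include <vector>

// Hypothetical copy-on-write image modelled on QImage's implicit sharing.
// Not Qt or KStars code; written for this example only.
class SharedImage {
public:
    SharedImage(int w, int h) : d_(std::make_shared<Data>(w, h)) {}
    // Copies are shallow: both objects point at one pixel buffer.
    SharedImage(const SharedImage&) = default;
    SharedImage& operator=(const SharedImage&) = default;

    int width() const { return d_->width; }
    int height() const { return d_->height; }
    bool isShared() const { return d_.use_count() > 1; }
    std::uint8_t pixel(int x, int y) const {
        return d_->pixels[static_cast<std::size_t>(y) * d_->width + x];
    }

    // Like QImage::detach(): when the buffer is shared, deep-copy it so this
    // object owns a private one. Raw pointers taken before this call keep
    // pointing at the OLD buffer, which is freed once its last holder lets go.
    void detach() {
        if (d_.use_count() > 1) d_ = std::make_shared<Data>(*d_);
    }

    // Like QImage::scanLine(int): a writable row pointer, detaching first.
    std::uint8_t* scanLine(int y) {
        detach();
        return d_->pixels.data() + static_cast<std::size_t>(y) * d_->width;
    }

    // True when p lies inside the buffer this object currently owns.
    bool ownsPointer(const std::uint8_t* p) const {
        std::uintptr_t lo = reinterpret_cast<std::uintptr_t>(d_->pixels.data());
        std::uintptr_t hi = lo + d_->pixels.size();
        std::uintptr_t v = reinterpret_cast<std::uintptr_t>(p);
        return v >= lo && v < hi;
    }

    // Number of pixel buffers destroyed so far (stands in for Valgrind's
    // "free'd" record).
    static int buffersFreed() { return freedCounter(); }

private:
    static int& freedCounter() { static int n = 0; return n; }
    struct Data {
        int width, height;
        std::vector<std::uint8_t> pixels;
        Data(int w, int h)
            : width(w), height(h), pixels(static_cast<std::size_t>(w) * h, 0) {}
        Data(const Data&) = default;
        ~Data() { ++freedCounter(); }
    };
    std::shared_ptr<Data> d_;
};

// The pattern in the trace: the worker caches a row pointer, the image gets
// shared with someone else (simulated here by a copy, as another thread might
// take one to paint), and the next scanLine() call detaches. The cached pointer
// now addresses a buffer the image no longer owns, and that buffer is freed when
// the other holder releases it. Returns true when the stale pointer is detected;
// it is deliberately never written through.
bool fillRowsUnsafe(SharedImage& img) {
    std::uint8_t* row0 = img.scanLine(0);      // points into buffer A
    int freedBefore = SharedImage::buffersFreed();
    {
        SharedImage snapshot = img;            // A is now shared
        img.scanLine(1);                       // detach: img moves to buffer B
    }                                          // snapshot released: A is freed
    bool freed = SharedImage::buffersFreed() == freedBefore + 1;
    return freed && !img.ownsPointer(row0);    // row0 is dangling
}

// One fix: fill a buffer nothing else can reach. Detach once, take row pointers
// only afterwards, and do not let the image escape (no copies) until the loop is
// done; then publish the result. Returns true if every row pointer stayed valid.
bool fillRowsSafe(SharedImage& img, std::uint8_t value) {
    SharedImage work = img;
    work.detach();                             // private buffer from here on
    for (int y = 0; y < work.height(); ++y) {
        std::uint8_t* row = work.scanLine(y);  // cannot detach: not shared
        if (!work.ownsPointer(row)) return false;
        std::fill(row, row + work.width(), value);
    }
    img = work;                                // hand the finished image back
    return true;
}

int main() {
    SharedImage a(4, 3);
    bool stale = fillRowsUnsafe(a);
    SharedImage b(4, 3);
    bool ok = fillRowsSafe(b, 7);
    std::printf("stale pointer after detach: %s\n", stale ? "yes" : "no");
    std::printf("private-buffer fill ok: %s\n", ok ? "yes" : "no");
    return (stale && ok && b.pixel(3, 2) == 7) ? 0 : 1;
}
```

The model is single-threaded; it reproduces the ownership change deterministically by taking a copy between two scanLine() calls. In a threaded program like the one in the report the copy can be taken by another thread at any moment, so besides never caching a row pointer across a call that may detach, the worker has to keep the image it writes private (or serialize access with a mutex) until it hands the result over.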