| Summary: | Crash when transforming a frame [asan backtrace] | | |
|---|---|---|---|
| Product: | [Applications] krita | Reporter: | wolthera <griffinvalley> |
| Component: | Tools/Transform | Assignee: | Krita Bugs <krita-bugs-null> |
| Status: | RESOLVED FIXED | | |
| Severity: | crash | | |
| Priority: | NOR | | |
| Version: | git master (please specify the git hash!) | | |
| Target Milestone: | --- | | |
| Platform: | Other | | |
| OS: | Linux | | |
| Latest Commit: | https://invent.kde.org/kde/krita/commit/9a7cb4bdac690d9dec7cdb820a95d1bc922abdfc | Version Fixed In: | |
| Sentry Crash Report: | | | |
Description
wolthera
2019-03-21 22:27:07 UTC
And again, this time when entering the transformation mode.

```text
==12309==ERROR: AddressSanitizer: heap-use-after-free on address 0x603002ca0e50 at pc 0x562bd44b4539 bp 0x7f7f4314a130 sp 0x7f7f4314a120
WRITE of size 4 at 0x603002ca0e50 thread T155 (Thread (pooled))
    #0 0x562bd44b4538 in std::__atomic_base<int>::operator--() /usr/include/c++/7/bits/atomic_base.h:304
    #1 0x7f7fc4eda0c1 in bool QAtomicOps<int>::deref<int>(std::atomic<int>&) /usr/include/x86_64-linux-gnu/qt5/QtCore/qatomic_cxx11.h:271
    #2 0x7f7fc4ed9b47 in QBasicAtomicInteger<int>::deref() /usr/include/x86_64-linux-gnu/qt5/QtCore/qbasicatomic.h:115
    #3 0x7f7fc4ef0471 in QSharedPointer<KisLiquifyProperties>::deref(QtSharedPointer::ExternalRefCountData*) (/home/wolthera/krita/inst/lib/x86_64-linux-gnu/kritaplugins/kritatooltransform.so+0xa0471)
    #4 0x7f7fc4eeeb54 in QSharedPointer<KisLiquifyProperties>::deref() (/home/wolthera/krita/inst/lib/x86_64-linux-gnu/kritaplugins/kritatooltransform.so+0x9eb54)
    #5 0x7f7fc4ee9e0b in QSharedPointer<KisLiquifyProperties>::~QSharedPointer() (/home/wolthera/krita/inst/lib/x86_64-linux-gnu/kritaplugins/kritatooltransform.so+0x99e0b)
    #6 0x7f7fc4eea755 in QSharedPointer<KisLiquifyProperties>::operator=(QSharedPointer<KisLiquifyProperties> const&) (/home/wolthera/krita/inst/lib/x86_64-linux-gnu/kritaplugins/kritatooltransform.so+0x9a755)
    #7 0x7f7fc4edf507 in ToolTransformArgs::operator=(ToolTransformArgs const&) /home/wolthera/krita/src/plugins/tools/tool_transform2/tool_transform_args.cc:132
    #8 0x7f7fc50667a4 in TransformStrokeStrategy::doStrokeCallback(KisStrokeJobData*) /home/wolthera/krita/src/plugins/tools/tool_transform2/strokes/transform_stroke_strategy.cpp:229
    #9 0x7f801c67c021 in SimpleStrokeJobStrategy::run(KisStrokeJobData*) /home/wolthera/krita/src/libs/image/kis_simple_stroke_strategy.cpp:51
    #10 0x7f801c6917fc in KisStrokeJob::run() /home/wolthera/krita/src/libs/image/kis_stroke_job.h:44
    #11 0x7f801cd04ff0 in KisUpdateJobItem::run() /home/wolthera/krita/build/libs/image/kritaimage_autogen/EWIEGA46WW/../../../../../src/libs/image/kis_update_job_item.h:91
    #12 0x7f8019ccd351 (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0xac351)
    #13 0x7f8019cc8bc1 (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0xa7bc1)
    #14 0x7f8018c6b6da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
    #15 0x7f80193b088e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x12188e)

0x603002ca0e50 is located 0 bytes inside of 24-byte region [0x603002ca0e50,0x603002ca0e68)
freed by thread T161 (Thread (pooled)) here:
    #0 0x7f8025a682d0 in operator delete(void*) (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xe12d0)
    #1 0x7f7fc4ed948a in QtSharedPointer::ExternalRefCountData::operator delete(void*) /usr/include/x86_64-linux-gnu/qt5/QtCore/qsharedpointer_impl.h:167
    #2 0x7f7fc4ef0491 in QSharedPointer<KisLiquifyProperties>::deref(QtSharedPointer::ExternalRefCountData*) (/home/wolthera/krita/inst/lib/x86_64-linux-gnu/kritaplugins/kritatooltransform.so+0xa0491)
    #3 0x7f7fc4eeeb54 in QSharedPointer<KisLiquifyProperties>::deref() (/home/wolthera/krita/inst/lib/x86_64-linux-gnu/kritaplugins/kritatooltransform.so+0x9eb54)
    #4 0x7f7fc4ee9e0b in QSharedPointer<KisLiquifyProperties>::~QSharedPointer() (/home/wolthera/krita/inst/lib/x86_64-linux-gnu/kritaplugins/kritatooltransform.so+0x99e0b)
    #5 0x7f7fc4eea755 in QSharedPointer<KisLiquifyProperties>::operator=(QSharedPointer<KisLiquifyProperties> const&) (/home/wolthera/krita/inst/lib/x86_64-linux-gnu/kritaplugins/kritatooltransform.so+0x9a755)
    #6 0x7f7fc4edf507 in ToolTransformArgs::operator=(ToolTransformArgs const&) /home/wolthera/krita/src/plugins/tools/tool_transform2/tool_transform_args.cc:132
    #7 0x7f7fc50667a4 in TransformStrokeStrategy::doStrokeCallback(KisStrokeJobData*) /home/wolthera/krita/src/plugins/tools/tool_transform2/strokes/transform_stroke_strategy.cpp:229
    #8 0x7f801c67c021 in SimpleStrokeJobStrategy::run(KisStrokeJobData*) /home/wolthera/krita/src/libs/image/kis_simple_stroke_strategy.cpp:51
    #9 0x7f801c6917fc in KisStrokeJob::run() /home/wolthera/krita/src/libs/image/kis_stroke_job.h:44
    #10 0x7f801cd04ff0 in KisUpdateJobItem::run() /home/wolthera/krita/build/libs/image/kritaimage_autogen/EWIEGA46WW/../../../../../src/libs/image/kis_update_job_item.h:91
    #11 0x7f8019ccd351 (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0xac351)

previously allocated by thread T0 here:
    #0 0x7f8025a67458 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xe0458)
    #1 0x7f7fc4ef02cd in QtSharedPointer::ExternalRefCountWithCustomDeleter<KisLiquifyProperties, QtSharedPointer::NormalDeleter>::create(KisLiquifyProperties*, QtSharedPointer::NormalDeleter, void (*)(QtSharedPointer::ExternalRefCountData*)) (/home/wolthera/krita/inst/lib/x86_64-linux-gnu/kritaplugins/kritatooltransform.so+0xa02cd)
    #2 0x7f7fc4eeeaa3 in void QSharedPointer<KisLiquifyProperties>::internalConstruct<KisLiquifyProperties, QtSharedPointer::NormalDeleter>(KisLiquifyProperties*, QtSharedPointer::NormalDeleter) (/home/wolthera/krita/inst/lib/x86_64-linux-gnu/kritaplugins/kritatooltransform.so+0x9eaa3)
    #3 0x7f7fc4ee9da0 in QSharedPointer<KisLiquifyProperties>::QSharedPointer<KisLiquifyProperties>(KisLiquifyProperties*) (/home/wolthera/krita/inst/lib/x86_64-linux-gnu/kritaplugins/kritatooltransform.so+0x99da0)
    #4 0x7f7fc4eddacf in ToolTransformArgs::ToolTransformArgs() /home/wolthera/krita/src/plugins/tools/tool_transform2/tool_transform_args.cc:52
    #5 0x7f7fc5062484 in TransformStrokeStrategy::TransformStrokeStrategy(KisSharedPtr<KisNode>, QList<KisSharedPtr<KisNode> >, KisSharedPtr<KisSelection>, KisStrokeUndoFacade*) /home/wolthera/krita/src/plugins/tools/tool_transform2/strokes/transform_stroke_strategy.cpp:54
    #6 0x7f7fc4f09e0b in KisToolTransform::startStroke(ToolTransformArgs::TransformMode, bool) /home/wolthera/krita/src/plugins/tools/tool_transform2/kis_tool_transform.cc:931
    #7 0x7f7fc4f08280 in KisToolTransform::activate(KoToolBase::ToolActivation, QSet<KoShape*> const&) /home/wolthera/krita/src/plugins/tools/tool_transform2/kis_tool_transform.cc:805
    #8 0x7f8016146cdd in KoToolManager::Private::postSwitchTool(bool) /home/wolthera/krita/src/libs/flake/KoToolManager.cpp:618
    #9 0x7f80161454fa in KoToolManager::Private::switchTool(KoToolBase*, bool) /home/wolthera/krita/src/libs/flake/KoToolManager.cpp:554
    #10 0x7f8016145ba8 in KoToolManager::Private::switchTool(QString const&, bool) /home/wolthera/krita/src/libs/flake/KoToolManager.cpp:579
    #11 0x7f80161401bb in KoToolManager::switchToolRequested(QString const&) /home/wolthera/krita/src/libs/flake/KoToolManager.cpp:300
    #12 0x7f801614e5b3 in KoToolManager::Private::switchInputDevice(KoInputDevice const&) /home/wolthera/krita/src/libs/flake/KoToolManager.cpp:960
    #13 0x7f8016170d1d in KoToolProxy::tabletEvent(QTabletEvent*, QPointF const&) /home/wolthera/krita/src/libs/flake/KoToolProxy.cpp:173
    #14 0x7f802037722e in KisToolProxy::forwardHoverEvent(QEvent*) /home/wolthera/krita/src/libs/ui/canvas/kis_tool_proxy.cpp:94

Thread T155 (Thread (pooled)) created by T0 here:
    #0 0x7f80259bed2f in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x37d2f)
    #1 0x7f8019cc823d in QThread::start(QThread::Priority) (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0xa723d)

Thread T161 (Thread (pooled)) created by T155 (Thread (pooled)) here:
    #0 0x7f80259bed2f in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x37d2f)
    #1 0x7f8019cc823d in QThread::start(QThread::Priority) (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0xa723d)

SUMMARY: AddressSanitizer: heap-use-after-free /usr/include/c++/7/bits/atomic_base.h:304 in std::__atomic_base<int>::operator--()
Shadow bytes around the buggy address:
  0x0c068058c170: 00 00 00 00 fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c068058c180: fa fa fd fd fd fa fa fa fd fd fd fd fa fa fa fa
  0x0c068058c190: fa fa fa fa fa fa fa fa fa fa fd fd fd fd fa fa
  0x0c068058c1a0: fd fd fd fd fa fa fd fd fd fa fa fa 00 00 00 06
  0x0c068058c1b0: fa fa 00 00 00 00 fa fa fa fa fa fa fa fa 00 00
=>0x0c068058c1c0: 00 00 fa fa fd fd fd fd fa fa[fd]fd fd fa fa fa
  0x0c068058c1d0: fa fa fa fa fa fa 00 00 00 00 fa fa fa fa fa fa
  0x0c068058c1e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fd fd
  0x0c068058c1f0: fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c068058c200: fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c068058c210: fa fa fd fd fd fa fa fa fd fd fd fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==12309==ABORTING
```

Git commit 9a7cb4bdac690d9dec7cdb820a95d1bc922abdfc by Boudewijn Rempt.
Committed on 09/05/2019 at 09:04.
Pushed by rempt into branch 'master'.

Copy the liquify arguments instead of assigning an SP to an SP

I don't know why this only crashed in ASAN builds, maybe pure luck, but apparently assigning a QSharedPointer::operator= causes a double delete when both shared pointers to the same object go out of scope.

M  +28   -0    plugins/tools/tool_transform2/kis_liquify_properties.cpp
M  +5    -0    plugins/tools/tool_transform2/kis_liquify_properties.h
M  +1    -1    plugins/tools/tool_transform2/tool_transform_args.cc

https://invent.kde.org/kde/krita/commit/9a7cb4bdac690d9dec7cdb820a95d1bc922abdfc

asan builds explicitly crash when something with memory is funny, so in other cases I guess this just only creates a memory leak :p
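The ownership change the commit describes ("copy the liquify arguments instead of assigning an SP to an SP"), reduced to a stand-alone program. This is an added example, not Krita code: `std::shared_ptr` stands in for `QSharedPointer`, and the hypothetical `LiquifyProperties`, `SharedArgs` and `CopiedArgs` types stand in for `KisLiquifyProperties` and `ToolTransformArgs`. `SharedArgs::operator=` is the "before" shape, where assignment makes two argument objects share one properties instance whose lifetime then depends on whichever owner is destroyed last; `CopiedArgs::operator=` is the "after" shape, where each argument object keeps exclusive ownership and only the values are copied. A live-instance counter makes the difference observable.

```cpp
// Added example (not Krita code). std::shared_ptr stands in for QSharedPointer;
// LiquifyProperties / SharedArgs / CopiedArgs are hypothetical stand-ins for
// KisLiquifyProperties / ToolTransformArgs.
#include <cstdio>
#include <memory>

// Stand-in for KisLiquifyProperties: a value type with a live-instance counter
// so a test can check how many property objects actually exist.
struct LiquifyProperties {
    double size = 10.0;
    double amount = 0.5;
    static int liveCount;
    LiquifyProperties() { ++liveCount; }
    LiquifyProperties(const LiquifyProperties &o) : size(o.size), amount(o.amount) { ++liveCount; }
    LiquifyProperties &operator=(const LiquifyProperties &) = default;
    ~LiquifyProperties() { --liveCount; }
};
int LiquifyProperties::liveCount = 0;

// "Before": operator= assigns the shared pointer itself. After `a = b` both
// argument objects point at ONE properties instance (the "SP to an SP" pattern).
struct SharedArgs {
    std::shared_ptr<LiquifyProperties> props = std::make_shared<LiquifyProperties>();
    SharedArgs() = default;
    SharedArgs(const SharedArgs &) = default;            // also aliases
    SharedArgs &operator=(const SharedArgs &rhs) {
        if (this != &rhs) props = rhs.props;             // drop ours, share theirs
        return *this;
    }
};

// "After": operator= copies the property values into this object's own
// instance, so every argument object remains the sole owner of its properties.
struct CopiedArgs {
    std::shared_ptr<LiquifyProperties> props = std::make_shared<LiquifyProperties>();
    CopiedArgs() = default;
    CopiedArgs(const CopiedArgs &rhs) : props(std::make_shared<LiquifyProperties>(*rhs.props)) {}
    CopiedArgs &operator=(const CopiedArgs &rhs) {
        if (this != &rhs) *props = *rhs.props;           // copy values, keep ownership
        return *this;
    }
};

// Number of owners of the properties instance that `a` holds after `a = b`.
long sharedAssignUseCount() {
    SharedArgs a, b;
    a = b;
    return a.props.use_count();                          // 2: a and b share one object
}

// A write through `b` is visible through `a`: they are the same object.
bool sharedAssignAliases() {
    SharedArgs a, b;
    a = b;
    b.props->size = 99.0;
    return a.props->size == 99.0 && a.props.get() == b.props.get();
}

long copiedAssignUseCount() {
    CopiedArgs a, b;
    a = b;
    return a.props.use_count();                          // 1: a kept its own object
}

// Values were copied, but a later write through `b` does not reach `a`.
bool copiedAssignIsolated() {
    CopiedArgs a, b;
    b.props->size = 42.0;
    a = b;
    bool copied = a.props->size == 42.0;
    b.props->size = 99.0;
    return copied && a.props->size == 42.0 && a.props.get() != b.props.get();
}

// Live properties instances while two argument objects exist after assignment.
int liveAfterSharedAssign() { SharedArgs a, b; a = b; return LiquifyProperties::liveCount; }  // 1
int liveAfterCopiedAssign() { CopiedArgs a, b; a = b; return LiquifyProperties::liveCount; }  // 2

int main() {
    std::printf("shared:  use_count=%ld aliased=%d live=%d\n",
                sharedAssignUseCount(), sharedAssignAliases(), liveAfterSharedAssign());
    std::printf("copied:  use_count=%ld isolated=%d live=%d\n",
                copiedAssignUseCount(), copiedAssignIsolated(), liveAfterCopiedAssign());
    return 0;
}
```

Reference counting in both `std::shared_ptr` and `QSharedPointer` is atomic, but that guarantee covers distinct pointer instances that refer to one object; the pointer instance itself is an ordinary member, and the backtrace above shows both the freeing thread (T161) and the faulting thread (T155) inside `ToolTransformArgs::operator=` at the same line. Giving each argument object its own properties instance, as the fix does, removes the shared control block from that path altogether, which is why the copying form is the safer default for a value-like argument struct.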