Bug 377286 - Git master - clip paint event leads to heap-use-after-free (crash)
Summary: Git master - clip paint event leads to heap-use-after-free (crash)
Status: RESOLVED FIXED
Alias: None
Product: kdenlive
Classification: Applications
Component: User Interface
Version: git-master
Platform: Compiled Sources Linux
Importance: NOR crash
Target Milestone: ---
Assignee: Jean-Baptiste Mardelle
Reported: 2017-03-06 13:11 UTC by alcinos
Modified: 2019-04-07 17:58 UTC

Description alcinos 2017-03-06 13:11:42 UTC
The bug was triggered in a fairly populated timeline, with operations in various orders among:
- insert clips
- razor clips
- split audio
- ungroup audio
- delete clips
- resize audio
- undo/redo the FULL stack (using the Undo History)

The crash is the following:
=================================================================
==25859==ERROR: AddressSanitizer: heap-use-after-free on address 0x611000cf94b0 at pc 0x0000004dbce3 bp 0x7ffc79f606e0 sp 0x7ffc79f606d0
READ of size 8 at 0x611000cf94b0 thread T0
    #0 0x4dbce2 in QListData::isEmpty() const /usr/include/qt/QtCore/qlist.h:114
    #1 0x55958d in QList<QVariant>::isEmpty() const /usr/include/qt/QtCore/qlist.h:191
    #2 0x66bfea in ClipItem::paint(QPainter*, QStyleOptionGraphicsItem const*, QWidget*) /home/nicolas/Documents/Developpement/Projets/kdenlive/src/timeline/clipitem.cpp:675
    #3 0x7f10feb0de3e  (/usr/lib/libQt5Widgets.so.5+0x469e3e)
    #4 0x7f10feb0ecfe  (/usr/lib/libQt5Widgets.so.5+0x46acfe)
    #5 0x7f10feb0f3a9  (/usr/lib/libQt5Widgets.so.5+0x46b3a9)
    #6 0x7f10feb31189 in QGraphicsView::paintEvent(QPaintEvent*) (/usr/lib/libQt5Widgets.so.5+0x48d189)
    #7 0x7f10fe83e9b7 in QWidget::event(QEvent*) (/usr/lib/libQt5Widgets.so.5+0x19a9b7)
    #8 0x7f10fe926e1d in QFrame::event(QEvent*) (/usr/lib/libQt5Widgets.so.5+0x282e1d)
    #9 0x7f10feb2fc9a in QGraphicsView::viewportEvent(QEvent*) (/usr/lib/libQt5Widgets.so.5+0x48bc9a)
    #10 0x7f10fb10c640 in QCoreApplicationPrivate::sendThroughObjectEventFilters(QObject*, QEvent*) (/usr/lib/libQt5Core.so.5+0x287640)
    #11 0x7f10fe7f7334 in QApplicationPrivate::notify_helper(QObject*, QEvent*) (/usr/lib/libQt5Widgets.so.5+0x153334)
    #12 0x7f10fe7fead0 in QApplication::notify(QObject*, QEvent*) (/usr/lib/libQt5Widgets.so.5+0x15aad0)
    #13 0x7f10fb10c8df in QCoreApplication::notifyInternal2(QObject*, QEvent*) (/usr/lib/libQt5Core.so.5+0x2878df)
    #14 0x7f10fe837739 in QWidgetPrivate::sendPaintEvent(QRegion const&) (/usr/lib/libQt5Widgets.so.5+0x193739)
    #15 0x7f10fe837d88 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) (/usr/lib/libQt5Widgets.so.5+0x193d88)
    #16 0x7f10fe80769d  (/usr/lib/libQt5Widgets.so.5+0x16369d)
    #17 0x7f10fe8078c6  (/usr/lib/libQt5Widgets.so.5+0x1638c6)
    #18 0x7f10fe82673e in QWidgetPrivate::syncBackingStore() (/usr/lib/libQt5Widgets.so.5+0x18273e)
    #19 0x7f10fe83ea87 in QWidget::event(QEvent*) (/usr/lib/libQt5Widgets.so.5+0x19aa87)
    #20 0x7f10fe93dd4a in QMainWindow::event(QEvent*) (/usr/lib/libQt5Widgets.so.5+0x299d4a)
    #21 0x7f11029b8009 in KMainWindow::event(QEvent*) (/usr/lib/libKF5XmlGui.so.5+0x8b009)
    #22 0x7f1102a09a84 in KXmlGuiWindow::event(QEvent*) (/usr/lib/libKF5XmlGui.so.5+0xdca84)
    #23 0xd95e80 in MainWindow::event(QEvent*) /home/nicolas/Documents/Developpement/Projets/kdenlive/src/mainwindow.cpp:757
    #24 0x7f10fe7f735b in QApplicationPrivate::notify_helper(QObject*, QEvent*) (/usr/lib/libQt5Widgets.so.5+0x15335b)
    #25 0x7f10fe7fead0 in QApplication::notify(QObject*, QEvent*) (/usr/lib/libQt5Widgets.so.5+0x15aad0)
    #26 0x7f10fb10c8df in QCoreApplication::notifyInternal2(QObject*, QEvent*) (/usr/lib/libQt5Core.so.5+0x2878df)
    #27 0x7f10fb10f06c in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) (/usr/lib/libQt5Core.so.5+0x28a06c)
    #28 0x7f10feb01301  (/usr/lib/libQt5Widgets.so.5+0x45d301)
    #29 0x7f10feb06b58  (/usr/lib/libQt5Widgets.so.5+0x462b58)
    #30 0x7f10fb138f28 in QObject::event(QEvent*) (/usr/lib/libQt5Core.so.5+0x2b3f28)
    #31 0x7f10feb136ea in QGraphicsScene::event(QEvent*) (/usr/lib/libQt5Widgets.so.5+0x46f6ea)
    #32 0x7f10fe7f735b in QApplicationPrivate::notify_helper(QObject*, QEvent*) (/usr/lib/libQt5Widgets.so.5+0x15335b)
    #33 0x7f10fe7fead0 in QApplication::notify(QObject*, QEvent*) (/usr/lib/libQt5Widgets.so.5+0x15aad0)
    #34 0x7f10fb10c8df in QCoreApplication::notifyInternal2(QObject*, QEvent*) (/usr/lib/libQt5Core.so.5+0x2878df)
    #35 0x7f10fb10f06c in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) (/usr/lib/libQt5Core.so.5+0x28a06c)
    #36 0x7f10fb160eb2  (/usr/lib/libQt5Core.so.5+0x2dbeb2)
    #37 0x7f10f42e1586 in g_main_context_dispatch (/usr/lib/libglib-2.0.so.0+0x4a586)
    #38 0x7f10f42e17ef  (/usr/lib/libglib-2.0.so.0+0x4a7ef)
    #39 0x7f10f42e189b in g_main_context_iteration (/usr/lib/libglib-2.0.so.0+0x4a89b)
    #40 0x7f10fb1612be in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (/usr/lib/libQt5Core.so.5+0x2dc2be)
    #41 0x7f10fb10ad39 in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) (/usr/lib/libQt5Core.so.5+0x285d39)
    #42 0x7f10fb11323b in QCoreApplication::exec() (/usr/lib/libQt5Core.so.5+0x28e23b)
    #43 0xd84fd5 in main /home/nicolas/Documents/Developpement/Projets/kdenlive/src/main.cpp:153
    #44 0x7f10fa264290 in __libc_start_main (/usr/lib/libc.so.6+0x20290)
    #45 0x498379 in _start (/home/nicolas/Documents/Developpement/Projets/kdenlive/build/src/kdenlive+0x498379)

0x611000cf94b0 is located 112 bytes inside of 240-byte region [0x611000cf9440,0x611000cf9530)
freed by thread T0 here:
    #0 0x7f11065e1500 in operator delete(void*) /build/gcc/src/gcc/libsanitizer/asan/asan_new_delete.cc:92
    #1 0xd36471 in ProjectClip::~ProjectClip() /home/nicolas/Documents/Developpement/Projets/kdenlive/src/bin/projectclip.cpp:114
    #2 0xced6ea in Bin::deleteClip(QString const&) /home/nicolas/Documents/Developpement/Projets/kdenlive/src/bin/bin.cpp:978
    #3 0xd582cf in AddClipCommand::undo() /home/nicolas/Documents/Developpement/Projets/kdenlive/src/bin/bincommands.cpp:326
    #4 0x7f10feb671cc in QUndoCommand::undo() (/usr/lib/libQt5Widgets.so.5+0x4c31cc)

previously allocated by thread T0 here:
    #0 0x7f11065e0e80 in operator new(unsigned long) /build/gcc/src/gcc/libsanitizer/asan/asan_new_delete.cc:60
    #1 0xcf387c in Bin::createClip(QDomElement const&) /home/nicolas/Documents/Developpement/Projets/kdenlive/src/bin/bin.cpp:1339
    #2 0xd1be43 in Bin::addClip(QDomElement, QString const&) /home/nicolas/Documents/Developpement/Projets/kdenlive/src/bin/bin.cpp:3970
    #3 0xd583ed in AddClipCommand::redo() /home/nicolas/Documents/Developpement/Projets/kdenlive/src/bin/bincommands.cpp:335
    #4 0x7f10feb6714d in QUndoCommand::redo() (/usr/lib/libQt5Widgets.so.5+0x4c314d)

SUMMARY: AddressSanitizer: heap-use-after-free /usr/include/qt/QtCore/qlist.h:114 in QListData::isEmpty() const
==25859==ABORTING

It seems that the binController is being deleted by the redo while a paint event of the clip is executed (race condition).
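The ownership problem behind this trace (ClipItem::paint reading a ProjectClip member after AddClipCommand::undo freed it through Bin::deleteClip), as an added example that is not kdenlive's code: a raw-pointer timeline item beside a weak_ptr-based one that re-validates the bin clip on every paint. BinClip, Bin, RawTimelineItem and SafeTimelineItem are hypothetical stand-ins.

```cpp
#include <map>
#include <memory>
#include <string>
#include <vector>

// Stand-in for ProjectClip: the bin-owned object whose QList was read after free.
struct BinClip {
    std::string id;
    std::vector<int> markers;  // stands in for the QList<QVariant> read in paint()
};

// Stand-in for Bin, which owns the clips (Bin::createClip / Bin::deleteClip).
struct Bin {
    std::map<std::string, std::shared_ptr<BinClip>> clips;
    std::shared_ptr<BinClip> createClip(const std::string& id) {
        auto c = std::make_shared<BinClip>(BinClip{id, {1, 2, 3}});
        clips[id] = c;
        return c;
    }
    void deleteClip(const std::string& id) { clips.erase(id); }  // drops the owning ref
};

// Buggy timeline item (never called here): it caches a raw pointer, so a paint
// event arriving after deleteClip() reads freed memory, which is what ASan reported.
struct RawTimelineItem {
    BinClip* clip;
    bool paint() const { return !clip->markers.empty(); }  // heap-use-after-free
};

// Hardened timeline item: keeps only a weak reference and re-validates on each paint.
struct SafeTimelineItem {
    std::weak_ptr<BinClip> clip;
    // Returns false (draw nothing) when the bin has already deleted the clip.
    bool paint() const {
        if (auto c = clip.lock()) return !c->markers.empty();
        return false;
    }
};

// Replays the sequence from the report: clip created (redo), deleted (undo),
// then a paint event. Returns true when the hardened item painted once and then
// skipped the dangling clip instead of dereferencing it.
bool paintAfterUndo() {
    Bin bin;
    SafeTimelineItem item{bin.createClip("clip1")};
    bool before = item.paint();      // true while the clip is alive
    bin.deleteClip("clip1");         // AddClipCommand::undo() -> Bin::deleteClip()
    return before && !item.paint();  // paint after delete is safely a no-op
}
```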
Comment 1 Christoph Feck 2018-01-10 14:36:40 UTC
Is this still reproducible with a recent version?
Comment 2 emohr 2019-04-07 16:17:56 UTC
Please try with the Kdenlive_Nightly_Appimage:
https://binary-factory.kde.org/job/Kdenlive_Nightly_Appimage_Build/lastSuccessfulBuild/artifact/
Comment 3 alcinos 2019-04-07 17:58:54 UTC
This is a report from the old version; I will consider it closed because this code doesn't exist anymore.