SUMMARY
Got this crash running Krita with Address Sanitizer while making guides. Did not try to reproduce.

=================================================================
==2320==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffd86a29248 at pc 0x7fd8f718dd40 bp 0x7ffd86a28ae0 sp 0x7ffd86a28ad0
READ of size 8 at 0x7ffd86a29248 thread T0
    #0 0x7fd8f718dd3f in QPointF::toPoint() const /usr/include/x86_64-linux-gnu/qt5/QtCore/qpoint.h:409
    #1 0x7fd8f72045ff in QEnterEvent::pos() const (/home/wolthera/krita/inst/lib/x86_64-linux-gnu/libkritaui.so.18+0x2b955ff)
    #2 0x7fd8f720085d in KisGuidesManager::Private::getDocPointFromEvent(QEvent*) /home/wolthera/krita/src/libs/ui/canvas/kis_guides_manager.cpp:580
    #3 0x7fd8f7201092 in KisGuidesManager::eventFilter(QObject*, QEvent*) /home/wolthera/krita/src/libs/ui/canvas/kis_guides_manager.cpp:638
    #4 0x7fd8f7ae75f0 in KisInputManager::eventFilter(QObject*, QEvent*) /home/wolthera/krita/src/libs/ui/input/kis_input_manager.cpp:178
    #5 0x7fd8f7af8220 in KisInputManager::Private::CanvasSwitcher::eventFilter(QObject*, QEvent*) /home/wolthera/krita/src/libs/ui/input/kis_input_manager_p.cpp:272
    #6 0x7fd8f0cd50ac in QCoreApplicationPrivate::sendThroughObjectEventFilters(QObject*, QEvent*) (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0x2800ac)
    #7 0x7fd8f1acb814 in QApplicationPrivate::notify_helper(QObject*, QEvent*) (/usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5+0x15b814)
    #8 0x7fd8f1ad2dcf in QApplication::notify(QObject*, QEvent*) (/usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5+0x162dcf)
    #9 0x7fd8f7cd0f3c in KisApplication::notify(QObject*, QEvent*) /home/wolthera/krita/src/libs/ui/KisApplication.cpp:639
    #10 0x7fd8f0cd5327 in QCoreApplication::notifyInternal2(QObject*, QEvent*) (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0x280327)
    #11 0x7fd8f1ad0948 in QApplicationPrivate::setFocusWidget(QWidget*, Qt::FocusReason) (/usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5+0x160948)
    #12 0x7fd8f1b05c21 in QWidget::setFocus(Qt::FocusReason) (/usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5+0x195c21)
    #13 0x7fd8f1b0a939 (/usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5+0x19a939)
    #14 0x7fd8f0d04e24 in QMetaObject::activate(QObject*, int, int, void**) (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0x2afe24)
    #15 0x7fd8f3b34c62 in KisTimedSignalThreshold::timeout() /home/wolthera/krita/build/libs/image/kritaimage_autogen/EWIEGA46WW/moc_kis_timed_signal_threshold.cpp:161
    #16 0x7fd8f358fb15 in KisTimedSignalThreshold::forceDone() /home/wolthera/krita/src/libs/image/kis_timed_signal_threshold.cpp:58
    #17 0x7fd8f358fcb0 in KisTimedSignalThreshold::start() /home/wolthera/krita/src/libs/image/kis_timed_signal_threshold.cpp:70
    #18 0x7fd8f7af83fe in KisInputManager::Private::CanvasSwitcher::eventFilter(QObject*, QEvent*) /home/wolthera/krita/src/libs/ui/input/kis_input_manager_p.cpp:319
    #19 0x7fd8f0cd50ac in QCoreApplicationPrivate::sendThroughObjectEventFilters(QObject*, QEvent*) (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0x2800ac)
    #20 0x7fd8f1acb814 in QApplicationPrivate::notify_helper(QObject*, QEvent*) (/usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5+0x15b814)
    #21 0x7fd8f1ad3ca7 in QApplication::notify(QObject*, QEvent*) (/usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5+0x163ca7)
    #22 0x7fd8f7cd0f3c in KisApplication::notify(QObject*, QEvent*) /home/wolthera/krita/src/libs/ui/KisApplication.cpp:639
    #23 0x7fd8f0cd5327 in QCoreApplication::notifyInternal2(QObject*, QEvent*) (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0x280327)
    #24 0x7fd8f1ad229e in QApplicationPrivate::sendMouseEvent(QWidget*, QMouseEvent*, QWidget*, QWidget*, QWidget**, QPointer<QWidget>&, bool, bool) (/usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5+0x16229e)
    #25 0x7fd8f1b26a7f (/usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5+0x1b6a7f)
    #26 0x7fd8f1b29349 (/usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5+0x1b9349)
    #27 0x7fd8f1acb83b in QApplicationPrivate::notify_helper(QObject*, QEvent*) (/usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5+0x15b83b)
    #28 0x7fd8f1ad2dcf in QApplication::notify(QObject*, QEvent*) (/usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5+0x162dcf)
    #29 0x7fd8f7cd0f3c in KisApplication::notify(QObject*, QEvent*) /home/wolthera/krita/src/libs/ui/KisApplication.cpp:639
    #30 0x7fd8f0cd5327 in QCoreApplication::notifyInternal2(QObject*, QEvent*) (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0x280327)
    #31 0x7fd8f129d52a in QGuiApplicationPrivate::processMouseEvent(QWindowSystemInterfacePrivate::MouseEvent*) (/usr/lib/x86_64-linux-gnu/libQt5Gui.so.5+0x11352a)
    #32 0x7fd8f129e694 in QGuiApplicationPrivate::processWindowSystemEvent(QWindowSystemInterfacePrivate::WindowSystemEvent*) (/usr/lib/x86_64-linux-gnu/libQt5Gui.so.5+0x114694)
    #33 0x7fd8f127714a in QWindowSystemInterface::sendWindowSystemEvents(QFlags<QEventLoop::ProcessEventsFlag>) (/usr/lib/x86_64-linux-gnu/libQt5Gui.so.5+0xed14a)
    #34 0x7fd8d7397309 (/usr/lib/x86_64-linux-gnu/libQt5XcbQpa.so.5+0x6b309)
    #35 0x7fd8e6a50386 in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4c386)
    #36 0x7fd8e6a505bf (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4c5bf)
    #37 0x7fd8e6a5064b in g_main_context_iteration (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4c64b)
    #38 0x7fd8f0d3213e in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0x2dd13e)
    #39 0x7fd8f0cd3649 in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0x27e649)
    #40 0x7fd8f0cdc7ff in QCoreApplication::exec() (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0x2877ff)
    #41 0x56019f09c581 in main /home/wolthera/krita/src/krita/main.cc:481
    #42 0x7fd8f00e4b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #43 0x56019f095ba9 in _start (/home/wolthera/krita/inst/bin/krita+0x24dbba9)

Address 0x7ffd86a29248 is located in stack of thread T0 at offset 184 in frame
    #0 0x7fd8f7af7c63 in KisInputManager::Private::CanvasSwitcher::eventFilter(QObject*, QEvent*) /home/wolthera/krita/src/libs/ui/input/kis_input_manager_p.cpp:245

  This frame has 3 object(s):
    [32, 48) '<unknown>'
    [96, 112) '<unknown>'
    [160, 184) 'event' <== Memory access at offset 184 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /usr/include/x86_64-linux-gnu/qt5/QtCore/qpoint.h:409 in QPointF::toPoint() const
Shadow bytes around the buggy address:
  0x100030d3d1f0: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
  0x100030d3d200: 00 f2 f2 f2 f2 f2 f2 f2 f8 f2 f2 f2 f2 f2 f2 f2
  0x100030d3d210: 00 f2 f2 f2 f2 f2 f2 f2 00 f2 f2 f2 00 00 00 00
  0x100030d3d220: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100030d3d230: 00 00 f1 f1 f1 f1 f8 f8 f2 f2 f2 f2 f2 f2 f8 f8
=>0x100030d3d240: f2 f2 f2 f2 f2 f2 00 00 00[f2]00 00 00 00 00 00
  0x100030d3d250: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100030d3d260: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100030d3d270: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100030d3d280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100030d3d290: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==2320==ABORTING
Ok, this one is reproducible in an Address Sanitizer build :)
I did some investigation; it really is caused by the call to enterEvent->pos(), which makes it a bug in Qt :(
Git commit dd3746f67dba8552a7f04d1db7aa1fbca68e17fd by Dmitry Kazakov.
Committed on 20/04/2019 at 17:02.
Pushed by dkazakov into branch 'master'.

Fix ASAN crash when creating a guide

In some places we static_cast our event into QEnterEvent, so we should prepare a correct object for that.

M  +6    -1    libs/ui/input/kis_input_manager_p.cpp

https://invent.kde.org/kde/krita/commit/dd3746f67dba8552a7f04d1db7aa1fbca68e17fd
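Added illustration, not Krita or Qt code, of the pattern the commit message and the ASan frame list describe: a base-class event object tagged as Enter is handed to a receiver that static_casts it to the derived type and reads a position that only the derived object carries, so the read lands past the end of the 24-byte stack variable. The Event/EnterEvent types, getDocPointFromEvent, the two maker functions and the tag/dynamic-type check are all constructed for this example; the check is a defensive addition and is not part of the commit.

```cpp
#include <cstddef>
#include <memory>
// Miniature model of QEvent / QEnterEvent, constructed for this example (not Qt code).
struct Event {
    enum Type { None = 0, MouseMove = 5, Enter = 10 };
    explicit Event(Type t) : type_(t) {}
    virtual ~Event() = default;
    Type type() const { return type_; }
private:
    Type type_;
};

// As with QEnterEvent, the position lives only in the derived object.
struct EnterEvent : Event {
    EnterEvent(double x, double y) : Event(Enter), x_(x), y_(y) {}
    double x() const { return x_; }
    double y() const { return y_; }
private:
    double x_, y_;
};

// Receiver in the style of the trace's getDocPointFromEvent: it trusts the type
// tag and static_casts. That is sound only if every Enter-tagged object really
// is an EnterEvent; otherwise x()/y() read past the end of the smaller object.
bool getDocPointFromEvent(const Event* ev, double* outX, double* outY) {
    if (ev->type() != Event::Enter) return false;
    const EnterEvent* ee = static_cast<const EnterEvent*>(ev);
    *outX = ee->x();
    *outY = ee->y();
    return true;
}

// Bytes the static_cast path reads beyond a base-only object: the analogue of
// the read ASan flagged at offset 184, one past the 24-byte 'event' on the stack.
std::size_t overreadBytes() { return sizeof(EnterEvent) - sizeof(Event); }

// Sender before the fix: a plain base object carrying the Enter tag.
std::unique_ptr<Event> makeSyntheticEnterBuggy() { return std::make_unique<Event>(Event::Enter); }

// Sender after the fix: build the type the receivers static_cast to.
std::unique_ptr<Event> makeSyntheticEnterFixed(double x, double y) {
    return std::make_unique<EnterEvent>(x, y);
}

// Debug-build invariant check: does the tag agree with the dynamic type? It is
// false for the buggy sender, catching the mismatch before any static_cast runs.
bool tagMatchesDynamicType(const Event& ev) {
    if (ev.type() != Event::Enter) return true;
    return dynamic_cast<const EnterEvent*>(&ev) != nullptr;
}
```

The buggy sender is deliberately never passed to getDocPointFromEvent here, because that read is undefined behaviour; the check function is what turns the silent overread into a diagnosable failure without a sanitizer build.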