SUMMARY

Apply "split alpha into mask" on animated fill layer with Address Sanitizer enabled, get this crash:

=================================================================
==28661==ERROR: AddressSanitizer: heap-use-after-free on address 0x606003220d30 at pc 0x7fe94b8dca48 bp 0x7ffc96fbc1d0 sp 0x7ffc96fbc1c0
READ of size 8 at 0x606003220d30 thread T0
    #0 0x7fe94b8dca47 in KisPixelSelection::KisPixelSelection(KisSharedPtr<KisPaintDevice>, KritaUtils::DeviceCopyMode, KisWeakSharedPtr<KisSelection>) /home/wolthera/krita/src/libs/image/kis_pixel_selection.cpp:96
    #1 0x7fe94b8fb648 in KisSelection::KisSelection(KisSharedPtr<KisPaintDevice>, KritaUtils::DeviceCopyMode, KisSharedPtr<KisDefaultBoundsBase>) /home/wolthera/krita/src/libs/image/kis_selection.cc:82
    #2 0x7fe94b5561a9 in KisMask::Private::initSelectionImpl(KisSharedPtr<KisSelection>, KisSharedPtr<KisLayer>, KisSharedPtr<KisPaintDevice>) /home/wolthera/krita/src/libs/image/kis_mask.cc:181
    #3 0x7fe94b555507 in KisMask::initSelection(KisSharedPtr<KisPaintDevice>, KisSharedPtr<KisLayer>) /home/wolthera/krita/src/libs/image/kis_mask.cc:153
    #4 0x7fe94f484d30 in KisMaskManager::createMaskCommon(KisSharedPtr<KisMask>, KisSharedPtr<KisNode>, KisSharedPtr<KisPaintDevice>, KUndo2MagicString const&, QString const&, QString const&, bool, bool, bool) /home/wolthera/krita/src/libs/ui/kis_mask_manager.cc:172
    #5 0x7fe94f4865cf in KisMaskManager::createTransparencyMask(KisSharedPtr<KisNode>, KisSharedPtr<KisPaintDevice>, bool) /home/wolthera/krita/src/libs/ui/kis_mask_manager.cc:218
    #6 0x7fe94f4b01e9 in KisNodeManager::createNode(QString const&, bool, KisSharedPtr<KisPaintDevice>) /home/wolthera/krita/src/libs/ui/kis_node_manager.cpp:551
    #7 0x7fe94f4bfe3e in KisNodeManager::slotSplitAlphaIntoMask() /home/wolthera/krita/src/libs/ui/kis_node_manager.cpp:1189
    #8 0x7fe94feaa27a in KisNodeManager::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) /home/wolthera/krita/build/libs/ui/kritaui_autogen/EWIEGA46WW/moc_kis_node_manager.cpp:346
    #9 0x7fe948c5fe24 in QMetaObject::activate(QObject*, int, int, void**) (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0x2afe24)
    #10 0x7fe949a200f1 in QAction::triggered(bool) (/usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5+0x1550f1)
    #11 0x7fe949a2270b in QAction::activate(QAction::ActionEvent) (/usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5+0x15770b)
    #12 0x7fe949b973ab (/usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5+0x2cc3ab)
    #13 0x7fe949b9e91a (/usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5+0x2d391a)
    #14 0x7fe949b9f792 in QMenu::mouseReleaseEvent(QMouseEvent*) (/usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5+0x2d4792)
    #15 0x7fe949a66837 in QWidget::event(QEvent*) (/usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5+0x19b837)
    #16 0x7fe949ba1aba in QMenu::event(QEvent*) (/usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5+0x2d6aba)
    #17 0x7fe949a2683b in QApplicationPrivate::notify_helper(QObject*, QEvent*) (/usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5+0x15b83b)
    #18 0x7fe949a2eca7 in QApplication::notify(QObject*, QEvent*) (/usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5+0x163ca7)
    #19 0x7fe94fc2bf3c in KisApplication::notify(QObject*, QEvent*) /home/wolthera/krita/src/libs/ui/KisApplication.cpp:639
    #20 0x7fe948c30327 in QCoreApplication::notifyInternal2(QObject*, QEvent*) (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0x280327)
    #21 0x7fe949a2d29e in QApplicationPrivate::sendMouseEvent(QWidget*, QMouseEvent*, QWidget*, QWidget*, QWidget**, QPointer<QWidget>&, bool, bool) (/usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5+0x16229e)
    #22 0x7fe949a8179c (/usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5+0x1b679c)
    #23 0x7fe949a84349 (/usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5+0x1b9349)
    #24 0x7fe949a2683b in QApplicationPrivate::notify_helper(QObject*, QEvent*) (/usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5+0x15b83b)
    #25 0x7fe949a2ddcf in QApplication::notify(QObject*, QEvent*) (/usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5+0x162dcf)
    #26 0x7fe94fc2bf3c in KisApplication::notify(QObject*, QEvent*) /home/wolthera/krita/src/libs/ui/KisApplication.cpp:639
    #27 0x7fe948c30327 in QCoreApplication::notifyInternal2(QObject*, QEvent*) (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0x280327)
    #28 0x7fe9491f852a in QGuiApplicationPrivate::processMouseEvent(QWindowSystemInterfacePrivate::MouseEvent*) (/usr/lib/x86_64-linux-gnu/libQt5Gui.so.5+0x11352a)
    #29 0x7fe9491f9694 in QGuiApplicationPrivate::processWindowSystemEvent(QWindowSystemInterfacePrivate::WindowSystemEvent*) (/usr/lib/x86_64-linux-gnu/libQt5Gui.so.5+0x114694)
    #30 0x7fe9491d214a in QWindowSystemInterface::sendWindowSystemEvents(QFlags<QEventLoop::ProcessEventsFlag>) (/usr/lib/x86_64-linux-gnu/libQt5Gui.so.5+0xed14a)
    #31 0x7fe92f2f2309 (/usr/lib/x86_64-linux-gnu/libQt5XcbQpa.so.5+0x6b309)
    #32 0x7fe93e9ab386 in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4c386)
    #33 0x7fe93e9ab5bf (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4c5bf)
    #34 0x7fe93e9ab64b in g_main_context_iteration (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4c64b)
    #35 0x7fe948c8d13e in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0x2dd13e)
    #36 0x7fe948c2e649 in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0x27e649)
    #37 0x7fe949b9c5ff in QMenu::exec(QPoint const&, QAction*) (/usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5+0x2d15ff)
    #38 0x7fe8f1f093dc in LayerBox::slotContextMenuRequested(QPoint const&, QModelIndex const&) /home/wolthera/krita/src/plugins/dockers/layerdocker/LayerBox.cpp:681
    #39 0x7fe8f1f12869 in LayerBox::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) /home/wolthera/krita/build/plugins/dockers/layerdocker/kritalayerdocker_autogen/include/moc_LayerBox.cpp:228
    #40 0x7fe948c5fe24 in QMetaObject::activate(QObject*, int, int, void**) (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0x2afe24)
    #41 0x7fe8f1f667fb in NodeView::contextMenuRequested(QPoint const&, QModelIndex const&) /home/wolthera/krita/build/plugins/dockers/layerdocker/kritalayerdocker_autogen/EWIEGA46WW/moc_NodeView.cpp:224
    #42 0x7fe8f1f5d1dc in NodeView::showContextMenu(QPoint const&, QModelIndex const&) /home/wolthera/krita/src/plugins/dockers/layerdocker/NodeView.cpp:318
    #43 0x7fe8f1f5d160 in NodeView::contextMenuEvent(QContextMenuEvent*) /home/wolthera/krita/src/plugins/dockers/layerdocker/NodeView.cpp:313
    #44 0x7fe949a67613 in QWidget::event(QEvent*) (/usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5+0x19c613)
    #45 0x7fe949b08d1d in QFrame::event(QEvent*) (/usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5+0x23dd1d)
    #46 0x7fe949c7fc72 in QAbstractItemView::viewportEvent(QEvent*) (/usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5+0x3b4c72)
    #47 0x7fe949ce980b in QTreeView::viewportEvent(QEvent*) (/usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5+0x41e80b)
    #48 0x7fe8f1f5cbc2 in NodeView::viewportEvent(QEvent*) /home/wolthera/krita/src/plugins/dockers/layerdocker/NodeView.cpp:304
    #49 0x7fe948c300ac in QCoreApplicationPrivate::sendThroughObjectEventFilters(QObject*, QEvent*) (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0x2800ac)
    #50 0x7fe949a26814 in QApplicationPrivate::notify_helper(QObject*, QEvent*) (/usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5+0x15b814)
    #51 0x7fe949a2e2e6 in QApplication::notify(QObject*, QEvent*) (/usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5+0x1632e6)
    #52 0x7fe94fc2bf3c in KisApplication::notify(QObject*, QEvent*) /home/wolthera/krita/src/libs/ui/KisApplication.cpp:639
    #53 0x7fe948c30327 in QCoreApplication::notifyInternal2(QObject*, QEvent*) (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0x280327)
    #54 0x7fe949a81bc7 (/usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5+0x1b6bc7)
    #55 0x7fe949a84349 (/usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5+0x1b9349)
    #56 0x7fe949a2683b in QApplicationPrivate::notify_helper(QObject*, QEvent*) (/usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5+0x15b83b)
    #57 0x7fe949a2ddcf in QApplication::notify(QObject*, QEvent*) (/usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5+0x162dcf)
    #58 0x7fe94fc2bf3c in KisApplication::notify(QObject*, QEvent*) /home/wolthera/krita/src/libs/ui/KisApplication.cpp:639
    #59 0x7fe948c30327 in QCoreApplication::notifyInternal2(QObject*, QEvent*) (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0x280327)
    #60 0x7fe9491f852a in QGuiApplicationPrivate::processMouseEvent(QWindowSystemInterfacePrivate::MouseEvent*) (/usr/lib/x86_64-linux-gnu/libQt5Gui.so.5+0x11352a)
    #61 0x7fe9491f9694 in QGuiApplicationPrivate::processWindowSystemEvent(QWindowSystemInterfacePrivate::WindowSystemEvent*) (/usr/lib/x86_64-linux-gnu/libQt5Gui.so.5+0x114694)
    #62 0x7fe9491d214a in QWindowSystemInterface::sendWindowSystemEvents(QFlags<QEventLoop::ProcessEventsFlag>) (/usr/lib/x86_64-linux-gnu/libQt5Gui.so.5+0xed14a)
    #63 0x7fe92f2f2309 (/usr/lib/x86_64-linux-gnu/libQt5XcbQpa.so.5+0x6b309)
    #64 0x7fe93e9ab386 in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4c386)
    #65 0x7fe93e9ab5bf (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4c5bf)
    #66 0x7fe93e9ab64b in g_main_context_iteration (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4c64b)
    #67 0x7fe948c8d13e in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0x2dd13e)
    #68 0x7fe948c2e649 in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0x27e649)
    #69 0x7fe948c377ff in QCoreApplication::exec() (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0x2877ff)
    #70 0x558b36046581 in main /home/wolthera/krita/src/krita/main.cc:481
    #71 0x7fe94803fb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #72 0x558b3603fba9 in _start (/home/wolthera/krita/inst/bin/krita+0x24dbba9)

0x606003220d30 is located 48 bytes inside of 56-byte region [0x606003220d00,0x606003220d38)
freed by thread T0 here:
    #0 0x7fe9547f72d0 in operator delete(void*) (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xe12d0)
    #1 0x7fe94b8dccc9 in KisPixelSelection::~KisPixelSelection() /home/wolthera/krita/src/libs/image/kis_pixel_selection.cpp:109
    #2 0x7fe94b10608a in KisSharedPtr<KisPaintDevice>::deref(KisSharedPtr<KisPaintDevice> const*, KisPaintDevice*) /home/wolthera/krita/src/libs/global/kis_shared_ptr.h:211
    #3 0x7fe94b0fff14 in KisSharedPtr<KisPaintDevice>::deref() const /home/wolthera/krita/src/libs/global/kis_shared_ptr.h:225
    #4 0x7fe94b0eb6c1 in KisSharedPtr<KisPaintDevice>::~KisSharedPtr() /home/wolthera/krita/src/libs/global/kis_shared_ptr.h:109
    #5 0x7fe94b838c5c in ~DeviceChangeColorSpaceCommand /home/wolthera/krita/src/libs/image/kis_paint_device.cc:901
    #6 0x7fe94b838c83 in ~DeviceChangeColorSpaceCommand /home/wolthera/krita/src/libs/image/kis_paint_device.cc:901
    #7 0x7fe94b825b54 in KisPaintDevice::Private::convertColorSpace(KoColorSpace const*, KoColorConversionTransformation::Intent, QFlags<KoColorConversionTransformation::ConversionFlag>) /home/wolthera/krita/src/libs/image/kis_paint_device.cc:951
    #8 0x7fe94b82cdfa in KisPaintDevice::convertTo(KoColorSpace const*, KoColorConversionTransformation::Intent, QFlags<KoColorConversionTransformation::ConversionFlag>) /home/wolthera/krita/src/libs/image/kis_paint_device.cc:1516
    #9 0x7fe94b8dca22 in KisPixelSelection::KisPixelSelection(KisSharedPtr<KisPaintDevice>, KritaUtils::DeviceCopyMode, KisWeakSharedPtr<KisSelection>) /home/wolthera/krita/src/libs/image/kis_pixel_selection.cpp:94
    #10 0x7fe94b8fb648 in KisSelection::KisSelection(KisSharedPtr<KisPaintDevice>, KritaUtils::DeviceCopyMode, KisSharedPtr<KisDefaultBoundsBase>) /home/wolthera/krita/src/libs/image/kis_selection.cc:82
    #11 0x7fe94b5561a9 in KisMask::Private::initSelectionImpl(KisSharedPtr<KisSelection>, KisSharedPtr<KisLayer>, KisSharedPtr<KisPaintDevice>) /home/wolthera/krita/src/libs/image/kis_mask.cc:181
    #12 0x7fe94b555507 in KisMask::initSelection(KisSharedPtr<KisPaintDevice>, KisSharedPtr<KisLayer>) /home/wolthera/krita/src/libs/image/kis_mask.cc:153
    #13 0x7fe94f484d30 in KisMaskManager::createMaskCommon(KisSharedPtr<KisMask>, KisSharedPtr<KisNode>, KisSharedPtr<KisPaintDevice>, KUndo2MagicString const&, QString const&, QString const&, bool, bool, bool) /home/wolthera/krita/src/libs/ui/kis_mask_manager.cc:172
    #14 0x7fe94f4865cf in KisMaskManager::createTransparencyMask(KisSharedPtr<KisNode>, KisSharedPtr<KisPaintDevice>, bool) /home/wolthera/krita/src/libs/ui/kis_mask_manager.cc:218

previously allocated by thread T0 here:
    #0 0x7fe9547f6458 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xe0458)
    #1 0x7fe94b8fb62b in KisSelection::KisSelection(KisSharedPtr<KisPaintDevice>, KritaUtils::DeviceCopyMode, KisSharedPtr<KisDefaultBoundsBase>) /home/wolthera/krita/src/libs/image/kis_selection.cc:82
    #2 0x7fe94b5561a9 in KisMask::Private::initSelectionImpl(KisSharedPtr<KisSelection>, KisSharedPtr<KisLayer>, KisSharedPtr<KisPaintDevice>) /home/wolthera/krita/src/libs/image/kis_mask.cc:181
    #3 0x7fe94b555507 in KisMask::initSelection(KisSharedPtr<KisPaintDevice>, KisSharedPtr<KisLayer>) /home/wolthera/krita/src/libs/image/kis_mask.cc:153
    #4 0x7fe94f484d30 in KisMaskManager::createMaskCommon(KisSharedPtr<KisMask>, KisSharedPtr<KisNode>, KisSharedPtr<KisPaintDevice>, KUndo2MagicString const&, QString const&, QString const&, bool, bool, bool) /home/wolthera/krita/src/libs/ui/kis_mask_manager.cc:172
    #5 0x7fe94f4865cf in KisMaskManager::createTransparencyMask(KisSharedPtr<KisNode>, KisSharedPtr<KisPaintDevice>, bool) /home/wolthera/krita/src/libs/ui/kis_mask_manager.cc:218
    #6 0x7fe94f4b01e9 in KisNodeManager::createNode(QString const&, bool, KisSharedPtr<KisPaintDevice>) /home/wolthera/krita/src/libs/ui/kis_node_manager.cpp:551
    #7 0x7fe94f4bfe3e in KisNodeManager::slotSplitAlphaIntoMask() /home/wolthera/krita/src/libs/ui/kis_node_manager.cpp:1189
    #8 0x7fe94feaa27a in KisNodeManager::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) /home/wolthera/krita/build/libs/ui/kritaui_autogen/EWIEGA46WW/moc_kis_node_manager.cpp:346
    #9 0x7fe948c5fe24 in QMetaObject::activate(QObject*, int, int, void**) (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0x2afe24)
    #10 0x7fe949a200f1 in QAction::triggered(bool) (/usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5+0x1550f1)

SUMMARY: AddressSanitizer: heap-use-after-free /home/wolthera/krita/src/libs/image/kis_pixel_selection.cpp:96 in KisPixelSelection::KisPixelSelection(KisSharedPtr<KisPaintDevice>, KritaUtils::DeviceCopyMode, KisWeakSharedPtr<KisSelection>)
Shadow bytes around the buggy address:
  0x0c0c8063c150: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fa
  0x0c0c8063c160: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c8063c170: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c8063c180: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c0c8063c190: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c0c8063c1a0: fd fd fd fd fd fd[fd]fa fa fa fa fa fa fa fa fa
  0x0c0c8063c1b0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 fa
  0x0c0c8063c1c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c8063c1d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c8063c1e0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c0c8063c1f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==28661==ABORTING
wolthera@Euthenia:~/krita/build$

Fixed in https://phabricator.kde.org/R37:38175ae5b1efddcecf6f0699544884e5278a7c3f

It still doesn't work, but that should be a separate bug report :)