I got this when painting, I had just merged master to my branch. Have not tried to reproduce.

=================================================================
==19028==ERROR: AddressSanitizer: heap-use-after-free on address 0x610000145650 at pc 0x7f55fac41129 bp 0x7f558fe649c0 sp 0x7f558fe649b0
READ of size 8 at 0x610000145650 thread T807 (Thread (pooled))
    #0 0x7f55fac41128 in std::__atomic_base<unsigned long long>::load(std::memory_order) const /usr/include/c++/7/bits/atomic_base.h:396
    #1 0x7f55fac41128 in Atomic<unsigned long long>::load(MemoryOrder) const /home/wolthera/krita/src/libs/image/3rdparty/lock_free_map/atomic.h:91
    #2 0x7f55fac3fe56 in SimpleJobCoordinator::loadConsume() const /home/wolthera/krita/src/libs/image/3rdparty/lock_free_map/simple_job_coordinator.h:46
    #3 0x7f55fac6471d in ConcurrentMap<unsigned int, KisTile*, DefaultKeyTraits<unsigned int>, DefaultValueTraits<KisTile*> >::migrationInProcess() /home/wolthera/krita/src/libs/image/3rdparty/lock_free_map/concurrent_map.h:51
    #4 0x7f55fac5a03f in KisTileHashTableTraits2<KisTile>::getTileLazy(int, int, bool&) (/home/wolthera/krita/inst/lib/x86_64-linux-gnu/libkritaimage.so.19+0x46403f)
    #5 0x7f55fac58008 in KisTiledDataManager::getTile(int, int, bool) /home/wolthera/krita/src/libs/image/tiles3/swap/../kis_tiled_data_manager.h:120
    #6 0x7f55fac8e1e0 in KisTiledDataManager::getTilesPair(int, int, bool, KisSharedPtr<KisTile>*, KisSharedPtr<KisTile>*) /home/wolthera/krita/src/libs/image/tiles3/kis_tiled_data_manager.h:107
    #7 0x7f55fac99deb in KisRandomAccessor2::fetchTileData(int, int) /home/wolthera/krita/src/libs/image/tiles3/kis_random_accessor.cc:122
    #8 0x7f55fac99a0d in KisRandomAccessor2::moveTo(int, int) /home/wolthera/krita/src/libs/image/tiles3/kis_random_accessor.cc:89
    #9 0x7f55fac98d74 in KisRandomAccessor2::KisRandomAccessor2(KisTiledDataManager*, int, int, int, int, bool, KisIteratorCompleteListener*) /home/wolthera/krita/src/libs/image/tiles3/kis_random_accessor.cc:38
    #10 0x7f55fb482bde in KisPaintDevice::Private::KisPaintDeviceStrategy::createRandomAccessorNG(int, int) /home/wolthera/krita/src/libs/image/kis_paint_device_strategies.h:111
    #11 0x7f55fb46a840 in KisPaintDevice::createRandomAccessorNG(int, int) /home/wolthera/krita/src/libs/image/kis_paint_device.cc:1786
    #12 0x7f55fad185bc in KisPainter::bltFixed(QRect const&, QList<KisRenderedDab>) /home/wolthera/krita/src/libs/image/kis_painter_blt_multi_fixed.cpp:180
    #13 0x7f55bb2e2d87 in operator() /home/wolthera/krita/src/plugins/paintops/defaultpaintops/brush/kis_brushop.cpp:318
    #14 0x7f55bb2e81ae in _M_invoke /usr/include/c++/7/bits/std_function.h:316
    #15 0x7f55ff391915 in std::function<void ()>::operator()() const /usr/include/c++/7/bits/std_function.h:706
    #16 0x7f55fb03cca2 in KisRunnableStrokeJobData::run() /home/wolthera/krita/src/libs/image/KisRunnableStrokeJobData.cpp:46
    #17 0x7f55fb03ae95 in KisRunnableBasedStrokeStrategy::doStrokeCallback(KisStrokeJobData*) /home/wolthera/krita/src/libs/image/KisRunnableBasedStrokeStrategy.cpp:73
    #18 0x7f55ff39848c in FreehandStrokeStrategy::doStrokeCallback(KisStrokeJobData*) /home/wolthera/krita/src/libs/ui/tool/strokes/freehand_stroke.cpp:220
    #19 0x7f55fb033b0d in SimpleStrokeJobStrategy::run(KisStrokeJobData*) /home/wolthera/krita/src/libs/image/kis_simple_stroke_strategy.cpp:51
    #20 0x7f55fb045aa6 in KisStrokeJob::run() /home/wolthera/krita/src/libs/image/kis_stroke_job.h:44
    #21 0x7f55fb6bf27e in KisUpdateJobItem::run() /home/wolthera/krita/build/libs/image/kritaimage_autogen/EWIEGA46WW/../../../../../src/libs/image/kis_update_job_item.h:91
    #22 0x7f55f85063e1 (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0xac3e1)
    #23 0x7f55f8501c71 (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0xa7c71)
    #24 0x7f55f74a46da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
    #25 0x7f55f7be988e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x12188e)

0x610000145650 is located 16 bytes inside of 184-byte region [0x610000145640,0x6100001456f8)
freed by thread T801 (Thread (pooled)) here:
    #0 0x7f560429b7b8 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xde7b8)
    #1 0x7f55fac6ac73 in Leapfrog<ConcurrentMap<unsigned int, KisTile*, DefaultKeyTraits<unsigned int>, DefaultValueTraits<KisTile*> > >::Table::destroy() /home/wolthera/krita/src/libs/image/3rdparty/lock_free_map/leapfrog.h:86
    #2 0x7f55fac702ca in Leapfrog<ConcurrentMap<unsigned int, KisTile*, DefaultKeyTraits<unsigned int>, DefaultValueTraits<KisTile*> > >::TableMigration::destroy() /home/wolthera/krita/src/libs/image/3rdparty/lock_free_map/leapfrog.h:142
    #3 0x7f55fac70427 in void QSBR::enqueue<Leapfrog<ConcurrentMap<unsigned int, KisTile*, DefaultKeyTraits<unsigned int>, DefaultValueTraits<KisTile*> > >::TableMigration>(void (Leapfrog<ConcurrentMap<unsigned int, KisTile*, DefaultKeyTraits<unsigned int>, DefaultValueTraits<KisTile*> > >::TableMigration::*)(), Leapfrog<ConcurrentMap<unsigned int, KisTile*, DefaultKeyTraits<unsigned int>, DefaultValueTraits<KisTile*> > >::TableMigration*, bool)::Closure::thunk(void*) /home/wolthera/krita/src/libs/image/3rdparty/lock_free_map/qsbr.h:83
    #4 0x7f55fac403f6 in QSBR::Action::operator()() /home/wolthera/krita/src/libs/image/3rdparty/lock_free_map/qsbr.h:38
    #5 0x7f55fac405e9 in QSBR::releasePoolSafely(KisLocklessStack<QSBR::Action>*, bool) /home/wolthera/krita/src/libs/image/3rdparty/lock_free_map/qsbr.h:62
    #6 0x7f55fac57d17 in QSBR::update(bool) /home/wolthera/krita/src/libs/image/3rdparty/lock_free_map/qsbr.h:101
    #7 0x7f55fac5a04c in KisTileHashTableTraits2<KisTile>::getTileLazy(int, int, bool&) (/home/wolthera/krita/inst/lib/x86_64-linux-gnu/libkritaimage.so.19+0x46404c)
    #8 0x7f55fac58008 in KisTiledDataManager::getTile(int, int, bool) /home/wolthera/krita/src/libs/image/tiles3/swap/../kis_tiled_data_manager.h:120
    #9 0x7f55fac8e1e0 in KisTiledDataManager::getTilesPair(int, int, bool, KisSharedPtr<KisTile>*, KisSharedPtr<KisTile>*) /home/wolthera/krita/src/libs/image/tiles3/kis_tiled_data_manager.h:107
    #10 0x7f55fac99deb in KisRandomAccessor2::fetchTileData(int, int) /home/wolthera/krita/src/libs/image/tiles3/kis_random_accessor.cc:122
    #11 0x7f55fac99a0d in KisRandomAccessor2::moveTo(int, int) /home/wolthera/krita/src/libs/image/tiles3/kis_random_accessor.cc:89
    #12 0x7f55fac98d74 in KisRandomAccessor2::KisRandomAccessor2(KisTiledDataManager*, int, int, int, int, bool, KisIteratorCompleteListener*) /home/wolthera/krita/src/libs/image/tiles3/kis_random_accessor.cc:38
    #13 0x7f55fb482bde in KisPaintDevice::Private::KisPaintDeviceStrategy::createRandomAccessorNG(int, int) /home/wolthera/krita/src/libs/image/kis_paint_device_strategies.h:111
    #14 0x7f55fb46a840 in KisPaintDevice::createRandomAccessorNG(int, int) /home/wolthera/krita/src/libs/image/kis_paint_device.cc:1786
    #15 0x7f55fad185bc in KisPainter::bltFixed(QRect const&, QList<KisRenderedDab>) /home/wolthera/krita/src/libs/image/kis_painter_blt_multi_fixed.cpp:180
    #16 0x7f55bb2e2d87 in operator() /home/wolthera/krita/src/plugins/paintops/defaultpaintops/brush/kis_brushop.cpp:318
    #17 0x7f55bb2e81ae in _M_invoke /usr/include/c++/7/bits/std_function.h:316
    #18 0x7f55ff391915 in std::function<void ()>::operator()() const /usr/include/c++/7/bits/std_function.h:706
    #19 0x7f55fb03cca2 in KisRunnableStrokeJobData::run() /home/wolthera/krita/src/libs/image/KisRunnableStrokeJobData.cpp:46
    #20 0x7f55fb03ae95 in KisRunnableBasedStrokeStrategy::doStrokeCallback(KisStrokeJobData*) /home/wolthera/krita/src/libs/image/KisRunnableBasedStrokeStrategy.cpp:73
    #21 0x7f55ff39848c in FreehandStrokeStrategy::doStrokeCallback(KisStrokeJobData*) /home/wolthera/krita/src/libs/ui/tool/strokes/freehand_stroke.cpp:220
    #22 0x7f55fb033b0d in SimpleStrokeJobStrategy::run(KisStrokeJobData*) /home/wolthera/krita/src/libs/image/kis_simple_stroke_strategy.cpp:51
    #23 0x7f55fb045aa6 in KisStrokeJob::run() /home/wolthera/krita/src/libs/image/kis_stroke_job.h:44
    #24 0x7f55fb6bf27e in KisUpdateJobItem::run() /home/wolthera/krita/build/libs/image/kritaimage_autogen/EWIEGA46WW/../../../../../src/libs/image/kis_update_job_item.h:91
    #25 0x7f55f85063e1 (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0xac3e1)

previously allocated by thread T802 (Thread (pooled)) here:
    #0 0x7f560429bb50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
    #1 0x7f55fac6aaba in Leapfrog<ConcurrentMap<unsigned int, KisTile*, DefaultKeyTraits<unsigned int>, DefaultValueTraits<KisTile*> > >::Table::create(unsigned long long) /home/wolthera/krita/src/libs/image/3rdparty/lock_free_map/leapfrog.h:67
    #2 0x7f55fac668c8 in ConcurrentMap<unsigned int, KisTile*, DefaultKeyTraits<unsigned int>, DefaultValueTraits<KisTile*> >::ConcurrentMap(unsigned long long) /home/wolthera/krita/src/libs/image/3rdparty/lock_free_map/concurrent_map.h:33
    #3 0x7f55fac5b4a1 in KisTileHashTableTraits2<KisTile>::KisTileHashTableTraits2(KisMementoManager*) (/home/wolthera/krita/inst/lib/x86_64-linux-gnu/libkritaimage.so.19+0x4654a1)
    #4 0x7f55fac4e906 in KisTiledDataManager::KisTiledDataManager(unsigned int, unsigned char const*) /home/wolthera/krita/src/libs/image/tiles3/kis_tiled_data_manager.cc:50
    #5 0x7f55fb472725 in KisDataManager::KisDataManager(unsigned int, unsigned char const*) /home/wolthera/krita/src/libs/image/kis_datamanager.h:57
    #6 0x7f55fb45f818 in KisPaintDevice::Private::init(KoColorSpace const*, unsigned char const*) /home/wolthera/krita/src/libs/image/kis_paint_device.cc:983
    #7 0x7f55fb4607f8 in KisPaintDevice::init(KoColorSpace const*, KisSharedPtr<KisDefaultBoundsBase>, KisWeakSharedPtr<KisNode>, QString const&) /home/wolthera/krita/src/libs/image/kis_paint_device.cc:1020
    #8 0x7f55fb45fd07 in KisPaintDevice::KisPaintDevice(KoColorSpace const*, QString const&) /home/wolthera/krita/src/libs/image/kis_paint_device.cc:992
    #9 0x7f55fb46ee71 in KisPaintDevice::createCompositionSourceDevice() const /home/wolthera/krita/src/libs/image/kis_paint_device.cc:1987
    #10 0x7f55ff3aa2ed in KisPainterBasedStrokeStrategy::initStrokeCallback() /home/wolthera/krita/src/libs/ui/tool/strokes/kis_painter_based_stroke_strategy.cpp:243
    #11 0x7f55ff39756f in FreehandStrokeStrategy::initStrokeCallback() /home/wolthera/krita/src/libs/ui/tool/strokes/freehand_stroke.cpp:135
    #12 0x7f55fb03395f in SimpleStrokeJobStrategy::run(KisStrokeJobData*) /home/wolthera/krita/src/libs/image/kis_simple_stroke_strategy.cpp:40
    #13 0x7f55fb045aa6 in KisStrokeJob::run() /home/wolthera/krita/src/libs/image/kis_stroke_job.h:44
    #14 0x7f55fb6bf27e in KisUpdateJobItem::run() /home/wolthera/krita/build/libs/image/kritaimage_autogen/EWIEGA46WW/../../../../../src/libs/image/kis_update_job_item.h:91
    #15 0x7f55f85063e1 (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0xac3e1)

Thread T807 (Thread (pooled)) created by T805 (Thread (pooled)) here:
    #0 0x7f56041f4d2f in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x37d2f)
    #1 0x7f55f85012ed in QThread::start(QThread::Priority) (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0xa72ed)

Thread T805 (Thread (pooled)) created by T803 (Thread (pooled)) here:
    #0 0x7f56041f4d2f in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x37d2f)
    #1 0x7f55f85012ed in QThread::start(QThread::Priority) (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0xa72ed)

Thread T803 (Thread (pooled)) created by T802 (Thread (pooled)) here:
    #0 0x7f56041f4d2f in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x37d2f)
    #1 0x7f55f85012ed in QThread::start(QThread::Priority) (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0xa72ed)

Thread T802 (Thread (pooled)) created by T0 here:
    #0 0x7f56041f4d2f in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x37d2f)
    #1 0x7f55f85012ed in QThread::start(QThread::Priority) (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0xa72ed)

Thread T801 (Thread (pooled)) created by T0 here:
    #0 0x7f56041f4d2f in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x37d2f)
    #1 0x7f55f85012ed in QThread::start(QThread::Priority) (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0xa72ed)

SUMMARY: AddressSanitizer: heap-use-after-free /usr/include/c++/7/bits/atomic_base.h:396 in std::__atomic_base<unsigned long long>::load(std::memory_order) const
Shadow bytes around the buggy address:
  0x0c2080020a70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2080020a80: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c2080020a90: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c2080020aa0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c2080020ab0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
=>0x0c2080020ac0: fa fa fa fa fa fa fa fa fd fd[fd]fd fd fd fd fd
  0x0c2080020ad0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c2080020ae0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c2080020af0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c2080020b00: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c2080020b10: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==19028==ABORTING
wolthera@Euthenia:~/krita/build$
Assigning this to dmitry.
Git commit 9894a2026969636e3a8caecf4bd47491366c2ddb by Dmitry Kazakov.
Committed on 24/09/2019 at 11:59.
Pushed by dkazakov into branch 'master'.

Fix crash in lockfree hash table garbage collection

I'm not sure how migrationInProgress() was supposed to fix the linearization issue (I guess it was there originally), but it just didn't work. We have rawPointerUsersLock instead of it, so it should be safe just to remove it.

M +5 -0 libs/image/3rdparty/lock_free_map/leapfrog.h
M +6 -5 libs/image/3rdparty/lock_free_map/qsbr.h
M +6 -6 libs/image/tiles3/kis_tile_hash_table2.h

https://invent.kde.org/kde/krita/commit/9894a2026969636e3a8caecf4bd47491366c2ddb
Git commit 9f9e8e07d34dbc9d95d7c257ca6823e54e37135e by Boudewijn Rempt, on behalf of Dmitry Kazakov.
Committed on 03/10/2019 at 12:27.
Pushed by rempt into branch 'krita/4.2'.

Fix crash in lockfree hash table garbage collection

I'm not sure how migrationInProgress() was supposed to fix the linearization issue (I guess it was there originally), but it just didn't work. We have rawPointerUsersLock instead of it, so it should be safe just to remove it.

M +5 -0 libs/image/3rdparty/lock_free_map/leapfrog.h
M +6 -5 libs/image/3rdparty/lock_free_map/qsbr.h
M +6 -6 libs/image/tiles3/kis_tile_hash_table2.h

https://invent.kde.org/kde/krita/commit/9f9e8e07d34dbc9d95d7c257ca6823e54e37135e
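
The report in this thread shows one pooled thread freeing a Leapfrog table from QSBR::update() while another thread is still reading it in migrationInProcess(), and the commit message names rawPointerUsersLock as the protection that remains. As an added example (not Krita's code and not taken from the commit), here is a minimal C++ model of that kind of protection, assuming the lock acts as a count of readers currently holding raw pointers; DeferredReclaimer, ReaderGuard and Table are hypothetical names.

```cpp
#include <atomic>
#include <functional>
#include <mutex>
#include <vector>

// Simplified model, not Krita's code: destroy retired objects only when no reader is active.
class DeferredReclaimer {
public:
    struct ReaderGuard {  // hold while dereferencing a raw shared pointer
        explicit ReaderGuard(DeferredReclaimer &r) : m_r(r) { ++m_r.m_readers; }
        ~ReaderGuard() { --m_r.m_readers; }
        ReaderGuard(const ReaderGuard &) = delete;
        DeferredReclaimer &m_r;
    };
    // Precondition: the object is already unlinked from every shared root.
    void retire(std::function<void()> destroy) {
        std::lock_guard<std::mutex> lock(m_mutex);
        m_pending.push_back(destroy);
    }
    int update() {  // returns how many pending destructors ran
        std::vector<std::function<void()>> ready;
        {
            std::lock_guard<std::mutex> lock(m_mutex);
            if (m_readers.load() == 0) ready.swap(m_pending);  // else defer
        }
        for (auto &destroy : ready) destroy();
        return static_cast<int>(ready.size());
    }
private:
    std::atomic<int> m_readers{0};
    std::mutex m_mutex;
    std::vector<std::function<void()>> m_pending;
};
struct Table { std::atomic<unsigned long long> jobCoordinator{0}; };
// Replays the report's interleaving on one thread (constructed scenario).
bool readerSurvivesConcurrentRetire() {
    DeferredReclaimer gc;
    Table replacement;
    std::atomic<Table *> root{new Table};
    int during = -1;
    {
        DeferredReclaimer::ReaderGuard guard(gc);
        Table *seen = root.load();                 // reader holds a raw pointer
        Table *old = root.exchange(&replacement);  // migration unlinks the table
        gc.retire([old] { delete old; });
        during = gc.update();                      // reader active: nothing freed
        seen->jobCoordinator.load();               // still valid memory
    }
    return during == 0 && gc.update() == 1;        // freed once the reader left
}
```

The guard only helps if a reader takes it before loading the shared pointer; a pointer obtained outside the guarded section can still outlive its table.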