Bug 447131 - ASAN crash when changing brushes too quickly
Summary: ASAN crash when changing brushes too quickly
Status: RESOLVED FIXED
Alias: None
Product: krita
Classification: Applications
Component: Resource Management
Version: git master
Platform: Other Linux
Importance: NOR crash
Target Milestone: ---
Assignee: Krita Bugs
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-12-17 13:43 UTC by Dmitry Kazakov
Modified: 2021-12-20 15:54 UTC

See Also:
Latest Commit:
Version Fixed In:
Sentry Crash Report:


Description Dmitry Kazakov 2021-12-17 13:43:32 UTC
STEPS TO REPRODUCE
1. Open Brush Presets docker
2. Click and Drag on it to activate scrolling
3. While scrolling, the presets will start switching very quickly and in the end crash Krita

=================================================================
==13937==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62900509f200 at pc 0x7f9b9976043c bp 0x7ffec1da2bb0 sp 0x7ffec1da2ba0
READ of size 4 at 0x62900509f200 thread T0
    #0 0x7f9b9976043b in estimateImageAverage /home/appimage/persistent/krita/libs/brush/KisColorfulBrush.cpp:28
    #1 0x7f9b99760a15 in KisColorfulBrush::adjustedMidPoint() const /home/appimage/persistent/krita/libs/brush/KisColorfulBrush.cpp:46
    #2 0x7f9b6ab3076f in KisPredefinedBrushChooser::slotUpdateResetBrushAdjustmentsButtonState() /home/appimage/persistent/krita/plugins/paintops/libpaintop/kis_predefined_brush_chooser.cpp:485
    #3 0x7f9b6ab37615 in KisPredefinedBrushChooser::slotUpdateBrushModeButtonsState() /home/appimage/persistent/krita/plugins/paintops/libpaintop/kis_predefined_brush_chooser.cpp:457
    #4 0x7f9b6ab3bf31 in KisPredefinedBrushChooser::updateBrushTip(QSharedPointer<KoResource>, bool) /home/appimage/persistent/krita/plugins/paintops/libpaintop/kis_predefined_brush_chooser.cpp:404
    #5 0x7f9b6ab3ea61 in KisPredefinedBrushChooser::setBrush(QSharedPointer<KisBrush>) /home/appimage/persistent/krita/plugins/paintops/libpaintop/kis_predefined_brush_chooser.cpp:236
    #6 0x7f9b6ab5d13a in KisBrushSelectionWidget::setCurrentBrush(QSharedPointer<KisBrush>) /home/appimage/persistent/krita/plugins/paintops/libpaintop/kis_brush_selection_widget.cpp:125
    #7 0x7f9b6ab519cf in KisBrushOptionWidget::readOptionSetting(KisPinnedSharedPtr<KisPropertiesConfiguration>) /home/appimage/persistent/krita/plugins/paintops/libpaintop/kis_brush_option_widget.cpp:60
    #8 0x7f9b9b2239f7 in KisPaintOpOption::startReadOptionSetting(KisPinnedSharedPtr<KisPropertiesConfiguration>) /home/appimage/persistent/krita/libs/ui/kis_paintop_option.cpp:68
    #9 0x7f9b9b2357a0 in KisPaintOpSettingsWidget::setConfiguration(KisPinnedSharedPtr<KisPropertiesConfiguration>) /home/appimage/persistent/krita/libs/ui/kis_paintop_settings_widget.cpp:117
    #10 0x7f9b97dbcfe3 in KisPaintOpConfigWidget::setConfigurationSafe(KisPinnedSharedPtr<KisPropertiesConfiguration>) /home/appimage/persistent/krita/libs/image/brushengine/kis_paintop_config_widget.cpp:40
    #11 0x7f9b9b1ee788 in KisPaintopBox::setCurrentPaintop(QSharedPointer<KisPaintOpPreset>) /home/appimage/persistent/krita/libs/ui/kis_paintop_box.cc:651
    #12 0x7f9b9b1f2b64 in KisPaintopBox::resourceSelected(QSharedPointer<KoResource>) /home/appimage/persistent/krita/libs/ui/kis_paintop_box.cc:604
    #13 0x7f9b9aa31f27 in KisPaintopBox::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) /home/appimage/appimage-workspace/krita-build/libs/ui/kritaui_autogen/EWIEGA46WW/moc_kis_paintop_box.cpp:244
    #14 0x7f9b8e12b858 in QMetaObject::activate(QObject*, int, int, void**) (/home/appimage/appimage-workspace/deps/usr/lib/libQt5Core.so.5+0x2b4858)
    #15 0x7f9b9aa07b95 in KisPaintOpPresetsChooserPopup::resourceSelected(QSharedPointer<KoResource>) /home/appimage/appimage-workspace/krita-build/libs/ui/kritaui_autogen/IMAN36LHMA/moc_kis_paintop_presets_chooser_popup.cpp:186
    #16 0x7f9b9aa2b914 in KisPaintOpPresetsChooserPopup::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) /home/appimage/appimage-workspace/krita-build/libs/ui/kritaui_autogen/IMAN36LHMA/moc_kis_paintop_presets_chooser_popup.cpp:103
    #17 0x7f9b8e12b858 in QMetaObject::activate(QObject*, int, int, void**) (/home/appimage/appimage-workspace/deps/usr/lib/libQt5Core.so.5+0x2b4858)
    #18 0x7f9b9aa08a75 in KisPresetChooser::resourceSelected(QSharedPointer<KoResource>) /home/appimage/appimage-workspace/krita-build/libs/ui/kritaui_autogen/IMAN36LHMA/moc_kis_preset_chooser.cpp:184
    #19 0x7f9b9aa1f6bd in KisPresetChooser::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) /home/appimage/appimage-workspace/krita-build/libs/ui/kritaui_autogen/IMAN36LHMA/moc_kis_preset_chooser.cpp:110
    #20 0x7f9b8e12b858 in QMetaObject::activate(QObject*, int, int, void**) (/home/appimage/appimage-workspace/deps/usr/lib/libQt5Core.so.5+0x2b4858)
    #21 0x7f9b941987e5 in KisResourceItemChooser::resourceSelected(QSharedPointer<KoResource>) /home/appimage/appimage-workspace/krita-build/libs/resourcewidgets/kritaresourcewidgets_autogen/EWIEGA46WW/moc_KisResourceItemChooser.cpp:204
    #22 0x7f9b941c3bed in KisResourceItemChooser::activate(QModelIndex const&) /home/appimage/persistent/krita/libs/resourcewidgets/KisResourceItemChooser.cpp:378
    #23 0x7f9b9419f8f1 in KisResourceItemChooser::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) /home/appimage/appimage-workspace/krita-build/libs/resourcewidgets/kritaresourcewidgets_autogen/EWIEGA46WW/moc_KisResourceItemChooser.cpp:127
    #24 0x7f9b8e12b858 in QMetaObject::activate(QObject*, int, int, void**) (/home/appimage/appimage-workspace/deps/usr/lib/libQt5Core.so.5+0x2b4858)
    #25 0x7f9b94199188 in KisResourceItemListView::currentResourceChanged(QModelIndex const&) /home/appimage/appimage-workspace/krita-build/libs/resourcewidgets/kritaresourcewidgets_autogen/EWIEGA46WW/moc_KisResourceItemListView.cpp:212
    #26 0x7f9b941c82b7 in KisResourceItemListView::selectionChanged(QItemSelection const&, QItemSelection const&) /home/appimage/persistent/krita/libs/resourcewidgets/KisResourceItemListView.cpp:91
    #27 0x7f9b9419b5cd in KisResourceItemListView::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) /home/appimage/appimage-workspace/krita-build/libs/resourcewidgets/kritaresourcewidgets_autogen/EWIEGA46WW/moc_KisResourceItemListView.cpp:114
    #28 0x7f9b8e12b858 in QMetaObject::activate(QObject*, int, int, void**) (/home/appimage/appimage-workspace/deps/usr/lib/libQt5Core.so.5+0x2b4858)
    #29 0x7f9b8e0b8306 in QItemSelectionModel::selectionChanged(QItemSelection const&, QItemSelection const&) (/home/appimage/appimage-workspace/deps/usr/lib/libQt5Core.so.5+0x241306)
    #30 0x7f9b8e0bd1db in QItemSelectionModel::emitSelectionChanged(QItemSelection const&, QItemSelection const&) (/home/appimage/appimage-workspace/deps/usr/lib/libQt5Core.so.5+0x2461db)
    #31 0x7f9b8e0c0064 in QItemSelectionModel::select(QItemSelection const&, QFlags<QItemSelectionModel::SelectionFlag>) (/home/appimage/appimage-workspace/deps/usr/lib/libQt5Core.so.5+0x249064)
    #32 0x7f9b8ee2c297 in QListView::setSelection(QRect const&, QFlags<QItemSelectionModel::SelectionFlag>) (/home/appimage/appimage-workspace/deps/usr/lib/libQt5Widgets.so.5+0x3ed297)
    #33 0x7f9b8edf93c4 in QAbstractItemView::mouseMoveEvent(QMouseEvent*) (/home/appimage/appimage-workspace/deps/usr/lib/libQt5Widgets.so.5+0x3ba3c4)
    #34 0x7f9b8ee31fb6 in QListView::mouseMoveEvent(QMouseEvent*) (/home/appimage/appimage-workspace/deps/usr/lib/libQt5Widgets.so.5+0x3f2fb6)
    #35 0x7f9b8ebe23b7 in QWidget::event(QEvent*) (/home/appimage/appimage-workspace/deps/usr/lib/libQt5Widgets.so.5+0x1a33b7)
    #36 0x7f9b8ec87c7d in QFrame::event(QEvent*) (/home/appimage/appimage-workspace/deps/usr/lib/libQt5Widgets.so.5+0x248c7d)
    #37 0x7f9b8edf9d92 in QAbstractItemView::viewportEvent(QEvent*) (/home/appimage/appimage-workspace/deps/usr/lib/libQt5Widgets.so.5+0x3bad92)
    #38 0x7f9b941c8ee6 in KisResourceItemListView::viewportEvent(QEvent*) /home/appimage/persistent/krita/libs/resourcewidgets/KisResourceItemListView.cpp:130
    #39 0x7f9b8e0fe22c in QCoreApplicationPrivate::sendThroughObjectEventFilters(QObject*, QEvent*) (/home/appimage/appimage-workspace/deps/usr/lib/libQt5Core.so.5+0x28722c)
    #40 0x7f9b8eba18b4 in QApplicationPrivate::notify_helper(QObject*, QEvent*) (/home/appimage/appimage-workspace/deps/usr/lib/libQt5Widgets.so.5+0x1628b4)
    #41 0x7f9b8eba99cf in QApplication::notify(QObject*, QEvent*) (/home/appimage/appimage-workspace/deps/usr/lib/libQt5Widgets.so.5+0x16a9cf)
    #42 0x7f9b9bd01c19 in KisApplication::notify(QObject*, QEvent*) /home/appimage/persistent/krita/libs/ui/KisApplication.cpp:756
    #43 0x7f9b8e0fe4a7 in QCoreApplication::notifyInternal2(QObject*, QEvent*) (/home/appimage/appimage-workspace/deps/usr/lib/libQt5Core.so.5+0x2874a7)
    #44 0x7f9b8eba8461 in QApplicationPrivate::sendMouseEvent(QWidget*, QMouseEvent*, QWidget*, QWidget*, QWidget**, QPointer<QWidget>&, bool, bool) (/home/appimage/appimage-workspace/deps/usr/lib/libQt5Widgets.so.5+0x169461)
    #45 0x7f9b8ebfc179  (/home/appimage/appimage-workspace/deps/usr/lib/libQt5Widgets.so.5+0x1bd179)
    #46 0x7f9b8ebff0e2  (/home/appimage/appimage-workspace/deps/usr/lib/libQt5Widgets.so.5+0x1c00e2)
    #47 0x7f9b8eba18db in QApplicationPrivate::notify_helper(QObject*, QEvent*) (/home/appimage/appimage-workspace/deps/usr/lib/libQt5Widgets.so.5+0x1628db)
    #48 0x7f9b8eba8f1f in QApplication::notify(QObject*, QEvent*) (/home/appimage/appimage-workspace/deps/usr/lib/libQt5Widgets.so.5+0x169f1f)
    #49 0x7f9b9bd01c19 in KisApplication::notify(QObject*, QEvent*) /home/appimage/persistent/krita/libs/ui/KisApplication.cpp:756
    #50 0x7f9b8e0fe4a7 in QCoreApplication::notifyInternal2(QObject*, QEvent*) (/home/appimage/appimage-workspace/deps/usr/lib/libQt5Core.so.5+0x2874a7)
    #51 0x7f9b8e574bc6 in QGuiApplicationPrivate::processMouseEvent(QWindowSystemInterfacePrivate::MouseEvent*) (/home/appimage/appimage-workspace/deps/usr/lib/libQt5Gui.so.5+0x14cbc6)
    #52 0x7f9b8e576194 in QGuiApplicationPrivate::processWindowSystemEvent(QWindowSystemInterfacePrivate::WindowSystemEvent*) (/home/appimage/appimage-workspace/deps/usr/lib/libQt5Gui.so.5+0x14e194)
    #53 0x7f9b8e55239a in QWindowSystemInterface::sendWindowSystemEvents(QFlags<QEventLoop::ProcessEventsFlag>) (/home/appimage/appimage-workspace/deps/usr/lib/libQt5Gui.so.5+0x12a39a)
    #54 0x7f9b816c9fb9  (/home/appimage/appimage-workspace/deps/usr/lib/libQt5XcbQpa.so.5+0x6afb9)
    #55 0x7f9b8a8b7266 in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4a266)
    #56 0x7f9b8a8b74bf  (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4a4bf)
    #57 0x7f9b8a8b756b in g_main_context_iteration (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4a56b)
    #58 0x7f9b8e1577ce in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (/home/appimage/appimage-workspace/deps/usr/lib/libQt5Core.so.5+0x2e07ce)
    #59 0x7f9b8e0fca39 in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) (/home/appimage/appimage-workspace/deps/usr/lib/libQt5Core.so.5+0x285a39)
    #60 0x7f9b8e1057b3 in QCoreApplication::exec() (/home/appimage/appimage-workspace/deps/usr/lib/libQt5Core.so.5+0x28e7b3)
    #61 0x412430 in main /home/appimage/persistent/krita/krita/main.cc:698
    #62 0x7f9b8cfab83f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)
    #63 0x415728 in _start (/home/appimage/appimage-workspace/krita.appdir/usr/bin/krita+0x415728)

0x62900509f200 is located 0 bytes to the right of 16384-byte region [0x62900509b200,0x62900509f200)
allocated by thread T0 here:
    #0 0x7f9b9cd03ca8 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x10bca8)
    #1 0x7f9b8e5bb8cf in QImageData::create(QSize const&, QImage::Format) (/home/appimage/appimage-workspace/deps/usr/lib/libQt5Gui.so.5+0x1938cf)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/appimage/persistent/krita/libs/brush/KisColorfulBrush.cpp:28 in estimateImageAverage
Shadow bytes around the buggy address:
  0x0c5280a0bdf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c5280a0be00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c5280a0be10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c5280a0be20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c5280a0be30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c5280a0be40:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5280a0be50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5280a0be60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5280a0be70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5280a0be80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5280a0be90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==13937==ABORTING
Comment 2 Dmitry Kazakov 2021-12-20 14:43:46 UTC
Git commit e80d1ba445c8cc961608efa2237eb9c27880d9c1 by Dmitry Kazakov.
Committed on 20/12/2021 at 09:51.
Pushed by dkazakov into branch 'krita/5.0'.

Fix an ASAN crash when switching to "g) Dry Bristles" from any RGBA brush

The KisPredefinedBrushChooser uses the combo box to select the mode,
so it should be consistent with what the actual brush supports.

We need a better fix to make KisColorfulBrush more robust and
actually convert brush tip image to RGBA32 format automatically.
Right now the crash happens with grayscale brushes that use Indexed8
format.
(cherry picked from commit 1f911e88a7d738e90b9791c91de1e4eff331a5dd)

M  +1    -0    plugins/paintops/libpaintop/kis_predefined_brush_chooser.cpp

https://invent.kde.org/graphics/krita/commit/e80d1ba445c8cc961608efa2237eb9c27880d9c1
Comment 3 Dmitry Kazakov 2021-12-20 14:43:55 UTC
Git commit 1f911e88a7d738e90b9791c91de1e4eff331a5dd by Dmitry Kazakov.
Committed on 20/12/2021 at 09:51.
Pushed by dkazakov into branch 'master'.

Fix an ASAN crash when switching to "g) Dry Bristles" from any RGBA brush

The KisPredefinedBrushChooser uses the combo box to select the mode,
so it should be consistent with what the actual brush supports.

We need a better fix to make KisColorfulBrush more robust and
actually convert brush tip image to RGBA32 format automatically.
Right now the crash happens with grayscale brushes that use Indexed8
format.

M  +1    -0    plugins/paintops/libpaintop/kis_predefined_brush_chooser.cpp

https://invent.kde.org/graphics/krita/commit/1f911e88a7d738e90b9791c91de1e4eff331a5dd
Comment 6 Dmitry Kazakov 2021-12-20 15:54:14 UTC
Git commit 77a4a03ab8bfd4c9666511a57bd628172920b27d by Dmitry Kazakov.
Committed on 20/12/2021 at 11:20.
Pushed by dkazakov into branch 'master'.

Add safe asserts into KisColorfulBrush to avoid accidental memory corruption

M  +4    -0    libs/brush/KisColorfulBrush.cpp

https://invent.kde.org/graphics/krita/commit/77a4a03ab8bfd4c9666511a57bd628172920b27d
Comment 7 Dmitry Kazakov 2021-12-20 15:54:21 UTC
Git commit 98a5a4d8d3540ed20b300b175904ae0c253f5e46 by Dmitry Kazakov.
Committed on 20/12/2021 at 11:23.
Pushed by dkazakov into branch 'krita/5.0'.

Add safe asserts into KisColorfulBrush to avoid accidental memory corruption
(cherry picked from commit 77a4a03ab8bfd4c9666511a57bd628172920b27d)

M  +4    -0    libs/brush/KisColorfulBrush.cpp

https://invent.kde.org/graphics/krita/commit/98a5a4d8d3540ed20b300b175904ae0c253f5e46
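As an added illustration of the bug class these commit messages describe (not Krita's or Qt's code), a minimal C++ model of a brush-tip image: the pixel format decides bytes per pixel, an averaging loop that assumes RGBA32 would read four bytes per pixel and overrun an Indexed8 buffer, and the hardened estimator converts to RGBA32 and checks the invariant (the "safe assert") before the loop runs. Image, Format, makeGrayTip and every function name below are my own assumptions; only the 16384-byte region size and the Indexed8/RGBA32 formats come from the report.

```cpp
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <vector>

// Minimal stand-in for a QImage buffer (not Krita's or Qt's code):
// the format decides how many bytes each pixel occupies.
enum class Format { Indexed8, RGBA32 };

struct Image {
    int width, height;
    Format format;
    std::vector<uint8_t> bits;  // tightly packed rows (assumption: no padding)
    size_t byteCount() const { return bits.size(); }
};

// Constructed sample: a 128x128 Indexed8 (grayscale) brush tip. That is
// 16384 bytes, the size of the heap region in the ASAN report above.
Image makeGrayTip(uint8_t gray) {
    return Image{128, 128, Format::Indexed8, std::vector<uint8_t>(128u * 128u, gray)};
}

// Bytes touched by a loop that reads one 32-bit pixel for each of width*height.
size_t bytesReadAsRgba32(const Image& img) {
    return static_cast<size_t>(img.width) * img.height * 4;
}

// The defect: an averaging loop that assumes RGBA32 keeps reading past the
// end of a 1-byte-per-pixel buffer. True for every Indexed8 image.
bool wouldOverflow(const Image& img) {
    return bytesReadAsRgba32(img) > img.byteCount();
}

// The robust fix the commit message asks for: normalize the tip to RGBA32
// before any 4-byte-per-pixel code runs. Gray g becomes (g, g, g, 255).
Image toRgba32(const Image& img) {
    if (img.format == Format::RGBA32) return img;
    Image out{img.width, img.height, Format::RGBA32, {}};
    out.bits.reserve(img.bits.size() * 4);
    for (uint8_t g : img.bits) out.bits.insert(out.bits.end(), {g, g, g, uint8_t{255}});
    return out;
}

// Hardened estimator: convert first, then verify the invariant the way a
// safe assert would, so a mismatched format fails loudly instead of overreading.
double estimateImageAverageSafe(const Image& in) {
    const Image img = toRgba32(in);
    if (wouldOverflow(img)) throw std::logic_error("tip buffer smaller than RGBA32 read span");
    uint64_t sum = 0;
    for (size_t i = 0; i + 3 < img.bits.size(); i += 4)
        sum += img.bits[i] + img.bits[i + 1] + img.bits[i + 2];  // R+G+B, alpha ignored
    const size_t pixels = static_cast<size_t>(img.width) * img.height;
    return pixels ? static_cast<double>(sum) / (3.0 * pixels) : 0.0;
}
```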