Bug 471970 - Closing the document while animation cache is being populated causes a crash under ASAN
Status: RESOLVED FIXED
Alias: None
Product: krita
Classification: Applications
Component: OpenGL Canvas
Version: git master (please specify the git hash!)
Platform: Other Other
Importance: NOR crash
Target Milestone: ---
Assignee: Krita Bugs
Keywords: release_blocker
Reported: 2023-07-05 11:09 UTC by Dmitry Kazakov
Modified: 2023-07-06 08:02 UTC (History)

Description Dmitry Kazakov 2023-07-05 11:09:48 UTC
STEPS TO REPRODUCE
1. Open a huge document with animation
2. Check that the cache is being populated
3. Press Ctrl+W

=================================================================
==77748==ERROR: AddressSanitizer: heap-use-after-free on address 0x6020000f4a30 at pc 0x7fc5eac6bfdc bp 0x7ffcd81d4750 sp 0x7ffcd81d4740
READ of size 8 at 0x6020000f4a30 thread T0
    #0 0x7fc5eac6bfdb in KisTextureTile::~KisTextureTile() /home/appimage/persistent/krita/libs/ui/opengl/kis_texture_tile.cpp:108
    #1 0x7fc5eac52587 in KisOpenGLImageTextures::destroyImageTextureTiles() /home/appimage/persistent/krita/libs/ui/opengl/kis_opengl_image_textures.cpp:301
    #2 0x7fc5eac5bb1e in KisOpenGLImageTextures::~KisOpenGLImageTextures() /home/appimage/persistent/krita/libs/ui/opengl/kis_opengl_image_textures.cpp:134
    #3 0x7fc5eac5d2f5 in KisOpenGLImageTextures::~KisOpenGLImageTextures() /home/appimage/persistent/krita/libs/ui/opengl/kis_opengl_image_textures.cpp:138
    #4 0x7fc5eba00470 in KisSharedPtr<KisOpenGLImageTextures>::deref(KisSharedPtr<KisOpenGLImageTextures> const*, KisOpenGLImageTextures*) /home/appimage/persistent/krita/libs/global/kis_shared_ptr.h:202
    #5 0x7fc5eba00470 in KisSharedPtr<KisOpenGLImageTextures>::deref(KisSharedPtr<KisOpenGLImageTextures> const*, KisOpenGLImageTextures*) /home/appimage/persistent/krita/libs/global/kis_shared_ptr.h:194
    #6 0x7fc5eba00470 in KisSharedPtr<KisOpenGLImageTextures>::deref() const /home/appimage/persistent/krita/libs/global/kis_shared_ptr.h:216
    #7 0x7fc5eba00470 in KisSharedPtr<KisOpenGLImageTextures>::~KisSharedPtr() /home/appimage/persistent/krita/libs/global/kis_shared_ptr.h:100
    #8 0x7fc5eba00470 in KisAnimationFrameCache::Private::~Private() /home/appimage/persistent/krita/libs/ui/kis_animation_frame_cache.cpp:42
    #9 0x7fc5eba00470 in QScopedPointerDeleter<KisAnimationFrameCache::Private>::cleanup(KisAnimationFrameCache::Private*) /home/appimage/appimage-workspace/deps/usr/include/QtCore/qscopedpointer.h:60
    #10 0x7fc5eba00470 in QScopedPointer<KisAnimationFrameCache::Private, QScopedPointerDeleter<KisAnimationFrameCache::Private> >::~QScopedPointer() /home/appimage/appimage-workspace/deps/usr/include/QtCore/qscopedpointer.h:107
    #11 0x7fc5eba00470 in KisAnimationFrameCache::~KisAnimationFrameCache() /home/appimage/persistent/krita/libs/ui/kis_animation_frame_cache.cpp:224
    #12 0x7fc5eba00dd5 in KisAnimationFrameCache::~KisAnimationFrameCache() /home/appimage/persistent/krita/libs/ui/kis_animation_frame_cache.cpp:224
    #13 0x7fc5eba31db2 in KisSharedPtr<KisAnimationFrameCache>::deref(KisSharedPtr<KisAnimationFrameCache> const*, KisAnimationFrameCache*) /home/appimage/persistent/krita/libs/global/kis_shared_ptr.h:202
    #14 0x7fc5eba31db2 in KisSharedPtr<KisAnimationFrameCache>::deref(KisSharedPtr<KisAnimationFrameCache> const*, KisAnimationFrameCache*) /home/appimage/persistent/krita/libs/global/kis_shared_ptr.h:194
    #15 0x7fc5eba31db2 in KisSharedPtr<KisAnimationFrameCache>::attach(KisAnimationFrameCache*) /home/appimage/persistent/krita/libs/global/kis_shared_ptr.h:509
    #16 0x7fc5eba31db2 in KisSharedPtr<KisAnimationFrameCache>::clear() /home/appimage/persistent/krita/libs/global/kis_shared_ptr.h:516
    #17 0x7fc5eba31db2 in KisAsyncAnimationCacheRenderer::clearFrameRegenerationState(bool) /home/appimage/persistent/krita/libs/ui/KisAsyncAnimationCacheRenderer.cpp:66
    #18 0x7fc5eba27343 in KisAsyncAnimationRendererBase::notifyFrameCancelled(int, KisAsyncAnimationRendererBase::CancelReason) /home/appimage/persistent/krita/libs/ui/KisAsyncAnimationRendererBase.cpp:150
    #19 0x7fc5eba2de7c in KisAsyncAnimationCacheRenderer::frameCancelledCallback(int, KisAsyncAnimationRendererBase::CancelReason) /home/appimage/persistent/krita/libs/ui/KisAsyncAnimationCacheRenderer.cpp:60
    #20 0x7fc5eba26e9e in KisAsyncAnimationRendererBase::slotFrameRegenerationCancelled() /home/appimage/persistent/krita/libs/ui/KisAsyncAnimationRendererBase.cpp:100
    #21 0x7fc5ea13a157 in KisAsyncAnimationRendererBase::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) /home/appimage/appimage-workspace/krita-build/libs/ui/kritaui_autogen/EWIEGA46WW/moc_KisAsyncAnimationRendererBase.cpp:124
    #22 0x7fc5ea13a157 in KisAsyncAnimationRendererBase::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) /home/appimage/appimage-workspace/krita-build/libs/ui/kritaui_autogen/EWIEGA46WW/moc_KisAsyncAnimationRendererBase.cpp:115
    #23 0x7fc5e24285dd in QObject::event(QEvent*) /home/appimage/appimage-workspace/deps-build/ext_qt/ext_qt-prefix/src/ext_qt/qtbase/src/corelib/kernel/qobject.cpp:1347
    #24 0x7fc5e2f5d7e2 in QApplicationPrivate::notify_helper(QObject*, QEvent*) /home/appimage/appimage-workspace/deps-build/ext_qt/ext_qt-prefix/src/ext_qt/qtbase/src/widgets/kernel/qapplication.cpp:3637
    #25 0x7fc5eb6993d9 in KisApplication::notify(QObject*, QEvent*) /home/appimage/persistent/krita/libs/ui/KisApplication.cpp:768
    #26 0x7fc5e23fab59 in QCoreApplication::notifyInternal2(QObject*, QEvent*) /home/appimage/appimage-workspace/deps-build/ext_qt/ext_qt-prefix/src/ext_qt/qtbase/src/corelib/kernel/qcoreapplication.cpp:1064
    #27 0x7fc5e23fdc46 in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) /home/appimage/appimage-workspace/deps-build/ext_qt/ext_qt-prefix/src/ext_qt/qtbase/src/corelib/kernel/qcoreapplication.cpp:1821
    #28 0x7fc5e2455056 in postEventSourceDispatch /home/appimage/appimage-workspace/deps-build/ext_qt/ext_qt-prefix/src/ext_qt/qtbase/src/corelib/kernel/qeventdispatcher_glib.cpp:277
    #29 0x7fc5e08f117c in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x5217c)
    #30 0x7fc5e08f13ff  (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x523ff)
    #31 0x7fc5e08f14a2 in g_main_context_iteration (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x524a2)
    #32 0x7fc5e24546a7 in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) /home/appimage/appimage-workspace/deps-build/ext_qt/ext_qt-prefix/src/ext_qt/qtbase/src/corelib/kernel/qeventdispatcher_glib.cpp:423
    #33 0x7fc5e23f946a in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) /home/appimage/appimage-workspace/deps-build/ext_qt/ext_qt-prefix/src/ext_qt/qtbase/src/corelib/kernel/qeventloop.cpp:232
    #34 0x7fc5e2401a13 in QCoreApplication::exec() /home/appimage/appimage-workspace/deps-build/ext_qt/ext_qt-prefix/src/ext_qt/qtbase/src/corelib/kernel/qcoreapplication.cpp:1375
    #35 0x55da41a3ed84 in main /home/appimage/persistent/krita/krita/main.cc:731
    #36 0x7fc5e1bda082 in __libc_start_main ../csu/libc-start.c:308
    #37 0x55da41a427bd in _start (/home/appimage/appimage-workspace/krita.appdir/usr/bin/krita+0x1d7bd)

0x6020000f4a30 is located 0 bytes inside of 8-byte region [0x6020000f4a30,0x6020000f4a38)
freed by thread T0 here:
    #0 0x7fc5ec51760f in operator delete(void*, unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cpp:172
    #1 0x7fc5e287978f in QOpenGLContext::destroy() /home/appimage/appimage-workspace/deps-build/ext_qt/ext_qt-prefix/src/ext_qt/qtbase/src/gui/kernel/qopenglcontext.cpp:655

previously allocated by thread T0 here:
    #0 0x7fc5ec5165a7 in operator new(unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cpp:99
    #1 0x7fc5e2875ca9 in QOpenGLContext::functions() const /home/appimage/appimage-workspace/deps-build/ext_qt/ext_qt-prefix/src/ext_qt/qtbase/src/gui/kernel/qopenglcontext.cpp:741

SUMMARY: AddressSanitizer: heap-use-after-free /home/appimage/persistent/krita/libs/ui/opengl/kis_texture_tile.cpp:108 in KisTextureTile::~KisTextureTile()
==77748==ABORTING
Comment 1 Dmitry Kazakov 2023-07-06 08:02:50 UTC
Git commit 307b01789b5e93e20fdd8abcac497ce2c44d2ca2 by Dmitry Kazakov.
Committed on 06/07/2023 at 08:02.
Pushed by dkazakov into branch 'master'.

Fix ASAN-crash on closing an image with animation

The owner of the animation cache (and textures) is the canvas,
so no one in his/her sanity should store a strong pointer to that.

M  +9    -3    libs/ui/KisAsyncAnimationCacheRenderer.cpp
M  +0    -10   libs/ui/kis_animation_cache_populator.cpp

https://invent.kde.org/graphics/krita/-/commit/307b01789b5e93e20fdd8abcac497ce2c44d2ca2
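To illustrate the ownership rule stated in the commit message, here is an added C++ model written for this page (it is not Krita's code, and all names in it are hypothetical): a renderer whose deferred "frame cancelled" handler holds a strong reference to the canvas-owned frame cache lets the cache, and the texture tiles inside it, outlive the GL context they were created with, which is the pattern behind the heap-use-after-free above; holding only a weak reference lets the canvas tear the cache down while its context is still alive.

```cpp
#include <memory>
#include <set>
#include <vector>

// Registry of live contexts so the model can detect a use-after-destroy
// without triggering real undefined behaviour (stand-in for ASAN).
static std::set<const void*> g_liveContexts;
static int g_tilesReleasedWithoutContext = 0;

struct GlContext {                       // stand-in for QOpenGLContext
    GlContext()  { g_liveContexts.insert(this); }
    ~GlContext() { g_liveContexts.erase(this); }
};

// A tile keeps a non-owning pointer to the context that created it and
// needs that context in its destructor (like KisTextureTile using GL functions).
struct TextureTile {
    const GlContext* ctx;
    explicit TextureTile(const GlContext* c) : ctx(c) {}
    ~TextureTile() {
        if (!g_liveContexts.count(ctx)) ++g_tilesReleasedWithoutContext; // the UAF
    }
};

struct FrameCache {                      // stand-in for the animation frame cache
    std::vector<std::unique_ptr<TextureTile>> tiles;
};

// The canvas owns both. 'cache' is declared after 'context', so on teardown
// the cache (and its tiles) is destroyed first, while the context is alive.
struct Canvas {
    GlContext context;
    std::shared_ptr<FrameCache> cache = std::make_shared<FrameCache>();
    Canvas() { cache->tiles.push_back(std::make_unique<TextureTile>(&context)); }
};

// Models the renderer's deferred cancellation handler. strong=true keeps a
// strong reference to the cache (the bug); strong=false keeps a weak one (the fix).
// Returns how many tiles were released after their context was gone.
int simulate(bool strong) {
    g_tilesReleasedWithoutContext = 0;
    std::shared_ptr<FrameCache> strongRef;
    std::weak_ptr<FrameCache> weakRef;
    {
        Canvas canvas;                   // document open, cache being populated
        if (strong) strongRef = canvas.cache; else weakRef = canvas.cache;
    }                                    // Ctrl+W: canvas destroyed, context gone
    strongRef.reset();                   // posted event fires: last strong ref drops here
    if (auto c = weakRef.lock()) c.reset(); // weak ref: cache already gone, nothing to free
    return g_tilesReleasedWithoutContext;
}
```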