touch-packages team mailing list archive

Thread
Date

[Bug 1469611] Re: QQuickPixmapReader::asyncResponseFinished segfaults if a QQuickAsyncImageProvider returns an error response

To: touch-packages@xxxxxxxxxxxxxxxxxxx
From: Timo Jyrinki <timo.jyrinki@xxxxxxxxxxxxx>
Date: Wed, 15 Jul 2015 08:16:09 -0000
Reply-to: Bug 1469611 <1469611@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

qtdeclarative-opensource-src (5.4.1-1ubuntu8) vivid; urgency=medium

  * debian/patches/Add-QQuickAsyncImageProvider.patch:
    - Fix segfault by importing https://codereview.qt-project.org/#/c/115522/
      and https://codereview.qt-project.org/#/c/120638/
      (LP: #1469611)

 -- Timo Jyrinki <timo-jyrinki@xxxxxxxxxx>  Tue, 07 Jul 2015 11:50:57
+0000

** Changed in: qtdeclarative-opensource-src (Ubuntu RTM)
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to qtdeclarative-opensource-
src in Ubuntu.
https://bugs.launchpad.net/bugs/1469611

Title:
  QQuickPixmapReader::asyncResponseFinished segfaults if a
  QQuickAsyncImageProvider returns an error response

Status in qtdeclarative-opensource-src package in Ubuntu:
  Fix Released
Status in qtdeclarative-opensource-src package in Ubuntu RTM:
  Fix Released

Bug description:
  While working on the new thumbnailer, we've been using the new
  QQuickAsyncImageProvider API.  The API allows us to report errors by
  overriding the errorString() method on QQuickImageResponse to return a
  non-empty string.  However, if I do so the application crashes.

  Loading up the symbols to get a stack trace shows this to be a bug in
  the logic of QQuickPixmapReader::asyncResponseFinished:

          QQuickTextureFactory *t = 0;
          QQuickPixmapReply::ReadError error = QQuickPixmapReply::NoError;
          QString errorString;
          QSize readSize;
          if (!response->errorString().isEmpty()) {
              error = QQuickPixmapReply::Loading;
              errorString = response->errorString();
          } else {
              t = response->textureFactory();
         }
          mutex.lock();
          if (!cancelled.contains(job))
              job->postReply(error, errorString, t->textureSize(), t);
          mutex.unlock();

  If errorString() is not empty, then t will still be NULL.  It is then
  dereferenced to call t->textureSize() resulting in a segfault.

  ProblemType: Bug
  DistroRelease: Ubuntu 15.10
  Package: libqt5quick5 5.4.2-1ubuntu1
  ProcVersionSignature: Ubuntu 3.19.0-20.20-generic 3.19.8
  Uname: Linux 3.19.0-20-generic x86_64
  ApportVersion: 2.17.3-0ubuntu4
  Architecture: amd64
  CurrentDesktop: Unity
  Date: Mon Jun 29 14:53:49 2015
  InstallationDate: Installed on 2013-10-29 (607 days ago)
  InstallationMedia: Ubuntu 13.10 "Saucy Salamander" - Release amd64 (20131016.1)
  SourcePackage: qtdeclarative-opensource-src
  UpgradeStatus: Upgraded to wily on 2015-06-13 (15 days ago)

  Test case (on desktop):

  - bzr branch lp:~jamesh/thumbnailer/no-fallback-albumart
  - sudo apt-get build-dep thumbnailer
  - sudo apt install libleveldb-dev cmake-extras libapparmor-dev libboost-filesystem-dev libboost-regex-dev libqtdbustest1-dev libunity-api-dev python3-tornado qml-module-qttest xvfb
  - cd no-fallback-albumart
  - cmake .
  - make
  - ctest -R qml --verbose
  -> check if crash (Segmentation fault (core dumped)) or no crash (don't mind tests pass/fail)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/qtdeclarative-opensource-src/+bug/1469611/+subscriptions

References

[Bug 1469611] [NEW] QQuickPixmapReader::asyncResponseFinished segfaults if a QQuickAsyncImageProvider returns an error response
From: James Henstridge, 2015-06-29