QTBUG-117066

ERROR: AddressSanitizer: heap-use-after-free in QtGrpcClientServerStreamTest::Deadline()

Details

    • Type: Bug
    • Resolution: Fixed
    • Priority: P1: Critical
    • Fix Version/s: 6.5.4, 6.6.1, 6.7.0 FF
    • Affects Version/s: dev
    • Component/s: GRPC
    • Commits: e1690fa8f (dev), c1352140e (6.6), 05c67b5e0 (6.5)

    Description

      From an ASAN-enabled run one week ago. Full log here.

      QINFO  : QtGrpcClientServerStreamTest::Deadline(Http2Client:MessageLatency * ExpectedMessageCount * 0.9) "send back  \"Stream4\"\n"
      QDEBUG : QtGrpcClientServerStreamTest::Deadline(Http2Client:MessageLatency * ExpectedMessageCount * 0.9) setCachingEnabled:  56  bytesDownloaded
      QCRITICAL: QtGrpcClientServerStreamTest::Deadline(Http2Client:MessageLatency * ExpectedMessageCount * 0.9) QNetworkReplyImpl: backend error: caching was enabled after some bytes had been written
      =================================================================
      

      ==19389==ERROR: AddressSanitizer: heap-use-after-free on address 0x60300007b2e0 at pc 0x7fb35a0e5a09 bp 0x7ffc22de5ab0 sp 0x7ffc22de5aa8

      READ of size 1 at 0x60300007b2e0 thread T0

          #0 0x7fb35a0e5a08  (/home/qt/work/install/lib/libQt6Core.so.6+0x32ba08)
          #1 0x7fb35a0e1a1b in QDebug::putByteArray(char const*, unsigned long, QDebug::Latin1Content) (/home/qt/work/install/lib/libQt6Core.so.6+0x327a1b)
          #2 0x7fb35c3c6afc  (/home/qt/work/install/lib/libQt6Grpc.so.6+0x206afc)
          #3 0x7fb35c3dd74c  (/home/qt/work/install/lib/libQt6Grpc.so.6+0x21d74c)
          #4 0x7fb35c3e15ec  (/home/qt/work/install/lib/libQt6Grpc.so.6+0x2215ec)
          #5 0x7fb35c3e10d6  (/home/qt/work/install/lib/libQt6Grpc.so.6+0x2210d6)
          #6 0x7fb35c3e0e0d  (/home/qt/work/install/lib/libQt6Grpc.so.6+0x220e0d)
          #7 0x7fb35a25378f  (/home/qt/work/install/lib/libQt6Core.so.6+0x49978f)
          #8 0x7fb35a397464  (/home/qt/work/install/lib/libQt6Core.so.6+0x5dd464)
          #9 0x7fb35a3812ae in QMetaObject::activate(QObject*, QMetaObject const*, int, void**) (/home/qt/work/install/lib/libQt6Core.so.6+0x5c72ae)
          #10 0x7fb35bc598f6 in QNetworkReply::finished() (/home/qt/work/install/lib/libQt6Network.so.6+0x1e58f6)
          #11 0x7fb35bea6436  (/home/qt/work/install/lib/libQt6Network.so.6+0x432436)
          #12 0x7fb35be9c4af  (/home/qt/work/install/lib/libQt6Network.so.6+0x4284af)
          #13 0x7fb35bea814c  (/home/qt/work/install/lib/libQt6Network.so.6+0x43414c)
          #14 0x7fb35a36c20e in QMetaCallEvent::placeMetaCall(QObject*) (/home/qt/work/install/lib/libQt6Core.so.6+0x5b220e)
          #15 0x7fb35a36e950 in QObject::event(QEvent*) (/home/qt/work/install/lib/libQt6Core.so.6+0x5b4950)
          #16 0x7fb35a2461fb in QCoreApplicationPrivate::notify_helper(QObject*, QEvent*) (/home/qt/work/install/lib/libQt6Core.so.6+0x48c1fb)
          #17 0x7fb35a2459e0  (/home/qt/work/install/lib/libQt6Core.so.6+0x48b9e0)
          #18 0x7fb35a2458a7 in QCoreApplication::notify(QObject*, QEvent*) (/home/qt/work/install/lib/libQt6Core.so.6+0x48b8a7)
          #19 0x7fb35a2456b9 in QCoreApplication::notifyInternal2(QObject*, QEvent*) (/home/qt/work/install/lib/libQt6Core.so.6+0x48b6b9)
          #20 0x7fb35a246e48 in QCoreApplication::sendEvent(QObject*, QEvent*) (/home/qt/work/install/lib/libQt6Core.so.6+0x48ce48)
          #21 0x7fb35a249567 in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) (/home/qt/work/install/lib/libQt6Core.so.6+0x48f567)
          #22 0x7fb35a24802d in QCoreApplication::sendPostedEvents(QObject*, int) (/home/qt/work/install/lib/libQt6Core.so.6+0x48e02d)
          #23 0x7fb35abebfd0  (/home/qt/work/install/lib/libQt6Core.so.6+0xe31fd0)
          #24 0x7fb35852c82a in g_main_context_dispatch (/usr/lib64/libglib-2.0.so.0+0x5582a)
          #25 0x7fb35852cbcf  (/usr/lib64/libglib-2.0.so.0+0x55bcf)
          #26 0x7fb35852cc5b in g_main_context_iteration (/usr/lib64/libglib-2.0.so.0+0x55c5b)
          #27 0x7fb35abed51a in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (/home/qt/work/install/lib/libQt6Core.so.6+0xe3351a)
          #28 0x7fb35a24662d in QCoreApplication::processEvents(QFlags<QEventLoop::ProcessEventsFlag>, QDeadlineTimer) (/home/qt/work/install/lib/libQt6Core.so.6+0x48c62d)
          #29 0x7fb35a3da765 in QTest::qWait(std::chrono::duration<long, std::ratio<1l, 1000l> >) (/home/qt/work/install/lib/libQt6Core.so.6+0x620765)
          #30 0x7fb35a3da571 in QTest::qWait(int) (/home/qt/work/install/lib/libQt6Core.so.6+0x620571)
          #31 0x55e072531857 in QtGrpcClientServerStreamTest::Deadline() /home/qt/work/qt/qtgrpc/tests/auto/grpc/client/serverstream/tst_grpc_client_serverstream.cpp:402
          #32 0x55e072532d86 in QtGrpcClientServerStreamTest::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) tests/auto/grpc/client/serverstream/tst_grpc_client_serverstream_autogen/include/tst_grpc_client_serverstream.moc:148
          #33 0x7fb35a2914f9 in QMetaMethodInvoker::invokeImpl(QMetaMethod, void*, Qt::ConnectionType, long long, void const* const*, char const* const*, QtPrivate::QMetaTypeInterface const* const*) (/home/qt/work/install/lib/libQt6Core.so.6+0x4d74f9)
          #34 0x7fb35a28f17e in QMetaMethod::invokeImpl(QMetaMethod, void*, Qt::ConnectionType, long long, void const* const*, char const* const*, QtPrivate::QMetaTypeInterface const* const*) (/home/qt/work/install/lib/libQt6Core.so.6+0x4d517e)
          #35 0x7fb35cbb02d4 in std::enable_if<!std::disjunction<>::value, bool>::type QMetaMethod::invoke<void>(QObject*, Qt::ConnectionType, QTemplatedMetaMethodReturnArgument<void>) const (/home/qt/work/install/lib/libQt6Test.so.6+0xca2d4)
          #36 0x7fb35cbab26d in std::enable_if<!std::disjunction<>::value, bool>::type QMetaMethod::invoke<>(QObject*, Qt::ConnectionType) const (/home/qt/work/install/lib/libQt6Test.so.6+0xc526d)
          #37 0x7fb35cb89873  (/home/qt/work/install/lib/libQt6Test.so.6+0xa3873)
          #38 0x7fb35cb8b5d8  (/home/qt/work/install/lib/libQt6Test.so.6+0xa55d8)
          #39 0x7fb35cb8e37a  (/home/qt/work/install/lib/libQt6Test.so.6+0xa837a)
          #40 0x7fb35cb90e2d in QTest::qRun() (/home/qt/work/install/lib/libQt6Test.so.6+0xaae2d)
          #41 0x7fb35cb8fb67 in QTest::qExec(QObject*, int, char**) (/home/qt/work/install/lib/libQt6Test.so.6+0xa9b67)
          #42 0x55e072532b8a in main /home/qt/work/qt/qtgrpc/tests/auto/grpc/client/serverstream/tst_grpc_client_serverstream.cpp:419
          #43 0x7fb35946a24c in __libc_start_main (/lib64/libc.so.6+0x3524c)
          #44 0x55e072517979 in _start ../sysdeps/x86_64/start.S:120
      

      0x60300007b2e0 is located 0 bytes inside of 25-byte region [0x60300007b2e0,0x60300007b2f9)

      freed by thread T0 here:

          #0 0x7fb35cdbf7b7 in operator delete(void*) (/usr/lib64/libasan.so.5+0x10c7b7)
          #1 0x7fb35c401758  (/home/qt/work/install/lib/libQt6Grpc.so.6+0x241758)
          #2 0x7fb35c40178f  (/home/qt/work/install/lib/libQt6Grpc.so.6+0x24178f)
          #3 0x7fb35a3987bc  (/home/qt/work/install/lib/libQt6Core.so.6+0x5de7bc)
          #4 0x7fb35a391f55  (/home/qt/work/install/lib/libQt6Core.so.6+0x5d7f55)
          #5 0x7fb35a36d9d8 in QObject::~QObject() (/home/qt/work/install/lib/libQt6Core.so.6+0x5b39d8)
          #6 0x7fb35c3f75a2 in QAbstractGrpcClient::~QAbstractGrpcClient() (/home/qt/work/install/lib/libQt6Grpc.so.6+0x2375a2)
          #7 0x7fb35ca6b158 in qtgrpc::tests::TestService::Client::~Client() (/home/qt/work/qt/qtgrpc_standalone_tests/tests/auto/grpc/client/shared/client_service/libtst_grpc_client_qtgrpc_gen.so+0x7c158)
          #8 0x55e07256e55d in void __gnu_cxx::new_allocator<qtgrpc::tests::TestService::Client>::destroy<qtgrpc::tests::TestService::Client>(qtgrpc::tests::TestService::Client*) /usr/include/c++/9/ext/new_allocator.h:153
          #9 0x55e07256e4e4 in void std::allocator_traits<std::allocator<qtgrpc::tests::TestService::Client> >::destroy<qtgrpc::tests::TestService::Client>(std::allocator<qtgrpc::tests::TestService::Client>&, qtgrpc::tests::TestService::Client*) /usr/include/c++/9/bits/alloc_traits.h:497
          #10 0x55e07256e1fa in std::_Sp_counted_ptr_inplace<qtgrpc::tests::TestService::Client, std::allocator<qtgrpc::tests::TestService::Client>, (__gnu_cxx::_Lock_policy)2>::_M_dispose() /usr/include/c++/9/bits/shared_ptr_base.h:557
          #11 0x55e07255659c in std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_release() /usr/include/c++/9/bits/shared_ptr_base.h:155
          #12 0x55e07254f5b1 in std::__shared_count<(__gnu_cxx::_Lock_policy)2>::~__shared_count() /usr/include/c++/9/bits/shared_ptr_base.h:730
          #13 0x55e07254c3cb in std::__shared_ptr<qtgrpc::tests::TestService::Client, (__gnu_cxx::_Lock_policy)2>::~__shared_ptr() (/home/qt/work/qt/qtgrpc_standalone_tests/tests/auto/grpc/client/serverstream/tst_grpc_client_serverstream+0x573cb)
          #14 0x55e07256bf6f in std::__shared_ptr<qtgrpc::tests::TestService::Client, (__gnu_cxx::_Lock_policy)2>::operator=(std::__shared_ptr<qtgrpc::tests::TestService::Client, (__gnu_cxx::_Lock_policy)2>&&) /usr/include/c++/9/bits/shared_ptr_base.h:1265
          #15 0x55e07256b30b in std::shared_ptr<qtgrpc::tests::TestService::Client>::operator=(std::shared_ptr<qtgrpc::tests::TestService::Client>&&) /usr/include/c++/9/bits/shared_ptr.h:335
          #16 0x55e072569598 in GrpcClientTestBase::init() /home/qt/work/qt/qtgrpc/tests/auto/grpc/client/shared/client_test_common/grpcclienttestbase.cpp:41
          #17 0x55e072568451 in GrpcClientTestBase::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) tests/auto/grpc/client/shared/client_test_common/tst_grpc_client_test_common_autogen/EWIEGA46WW/moc_grpcclienttestbase.cpp:102
          #18 0x7fb35a2914f9 in QMetaMethodInvoker::invokeImpl(QMetaMethod, void*, Qt::ConnectionType, long long, void const* const*, char const* const*, QtPrivate::QMetaTypeInterface const* const*) (/home/qt/work/install/lib/libQt6Core.so.6+0x4d74f9)
          #19 0x7fb35a28f17e in QMetaMethod::invokeImpl(QMetaMethod, void*, Qt::ConnectionType, long long, void const* const*, char const* const*, QtPrivate::QMetaTypeInterface const* const*) (/home/qt/work/install/lib/libQt6Core.so.6+0x4d517e)
          #20 0x7fb35cbb02d4 in std::enable_if<!std::disjunction<>::value, bool>::type QMetaMethod::invoke<void>(QObject*, Qt::ConnectionType, QTemplatedMetaMethodReturnArgument<void>) const (/home/qt/work/install/lib/libQt6Test.so.6+0xca2d4)
          #21 0x7fb35cbab26d in std::enable_if<!std::disjunction<>::value, bool>::type QMetaMethod::invoke<>(QObject*, Qt::ConnectionType) const (/home/qt/work/install/lib/libQt6Test.so.6+0xc526d)
          #22 0x7fb35cb89660  (/home/qt/work/install/lib/libQt6Test.so.6+0xa3660)
          #23 0x7fb35cb8b5d8  (/home/qt/work/install/lib/libQt6Test.so.6+0xa55d8)
          #24 0x7fb35cb8e37a  (/home/qt/work/install/lib/libQt6Test.so.6+0xa837a)
          #25 0x7fb35cb90e2d in QTest::qRun() (/home/qt/work/install/lib/libQt6Test.so.6+0xaae2d)
          #26 0x7fb35cb8fb67 in QTest::qExec(QObject*, int, char**) (/home/qt/work/install/lib/libQt6Test.so.6+0xa9b67)
          #27 0x55e072532b8a in main /home/qt/work/qt/qtgrpc/tests/auto/grpc/client/serverstream/tst_grpc_client_serverstream.cpp:419
          #28 0x7fb35946a24c in __libc_start_main (/lib64/libc.so.6+0x3524c)
      

      previously allocated by thread T0 here:

          #0 0x7fb35cdbe9bf in operator new(unsigned long) (/usr/lib64/libasan.so.5+0x10b9bf)
          #1 0x7fb359ae153b in void std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_construct<char const*>(char const*, char const*, std::forward_iterator_tag) (/usr/lib64/libstdc++.so.6+0x14c53b)
      

      SUMMARY: AddressSanitizer: heap-use-after-free (/home/qt/work/install/lib/libQt6Core.so.6+0x32ba08)

      Shadow bytes around the buggy address:

        0x0c0680007600: fa fa 00 00 00 03 fa fa fd fd fd fd fa fa fd fd
        0x0c0680007610: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa
        0x0c0680007620: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
        0x0c0680007630: fa fa fd fd fd fa fa fa fd fd fd fd fa fa fd fd
        0x0c0680007640: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa
      =>0x0c0680007650: fd fd fd fa fa fa fd fd fd fd fa fa[fd]fd fd fd
        0x0c0680007660: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
        0x0c0680007670: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa
        0x0c0680007680: fd fd fd fd fa fa fd fd fd fd fa fa 00 00 00 00
        0x0c0680007690: fa fa 00 00 00 02 fa fa fd fd fd fd fa fa fd fd
        0x0c06800076a0: fd fa fa fa fd fd fd fd fa fa fd fd fd fd fa fa
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
        Shadow gap:              cc
      ==19389==ABORTING
      sanitizer-testrunner.py     INFO: Test exit code was: 1
      sanitizer-testrunner.py    ERROR: ASAN issues detected
      

          People

            kokujawa Konrad Kujawa (Inactive)
            jimis Dimitrios Apostolou