Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Fixed
Priority: P1: Critical
Fix Version/s: 6.7.0 FF
Affects Version/s: dev
Component/s: QPA: Wayland
Labels:
- ASAN

Commits:
53de6634c (dev)

Description

********* Start testing of tst_primaryselectionv1 *********
Config: Using QtTest library 6.7.0, Qt 6.7.0 (x86_64-little_endian-lp64 shared (dynamic) debug build; by GCC 9.3.1 20200406 [revision 6db837a5288ee3ca5ec504fbd5a765817e556ac2]), opensuse-leap 15.5
PASS   : tst_primaryselectionv1::initTestCase()
PASS   : tst_primaryselectionv1::bindsToManager()
PASS   : tst_primaryselectionv1::createsPrimaryDevice()
PASS   : tst_primaryselectionv1::createsPrimaryDeviceForNewSeats()
PASS   : tst_primaryselectionv1::pasteAscii()
PASS   : tst_primaryselectionv1::pasteUtf8()
PASS   : tst_primaryselectionv1::destroysPreviousSelection()
PASS   : tst_primaryselectionv1::destroysSelectionOnLeave()
PASS   : tst_primaryselectionv1::copy()
PASS   : tst_primaryselectionv1::cleanupTestCase()
Totals: 10 passed, 0 failed, 0 skipped, 0 blacklisted, 1251ms
********* Finished testing of tst_primaryselectionv1 *********
=================================================================

==2063==ERROR: AddressSanitizer: heap-use-after-free on address 0x60d000010050 at pc 0x55721073fab3 bp 0x7efe6de40720 sp 0x7efe6de40718

READ of size 8 at 0x60d000010050 thread T1

    #0 0x55721073fab2 in QtWaylandServer::zwp_primary_selection_device_v1::destroy_func(wl_resource*) tests/auto/client/shared/qwayland-server-wp-primary-selection-unstable-v1.cpp:345
    #1 0x7efe7625e221  (/usr/lib64/libwayland-server.so.0+0x9221)
    #2 0x7efe76262f1f  (/usr/lib64/libwayland-server.so.0+0xdf1f)
    #3 0x7efe762634fe  (/usr/lib64/libwayland-server.so.0+0xe4fe)
    #4 0x7efe7625e37c in wl_client_destroy (/usr/lib64/libwayland-server.so.0+0x937c)
    #5 0x7efe7625e45f  (/usr/lib64/libwayland-server.so.0+0x945f)
    #6 0x7efe762602a9 in wl_event_loop_dispatch (/usr/lib64/libwayland-server.so.0+0xb2a9)
    #7 0x5572105facd9 in MockCompositor::CoreCompositor::dispatch(int) /home/qt/work/qt/qtwayland/tests/auto/client/shared/corecompositor.cpp:66
    #8 0x5572105f9535 in operator() /home/qt/work/qt/qtwayland/tests/auto/client/shared/corecompositor.cpp:18
    #9 0x5572105fb889 in __invoke_impl<void, MockCompositor::CoreCompositor::CoreCompositor(MockCompositor::CoreCompositor::CompositorType, int)::<lambda()> > /usr/include/c++/9/bits/invoke.h:60
    #10 0x5572105fb83e in __invoke<MockCompositor::CoreCompositor::CoreCompositor(MockCompositor::CoreCompositor::CompositorType, int)::<lambda()> > /usr/include/c++/9/bits/invoke.h:95
    #11 0x5572105fb7eb in _M_invoke<0> /usr/include/c++/9/thread:244
    #12 0x5572105fb7c1 in operator() /usr/include/c++/9/thread:251
    #13 0x5572105fb7a5 in _M_run /usr/include/c++/9/thread:195
    #14 0x7efe74a59ac2  (/usr/lib64/libstdc++.so.6+0xdcac2)
    #15 0x7efe745fa6e9 in start_thread (/lib64/libpthread.so.0+0xa6e9)
    #16 0x7efe7451094e in clone (/lib64/libc.so.6+0x11794e)

0x60d000010050 is located 32 bytes inside of 136-byte region [0x60d000010030,0x60d0000100b8)

freed by thread T1 here:

    #0 0x7efe79265e45 in operator delete(void*, unsigned long) (/usr/lib64/libasan.so.5+0x10ce45)
    #1 0x5572108f20a8 in PrimarySelectionDeviceV1::~PrimarySelectionDeviceV1() /home/qt/work/qt/qtwayland/tests/auto/client/primaryselectionv1/tst_primaryselectionv1.cpp:85
    #2 0x5572108d5858 in PrimarySelectionDeviceV1::zwp_primary_selection_device_v1_destroy_resource(QtWaylandServer::zwp_primary_selection_device_v1::Resource*) /home/qt/work/qt/qtwayland/tests/auto/client/primaryselectionv1/tst_primaryselectionv1.cpp:135
    #3 0x55721073fa2f in QtWaylandServer::zwp_primary_selection_device_v1::destroy_func(wl_resource*) tests/auto/client/shared/qwayland-server-wp-primary-selection-unstable-v1.cpp:342
    #4 0x7efe7625e221  (/usr/lib64/libwayland-server.so.0+0x9221)

previously allocated by thread T1 here:

    #0 0x7efe792649bf in operator new(unsigned long) (/usr/lib64/libasan.so.5+0x10b9bf)
    #1 0x5572108d5e41 in PrimarySelectionDeviceManagerV1::deviceFor(MockCompositor::Seat*) /home/qt/work/qt/qtwayland/tests/auto/client/primaryselectionv1/tst_primaryselectionv1.cpp:164
    #2 0x5572108d60aa in PrimarySelectionDeviceManagerV1::zwp_primary_selection_device_manager_v1_get_device(QtWaylandServer::zwp_primary_selection_device_manager_v1::Resource*, unsigned int, wl_resource*) /home/qt/work/qt/qtwayland/tests/auto/client/primaryselectionv1/tst_primaryselectionv1.cpp:189
    #3 0x55721073e9e5 in QtWaylandServer::zwp_primary_selection_device_manager_v1::handle_get_device(wl_client*, wl_resource*, unsigned int, wl_resource*) tests/auto/client/shared/qwayland-server-wp-primary-selection-unstable-v1.cpp:207
    #4 0x7efe731766dc  (/usr/lib64/libffi.so.7+0x66dc)

Thread T1 created by T0 here:

    #0 0x7efe791951d2 in pthread_create (/usr/lib64/libasan.so.5+0x3c1d2)
    #1 0x7efe74a59e3b in std::thread::_M_start_thread(std::unique_ptr<std::thread::_State, std::default_delete<std::thread::_State> >, void (*)()) (/usr/lib64/libstdc++.so.6+0xdce3b)
    #2 0x5572105f97f7 in MockCompositor::CoreCompositor::CoreCompositor(MockCompositor::CoreCompositor::CompositorType, int) /home/qt/work/qt/qtwayland/tests/auto/client/shared/corecompositor.cpp:20
    #3 0x557210699e9e in MockCompositor::DefaultCompositor::DefaultCompositor(MockCompositor::CoreCompositor::CompositorType, int) /home/qt/work/qt/qtwayland/tests/auto/client/shared/mockcompositor.cpp:10
    #4 0x5572108d61be in PrimarySelectionCompositor::PrimarySelectionCompositor() /home/qt/work/qt/qtwayland/tests/auto/client/primaryselectionv1/tst_primaryselectionv1.cpp:215
    #5 0x5572108d6be3 in tst_primaryselectionv1::tst_primaryselectionv1() /home/qt/work/qt/qtwayland/tests/auto/client/primaryselectionv1/tst_primaryselectionv1.cpp:226
    #6 0x5572108c6e5d in main /home/qt/work/qt/qtwayland/tests/auto/client/primaryselectionv1/tst_primaryselectionv1.cpp:476
    #7 0x7efe7442e24c in __libc_start_main (/lib64/libc.so.6+0x3524c)

SUMMARY: AddressSanitizer: heap-use-after-free tests/auto/client/shared/qwayland-server-wp-primary-selection-unstable-v1.cpp:345 in QtWaylandServer::zwp_primary_selection_device_v1::destroy_func(wl_resource*)

Shadow bytes around the buggy address:

  0x0c1a7fff9fb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fff9fc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fff9fd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fff9fe0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fff9ff0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c1a7fffa000: fa fa fa fa fa fa fd fd fd fd[fd]fd fd fd fd fd
  0x0c1a7fffa010: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa
  0x0c1a7fffa020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fffa030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fffa040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fffa050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==2063==ABORTING
sanitizer-testrunner.py     INFO: Test exit code was: 1
sanitizer-testrunner.py    ERROR: ASAN issues detected