  2. QTCREATORBUG-15938

ASAN: heap-use-after-free in Debugger::Internal::DebuggerPlugin::~DebuggerPlugin()


Details

    • Bug
    • Resolution: Done
    • Not Evaluated
    • Qt Creator 4.0.0-rc1
    • Qt Creator 4.0.0-rc1
    • Debugger
    • None
    • 259c3cb4d48cdfb11a17b51ae1df597f37841aac

    Description

      1. Start Qt Creator asan build with clean settings
      2. Quit Qt Creator

      ...produces the report below. The trace shows a destruction-order problem at plugin shutdown: DebuggerPlugin::~DebuggerPlugin() (debuggerplugin.cpp:3176) first deletes DebuggerPluginPrivate, which deletes the DebuggerMainWindow (the "freed by" stack), and only then does the base IPlugin::~IPlugin() run its PluginManager::removeObject() loop for objects the plugin still has registered. Removing the DebugMode object goes through MainWindow::removeContextObject() → DebugMode::widget() → DebuggerMainWindow::modeWindow(), i.e. a read of the already-freed window (the "READ of size 8" stack). Without ASan this read would most likely go unnoticed unless the allocator had already reused the block, so the missing piece appears to be removing/destroying the registered DebugMode object before the private data it refers to is deleted (or otherwise guarding DebugMode::widget() during shutdown) — to be confirmed against the fix commit.

      =================================================================
      ==12525==ERROR: AddressSanitizer: heap-use-after-free on address 0x60d000685130 at pc 0x7f7e2b5266f1 bp 0x7ffeaa381790 sp 0x7ffeaa381788
      READ of size 8 at 0x60d000685130 thread T0
          #0 0x7f7e2b5266f0 in Utils::DebuggerMainWindow::modeWindow() /home/nik/dev/creator/creator-ut/src/plugins/debugger/debuggermainwindow.cpp:124:12
          #1 0x7f7e2b6d59bd in Debugger::Internal::DebugMode::widget() const /home/nik/dev/creator/creator-ut/src/plugins/debugger/debuggerplugin.cpp:516:47
          #2 0x7f7e356884e7 in Core::Internal::MainWindow::removeContextObject(Core::IContext*) /home/nik/dev/creator/creator-ut/src/plugins/coreplugin/mainwindow.cpp:893:23
          #3 0x7f7e35d18d91 in Core::ModeManager::aboutToRemoveObject(QObject*) /home/nik/dev/creator/creator-ut/src/plugins/coreplugin/modemanager.cpp:231:5
          #4 0x7f7e35d3d55c in QtPrivate::FunctorCall<QtPrivate::IndexesList<0>, QtPrivate::List<QObject*>, void, void (Core::ModeManager::*)(QObject*)>::call(void (Core::ModeManager::*)(QObject*), Core::ModeManager*, void**) /home/nik/usr/qt-5.6.0-install/5.6/gcc_64/include/QtCore/qobjectdefs_impl.h:501:14
          #5 0x7f7e35d3d051 in void QtPrivate::FunctionPointer<void (Core::ModeManager::*)(QObject*)>::call<QtPrivate::List<QObject*>, void>(void (Core::ModeManager::*)(QObject*), Core::ModeManager*, void**) /home/nik/usr/qt-5.6.0-install/5.6/gcc_64/include/QtCore/qobjectdefs_impl.h:520:13
          #6 0x7f7e35d3c77b in QtPrivate::QSlotObject<void (Core::ModeManager::*)(QObject*), QtPrivate::List<QObject*>, void>::impl(int, QtPrivate::QSlotObjectBase*, QObject*, void**, bool*) /home/nik/usr/qt-5.6.0-install/5.6/gcc_64/include/QtCore/qobject_impl.h:143:17
          #7 0x7f7e542fd40d in QMetaObject::activate(QObject*, int, int, void**) (/home/nik/usr/qt-5.6.0-install/5.6/gcc_64/lib/libQt5Core.so.5+0x29540d)
          #8 0x7f7e56dfe73b in ExtensionSystem::PluginManager::aboutToRemoveObject(QObject*) /home/nik/dev/creator/creator-ut_build_asan/src/libs/extensionsystem/.moc/debug-shared/moc_pluginmanager.cpp:196:5
          #9 0x7f7e56cb30a6 in ExtensionSystem::Internal::PluginManagerPrivate::removeObject(QObject*) /home/nik/dev/creator/creator-ut/src/libs/extensionsystem/pluginmanager.cpp:1210:10
          #10 0x7f7e56cb271c in ExtensionSystem::PluginManager::removeObject(QObject*) /home/nik/dev/creator/creator-ut/src/libs/extensionsystem/pluginmanager.cpp:332:5
          #11 0x7f7e56ca9e37 in ExtensionSystem::IPlugin::~IPlugin() /home/nik/dev/creator/creator-ut/src/libs/extensionsystem/iplugin.cpp:195:9
          #12 0x7f7e2b5db4da in Debugger::Internal::DebuggerPlugin::~DebuggerPlugin() /home/nik/dev/creator/creator-ut/src/plugins/debugger/debuggerplugin.cpp:3179:1
          #13 0x7f7e2b5db663 in Debugger::Internal::DebuggerPlugin::~DebuggerPlugin() /home/nik/dev/creator/creator-ut/src/plugins/debugger/debuggerplugin.cpp:3175:1
          #14 0x7f7e56d82258 in ExtensionSystem::Internal::PluginSpecPrivate::kill() /home/nik/dev/creator/creator-ut/src/libs/extensionsystem/pluginspec.cpp:1046:5
          #15 0x7f7e56cceb28 in ExtensionSystem::Internal::PluginManagerPrivate::loadPlugin(ExtensionSystem::PluginSpec*, ExtensionSystem::PluginSpec::State) /home/nik/dev/creator/creator-ut/src/libs/extensionsystem/pluginmanager.cpp:1364:9
          #16 0x7f7e56cd0371 in ExtensionSystem::Internal::PluginManagerPrivate::deleteAll() /home/nik/dev/creator/creator-ut/src/libs/extensionsystem/pluginmanager.cpp:933:9
          #17 0x7f7e56cb7c49 in ExtensionSystem::Internal::PluginManagerPrivate::shutdown() /home/nik/dev/creator/creator-ut/src/libs/extensionsystem/pluginmanager.cpp:1259:5
          #18 0x7f7e56cb7746 in ExtensionSystem::PluginManager::shutdown() /home/nik/dev/creator/creator-ut/src/libs/extensionsystem/pluginmanager.cpp:435:5
          #19 0x7f7e56dfda8b in ExtensionSystem::PluginManager::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) /home/nik/dev/creator/creator-ut_build_asan/src/libs/extensionsystem/.moc/debug-shared/moc_pluginmanager.cpp:105:17
          #20 0x7f7e542fccee in QMetaObject::activate(QObject*, int, int, void**) (/home/nik/usr/qt-5.6.0-install/5.6/gcc_64/lib/libQt5Core.so.5+0x294cee)
          #21 0x7f7e542d9dfa in QCoreApplication::exec() (/home/nik/usr/qt-5.6.0-install/5.6/gcc_64/lib/libQt5Core.so.5+0x271dfa)
          #22 0x51aac0 in main /home/nik/dev/creator/creator-ut/src/app/main.cpp:527:12
          #23 0x7f7e52b2dec4 in __libc_start_main /build/eglibc-3GlaMS/eglibc-2.19/csu/libc-start.c:287
          #24 0x442904 in _start (/home/nik/dev/creator/creator-ut_build_asan/bin/qtcreator+0x442904)
      
      0x60d000685130 is located 128 bytes inside of 136-byte region [0x60d0006850b0,0x60d000685138)
      freed by thread T0 here:
          #0 0x4e9302 in operator delete(void*) (/home/nik/dev/creator/creator-ut_build_asan/bin/qtcreator+0x4e9302)
          #1 0x7f7e2b524890 in Utils::DebuggerMainWindow::~DebuggerMainWindow() /home/nik/dev/creator/creator-ut/src/plugins/debugger/debuggermainwindow.cpp:81:1
          #2 0x7f7e2b56640f in Debugger::Internal::DebuggerPluginPrivate::~DebuggerPluginPrivate() /home/nik/dev/creator/creator-ut/src/plugins/debugger/debuggerplugin.cpp:1057:5
          #3 0x7f7e2b5666f3 in Debugger::Internal::DebuggerPluginPrivate::~DebuggerPluginPrivate() /home/nik/dev/creator/creator-ut/src/plugins/debugger/debuggerplugin.cpp:1045:1
          #4 0x7f7e2b5db4b7 in Debugger::Internal::DebuggerPlugin::~DebuggerPlugin() /home/nik/dev/creator/creator-ut/src/plugins/debugger/debuggerplugin.cpp:3176:5
          #5 0x7f7e2b5db663 in Debugger::Internal::DebuggerPlugin::~DebuggerPlugin() /home/nik/dev/creator/creator-ut/src/plugins/debugger/debuggerplugin.cpp:3175:1
          #6 0x7f7e56d82258 in ExtensionSystem::Internal::PluginSpecPrivate::kill() /home/nik/dev/creator/creator-ut/src/libs/extensionsystem/pluginspec.cpp:1046:5
          #7 0x7f7e56cceb28 in ExtensionSystem::Internal::PluginManagerPrivate::loadPlugin(ExtensionSystem::PluginSpec*, ExtensionSystem::PluginSpec::State) /home/nik/dev/creator/creator-ut/src/libs/extensionsystem/pluginmanager.cpp:1364:9
          #8 0x7f7e56cd0371 in ExtensionSystem::Internal::PluginManagerPrivate::deleteAll() /home/nik/dev/creator/creator-ut/src/libs/extensionsystem/pluginmanager.cpp:933:9
          #9 0x7f7e56cb7c49 in ExtensionSystem::Internal::PluginManagerPrivate::shutdown() /home/nik/dev/creator/creator-ut/src/libs/extensionsystem/pluginmanager.cpp:1259:5
          #10 0x7f7e56cb7746 in ExtensionSystem::PluginManager::shutdown() /home/nik/dev/creator/creator-ut/src/libs/extensionsystem/pluginmanager.cpp:435:5
          #11 0x7f7e56dfda8b in ExtensionSystem::PluginManager::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) /home/nik/dev/creator/creator-ut_build_asan/src/libs/extensionsystem/.moc/debug-shared/moc_pluginmanager.cpp:105:17
          #12 0x7f7e542fccee in QMetaObject::activate(QObject*, int, int, void**) (/home/nik/usr/qt-5.6.0-install/5.6/gcc_64/lib/libQt5Core.so.5+0x294cee)
          #13 0x7f7e542d9dfa in QCoreApplication::exec() (/home/nik/usr/qt-5.6.0-install/5.6/gcc_64/lib/libQt5Core.so.5+0x271dfa)
          #14 0x51aac0 in main /home/nik/dev/creator/creator-ut/src/app/main.cpp:527:12
          #15 0x7f7e52b2dec4 in __libc_start_main /build/eglibc-3GlaMS/eglibc-2.19/csu/libc-start.c:287
      
      previously allocated by thread T0 here:
          #0 0x4e8d42 in operator new(unsigned long) (/home/nik/dev/creator/creator-ut_build_asan/bin/qtcreator+0x4e8d42)
          #1 0x7f7e2b57389c in Debugger::Internal::DebuggerPluginPrivate::initialize(QStringList const&, QString*) /home/nik/dev/creator/creator-ut/src/plugins/debugger/debuggerplugin.cpp:1244:20
          #2 0x7f7e2b5dc0e3 in Debugger::Internal::DebuggerPlugin::initialize(QStringList const&, QString*) /home/nik/dev/creator/creator-ut/src/plugins/debugger/debuggerplugin.cpp:3210:12
          #3 0x7f7e56d806a7 in ExtensionSystem::Internal::PluginSpecPrivate::initializePlugin() /home/nik/dev/creator/creator-ut/src/libs/extensionsystem/pluginspec.cpp:978:10
          #4 0x7f7e56ccfc60 in ExtensionSystem::Internal::PluginManagerPrivate::loadPlugin(ExtensionSystem::PluginSpec*, ExtensionSystem::PluginSpec::State) /home/nik/dev/creator/creator-ut/src/libs/extensionsystem/pluginmanager.cpp:1393:9
          #5 0x7f7e56cb3e1c in ExtensionSystem::Internal::PluginManagerPrivate::loadPlugins() /home/nik/dev/creator/creator-ut/src/libs/extensionsystem/pluginmanager.cpp:1225:9
          #6 0x7f7e56cb335f in ExtensionSystem::PluginManager::loadPlugins() /home/nik/dev/creator/creator-ut/src/libs/extensionsystem/pluginmanager.cpp:363:12
          #7 0x51a5c4 in main /home/nik/dev/creator/creator-ut/src/app/main.cpp:511:5
          #8 0x7f7e52b2dec4 in __libc_start_main /build/eglibc-3GlaMS/eglibc-2.19/csu/libc-start.c:287
      
      SUMMARY: AddressSanitizer: heap-use-after-free /home/nik/dev/creator/creator-ut/src/plugins/debugger/debuggermainwindow.cpp:124 Utils::DebuggerMainWindow::modeWindow()
      Shadow bytes around the buggy address:
        0x0c1a800c89d0: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
        0x0c1a800c89e0: fa fa fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c1a800c89f0: fd fd fd fd fa fa fa fa fa fa fa fa 00 00 00 00
        0x0c1a800c8a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa
        0x0c1a800c8a10: fa fa fa fa fa fa fd fd fd fd fd fd fd fd fd fd
      =>0x0c1a800c8a20: fd fd fd fd fd fd[fd]fa fa fa fa fa fa fa fa fa
        0x0c1a800c8a30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c1a800c8a40: fd fa fa fa fa fa fa fa fa fa fd fd fd fd fd fd
        0x0c1a800c8a50: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa
        0x0c1a800c8a60: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c1a800c8a70: fd fd fd fd fd fa fa fa fa fa fa fa fa fa fd fd
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Heap right redzone:      fb
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack partial redzone:   f4
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
      ==12525==ABORTING
      
