Uploaded image for project: 'Qt Creator'
  1. Qt Creator
  2. QTCREATORBUG-20223

DiffEditor: heap-use-after-free/heap-buffer-overflow in DescriptionWidgetWatcher::descriptionWidget

    XMLWordPrintable

Details

    • Bug
    • Resolution: Done
    • P1: Critical
    • Qt Creator 4.6.1
    • Qt Creator 4.6.0
    • All Other Issues, Editors
    • None
    • e806ea40ccaff89857604d53fc8e78a155ce9ad1

    Description

      =================================================================
      ==3105==ERROR: AddressSanitizer: heap-use-after-free on address 0x60b0001c1ea0 at pc 0x7fb1dea4d9ef bp 0x7fff78054720 sp 0x7fff78054710
      READ of size 8 at 0x60b0001c1ea0 thread T0
          #0 0x7fb1dea4d9ee in DiffEditor::DescriptionWidgetWatcher::descriptionWidget(Core::IEditor*) const /d1/creator/ut/4.6/asan/src/plugins/diffeditor/descriptionwidgetwatcher.cpp:72
          #1 0x7fb1dea4cf9b in operator() /d1/creator/ut/4.6/asan/src/plugins/diffeditor/descriptionwidgetwatcher.cpp:49
          #2 0x7fb1dea4e07d in call /home/nik/opt/qt-5.9.0/5.9/gcc_64/include/QtCore/qobjectdefs_impl.h:130
          #3 0x7fb1dea4df59 in call<QtPrivate::List<Core::IEditor*>, void> /home/nik/opt/qt-5.9.0/5.9/gcc_64/include/QtCore/qobjectdefs_impl.h:242
          #4 0x7fb1dea4de9b in impl /home/nik/opt/qt-5.9.0/5.9/gcc_64/include/QtCore/qobject_impl.h:168
          #5 0x7fb20e68b2b5 in QMetaObject::activate(QObject*, int, int, void**) (/home/nik/opt/qt-5.9.0/5.9/gcc_64/lib/libQt5Core.so.5+0x29c2b5)
          #6 0x7fb1fedeabd4 in Core::EditorManager::editorOpened(Core::IEditor*) .moc/debug-shared/moc_editormanager.cpp:428
          #7 0x7fb1fe9794cc in Core::Internal::EditorManagerPrivate::addEditor(Core::IEditor*) editormanager/editormanager.cpp:1177
          #8 0x7fb1fe993165 in Core::EditorManager::openEditorWithContents(Core::Id, QString*, QByteArray const&, QString const&, QFlags<Core::EditorManager::OpenEditorFlag>) editormanager/editormanager.cpp:2810
          #9 0x7fb1dea67239 in DiffEditor::DiffEditorController::findOrCreateDocument(QString const&, QString const&) /d1/creator/ut/4.6/asan/src/plugins/diffeditor/diffeditorcontroller.cpp:80
          #10 0x7fb1da57663b in Git::Internal::GitClient::requestReload(QString const&, QString const&, QString const&, std::function<DiffEditor::DiffEditorController* (Core::IDocument*)>) const /d1/creator/ut/4.6/asan/src/plugins/git/gitclient.cpp:890
          #11 0x7fb1da577d2e in Git::Internal::GitClient::diffRepository(QString const&) /d1/creator/ut/4.6/asan/src/plugins/git/gitclient.cpp:934
          #12 0x7fb1da52d27d in operator() /d1/creator/ut/4.6/asan/src/plugins/git/gitplugin.cpp:284
          #13 0x7fb1da555be8 in _M_invoke /usr/include/c++/7/bits/std_function.h:316
          #14 0x7fb210687b73 in std::function<void ()>::operator()() const (/d1/creator/ut/4.6/asan/bin/../lib/qtcreator/libExtensionSystem.so.4+0x72b73)
          #15 0x7fb1da569086 in QtPrivate::FunctorCall<QtPrivate::IndexesList<>, QtPrivate::List<>, void, std::function<void ()> >::call(std::function<void ()>&, void**) /home/nik/opt/qt-5.9.0/5.9/gcc_64/include/QtCore/qobjectdefs_impl.h:130
          #16 0x7fb1da5685cc in void QtPrivate::Functor<std::function<void ()>, 0>::call<QtPrivate::List<>, void>(std::function<void ()>&, void*, void**) /home/nik/opt/qt-5.9.0/5.9/gcc_64/include/QtCore/qobjectdefs_impl.h:242
          #17 0x7fb1da566bd3 in QtPrivate::QFunctorSlotObject<std::function<void ()>, 0, QtPrivate::List<>, void>::impl(int, QtPrivate::QSlotObjectBase*, QObject*, void**, bool*) /home/nik/opt/qt-5.9.0/5.9/gcc_64/include/QtCore/qobject_impl.h:168
          #18 0x7fb20e68b2b5 in QMetaObject::activate(QObject*, int, int, void**) (/home/nik/opt/qt-5.9.0/5.9/gcc_64/lib/libQt5Core.so.5+0x29c2b5)
          #19 0x7fb20f7b2551 in QAction::triggered(bool) (/home/nik/opt/qt-5.9.0/5.9/gcc_64/lib/libQt5Widgets.so.5+0x14d551)
          #20 0x7fb2101d082b in QtPrivate::FunctorCall<QtPrivate::IndexesList<0>, QtPrivate::List<bool>, void, void (QAction::*)(bool)>::call(void (QAction::*)(bool), QAction*, void**) (/d1/creator/ut/4.6/asan/bin/../lib/qtcreator/libUtils.so.4+0x33a82b)
          #21 0x7fb2101d0394 in void QtPrivate::FunctionPointer<void (QAction::*)(bool)>::call<QtPrivate::List<bool>, void>(void (QAction::*)(bool), QAction*, void**) (/d1/creator/ut/4.6/asan/bin/../lib/qtcreator/libUtils.so.4+0x33a394)
          #22 0x7fb2101d00dc in QtPrivate::QSlotObject<void (QAction::*)(bool), QtPrivate::List<bool>, void>::impl(int, QtPrivate::QSlotObjectBase*, QObject*, void**, bool*) (/d1/creator/ut/4.6/asan/bin/../lib/qtcreator/libUtils.so.4+0x33a0dc)
          #23 0x7fb20e68b2b5 in QMetaObject::activate(QObject*, int, int, void**) (/home/nik/opt/qt-5.9.0/5.9/gcc_64/lib/libQt5Core.so.5+0x29c2b5)
          #24 0x7fb20f7b2551 in QAction::triggered(bool) (/home/nik/opt/qt-5.9.0/5.9/gcc_64/lib/libQt5Widgets.so.5+0x14d551)
          #25 0x7fb20f7b49ef in QAction::activate(QAction::ActionEvent) (/home/nik/opt/qt-5.9.0/5.9/gcc_64/lib/libQt5Widgets.so.5+0x14f9ef)
          #26 0x7fb20f7b52ae in QAction::event(QEvent*) (/home/nik/opt/qt-5.9.0/5.9/gcc_64/lib/libQt5Widgets.so.5+0x1502ae)
          #27 0x7fb20f7b84bb in QApplicationPrivate::notify_helper(QObject*, QEvent*) (/home/nik/opt/qt-5.9.0/5.9/gcc_64/lib/libQt5Widgets.so.5+0x1534bb)
          #28 0x7fb20f7bf8e6 in QApplication::notify(QObject*, QEvent*) (/home/nik/opt/qt-5.9.0/5.9/gcc_64/lib/libQt5Widgets.so.5+0x15a8e6)
          #29 0x7fb20e660e77 in QCoreApplication::notifyInternal2(QObject*, QEvent*) (/home/nik/opt/qt-5.9.0/5.9/gcc_64/lib/libQt5Core.so.5+0x271e77)
          #30 0x7fb20f010d37 in QShortcutMap::dispatchEvent(QKeyEvent*) (/home/nik/opt/qt-5.9.0/5.9/gcc_64/lib/libQt5Gui.so.5+0x158d37)
          #31 0x7fb20f010df8 in QShortcutMap::tryShortcut(QKeyEvent*) (/home/nik/opt/qt-5.9.0/5.9/gcc_64/lib/libQt5Gui.so.5+0x158df8)
          #32 0x7fb20efc6851 in QWindowSystemInterface::handleShortcutEvent(QWindow*, unsigned long, int, QFlags<Qt::KeyboardModifier>, unsigned int, unsigned int, unsigned int, QString const&, bool, unsigned short) (/home/nik/opt/qt-5.9.0/5.9/gcc_64/lib/libQt5Gui.so.5+0x10e851)
          #33 0x7fb20efe1cbb in QGuiApplicationPrivate::processKeyEvent(QWindowSystemInterfacePrivate::KeyEvent*) (/home/nik/opt/qt-5.9.0/5.9/gcc_64/lib/libQt5Gui.so.5+0x129cbb)
          #34 0x7fb20efe6d64 in QGuiApplicationPrivate::processWindowSystemEvent(QWindowSystemInterfacePrivate::WindowSystemEvent*) (/home/nik/opt/qt-5.9.0/5.9/gcc_64/lib/libQt5Gui.so.5+0x12ed64)
          #35 0x7fb20efc2d7a in QWindowSystemInterface::sendWindowSystemEvents(QFlags<QEventLoop::ProcessEventsFlag>) (/home/nik/opt/qt-5.9.0/5.9/gcc_64/lib/libQt5Gui.so.5+0x10ad7a)
          #36 0x7fb1f81e1f9f  (/home/nik/opt/qt-5.9.0/5.9/gcc_64/plugins/platforms/../../lib/libQt5XcbQpa.so.5+0xb0f9f)
          #37 0x7fb209c68fb6 in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4afb6)
          #38 0x7fb209c691ef  (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4b1ef)
          #39 0x7fb209c6927b in g_main_context_iteration (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4b27b)
          #40 0x7fb20e6b293e in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (/home/nik/opt/qt-5.9.0/5.9/gcc_64/lib/libQt5Core.so.5+0x2c393e)
          #41 0x7fb20e65f5e9 in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) (/home/nik/opt/qt-5.9.0/5.9/gcc_64/lib/libQt5Core.so.5+0x2705e9)
          #42 0x7fb20e667a43 in QCoreApplication::exec() (/home/nik/opt/qt-5.9.0/5.9/gcc_64/lib/libQt5Core.so.5+0x278a43)
          #43 0x55ea28938cf4 in main /d1/creator/ut/4.6/asan/src/app/main.cpp:546
          #44 0x7fb20d8741c0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x211c0)
          #45 0x55ea2891fc69 in _start (/d1/creator/ut/4.6/asan/bin/qtcreator+0xcc69)
      
      0x60b0001c1ea0 is located 64 bytes inside of 98-byte region [0x60b0001c1e60,0x60b0001c1ec2)
      freed by thread T367 (QThread) here:
          #0 0x7fb210a007b8 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xde7b8)
          #1 0x7fb1fe892a47 in QTypedArrayData<unsigned short>::deallocate(QArrayData*) /home/nik/opt/qt-5.9.0/5.9/gcc_64/include/QtCore/qarraydata.h:237
          #2 0x7fb1fe892544 in QString::~QString() /home/nik/opt/qt-5.9.0/5.9/gcc_64/include/QtCore/qstring.h:1084
          #3 0x7fb1fec9418d in Core::LocatorFilterEntry::~LocatorFilterEntry() .moc/debug-shared/../../locator/ilocatorfilter.h:40
          #4 0x7fb1fec9763e in QList<Core::LocatorFilterEntry>::node_destruct(QList<Core::LocatorFilterEntry>::Node*, QList<Core::LocatorFilterEntry>::Node*) /home/nik/opt/qt-5.9.0/5.9/gcc_64/include/QtCore/qlist.h:494
          #5 0x7fb1fec95720 in QList<Core::LocatorFilterEntry>::dealloc(QListData::Data*) /home/nik/opt/qt-5.9.0/5.9/gcc_64/include/QtCore/qlist.h:865
          #6 0x7fb1fec949cd in QList<Core::LocatorFilterEntry>::~QList() /home/nik/opt/qt-5.9.0/5.9/gcc_64/include/QtCore/qlist.h:827
          #7 0x7fb1fedaaca3 in Core::Internal::runSearch(QFutureInterface<Core::LocatorFilterEntry>&, QList<Core::ILocatorFilter*> const&, QString const&) locator/locatorsearchutils.cpp:52
          #8 0x7fb1fed7bd8a in void Utils::Internal::runAsyncQFutureInterfaceDispatch<Core::LocatorFilterEntry, void (*)(QFutureInterface<Core::LocatorFilterEntry>&, QList<Core::ILocatorFilter*> const&, QString const&), QList<Core::ILocatorFilter*>, QString>(std::integral_constant<bool, true>, QFutureInterface<Core::LocatorFilterEntry>, void (*&&)(QFutureInterface<Core::LocatorFilterEntry>&, QList<Core::ILocatorFilter*> const&, QString const&), QList<Core::ILocatorFilter*>&&, QString&&) ../../libs/utils/runextensions.h:253
          #9 0x7fb1fed7bbff in void Utils::Internal::runAsyncMemberDispatch<Core::LocatorFilterEntry, void (*)(QFutureInterface<Core::LocatorFilterEntry>&, QList<Core::ILocatorFilter*> const&, QString const&), QList<Core::ILocatorFilter*>, QString, void>(QFutureInterface<Core::LocatorFilterEntry>, void (*&&)(QFutureInterface<Core::LocatorFilterEntry>&, QList<Core::ILocatorFilter*> const&, QString const&), QList<Core::ILocatorFilter*>&&, QString&&) ../../libs/utils/runextensions.h:270
          #10 0x7fb1fed7b962 in void Utils::Internal::runAsyncImpl<Core::LocatorFilterEntry, void (*)(QFutureInterface<Core::LocatorFilterEntry>&, QList<Core::ILocatorFilter*> const&, QString const&), QList<Core::ILocatorFilter*>, QString>(QFutureInterface<Core::LocatorFilterEntry>, void (*&&)(QFutureInterface<Core::LocatorFilterEntry>&, QList<Core::ILocatorFilter*> const&, QString const&), QList<Core::ILocatorFilter*>&&, QString&&) ../../libs/utils/runextensions.h:299
          #11 0x7fb1fed7b4a1 in void Utils::Internal::AsyncJob<Core::LocatorFilterEntry, void (*)(QFutureInterface<Core::LocatorFilterEntry>&, QList<Core::ILocatorFilter*> const&, QString const&), QList<Core::ILocatorFilter*> const&, QString&>::runHelper<0ul, 1ul, 2ul>(std::integer_sequence<unsigned long, 0ul, 1ul, 2ul>) (/d1/creator/ut/4.6/asan/lib/qtcreator/plugins/libCore.so+0x7064a1)
          #12 0x7fb1fed7b180 in Utils::Internal::AsyncJob<Core::LocatorFilterEntry, void (*)(QFutureInterface<Core::LocatorFilterEntry>&, QList<Core::ILocatorFilter*> const&, QString const&), QList<Core::ILocatorFilter*> const&, QString&>::run() ../../libs/utils/runextensions.h:348
          #13 0x7fb210231b79 in Utils::Internal::RunnableThread::run() /d1/creator/ut/4.6/asan/src/libs/utils/runextensions.cpp:39
          #14 0x7fb20e4984b9  (/home/nik/opt/qt-5.9.0/5.9/gcc_64/lib/libQt5Core.so.5+0xa94b9)
          #15 0x7fb20e1d77fb in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x77fb)
      
      previously allocated by thread T367 (QThread) here:
          #0 0x7fb210a00b50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
          #1 0x7fb20e49960c in QArrayData::allocate(unsigned long, unsigned long, unsigned long, QFlags<QArrayData::AllocationOption>) (/home/nik/opt/qt-5.9.0/5.9/gcc_64/lib/libQt5Core.so.5+0xaa60c)
      
      Thread T367 (QThread) created by T0 here:
          #0 0x7fb210959d2f in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x37d2f)
          #1 0x7fb20e497a25 in QThread::start(QThread::Priority) (/home/nik/opt/qt-5.9.0/5.9/gcc_64/lib/libQt5Core.so.5+0xa8a25)
      
      SUMMARY: AddressSanitizer: heap-use-after-free /d1/creator/ut/4.6/asan/src/plugins/diffeditor/descriptionwidgetwatcher.cpp:72 in DiffEditor::DescriptionWidgetWatcher::descriptionWidget(Core::IEditor*) const
      Shadow bytes around the buggy address:
        0x0c1680030380: fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c1680030390: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c16800303a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa
        0x0c16800303b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c16800303c0: fa fa fa fa fa fa fa fa fa fa fa fa fd fd fd fd
      =>0x0c16800303d0: fd fd fd fd[fd]fd fd fd fd fa fa fa fa fa fa fa
        0x0c16800303e0: fa fa fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c16800303f0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
        0x0c1680030400: 00 00 00 00 00 00 fa fa fa fa fa fa fa fa 00 00
        0x0c1680030410: 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
        0x0c1680030420: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
      ==3105==ABORTING
      ConnectionServer error: "QLocalSocket: Remote closed" "/tmp/QtCreator-hNJIOg/ClangBackEnd-3105"
      
      =================================================================
      ==3112==ERROR: LeakSanitizer: detected memory leaks
      
      Direct leak of 67584 byte(s) in 1 object(s) allocated from:
          #0 0x7fa721a8eb50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
          #1 0x7fa71ee2a4ba in RegisterHandlers() (/d2/llvm/5.0/installs/qtc46_assertsOff/lib/libclang.so.5+0xfdb4ba)
      
      SUMMARY: AddressSanitizer: 67584 byte(s) leaked in 1 allocation(s).
      
       

      Attachments

        For Gerrit Dashboard: QTCREATORBUG-20223
        # Subject Branch Project Status CR V

        Activity

          People

            jkobus Jarek Kobus
            kosjar Nikolai Kosjar
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Gerrit Reviews

                There are no open Gerrit changes