  1. Qt Creator
  2. QTCREATORBUG-21996

heap-use-after-free in TaskScheduler


Details

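    Description

      Reading of the report below: the test itself passes, and AddressSanitizer aborts afterwards, while QCoreApplication is destroyed in main (unittests-main.cpp:46). A CallableEvent, apparently still queued at that point, is destroyed by QCoreApplicationPrivate::cleanupThreadData(); its destructor (taskscheduler.h:168) calls the lambda created in TaskScheduler::addTasks (taskscheduler.h:93), which reads 8 bytes inside the 1704-byte test fixture object that ~TaskScheduler_AddTasks_Test (taskscheduler-test.cpp:83) had already freed.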

      11:36:14: Starting /d1/creator/4.9/builds/unit_asan/unittest/unittest --gtest_filter=TaskScheduler.AddTasks...
      
      Note: Google Test filter = TaskScheduler.AddTasks
      
      [==========] Running 1 test from 1 test suite.
      
      [----------] Global test environment set-up.
      
      [----------] 1 test from TaskScheduler
      
      [ RUN      ] TaskScheduler.AddTasks
      
      [       OK ] TaskScheduler.AddTasks (0 ms)
      
      [----------] 1 test from TaskScheduler (0 ms total)
      
      
      
      [----------] Global test environment tear-down
      
      [==========] 1 test from 1 test suite ran. (0 ms total)
      
      [  PASSED  ] 1 test.
      
      =================================================================
      
      ==30347==ERROR: AddressSanitizer: heap-use-after-free on address 0x61c000000708 at pc 0x5613a24ef139 bp 0x7ffc6914fb70 sp 0x7ffc6914fb60
      
      READ of size 8 at 0x61c000000708 thread T0
      
      
      #0 0x5613a24ef138 in _ZZZN12ClangBackEnd13TaskSchedulerIN7testing8NiceMockI20MockProcessorManagerEESt8functionIFvRNS_18ProcessorInterfaceEEEE8addTasksEOSt6vectorIS9_SaIS9_EEENKUlT_E_clISt17reference_wrapperIS6_EEES7_SF_ENKUlvE_clEv ../../../source/src/tools/clangpchmanagerbackend/source/taskscheduler.h:93
      
      #1 0x5613a24febd2 in _ZN12ClangBackEnd13TaskSchedulerIN7testing8NiceMockI20MockProcessorManagerEESt8functionIFvRNS_18ProcessorInterfaceEEEE13CallableEventIZZNSA_8addTasksEOSt6vectorIS9_SaIS9_EEENKUlT_E_clISt17reference_wrapperIS6_EEES7_SG_EUlvE_ED2Ev ../../../source/src/tools/clangpchmanagerbackend/source/taskscheduler.h:168
      
      #2 0x5613a24febf9 in _ZN12ClangBackEnd13TaskSchedulerIN7testing8NiceMockI20MockProcessorManagerEESt8functionIFvRNS_18ProcessorInterfaceEEEE13CallableEventIZZNSA_8addTasksEOSt6vectorIS9_SaIS9_EEENKUlT_E_clISt17reference_wrapperIS6_EEES7_SG_EUlvE_ED0Ev ../../../source/src/tools/clangpchmanagerbackend/source/taskscheduler.h:169
      
      #3 0x7ffadce54fb7 in QCoreApplicationPrivate::cleanupThreadData() (/home/nik/opt/qt-5.9.5/5.9.5/gcc_64/lib/libQt5Core.so.5+0x27bfb7)
      
      #4 0x7ffadce55069 in QCoreApplicationPrivate::~QCoreApplicationPrivate() (/home/nik/opt/qt-5.9.5/5.9.5/gcc_64/lib/libQt5Core.so.5+0x27c069)
      
      #5 0x7ffadce55188 in QCoreApplicationPrivate::~QCoreApplicationPrivate() (/home/nik/opt/qt-5.9.5/5.9.5/gcc_64/lib/libQt5Core.so.5+0x27c188)
      
      #6 0x7ffadce84d3b in QObject::~QObject() (/home/nik/opt/qt-5.9.5/5.9.5/gcc_64/lib/libQt5Core.so.5+0x2abd3b)
      
      #7 0x7ffadce54d11 in QCoreApplication::~QCoreApplication() (/home/nik/opt/qt-5.9.5/5.9.5/gcc_64/lib/libQt5Core.so.5+0x27bd11)
      
      #8 0x5613a2103c42 in main ../../../source/tests/unit/unittest/unittests-main.cpp:46
      
      #9 0x7ffadbcabb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
      
      #10 0x5613a0e71a59 in _start (/d1/creator/4.9/builds/unit_asan/unittest/unittest+0x6cda59)
      
      
      
      
      0x61c000000708 is located 1672 bytes inside of 1704-byte region [0x61c000000080,0x61c000000728)
      
      freed by thread T0 here:
      
      
      #0 0x7ffae22969d8 in operator delete(void*, unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xe19d8)
      
      #1 0x5613a24fb3b4 in ~TaskScheduler_AddTasks_Test ../../../source/tests/unit/unittest/taskscheduler-test.cpp:83
      
      #2 0x5613a0ea208e in testing::Test::DeleteSelf_() (/d1/creator/4.9/builds/unit_asan/unittest/unittest+0x6fe08e)
      
      #3 0x5613a0f12f67 in void testing::internal::HandleSehExceptionsInMethodIfSupported<testing::Test, void>(testing::Test*, void (testing::Test::*)(), char const*) (/d1/creator/4.9/builds/unit_asan/unittest/unittest+0x76ef67)
      
      #4 0x5613a0f044f6 in void testing::internal::HandleExceptionsInMethodIfSupported<testing::Test, void>(testing::Test*, void (testing::Test::*)(), char const*) /d1/googletest/googletest/src/gtest.cc:2460
      
      #5 0x5613a0ebcbaf in testing::TestInfo::Run() (/d1/creator/4.9/builds/unit_asan/unittest/unittest+0x718baf)
      
      #6 0x5613a0ebd735 in testing::TestSuite::Run() (/d1/creator/4.9/builds/unit_asan/unittest/unittest+0x719735)
      
      #7 0x5613a0ed9b5a in testing::internal::UnitTestImpl::RunAllTests() (/d1/creator/4.9/builds/unit_asan/unittest/unittest+0x735b5a)
      
      #8 0x5613a0f15ab5 in bool testing::internal::HandleSehExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool>(testing::internal::UnitTestImpl*, bool (testing::internal::UnitTestImpl::*)(), char const*) (/d1/creator/4.9/builds/unit_asan/unittest/unittest+0x771ab5)
      
      #9 0x5613a0f06c8d in bool testing::internal::HandleExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool>(testing::internal::UnitTestImpl*, bool (testing::internal::UnitTestImpl::*)(), char const*) /d1/googletest/googletest/src/gtest.cc:2460
      
      #10 0x5613a0ed6695 in testing::UnitTest::Run() (/d1/creator/4.9/builds/unit_asan/unittest/unittest+0x732695)
      
      #11 0x5613a21037b6 in RUN_ALL_TESTS() /d1/googletest/googletest/include/gtest/gtest.h:2499
      
      #12 0x5613a2103c29 in main ../../../source/tests/unit/unittest/unittests-main.cpp:53
      
      #13 0x7ffadbcabb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
      
      
      
      
      previously allocated by thread T0 here:
      
      
      #0 0x7ffae2295458 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xe0458)
      
      #1 0x5613a24ff3d8 in CreateTest /d1/googletest/googletest/include/gtest/internal/gtest-internal.h:492
      
      #2 0x5613a0f13135 in testing::Test* testing::internal::HandleSehExceptionsInMethodIfSupported<testing::internal::TestFactoryBase, testing::Test*>(testing::internal::TestFactoryBase*, testing::Test* (testing::internal::TestFactoryBase::*)(), char const*) (/d1/creator/4.9/builds/unit_asan/unittest/unittest+0x76f135)
      
      #3 0x5613a0f04ba8 in testing::Test* testing::internal::HandleExceptionsInMethodIfSupported<testing::internal::TestFactoryBase, testing::Test*>(testing::internal::TestFactoryBase*, testing::Test* (testing::internal::TestFactoryBase::*)(), char const*) /d1/googletest/googletest/src/gtest.cc:2460
      
      #4 0x5613a0ebcaec in testing::TestInfo::Run() (/d1/creator/4.9/builds/unit_asan/unittest/unittest+0x718aec)
      
      #5 0x5613a0ebd735 in testing::TestSuite::Run() (/d1/creator/4.9/builds/unit_asan/unittest/unittest+0x719735)
      
      #6 0x5613a0ed9b5a in testing::internal::UnitTestImpl::RunAllTests() (/d1/creator/4.9/builds/unit_asan/unittest/unittest+0x735b5a)
      
      #7 0x5613a0f15ab5 in bool testing::internal::HandleSehExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool>(testing::internal::UnitTestImpl*, bool (testing::internal::UnitTestImpl::*)(), char const*) (/d1/creator/4.9/builds/unit_asan/unittest/unittest+0x771ab5)
      
      #8 0x5613a0f06c8d in bool testing::internal::HandleExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool>(testing::internal::UnitTestImpl*, bool (testing::internal::UnitTestImpl::*)(), char const*) /d1/googletest/googletest/src/gtest.cc:2460
      
      #9 0x5613a0ed6695 in testing::UnitTest::Run() (/d1/creator/4.9/builds/unit_asan/unittest/unittest+0x732695)
      
      #10 0x5613a21037b6 in RUN_ALL_TESTS() /d1/googletest/googletest/include/gtest/gtest.h:2499
      
      #11 0x5613a2103c29 in main ../../../source/tests/unit/unittest/unittests-main.cpp:53
      
      #12 0x7ffadbcabb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
      
      
      
      
      SUMMARY: AddressSanitizer: heap-use-after-free ../../../source/src/tools/clangpchmanagerbackend/source/taskscheduler.h:93 in _ZZZN12ClangBackEnd13TaskSchedulerIN7testing8NiceMockI20MockProcessorManagerEESt8functionIFvRNS_18ProcessorInterfaceEEEE8addTasksEOSt6vectorIS9_SaIS9_EEENKUlT_E_clISt17reference_wrapperIS6_EEES7_SF_ENKUlvE_clEv
      
      Shadow bytes around the buggy address:
      
        0x0c387fff8090: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      
        0x0c387fff80a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      
        0x0c387fff80b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      
        0x0c387fff80c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      
        0x0c387fff80d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      
      =>0x0c387fff80e0: fd[fd]fd fd fd fa fa fa fa fa fa fa fa fa fa fa
      
        0x0c387fff80f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      
        0x0c387fff8100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      
        0x0c387fff8110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      
        0x0c387fff8120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      
        0x0c387fff8130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      
      Shadow byte legend (one shadow byte represents 8 application bytes):
      
        Addressable:           00
      
        Partially addressable: 01 02 03 04 05 06 07 
      
        Heap left redzone:       fa
      
        Freed heap region:       fd
      
        Stack left redzone:      f1
      
        Stack mid redzone:       f2
      
        Stack right redzone:     f3
      
        Stack after return:      f5
      
        Stack use after scope:   f8
      
        Global redzone:          f9
      
        Global init order:       f6
      
        Poisoned by user:        f7
      
        Container overflow:      fc
      
        Array cookie:            ac
      
        Intra object redzone:    bb
      
        ASan internal:           fe
      
        Left alloca redzone:     ca
      
        Right alloca redzone:    cb
      
      ==30347==ABORTING
      
      11:36:15: /d1/creator/4.9/builds/unit_asan/unittest/unittest exited with code 1
       


          People

            Unassigned Unassigned
            kosjar Nikolai Kosjar