Qt Creator / QTCREATORBUG-31047

Core: AddressSanitizer: heap-use-after-free settingsdialog.cpp:801


Details

    • macOS
    • bd6e47ce4 (14.0)

    Description

      I've built Qt Creator 14 with -DWITH_SANITIZE:BOOL=ON and -DSANITIZE_FLAGS:STRING=address. I also had -DQTC_STATIC_BUILD:BOOL=ON for better call stacks.

      Then, due to https://bugreports.qt.io/browse/QTCREATORBUG-31046, I've set ASAN_OPTIONS=detect_container_overflow=0.

      Then in Qt Creator I've opened the Preferences... dialog and closed it via the Esc key.

      Then the following was reported:

      =================================================================
      ==19306==ERROR: AddressSanitizer: heap-use-after-free on address 0x00031d6bf508 at pc 0x000101c02b88 bp 0x00016fdf68d0 sp 0x00016fdf68c8
      READ of size 1 at 0x00031d6bf508 thread T0
          #0 0x101c02b84 in Core::Internal::SettingsDialog::execDialog() settingsdialog.cpp:801
          #1 0x101c03564 in Core::Internal::executeSettingsDialog(QWidget*, Utils::Id) settingsdialog.cpp:824
          #2 0x102316570 in Core::ICore::showOptionsDialog(Utils::Id, QWidget*) icore.cpp:474
          #3 0x1023a50fc in Core::Internal::ICorePrivate::registerDefaultActions()::$_18::operator()() const icore.cpp:1936
          #4 0x1023a4eb4 in QtPrivate::FunctorCall<QtPrivate::IndexesList<>, QtPrivate::List<>, void, Core::Internal::ICorePrivate::registerDefaultActions()::$_18>::call(Core::Internal::ICorePrivate::registerDefaultActions()::$_18&, void**) qobjectdefs_impl.h:137
          #5 0x1023a4d44 in void QtPrivate::FunctorCallable<Core::Internal::ICorePrivate::registerDefaultActions()::$_18>::call<QtPrivate::List<>, void>(Core::Internal::ICorePrivate::registerDefaultActions()::$_18&, void*, void**) qobjectdefs_impl.h:345
          #6 0x1023a4cb4 in QtPrivate::QCallableObject<Core::Internal::ICorePrivate::registerDefaultActions()::$_18, QtPrivate::List<>, void>::impl(int, QtPrivate::QSlotObjectBase*, QObject*, void**, bool*) qobjectdefs_impl.h:555
          #7 0x137c1bc98 in void doActivate<false>(QObject*, int, void**) qobject.cpp:4078
          #8 0x1389eb70c in QAction::triggered(bool) moc_qaction.cpp:480
          #9 0x1011bafd0 in QtPrivate::FunctorCall<QtPrivate::IndexesList<0>, QtPrivate::List<bool>, void, void (QAction::*)(bool)>::call(void (QAction::*)(bool), QAction*, void**) qobjectdefs_impl.h:145
          #10 0x1011bac08 in void QtPrivate::FunctionPointer<void (QAction::*)(bool)>::call<QtPrivate::List<bool>, void>(void (QAction::*)(bool), QAction*, void**) qobjectdefs_impl.h:182
          #11 0x1011ba7d0 in QtPrivate::QCallableObject<void (QAction::*)(bool), QtPrivate::List<bool>, void>::impl(int, QtPrivate::QSlotObjectBase*, QObject*, void**, bool*) qobjectdefs_impl.h:553
          #12 0x137c1bc98 in void doActivate<false>(QObject*, int, void**) qobject.cpp:4078
          #13 0x1389eb594 in QAction::activate(QAction::ActionEvent) qaction.cpp
          #14 0x137c14564 in QObject::event(QEvent*) qobject.cpp:1446
          #15 0x1367115d0 in QApplicationPrivate::notify_helper(QObject*, QEvent*) qapplication.cpp:3287
          #16 0x136712424 in QApplication::notify(QObject*, QEvent*) qapplication.cpp:3238
          #17 0x137bd0a2c in QCoreApplication::notifyInternal2(QObject*, QEvent*) qcoreapplication.cpp:1134
          #18 0x137bd1d14 in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) qcoreapplication.cpp:1932
          #19 0x13fc2b650 in QCocoaEventDispatcherPrivate::processPostedEvents() qcocoaeventdispatcher.mm:900
          #20 0x13fc2c708 in QCocoaEventDispatcherPrivate::postedEventsSourceCallback(void*) qcocoaeventdispatcher.mm:922
          #21 0x1996c24d4 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__+0x18 (CoreFoundation:arm64e+0x7e4d4)
          #22 0x1996c2468 in __CFRunLoopDoSource0+0xac (CoreFoundation:arm64e+0x7e468)
          #23 0x1996c21d8 in __CFRunLoopDoSources0+0xf0 (CoreFoundation:arm64e+0x7e1d8)
          #24 0x1996c0dc4 in __CFRunLoopRun+0x338 (CoreFoundation:arm64e+0x7cdc4)
          #25 0x1996c0430 in CFRunLoopRunSpecific+0x25c (CoreFoundation:arm64e+0x7c430)
          #26 0x1a3e64198 in RunCurrentEventLoopInMode+0x120 (HIToolbox:arm64e+0x33198)
          #27 0x1a3e63e28 in ReceiveNextEventCommon+0xd8 (HIToolbox:arm64e+0x32e28)
          #28 0x1a3e63d2c in _BlockUntilNextEventMatchingListInModeWithFilter+0x48 (HIToolbox:arm64e+0x32d2c)
          #29 0x19cf1fd64 in _DPSNextEvent+0x290 (AppKit:arm64e+0x39d64)
          #30 0x19d715804 in -[NSApplication(NSEventRouting) _nextEventMatchingEventMask:untilDate:inMode:dequeue:]+0x2b8 (AppKit:arm64e+0x82f804)
          #31 0x19cf13098 in -[NSApplication run]+0x1d8 (AppKit:arm64e+0x2d098)
          #32 0x13fc2a29c in QCocoaEventDispatcher::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) qcocoaeventdispatcher.mm:406
          #33 0x137bda588 in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) qeventloop.cpp:182
          #34 0x137bd1080 in QCoreApplication::exec() qcoreapplication.cpp:1478
          #35 0x10001fee0 in main main.cpp:882
          #36 0x19925a0dc  (<unknown module>)
      
      0x00031d6bf508 is located 200 bytes inside of 208-byte region [0x00031d6bf440,0x00031d6bf510)
      freed by thread T0 here:
          #0 0x138e3152c in wrap__ZdlPv+0x74 (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x6152c)
          #1 0x101c03b58 in Core::Internal::SettingsDialog::~SettingsDialog() settingsdialog.cpp:433
          #2 0x137c145a8 in QObject::event(QEvent*) qobject.cpp:1433
          #3 0x13675dc1c in QWidget::event(QEvent*) qwidget.cpp:9461
          #4 0x1367115d0 in QApplicationPrivate::notify_helper(QObject*, QEvent*) qapplication.cpp:3287
          #5 0x136712ee0 in QApplication::notify(QObject*, QEvent*) qapplication.cpp
          #6 0x137bd0a2c in QCoreApplication::notifyInternal2(QObject*, QEvent*) qcoreapplication.cpp:1134
          #7 0x137bd1d14 in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) qcoreapplication.cpp:1932
          #8 0x13fc2b650 in QCocoaEventDispatcherPrivate::processPostedEvents() qcocoaeventdispatcher.mm:900
          #9 0x13fc29e2c in QCocoaEventDispatcher::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) qcocoaeventdispatcher.mm:487
          #10 0x101c02c0c in Core::Internal::SettingsDialog::execDialog() settingsdialog.cpp:802
          #11 0x101c03564 in Core::Internal::executeSettingsDialog(QWidget*, Utils::Id) settingsdialog.cpp:824
          #12 0x102316570 in Core::ICore::showOptionsDialog(Utils::Id, QWidget*) icore.cpp:474
          #13 0x1023a50fc in Core::Internal::ICorePrivate::registerDefaultActions()::$_18::operator()() const icore.cpp:1936
          #14 0x1023a4eb4 in QtPrivate::FunctorCall<QtPrivate::IndexesList<>, QtPrivate::List<>, void, Core::Internal::ICorePrivate::registerDefaultActions()::$_18>::call(Core::Internal::ICorePrivate::registerDefaultActions()::$_18&, void**) qobjectdefs_impl.h:137
          #15 0x1023a4d44 in void QtPrivate::FunctorCallable<Core::Internal::ICorePrivate::registerDefaultActions()::$_18>::call<QtPrivate::List<>, void>(Core::Internal::ICorePrivate::registerDefaultActions()::$_18&, void*, void**) qobjectdefs_impl.h:345
          #16 0x1023a4cb4 in QtPrivate::QCallableObject<Core::Internal::ICorePrivate::registerDefaultActions()::$_18, QtPrivate::List<>, void>::impl(int, QtPrivate::QSlotObjectBase*, QObject*, void**, bool*) qobjectdefs_impl.h:555
          #17 0x137c1bc98 in void doActivate<false>(QObject*, int, void**) qobject.cpp:4078
          #18 0x1389eb70c in QAction::triggered(bool) moc_qaction.cpp:480
          #19 0x1011bafd0 in QtPrivate::FunctorCall<QtPrivate::IndexesList<0>, QtPrivate::List<bool>, void, void (QAction::*)(bool)>::call(void (QAction::*)(bool), QAction*, void**) qobjectdefs_impl.h:145
          #20 0x1011bac08 in void QtPrivate::FunctionPointer<void (QAction::*)(bool)>::call<QtPrivate::List<bool>, void>(void (QAction::*)(bool), QAction*, void**) qobjectdefs_impl.h:182
          #21 0x1011ba7d0 in QtPrivate::QCallableObject<void (QAction::*)(bool), QtPrivate::List<bool>, void>::impl(int, QtPrivate::QSlotObjectBase*, QObject*, void**, bool*) qobjectdefs_impl.h:553
          #22 0x137c1bc98 in void doActivate<false>(QObject*, int, void**) qobject.cpp:4078
          #23 0x1389eb594 in QAction::activate(QAction::ActionEvent) qaction.cpp
          #24 0x137c14564 in QObject::event(QEvent*) qobject.cpp:1446
          #25 0x1367115d0 in QApplicationPrivate::notify_helper(QObject*, QEvent*) qapplication.cpp:3287
          #26 0x136712424 in QApplication::notify(QObject*, QEvent*) qapplication.cpp:3238
          #27 0x137bd0a2c in QCoreApplication::notifyInternal2(QObject*, QEvent*) qcoreapplication.cpp:1134
          #28 0x137bd1d14 in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) qcoreapplication.cpp:1932
          #29 0x13fc2b650 in QCocoaEventDispatcherPrivate::processPostedEvents() qcocoaeventdispatcher.mm:900
      
      previously allocated by thread T0 here:
          #0 0x138e310ec in wrap__Znwm+0x74 (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x610ec)
          #1 0x101c034b0 in Core::Internal::executeSettingsDialog(QWidget*, Utils::Id) settingsdialog.cpp:821
          #2 0x102316570 in Core::ICore::showOptionsDialog(Utils::Id, QWidget*) icore.cpp:474
          #3 0x1023a50fc in Core::Internal::ICorePrivate::registerDefaultActions()::$_18::operator()() const icore.cpp:1936
          #4 0x1023a4eb4 in QtPrivate::FunctorCall<QtPrivate::IndexesList<>, QtPrivate::List<>, void, Core::Internal::ICorePrivate::registerDefaultActions()::$_18>::call(Core::Internal::ICorePrivate::registerDefaultActions()::$_18&, void**) qobjectdefs_impl.h:137
          #5 0x1023a4d44 in void QtPrivate::FunctorCallable<Core::Internal::ICorePrivate::registerDefaultActions()::$_18>::call<QtPrivate::List<>, void>(Core::Internal::ICorePrivate::registerDefaultActions()::$_18&, void*, void**) qobjectdefs_impl.h:345
          #6 0x1023a4cb4 in QtPrivate::QCallableObject<Core::Internal::ICorePrivate::registerDefaultActions()::$_18, QtPrivate::List<>, void>::impl(int, QtPrivate::QSlotObjectBase*, QObject*, void**, bool*) qobjectdefs_impl.h:555
          #7 0x137c1bc98 in void doActivate<false>(QObject*, int, void**) qobject.cpp:4078
          #8 0x1389eb70c in QAction::triggered(bool) moc_qaction.cpp:480
          #9 0x1011bafd0 in QtPrivate::FunctorCall<QtPrivate::IndexesList<0>, QtPrivate::List<bool>, void, void (QAction::*)(bool)>::call(void (QAction::*)(bool), QAction*, void**) qobjectdefs_impl.h:145
          #10 0x1011bac08 in void QtPrivate::FunctionPointer<void (QAction::*)(bool)>::call<QtPrivate::List<bool>, void>(void (QAction::*)(bool), QAction*, void**) qobjectdefs_impl.h:182
          #11 0x1011ba7d0 in QtPrivate::QCallableObject<void (QAction::*)(bool), QtPrivate::List<bool>, void>::impl(int, QtPrivate::QSlotObjectBase*, QObject*, void**, bool*) qobjectdefs_impl.h:553
          #12 0x137c1bc98 in void doActivate<false>(QObject*, int, void**) qobject.cpp:4078
          #13 0x1389eb594 in QAction::activate(QAction::ActionEvent) qaction.cpp
          #14 0x137c14564 in QObject::event(QEvent*) qobject.cpp:1446
          #15 0x1367115d0 in QApplicationPrivate::notify_helper(QObject*, QEvent*) qapplication.cpp:3287
          #16 0x136712424 in QApplication::notify(QObject*, QEvent*) qapplication.cpp:3238
          #17 0x137bd0a2c in QCoreApplication::notifyInternal2(QObject*, QEvent*) qcoreapplication.cpp:1134
          #18 0x137bd1d14 in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) qcoreapplication.cpp:1932
          #19 0x13fc2b650 in QCocoaEventDispatcherPrivate::processPostedEvents() qcocoaeventdispatcher.mm:900
          #20 0x13fc2c708 in QCocoaEventDispatcherPrivate::postedEventsSourceCallback(void*) qcocoaeventdispatcher.mm:922
          #21 0x1996c24d4 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__+0x18 (CoreFoundation:arm64e+0x7e4d4)
          #22 0x1996c2468 in __CFRunLoopDoSource0+0xac (CoreFoundation:arm64e+0x7e468)
          #23 0x1996c21d8 in __CFRunLoopDoSources0+0xf0 (CoreFoundation:arm64e+0x7e1d8)
          #24 0x1996c0dc4 in __CFRunLoopRun+0x338 (CoreFoundation:arm64e+0x7cdc4)
          #25 0x1996c0430 in CFRunLoopRunSpecific+0x25c (CoreFoundation:arm64e+0x7c430)
          #26 0x1a3e64198 in RunCurrentEventLoopInMode+0x120 (HIToolbox:arm64e+0x33198)
          #27 0x1a3e63e28 in ReceiveNextEventCommon+0xd8 (HIToolbox:arm64e+0x32e28)
          #28 0x1a3e63d2c in _BlockUntilNextEventMatchingListInModeWithFilter+0x48 (HIToolbox:arm64e+0x32d2c)
          #29 0x19cf1fd64 in _DPSNextEvent+0x290 (AppKit:arm64e+0x39d64)
      
      SUMMARY: AddressSanitizer: heap-use-after-free settingsdialog.cpp:801 in Core::Internal::SettingsDialog::execDialog()
      Shadow bytes around the buggy address:
        0x00031d6bf280: 00 02 fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x00031d6bf300: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x00031d6bf380: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x00031d6bf400: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
        0x00031d6bf480: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      =>0x00031d6bf500: fd[fd]fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x00031d6bf580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x00031d6bf600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa
        0x00031d6bf680: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
        0x00031d6bf700: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x00031d6bf780: fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
      ==19306==ABORTING
      
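The two stack traces above share one ordering: the read at settingsdialog.cpp:801 happens in the loop whose processEvents() call at line 802 delivered the deferred delete that ran ~SettingsDialog(). The following is an added, Qt-free model of that pattern (example code, not Qt Creator's settingsdialog.cpp); EventLoop, Dialog, runScenario and the result codes are assumed names, and std::weak_ptr stands in for QPointer.

```cpp
#include <functional>
#include <memory>
#include <queue>
// Stand-in for processEvents(): drains every posted event, including a deferred
// delete that one of those events posts while it runs.
struct EventLoop {
    std::queue<std::function<void()>> posted;
    void processEvents() {
        while (!posted.empty()) { auto ev = std::move(posted.front()); posted.pop(); ev(); }
    }
};
enum { DialogGone = -1, Rejected = 0, Accepted = 1 };
struct Dialog {
    EventLoop& loop;
    bool finished = false;
    int result = Rejected;
    explicit Dialog(EventLoop& l) : loop(l) {}
    // Shape of the trace: the loop condition dereferences `this` (line 801) right after a
    // pump (line 802) that may have destroyed the dialog; that read is the reported UAF.
    int execUnguarded() {
        while (!finished) loop.processEvents();
        return result;
    }
    // Hardened shape: hold only a weak reference (QPointer in Qt) across the pump,
    // re-validate it each iteration, and stop touching the object once it is gone.
    static int execGuarded(std::weak_ptr<Dialog> guard) {
        for (;;) {
            std::shared_ptr<Dialog> dlg = guard.lock();
            if (!dlg) return DialogGone;
            if (dlg->finished) return dlg->result;
            EventLoop& loop = dlg->loop;
            dlg.reset();              // no strong reference held while events run
            loop.processEvents();
        }
    }
};
// Runs one dialog; `onPump` is the event delivered by the first processEvents().
int runScenario(bool guarded, const std::function<void(std::shared_ptr<Dialog>&)>& onPump) {
    EventLoop loop;
    auto owner = std::make_shared<Dialog>(loop);   // the `new SettingsDialog` of line 821
    loop.posted.push([&] { onPump(owner); });
    return guarded ? Dialog::execGuarded(owner) : owner->execUnguarded();
}
// Esc on a delete-on-close dialog: closing posts a deferred delete that the same pump runs,
// the trace's ordering. Only the guarded loop survives; never call this with guarded=false.
int escDeleteOnCloseScenario(bool guarded) {
    return runScenario(guarded, [](std::shared_ptr<Dialog>& d) {
        d->loop.posted.push([&d] { d.reset(); });  // drops the last owner: ~Dialog runs inside the pump
    });
}
```

A plain accept (an event that sets `finished` without deleting the dialog) returns Accepted from both loop shapes; only the delete-on-close path separates them.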

          People

            cadam Cristian Adam