Qt Creator / QTCREATORBUG-31898

BareMetal Plugin use after free


Details

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Not Evaluated
    • Affects Version: Qt Creator 15.0.0 (15.0 branch)
    • Component: Debugger

    Description

      Use after free detected during ASAN run:

      =================================================================
      ==50044==ERROR: AddressSanitizer: heap-use-after-free on address 0x60b000305b80 at pc 0x0001273fde40 bp 0x00016fdf5da0 sp 0x00016fdf5d98
      READ of size 8 at 0x60b000305b80 thread T0
          #0 0x1273fde3c in QArrayDataPointer<BareMetal::Internal::IDebugServerProvider*>::data() const qarraydatapointer.h:120
          #1 0x1273fddb0 in QArrayDataPointer<BareMetal::Internal::IDebugServerProvider*>::constBegin() const qarraydatapointer.h:126
          #2 0x1273d88a8 in QList<BareMetal::Internal::IDebugServerProvider*>::begin() const qlist.h:629
          #3 0x1273fe6fc in decltype(fp.begin()) std::__1::begin[abi:ne180100]<QList<BareMetal::Internal::IDebugServerProvider*>>(QList<BareMetal::Internal::IDebugServerProvider*> const&) access.h:41
          #4 0x1273fe184 in QList<BareMetal::Internal::IDebugServerProvider*>::value_type Utils::findOr<QList<BareMetal::Internal::IDebugServerProvider*>, std::__1::__bind_r<bool, std::__1::equal_to<QString>, QString&, std::__1::__bind<QString (BareMetal::Internal::IDebugServerProvider::*&)() const, std::__1::placeholders::__ph<1> const&>>>(QList<BareMetal::Internal::IDebugServerProvider*> const&, QList<BareMetal::Internal::IDebugServerProvider*>::value_type, std::__1::__bind_r<bool, std::__1::equal_to<QString>, QString&, std::__1::__bind<QString (BareMetal::Internal::IDebugServerProvider::*&)() const, std::__1::placeholders::__ph<1> const&>>) algorithm.h:491
          #5 0x1273d9600 in std::__1::enable_if<std::is_copy_assignable<QList<BareMetal::Internal::IDebugServerProvider*>::value_type>::value, QList<BareMetal::Internal::IDebugServerProvider*>::value_type>::type Utils::findOrDefault<QList<BareMetal::Internal::IDebugServerProvider*>, std::__1::__bind_r<bool, std::__1::equal_to<QString>, QString&, std::__1::__bind<QString (BareMetal::Internal::IDebugServerProvider::*&)() const, std::__1::placeholders::__ph<1> const&>>>(QList<BareMetal::Internal::IDebugServerProvider*> const&, std::__1::__bind_r<bool, std::__1::equal_to<QString>, QString&, std::__1::__bind<QString (BareMetal::Internal::IDebugServerProvider::*&)() const, std::__1::placeholders::__ph<1> const&>>) algorithm.h:536
          #6 0x1273d92c8 in BareMetal::Internal::DebugServerProviderManager::findProvider(QString const&) debugserverprovidermanager.cpp:168
          #7 0x12737d34c in BareMetal::Internal::BareMetalDevice::~BareMetalDevice() baremetaldevice.cpp:35
          #8 0x12737d4f8 in BareMetal::Internal::BareMetalDevice::~BareMetalDevice() baremetaldevice.cpp:34
          #9 0x127382e44 in std::__1::default_delete<BareMetal::Internal::BareMetalDevice>::operator()[abi:ne180100](BareMetal::Internal::BareMetalDevice*) const unique_ptr.h:66
          #10 0x12738296c in std::__1::__shared_ptr_pointer<BareMetal::Internal::BareMetalDevice*, std::__1::shared_ptr<BareMetal::Internal::BareMetalDevice>::__shared_ptr_default_delete<BareMetal::Internal::BareMetalDevice, BareMetal::Internal::BareMetalDevice>, std::__1::allocator<BareMetal::Internal::BareMetalDevice>>::__on_zero_shared() shared_ptr.h:228
          #11 0x128105aa4 in std::__1::__shared_count::__release_shared[abi:ne180100]() shared_ptr.h:157
          #12 0x1281059c8 in std::__1::__shared_weak_count::__release_shared[abi:ne180100]() shared_ptr.h:186
          #13 0x128449ae0 in std::__1::shared_ptr<ProjectExplorer::IDevice>::~shared_ptr[abi:ne180100]() shared_ptr.h:648
          #14 0x12843cb6c in std::__1::shared_ptr<ProjectExplorer::IDevice>::~shared_ptr[abi:ne180100]() shared_ptr.h:646
          #15 0x128a53138 in void std::__1::__destroy_at[abi:ne180100]<std::__1::shared_ptr<ProjectExplorer::IDevice>, 0>(std::__1::shared_ptr<ProjectExplorer::IDevice>*) construct_at.h:67
          #16 0x128a530fc in std::__1::shared_ptr<ProjectExplorer::IDevice>* std::__1::__destroy[abi:ne180100]<std::__1::shared_ptr<ProjectExplorer::IDevice>*>(std::__1::shared_ptr<ProjectExplorer::IDevice>*, std::__1::shared_ptr<ProjectExplorer::IDevice>*) construct_at.h:82
          #17 0x128a53038 in void std::__1::destroy[abi:ne180100]<std::__1::shared_ptr<ProjectExplorer::IDevice>*>(std::__1::shared_ptr<ProjectExplorer::IDevice>*, std::__1::shared_ptr<ProjectExplorer::IDevice>*) construct_at.h:112
          #18 0x128a5300c in QtPrivate::QGenericArrayOps<std::__1::shared_ptr<ProjectExplorer::IDevice>>::destroyAll() qarraydataops.h:377
          #19 0x128a52dc4 in QArrayDataPointer<std::__1::shared_ptr<ProjectExplorer::IDevice>>::~QArrayDataPointer() qarraydatapointer.h:109
          #20 0x128a51c3c in QArrayDataPointer<std::__1::shared_ptr<ProjectExplorer::IDevice>>::~QArrayDataPointer() qarraydatapointer.h:107
          #21 0x128a547a4 in QList<std::__1::shared_ptr<ProjectExplorer::IDevice>>::~QList() qlist.h:72
          #22 0x128a3cecc in QList<std::__1::shared_ptr<ProjectExplorer::IDevice>>::~QList() qlist.h:72
          #23 0x128a72f8c in ProjectExplorer::Internal::DeviceManagerPrivate::~DeviceManagerPrivate() devicemanager.cpp:48
          #24 0x128a72b50 in ProjectExplorer::Internal::DeviceManagerPrivate::~DeviceManagerPrivate() devicemanager.cpp:44
          #25 0x128a72af4 in std::__1::default_delete<ProjectExplorer::Internal::DeviceManagerPrivate>::operator()[abi:ne180100](ProjectExplorer::Internal::DeviceManagerPrivate*) const unique_ptr.h:66
          #26 0x128a72a68 in std::__1::unique_ptr<ProjectExplorer::Internal::DeviceManagerPrivate, std::__1::default_delete<ProjectExplorer::Internal::DeviceManagerPrivate>>::reset[abi:ne180100](ProjectExplorer::Internal::DeviceManagerPrivate*) unique_ptr.h:266
          #27 0x128a7297c in std::__1::unique_ptr<ProjectExplorer::Internal::DeviceManagerPrivate, std::__1::default_delete<ProjectExplorer::Internal::DeviceManagerPrivate>>::~unique_ptr[abi:ne180100]() unique_ptr.h:236
          #28 0x128a462e0 in std::__1::unique_ptr<ProjectExplorer::Internal::DeviceManagerPrivate, std::__1::default_delete<ProjectExplorer::Internal::DeviceManagerPrivate>>::~unique_ptr[abi:ne180100]() unique_ptr.h:236
          #29 0x128a46428 in ProjectExplorer::DeviceManager::~DeviceManager() devicemanager.cpp:495
          #30 0x128a46488 in ProjectExplorer::DeviceManager::~DeviceManager() devicemanager.cpp:490
          #31 0x12978b4d4 in ProjectExplorer::ProjectExplorerPluginPrivate::~ProjectExplorerPluginPrivate() projectexplorer.cpp:460
          #32 0x1297415cc in ProjectExplorer::ProjectExplorerPluginPrivate::~ProjectExplorerPluginPrivate() projectexplorer.cpp:460
          #33 0x1297415f8 in ProjectExplorer::ProjectExplorerPluginPrivate::~ProjectExplorerPluginPrivate() projectexplorer.cpp:460
          #34 0x1296ba078 in ProjectExplorer::ProjectExplorerPlugin::~ProjectExplorerPlugin() projectexplorer.cpp:769
          #35 0x1296ba0e8 in ProjectExplorer::ProjectExplorerPlugin::~ProjectExplorerPlugin() projectexplorer.cpp:761
          #36 0x1296ba114 in ProjectExplorer::ProjectExplorerPlugin::~ProjectExplorerPlugin() projectexplorer.cpp:761
          #37 0x100c8b220 in ExtensionSystem::CppPluginSpec::kill() pluginspec.cpp:1369
          #38 0x100b74a34 in ExtensionSystem::Internal::PluginManagerPrivate::loadPlugin(ExtensionSystem::PluginSpec*, ExtensionSystem::PluginSpec::State) pluginmanager.cpp:1760
          #39 0x100c06b0c in ExtensionSystem::Internal::PluginManagerPrivate::deleteAll()::$_0::operator()(ExtensionSystem::PluginSpec*) const pluginmanager.cpp:1087
          #40 0x100b76930 in void Utils::reverseForeach<QList<ExtensionSystem::PluginSpec*>, ExtensionSystem::Internal::PluginManagerPrivate::deleteAll()::$_0>(QList<ExtensionSystem::PluginSpec*> const&, ExtensionSystem::Internal::PluginManagerPrivate::deleteAll()::$_0 const&) algorithm.h:1309
          #41 0x100b76514 in ExtensionSystem::Internal::PluginManagerPrivate::deleteAll() pluginmanager.cpp:1086
          #42 0x100b5b068 in ExtensionSystem::Internal::PluginManagerPrivate::shutdown() pluginmanager.cpp:1509
          #43 0x100b5ace4 in ExtensionSystem::PluginManager::shutdown() pluginmanager.cpp:425
          #44 0x10007c954 in QtPrivate::FunctorCall<QtPrivate::IndexesList<>, QtPrivate::List<>, void, void (*)()>::call(void (*&)(), void**)::'lambda'()::operator()() const qobjectdefs_impl.h:142
          #45 0x10007c8b4 in void QtPrivate::FunctorCallBase::call_internal<void, QtPrivate::FunctorCall<QtPrivate::IndexesList<>, QtPrivate::List<>, void, void (*)()>::call(void (*&)(), void**)::'lambda'()>(void**, QtPrivate::FunctorCall<QtPrivate::IndexesList<>, QtPrivate::List<>, void, void (*)()>::call(void (*&)(), void**)::'lambda'()&&) qobjectdefs_impl.h:72
          #46 0x10007c7f8 in QtPrivate::FunctorCall<QtPrivate::IndexesList<>, QtPrivate::List<>, void, void (*)()>::call(void (*&)(), void**) qobjectdefs_impl.h:141
          #47 0x10007c5b8 in void QtPrivate::FunctionPointer<void (*)()>::call<QtPrivate::List<>, void>(void (*)(), void*, void**) qobjectdefs_impl.h:224
          #48 0x10007c3f8 in QtPrivate::QCallableObject<void (*)(), QtPrivate::List<>, void>::impl(int, QtPrivate::QSlotObjectBase*, QObject*, void**, bool*) qobjectdefs_impl.h:573
          #49 0x102fe0668 in void doActivate<false>(QObject*, int, void**) qobject.cpp:4120
          #50 0x102f92600 in QCoreApplication::event(QEvent*) qcoreapplication.cpp:2100
          #51 0x101bf7afc in QApplication::event(QEvent*) qapplication.cpp:1688
          #52 0x100082b18 in SharedTools::QtSingleApplication::event(QEvent*) qtsingleapplication.cpp:103
          #53 0x101bf9268 in QApplicationPrivate::notify_helper(QObject*, QEvent*) qapplication.cpp:3294
          #54 0x101bfa214 in QApplication::notify(QObject*, QEvent*) qapplication.cpp:3245
          #55 0x102f8fb6c in QCoreApplication::notifyInternal2(QObject*, QEvent*) qcoreapplication.cpp:1172
          #56 0x102f91524 in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) qcoreapplication.cpp:1972
          #57 0x1003e2314 in QCocoaEventDispatcherPrivate::processPostedEvents() qcocoaeventdispatcher.mm:901
          #58 0x1003e3464 in QCocoaEventDispatcherPrivate::postedEventsSourceCallback(void*) qcocoaeventdispatcher.mm:923
          #59 0x1993154d4 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__+0x18 (CoreFoundation:arm64e+0x7e4d4)
          #60 0x199315468 in __CFRunLoopDoSource0+0xac (CoreFoundation:arm64e+0x7e468)
          #61 0x1993151d8 in __CFRunLoopDoSources0+0xf0 (CoreFoundation:arm64e+0x7e1d8)
          #62 0x199313dc4 in __CFRunLoopRun+0x338 (CoreFoundation:arm64e+0x7cdc4)
          #63 0x199313430 in CFRunLoopRunSpecific+0x25c (CoreFoundation:arm64e+0x7c430)
          #64 0x1a3abd198 in RunCurrentEventLoopInMode+0x120 (HIToolbox:arm64e+0x33198)
          #65 0x1a3abcfd4 in ReceiveNextEventCommon+0x284 (HIToolbox:arm64e+0x32fd4)
          #66 0x1a3abcd2c in _BlockUntilNextEventMatchingListInModeWithFilter+0x48 (HIToolbox:arm64e+0x32d2c)
          #67 0x19cb72cc4 in _DPSNextEvent+0x290 (AppKit:arm64e+0x39cc4)
          #68 0x19d3694cc in -[NSApplication(NSEventRouting) _nextEventMatchingEventMask:untilDate:inMode:dequeue:]+0x2b8 (AppKit:arm64e+0x8304cc)
          #69 0x19cb65ff8 in -[NSApplication run]+0x1d8 (AppKit:arm64e+0x2cff8)
          #70 0x1003e0e4c in QCocoaEventDispatcher::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) qcocoaeventdispatcher.mm:407
          #71 0x102f9ad58 in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) qeventloop.cpp:191
          #72 0x102f90390 in QCoreApplication::exec() qcoreapplication.cpp:1517
          #73 0x10001c2d4 in main main.cpp:909
          #74 0x198eab150  (<unknown module>)
      0x60b000305b80 is located 32 bytes inside of 112-byte region [0x60b000305b60,0x60b000305bd0)
      freed by thread T0 here:
          #0 0x1023f82d4 in _ZdlPv+0x74 (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x642d4)
          #1 0x1273d41b4 in BareMetal::Internal::DebugServerProviderManager::~DebugServerProviderManager() debugserverprovidermanager.cpp:64
          #2 0x102fd75a4 in QObjectPrivate::deleteChildren() qobject.cpp:2211
          #3 0x102fd7390 in QObject::~QObject() qobject.cpp:1138
          #4 0x100ac1144 in ExtensionSystem::IPlugin::~IPlugin() iplugin.cpp:173
          #5 0x1273979a8 in BareMetal::Internal::BareMetalPlugin::~BareMetalPlugin() baremetalplugin.cpp:22
          #6 0x127396d84 in BareMetal::Internal::BareMetalPlugin::~BareMetalPlugin() baremetalplugin.cpp:22
          #7 0x127396db0 in BareMetal::Internal::BareMetalPlugin::~BareMetalPlugin() baremetalplugin.cpp:22
          #8 0x100c8b220 in ExtensionSystem::CppPluginSpec::kill() pluginspec.cpp:1369
          #9 0x100b74a34 in ExtensionSystem::Internal::PluginManagerPrivate::loadPlugin(ExtensionSystem::PluginSpec*, ExtensionSystem::PluginSpec::State) pluginmanager.cpp:1760
          #10 0x100c06b0c in ExtensionSystem::Internal::PluginManagerPrivate::deleteAll()::$_0::operator()(ExtensionSystem::PluginSpec*) const pluginmanager.cpp:1087
          #11 0x100b76930 in void Utils::reverseForeach<QList<ExtensionSystem::PluginSpec*>, ExtensionSystem::Internal::PluginManagerPrivate::deleteAll()::$_0>(QList<ExtensionSystem::PluginSpec*> const&, ExtensionSystem::Internal::PluginManagerPrivate::deleteAll()::$_0 const&) algorithm.h:1309
          #12 0x100b76514 in ExtensionSystem::Internal::PluginManagerPrivate::deleteAll() pluginmanager.cpp:1086
          #13 0x100b5b068 in ExtensionSystem::Internal::PluginManagerPrivate::shutdown() pluginmanager.cpp:1509
          #14 0x100b5ace4 in ExtensionSystem::PluginManager::shutdown() pluginmanager.cpp:425
          #15 0x10007c954 in QtPrivate::FunctorCall<QtPrivate::IndexesList<>, QtPrivate::List<>, void, void (*)()>::call(void (*&)(), void**)::'lambda'()::operator()() const qobjectdefs_impl.h:142
          #16 0x10007c8b4 in void QtPrivate::FunctorCallBase::call_internal<void, QtPrivate::FunctorCall<QtPrivate::IndexesList<>, QtPrivate::List<>, void, void (*)()>::call(void (*&)(), void**)::'lambda'()>(void**, QtPrivate::FunctorCall<QtPrivate::IndexesList<>, QtPrivate::List<>, void, void (*)()>::call(void (*&)(), void**)::'lambda'()&&) qobjectdefs_impl.h:72
          #17 0x10007c7f8 in QtPrivate::FunctorCall<QtPrivate::IndexesList<>, QtPrivate::List<>, void, void (*)()>::call(void (*&)(), void**) qobjectdefs_impl.h:141
          #18 0x10007c5b8 in void QtPrivate::FunctionPointer<void (*)()>::call<QtPrivate::List<>, void>(void (*)(), void*, void**) qobjectdefs_impl.h:224
          #19 0x10007c3f8 in QtPrivate::QCallableObject<void (*)(), QtPrivate::List<>, void>::impl(int, QtPrivate::QSlotObjectBase*, QObject*, void**, bool*) qobjectdefs_impl.h:573
          #20 0x102fe0668 in void doActivate<false>(QObject*, int, void**) qobject.cpp:4120
          #21 0x102f92600 in QCoreApplication::event(QEvent*) qcoreapplication.cpp:2100
          #22 0x101bf7afc in QApplication::event(QEvent*) qapplication.cpp:1688
          #23 0x100082b18 in SharedTools::QtSingleApplication::event(QEvent*) qtsingleapplication.cpp:103
          #24 0x101bf9268 in QApplicationPrivate::notify_helper(QObject*, QEvent*) qapplication.cpp:3294
          #25 0x101bfa214 in QApplication::notify(QObject*, QEvent*) qapplication.cpp:3245
          #26 0x102f8fb6c in QCoreApplication::notifyInternal2(QObject*, QEvent*) qcoreapplication.cpp:1172
          #27 0x102f91524 in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) qcoreapplication.cpp:1972
          #28 0x1003e2314 in QCocoaEventDispatcherPrivate::processPostedEvents() qcocoaeventdispatcher.mm:901
          #29 0x1003e3464 in QCocoaEventDispatcherPrivate::postedEventsSourceCallback(void*) qcocoaeventdispatcher.mm:923
      previously allocated by thread T0 here:
          #0 0x1023f7e94 in _Znwm+0x74 (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x63e94)
          #1 0x1273d41ec in BareMetal::Internal::DebugServerProviderManager::instance() debugserverprovidermanager.cpp:76
          #2 0x1273d581c in BareMetal::Internal::setupDebugServerProviderManager(QObject*) debugserverprovidermanager.cpp:85
          #3 0x127396ddc in BareMetal::Internal::BareMetalPlugin::extensionsInitialized() baremetalplugin.cpp:47
          #4 0x100c8a578 in ExtensionSystem::CppPluginSpec::initializeExtensions() pluginspec.cpp:1321
          #5 0x100b74774 in ExtensionSystem::Internal::PluginManagerPrivate::loadPlugin(ExtensionSystem::PluginSpec*, ExtensionSystem::PluginSpec::State) pluginmanager.cpp:1752
          #6 0x100c32348 in ExtensionSystem::Internal::PluginManagerPrivate::loadPlugins()::$_0::operator()(ExtensionSystem::PluginSpec*) const pluginmanager.cpp:1431
          #7 0x100b7c188 in void Utils::reverseForeach<QList<ExtensionSystem::PluginSpec*>, ExtensionSystem::Internal::PluginManagerPrivate::loadPlugins()::$_0>(QList<ExtensionSystem::PluginSpec*> const&, ExtensionSystem::Internal::PluginManagerPrivate::loadPlugins()::$_0 const&) algorithm.h:1309
          #8 0x100b548c0 in ExtensionSystem::Internal::PluginManagerPrivate::loadPlugins() pluginmanager.cpp:1430
          #9 0x100b53b48 in ExtensionSystem::PluginManager::loadPlugins() pluginmanager.cpp:346
          #10 0x10001be04 in main main.cpp:893
          #11 0x198eab150  (<unknown module>)
      SUMMARY: AddressSanitizer: heap-use-after-free qarraydatapointer.h:120 in QArrayDataPointer<BareMetal::Internal::IDebugServerProvider*>::data() const
      Shadow bytes around the buggy address:
        0x60b000305900: fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x60b000305980: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x60b000305a00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x60b000305a80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x60b000305b00: fa fa fa fa fa fa fa fa fa fa fa fa fd fd fd fd
      =>0x60b000305b80:[fd]fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
        0x60b000305c00: fa fa 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x60b000305c80: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
        0x60b000305d00: 00 00 00 00 00 00 fa fa fa fa fa fa fa fa 00 00
        0x60b000305d80: 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
        0x60b000305e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
      ==50044==ABORTING


          People

            hjk
            Marcus Tillmanns (madwinter)
            Votes: 0
            Watchers: 1


              Gerrit Reviews

                There are no open Gerrit changes