Qt Creator / QTCREATORBUG-33086

Left-over code actions can crash Creator

Details

    • db2217e64 (master)

    Description

      Sequence of events:

      1. Write a piece of code with clangd enabled. Omit the semicolon at the end of the statement.
      2. See the diagnostic appear (text marker plus light bulb).
      3. Turn off clangd.
      4. The text marker disappears, the light bulb stays around.
      5. Click on the light bulb.
      6. Observe the crash below.

      =================================================================
      ==4122536==ERROR: AddressSanitizer: heap-use-after-free on address 0x7c1644a28e90 at pc 0x7be5df96db65 bp 0x7ffd48731430 sp 0x7ffd48731420
      READ of size 8 at 0x7c1644a28e90 thread T0
          #0 0x7be5df96db64 in LanguageClient::Client::hostPathMapper() const /sda/home/christian/dev/qtcreator/super-master/src/qtcreator/src/plugins/languageclient/client.cpp:2352
          #1 0x7be5df96dcf9 in LanguageClient::Client::serverUriToHostPath(LanguageServerProtocol::DocumentUri const&) const /sda/home/christian/dev/qtcreator/super-master/src/qtcreator/src/plugins/languageclient/client.cpp:2359
          #2 0x7be5dfd319be in LanguageClient::applyTextDocumentEdit(LanguageClient::Client const*, LanguageServerProtocol::TextDocumentEdit const&) /sda/home/christian/dev/qtcreator/super-master/src/qtcreator/src/plugins/languageclient/languageclientutils.cpp:80
          #3 0x7be5dfd38cab in LanguageClient::applyDocumentChange(LanguageClient::Client const*, LanguageServerProtocol::DocumentChange const&) /sda/home/christian/dev/qtcreator/super-master/src/qtcreator/src/plugins/languageclient/languageclientutils.cpp:356
          #4 0x7be5dfd32c84 in LanguageClient::applyWorkspaceEdit(LanguageClient::Client const*, LanguageServerProtocol::WorkspaceEdit const&) /sda/home/christian/dev/qtcreator/super-master/src/qtcreator/src/plugins/languageclient/languageclientutils.cpp:122
          #5 0x7be5dfd33243 in operator() /sda/home/christian/dev/qtcreator/super-master/src/qtcreator/src/plugins/languageclient/languageclientutils.cpp:169
          #6 0x7be5dfd4314a in __invoke_impl<void, LanguageClient::updateCodeActionRefactoringMarker(Client*, const QList<LanguageServerProtocol::CodeAction>&, const LanguageServerProtocol::DocumentUri&)::<lambda(const LanguageServerProtocol::CodeAction&, const LanguageServerProtocol::Range&)>::<lambda(const TextEditor::TextEditorWidget*)>&, TextEditor::TextEditorWidget*> /usr/include/c++/15.1.1/bits/invoke.h:63
          #7 0x7be5dfd4276b in __invoke_r<void, LanguageClient::updateCodeActionRefactoringMarker(Client*, const QList<LanguageServerProtocol::CodeAction>&, const LanguageServerProtocol::DocumentUri&)::<lambda(const LanguageServerProtocol::CodeAction&, const LanguageServerProtocol::Range&)>::<lambda(const TextEditor::TextEditorWidget*)>&, TextEditor::TextEditorWidget*> /usr/include/c++/15.1.1/bits/invoke.h:113
          #8 0x7be5dfd413b7 in _M_invoke /usr/include/c++/15.1.1/bits/std_function.h:292
          #9 0x7be5e2c964a3 in std::function<void (TextEditor::TextEditorWidget*)>::operator()(TextEditor::TextEditorWidget*) const /usr/include/c++/15.1.1/bits/std_function.h:593
          #10 0x7be5e3121e94 in TextEditor::TextEditorWidget::mousePressEvent(QMouseEvent*) /sda/home/christian/dev/qtcreator/super-master/src/qtcreator/src/plugins/texteditor/texteditor.cpp:7290
          #11 0x7fe649d5ac25 in QWidget::event(QEvent*) (/usr/lib/libQt6Widgets.so.6+0x15ac25) (BuildId: 7b843a564ea0ce060eef1bfabe1a955bc47cd51c)
          #12 0x7fe649e04145 in QFrame::event(QEvent*) (/usr/lib/libQt6Widgets.so.6+0x204145) (BuildId: 7b843a564ea0ce060eef1bfabe1a955bc47cd51c)
          #13 0x7be5e30f9205 in TextEditor::TextEditorWidget::viewportEvent(QEvent*) /sda/home/christian/dev/qtcreator/super-master/src/qtcreator/src/plugins/texteditor/texteditor.cpp:5022
          #14 0x7fe648b66a1b in QCoreApplicationPrivate::sendThroughObjectEventFilters(QObject*, QEvent*) (/usr/lib/libQt6Core.so.6+0x166a1b) (BuildId: bdfe7d97295493eb03c75b73280c4f03827da307)
          #15 0x7fe649d0198f in QApplicationPrivate::notify_helper(QObject*, QEvent*) (/usr/lib/libQt6Widgets.so.6+0x10198f) (BuildId: 7b843a564ea0ce060eef1bfabe1a955bc47cd51c)
          #16 0x7fe649d05958 in QApplication::notify(QObject*, QEvent*) (/usr/lib/libQt6Widgets.so.6+0x105958) (BuildId: 7b843a564ea0ce060eef1bfabe1a955bc47cd51c)
          #17 0x7fe648b67557 in QCoreApplication::notifyInternal2(QObject*, QEvent*) (/usr/lib/libQt6Core.so.6+0x167557) (BuildId: bdfe7d97295493eb03c75b73280c4f03827da307)
          #18 0x7fe649cf6f31 in QApplicationPrivate::sendMouseEvent(QWidget*, QMouseEvent*, QWidget*, QWidget*, QWidget**, QPointer<QWidget>&, bool, bool) (/usr/lib/libQt6Widgets.so.6+0xf6f31) (BuildId: 7b843a564ea0ce060eef1bfabe1a955bc47cd51c)
          #19 0x7fe649d76942  (/usr/lib/libQt6Widgets.so.6+0x176942) (BuildId: 7b843a564ea0ce060eef1bfabe1a955bc47cd51c)
          #20 0x7fe649d77bb7  (/usr/lib/libQt6Widgets.so.6+0x177bb7) (BuildId: 7b843a564ea0ce060eef1bfabe1a955bc47cd51c)
          #21 0x7fe649d0199f in QApplicationPrivate::notify_helper(QObject*, QEvent*) (/usr/lib/libQt6Widgets.so.6+0x10199f) (BuildId: 7b843a564ea0ce060eef1bfabe1a955bc47cd51c)
          #22 0x7fe648b67557 in QCoreApplication::notifyInternal2(QObject*, QEvent*) (/usr/lib/libQt6Core.so.6+0x167557) (BuildId: bdfe7d97295493eb03c75b73280c4f03827da307)
          #23 0x7fe6493946aa in QGuiApplicationPrivate::processMouseEvent(QWindowSystemInterfacePrivate::MouseEvent*) (/usr/lib/libQt6Gui.so.6+0x1946aa) (BuildId: cb0f3f284ff6ec63feb842a6271006e41fdf8297)
          #24 0x7fe649424493 in QWindowSystemInterface::sendWindowSystemEvents(QFlags<QEventLoop::ProcessEventsFlag>) (/usr/lib/libQt6Gui.so.6+0x224493) (BuildId: cb0f3f284ff6ec63feb842a6271006e41fdf8297)
          #25 0x7fe6437b22a6  (/usr/lib/qt6/plugins/platforms/../../../libQt6XcbQpa.so.6+0x592a6) (BuildId: d97d86de41abce822094b21e1474ceb84aa36e76)
          #26 0x7fe647bc787c  (/usr/lib/libglib-2.0.so.0+0x5e87c) (BuildId: 76920f1986164cf5c1b50c6ef7b2ed18edf92400)
          #27 0x7fe647bc8cd6  (/usr/lib/libglib-2.0.so.0+0x5fcd6) (BuildId: 76920f1986164cf5c1b50c6ef7b2ed18edf92400)
          #28 0x7fe647bc8ee4 in g_main_context_iteration (/usr/lib/libglib-2.0.so.0+0x5fee4) (BuildId: 76920f1986164cf5c1b50c6ef7b2ed18edf92400)
          #29 0x7fe648e33c61 in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (/usr/lib/libQt6Core.so.6+0x433c61) (BuildId: bdfe7d97295493eb03c75b73280c4f03827da307)
          #30 0x7fe648b73935 in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) (/usr/lib/libQt6Core.so.6+0x173935) (BuildId: bdfe7d97295493eb03c75b73280c4f03827da307)
          #31 0x7fe648b6bc30 in QCoreApplication::exec() (/usr/lib/libQt6Core.so.6+0x16bc30) (BuildId: bdfe7d97295493eb03c75b73280c4f03827da307)
          #32 0x55a38e966f22 in main /sda/home/christian/dev/qtcreator/super-master/src/qtcreator/src/app/main.cpp:1024
          #33 0x7fe6484376b4  (/usr/lib/libc.so.6+0x276b4) (BuildId: 468e3585c794491a48ea75fceb9e4d6b1464fc35)
          #34 0x7fe648437768 in __libc_start_main (/usr/lib/libc.so.6+0x27768) (BuildId: 468e3585c794491a48ea75fceb9e4d6b1464fc35)
          #35 0x55a38e955754 in _start (/sda/home/christian/dev/qtcreator/super-master/Debug_System_Q_cf5cdc38b16d96f/install-root/usr/local/bin/qtcreator+0x16754) (BuildId: 4473f031b61165e047e19ab5cac626832c607ef7)

      0x7c1644a28e90 is located 16 bytes inside of 32-byte region [0x7c1644a28e80,0x7c1644a28ea0)
      freed by thread T0 here:
          #0 0x7fe64bd22b8d in operator delete(void*, unsigned long) /usr/src/debug/gcc/gcc/libsanitizer/asan/asan_new_delete.cpp:155
          #1 0x7be5d6a30d9e in ClangCodeModel::Internal::ClangdClient::~ClangdClient() /sda/home/christian/dev/qtcreator/super-master/src/qtcreator/src/plugins/clangcodemodel/clangdclient.cpp:512
          #2 0x7be5dfbb66e2 in operator() /sda/home/christian/dev/qtcreator/super-master/src/qtcreator/src/plugins/languageclient/languageclientmanager.cpp:254
          #3 0x7be5dfbcbc83 in operator() /usr/include/qt6/QtCore/qobjectdefs_impl.h:116
          #4 0x7be5dfbcc2cd in call_internal<void, QtPrivate::FunctorCall<std::integer_sequence<long unsigned int>, QtPrivate::List<>, void, LanguageClient::LanguageClientManager::deleteClient(LanguageClient::Client*, bool)::<lambda()> >::call(LanguageClient::LanguageClientManager::deleteClient(LanguageClient::Client*, bool)::<lambda()>&, void**)::<lambda()> > /usr/include/qt6/QtCore/qobjectdefs_impl.h:65
          #5 0x7be5dfbcbda1 in call /usr/include/qt6/QtCore/qobjectdefs_impl.h:115
          #6 0x7be5dfbca5c8 in call<QtPrivate::List<>, void> /usr/include/qt6/QtCore/qobjectdefs_impl.h:337
          #7 0x7be5dfbc930e in impl /usr/include/qt6/QtCore/qobjectdefs_impl.h:547
          #8 0x7fe648bbff23 in QObject::event(QEvent*) (/usr/lib/libQt6Core.so.6+0x1bff23) (BuildId: bdfe7d97295493eb03c75b73280c4f03827da307)
          #9 0x7fe649d0199f in QApplicationPrivate::notify_helper(QObject*, QEvent*) (/usr/lib/libQt6Widgets.so.6+0x10199f) (BuildId: 7b843a564ea0ce060eef1bfabe1a955bc47cd51c)
          #10 0x7fe648b67557 in QCoreApplication::notifyInternal2(QObject*, QEvent*) (/usr/lib/libQt6Core.so.6+0x167557) (BuildId: bdfe7d97295493eb03c75b73280c4f03827da307)
          #11 0x7fe648b6793a in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) (/usr/lib/libQt6Core.so.6+0x16793a) (BuildId: bdfe7d97295493eb03c75b73280c4f03827da307)
          #12 0x7fe648e37137  (/usr/lib/libQt6Core.so.6+0x437137) (BuildId: bdfe7d97295493eb03c75b73280c4f03827da307)
          #13 0x7fe647bc787c  (/usr/lib/libglib-2.0.so.0+0x5e87c) (BuildId: 76920f1986164cf5c1b50c6ef7b2ed18edf92400)
          #14 0x7fe647bc8cd6  (/usr/lib/libglib-2.0.so.0+0x5fcd6) (BuildId: 76920f1986164cf5c1b50c6ef7b2ed18edf92400)
          #15 0x7fe647bc8ee4 in g_main_context_iteration (/usr/lib/libglib-2.0.so.0+0x5fee4) (BuildId: 76920f1986164cf5c1b50c6ef7b2ed18edf92400)
          #16 0x7fe648e33c61 in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (/usr/lib/libQt6Core.so.6+0x433c61) (BuildId: bdfe7d97295493eb03c75b73280c4f03827da307)
          #17 0x7fe648b73935 in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) (/usr/lib/libQt6Core.so.6+0x173935) (BuildId: bdfe7d97295493eb03c75b73280c4f03827da307)
          #18 0x7fe648b6bc30 in QCoreApplication::exec() (/usr/lib/libQt6Core.so.6+0x16bc30) (BuildId: bdfe7d97295493eb03c75b73280c4f03827da307)
          #19 0x55a38e966f22 in main /sda/home/christian/dev/qtcreator/super-master/src/qtcreator/src/app/main.cpp:1024
          #20 0x7fe6484376b4  (/usr/lib/libc.so.6+0x276b4) (BuildId: 468e3585c794491a48ea75fceb9e4d6b1464fc35)
          #21 0x7fe648437768 in __libc_start_main (/usr/lib/libc.so.6+0x27768) (BuildId: 468e3585c794491a48ea75fceb9e4d6b1464fc35)
          #22 0x55a38e955754 in _start (/sda/home/christian/dev/qtcreator/super-master/Debug_System_Q_cf5cdc38b16d96f/install-root/usr/local/bin/qtcreator+0x16754) (BuildId: 4473f031b61165e047e19ab5cac626832c607ef7)

      previously allocated by thread T0 here:
          #0 0x7fe64bd21a2d in operator new(unsigned long) /usr/src/debug/gcc/gcc/libsanitizer/asan/asan_new_delete.cpp:86
          #1 0x7be5d6cb29e9 in operator() /sda/home/christian/dev/qtcreator/super-master/src/qtcreator/src/plugins/clangcodemodel/clangmodelmanagersupport.cpp:563
          #2 0x7be5d6cc6c1f in operator() /usr/include/qt6/QtCore/qobjectdefs_impl.h:116
          #3 0x7be5d6cc7acb in call_internal<void, QtPrivate::FunctorCall<std::integer_sequence<long unsigned int>, QtPrivate::List<>, void, ClangCodeModel::Internal::ClangModelManagerSupport::updateLanguageClient(ProjectExplorer::Project*)::<lambda()> >::call(ClangCodeModel::Internal::ClangModelManagerSupport::updateLanguageClient(ProjectExplorer::Project*)::<lambda()>&, void**)::<lambda()> > /usr/include/qt6/QtCore/qobjectdefs_impl.h:65
          #4 0x7be5d6cc6d3d in call /usr/include/qt6/QtCore/qobjectdefs_impl.h:115
          #5 0x7be5d6cc5164 in call<QtPrivate::List<>, void> /usr/include/qt6/QtCore/qobjectdefs_impl.h:337
          #6 0x7be5d6cc331e in impl /usr/include/qt6/QtCore/qobjectdefs_impl.h:547
          #7 0x7fe648bce36e  (/usr/lib/libQt6Core.so.6+0x1ce36e) (BuildId: bdfe7d97295493eb03c75b73280c4f03827da307)
          #8 0x7fe648d2b4e3 in QFutureWatcherBase::event(QEvent*) (/usr/lib/libQt6Core.so.6+0x32b4e3) (BuildId: bdfe7d97295493eb03c75b73280c4f03827da307)
          #9 0x7fe649d0199f in QApplicationPrivate::notify_helper(QObject*, QEvent*) (/usr/lib/libQt6Widgets.so.6+0x10199f) (BuildId: 7b843a564ea0ce060eef1bfabe1a955bc47cd51c)
          #10 0x7fe648b67557 in QCoreApplication::notifyInternal2(QObject*, QEvent*) (/usr/lib/libQt6Core.so.6+0x167557) (BuildId: bdfe7d97295493eb03c75b73280c4f03827da307)
          #11 0x7fe648b6793a in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) (/usr/lib/libQt6Core.so.6+0x16793a) (BuildId: bdfe7d97295493eb03c75b73280c4f03827da307)
          #12 0x7fe648e37137  (/usr/lib/libQt6Core.so.6+0x437137) (BuildId: bdfe7d97295493eb03c75b73280c4f03827da307)
          #13 0x7fe647bc787c  (/usr/lib/libglib-2.0.so.0+0x5e87c) (BuildId: 76920f1986164cf5c1b50c6ef7b2ed18edf92400)
          #14 0x7fe647bc8cd6  (/usr/lib/libglib-2.0.so.0+0x5fcd6) (BuildId: 76920f1986164cf5c1b50c6ef7b2ed18edf92400)
          #15 0x7fe647bc8ee4 in g_main_context_iteration (/usr/lib/libglib-2.0.so.0+0x5fee4) (BuildId: 76920f1986164cf5c1b50c6ef7b2ed18edf92400)
          #16 0x7fe648e33c61 in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (/usr/lib/libQt6Core.so.6+0x433c61) (BuildId: bdfe7d97295493eb03c75b73280c4f03827da307)
          #17 0x7fe648b73935 in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) (/usr/lib/libQt6Core.so.6+0x173935) (BuildId: bdfe7d97295493eb03c75b73280c4f03827da307)
          #18 0x7fe648b6bc30 in QCoreApplication::exec() (/usr/lib/libQt6Core.so.6+0x16bc30) (BuildId: bdfe7d97295493eb03c75b73280c4f03827da307)
          #19 0x55a38e966f22 in main /sda/home/christian/dev/qtcreator/super-master/src/qtcreator/src/app/main.cpp:1024
          #20 0x7fe6484376b4  (/usr/lib/libc.so.6+0x276b4) (BuildId: 468e3585c794491a48ea75fceb9e4d6b1464fc35)
          #21 0x7fe648437768 in __libc_start_main (/usr/lib/libc.so.6+0x27768) (BuildId: 468e3585c794491a48ea75fceb9e4d6b1464fc35)
          #22 0x55a38e955754 in _start (/sda/home/christian/dev/qtcreator/super-master/Debug_System_Q_cf5cdc38b16d96f/install-root/usr/local/bin/qtcreator+0x16754) (BuildId: 4473f031b61165e047e19ab5cac626832c607ef7)

      SUMMARY: AddressSanitizer: heap-use-after-free /sda/home/christian/dev/qtcreator/super-master/src/qtcreator/src/plugins/languageclient/client.cpp:2352 in LanguageClient::Client::hostPathMapper() const
      Shadow bytes around the buggy address:
        0x7c1644a28c00: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00
        0x7c1644a28c80: 00 06 fa fa fa fa fa fa fa fa fd fd fd fa fa fa
        0x7c1644a28d00: fd fd fd fa fa fa fd fd fd fd fa fa fa fa fa fa
        0x7c1644a28d80: fa fa fd fd fd fa fa fa 00 00 00 00 fa fa 00 00
        0x7c1644a28e00: 00 06 fa fa fd fd fd fd fa fa fd fd fd fd fa fa
      =>0x7c1644a28e80: fd fd[fd]fd fa fa 00 00 00 00 fa fa 00 00 00 06
        0x7c1644a28f00: fa fa 00 00 00 06 fa fa fa fa fa fa fa fa fa fa
        0x7c1644a28f80: fa fa fa fa fd fd fd fa fa fa fd fd fd fd fa fa
        0x7c1644a29000: fd fd fd fa fa fa 00 00 00 00 fa fa fd fd fd fa
        0x7c1644a29080: fa fa 00 00 00 00 fa fa fa fa fa fa fa fa fa fa
        0x7c1644a29100: fa fa fa fa 00 00 00 00 fa fa fd fd fd fa fa fa
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
      ==4122536==ABORTING
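
The trace shows a click callback registered by `updateCodeActionRefactoringMarker` calling into a `Client` that `~ClangdClient()` had already freed. As an added example (not Qt Creator code and not the project's fix), this standard-C++ model shows two guards against that lifetime bug; `Client`, `Marker`, `Editor` and all their members are hypothetical stand-ins.

```cpp
// Standard-C++ model (assumed names, not Qt Creator's classes) of the report's bug.
#include <algorithm>
#include <functional>
#include <iostream>
#include <memory>
#include <string>
#include <vector>

struct Client {
    std::string root = "/host";
    // Stand-in for the member read ASan flagged in hostPathMapper().
    std::string hostPath(const std::string &uri) const { return root + uri; }
};
struct Marker {
    const void *owner;              // client that produced this code action
    std::function<bool()> onClick;  // runs when the light bulb is clicked
};
struct Editor {
    std::vector<Marker> markers;
    std::string lastEdited;
    // Guard 1: capture a weak_ptr, not a raw Client*, and re-check on click.
    void addCodeAction(const std::shared_ptr<Client> &c, std::string uri) {
        std::weak_ptr<Client> weak = c;
        markers.push_back({c.get(), [this, weak, uri] {
            auto alive = weak.lock();
            if (!alive) return false;  // client is gone: drop the action
            lastEdited = alive->hostPath(uri);
            return true;
        }});
    }
    // Guard 2: when a client is deleted, remove every marker it created.
    void removeMarkersOf(const void *owner) {
        markers.erase(std::remove_if(markers.begin(), markers.end(),
            [owner](const Marker &m) { return m.owner == owner; }), markers.end());
    }
    bool click(unsigned i) { return i < markers.size() && markers[i].onClick(); }
};
// Replays the report's steps; with clearMarkers=false only guard 1 protects.
bool clickAfterShutdown(bool clearMarkers) {
    Editor ed;
    auto client = std::make_shared<Client>();
    ed.addCodeAction(client, "/main.cpp");
    const void *id = client.get();
    client.reset();                            // step 3: clangd turned off
    if (clearMarkers) ed.removeMarkersOf(id);
    return ed.click(0);                        // step 5: click the light bulb
}

int main() { std::cout << clickAfterShutdown(false) << clickAfterShutdown(true) << '\n'; }
```

In Qt code the same two guards are usually expressed with `QPointer` for the captured object and marker cleanup when the client is deleted.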
      

          People

            davschul David Schulz
            kandeler Christian Kandeler