gnome: deleting an account results in ASAN heap-use-after-free detection
Issue generated from Tuleap's migration script. Originally submitted by: Stepan Salenikovich (ssalenik)
Removing "New Account" "ba6584f1a7caa8e2"
[New Thread 0x7fffcdcd3700 (LWP 22903)]
=================================================================
==22088==ERROR: AddressSanitizer: heap-use-after-free on address 0x604000023a50 at pc 0x0000004eac8f bp 0x7fffffffbda0 sp 0x7fffffffbd90
READ of size 4 at 0x604000023a50 thread T0
#0 0x4eac8e in QModelIndex::isValid() const /usr/include/x86_64-linux-gnu/qt5/QtCore/qabstractitemmodel.h:64
#1 0x4eac8e in operator() /home/ssalenikovich/projects/ring-client-gnome/src/accountview.cpp:458
#2 0x4eac8e in call /usr/include/x86_64-linux-gnu/qt5/QtCore/qobjectdefs_impl.h:494
#3 0x4eac8e in call<QtPrivate::List<const QModelIndex&, const QModelIndex&>, void> /usr/include/x86_64-linux-gnu/qt5/QtCore/qobjectdefs_impl.h:551
#4 0x4eac8e in impl /usr/include/x86_64-linux-gnu/qt5/QtCore/qobject_impl.h:192
#5 0x7ffff39f2616 in QMetaObject::activate(QObject*, int, int, void**) (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0x2b2616)
#6 0x7ffff39732a9 in QItemSelectionModel::currentChanged(QModelIndex const&, QModelIndex const&) (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0x2332a9)
#7 0x7ffff397b47c (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0x23b47c)
#8 0x7ffff397bec8 (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0x23bec8)
#9 0x7ffff39f2789 in QMetaObject::activate(QObject*, int, int, void**) (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0x2b2789)
#10 0x7ffff3a698e3 in QAbstractItemModel::rowsAboutToBeRemoved(QModelIndex const&, int, int, QAbstractItemModel::QPrivateSignal) (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0x3298e3)
#11 0x7ffff396a642 in QAbstractItemModel::beginRemoveRows(QModelIndex const&, int, int) (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0x22a642)
#12 0x5f49dc in AccountModel::remove(Account*) /home/ssalenikovich/projects/ring-lrc/src/accountmodel.cpp:932
#13 0x4ec91e in remove_account /home/ssalenikovich/projects/ring-client-gnome/src/accountview.cpp:273
#14 0x7ffff555e243 (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x10243)
#15 0x7ffff5578a45 in g_signal_emit_valist (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x2aa45)
#16 0x7ffff557912e in g_signal_emit (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x2b12e)
#17 0x7ffff66953fc (/usr/lib/x86_64-linux-gnu/libgtk-3.so.0+0x11c3fc)
#18 0x7ffff6695464 (/usr/lib/x86_64-linux-gnu/libgtk-3.so.0+0x11c464)
#19 0x7ffff555e014 in g_closure_invoke (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x10014)
#20 0x7ffff556fb9b (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x21b9b)
#21 0x7ffff5578dfb in g_signal_emit_valist (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x2adfb)
#22 0x7ffff557912e in g_signal_emit (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x2b12e)
#23 0x7ffff66934ef (/usr/lib/x86_64-linux-gnu/libgtk-3.so.0+0x11a4ef)
#24 0x7fffee1f0d8f in ffi_call_unix64 (/usr/lib/x86_64-linux-gnu/libffi.so.6+0x5d8f)
#25 0x7fffee1f07f7 in ffi_call (/usr/lib/x86_64-linux-gnu/libffi.so.6+0x57f7)
#26 0x7ffff555ed64 in g_cclosure_marshal_generic_va (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x10d64)
#27 0x7ffff555e243 (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x10243)
#28 0x7ffff5578a45 in g_signal_emit_valist (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x2aa45)
#29 0x7ffff557912e in g_signal_emit (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x2b12e)
#30 0x7ffff673c090 (/usr/lib/x86_64-linux-gnu/libgtk-3.so.0+0x1c3090)
#31 0x7ffff5560e2d in g_cclosure_marshal_VOID__BOXEDv (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x12e2d)
#32 0x7ffff555e243 (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x10243)
#33 0x7ffff5578a45 in g_signal_emit_valist (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x2aa45)
#34 0x7ffff557912e in g_signal_emit (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x2b12e)
#35 0x7ffff67396ad (/usr/lib/x86_64-linux-gnu/libgtk-3.so.0+0x1c06ad)
#36 0x7ffff673aafa (/usr/lib/x86_64-linux-gnu/libgtk-3.so.0+0x1c1afa)
#37 0x7ffff673d534 (/usr/lib/x86_64-linux-gnu/libgtk-3.so.0+0x1c4534)
#38 0x7ffff671025a in gtk_event_controller_handle_event (/usr/lib/x86_64-linux-gnu/libgtk-3.so.0+0x19725a)
#39 0x7ffff68b896c (/usr/lib/x86_64-linux-gnu/libgtk-3.so.0+0x33f96c)
#40 0x7ffff6782379 (/usr/lib/x86_64-linux-gnu/libgtk-3.so.0+0x209379)
#41 0x7ffff555e243 (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x10243)
#42 0x7ffff5578557 in g_signal_emit_valist (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x2a557)
#43 0x7ffff557912e in g_signal_emit (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x2b12e)
#44 0x7ffff68bc283 (/usr/lib/x86_64-linux-gnu/libgtk-3.so.0+0x343283)
#45 0x7ffff677f81d (/usr/lib/x86_64-linux-gnu/libgtk-3.so.0+0x20681d)
#46 0x7ffff67814cd in gtk_main_do_event (/usr/lib/x86_64-linux-gnu/libgtk-3.so.0+0x2084cd)
#47 0x7ffff62fd321 (/usr/lib/x86_64-linux-gnu/libgdk-3.so.0+0x58321)
#48 0x7ffff5288ff6 in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x49ff6)
#49 0x7ffff528924f (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4a24f)
#50 0x7ffff52892fb in g_main_context_iteration (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4a2fb)
#51 0x7ffff584aafb in g_application_run (/usr/lib/x86_64-linux-gnu/libgio-2.0.so.0+0xa9afb)
#52 0x4bcb93 in main /home/ssalenikovich/projects/ring-client-gnome/src/main.cpp:34
#53 0x7ffff2af5a3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)
#54 0x4bc9e8 in _start (/home/ssalenikovich/projects/ring-client-gnome/build/gnome-ring+0x4bc9e8)
0x604000023a50 is located 0 bytes inside of 40-byte region [0x604000023a50,0x604000023a78)
freed by thread T0 here:
#0 0x7ffff6f02eaa in operator delete(void*) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99eaa)
#1 0x7ffff39695ce in QPersistentModelIndex::operator=(QModelIndex const&) (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0x2295ce)
previously allocated by thread T0 here:
#0 0x7ffff6f028b2 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x998b2)
#1 0x7ffff3966791 (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0x226791)
SUMMARY: AddressSanitizer: heap-use-after-free /usr/include/x86_64-linux-gnu/qt5/QtCore/qabstractitemmodel.h:64 QModelIndex::isValid() const
Shadow bytes around the buggy address:
==22088==ABORTING