Skip to content

GitLab

Closed (moved)
Opened by RingBot@RingBotOwner

lrc: heap-use-after-free detected by ASAN when deleting an account

Issue generated from Tuleap's migration script. Originally submitted by: Stepan Salenikovich (ssalenik)

systematic

Removing "Test" "a8d2da906eae7749"

==30971==ERROR: AddressSanitizer: heap-use-after-free on address 0x60400031df90 at pc 0x4ebfa9 bp 0x7fffffffc150 sp 0x7fffffffc140
READ of size 4 at 0x60400031df90 thread T0
#0 0x4ebfa8 in QModelIndex::isValid() const /usr/include/x86_64-linux-gnu/qt5/QtCore/qabstractitemmodel.h:64
#1 0x4ebfa8 in operator() /home/ssalenikovich/projects/ring-client-gnome/src/accountview.cpp:461
#2 0x4ebfa8 in call /usr/include/x86_64-linux-gnu/qt5/QtCore/qobjectdefs_impl.h:494
#3 0x4ebfa8 in call<QtPrivate::List<const QModelIndex&, const QModelIndex&>, void> /usr/include/x86_64-linux-gnu/qt5/QtCore/qobjectdefs_impl.h:551
#4 0x4ebfa8 in impl /usr/include/x86_64-linux-gnu/qt5/QtCore/qobject_impl.h:192
#5 0x7ffff50db359 in QMetaObject::activate(QObject*, int, int, void**) (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0x312359)
#6 0x7ffff505b099 in QItemSelectionModel::currentChanged(QModelIndex const&, QModelIndex const&) (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0x292099)
#7 0x7ffff50637a9 (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0x29a7a9)
#8 0x7ffff50652e8 (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0x29c2e8)
#9 0x7ffff50db9c8 in QMetaObject::activate(QObject*, int, int, void**) (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0x3129c8)
#10 0x7ffff51593d3 in QAbstractItemModel::rowsAboutToBeRemoved(QModelIndex const&, int, int, QAbstractItemModel::QPrivateSignal) (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0x3903d3)
#11 0x7ffff5053589 in QAbstractItemModel::beginRemoveRows(QModelIndex const&, int, int) (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0x28a589)
#12 0x6023db in AccountModel::remove(Account*) /home/ssalenikovich/projects/ring-lrc/src/accountmodel.cpp:904
#13 0x4edb43 in remove_account /home/ssalenikovich/projects/ring-client-gnome/src/accountview.cpp:282
#14 0x7ffff562b503 (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x10503)
#15 0x7ffff5644fa6 in g_signal_emit_valist (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x29fa6)
#16 0x7ffff56458fe in g_signal_emit (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x2a8fe)
#17 0x7ffff674121c (/usr/lib/x86_64-linux-gnu/libgtk-3.so.0+0x10821c)
#18 0x7ffff6741274 (/usr/lib/x86_64-linux-gnu/libgtk-3.so.0+0x108274)
#19 0x7ffff562b503 (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x10503)
#20 0x7ffff5644fa6 in g_signal_emit_valist (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x29fa6)
#21 0x7ffff56458fe in g_signal_emit (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x2a8fe)
#22 0x7ffff673f1ff (/usr/lib/x86_64-linux-gnu/libgtk-3.so.0+0x1061ff)
#23 0x7fffee813d8f in ffi_call_unix64 (/usr/lib/x86_64-linux-gnu/libffi.so.6+0x5d8f)
#24 0x7fffee8137f7 in ffi_call (/usr/lib/x86_64-linux-gnu/libffi.so.6+0x57f7)
#25 0x7ffff562bf3b in g_cclosure_marshal_generic_va (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x10f3b)
#26 0x7ffff562b503 (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x10503)
#27 0x7ffff5644fa6 in g_signal_emit_valist (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x29fa6)
#28 0x7ffff56458fe in g_signal_emit (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x2a8fe)
#29 (closed) 0x7ffff67e4290 (/usr/lib/x86_64-linux-gnu/libgtk-3.so.0+0x1ab290)
#30 (closed) 0x7ffff562e29d in g_cclosure_marshal_VOID__BOXEDv (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x1329d)
#31 (closed) 0x7ffff562b503 (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x10503)
#32 (closed) 0x7ffff5644fa6 in g_signal_emit_valist (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x29fa6)
#33 (closed) 0x7ffff56458fe in g_signal_emit (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x2a8fe)
#34 (closed) 0x7ffff67e187d (/usr/lib/x86_64-linux-gnu/libgtk-3.so.0+0x1a887d)
#35 (moved) 0x7ffff67e2cca (/usr/lib/x86_64-linux-gnu/libgtk-3.so.0+0x1a9cca)
#36 (closed) 0x7ffff67e5704 (/usr/lib/x86_64-linux-gnu/libgtk-3.so.0+0x1ac704)
#37 (closed) 0x7ffff67b8daa in gtk_event_controller_handle_event (/usr/lib/x86_64-linux-gnu/libgtk-3.so.0+0x17fdaa)
#38 (closed) 0x7ffff6954fdc (/usr/lib/x86_64-linux-gnu/libgtk-3.so.0+0x31bfdc)
#39 (closed) 0x7ffff6827608 (/usr/lib/x86_64-linux-gnu/libgtk-3.so.0+0x1ee608)
#40 (closed) 0x7ffff562b503 (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x10503)
#41 (closed) 0x7ffff5644a4f in g_signal_emit_valist (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x29a4f)
#42 (moved) 0x7ffff56458fe in g_signal_emit (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x2a8fe)
#43 (closed) 0x7ffff69588c3 (/usr/lib/x86_64-linux-gnu/libgtk-3.so.0+0x31f8c3)
#44 (closed) 0x7ffff6824f1d (/usr/lib/x86_64-linux-gnu/libgtk-3.so.0+0x1ebf1d)
#45 (moved) 0x7ffff6826b2d in gtk_main_do_event (/usr/lib/x86_64-linux-gnu/libgtk-3.so.0+0x1edb2d)
#46 (moved) 0x7ffff63c3b41 (/usr/lib/x86_64-linux-gnu/libgdk-3.so.0+0x50b41)
#47 (closed) 0x7ffff5355c3c in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x49c3c)
#48 (closed) 0x7ffff5355f1f (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x49f1f)
#49 (closed) 0x7ffff5355fcb in g_main_context_iteration (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x49fcb)
#50 (closed) 0x7ffff591667b in g_application_run (/usr/lib/x86_64-linux-gnu/libgio-2.0.so.0+0xa967b)
#51 (closed) 0x4b957f in main /home/ssalenikovich/projects/ring-client-gnome/src/main.cpp:45
#52 (closed) 0x7ffff2c14a3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)
#53 (closed) 0x4b93d8 in _start (/home/ssalenikovich/projects/ring-client-gnome/build/gnome-ring+0x4b93d8)

0x60400031df90 is located 0 bytes inside of 40-byte region [0x60400031df90,0x60400031dfb8)
freed by thread T0 here:
#0 0x7ffff6f556af in operator delete(void*) (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x586af)
#1 0x7ffff505094e in QPersistentModelIndex::operator=(QModelIndex const&) (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0x28794e)

previously allocated by thread T0 here:
#0 0x7ffff6f551af in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x581af)
#1 0x7ffff504d485 (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0x284485)

SUMMARY: AddressSanitizer: heap-use-after-free /usr/include/x86_64-linux-gnu/qt5/QtCore/qabstractitemmodel.h:64 QModelIndex::isValid() const
Shadow bytes around the buggy address:
0x0c088005bba0: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
0x0c088005bbb0: fa fa fd fd fd fd fd fa fa fa 00 00 00 00 04 fa
0x0c088005bbc0: fa fa fd fd fd fd fd fd fa fa 00 00 00 00 00 fa
0x0c088005bbd0: fa fa fd fd fd fd fd fa fa fa 00 00 00 00 02 fa
0x0c088005bbe0: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fd
=>0x0c088005bbf0: fa fa[fd]fd fd fd fd fa fa fa fd fd fd fd fd fd
0x0c088005bc00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c088005bc10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c088005bc20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c088005bc30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c088005bc40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Contiguous container OOB:fc
ASan internal: fe
==30971==ABORTING
[Thread 0x7fffdba76700 (LWP 30978) exited]
[Thread 0x7ffff7f15a40 (LWP 30971) exited]
[Inferior 1 (process 30971) exited with code 01]