ephy-web-view.c: heap-use-after-free on shutdown
I use epiphany 3.36.1 and webkitgtk 2.28.2 compiled under clang/address sanitizer. When I shut down Epiphany, it prints:
WARNING: ASAN interferes with JSC signal handlers; useWebAssemblyFastMemory will be disabled.
WARNING: ASAN interferes with JSC signal handlers; useWebAssemblyFastMemory will be disabled.
WARNING: ASAN interferes with JSC signal handlers; useWebAssemblyFastMemory will be disabled.
Fontconfig error: Cannot load default config file
=================================================================
==31987==ERROR: AddressSanitizer: heap-use-after-free on address 0x61100030d760 at pc 0x00000049bbdd bp 0x7ffd14cc6890 sp 0x7ffd14cc6040
READ of size 27 at 0x61100030d760 thread T0
#0 0x49bbdc in __interceptor_strcmp.part.0 /src/llvm/llvm-10.0.0.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:452:3
#1 0x7f6211b55d3e in password_manager_query_finished_cb /src/gnome/epiphany-3.36.1/build-asan/../embed/ephy-web-view.c:2406:7
#2 0x7f62105f42ae in retrieve_secret_cb /src/gnome/epiphany-3.36.1/build-asan/../lib/sync/ephy-password-manager.c:614:7
#3 0x7f6210f84e38 in g_task_return_now /git/gnome/glib/build_A/../gio/gtask.c:1214:7
#4 0x7f6210f8597c in g_task_return.part.0 /git/gnome/glib/build_A/../gio/gtask.c:1283:15
#5 0x7f61fda7d6fa in on_retrieve_load /src/gnome/libsecret-0.20.3/build_A/../libsecret/secret-item.c:1264:3
#6 0x7f6210f84e38 in g_task_return_now /git/gnome/glib/build_A/../gio/gtask.c:1214:7
#7 0x7f6210f8597c in g_task_return.part.0 /git/gnome/glib/build_A/../gio/gtask.c:1283:15
#8 0x7f61fda7d024 in on_item_load_secret /src/gnome/libsecret-0.20.3/build_A/../libsecret/secret-item.c:1112:3
#9 0x7f6210f84e38 in g_task_return_now /git/gnome/glib/build_A/../gio/gtask.c:1214:7
#10 0x7f6210f8597c in g_task_return.part.0 /git/gnome/glib/build_A/../gio/gtask.c:1283:15
#11 0x7f6210fe6772 in reply_cb /git/gnome/glib/build_A/../gio/gdbusproxy.c:2555:7
#12 0x7f6210f84e38 in g_task_return_now /git/gnome/glib/build_A/../gio/gtask.c:1214:7
#13 0x7f6210f8597c in g_task_return.part.0 /git/gnome/glib/build_A/../gio/gtask.c:1283:15
#14 0x7f6210fdbfbe in g_dbus_connection_call_done /git/gnome/glib/build_A/../gio/gdbusconnection.c:5763:5
#15 0x7f6210f84e38 in g_task_return_now /git/gnome/glib/build_A/../gio/gtask.c:1214:7
#16 0x7f6210f84e78 in complete_in_idle_cb /git/gnome/glib/build_A/../gio/gtask.c:1228:3
#17 0x7f6210da517d in g_main_dispatch /git/gnome/glib/build_A/../glib/gmain.c:3309:28
#18 0x7f6210da517d in g_main_context_dispatch /git/gnome/glib/build_A/../glib/gmain.c:3974:7
#19 0x7f6210da54ff in g_main_context_iterate.isra.0 /git/gnome/glib/build_A/../glib/gmain.c:4047:5
#20 0x7f6210da558e in g_main_context_iteration /git/gnome/glib/build_A/../glib/gmain.c:4108:12
#21 0x7f6210fb0f1c in g_application_run /git/gnome/glib/build_A/../gio/gapplication.c:2559:7
#22 0x4fa1e3 in main /src/gnome/epiphany-3.36.1/build-asan/../src/ephy-main.c:427:12
#23 0x7f6210662b5a in __libc_start_main /src/glibc-2.29/csu/../csu/libc-start.c:308:16
#24 0x420779 in _start /src/glibc-2.29/csu/../sysdeps/x86_64/start.S:120
0x61100030d760 is located 160 bytes inside of 248-byte region [0x61100030d6c0,0x61100030d7b8)
freed by thread T0 here:
#0 0x4c10ff in free /src/llvm/llvm-10.0.0.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:123:3
#1 0x7f62078fa81c in IPC::Decoder::~Decoder() /src/gnome/webkitgtk-2.28.2/build-asan/../Source/WebKit/Platform/IPC/Decoder.cpp:76:9
#2 0x7f62078ea421 in std::default_delete<IPC::Decoder>::operator()(IPC::Decoder*) const /usr/local/bin/../lib/gcc/x86_64-pc-linux-gnu/9.3.1/../../../../include/c++/9.3.1/bits/unique_ptr.h:81:2
#3 0x7f62078ea421 in std::unique_ptr<IPC::Decoder, std::default_delete<IPC::Decoder> >::~unique_ptr() /usr/local/bin/../lib/gcc/x86_64-pc-linux-gnu/9.3.1/../../../../include/c++/9.3.1/bits/unique_ptr.h:292:4
#4 0x7f62078ea421 in IPC::Connection::dispatchIncomingMessages() /src/gnome/webkitgtk-2.28.2/build-asan/../Source/WebKit/Platform/IPC/Connection.cpp:1181:5
#5 0x7f620581c210 in JSC::ParseHash::hashForConstruct() const (/usr/local/lib/libjavascriptcoregtk-4.0.so.18+0x413e210)
#6 0x7f620581c210 in WTF::RunLoop::performWork() /src/gnome/webkitgtk-2.28.2/build-asan/../Source/JavaScriptCore/parser/Parser.h:2082:93
#7 0x7f6205951cf8 in JSC::ParseHash::hashForConstruct() const (/usr/local/lib/libjavascriptcoregtk-4.0.so.18+0x4273cf8)
#8 0x7f6205951cf8 in WTF::RunLoop::RunLoop()::$_0::__invoke(void*) /src/gnome/webkitgtk-2.28.2/build-asan/../Source/JavaScriptCore/parser/Parser.h:2082:93
#9 0x7f6210da517d in g_main_dispatch /git/gnome/glib/build_A/../glib/gmain.c:3309:28
#10 0x7f6210da517d in g_main_context_dispatch /git/gnome/glib/build_A/../glib/gmain.c:3974:7
previously allocated by thread T16 (ReceiveQueue) here:
#0 0x4c140f in malloc /src/llvm/llvm-10.0.0.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
#1 0x7f620596c3bf in JSC::ParseHash::hashForConstruct() const (/usr/local/lib/libjavascriptcoregtk-4.0.so.18+0x428e3bf)
#2 0x7f620596c3bf in bmalloc::DebugHeap::malloc(unsigned long, bmalloc::FailureAction) /src/gnome/webkitgtk-2.28.2/build-asan/../Source/JavaScriptCore/parser/Parser.h:2082:93
#3 0x7f62078fa1bd in IPC::copyBuffer(unsigned char const*, unsigned long) /src/gnome/webkitgtk-2.28.2/build-asan/../Source/WebKit/Platform/IPC/Decoder.cpp:41:45
#4 0x7f62078fa1bd in IPC::Decoder::Decoder(unsigned char const*, unsigned long, void (*)(unsigned char const*, unsigned long), WTF::Vector<IPC::Attachment, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&&) /src/gnome/webkitgtk-2.28.2/build-asan/../Source/WebKit/Platform/IPC/Decoder.cpp:48:47
#5 0x7f62079235ec in std::_MakeUniq<IPC::Decoder>::__single_object std::make_unique<IPC::Decoder, unsigned char*&, unsigned long, std::nullptr_t, WTF::Vector<IPC::Attachment, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> >(unsigned char*&, unsigned long&&, std::nullptr_t&&, WTF::Vector<IPC::Attachment, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&&) /usr/local/bin/../lib/gcc/x86_64-pc-linux-gnu/9.3.1/../../../../include/c++/9.3.1/bits/unique_ptr.h:857:34
#6 0x7f62079235ec in decltype(auto) WTF::makeUnique<IPC::Decoder, unsigned char*&, unsigned long, std::nullptr_t, WTF::Vector<IPC::Attachment, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> >(unsigned char*&, unsigned long&&, std::nullptr_t&&, WTF::Vector<IPC::Attachment, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&&) /src/gnome/webkitgtk-2.28.2/build-asan/DerivedSources/ForwardingHeaders/wtf/StdLibExtras.h:483:12
#7 0x7f62079235ec in IPC::Connection::processMessage() /src/gnome/webkitgtk-2.28.2/build-asan/../Source/WebKit/Platform/IPC/unix/ConnectionUnix.cpp:219:20
#8 0x7f6207924c27 in IPC::Connection::readyReadHandler() /src/gnome/webkitgtk-2.28.2/build-asan/../Source/WebKit/Platform/IPC/unix/ConnectionUnix.cpp:326:18
#9 0x7f620792a4a9 in IPC::Connection::open()::$_0::operator()(GIOCondition) const /src/gnome/webkitgtk-2.28.2/build-asan/../Source/WebKit/Platform/IPC/unix/ConnectionUnix.cpp:349:28
#10 0x7f620792a4a9 in WTF::Detail::CallableWrapper<IPC::Connection::open()::$_0, int, GIOCondition>::call(GIOCondition) /src/gnome/webkitgtk-2.28.2/build-asan/DerivedSources/ForwardingHeaders/wtf/Function.h:52:39
#11 0x7f6210f75406 in socket_source_dispatch /git/gnome/glib/build_A/../gio/gsocket.c:4009:10
Thread T16 (ReceiveQueue) created by T0 here:
#0 0x43e9b2 in pthread_create /src/llvm/llvm-10.0.0.src/projects/compiler-rt/lib/asan/asan_interceptors.cpp:214:3
#1 0x7f6205956b28 in JSC::ParseHash::hashForConstruct() const (/usr/local/lib/libjavascriptcoregtk-4.0.so.18+0x4278b28)
#2 0x7f6205956b28 in WTF::Thread::establishHandle(WTF::Thread::NewThreadContext*) /src/gnome/webkitgtk-2.28.2/build-asan/../Source/JavaScriptCore/parser/Parser.h:2082:93
#3 0x7f62058224ce in JSC::ParseHash::hashForConstruct() const (/usr/local/lib/libjavascriptcoregtk-4.0.so.18+0x41444ce)
#4 0x7f62058224ce in WTF::Thread::create(char const*, WTF::Function<void ()>&&) /src/gnome/webkitgtk-2.28.2/build-asan/../Source/JavaScriptCore/parser/Parser.h:2082:93
#5 0x7f62059465e9 in JSC::ParseHash::hashForConstruct() const (/usr/local/lib/libjavascriptcoregtk-4.0.so.18+0x42685e9)
#6 0x7f62059465e9 in WTF::WorkQueue::platformInitialize(char const*, WTF::WorkQueue::Type, WTF::WorkQueue::QOS) /src/gnome/webkitgtk-2.28.2/build-asan/../Source/JavaScriptCore/parser/Parser.h:2082:93
#7 0x7f62058c05dd in JSC::ParseHash::hashForConstruct() const (/usr/local/lib/libjavascriptcoregtk-4.0.so.18+0x41e25dd)
#8 0x7f62058c05dd in WTF::WorkQueue::create(char const*, WTF::WorkQueue::Type, WTF::WorkQueue::QOS) /src/gnome/webkitgtk-2.28.2/build-asan/../Source/JavaScriptCore/parser/Parser.h:2082:93
#9 0x7f62078df5a9 in IPC::Connection::Connection(int, bool, IPC::Connection::Client&) /src/gnome/webkitgtk-2.28.2/build-asan/../Source/WebKit/Platform/IPC/Connection.cpp:269:25
#10 0x7f62078df343 in IPC::Connection::createServerConnection(int, IPC::Connection::Client&) /src/gnome/webkitgtk-2.28.2/build-asan/../Source/WebKit/Platform/IPC/Connection.cpp:231:26
#11 0x7f6207ab50d4 in WebKit::AuxiliaryProcessProxy::didFinishLaunching(WebKit::ProcessLauncher*, int) /src/gnome/webkitgtk-2.28.2/build-asan/../Source/WebKit/UIProcess/AuxiliaryProcessProxy.cpp:211:20
#12 0x7f6207c69059 in WebKit::WebProcessProxy::didFinishLaunching(WebKit::ProcessLauncher*, int) /src/gnome/webkitgtk-2.28.2/build-asan/../Source/WebKit/UIProcess/WebProcessProxy.cpp:895:28
#13 0x7f620581c4a4 in JSC::ParseHash::hashForConstruct() const (/usr/local/lib/libjavascriptcoregtk-4.0.so.18+0x413e4a4)
#14 0x7f620581c4a4 in WTF::RunLoop::performWork() /src/gnome/webkitgtk-2.28.2/build-asan/../Source/JavaScriptCore/parser/Parser.h:2082:93
#15 0x7f6205951cf8 in JSC::ParseHash::hashForConstruct() const (/usr/local/lib/libjavascriptcoregtk-4.0.so.18+0x4273cf8)
#16 0x7f6205951cf8 in WTF::RunLoop::RunLoop()::$_0::__invoke(void*) /src/gnome/webkitgtk-2.28.2/build-asan/../Source/JavaScriptCore/parser/Parser.h:2082:93
#17 0x7f6210da517d in g_main_dispatch /git/gnome/glib/build_A/../glib/gmain.c:3309:28
#18 0x7f6210da517d in g_main_context_dispatch /git/gnome/glib/build_A/../glib/gmain.c:3974:7
SUMMARY: AddressSanitizer: heap-use-after-free /src/llvm/llvm-10.0.0.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:452:3 in __interceptor_strcmp.part.0
Shadow bytes around the buggy address:
0x0c2280059a90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2280059aa0: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa
0x0c2280059ab0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2280059ac0: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
0x0c2280059ad0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
=>0x0c2280059ae0: fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd
0x0c2280059af0: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa
0x0c2280059b00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2280059b10: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2280059b20: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c2280059b30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
(WebKitWebProcess:2): Gdk-WARNING **: 18:53:42.986: Failed to read portal settings: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name org.freedesktop.portal.Desktop was not provided by any .service files
WARNING: ASAN interferes with JSC signal handlers; useWebAssemblyFastMemory will be disabled.
xkbcommon: ERROR: Key "<LFSH>" added to modifier map for multiple modifiers; Using Lock, ignoring Shift
Fontconfig error: Cannot load default config file
(WebKitWebProcess:2): Gdk-WARNING **: 18:53:48.112: Failed to read portal settings: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name org.freedesktop.portal.Desktop was not provided by any .service files
WARNING: ASAN interferes with JSC signal handlers; useWebAssemblyFastMemory will be disabled.
EGLDisplay Initialization failed: EGL_NOT_INITIALIZED
error in client communication (pid 32114)
Gdk-Message: 18:53:48.278: Error flushing display: Protocol error