use-after-free when quitting application
epiphany compiled from 9a58a901, and libhandy from libhandy@a578492e.
Configured:
CFLAGS="-ggdb3" meson setup build -D optimization=g -D debug=true -D prefix=/usr -D b_sanitize=address,undefined -D developer_mode=true
Started:
meson devenv -C build
LD_PRELOAD=/usr/lib/libasan.so ./src/epiphany
Then simply closing the window is enough to trigger a use-after-free:
=================================================================
==1190343==ERROR: AddressSanitizer: heap-use-after-free on address 0x606000363da0 at pc 0x7f40a791e759 bp 0x7fffafca3bf0 sp 0x7fffafca3be0
READ of size 8 at 0x606000363da0 thread T0
#0 0x7f40a791e758 in hdy_stackable_box_get_visible_child ../subprojects/libhandy/src/hdy-stackable-box.c:952
#1 0x7f40a7923a3b in hdy_stackable_box_remove ../subprojects/libhandy/src/hdy-stackable-box.c:2317
#2 0x7f40a7858216 in hdy_deck_remove ../subprojects/libhandy/src/hdy-deck.c:701
#3 0x7f40a8d4189e in g_cclosure_marshal_VOID__OBJECTv (/usr/lib/libgobject-2.0.so.0+0x1189e)
#4 0x7f40a8d60c95 in g_signal_emit_valist (/usr/lib/libgobject-2.0.so.0+0x30c95)
#5 0x7f40a8d60e03 in g_signal_emit (/usr/lib/libgobject-2.0.so.0+0x30e03)
#6 0x7f40a905bd87 in gtk_container_remove (/usr/lib/libgtk-3.so.0+0x104d87)
#7 0x7f40a9296ea8 (/usr/lib/libgtk-3.so.0+0x33fea8)
#8 0x7f40a9b2a866 in ephy_pages_view_dispose ../src/ephy-pages-view.c:100
#9 0x7f40a8d44d11 in g_object_run_dispose (/usr/lib/libgobject-2.0.so.0+0x14d11)
#10 0x7f40a7923fba in hdy_stackable_box_forall ../subprojects/libhandy/src/hdy-stackable-box.c:2348
#11 0x7f40a78585a0 in hdy_deck_forall ../subprojects/libhandy/src/hdy-deck.c:710
#12 0x7f40a905b6db (/usr/lib/libgtk-3.so.0+0x1046db)
#13 0x7f40a8d42dfc in g_closure_invoke (/usr/lib/libgobject-2.0.so.0+0x12dfc)
#14 0x7f40a8d5f0f0 (/usr/lib/libgobject-2.0.so.0+0x2f0f0)
#15 0x7f40a8d60ba6 in g_signal_emit_valist (/usr/lib/libgobject-2.0.so.0+0x30ba6)
#16 0x7f40a8d60e03 in g_signal_emit (/usr/lib/libgobject-2.0.so.0+0x30e03)
#17 0x7f40a9296edd (/usr/lib/libgtk-3.so.0+0x33fedd)
#18 0x7f40a8d44d11 in g_object_run_dispose (/usr/lib/libgobject-2.0.so.0+0x14d11)
#19 0x7f40a7923fba in hdy_stackable_box_forall ../subprojects/libhandy/src/hdy-stackable-box.c:2348
#20 0x7f40a78585a0 in hdy_deck_forall ../subprojects/libhandy/src/hdy-deck.c:710
#21 0x7f40a905b6db (/usr/lib/libgtk-3.so.0+0x1046db)
#22 0x7f40a8d42dfc in g_closure_invoke (/usr/lib/libgobject-2.0.so.0+0x12dfc)
#23 0x7f40a8d5f0f0 (/usr/lib/libgobject-2.0.so.0+0x2f0f0)
#24 0x7f40a8d60ba6 in g_signal_emit_valist (/usr/lib/libgobject-2.0.so.0+0x30ba6)
#25 0x7f40a8d60e03 in g_signal_emit (/usr/lib/libgobject-2.0.so.0+0x30e03)
#26 0x7f40a9296edd (/usr/lib/libgtk-3.so.0+0x33fedd)
#27 0x7f40a8d4fa90 in g_object_unref (/usr/lib/libgobject-2.0.so.0+0x1fa90)
#28 0x7f40a9004519 (/usr/lib/libgtk-3.so.0+0xad519)
#29 0x7f40a7960dfb in hdy_window_mixin_remove ../subprojects/libhandy/src/hdy-window-mixin.c:262
#30 0x7f40a7963c79 in hdy_window_mixin_destroy ../subprojects/libhandy/src/hdy-window-mixin.c:473
#31 0x7f40a7836f3a in hdy_application_window_destroy ../subprojects/libhandy/src/hdy-application-window.c:78
#32 0x7f40a9b57a01 in ephy_window_destroy ../src/ephy-window.c:3292
#33 0x7f40a8d42ebe in g_closure_invoke (/usr/lib/libgobject-2.0.so.0+0x12ebe)
#34 0x7f40a8d5f0f0 (/usr/lib/libgobject-2.0.so.0+0x2f0f0)
#35 0x7f40a8d60ba6 in g_signal_emit_valist (/usr/lib/libgobject-2.0.so.0+0x30ba6)
#36 0x7f40a8d60e03 in g_signal_emit (/usr/lib/libgobject-2.0.so.0+0x30e03)
#37 0x7f40a9296edd (/usr/lib/libgtk-3.so.0+0x33fedd)
#38 0x7f40a92a32e0 (/usr/lib/libgtk-3.so.0+0x34c2e0)
#39 0x7f40a90034d7 (/usr/lib/libgtk-3.so.0+0xac4d7)
#40 0x7f40a9b58a0b in ephy_window_dispose ../src/ephy-window.c:3099
#41 0x7f40a8d44d11 in g_object_run_dispose (/usr/lib/libgobject-2.0.so.0+0x14d11)
#42 0x7f40a9b5f914 in finish_window_close_after_modified_forms_check ../src/ephy-window.c:4185
#43 0x7f40a9b5fd15 in continue_window_close_after_modified_forms_check ../src/ephy-window.c:4232
#44 0x7f40a9b5ff20 in window_has_modified_forms_cb ../src/ephy-window.c:4257
#45 0x7f40a8e30d33 (/usr/lib/libgio-2.0.so.0+0xa3d33)
#46 0x7f40a8e34a88 (/usr/lib/libgio-2.0.so.0+0xa7a88)
#47 0x7f40a9bd8a3e in has_modified_forms_timeout_cb ../embed/ephy-web-view.c:3263
#48 0x7f40a8c486d7 (/usr/lib/libglib-2.0.so.0+0x556d7)
#49 0x7f40a8c47ee2 in g_main_context_dispatch (/usr/lib/libglib-2.0.so.0+0x54ee2)
#50 0x7f40a8c9e0f8 (/usr/lib/libglib-2.0.so.0+0xab0f8)
#51 0x7f40a8c45454 in g_main_context_iteration (/usr/lib/libglib-2.0.so.0+0x52454)
#52 0x7f40a8e686ed in g_application_run (/usr/lib/libgio-2.0.so.0+0xdb6ed)
#53 0x5612a4efc398 in main ../src/ephy-main.c:428
#54 0x7f40a7f1730f in __libc_start_call_main (/usr/lib/libc.so.6+0x2d30f)
#55 0x7f40a7f173c0 in __libc_start_main@GLIBC_2.2.5 (/usr/lib/libc.so.6+0x2d3c0)
#56 0x5612a4efa5f4 in _start (./src/epiphany/build/src/epiphany+0xb5f4)
0x606000363da0 is located 0 bytes inside of 64-byte region [0x606000363da0,0x606000363de0)
freed by thread T0 here:
#0 0x7f40a9f2da79 in __interceptor_free /usr/src/debug/gcc/libsanitizer/asan/asan_malloc_linux.cpp:127
#1 0x7f40a791ac6b in free_child_info ../subprojects/libhandy/src/hdy-stackable-box.c:179
#2 0x7f40a7923b0e in glib_autoptr_clear_HdyStackableBoxChildInfo ../subprojects/libhandy/src/hdy-stackable-box.c:182
#3 0x7f40a7923b0e in glib_autoptr_cleanup_HdyStackableBoxChildInfo ../subprojects/libhandy/src/hdy-stackable-box.c:182
#4 0x7f40a7923b0e in hdy_stackable_box_remove ../subprojects/libhandy/src/hdy-stackable-box.c:2305
#5 0x7f40a7858216 in hdy_deck_remove ../subprojects/libhandy/src/hdy-deck.c:701
#6 0x7f40a8d4189e in g_cclosure_marshal_VOID__OBJECTv (/usr/lib/libgobject-2.0.so.0+0x1189e)
previously allocated by thread T0 here:
#0 0x7f40a9f2dfb9 in __interceptor_calloc /usr/src/debug/gcc/libsanitizer/asan/asan_malloc_linux.cpp:154
#1 0x7f40a8c51291 in g_malloc0 (/usr/lib/libglib-2.0.so.0+0x5e291)
#2 0x7f40a79280a1 in hdy_stackable_box_add ../subprojects/libhandy/src/hdy-stackable-box.c:2293
#3 0x7f40a785817c in hdy_deck_add ../subprojects/libhandy/src/hdy-deck.c:694
#4 0x7f40a8d4189e in g_cclosure_marshal_VOID__OBJECTv (/usr/lib/libgobject-2.0.so.0+0x1189e)
SUMMARY: AddressSanitizer: heap-use-after-free ../subprojects/libhandy/src/hdy-stackable-box.c:952 in hdy_stackable_box_get_visible_child
Shadow bytes around the buggy address:
0x0c0c80064760: fd fd fd fd fd fd fd fd fa fa fa fa fd fd fd fd
0x0c0c80064770: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fa
0x0c0c80064780: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
0x0c0c80064790: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
0x0c0c800647a0: fd fd fd fa fa fa fa fa 00 00 00 00 00 00 04 fa
=>0x0c0c800647b0: fa fa fa fa[fd]fd fd fd fd fd fd fd fa fa fa fa
0x0c0c800647c0: 00 00 00 00 00 00 00 00 fa fa fa fa fd fd fd fd
0x0c0c800647d0: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fd
0x0c0c800647e0: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
0x0c0c800647f0: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
0x0c0c80064800: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==1190343==ABORTING
PS. I have added libhandy as a subproject because my distribution does not ship libhandy 1.5 or newer:
$ cat subprojects/libhandy.wrap
[wrap-git]
url = https://gitlab.gnome.org/GNOME/libhandy.git
revision = head
[provide]
libhandy-1 = libhandy_dep
PS2. I am not sure if this is an epiphany or libhandy issue.