Use-after-free in gcal_week_grid_forall()
I can't reproduce this, but what happened was: in month view, I created an event at 11 AM on some day, then I dragged the event to another day, and then dragged it to a third day. gnome-calendar crashed. When I reopened gnome-calendar, the event had been successfully moved to the third day, so I guess the crash occurred after saving the event.
We see:
- ChildData is allocated in gcal_week_grid_add_event(), gcal-week-grid.c:1119
- Freed at gcal-week-view.c:364; sadly, that's a call to gcal_week_grid_remove_event() and it doesn't show where inside the call, but I think we can assume it's inside gcal_range_tree_remove_range()
- Memory later reused at gcal-week-grid.c:258
Seems like a memory safety issue somewhere inside GCalRangeTree.
$ G_DEBUG=fatal-criticals jhbuild run gnome-calendar
=================================================================
==2138594==ERROR: AddressSanitizer: heap-use-after-free on address 0x602000f8f650 at pc 0x0000004a876b bp 0x7ffe9efe5610 sp 0x7ffe9efe5600
READ of size 8 at 0x602000f8f650 thread T0
#0 0x4a876a in gcal_week_grid_forall ../../../../Projects/gnome-calendar/src/views/gcal-week-grid.c:258
#1 0x7f331d93d728 in gtk_container_forall /home/mcatanzaro/Projects/gtk/gtk/gtkcontainer.c:2444
#2 0x7f331d93d57e in gtk_container_get_request_mode /home/mcatanzaro/Projects/gtk/gtk/gtkcontainer.c:2383
#3 0x7f331db24f9a in gtk_widget_get_request_mode /home/mcatanzaro/Projects/gtk/gtk/gtksizerequest.c:459
#4 0x7f331db245b5 in gtk_widget_query_size_for_orientation /home/mcatanzaro/Projects/gtk/gtk/gtksizerequest.c:154
#5 0x7f331db24e67 in gtk_widget_compute_size_for_orientation /home/mcatanzaro/Projects/gtk/gtk/gtksizerequest.c:399
#6 0x7f331db250bd in gtk_widget_get_preferred_width /home/mcatanzaro/Projects/gtk/gtk/gtksizerequest.c:492
#7 0x7f331d8da307 in gtk_box_get_size /home/mcatanzaro/Projects/gtk/gtk/gtkbox.c:1608
#8 0x7f331d8db1f6 in gtk_box_get_content_size /home/mcatanzaro/Projects/gtk/gtk/gtkbox.c:2068
#9 0x7f331d946a90 in gtk_css_custom_gadget_get_preferred_size /home/mcatanzaro/Projects/gtk/gtk/gtkcsscustomgadget.c:124
#10 0x7f331d94c1db in gtk_css_gadget_get_preferred_size /home/mcatanzaro/Projects/gtk/gtk/gtkcssgadget.c:683
#11 0x7f331d8da688 in gtk_box_get_preferred_width /home/mcatanzaro/Projects/gtk/gtk/gtkbox.c:1722
#12 0x7f331db24674 in gtk_widget_query_size_for_orientation /home/mcatanzaro/Projects/gtk/gtk/gtksizerequest.c:181
#13 0x7f331db24e67 in gtk_widget_compute_size_for_orientation /home/mcatanzaro/Projects/gtk/gtk/gtksizerequest.c:399
#14 0x7f331db250bd in gtk_widget_get_preferred_width /home/mcatanzaro/Projects/gtk/gtk/gtksizerequest.c:492
#15 0x7f331db25a76 in _gtk_widget_get_preferred_size_for_size /home/mcatanzaro/Projects/gtk/gtk/gtksizerequest.c:871
#16 0x7f331dc001bd in gtk_viewport_measure /home/mcatanzaro/Projects/gtk/gtk/gtkviewport.c:165
#17 0x7f331d946a90 in gtk_css_custom_gadget_get_preferred_size /home/mcatanzaro/Projects/gtk/gtk/gtkcsscustomgadget.c:124
#18 0x7f331d94c1db in gtk_css_gadget_get_preferred_size /home/mcatanzaro/Projects/gtk/gtk/gtkcssgadget.c:683
#19 0x7f331dc02352 in gtk_viewport_get_preferred_width /home/mcatanzaro/Projects/gtk/gtk/gtkviewport.c:1069
#20 0x7f331db24674 in gtk_widget_query_size_for_orientation /home/mcatanzaro/Projects/gtk/gtk/gtksizerequest.c:181
#21 0x7f331db24e67 in gtk_widget_compute_size_for_orientation /home/mcatanzaro/Projects/gtk/gtk/gtksizerequest.c:399
#22 0x7f331db250bd in gtk_widget_get_preferred_width /home/mcatanzaro/Projects/gtk/gtk/gtksizerequest.c:492
#23 0x7f331db042b8 in gtk_scrolled_window_measure /home/mcatanzaro/Projects/gtk/gtk/gtkscrolledwindow.c:1851
#24 0x7f331d946a90 in gtk_css_custom_gadget_get_preferred_size /home/mcatanzaro/Projects/gtk/gtk/gtkcsscustomgadget.c:124
#25 0x7f331d94c1db in gtk_css_gadget_get_preferred_size /home/mcatanzaro/Projects/gtk/gtk/gtkcssgadget.c:683
#26 0x7f331db09a4f in gtk_scrolled_window_get_preferred_width /home/mcatanzaro/Projects/gtk/gtk/gtkscrolledwindow.c:4093
#27 0x7f331db24674 in gtk_widget_query_size_for_orientation /home/mcatanzaro/Projects/gtk/gtk/gtksizerequest.c:181
#28 0x7f331db24e67 in gtk_widget_compute_size_for_orientation /home/mcatanzaro/Projects/gtk/gtk/gtksizerequest.c:399
#29 0x7f331db250bd in gtk_widget_get_preferred_width /home/mcatanzaro/Projects/gtk/gtk/gtksizerequest.c:492
#30 0x7f331d8da307 in gtk_box_get_size /home/mcatanzaro/Projects/gtk/gtk/gtkbox.c:1608
#31 0x7f331d8db1f6 in gtk_box_get_content_size /home/mcatanzaro/Projects/gtk/gtk/gtkbox.c:2068
#32 0x7f331d946a90 in gtk_css_custom_gadget_get_preferred_size /home/mcatanzaro/Projects/gtk/gtk/gtkcsscustomgadget.c:124
#33 0x7f331d94c1db in gtk_css_gadget_get_preferred_size /home/mcatanzaro/Projects/gtk/gtk/gtkcssgadget.c:683
#34 0x7f331d8da688 in gtk_box_get_preferred_width /home/mcatanzaro/Projects/gtk/gtk/gtkbox.c:1722
#35 0x7f331db24674 in gtk_widget_query_size_for_orientation /home/mcatanzaro/Projects/gtk/gtk/gtksizerequest.c:181
#36 0x7f331db24e67 in gtk_widget_compute_size_for_orientation /home/mcatanzaro/Projects/gtk/gtk/gtksizerequest.c:399
#37 0x7f331db250bd in gtk_widget_get_preferred_width /home/mcatanzaro/Projects/gtk/gtk/gtksizerequest.c:492
#38 0x7f331db326cd in gtk_stack_measure /home/mcatanzaro/Projects/gtk/gtk/gtkstack.c:2410
#39 0x7f331d946a90 in gtk_css_custom_gadget_get_preferred_size /home/mcatanzaro/Projects/gtk/gtk/gtkcsscustomgadget.c:124
#40 0x7f331d94c1db in gtk_css_gadget_get_preferred_size /home/mcatanzaro/Projects/gtk/gtk/gtkcssgadget.c:683
#41 0x7f331db32472 in gtk_stack_get_preferred_width /home/mcatanzaro/Projects/gtk/gtk/gtkstack.c:2311
#42 0x7f331db24674 in gtk_widget_query_size_for_orientation /home/mcatanzaro/Projects/gtk/gtk/gtksizerequest.c:181
#43 0x7f331db24e67 in gtk_widget_compute_size_for_orientation /home/mcatanzaro/Projects/gtk/gtk/gtksizerequest.c:399
#44 0x7f331db250bd in gtk_widget_get_preferred_width /home/mcatanzaro/Projects/gtk/gtk/gtksizerequest.c:492
#45 0x7f331d8da307 in gtk_box_get_size /home/mcatanzaro/Projects/gtk/gtk/gtkbox.c:1608
#46 0x7f331d8db1f6 in gtk_box_get_content_size /home/mcatanzaro/Projects/gtk/gtk/gtkbox.c:2068
#47 0x7f331d946a90 in gtk_css_custom_gadget_get_preferred_size /home/mcatanzaro/Projects/gtk/gtk/gtkcsscustomgadget.c:124
#48 0x7f331d94c1db in gtk_css_gadget_get_preferred_size /home/mcatanzaro/Projects/gtk/gtk/gtkcssgadget.c:683
#49 0x7f331d8da688 in gtk_box_get_preferred_width /home/mcatanzaro/Projects/gtk/gtk/gtkbox.c:1722
#50 0x7f331db24674 in gtk_widget_query_size_for_orientation /home/mcatanzaro/Projects/gtk/gtk/gtksizerequest.c:181
#51 0x7f331db24e67 in gtk_widget_compute_size_for_orientation /home/mcatanzaro/Projects/gtk/gtk/gtksizerequest.c:399
#52 0x7f331db250bd in gtk_widget_get_preferred_width /home/mcatanzaro/Projects/gtk/gtk/gtksizerequest.c:492
#53 0x7f331d8d2d37 in gtk_bin_get_preferred_width /home/mcatanzaro/Projects/gtk/gtk/gtkbin.c:198
#54 0x7f331db24674 in gtk_widget_query_size_for_orientation /home/mcatanzaro/Projects/gtk/gtk/gtksizerequest.c:181
#55 0x7f331db24e67 in gtk_widget_compute_size_for_orientation /home/mcatanzaro/Projects/gtk/gtk/gtksizerequest.c:399
#56 0x7f331db250bd in gtk_widget_get_preferred_width /home/mcatanzaro/Projects/gtk/gtk/gtksizerequest.c:492
#57 0x7f331dc33651 in gtk_window_get_preferred_width /home/mcatanzaro/Projects/gtk/gtk/gtkwindow.c:8838
#58 0x7f331d8c8589 in gtk_application_window_real_get_preferred_width /home/mcatanzaro/Projects/gtk/gtk/gtkapplicationwindow.c:576
#59 0x7f331db24674 in gtk_widget_query_size_for_orientation /home/mcatanzaro/Projects/gtk/gtk/gtksizerequest.c:181
#60 0x7f331db24e67 in gtk_widget_compute_size_for_orientation /home/mcatanzaro/Projects/gtk/gtk/gtksizerequest.c:399
#61 0x7f331db250bd in gtk_widget_get_preferred_width /home/mcatanzaro/Projects/gtk/gtk/gtksizerequest.c:492
#62 0x7f331db255c2 in _gtk_widget_get_preferred_size_and_baseline /home/mcatanzaro/Projects/gtk/gtk/gtksizerequest.c:685
#63 0x7f331db256ee in gtk_widget_get_preferred_size /home/mcatanzaro/Projects/gtk/gtk/gtksizerequest.c:750
#64 0x7f331dc35d5c in gtk_window_compute_hints /home/mcatanzaro/Projects/gtk/gtk/gtkwindow.c:10298
#65 0x7f331dc34e89 in gtk_window_compute_configure_request /home/mcatanzaro/Projects/gtk/gtk/gtkwindow.c:9610
#66 0x7f331dc3545a in gtk_window_move_resize /home/mcatanzaro/Projects/gtk/gtk/gtkwindow.c:9819
#67 0x7f331dc32e6c in gtk_window_check_resize /home/mcatanzaro/Projects/gtk/gtk/gtkwindow.c:8570
#68 0x7f331d066af5 in _g_closure_invoke_va ../gobject/gclosure.c:873
#69 0x7f331d07f812 in g_signal_emit_valist ../gobject/gsignal.c:3407
#70 0x7f331d07fd92 in g_signal_emit (/lib64/libgobject-2.0.so.0+0x2cd92)
#71 0x7f331d93d096 in gtk_container_check_resize /home/mcatanzaro/Projects/gtk/gtk/gtkcontainer.c:2175
#72 0x7f331d93ccc5 in gtk_container_idle_sizer /home/mcatanzaro/Projects/gtk/gtk/gtkcontainer.c:2065
#73 0x7f331d066af5 in _g_closure_invoke_va ../gobject/gclosure.c:873
#74 0x7f331d07f812 in g_signal_emit_valist ../gobject/gsignal.c:3407
#75 0x7f331d07fd92 in g_signal_emit (/lib64/libgobject-2.0.so.0+0x2cd92)
#76 0x7f331d6a9e1b in _gdk_frame_clock_emit_layout /home/mcatanzaro/Projects/gtk/gdk/gdkframeclock.c:637
#77 0x7f331d6aac3c in gdk_frame_clock_paint_idle /home/mcatanzaro/Projects/gtk/gdk/gdkframeclockidle.c:428
#78 0x7f331d68dd99 in gdk_threads_dispatch /home/mcatanzaro/Projects/gtk/gdk/gdk.c:769
#79 0x7f331dfdd310 in g_timeout_dispatch ../glib/gmain.c:4800
#80 0x7f331dfdc76e in g_main_dispatch ../glib/gmain.c:3309
#81 0x7f331dfdcaf7 in g_main_context_iterate ../glib/gmain.c:4047
#82 0x7f331dfdcbc2 in g_main_context_iteration (/lib64/libglib-2.0.so.0+0x52bc2)
#83 0x7f331d19186c in g_application_run (/lib64/libgio-2.0.so.0+0xe586c)
#84 0x422346 in main ../../../../Projects/gnome-calendar/src/main.c:39
#85 0x7f331cb11041 in __libc_start_main ../csu/libc-start.c:308
#86 0x41e2ad in _start (/home/mcatanzaro/Projects/GNOME/install/bin/gnome-calendar+0x41e2ad)
0x602000f8f650 is located 0 bytes inside of 16-byte region [0x602000f8f650,0x602000f8f660)
freed by thread T0 here:
#0 0x7f331e191317 in __interceptor_free (/lib64/libasan.so.6+0xb0317)
#1 0x7f331dfe298c in g_free (/lib64/libglib-2.0.so.0+0x5898c)
#2 0x444ec2 in gcal_week_view_update_event ../../../../Projects/gnome-calendar/src/views/gcal-week-view.c:364
#3 0x4744db in update_subscriber_event ../../../../Projects/gnome-calendar/src/core/gcal-timeline.c:206
#4 0x476e9a in timeline_source_dispatch ../../../../Projects/gnome-calendar/src/core/gcal-timeline.c:651
#5 0x7f331dfdc76e in g_main_dispatch ../glib/gmain.c:3309
previously allocated by thread T0 here:
#0 0x7f331e191677 in __interceptor_malloc (/lib64/libasan.so.6+0xb0677)
#1 0x7f331dfe2898 in g_malloc (/lib64/libglib-2.0.so.0+0x58898)
#2 0x4ad778 in gcal_week_grid_add_event ../../../../Projects/gnome-calendar/src/views/gcal-week-grid.c:1119
#3 0x444e01 in gcal_week_view_add_event ../../../../Projects/gnome-calendar/src/views/gcal-week-view.c:348
#4 0x474487 in add_event_to_subscriber ../../../../Projects/gnome-calendar/src/core/gcal-timeline.c:194
#5 0x476bed in timeline_source_dispatch ../../../../Projects/gnome-calendar/src/core/gcal-timeline.c:621
#6 0x7f331dfdc76e in g_main_dispatch ../glib/gmain.c:3309
SUMMARY: AddressSanitizer: heap-use-after-free ../../../../Projects/gnome-calendar/src/views/gcal-week-grid.c:258 in gcal_week_grid_forall
Shadow bytes around the buggy address:
0x0c04801e9e70: fa fa fd fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c04801e9e80: fa fa fa fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c04801e9e90: fa fa fd fa fa fa fd fa fa fa fa fa fa fa fa fa
0x0c04801e9ea0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c04801e9eb0: fa fa fd fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c04801e9ec0: fa fa fa fa fa fa fd fa fa fa[fd]fd fa fa fd fd
0x0c04801e9ed0: fa fa fd fd fa fa fd fd fa fa fa fa fa fa fa fa
0x0c04801e9ee0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c04801e9ef0: fa fa fd fd fa fa fa fa fa fa fa fa fa fa fa fa
0x0c04801e9f00: fa fa fa fa fa fa fd fa fa fa fd fd fa fa fd fa
0x0c04801e9f10: fa fa fd fa fa fa fd fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==2138594==ABORTING
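As an added illustration (not GNOME Calendar's code), the C below models the lifecycle in the trace above: a ChildData allocated by add_event, freed by remove_event when a drag moves the event, and dereferenced later by forall. The Grid with two indexes is an assumed stand-in for GcalWeekGrid and GcalRangeTree, whose real internals are not shown on this page; the hardened remove unlinks the pointer from every index before the single free, and grid_check_consistent() is the invariant a debug build could assert after each update.

```c
#include <stdlib.h>

typedef struct { int event_id; int day; } ChildData;
/* Assumed model: children is the owning list forall() walks; by_day is a second index of the same pointers. */
typedef struct { ChildData *children[64], *by_day[64]; int n_children, n_by_day; } Grid;

static int grid_add_event(Grid *g, int id, int day) {
  ChildData *cd;
  if (g->n_children >= 64 || !(cd = malloc(sizeof *cd))) return 0;
  cd->event_id = id; cd->day = day;
  g->children[g->n_children++] = cd;
  g->by_day[g->n_by_day++] = cd;
  return 1;
}
/* Unlink cd from one array without freeing it; returns 1 if it was there. */
static int unlink_ptr(ChildData **arr, int *n, const ChildData *cd) {
  for (int i = 0; i < *n; i++)
    if (arr[i] == cd) { arr[i] = arr[--*n]; return 1; }
  return 0;
}
/* Unlink from EVERY index, then free once; freeing while an index still holds cd is the ASan pattern above. */
static int grid_remove_event(Grid *g, int id) {
  for (int i = 0; i < g->n_children; i++) {
    ChildData *cd = g->children[i];
    if (cd->event_id != id) continue;
    unlink_ptr(g->children, &g->n_children, cd);
    unlink_ptr(g->by_day, &g->n_by_day, cd); /* omitting this leaves a dangling entry */
    free(cd);
    return 1;
  }
  return 0;
}
/* Dragging an event to another day, as in the report: remove, then re-add. */
static int grid_move_event(Grid *g, int id, int day) {
  return grid_remove_event(g, id) && grid_add_event(g, id, day);
}
/* forall() analogue: dereferences every child; returns the sum of their days. */
static int grid_forall_sum_days(const Grid *g) {
  int sum = 0;
  for (int i = 0; i < g->n_children; i++) sum += g->children[i]->day;
  return sum;
}
/* Invariant a debug build can assert: both indexes hold exactly the same live pointers. */
static int grid_check_consistent(const Grid *g) {
  int matched = 0;
  for (int i = 0; i < g->n_by_day; i++)
    for (int j = 0; j < g->n_children; j++) matched += (g->children[j] == g->by_day[i]);
  return g->n_children == g->n_by_day && matched == g->n_children;
}
```

Building this with -fsanitize=address and deleting the second unlink_ptr() call makes grid_forall_sum_days() report the same heap-use-after-free shape as the trace above.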