Use After Free in Masking Example in GTK4 Demo
Steps to reproduce
- Build GTK4 from git and run gtk4-demo in a Fedora Rawhide container with AddressSanitizer enabled.
- Open the Masking example.
- Wait a few seconds.
Current behavior
AddressSanitizer terminates the demo because it detects a heap use-after-free. Without the sanitizer the demo runs normally.
Expected outcome
The demo runs normally whether or not the sanitizer is enabled.
Version information
GTK 4.13.6-26d15a0196
Updated Fedora Rawhide container inside an Ubuntu 23.10 host with X11.
GSK Renderer: GL, OpenGL 4.5, GLX 1.4, Mesa llvmpipe (LLVM 17.0.6, 256 bits)
meson options: -Db_sanitize=address
Additional information
Sanitizer output:
==21589==ERROR: AddressSanitizer: heap-use-after-free on address 0x50400021dfe8 at pc 0x7fd187db0abf bp 0x7ffcb99bfdb0 sp 0x7ffcb99bfda8
WRITE of size 4 at 0x50400021dfe8 thread T0
#0 0x7fd187db0abe in gsk_gl_texture_library_real_compact ../../../../../../../../../Projects/gnome/applications/gtk/gsk/gl/gskgltexturelibrary.c:122
#1 0x7fd187db0c29 in gsk_gl_texture_library_begin_frame ../../../../../../../../../Projects/gnome/applications/gtk/gsk/gl/gskgltexturelibrary.c:298
#2 0x7fd187d5a642 in gsk_gl_driver_begin_frame ../../../../../../../../../Projects/gnome/applications/gtk/gsk/gl/gskgldriver.c:585
#3 0x7fd187d169f8 in gsk_gl_renderer_render ../../../../../../../../../Projects/gnome/applications/gtk/gsk/gl/gskglrenderer.c:384
#4 0x7fd187cb7fae in gsk_renderer_render ../../../../../../../../../Projects/gnome/applications/gtk/gsk/gskrenderer.c:508
#5 0x7fd1877f449b in gtk_widget_render ../../../../../../../../../Projects/gnome/applications/gtk/gtk/gtkwidget.c:11971
#6 0x7fd187806d74 in surface_render ../../../../../../../../../Projects/gnome/applications/gtk/gtk/gtkwindow.c:4752
#7 0x7fd187b5db4b in _gdk_marshal_BOOLEAN__BOXEDv gdk/gdkmarshalers.c:130
#8 0x7fd188928a8c in _g_closure_invoke_va (/lib64/libgobject-2.0.so.0+0x49a8c) (BuildId: a796d0de9cac0a96549f9ef3970f4fb61a829c90)
#9 0x7fd188962e1e in signal_emit_valist_unlocked (/lib64/libgobject-2.0.so.0+0x83e1e) (BuildId: a796d0de9cac0a96549f9ef3970f4fb61a829c90)
#10 0x7fd18897a88c in g_signal_emit_valist (/lib64/libgobject-2.0.so.0+0x9b88c) (BuildId: a796d0de9cac0a96549f9ef3970f4fb61a829c90)
#11 0x7fd18897a9a3 in g_signal_emit (/lib64/libgobject-2.0.so.0+0x9b9a3) (BuildId: a796d0de9cac0a96549f9ef3970f4fb61a829c90)
#12 0x7fd187c836f4 in gdk_surface_paint_on_clock ../../../../../../../../../Projects/gnome/applications/gtk/gdk/gdksurface.c:1370
#13 0x7fd187c836f4 in gdk_surface_paint_on_clock ../../../../../../../../../Projects/gnome/applications/gtk/gdk/gdksurface.c:1346
#14 0x7fd188928a8c in _g_closure_invoke_va (/lib64/libgobject-2.0.so.0+0x49a8c) (BuildId: a796d0de9cac0a96549f9ef3970f4fb61a829c90)
#15 0x7fd188962e1e in signal_emit_valist_unlocked (/lib64/libgobject-2.0.so.0+0x83e1e) (BuildId: a796d0de9cac0a96549f9ef3970f4fb61a829c90)
#16 0x7fd18897a88c in g_signal_emit_valist (/lib64/libgobject-2.0.so.0+0x9b88c) (BuildId: a796d0de9cac0a96549f9ef3970f4fb61a829c90)
#17 0x7fd18897a9a3 in g_signal_emit (/lib64/libgobject-2.0.so.0+0x9b9a3) (BuildId: a796d0de9cac0a96549f9ef3970f4fb61a829c90)
#18 0x7fd187c4ca0b in gdk_frame_clock_paint_idle ../../../../../../../../../Projects/gnome/applications/gtk/gdk/gdkframeclockidle.c:634
#19 0x7fd186d11501 in g_timeout_dispatch (/lib64/libglib-2.0.so.0+0x111501) (BuildId: 26abd15408d2d4afe765d0adb19e93829d9eef02)
#20 0x7fd186d03c8f in g_main_dispatch (/lib64/libglib-2.0.so.0+0x103c8f) (BuildId: 26abd15408d2d4afe765d0adb19e93829d9eef02)
#21 0x7fd186d0f397 in g_main_context_iterate_unlocked.isra.0 (/lib64/libglib-2.0.so.0+0x10f397) (BuildId: 26abd15408d2d4afe765d0adb19e93829d9eef02)
#22 0x7fd186d102ae in g_main_context_iteration (/lib64/libglib-2.0.so.0+0x1102ae) (BuildId: 26abd15408d2d4afe765d0adb19e93829d9eef02)
#23 0x7fd18687765c in g_application_run (/lib64/libgio-2.0.so.0+0x27765c) (BuildId: ad1fe90c83f2fa77a0ac39d80db67f55d204cdb4)
#24 0x426b2f in main ../../../../../../../../../Projects/gnome/applications/gtk/demos/gtk-demo/main.c:1127
#25 0x7fd185a3d087 in __libc_start_call_main (/lib64/libc.so.6+0x2a087) (BuildId: 6e09ff6dd1afe67075ab5b072f393af9dab4e95f)
#26 0x7fd185a3d14a in __libc_start_main_alias_2 (/lib64/libc.so.6+0x2a14a) (BuildId: 6e09ff6dd1afe67075ab5b072f393af9dab4e95f)
#27 0x427004 in _start (/home/khalid/.var/app/org.gnome.Builder/cache/gnome-builder/projects/gtk/builds/default-podman-89a5ebb2b38e6c660ce5c0ee35546f545c0ca432bfbc6a6146e1b77ea528d791-x86_64-wip-kabus-misc-leaks2/demos/gtk-demo/gtk4-demo+0x427004) (BuildId: 15219ca069850cf770d7b60e4dda6a6d92ff062a)
0x50400021dfe8 is located 24 bytes inside of 48-byte region [0x50400021dfd0,0x50400021e000)
freed by thread T0 here:
#0 0x7fd188af5578 in free.part.0 (/lib64/libasan.so.8+0xf5578) (BuildId: 5f400d3daa460d4bc745d32f2f61db0509689f90)
#1 0x7fd186cd8817 in g_hash_table_iter_remove (/lib64/libglib-2.0.so.0+0xd8817) (BuildId: 26abd15408d2d4afe765d0adb19e93829d9eef02)
#2 0x7fd187db04a1 in gsk_gl_texture_library_real_compact ../../../../../../../../../Projects/gnome/applications/gtk/gsk/gl/gskgltexturelibrary.c:117
#3 0x7fd187db0c29 in gsk_gl_texture_library_begin_frame ../../../../../../../../../Projects/gnome/applications/gtk/gsk/gl/gskgltexturelibrary.c:298
#4 0x7fd187d5a642 in gsk_gl_driver_begin_frame ../../../../../../../../../Projects/gnome/applications/gtk/gsk/gl/gskgldriver.c:585
#5 0x7fd187d169f8 in gsk_gl_renderer_render ../../../../../../../../../Projects/gnome/applications/gtk/gsk/gl/gskglrenderer.c:384
#6 0x7fd187cb7fae in gsk_renderer_render ../../../../../../../../../Projects/gnome/applications/gtk/gsk/gskrenderer.c:508
#7 0x7fd1877f449b in gtk_widget_render ../../../../../../../../../Projects/gnome/applications/gtk/gtk/gtkwidget.c:11971
#8 0x7fd187806d74 in surface_render ../../../../../../../../../Projects/gnome/applications/gtk/gtk/gtkwindow.c:4752
#9 0x7fd187b5db4b in _gdk_marshal_BOOLEAN__BOXEDv gdk/gdkmarshalers.c:130
#10 0x7fd188928a8c in _g_closure_invoke_va (/lib64/libgobject-2.0.so.0+0x49a8c) (BuildId: a796d0de9cac0a96549f9ef3970f4fb61a829c90)
#11 0x7fd188962e1e in signal_emit_valist_unlocked (/lib64/libgobject-2.0.so.0+0x83e1e) (BuildId: a796d0de9cac0a96549f9ef3970f4fb61a829c90)
#12 0x7fd18897a88c in g_signal_emit_valist (/lib64/libgobject-2.0.so.0+0x9b88c) (BuildId: a796d0de9cac0a96549f9ef3970f4fb61a829c90)
#13 0x7fd18897a9a3 in g_signal_emit (/lib64/libgobject-2.0.so.0+0x9b9a3) (BuildId: a796d0de9cac0a96549f9ef3970f4fb61a829c90)
#14 0x7fd187c836f4 in gdk_surface_paint_on_clock ../../../../../../../../../Projects/gnome/applications/gtk/gdk/gdksurface.c:1370
#15 0x7fd187c836f4 in gdk_surface_paint_on_clock ../../../../../../../../../Projects/gnome/applications/gtk/gdk/gdksurface.c:1346
#16 0x7fd188928a8c in _g_closure_invoke_va (/lib64/libgobject-2.0.so.0+0x49a8c) (BuildId: a796d0de9cac0a96549f9ef3970f4fb61a829c90)
#17 0x7fd188962e1e in signal_emit_valist_unlocked (/lib64/libgobject-2.0.so.0+0x83e1e) (BuildId: a796d0de9cac0a96549f9ef3970f4fb61a829c90)
#18 0x7fd18897a88c in g_signal_emit_valist (/lib64/libgobject-2.0.so.0+0x9b88c) (BuildId: a796d0de9cac0a96549f9ef3970f4fb61a829c90)
#19 0x7fd18897a9a3 in g_signal_emit (/lib64/libgobject-2.0.so.0+0x9b9a3) (BuildId: a796d0de9cac0a96549f9ef3970f4fb61a829c90)
#20 0x7fd187c4ca0b in gdk_frame_clock_paint_idle ../../../../../../../../../Projects/gnome/applications/gtk/gdk/gdkframeclockidle.c:634
#21 0x7fd186d11501 in g_timeout_dispatch (/lib64/libglib-2.0.so.0+0x111501) (BuildId: 26abd15408d2d4afe765d0adb19e93829d9eef02)
#22 0x7fd186d03c8f in g_main_dispatch (/lib64/libglib-2.0.so.0+0x103c8f) (BuildId: 26abd15408d2d4afe765d0adb19e93829d9eef02)
#23 0x7fd186d0f397 in g_main_context_iterate_unlocked.isra.0 (/lib64/libglib-2.0.so.0+0x10f397) (BuildId: 26abd15408d2d4afe765d0adb19e93829d9eef02)
#24 0x7fd186d102ae in g_main_context_iteration (/lib64/libglib-2.0.so.0+0x1102ae) (BuildId: 26abd15408d2d4afe765d0adb19e93829d9eef02)
#25 0x7fd18687765c in g_application_run (/lib64/libgio-2.0.so.0+0x27765c) (BuildId: ad1fe90c83f2fa77a0ac39d80db67f55d204cdb4)
#26 0x426b2f in main ../../../../../../../../../Projects/gnome/applications/gtk/demos/gtk-demo/main.c:1127
#27 0x7fd185a3d087 in __libc_start_call_main (/lib64/libc.so.6+0x2a087) (BuildId: 6e09ff6dd1afe67075ab5b072f393af9dab4e95f)
#28 0x7fd185a3d14a in __libc_start_main_alias_2 (/lib64/libc.so.6+0x2a14a) (BuildId: 6e09ff6dd1afe67075ab5b072f393af9dab4e95f)
#29 0x427004 in _start (/home/khalid/.var/app/org.gnome.Builder/cache/gnome-builder/projects/gtk/builds/default-podman-89a5ebb2b38e6c660ce5c0ee35546f545c0ca432bfbc6a6146e1b77ea528d791-x86_64-wip-kabus-misc-leaks2/demos/gtk-demo/gtk4-demo+0x427004) (BuildId: 15219ca069850cf770d7b60e4dda6a6d92ff062a)
previously allocated by thread T0 here:
#0 0x7fd188af6290 in calloc (/lib64/libasan.so.8+0xf6290) (BuildId: 5f400d3daa460d4bc745d32f2f61db0509689f90)
#1 0x7fd186d2443d in g_malloc0 (/lib64/libglib-2.0.so.0+0x12443d) (BuildId: 26abd15408d2d4afe765d0adb19e93829d9eef02)
#2 0x7fd187db17d9 in gsk_gl_texture_library_pack ../../../../../../../../../Projects/gnome/applications/gtk/gsk/gl/gskgltexturelibrary.c:390
#3 0x7fd187d63606 in gsk_gl_glyph_library_add ../../../../../../../../../Projects/gnome/applications/gtk/gsk/gl/gskglglyphlibrary.c:417
#4 0x7fd187d80585 in gsk_gl_glyph_library_lookup_or_add ../../../../../../../../../Projects/gnome/applications/gtk/gsk/gl/gskglglyphlibraryprivate.h:94
#5 0x7fd187d80585 in gsk_gl_render_job_visit_text_node ../../../../../../../../../Projects/gnome/applications/gtk/gsk/gl/gskglrenderjob.c:3041
#6 0x7fd187d9a365 in gsk_gl_render_job_visit_node ../../../../../../../../../Projects/gnome/applications/gtk/gsk/gl/gskglrenderjob.c:4191
#7 0x7fd187da475d in gsk_gl_render_job_visit_transform_node ../../../../../../../../../Projects/gnome/applications/gtk/gsk/gl/gskglrenderjob.c:2079
#8 0x7fd187d9a409 in gsk_gl_render_job_visit_node ../../../../../../../../../Projects/gnome/applications/gtk/gsk/gl/gskglrenderjob.c:4206
#9 0x7fd187da3613 in gsk_gl_render_job_visit_node_with_offscreen ../../../../../../../../../Projects/gnome/applications/gtk/gsk/gl/gskglrenderjob.c:4425
#10 0x7fd187d98520 in gsk_gl_render_job_visit_mask_node ../../../../../../../../../Projects/gnome/applications/gtk/gsk/gl/gskglrenderjob.c:3413
#11 0x7fd187d98520 in gsk_gl_render_job_visit_node ../../../../../../../../../Projects/gnome/applications/gtk/gsk/gl/gskglrenderjob.c:4156
#12 0x7fd187da3613 in gsk_gl_render_job_visit_node_with_offscreen ../../../../../../../../../Projects/gnome/applications/gtk/gsk/gl/gskglrenderjob.c:4425
#13 0x7fd187d984be in gsk_gl_render_job_visit_mask_node ../../../../../../../../../Projects/gnome/applications/gtk/gsk/gl/gskglrenderjob.c:3404
#14 0x7fd187d984be in gsk_gl_render_job_visit_node ../../../../../../../../../Projects/gnome/applications/gtk/gsk/gl/gskglrenderjob.c:4156
#15 0x7fd187d9633d in gsk_gl_render_job_visit_node ../../../../../../../../../Projects/gnome/applications/gtk/gsk/gl/gskglrenderjob.c:4111
#16 0x7fd187d9633d in gsk_gl_render_job_visit_node ../../../../../../../../../Projects/gnome/applications/gtk/gsk/gl/gskglrenderjob.c:4111
#17 0x7fd187d9633d in gsk_gl_render_job_visit_node ../../../../../../../../../Projects/gnome/applications/gtk/gsk/gl/gskglrenderjob.c:4111
#18 0x7fd187dac3f8 in gsk_gl_render_job_render ../../../../../../../../../Projects/gnome/applications/gtk/gsk/gl/gskglrenderjob.c:4544
#19 0x7fd187d16a3d in gsk_gl_renderer_render ../../../../../../../../../Projects/gnome/applications/gtk/gsk/gl/gskglrenderer.c:386
#20 0x7fd187cb7fae in gsk_renderer_render ../../../../../../../../../Projects/gnome/applications/gtk/gsk/gskrenderer.c:508
#21 0x7fd1877f449b in gtk_widget_render ../../../../../../../../../Projects/gnome/applications/gtk/gtk/gtkwidget.c:11971
#22 0x7fd187806d74 in surface_render ../../../../../../../../../Projects/gnome/applications/gtk/gtk/gtkwindow.c:4752
#23 0x7fd187b5db4b in _gdk_marshal_BOOLEAN__BOXEDv gdk/gdkmarshalers.c:130
#24 0x7fd188928a8c in _g_closure_invoke_va (/lib64/libgobject-2.0.so.0+0x49a8c) (BuildId: a796d0de9cac0a96549f9ef3970f4fb61a829c90)
#25 0x7fd188962e1e in signal_emit_valist_unlocked (/lib64/libgobject-2.0.so.0+0x83e1e) (BuildId: a796d0de9cac0a96549f9ef3970f4fb61a829c90)
#26 0x7fd18897a88c in g_signal_emit_valist (/lib64/libgobject-2.0.so.0+0x9b88c) (BuildId: a796d0de9cac0a96549f9ef3970f4fb61a829c90)
#27 0x7fd18897a9a3 in g_signal_emit (/lib64/libgobject-2.0.so.0+0x9b9a3) (BuildId: a796d0de9cac0a96549f9ef3970f4fb61a829c90)
#28 0x7fd187c836f4 in gdk_surface_paint_on_clock ../../../../../../../../../Projects/gnome/applications/gtk/gdk/gdksurface.c:1370
#29 0x7fd187c836f4 in gdk_surface_paint_on_clock ../../../../../../../../../Projects/gnome/applications/gtk/gdk/gdksurface.c:1346
#30 0x7fd188928a8c in _g_closure_invoke_va (/lib64/libgobject-2.0.so.0+0x49a8c) (BuildId: a796d0de9cac0a96549f9ef3970f4fb61a829c90)
#31 0x7fd188962e1e in signal_emit_valist_unlocked (/lib64/libgobject-2.0.so.0+0x83e1e) (BuildId: a796d0de9cac0a96549f9ef3970f4fb61a829c90)
#32 0x7fd18897a88c in g_signal_emit_valist (/lib64/libgobject-2.0.so.0+0x9b88c) (BuildId: a796d0de9cac0a96549f9ef3970f4fb61a829c90)
#33 0x7fd18897a9a3 in g_signal_emit (/lib64/libgobject-2.0.so.0+0x9b9a3) (BuildId: a796d0de9cac0a96549f9ef3970f4fb61a829c90)
SUMMARY: AddressSanitizer: heap-use-after-free ../../../../../../../../../Projects/gnome/applications/gtk/gsk/gl/gskgltexturelibrary.c:122 in gsk_gl_texture_library_real_compact
Shadow bytes around the buggy address:
0x50400021dd00: fa fa fd fd fd fd fd fa fa fa 00 00 00 00 00 00
0x50400021dd80: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 00
0x50400021de00: fa fa fd fd fd fd fd fd fa fa fa fa fa fa fa fa
0x50400021de80: fa fa 00 00 00 00 00 fa fa fa fa fa fa fa fa fa
0x50400021df00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x50400021df80: fa fa 00 00 00 00 00 fa fa fa fd fd fd[fd]fd fd
0x50400021e000: fa fa fa fa fa fa fa fa fa fa 00 00 00 00 00 00
0x50400021e080: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 00
0x50400021e100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x50400021e180: fa fa fa fa fa fa fa fa fa fa fd fd fd fd fd fa
0x50400021e200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==21589==ABORTING
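The trace pins the free to g_hash_table_iter_remove called from gskgltexturelibrary.c:117 and the 4-byte write at :122 to the same 48-byte entry, i.e. the compaction loop drops an entry and then still resets a field on it. The following C model of that ordering bug and its fix is an added example constructed for this report, not GTK's code; the Entry and Cache types and the slot-array cache are assumptions standing in for the GHashTable.

```c
/* Constructed model of the compaction pass in the trace above, not GTK's
 * code: entries unused since the last frame are dropped, survivors get their
 * "accessed" flag reset. With -fsanitize=address, compact_buggy() is reported
 * like the trace: the removal frees the entry, then the reset writes to it. */
#include <stdlib.h>

typedef struct { int accessed; int texture_id; } Entry; /* accessed: 4 bytes */
typedef struct { Entry *slots[8]; int n; } Cache;

static void cache_add(Cache *c, int texture_id) {
    Entry *e = calloc(1, sizeof *e);   /* zeroed, like g_malloc0 */
    e->texture_id = texture_id; e->accessed = 1;
    c->slots[c->n++] = e;
}
/* Unlink slot i and free its entry, as g_hash_table_iter_remove does when
 * the table owns its values; any pointer the caller kept is now dangling. */
static void cache_remove_at(Cache *c, int i) {
    Entry *e = c->slots[i];
    c->slots[i] = c->slots[--c->n];
    free(e);
}

/* Buggy ordering: remove (free) the entry, then fall through to the reset. */
void compact_buggy(Cache *c) {
    for (int i = 0; i < c->n; i++) {
        Entry *e = c->slots[i];
        if (!e->accessed) cache_remove_at(c, i--);
        e->accessed = 0;   /* heap-use-after-free when e was just freed */
    }
}

/* Fixed: a removed entry is never touched again; move to the next slot. */
void compact_fixed(Cache *c) {
    for (int i = 0; i < c->n; i++) {
        Entry *e = c->slots[i];
        if (!e->accessed) { cache_remove_at(c, i--); continue; }
        e->accessed = 0;
    }
}
/* Two frames: frame 1 uses textures 1, 2, 3; frame 2 only texture 2.
 * Returns the sole survivor's texture_id, or -1 on any other outcome. */
int run_two_frames(void) {
    Cache c = {0};
    cache_add(&c, 1); cache_add(&c, 2); cache_add(&c, 3);
    compact_fixed(&c);                           /* all survive, flags cleared */
    for (int i = 0; i < c.n; i++)
        if (c.slots[i]->texture_id == 2) c.slots[i]->accessed = 1;
    compact_fixed(&c);                           /* textures 1 and 3 dropped */
    int result = (c.n == 1) ? c.slots[0]->texture_id : -1;
    while (c.n > 0) cache_remove_at(&c, 0);      /* release the survivor */
    return result;
}
```

Running compact_buggy() on a cache holding an entry with accessed == 0 under ASan reproduces the heap-use-after-free report; compact_fixed() leaves the cache consistent without touching freed memory.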
Edited by Khalid Abu Shawarib