Bug 358722 - ASAN: Use after free
Summary: ASAN: Use after free
Status: RESOLVED FIXED
Alias: None
Product: kwin
Classification: Plasma
Component: compositing (show other bugs)
Version: git master
Platform: Other Linux
: NOR crash
Target Milestone: ---
Assignee: KWin default assignee
URL: https://git.reviewboard.kde.org/r/126...
Keywords:
Depends on:
Blocks:
 
Reported: 2016-01-29 08:07 UTC by Kevin Funk
Modified: 2016-02-01 07:31 UTC (History)
1 user (show)

See Also:
Latest Commit: http://commits.kde.org/kwin/fbf14306d7677ca9c860e3fcbce31f535a0801ab
Version Fixed In:
Sentry Crash Report:
mgraesslin: ReviewRequest+

Attachments
Add an attachment

Note You need to log in before you can comment on or make changes to this bug.
Description Kevin Funk 2016-01-29 08:07:40 UTC 
Built kwin with ASAN enabled, to detect potential memory leaks.

Instead, detected a heap-use-after free when exiting kwin_x11.

==5038==ERROR: AddressSanitizer: heap-use-after-free on address 0x61200001a0b8 at pc 0x7f24ba11fe11 bp 0x7ffc4766d910 sp 0x7ffc4766d908
READ of size 8 at 0x61200001a0b8 thread T0
    #0 0x7f24ba11fe10 in KWin::Compositor::hasScene() const /home/kfunk/devel/src/kf5/kwin/composite.h:74:16
    #1 0x7f24ba72dee0 in KWin::Workspace::compositing() const /home/kfunk/devel/src/kf5/kwin/composite.cpp:956:28
    #2 0x7f24ba72e88b in KWin::Toplevel::compositing() const /home/kfunk/devel/src/kf5/kwin/composite.cpp:1033:12
    #3 0x7f24ba7326ab in KWin::Toplevel::addWorkspaceRepaint(QRect const&) /home/kfunk/devel/src/kf5/kwin/composite.cpp:1202:10
    #4 0x7f24ba1b1dc5 in KWin::Client::releaseWindow(bool) /home/kfunk/devel/src/kf5/kwin/client.cpp:226:9
    #5 0x7f24ba021a8e in KWin::Workspace::~Workspace() /home/kfunk/devel/src/kf5/kwin/workspace.cpp:444:9
    #6 0x7f24ba0228b3 in KWin::Workspace::~Workspace() /home/kfunk/devel/src/kf5/kwin/workspace.cpp:427:1
    #7 0x7f24ba3e9b4a in KWin::Application::destroyWorkspace() /home/kfunk/devel/src/kf5/kwin/main.cpp:416:5
    #8 0x7f24bb432e80 in KWin::ApplicationX11::lostSelection() /home/kfunk/devel/src/kf5/kwin/main_x11.cpp:139:5
    #9 0x7f24bb44689c in KWin::ApplicationX11::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) /home/kfunk/devel/build/kf5/kwin/moc_main_x11.cpp:137:17
    #10 0x7f24b453a8e9 in QMetaObject::activate(QObject*, int, int, void**) (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0x2b58e9)
    #11 0x7f24b538ac71 in KSelectionOwner::lostOwnership() /home/kfunk/devel/build/kf5/kwindowsystem/src/moc_kselectionowner.cpp:144:5
    #12 0x7f24b5364946 in KSelectionOwner::filterEvent(void*) /home/kfunk/devel/src/kf5/kwindowsystem/src/platforms/xcb/kselectionowner.cpp:378:14
    #13 0x7f24b5365569 in KSelectionOwner::Private::nativeEventFilter(QByteArray const&, void*, long*) /home/kfunk/devel/src/kf5/kwindowsystem/src/platforms/xcb/kselectionowner.cpp:117:16
    #14 0x7f24b450869e in QAbstractEventDispatcher::filterNativeEvent(QByteArray const&, void*, long*) (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0x28369e)
    #15 0x7f24a5754253 in QXcbConnection::handleXcbEvent(xcb_generic_event_t*) (/usr/lib/x86_64-linux-gnu/libQt5XcbQpa.so.5+0x3d253)
    #16 0x7f24a5755002 in QXcbConnection::processXcbEvents() (/usr/lib/x86_64-linux-gnu/libQt5XcbQpa.so.5+0x3e002)
    #17 0x7f24b453b7b0 in QObject::event(QEvent*) (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0x2b67b0)
    #18 0x7f24b4e009db in QApplicationPrivate::notify_helper(QObject*, QEvent*) (/usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5+0x15b9db)
    #19 0x7f24b4e05ea5 in QApplication::notify(QObject*, QEvent*) (/usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5+0x160ea5)
    #20 0x7f24ba3e30aa in KWin::Application::notify(QObject*, QEvent*) /home/kfunk/devel/src/kf5/kwin/main.cpp:246:26
    #21 0x7f24b450bd7a in QCoreApplication::notifyInternal(QObject*, QEvent*) (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0x286d7a)
    #22 0x7f24b450e175 in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0x289175)
    #23 0x7f24b455fa71 in QEventDispatcherUNIX::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0x2daa71)
    #24 0x7f24a57b7a1c  (/usr/lib/x86_64-linux-gnu/libQt5XcbQpa.so.5+0xa0a1c)
    #25 0x7f24b4509509 in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0x284509)
    #26 0x7f24b45115eb in QCoreApplication::exec() (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0x28c5eb)
    #27 0x7f24bb436158 in kdemain /home/kfunk/devel/src/kf5/kwin/main_x11.cpp:316:12
    #28 0x4ddbc5 in main /home/kfunk/devel/build/kf5/kwin/kwin_x11_dummy.cpp:3:43
    #29 0x7f24b2d16a3f in __libc_start_main /build/buildd/glibc-2.21/csu/libc-start.c:289
    #30 0x436488 in _start (/home/kfunk/devel/install/kf5/bin/kwin_x11+0x436488)

0x61200001a0b8 is located 248 bytes inside of 264-byte region [0x612000019fc0,0x61200001a0c8)
freed by thread T0 here:
    #0 0x4dcee2 in operator delete(void*) (/home/kfunk/devel/install/kf5/bin/kwin_x11+0x4dcee2)
    #1 0x7f24ba715a50 in KWin::Compositor::~Compositor() /home/kfunk/devel/src/kf5/kwin/composite.cpp:150:1
    #2 0x7f24ba3e9d3a in KWin::Application::destroyCompositor() /home/kfunk/devel/src/kf5/kwin/main.cpp:421:5
    #3 0x7f24bb432e73 in KWin::ApplicationX11::lostSelection() /home/kfunk/devel/src/kf5/kwin/main_x11.cpp:138:5
    #4 0x7f24bb44689c in KWin::ApplicationX11::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) /home/kfunk/devel/build/kf5/kwin/moc_main_x11.cpp:137:17
    #5 0x7f24b453a8e9 in QMetaObject::activate(QObject*, int, int, void**) (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0x2b58e9)
    #6 0x7f24b538ac71 in KSelectionOwner::lostOwnership() /home/kfunk/devel/build/kf5/kwindowsystem/src/moc_kselectionowner.cpp:144:5
    #7 0x7f24b5364946 in KSelectionOwner::filterEvent(void*) /home/kfunk/devel/src/kf5/kwindowsystem/src/platforms/xcb/kselectionowner.cpp:378:14
    #8 0x7f24b5365569 in KSelectionOwner::Private::nativeEventFilter(QByteArray const&, void*, long*) /home/kfunk/devel/src/kf5/kwindowsystem/src/platforms/xcb/kselectionowner.cpp:117:16
    #9 0x7f24b450869e in QAbstractEventDispatcher::filterNativeEvent(QByteArray const&, void*, long*) (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0x28369e)

previously allocated by thread T0 here:
    #0 0x4dc922 in operator new(unsigned long) (/home/kfunk/devel/install/kf5/bin/kwin_x11+0x4dc922)
    #1 0x7f24ba70ecb5 in KWin::Compositor::create(QObject*) /home/kfunk/devel/src/kf5/kwin/composite.cpp:80:227
    #2 0x7f24ba01667a in KWin::Workspace::Workspace(QString const&) /home/kfunk/devel/src/kf5/kwin/workspace.cpp:194:24
    #3 0x7f24ba3e8f22 in KWin::Application::createWorkspace() /home/kfunk/devel/src/kf5/kwin/main.cpp:373:12
    #4 0x7f24bb4390fe in KWin::ApplicationX11::performStartup()::$_3::operator()() const /home/kfunk/devel/src/kf5/kwin/main_x11.cpp:181:9
    #5 0x7f24bb438c9e in QtPrivate::FunctorCall<QtPrivate::IndexesList<>, QtPrivate::List<>, void, KWin::ApplicationX11::performStartup()::$_3>::call(KWin::ApplicationX11::performStartup()::$_3, void**) /usr/include/x86_64-linux-gnu/qt5/QtCore/qobjectdefs_impl.h:495:13
    #6 0x7f24bb438aaf in void QtPrivate::Functor<KWin::ApplicationX11::performStartup()::$_3, 0>::call<QtPrivate::List<>, void>(KWin::ApplicationX11::performStartup()::$_3&, void*, void**) /usr/include/x86_64-linux-gnu/qt5/QtCore/qobjectdefs_impl.h:552:13
    #7 0x7f24bb4385cc in QtPrivate::QFunctorSlotObject<KWin::ApplicationX11::performStartup()::$_3, 0, QtPrivate::List<>, void>::impl(int, QtPrivate::QSlotObjectBase*, QObject*, void**, bool*) /usr/include/x86_64-linux-gnu/qt5/QtCore/qobject_impl.h:192:17
    #8 0x7f24b453a776 in QMetaObject::activate(QObject*, int, int, void**) (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0x2b5776)
    #9 0x7f24b538aca4 in KSelectionOwner::claimedOwnership() /home/kfunk/devel/build/kf5/kwindowsystem/src/moc_kselectionowner.cpp:150:5
    #10 0x7f24b53642e1 in KSelectionOwner::Private::claimSucceeded() /home/kfunk/devel/src/kf5/kwindowsystem/src/platforms/xcb/kselectionowner.cpp:206:10
    #11 0x7f24b53649e0 in KSelectionOwner::filterEvent(void*) /home/kfunk/devel/src/kf5/kwindowsystem/src/platforms/xcb/kselectionowner.cpp:391:17
    #12 0x7f24b5365569 in KSelectionOwner::Private::nativeEventFilter(QByteArray const&, void*, long*) /home/kfunk/devel/src/kf5/kwindowsystem/src/platforms/xcb/kselectionowner.cpp:117:16
    #13 0x7f24b450869e in QAbstractEventDispatcher::filterNativeEvent(QByteArray const&, void*, long*) (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0x28369e)

SUMMARY: AddressSanitizer: heap-use-after-free /home/kfunk/devel/src/kf5/kwin/composite.h:74 KWin::Compositor::hasScene() const
Shadow bytes around the buggy address:
  0x0c247fffb3c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fffb3d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fffb3e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fffb3f0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c247fffb400: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c247fffb410: fd fd fd fd fd fd fd[fd]fd fa fa fa fa fa fa fa
  0x0c247fffb420: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fffb430: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fffb440: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fffb450: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fffb460: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==5038==ABORTING

Reproducible: Always
Comment 1 Martin Flöser 2016-01-29 08:34:34 UTC 
looks like Compositor is dead already.
Comment 2 Kevin Funk 2016-01-29 09:03:10 UTC 
0x61200001a0b8 is located 248 bytes inside of 264-byte region [0x612000019fc0,0x61200001a0c8)
freed by thread T0 here:
    #0 0x4dcee2 in operator delete(void*) (/home/kfunk/devel/install/kf5/bin/kwin_x11+0x4dcee2)
    #1 0x7f24ba715a50 in KWin::Compositor::~Compositor() /home/kfunk/devel/src/kf5/kwin/composite.cpp:150:1

Yes :)
Comment 3 Martin Flöser 2016-01-29 09:16:55 UTC 
I know I hit that one before but apparently only fixed on Wayland
Comment 4 Thomas Lübking 2016-01-29 11:05:44 UTC 
Workspace holds a pointer pointing Compositor::self() which is nuked by Application::destroyCompositor() (so m_compositor in workspace now dangles)

This was previously prevented by noop'ing destroyCompositor() as long as there was Workspace::self() and boke with

commit 1998d5ac1ad92011505f0e00761ccc618099fa19
Date:   Tue Nov 10 08:52:40 2015 +0100

    [wayland] Improve tear-down to not crash if X11 applications are still around
    
    We need to destroy the compositor after Xwayland terminated and after
    the internal Wayland connection is destroyed. This means when destroying
    the Workspace we may no longer destroy the Compositor at the same time.
    Also we need to ensure that other tear down functionality doesn't call
    into the no longer existing internal client connection.
    
    With this change kwin doesn't crash when exiting with Wayland and/or
    X11 windows still open.


.......
 void Application::destroyCompositor()
 {
-    if (Workspace::self()) {
-        // compositor is destroyed together with Workspace
-        return;
-    }
     delete Compositor::self();
 }
.......
Comment 5 Martin Flöser 2016-02-01 07:31:31 UTC 
Git commit fbf14306d7677ca9c860e3fcbce31f535a0801ab by Martin Gräßlin.
Committed on 01/02/2016 at 07:31.
Pushed by graesslin into branch 'master'.

Set Workspace::m_compositor to null when Compositor gets destroyed

Fixes regression from 1998d5ac1ad92011505f0e00761ccc618099fa19.
REVIEW: 126925

M  +1    -0    workspace.cpp

http://commits.kde.org/kwin/fbf14306d7677ca9c860e3fcbce31f535a0801ab