
Ladybird: heap-use-after-free on app exit after opening InspectorWindow

Open ADKaster opened this issue 2 years ago • 0 comments

Steps:

  1. Build Qt chrome with ASAN/UBSAN
  2. Export sanitizer options:
     export ASAN_OPTIONS='strict_string_checks=1:check_initialization_order=1:strict_init_order=1:detect_stack_use_after_return=0'
     export UBSAN_OPTIONS='print_stacktrace=1:print_summary=1:halt_on_error=1'
  3. Open new-tab.html: ./Meta/serenity.sh run lagom ladybird
  4. Open inspector
  5. Close inspector and close window (OR just close window)

Result: QObject destruction order SNAFU

Note that on my Ubuntu 22.04 machine, using XWayland results in ASAN errors on startup. Using QT_QPA_PLATFORM=wayland allows the program to run with ASAN enabled.

ASAN backtrace
=================================================================
==2400866==ERROR: AddressSanitizer: heap-use-after-free on address 0x52000001771e at pc 0x7ff7879516d4 bp 0x7fff6b179240 sp 0x7fff6b179238
READ of size 2 at 0x52000001771e thread T0
    #0 0x7ff7879516d3 in load /home/andrew/serenity/Meta/Lagom/../../AK/Atomic.h:322:16
    #1 0x7ff7879516d3 in operator unsigned short /home/andrew/serenity/Meta/Lagom/../../AK/Atomic.h:317:16
    #2 0x7ff7879516d3 in AK::Function<void (AK::DeprecatedString const&)>::clear(bool) /home/andrew/serenity/Meta/Lagom/../../AK/Function.h:223:44
    #3 0x7ff7879381b1 in operator= /home/andrew/serenity/Meta/Lagom/../../AK/Function.h:141:9
    #4 0x7ff7879381b1 in WebView::InspectorClient::~InspectorClient() /home/andrew/serenity/Userland/Libraries/LibWebView/InspectorClient.cpp:169:45
    #5 0x556ed4fe80ea in operator() /home/andrew/serenity/Meta/Lagom/../../AK/DefaultDelete.h:17:9
    #6 0x556ed4fe80ea in clear /home/andrew/serenity/Meta/Lagom/../../AK/OwnPtr.h:110:9
    #7 0x556ed4fe80ea in ~OwnPtr /home/andrew/serenity/Meta/Lagom/../../AK/OwnPtr.h:45:9
    #8 0x556ed4fe80ea in Ladybird::InspectorWidget::~InspectorWidget() /home/andrew/serenity/Ladybird/Qt/InspectorWidget.cpp:128:35
    #9 0x556ed4fe813d in Ladybird::InspectorWidget::~InspectorWidget() /home/andrew/serenity/Ladybird/Qt/InspectorWidget.cpp:128:35
    #10 0x7ff785fa799a in QObjectPrivate::deleteChildren() (/lib/x86_64-linux-gnu/libQt6Core.so.6+0x1a799a) (BuildId: 10c2c7ccc13f5d4a41be5530fed7514a09239f8d)
    #11 0x7ff786dd4ab7 in QWidget::~QWidget() (/lib/x86_64-linux-gnu/libQt6Widgets.so.6+0x1d4ab7) (BuildId: 0306bb82622a98068b88cae599deb7f8e1178bb3)
    #12 0x556ed501d27d in Ladybird::Tab::~Tab() /home/andrew/serenity/Ladybird/Qt/Tab.cpp:580:1
    #13 0x7ff785fa799a in QObjectPrivate::deleteChildren() (/lib/x86_64-linux-gnu/libQt6Core.so.6+0x1a799a) (BuildId: 10c2c7ccc13f5d4a41be5530fed7514a09239f8d)
    #14 0x7ff786dd4ab7 in QWidget::~QWidget() (/lib/x86_64-linux-gnu/libQt6Widgets.so.6+0x1d4ab7) (BuildId: 0306bb82622a98068b88cae599deb7f8e1178bb3)
    #15 0x7ff786f8763c in QStackedWidget::~QStackedWidget() (/lib/x86_64-linux-gnu/libQt6Widgets.so.6+0x38763c) (BuildId: 0306bb82622a98068b88cae599deb7f8e1178bb3)
    #16 0x7ff785fa799a in QObjectPrivate::deleteChildren() (/lib/x86_64-linux-gnu/libQt6Core.so.6+0x1a799a) (BuildId: 10c2c7ccc13f5d4a41be5530fed7514a09239f8d)
    #17 0x7ff786dd4ab7 in QWidget::~QWidget() (/lib/x86_64-linux-gnu/libQt6Widgets.so.6+0x1d4ab7) (BuildId: 0306bb82622a98068b88cae599deb7f8e1178bb3)
    #18 0x7ff786fae9ec in QTabWidget::~QTabWidget() (/lib/x86_64-linux-gnu/libQt6Widgets.so.6+0x3ae9ec) (BuildId: 0306bb82622a98068b88cae599deb7f8e1178bb3)
    #19 0x7ff785fa799a in QObjectPrivate::deleteChildren() (/lib/x86_64-linux-gnu/libQt6Core.so.6+0x1a799a) (BuildId: 10c2c7ccc13f5d4a41be5530fed7514a09239f8d)
    #20 0x7ff786dd4ab7 in QWidget::~QWidget() (/lib/x86_64-linux-gnu/libQt6Widgets.so.6+0x1d4ab7) (BuildId: 0306bb82622a98068b88cae599deb7f8e1178bb3)
    #21 0x556ed5083e76 in serenity_main(Main::Arguments) /home/andrew/serenity/Ladybird/Qt/main.cpp:169:1
    #22 0x556ed508a947 in main /home/andrew/serenity/Userland/Libraries/LibMain/Main.cpp:39:19
    #23 0x7ff77c629d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #24 0x7ff77c629e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #25 0x556ed4e8f764 in _start (/home/andrew/serenity/Build/lagom/bin/Ladybird+0x16f764) (BuildId: 100670fc1f328cd0)

0x52000001771e is located 1694 bytes inside of 3480-byte region [0x520000017080,0x520000017e18)
freed by thread T0 here:
    #0 0x556ed4f68e5d in operator delete(void*) (/home/andrew/serenity/Build/lagom/bin/Ladybird+0x248e5d) (BuildId: 100670fc1f328cd0)
    #1 0x7ff785fa799a in QObjectPrivate::deleteChildren() (/lib/x86_64-linux-gnu/libQt6Core.so.6+0x1a799a) (BuildId: 10c2c7ccc13f5d4a41be5530fed7514a09239f8d)

previously allocated by thread T0 here:
    #0 0x556ed4f685fd in operator new(unsigned long) (/home/andrew/serenity/Build/lagom/bin/Ladybird+0x2485fd) (BuildId: 100670fc1f328cd0)
    #1 0x556ed5005a32 in Ladybird::Tab::Tab(Ladybird::BrowserWindow*, Ladybird::WebContentOptions const&, AK::StringView) /home/andrew/serenity/Ladybird/Qt/Tab.cpp:62:14
    #2 0x556ed4fb6954 in Ladybird::BrowserWindow::create_new_tab(Web::HTML::ActivateTab) /home/andrew/serenity/Ladybird/Qt/BrowserWindow.cpp:464:21
    #3 0x556ed4fb61ae in Ladybird::BrowserWindow::new_tab(QString const&, Web::HTML::ActivateTab) /home/andrew/serenity/Ladybird/Qt/BrowserWindow.cpp:450:17
    #4 0x556ed4fada29 in Ladybird::BrowserWindow::BrowserWindow(AK::Vector<AK::URL, 0ul> const&, WebView::CookieJar&, Ladybird::WebContentOptions const&, AK::StringView) /home/andrew/serenity/Ladybird/Qt/BrowserWindow.cpp:427:9
    #5 0x556ed5083835 in serenity_main(Main::Arguments) /home/andrew/serenity/Ladybird/Qt/main.cpp:150:29
    #6 0x556ed508a947 in main /home/andrew/serenity/Userland/Libraries/LibMain/Main.cpp:39:19
    #7 0x7ff77c629d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

SUMMARY: AddressSanitizer: heap-use-after-free /home/andrew/serenity/Meta/Lagom/../../AK/Atomic.h:322:16 in load
Shadow bytes around the buggy address:
  0x520000017480: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x520000017500: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x520000017580: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x520000017600: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x520000017680: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x520000017700: fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd
  0x520000017780: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x520000017800: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x520000017880: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x520000017900: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x520000017980: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==2400866==ABORTING

=================================================================
==2400880==ERROR: LeakSanitizer: detected memory leaks

cc @trflynn89

ADKaster, Dec 13 '23 18:12
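The destruction-order hazard the trace shows, modelled without Qt as an added example (this is not Ladybird's code and not the fix the project adopted): a parent deletes its children in creation order, the view child is freed first, and the client owned by a later child tries to clear a callback on that freed view from its destructor. The class names are stand-ins borrowed from the trace, and the std::weak_ptr check is one assumed mitigation that lets the destructor detect the already-destroyed view instead of writing to freed memory.

```cpp
#include <cstdio>
#include <functional>
#include <memory>
#include <string>

// Stand-in for the tab's web view (constructed model, not Ladybird's WebContentView):
// it exposes one callback slot that the inspector installs and later clears.
struct WebView {
    std::function<void(std::string const&)> on_inspector_message;
    bool has_callback() const { return static_cast<bool>(on_inspector_message); }
};

// What the client's destructor ended up doing.
enum class ClearResult { NotRun, Cleared, SkippedViewGone };

// Stand-in for InspectorClient (constructed model). Its destructor wants to clear the
// callback it installed on the view; in the report that write lands on a view that
// QObjectPrivate::deleteChildren() already deleted. A std::weak_ptr instead of a raw
// pointer lets the destructor notice the view is gone and skip the write.
class InspectorClient {
public:
    InspectorClient(std::shared_ptr<WebView> const& view, ClearResult& result)
        : m_view(view), m_result(result)
    {
        view->on_inspector_message = [](std::string const& msg) {
            std::printf("inspector got: %s\n", msg.c_str());
        };
    }

    ~InspectorClient()
    {
        if (auto view = m_view.lock()) {
            view->on_inspector_message = nullptr; // view alive: safe to clear
            m_result = ClearResult::Cleared;
        } else {
            m_result = ClearResult::SkippedViewGone; // view already destroyed: do not touch it
        }
    }

private:
    std::weak_ptr<WebView> m_view;
    ClearResult& m_result;
};

// Mirrors the order in the ASAN trace: the view child of the Tab is freed before the
// inspector widget that owns the client, so ~InspectorClient runs after the view is gone.
ClearResult teardown_view_before_client()
{
    ClearResult result = ClearResult::NotRun;
    auto view = std::make_shared<WebView>();
    auto client = std::make_unique<InspectorClient>(view, result);
    view.reset();   // last strong reference dropped; WebView destroyed here
    client.reset(); // ~InspectorClient sees an expired weak_ptr and skips the write
    return result;
}

// The order that is safe in either design: the client goes first and clears the slot
// while the view is alive. Returns true if the view's callback slot is empty afterwards.
bool teardown_client_before_view(ClearResult& result)
{
    result = ClearResult::NotRun;
    auto view = std::make_shared<WebView>();
    {
        InspectorClient client(view, result);
        view->on_inspector_message("hello"); // callback is installed while the client lives
    }
    return !view->has_callback();
}

int main()
{
    ClearResult first = teardown_view_before_client();
    std::printf("view first: %s\n",
        first == ClearResult::SkippedViewGone ? "skipped (view gone)" : "cleared");
    ClearResult second = ClearResult::NotRun;
    bool empty = teardown_client_before_view(second);
    std::printf("client first: callback slot empty = %d\n", empty ? 1 : 0);
    return 0;
}
```

With a raw pointer in place of the weak_ptr, `teardown_view_before_client()` is exactly the read-after-free ASAN reports above; building this model with `-fsanitize=address` and swapping the member type reproduces the class of error without any Qt dependency.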