REGRESSION: CloseDownClient use-after-free
Submitted by Jeremy Huddleston Sequoia
Assigned to Xorg Project Team
Description
Created attachment 126462 Full Report
With current master (527c6baa plus some patches I've sent to xorg-devel recently), ASan is tripping over a use-after-free on shutdown in CloseDownClient.
Application Specific Information: X.Org X Server 1.18.99.1 Build Date: 20160911
==96458==ERROR: AddressSanitizer: heap-use-after-free on address 0x612000065a68 at pc 0x00010266b648 bp 0x70000a972500 sp 0x70000a9724f8
WRITE of size 8 at 0x612000065a68 thread T6
    #0 0x10266b647 in __xorg_list_del list.h:183
    #1 0x10262b104 in xorg_list_del list.h:204
    #2 0x10262d190 in CloseDownClient dispatch.c:3416
    #3 0x10262e530 in KillAllClients dispatch.c:3498
    #4 0x10262c41a in Dispatch dispatch.c:503
    #5 0x10266ccd1 in dix_main main.c:301
    #6 0x1020560ca in server_thread quartzStartup.c:66
    #7 0x7fffc5f16aaa in _pthread_body (libsystem_pthread.dylib+0x3aaa)
    #8 0x7fffc5f169f6 in _pthread_start (libsystem_pthread.dylib+0x39f6)
    #9 0x7fffc5f161fc in thread_start (libsystem_pthread.dylib+0x31fc)

0x612000065a68 is located 40 bytes inside of 312-byte region [0x612000065a40,0x612000065b78)
freed by thread T6 here:
    #0 0x102f80e29 in wrap_free (libclang_rt.asan_osx_dynamic.dylib+0x4ae29)
    #1 0x102718475 in _dixFreeObjectWithPrivates privates.c:538
    #2 0x10262db1a in CloseDownClient dispatch.c:3482
    #3 0x10262e530 in KillAllClients dispatch.c:3498
    #4 0x10262c41a in Dispatch dispatch.c:503
    #5 0x10266ccd1 in dix_main main.c:301
    #6 0x1020560ca in server_thread quartzStartup.c:66
    #7 0x7fffc5f16aaa in _pthread_body (libsystem_pthread.dylib+0x3aaa)
    #8 0x7fffc5f169f6 in _pthread_start (libsystem_pthread.dylib+0x39f6)
    #9 0x7fffc5f161fc in thread_start (libsystem_pthread.dylib+0x31fc)

previously allocated by thread T6 here:
    #0 0x102f80c60 in wrap_malloc (libclang_rt.asan_osx_dynamic.dylib+0x4ac60)
    #1 0x10271811f in _dixAllocateObjectWithPrivates privates.c:486
    #2 0x102666b1c in NextAvailableClient dispatch.c:3536
    #3 0x102872f9a in AllocNewConnection connection.c:737
    #4 0x102873a0c in EstablishNewConnections connection.c:817
    #5 0x1026711c0 in ProcessWorkQueue dixutils.c:523
    #6 0x10285e3ad in WaitForSomething WaitFor.c:208
    #7 0x10262b376 in Dispatch dispatch.c:413
    #8 0x10266ccd1 in dix_main main.c:301
    #9 0x1020560ca in server_thread quartzStartup.c:66
    #10 0x7fffc5f16aaa in _pthread_body (libsystem_pthread.dylib+0x3aaa)
    #11 0x7fffc5f169f6 in _pthread_start (libsystem_pthread.dylib+0x39f6)
    #12 0x7fffc5f161fc in thread_start (libsystem_pthread.dylib+0x31fc)

Thread T6 created by T0 here:
    #0 0x102f773e9 in wrap_pthread_create (libclang_rt.asan_osx_dynamic.dylib+0x413e9)
    #1 0x102055e51 in create_thread quartzStartup.c:78
    #2 0x102055cac in QuartzInitServer quartzStartup.c:95
    #3 0x10202a7ba in X11ApplicationMain X11Application.m:1286
    #4 0x10203bae0 in X11ControllerMain X11Controller.m:984
    #5 0x1020564a5 in server_main quartzStartup.c:127
    #6 0x10200067b in do_start_x11_server bundle-main.c:436
    #7 0x102003da4 in _Xstart_x11_server mach_startupServer.c:189
    #8 0x102005106 in mach_startup_server mach_startupServer.c:399
    #9 0x7fffc5e26186 in mach_msg_server mach_msg.c:563
    #10 0x102000d98 in main bundle-main.c:774
    #11 0x7fffc5cff254 in start (libdyld.dylib+0x5254)

SUMMARY: AddressSanitizer: heap-use-after-free list.h:183 in __xorg_list_del
Shadow bytes around the buggy address:
  0x1c240000caf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c240000cb00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa
  0x1c240000cb10: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x1c240000cb20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c240000cb30: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
=>0x1c240000cb40: fa fa fa fa fa fa fa fa fd fd fd fd fd[fd]fd fd
  0x1c240000cb50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c240000cb60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
  0x1c240000cb70: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x1c240000cb80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c240000cb90: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==96458==ABORTING
This is a regression over xserver-1.18.x
Attachment 126462, "Full Report":
X11.bin_2016-09-11-135944_tonberry.crash
Version: git
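The trace above is a textbook intrusive-list use-after-free: the 8-byte WRITE lands at offset 40 of a 312-byte client record that _dixFreeObjectWithPrivates had already released from CloseDownClient (dispatch.c:3482), and the writer is xorg_list_del reached from a later CloseDownClient call (dispatch.c:3416) inside the KillAllClients loop. The example below is an added illustration of that pattern and is not code from the xserver, from the reporter, or a claim about this bug's actual root cause. The list helpers are a minimal reimplementation that carries the same names as list.h; DemoClient and the close_client_* functions are hypothetical and do not model dix's real ClientRec. It shows why a list unlink writes into both neighbours, so freeing a member before unlinking it turns the next neighbour's unlink into exactly the freed-memory write ASan reports, and the ordering that avoids it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Minimal intrusive doubly linked list with the same shape and names as the
 * xserver's list.h (reimplemented here for illustration, not the original). */
struct xorg_list { struct xorg_list *prev, *next; };

static void xorg_list_init(struct xorg_list *l) { l->prev = l->next = l; }

/* Insert right after head, so the most recently added entry is head->next. */
static void xorg_list_add(struct xorg_list *entry, struct xorg_list *head)
{
    struct xorg_list *next = head->next;
    next->prev = entry; entry->next = next; entry->prev = head; head->next = entry;
}

/* Unlinking writes into BOTH neighbours. If either neighbour has already been
 * freed, the first store below is an 8-byte heap-use-after-free WRITE, which
 * is the shape of the ASan report above. */
static void xorg_list_del(struct xorg_list *entry)
{
    entry->next->prev = entry->prev;
    entry->prev->next = entry->next;
    xorg_list_init(entry);
}

#define xorg_list_is_empty(h) ((h)->next == (h))
#define demo_container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

/* Hypothetical client record (illustrative field names, not dix's ClientRec). */
typedef struct {
    int index;
    struct xorg_list link;   /* membership in a server-wide client list */
    char privates[256];      /* stands in for the privates blob */
} DemoClient;

static DemoClient *new_client(struct xorg_list *head, int index)
{
    DemoClient *c = calloc(1, sizeof *c);
    if (!c) abort();
    c->index = index;
    xorg_list_add(&c->link, head);
    return c;
}

/* Buggy order: release the record while it is still linked. Nothing faults
 * here; the damage surfaces when a neighbour is unlinked later. */
static void close_client_buggy(DemoClient *c) { free(c); }

/* Fixed order: sever every list membership before the memory is released. */
static void close_client_fixed(DemoClient *c) { xorg_list_del(&c->link); free(c); }

/* Returns 1 if, after the buggy close of client 0, client 1's next pointer
 * still holds the freed address, so a later xorg_list_del(&c1->link) would
 * store into freed memory. Only the pointer value is compared; nothing in
 * the freed block is dereferenced. */
int buggy_leaves_dangling_link(void)
{
    struct xorg_list head; xorg_list_init(&head);
    DemoClient *c0 = new_client(&head, 0);
    DemoClient *c1 = new_client(&head, 1);      /* head -> c1 -> c0 -> head */
    uintptr_t freed_addr = (uintptr_t)&c0->link;
    close_client_buggy(c0);
    int dangling = (uintptr_t)c1->link.next == freed_addr;
    free(c1);   /* deliberately NOT xorg_list_del: that would be the UAF write */
    return dangling;
}

/* Returns 1 if unlinking before freeing leaves the neighbours and head sane. */
int fixed_unlinks_before_free(void)
{
    struct xorg_list head; xorg_list_init(&head);
    DemoClient *c0 = new_client(&head, 0);
    DemoClient *c1 = new_client(&head, 1);
    close_client_fixed(c0);
    int ok = (c1->link.next == &head) && (head.prev == &c1->link);
    close_client_fixed(c1);
    return ok && xorg_list_is_empty(&head);
}

/* Shutdown loop in the spirit of KillAllClients: save 'next' before closing
 * the current entry so the freed record is never read again. Returns the
 * number of clients closed, or -1 if the list is not empty afterwards. */
int kill_all_clients_fixed(int nclients)
{
    struct xorg_list head; xorg_list_init(&head);
    for (int i = 0; i < nclients; i++) new_client(&head, i);
    int closed = 0;
    for (struct xorg_list *pos = head.next, *nxt; pos != &head; pos = nxt) {
        nxt = pos->next;
        close_client_fixed(demo_container_of(pos, DemoClient, link));
        closed++;
    }
    return xorg_list_is_empty(&head) ? closed : -1;
}

int main(void)
{
    printf("buggy order leaves dangling link: %d\n", buggy_leaves_dangling_link());
    printf("fixed order unlinks cleanly:      %d\n", fixed_unlinks_before_free());
    printf("kill-all closed %d clients\n", kill_all_clients_fixed(5));
    return 0;
}
```

Building this with -fsanitize=address and replacing the final free(c1) in buggy_leaves_dangling_link with xorg_list_del(&c1->link) reproduces a "WRITE of size 8" inside xorg_list_del at the freed block, which is the quickest way to confirm a list.h trace like the one above really is a free-before-unlink rather than a corrupted list head.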