ASAN heap use after free on exit if Export dialog > Batch Export > Pages open in multipage document
Steps to reproduce:
- open Inkscape 1.3-dev (95ad7070, 2022-05-08) ASAN build
- Switch to pages tool and add a page
- open Export dialog (Ctrl+Shift+E)
- Switch to Batch > Pages
- Close with the close button in the top-right. Edit: or it's enough to just close the dialog!
What happened?
- heap use after free (attached: inkscape_heap_use_after_free.txt)
Inkscape 1.3-dev (95ad707027, 2022-05-08) ASAN build Linux Mint 20
==101834==ERROR: AddressSanitizer: heap-use-after-free on address 0x6160003f8c08 at pc 0x7fbaff4453d4 bp 0x7fff5d99e2a0 sp 0x7fff5d99e290
READ of size 8 at 0x6160003f8c08 thread T0
#0 0x7fbaff4453d3 in Inkscape::UI::Dialog::ExportPreview::setDocument(SPDocument*) ../src/ui/widget/export-preview.cpp:77
#1 0x7fbafeb88abb in Inkscape::UI::Dialog::BatchItem::setDocument(SPDocument*) ../src/ui/dialog/export-batch.cpp:70
#2 0x7fbafeb88abb in Inkscape::UI::Dialog::BatchExport::setDocument(SPDocument*) ../src/ui/dialog/export-batch.cpp:752
#3 0x7fbafeb6425d in Inkscape::UI::Dialog::Export::~Export() ../src/ui/dialog/export.cpp:106
#4 0x7fbafeb64428 in Inkscape::UI::Dialog::Export::~Export() ../src/ui/dialog/export.cpp:108
#5 0x7fbafb8b5546 in g_datalist_clear ../../../glib/gdataset.c:273
#6 0x7fbafb9c5d0d in g_object_unref ../../../gobject/gobject.c:3499
#7 0x7fbafb9c5d0d in g_object_unref ../../../gobject/gobject.c:3391
#8 0x7fbafa225f8e in gtk_container_remove ../../../../gtk/gtkcontainer.c:1910
#9 0x7fbafeb2132e in Inkscape::UI::Dialog::DialogNotebook::~DialogNotebook() ../src/ui/dialog/dialog-notebook.cpp:215
#10 0x7fbafeb21860 in Inkscape::UI::Dialog::DialogNotebook::~DialogNotebook() ../src/ui/dialog/dialog-notebook.cpp:223
#11 0x7fbafeadaa36 in Inkscape::UI::Dialog::DialogMultipaned::~DialogMultipaned() ../src/ui/dialog/dialog-multipaned.cpp:428
#12 0x7fbafeadb2aa in Inkscape::UI::Dialog::DialogMultipaned::~DialogMultipaned() ../src/ui/dialog/dialog-multipaned.cpp:445
#13 0x7fbafeadaa36 in Inkscape::UI::Dialog::DialogMultipaned::~DialogMultipaned() ../src/ui/dialog/dialog-multipaned.cpp:428
#14 0x7fbafeadb2aa in Inkscape::UI::Dialog::DialogMultipaned::~DialogMultipaned() ../src/ui/dialog/dialog-multipaned.cpp:445
#15 0x7fbafea9bd28 in Inkscape::UI::Dialog::DialogContainer::~DialogContainer() ../src/ui/dialog/dialog-container.cpp:74
#16 0x7fbafea9bf2e in Inkscape::UI::Dialog::DialogContainer::~DialogContainer() ../src/ui/dialog/dialog-container.cpp:75
#17 0x7fbaff7b8c1c in SPDesktopWidget::on_unrealize() ../src/widgets/desktop-widget.cpp:539
#18 0x7fbafafc765a in Gtk::Widget_Class::unrealize_callback(_GtkWidget*) gtk/gtkmm/widget.cc:3767
#19 0x7fbafb9c0964 in _g_closure_invoke_va ../../../gobject/gclosure.c:873
#20 0x7fbafb9dfb47 in g_signal_emit_valist ../../../gobject/gsignal.c:3408
#21 0x7fbafb9e00f2 in g_signal_emit ../../../gobject/gsignal.c:3555
#22 0x7fbafa443c52 in gtk_widget_unrealize ../../../../gtk/gtkwidget.c:5578
#23 0x7fbafa1db54f in gtk_box_forall ../../../../gtk/gtkbox.c:2675
#24 0x7fbafa4482e5 in gtk_widget_real_unrealize ../../../../gtk/gtkwidget.c:12490
#25 0x7fbafb9c0964 in _g_closure_invoke_va ../../../gobject/gclosure.c:873
#26 0x7fbafb9dfb47 in g_signal_emit_valist ../../../gobject/gsignal.c:3408
#27 0x7fbafb9e00f2 in g_signal_emit ../../../gobject/gsignal.c:3555
#28 0x7fbafa443c52 in gtk_widget_unrealize ../../../../gtk/gtkwidget.c:5578
#29 0x7fbafa452a78 in gtk_window_forall ../../../../gtk/gtkwindow.c:8745
#30 0x7fbafaf24f5e in Gtk::Container_Class::forall_vfunc_callback(_GtkContainer*, int, void (*)(_GtkWidget*, void*), void*) gtk/gtkmm/container.cc:485
#31 0x7fbafa4482e5 in gtk_widget_real_unrealize ../../../../gtk/gtkwidget.c:12490
#32 0x7fbafa45561d in gtk_window_unrealize ../../../../gtk/gtkwindow.c:7852
#33 0x7fbafafc765a in Gtk::Widget_Class::unrealize_callback(_GtkWidget*) gtk/gtkmm/widget.cc:3767
#34 0x7fbafb9c0a55 in _g_closure_invoke_va ../../../gobject/gclosure.c:873
#35 0x7fbafb9dfb47 in g_signal_emit_valist ../../../gobject/gsignal.c:3408
#36 0x7fbafb9e00f2 in g_signal_emit ../../../gobject/gsignal.c:3555
#37 0x7fbafa443c52 in gtk_widget_unrealize ../../../../gtk/gtkwidget.c:5578
#38 0x7fbafa4465d7 in gtk_widget_dispose ../../../../gtk/gtkwidget.c:12157
#39 0x7fbafa45a27b in gtk_window_dispose ../../../../gtk/gtkwindow.c:3167
#40 0x7fbafa1cd91e in gtk_application_window_dispose ../../../../gtk/gtkapplicationwindow.c:804
#41 0x7fbafb9c74d0 in g_object_run_dispose ../../../gobject/gobject.c:1226
#42 0x7fbafafd355f in Gtk::Window::_release_c_instance() gtk/gtkmm/window.cc:113
#43 0x7fbafaf01e75 in Gtk::ApplicationWindow::~ApplicationWindow() gtk/gtkmm/applicationwindow.cc:173
#44 0x7fbaffe057ad in InkscapeWindow::~InkscapeWindow() ../src/inkscape-window.cpp:172
#45 0x7fbaffe05846 in InkscapeWindow::~InkscapeWindow() ../src/inkscape-window.cpp:175
#46 0x7fbaffe2f380 in InkscapeApplication::window_close(InkscapeWindow*) ../src/inkscape-application.cpp:486
#47 0x7fbaffe30012 in InkscapeApplication::destroy_window(InkscapeWindow*, bool) ../src/inkscape-application.cpp:894
#48 0x7fbaffe058fb in InkscapeWindow::on_delete_event(_GdkEventAny*) ../src/inkscape-window.cpp:300
#49 0x7fbafafc7f38 in Gtk::Widget_Class::delete_event_callback(_GtkWidget*, _GdkEventAny*) gtk/gtkmm/widget.cc:4405
#50 0x7fbafa49236e in _gtk_marshal_BOOLEAN__BOXEDv debian/build/deb/gtk/gtkmarshalers.c:129
#51 0x7fbafb9c0a55 in _g_closure_invoke_va ../../../gobject/gclosure.c:873
#52 0x7fbafb9dedf0 in g_signal_emit_valist ../../../gobject/gsignal.c:3408
#53 0x7fbafb9e00f2 in g_signal_emit ../../../gobject/gsignal.c:3555
#54 0x7fbafa43c9b2 in gtk_widget_event_internal ../../../../gtk/gtkwidget.c:7808
#55 0x7fbafa43c9b2 in gtk_widget_event_internal ../../../../gtk/gtkwidget.c:7677
#56 0x7fbafa2fa13c in gtk_main_do_event ../../../../gtk/gtkmain.c:1822
#57 0x7fbafa2fa13c in gtk_main_do_event ../../../../gtk/gtkmain.c:1690
#58 0x7fbaf9fb8f68 in _gdk_event_emit ../../../../gdk/gdkevents.c:73
#59 0x7fbaf9fec0f5 in gdk_event_source_dispatch ../../../../../gdk/x11/gdkeventsource.c:367
#60 0x7fbafb8d517c in g_main_dispatch ../../../glib/gmain.c:3309
#61 0x7fbafb8d517c in g_main_context_dispatch ../../../glib/gmain.c:3974
#62 0x7fbafb8d53ff in g_main_context_iterate ../../../glib/gmain.c:4047
#63 0x7fbafb8d54a2 in g_main_context_iteration ../../../glib/gmain.c:4108
#64 0x7fbafbaeefe4 in g_application_run ../../../gio/gapplication.c:2559
#65 0x55b06c59233b in main ../src/inkscape-main.cpp:259
#66 0x7fbaf90770b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x240b2)
#67 0x55b06c58f79d in _start (/home/nal/all/inkscape/asan/output/bin/inkscape+0x479d)
0x6160003f8c08 is located 392 bytes inside of 544-byte region [0x6160003f8a80,0x6160003f8ca0)
freed by thread T0 here:
#0 0x7fbb0150bc65 in operator delete(void*, unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cc:177
#1 0x7fbafebad4ca in Inkscape::UI::Dialog::BatchItem::~BatchItem() ../src/ui/dialog/export-batch.cpp:62
#2 0x7fbafb8b5546 in g_datalist_clear ../../../glib/gdataset.c:273
previously allocated by thread T0 here:
#0 0x7fbb0150a587 in operator new(unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cc:104
#1 0x7fbafeb96bd0 in Inkscape::UI::Dialog::BatchExport::refreshItems() ../src/ui/dialog/export-batch.cpp:379
#2 0x7fbafeb9bf73 in Inkscape::UI::Dialog::BatchExport::onAreaTypeToggle(Inkscape::UI::Dialog::BatchExport::selection_mode) ../src/ui/dialog/export-batch.cpp:443
#3 0x7fbafeb9c345 in sigc::bound_mem_functor1<void, Inkscape::UI::Dialog::BatchExport, Inkscape::UI::Dialog::BatchExport::selection_mode>::operator()(Inkscape::UI::Dialog::BatchExport::selection_mode const&) const /usr/include/sigc++-2.0/sigc++/functors/mem_fun.h:2066
#4 0x7fbafeb9c345 in sigc::adaptor_functor<sigc::bound_mem_functor1<void, Inkscape::UI::Dialog::BatchExport, Inkscape::UI::Dialog::BatchExport::selection_mode> >::deduce_result_type<Inkscape::UI::Dialog::BatchExport::selection_mode&, void, void, void, void, void, void>::type sigc::adaptor_functor<sigc::bound_mem_functor1<void, Inkscape::UI::Dialog::BatchExport, Inkscape::UI::Dialog::BatchExport::selection_mode> >::operator()<Inkscape::UI::Dialog::BatchExport::selection_mode&>(Inkscape::UI::Dialog::BatchExport::selection_mode&) const /usr/include/sigc++-2.0/sigc++/adaptors/adaptor_trait.h:89
#5 0x7fbafeb9c345 in sigc::bind_functor<-1, sigc::bound_mem_functor1<void, Inkscape::UI::Dialog::BatchExport, Inkscape::UI::Dialog::BatchExport::selection_mode>, Inkscape::UI::Dialog::BatchExport::selection_mode, sigc::nil, sigc::nil, sigc::nil, sigc::nil, sigc::nil, sigc::nil>::operator()() /usr/include/sigc++-2.0/sigc++/adaptors/bind.h:1124
#6 0x7fbafeb9c345 in sigc::internal::slot_call0<sigc::bind_functor<-1, sigc::bound_mem_functor1<void, Inkscape::UI::Dialog::BatchExport, Inkscape::UI::Dialog::BatchExport::selection_mode>, Inkscape::UI::Dialog::BatchExport::selection_mode, sigc::nil, sigc::nil, sigc::nil, sigc::nil, sigc::nil, sigc::nil>, void>::call_it(sigc::internal::slot_rep*) /usr/include/sigc++-2.0/sigc++/functors/slot.h:136
#7 0x7fbafa8f7a7b in sigc::slot0<void>::operator()() const /usr/include/sigc++-2.0/sigc++/functors/slot.h:535
#8 0x7fbafa8f7a7b in Glib::SignalProxyNormal::slot0_void_callback(_GObject*, void*) glib/glibmm/signalproxy.cc:103
SUMMARY: AddressSanitizer: heap-use-after-free ../src/ui/widget/export-preview.cpp:77 in Inkscape::UI::Dialog::ExportPreview::setDocument(SPDocument*)
Shadow bytes around the buggy address:
==101834==ABORTING
What should have happened?
- no crash
Version info
- Inkscape 1.3-dev (95ad7070, 2022-05-08) ASAN build Linux Mint 20
Not replicated with normal builds, so just opening directly here (who's going to replicate?)
Edited by Nathan Lee