TuxOn - Use after free when deleting TuxOn from a patch [intermittent]

[RareBreeds]

Address sanitizer detects a use after free when deleting TuxOn from a patch.

To reproduce:

• Build with address sanitizer enabled
• Add TuxOn to a patch
• Hover over the module and hit backspace / delete to remove it
• Address sanitizer should trigger a crash
• If it doesn't crash repeat the add and remove a few times, often it happens on the first or second try, once it took up to 10 tries

Rack: 5551617afff182925940908eaf73a7d7361303cc
RPJ: 5b4b7d0
Build Command: make -j10 EXTRA_FLAGS=-fsanitize=address EXTRA_LDFLAGS=-fsanitize=address
OS: macOS Monterey
Device: M1 MacBook Pro - have reproduced with native apple silicon and x86 builds

=================================================================
==82179==ERROR: AddressSanitizer: heap-use-after-free on address 0x611000496a90 at pc 0x00000f68b1fe bp 0x00020cf16950 sp 0x00020cf16948
WRITE of size 4 at 0x611000496a90 thread T13
    #0 0xf68b1fd in TuxOn::process(rack::engine::Module::ProcessArgs const&) TuxOn.cpp:301
    #1 0x5702868 in rack::engine::Module::doProcess(rack::engine::Module::ProcessArgs const&) Module.cpp
    #2 0x56ec4b7 in rack::engine::Engine::stepBlock(int) Engine.cpp:551
    #3 0x56f96da in rack::engine::Engine_fallbackRun(rack::engine::Engine*) Engine.cpp:1324
    #4 0x56fc81a in void* std::__1::__thread_proxy<std::__1::tuple<std::__1::unique_ptr<std::__1::__thread_struct, std::__1::default_delete<std::__1::__thread_struct> >, void (*)(rack::engine::Engine*), rack::engine::Engine*> >(void*) thread:298
    #5 0x7ff80354d4e0 in _pthread_start+0x7c (libsystem_pthread.dylib:x86_64+0x64e0)
    #6 0x7ff803548f6a in thread_start+0xe (libsystem_pthread.dylib:x86_64+0x1f6a)

0x611000496a90 is located 144 bytes inside of 200-byte region [0x611000496a00,0x611000496ac8)
freed by thread T0 here:
    #0 0x45b268d in wrap__ZdlPv+0x7d (libclang_rt.asan_osx_dynamic.dylib:x86_64+0x5468d)
    #1 0x574158d in rack::widget::Widget::clearChildren() Widget.cpp:243
    #2 0x55d43cd in rack::app::ModuleWidget::~ModuleWidget() ModuleWidget.cpp:49
    #3 0xf50cf3d in BraveModuleWidget::~BraveModuleWidget() BlindCurve.cpp:52
    #4 0x55dcd73 in rack::app::ModuleWidget::removeAction() ModuleWidget.cpp:928
    #5 0x55d943e in rack::app::ModuleWidget::onHoverKey(rack::widget::Widget::HoverKeyEvent const&) ModuleWidget.cpp:353
    #6 0x55568a7 in void rack::widget::Widget::recursePositionEvent<void (rack::widget::Widget::*)(rack::widget::Widget::HoverKeyEvent const&), rack::widget::Widget::HoverKeyEvent>(void (rack::widget::Widget::*)(rack::widget::Widget::HoverKeyEvent const&), rack::widget::Widget::HoverKeyEvent const&) Widget.hpp:197
    #7 0x55568a7 in void rack::widget::Widget::recursePositionEvent<void (rack::widget::Widget::*)(rack::widget::Widget::HoverKeyEvent const&), rack::widget::Widget::HoverKeyEvent>(void (rack::widget::Widget::*)(rack::widget::Widget::HoverKeyEvent const&), rack::widget::Widget::HoverKeyEvent const&) Widget.hpp:197
    #8 0x561ec42 in rack::app::RackWidget::onHoverKey(rack::widget::Widget::HoverKeyEvent const&) RackWidget.cpp:176
    #9 0x55568a7 in void rack::widget::Widget::recursePositionEvent<void (rack::widget::Widget::*)(rack::widget::Widget::HoverKeyEvent const&), rack::widget::Widget::HoverKeyEvent>(void (rack::widget::Widget::*)(rack::widget::Widget::HoverKeyEvent const&), rack::widget::Widget::HoverKeyEvent const&) Widget.hpp:197
    #10 0x57477c2 in rack::widget::ZoomWidget::onHoverKey(rack::widget::Widget::HoverKeyEvent const&) ZoomWidget.hpp:35
    #11 0x55568a7 in void rack::widget::Widget::recursePositionEvent<void (rack::widget::Widget::*)(rack::widget::Widget::HoverKeyEvent const&), rack::widget::Widget::HoverKeyEvent>(void (rack::widget::Widget::*)(rack::widget::Widget::HoverKeyEvent const&), rack::widget::Widget::HoverKeyEvent const&) Widget.hpp:197
    #12 0x55568a7 in void rack::widget::Widget::recursePositionEvent<void (rack::widget::Widget::*)(rack::widget::Widget::HoverKeyEvent const&), rack::widget::Widget::HoverKeyEvent>(void (rack::widget::Widget::*)(rack::widget::Widget::HoverKeyEvent const&), rack::widget::Widget::HoverKeyEvent const&) Widget.hpp:197
    #13 0x572736c in rack::ui::ScrollWidget::onHoverKey(rack::widget::Widget::HoverKeyEvent const&) ScrollWidget.cpp:175
    #14 0x55568a7 in void rack::widget::Widget::recursePositionEvent<void (rack::widget::Widget::*)(rack::widget::Widget::HoverKeyEvent const&), rack::widget::Widget::HoverKeyEvent>(void (rack::widget::Widget::*)(rack::widget::Widget::HoverKeyEvent const&), rack::widget::Widget::HoverKeyEvent const&) Widget.hpp:197
    #15 0x5648522 in rack::app::Scene::onHoverKey(rack::widget::Widget::HoverKeyEvent const&) Scene.cpp:323
    #16 0x574e49c in rack::widget::EventState::handleKey(rack::math::Vec, int, int, int, int) event.cpp:334
    #17 0x575645f in rack::window::keyCallback(GLFWwindow*, int, int, int, int) Window.cpp:225
    #18 0x582c82d in -[GLFWContentView keyDown:] cocoa_window.m:580
    #19 0x7ff8060f4065 in -[NSWindow(NSEventRouting) _reallySendEvent:isDelayedEvent:]+0x1bed (AppKit:x86_64+0x1b2065)
    #20 0x7ff8060f225d in -[NSWindow(NSEventRouting) sendEvent:]+0x15f (AppKit:x86_64+0x1b025d)
    #21 0x7ff8060f1087 in -[NSApplication(NSEvent) sendEvent:]+0xbb3 (AppKit:x86_64+0x1af087)
    #22 0x582dc30 in _glfwPollEventsCocoa cocoa_window.m:1419
    #23 0x5758024 in rack::window::Window::step() Window.cpp:431
    #24 0x5757dc3 in rack::window::Window::run() Window.cpp:409
    #25 0x41219e1 in main standalone.cpp:240
    #26 0x1043e152d in start+0x1cd (dyld:x86_64+0x552d)
    #27 0x1043dbfff  (<unknown module>)

previously allocated by thread T0 here:
    #0 0x45b226d in wrap__Znwm+0x7d (libclang_rt.asan_osx_dynamic.dylib:x86_64+0x5426d)
    #1 0xf681ebe in TuxOn::TuxOn() TuxOn.hpp:115
    #2 0xf6ed424 in rack::plugin::Model* rack::createModel<TuxOn, TuxOnModuleWidget>(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >)::TModel::createModule() helpers.hpp:27
    #3 0x558b8ed in rack::app::browser::chooseModel(rack::plugin::Model*) Browser.cpp:90
    #4 0x558785b in rack::app::browser::ModelBox::onButton(rack::widget::Widget::ButtonEvent const&) Browser.cpp:259
    #5 0x5589d10 in rack::widget::Widget::onButton(rack::widget::Widget::ButtonEvent const&) Widget.hpp:234
    #6 0x5589d10 in rack::widget::Widget::onButton(rack::widget::Widget::ButtonEvent const&) Widget.hpp:234
    #7 0x5589d10 in rack::widget::Widget::onButton(rack::widget::Widget::ButtonEvent const&) Widget.hpp:234
    #8 0x57265b8 in rack::ui::ScrollWidget::onButton(rack::widget::Widget::ButtonEvent const&) ScrollWidget.cpp:130
    #9 0x5586668 in rack::app::browser::Browser::onButton(rack::widget::Widget::ButtonEvent const&) Browser.cpp:781
    #10 0x5720e94 in rack::ui::MenuOverlay::onButton(rack::widget::Widget::ButtonEvent const&) MenuOverlay.cpp:34
    #11 0x5555a48 in rack::widget::OpaqueWidget::onButton(rack::widget::Widget::ButtonEvent const&) OpaqueWidget.hpp:21
    #12 0x574bc9a in rack::widget::EventState::handleButton(rack::math::Vec, int, int, int) event.cpp:134
    #13 0x7ff80617ecd0 in -[NSWindow(NSEventRouting) _handleMouseDownEvent:isDelayedEvent:]+0x12fa (AppKit:x86_64+0x23ccd0)
    #14 0x7ff8060f2e8d in -[NSWindow(NSEventRouting) _reallySendEvent:isDelayedEvent:]+0xa15 (AppKit:x86_64+0x1b0e8d)
    #15 0x7ff8060f225d in -[NSWindow(NSEventRouting) sendEvent:]+0x15f (AppKit:x86_64+0x1b025d)
    #16 0x7ff8060f0633 in -[NSApplication(NSEvent) sendEvent:]+0x15f (AppKit:x86_64+0x1ae633)
    #17 0x582dc30 in _glfwPollEventsCocoa cocoa_window.m:1419
    #18 0x5758024 in rack::window::Window::step() Window.cpp:431
    #19 0x5757dc3 in rack::window::Window::run() Window.cpp:409
    #20 0x41219e1 in main standalone.cpp:240
    #21 0x1043e152d in start+0x1cd (dyld:x86_64+0x552d)
    #22 0x1043dbfff  (<unknown module>)

Thread T13 created by T0 here:
    #0 0x459f8cc in wrap_pthread_create+0x5c (libclang_rt.asan_osx_dynamic.dylib:x86_64+0x418cc)
    #1 0x56fc6d7 in std::__1::thread::thread<void (&)(rack::engine::Engine*), rack::engine::Engine*, void>(void (&)(rack::engine::Engine*), rack::engine::Engine*&&) thread:314
    #2 0x56f91ea in rack::engine::Engine::startFallbackThread() Engine.cpp:1348
    #3 0x4121930 in main standalone.cpp:227
    #4 0x1043e152d in start+0x1cd (dyld:x86_64+0x552d)
    #5 0x1043dbfff  (<unknown module>)

SUMMARY: AddressSanitizer: heap-use-after-free TuxOn.cpp:301 in TuxOn::process(rack::engine::Module::ProcessArgs const&)
Shadow bytes around the buggy address:
  0x1c2200092d00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c2200092d10: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x1c2200092d20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c2200092d30: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x1c2200092d40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x1c2200092d50: fd fd[fd]fd fd fd fd fd fd fa fa fa fa fa fa fa
  0x1c2200092d60: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x1c2200092d70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c2200092d80: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
  0x1c2200092d90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c2200092da0: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==82179==ABORTING
zsh: abort      ./Rack -d