Hw-accelerated decoding with VA-API #5
Assignees
Milestone
Comments
yol
pushed a commit
that referenced
this issue
May 28, 2017
Report from Android O tesing on O:
From: <android-developer-preview-no-reply@google.com>
Date: Apr 19, 2017 21:20
Subject: Native crash when trying to open Kodi addon
To: <developers@kodi.tv>
Cc: <androidsupport@kodi.tv>
Hello,
In preparation for the upcoming release of Android O, we've been
rigorously testing popular applications on Google Play, including ”Kodi"
[org.xbmc.kodi].
During testing, we uncovered a bug specific to your application running
on the Android O Developer Preview. Here are the details:
Step(s) to Reproduce:
Install “Kodi” application from Play store
Launch the application
Tap Add-Ons from the menu
Expected Result(s):
App should not crash when tapping Add-Ons
Observed Result(s):
App crashes when tapping Add-Ons
Possible Root Cause(s):
It looks like Kodi is fetching an icon from PackageManager and
calling this method: icon.getBitmap(). This used to work in N and below
because all Icons were png, in which they could be cast to
BitmapDrawable. However, starting in the next OS, there is no guarantee
icon drawable objects can automatically convert to BitmapDrawable.
There is also no guarantee that all of BitmapDrawable's methods (such as
getBitmap) will be readily available.
Log:
java_vm_ext.cc:504] JNI DETECTED ERROR IN APPLICATION: mid == null
Revision: '0'
ABI: 'arm64'
pid: 9423, tid: 9469, name: Thread-5 >>> org.xbmc.kodi <<<
signal 6 (SIGABRT), code -6 (SI_TKILL), fault addr --------
Abort message: 'java_vm_ext.cc:504] JNI DETECTED ERROR IN APPLICATION:
mid == null'
x0 0000000000000000 x1 00000000000024fd x2 0000000000000006
x3 0000000000000008
x4 0000000000000114 x5 00000000000000ff x6 0000000000000000
x7 0080808080808080
x8 0000000000000083 x9 6cd9bf0d77661d2f x10 0000000000000001
x11 0000000000000001
x12 ffffffffffffffff x13 0000000000000008 x14 ffffffffffffffff
x15 0030fcf94d051582
x16 00000073abd6d300 x17 00000073abd0f3fc x18 0000000000000020
x19 00000000000024cf
x20 00000000000024fd x21 0000007388714700 x22 0000000000000002
x23 00000000000000c1
x24 00000000000009b7 x25 000000738c527600 x26 00000000000009b6
x27 00000073883fea20
x28 0000000000000059 x29 00000073883fe8c0 x30 00000073abcc390c
sp 00000073883fe880 pc 00000073abd0f404 pstate
0000000000000000
backtrace:
#00 pc 0000000000069404 /system/lib64/libc.so (tgkill+8)
#1 pc 000000000001d908 /system/lib64/libc.so (abort+80)
#2 pc 00000000004325bc /system/lib64/libart.so
(_ZN3art7Runtime5AbortEPKc+528)
#3 pc 0000000000432ccc /system/lib64/libart.so
(_ZN3art7Runtime7AborterEPKc+24)
#4 pc 000000000051c578 /system/lib64/libart.so
(_ZN7android4base10LogMessageD1Ev+1016)
#5 pc 00000000002d0920 /system/lib64/libart.so
(_ZN3art9JavaVMExt8JniAbortEPKcS2_+1716)
#6 pc 00000000002d0bec /system/lib64/libart.so
(_ZN3art9JavaVMExt9JniAbortFEPKcS2_z+176)
#7 pc 000000000031482c /system/lib64/libart.so
(_ZN3art3JNI17CallObjectMethodVEP7_JNIEnvP8_jobjectP10_jmethodIDSt9__va_list+1440)
#8 pc 00000000013b8920 /data/app/org.xbmc.kodi-TYKIN-
5zBb80hcqOZMy_tw==/lib/arm64/libkodi.so
(_ZN3jni7details20call_jhobject_methodEP7_JNIEnvP8_jobjectP10_jmethodIDz+148)
#9 pc 000000000139f7a4 /data/app/org.xbmc.kodi-TYKIN-
5zBb80hcqOZMy_tw==/lib/arm64/libkodi.so
(_ZN18CJNIBitmapDrawable9getBitmapEv+148)
#10 pc 000000000130b8ac /data/app/org.xbmc.kodi-TYKIN-
5zBb80hcqOZMy_tw==/lib/arm64/libkodi.so
(_ZN5XFILE15CFileAndroidApp8ReadIconEPPhPjS3_+1008)
#11 pc 0000000000cb33fc /data/app/org.xbmc.kodi-TYKIN-
5zBb80hcqOZMy_tw==/lib/arm64/libkodi.so
(_ZN12CBaseTexture12LoadFromFileERKSsjjbS1_+232)
#12 pc 0000000000e8d6b0 /data/app/org.xbmc.kodi-TYKIN-
5zBb80hcqOZMy_tw==/lib/arm64/libkodi.so (_ZN12CImageLoader6DoWorkEv+524)
#13 pc 0000000000ad8ab8 /data/app/org.xbmc.kodi-TYKIN-
5zBb80hcqOZMy_tw==/lib/arm64/libkodi.so (_ZN10CJobWorker7ProcessEv+68)
#14 pc 0000000000b69184 /data/app/org.xbmc.kodi-TYKIN-
5zBb80hcqOZMy_tw==/lib/arm64/libkodi.so (_ZN7CThread6ActionEv+44)
#15 pc 0000000000b69418 /data/app/org.xbmc.kodi-TYKIN-
5zBb80hcqOZMy_tw==/lib/arm64/libkodi.so
(_ZN7CThread12staticThreadEPv+148)
#16 pc 0000000000065db4 /system/lib64/libc.so
(_ZL15__pthread_startPv+36)
#17 pc 000000000001ec9c /system/lib64/libc.so (__start_thread+68)
We wanted to let you know so you could take a look and address the
issue.
Please do not reply to this message. If you discover an issue with the
platform running Android O Dev Preview, please file a bug in our issue
tracker.
Thanks!
Android Support Team
|
Closed #19 |
yol
pushed a commit
that referenced
this issue
Jun 10, 2018
This was missing in commit 61dfb26 Found by GCC/ASAN: ASAN:DEADLYSIGNAL ================================================================= ==3618==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x556a3a027be2 bp 0x7f517d4d2140 sp 0x7f517d4d2120 T41) ==3618==The signal is caused by a READ memory access. ==3618==Hint: address points to the zero page. #0 0x556a3a027be1 in VideoPicture::operator=(VideoPicture const&) (/usr/local/stow/kodi-asan/lib/kodi/kodi-x11+0x22dfbe1) #1 0x556a3a026e24 in VideoPicture::SetParams(VideoPicture const&) (/usr/local/stow/kodi-asan/lib/kodi/kodi-x11+0x22dee24) #2 0x556a3a061ebe in VAAPI::CVaapiDecodedPicture::operator=(VAAPI::CVaapiDecodedPicture const&) (/usr/local/stow/kodi-asan/lib/kodi/kodi-x11+0x2319ebe) #3 0x556a3a061e75 in VAAPI::CVaapiDecodedPicture::CVaapiDecodedPicture(VAAPI::CVaapiDecodedPicture const&) (/usr/local/stow/kodi-asan/lib/kodi/kodi-x11+0x2319e75) #4 0x556a3a0514d3 in VAAPI::COutput::Flush() (/usr/local/stow/kodi-asan/lib/kodi/kodi-x11+0x23094d3) #5 0x556a3a04eff4 in VAAPI::COutput::StateMachine(int, Actor::Protocol*, Actor::Message*) (/usr/local/stow/kodi-asan/lib/kodi/kodi-x11+0x2306ff4) #6 0x556a3a050752 in VAAPI::COutput::Process() (/usr/local/stow/kodi-asan/lib/kodi/kodi-x11+0x2308752) #7 0x556a3a82ca0c in CThread::Action() (/usr/local/stow/kodi-asan/lib/kodi/kodi-x11+0x2ae4a0c) #8 0x556a3a82c0f8 in CThread::staticThread(void*) (/usr/local/stow/kodi-asan/lib/kodi/kodi-x11+0x2ae40f8) #9 0x7f51a8e7f5a9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x75a9) #10 0x7f51a0288cbe in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xf6cbe)
yol
pushed a commit
that referenced
this issue
Jun 10, 2018
Fixes several nullptr dereference bugs which could occur after the VNSI connection was closed by VDR, e.g.: ``` Program terminated with signal SIGSEGV, Segmentation fault. #0 __GI___pthread_mutex_lock (mutex=0xf0) at ../nptl/pthread_mutex_lock.c:65 65 ../nptl/pthread_mutex_lock.c: No such file or directory. [Current thread is 1 (Thread 0x7fabcc406980 (LWP 686))] (gdb) bt #0 __GI___pthread_mutex_lock (mutex=0xf0) at ../nptl/pthread_mutex_lock.c:65 #1 0x000055afd0fd788c in (anonymous namespace)::CRecursiveMutex::lock (this=0xf0) at xbmc/threads/platform/RecursiveMutex.h:45 #2 0x000055afd0fd8978 in (anonymous namespace)::CountingLockable<XbmcThreads::CRecursiveMutex>::lock (this=0xf0) at xbmc/threads/Lockables.h:63 #3 0x000055afd0fd87c6 in (anonymous namespace)::UniqueLock<CCriticalSection>::UniqueLock (this=0x7ffd221f0450, lockable=...) at xbmc/threads/Lockables.h:132 #4 0x000055afd0ff3fed in CSingleLock::CSingleLock (this=0x7ffd221f0450, cs=...) at xbmc/threads/SingleLock.h:39 #5 0x000055afd1bc6147 in PVR::CPVRChannelGroup::GroupName (this=0x0) at xbmc/pvr/channels/PVRChannelGroup.cpp:1142 #6 0x000055afd1b31555 in PVR::CGUIWindowPVRBase::UpdateButtons (this=0x55afd6d030b0) at xbmc/pvr/windows/GUIWindowPVRBase.cpp:480 #7 0x000055afd1b39898 in PVR::CGUIWindowPVRRecordingsBase::UpdateButtons (this=0x55afd6d030b0) at xbmc/pvr/windows/GUIWindowPVRRecordings.cpp:187 #8 0x000055afd1459dc7 in CGUIMediaWindow::Update (this=0x55afd6d030b0, strDirectory=..., updateFilterPath=true) at xbmc/windows/GUIMediaWindow.cpp:905 ```
yol
pushed a commit
that referenced
this issue
Jun 10, 2018
Class `CBusyWaiter` derives from `CThread`, and its only instance lives in the stack frame of `CGUIDialogBusy::Wait()`. Commit cc8364a triggered an ancient Kodi crash bug based on a misunderstanding how destructors work in C++, introduced in commit 64427d4 (coincidentally by the same author). Anyway, that commit cc8364a changed how cancellation gets triggered, making it more likely. And if that cancellation happens, nobody takes care for stopping the CThread properly; `~CThread()` calls `StopThread()`, but by then, the `CBusyWaiter` instance has already been morphed back to its base class `CThread`. This however triggers the crash in the still-running thread. This class morphing while calling destructors is what makes the whole `~CThread()` implementation wrong from the bottom: calling `StopThread()` from the base class destructor can never ever work properly, because it will crash the thread in any case. And if no thread were running anymore, the call would be useless. All uses of `CThread` without additional calls to `StopThread()` are a crash bug, but this commit fixes only the instance in class `CBusyWaiter`, by adding another `StopThread()` call to its destructor. This is how the crash looks like: ``` Thread 1 (Thread 0x7ff1d37fe700 (LWP 1394)): #0 __GI___pthread_mutex_lock (mutex=0x66657270747265d3) at ../nptl/pthread_mutex_lock.c:65 #1 0x0000562afcf3352c in (anonymous namespace)::CRecursiveMutex::lock (this=0x66657270747265d3) at xbmc/threads/platform/RecursiveMutex.h:45 #2 0x0000562afcf34618 in (anonymous namespace)::CountingLockable<XbmcThreads::CRecursiveMutex>::lock (this=0x66657270747265d3) at xbmc/threads/Lockables.h:63 #3 0x0000562afcf34466 in (anonymous namespace)::UniqueLock<CCriticalSection>::UniqueLock (this=0x7ff1d37fdb80, lockable=...) at xbmc/threads/Lockables.h:132 #4 0x0000562afcf3356f in CSingleLock::CSingleLock (this=0x7ff1d37fdb80, cs=...) at xbmc/threads/SingleLock.h:38 #5 0x0000562afd4ee7c7 in (anonymous namespace)::CEventGroup::Set (this=0x6665727074726563, child=0x7ffeca201060) at xbmc/threads/Event.h:127 #6 0x0000562afd4ee2db in CEvent::Set (this=0x7ffeca201060) at xbmc/threads/Event.cpp:70 #7 0x0000562afd4f16ff in CThread::staticThread (data=0x7ffeca200f80) at xbmc/threads/Thread.cpp:133 #8 0x00007ff20bd955aa in start_thread (arg=0x7ff1d37fe700) at pthread_create.c:463 #9 0x00007ff20321acbf in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95 ``` And this is the thread which created the `CBusyWaiter` (at the time of the crash it had already moved on): ``` Thread 19 (Thread 0x7ff20c191980 (LWP 1353)): #0 0x00007ff209da1c83 in ?? () from /usr/lib/x86_64-linux-gnu/libsqlite3.so.0 #1 0x00007ff209d9c3c6 in ?? () from /usr/lib/x86_64-linux-gnu/libsqlite3.so.0 #2 0x00007ff209dcc0ab in ?? () from /usr/lib/x86_64-linux-gnu/libsqlite3.so.0 #3 0x00007ff209dd0c9e in ?? () from /usr/lib/x86_64-linux-gnu/libsqlite3.so.0 #4 0x00007ff209dd11fe in ?? () from /usr/lib/x86_64-linux-gnu/libsqlite3.so.0 #5 0x00007ff209dd1526 in sqlite3_prepare_v2 () from /usr/lib/x86_64-linux-gnu/libsqlite3.so.0 #6 0x0000562afd755a56 in (anonymous namespace)::SqliteDataset::query (this=0x562b03898080, query=...) at xbmc/dbwrappers/sqlitedataset.cpp:649 #7 0x0000562afd33a824 in CVideoDatabase::GetScraperForPath (this=0x562b02530f00, strPath=..., settings=..., foundDirectly=@0x7ffeca201b6f: false) at xbmc/video/VideoDatabase.cpp:7297 #8 0x0000562afd33b831 in CVideoDatabase::GetContentForPath (this=0x562b02530f00, strPath=...) at xbmc/video/VideoDatabase.cpp:7426 #9 0x0000562afd27dc6c in CGUIWindowVideoNav::LoadVideoInfo (items=..., database=..., allowReplaceLabels=true) at xbmc/video/windows/GUIWindowVideoNav.cpp:578 #10 0x0000562afd27db95 in CGUIWindowVideoNav::LoadVideoInfo (this=0x562b02530760, items=...) at xbmc/video/windows/GUIWindowVideoNav.cpp:564 #11 0x0000562afd27ce81 in CGUIWindowVideoNav::GetDirectory (this=0x562b02530760, strDirectory=..., items=...) at xbmc/video/windows/GUIWindowVideoNav.cpp:545 #12 0x0000562afd3b4e35 in CGUIMediaWindow::Update (this=0x562b02530760, strDirectory=..., updateFilterPath=true) at xbmc/windows/GUIMediaWindow.cpp:806 #13 0x0000562afd274a96 in CGUIWindowVideoBase::Update (this=0x562b02530760, strDirectory=..., updateFilterPath=true) at xbmc/video/windows/GUIWindowVideoBase.cpp:1247 #14 0x0000562afd27ae04 in CGUIWindowVideoNav::Update (this=0x562b02530760, strDirectory=..., updateFilterPath=true) at xbmc/video/windows/GUIWindowVideoNav.cpp:340 #15 0x0000562afd3b6e91 in CGUIMediaWindow::OnClick (this=0x562b02530760, iItem=2, player=...) at xbmc/windows/GUIMediaWindow.cpp:1072 #16 0x0000562afd270a66 in CGUIWindowVideoBase::OnClick (this=0x562b02530760, iItem=2, player=...) at xbmc/video/windows/GUIWindowVideoBase.cpp:609 #17 0x0000562afd283ec0 in CGUIWindowVideoNav::OnClick (this=0x562b02530760, iItem=2, player=...) at xbmc/video/windows/GUIWindowVideoNav.cpp:1205 #18 0x0000562afd3b7867 in CGUIMediaWindow::OnSelect (this=0x562b02530760, item=2) at xbmc/windows/GUIMediaWindow.cpp:1141 #19 0x0000562afd270c1b in CGUIWindowVideoBase::OnSelect (this=0x562b02530760, iItem=2) at xbmc/video/windows/GUIWindowVideoBase.cpp:627 #20 0x0000562afd3b1978 in CGUIMediaWindow::OnMessage (this=0x562b02530760, message=...) at xbmc/windows/GUIMediaWindow.cpp:319 #21 0x0000562afd26e169 in CGUIWindowVideoBase::OnMessage (this=0x562b02530760, message=...) at xbmc/video/windows/GUIWindowVideoBase.cpp:200 #22 0x0000562afd27a666 in CGUIWindowVideoNav::OnMessage (this=0x562b02530760, message=...) at xbmc/video/windows/GUIWindowVideoNav.cpp:254 #23 0x0000562afd61dbba in CGUIControl::SendWindowMessage (this=0x562b03547780, message=...) at xbmc/guilib/GUIControl.cpp:316 #24 0x0000562afd60ebaa in CGUIBaseContainer::OnClick (this=0x562b03547780, actionID=7) at xbmc/guilib/GUIBaseContainer.cpp:793 #25 0x0000562afd60cce7 in CGUIBaseContainer::OnAction (this=0x562b03547780, action=...) at xbmc/guilib/GUIBaseContainer.cpp:407 #26 0x0000562afd64570b in CGUIFixedListContainer::OnAction (this=0x562b03547780, action=...) at xbmc/guilib/GUIFixedListContainer.cpp:81 #27 0x0000562afd6a69fc in CGUIWindow::OnAction (this=0x562b02530760, action=...) at xbmc/guilib/GUIWindow.cpp:435 #28 0x0000562afd3b0d43 in CGUIMediaWindow::OnAction (this=0x562b02530760, action=...) at xbmc/windows/GUIMediaWindow.cpp:202 #29 0x0000562afd26dcb7 in CGUIWindowVideoBase::OnAction (this=0x562b02530760, action=...) at xbmc/video/windows/GUIWindowVideoBase.cpp:111 #30 0x0000562afd2797a0 in CGUIWindowVideoNav::OnAction (this=0x562b02530760, action=...) at xbmc/video/windows/GUIWindowVideoNav.cpp:105 #31 0x0000562afd6b3c14 in CGUIWindowManager::HandleAction (this=0x562b01d17c60, action=...) at xbmc/guilib/GUIWindowManager.cpp:1100 #32 0x0000562afd6b39ce in CGUIWindowManager::OnAction (this=0x562b01d17c60, action=...) at xbmc/guilib/GUIWindowManager.cpp:1050 #33 0x0000562afd8e1888 in CApplication::OnAction (this=0x562b01a4d5d0, action=...) at xbmc/Application.cpp:1924 #34 0x0000562afd5b729a in CInputManager::ExecuteInputAction (this=0x562b01bb8680, action=...) at xbmc/input/InputManager.cpp:704 #35 0x0000562afd5b6c86 in CInputManager::HandleKey (this=0x562b01bb8680, key=...) at xbmc/input/InputManager.cpp:644 #36 0x0000562afd5b5ed8 in CInputManager::OnKey (this=0x562b01bb8680, key=...) at xbmc/input/InputManager.cpp:483 #37 0x0000562afd5b5be6 in CInputManager::OnEvent (this=0x562b01bb8680, newEvent=...) at xbmc/input/InputManager.cpp:442 #38 0x0000562afd8d8aaf in CApplication::HandlePortEvents (this=0x562b01a4d5d0) at xbmc/Application.cpp:341 #39 0x0000562afd8e4fe6 in CApplication::FrameMove (this=0x562b01a4d5d0, processEvents=true, processGUI=true) at xbmc/Application.cpp:2647 #40 0x0000562afd9add56 in CXBApplicationEx::Run (this=0x562b01a4d5d0, params=...) at xbmc/XBApplicationEx.cpp:107 #41 0x0000562afd528974 in XBMC_Run (renderGUI=true, params=...) at xbmc/platform/xbmc.cpp:88 #42 0x0000562afcef1e72 in main (argc=4, argv=0x7ffeca2096e8) at xbmc/platform/posix/main.cpp:108 ```
yol
pushed a commit
that referenced
this issue
Jun 10, 2018
Probably many more attributes need to be protected, but this commit
aims to fix just this crash bug:
```
==2579==ERROR: AddressSanitizer: heap-use-after-free on address 0x611003c48200 at pc 0x555558929511 bp 0x7fffc7fc2710 sp 0x7fffc7fc2708
READ of size 8 at 0x611003c48200 thread T168 (PVRManager)
#0 0x555558929510 in std::_Sp_counted_ptr<PVR::CPVRTimerType*, (__gnu_cxx::_Lock_policy)2>::_M_dispose() (/usr/local/stow/kodi-asan/lib/kodi/kodi-x11+0x33d5510)
#1 0x555557165886 in std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_release() (/usr/local/stow/kodi-asan/lib/kodi/kodi-x11+0x1c11886)
#2 0x555557162ff9 in std::__shared_count<(__gnu_cxx::_Lock_policy)2>::~__shared_count() (/usr/local/stow/kodi-asan/lib/kodi/kodi-x11+0x1c0eff9)
#3 0x555558913621 in std::__shared_ptr<PVR::CPVRTimerType, (__gnu_cxx::_Lock_policy)2>::~__shared_ptr() (/usr/local/stow/kodi-asan/lib/kodi/kodi-x11+0x33bf621)
#4 0x555558913663 in std::shared_ptr<PVR::CPVRTimerType>::~shared_ptr() (/usr/local/stow/kodi-asan/lib/kodi/kodi-x11+0x33bf663)
#5 0x555558926430 in void std::_Destroy<std::shared_ptr<PVR::CPVRTimerType> >(std::shared_ptr<PVR::CPVRTimerType>*) (/usr/local/stow/kodi-asan/lib/kodi/kodi-x11+0x33d2430)
#6 0x555558924b2e in void std::_Destroy_aux<false>::__destroy<std::shared_ptr<PVR::CPVRTimerType>*>(std::shared_ptr<PVR::CPVRTimerType>*, std::shared_ptr<PVR::CPVRTimerType>*) (/usr/local/stow/kodi-asan/lib/kodi/kodi-x11+0x33d0b2e)
#7 0x5555589201a7 in void std::_Destroy<std::shared_ptr<PVR::CPVRTimerType>*>(std::shared_ptr<PVR::CPVRTimerType>*, std::shared_ptr<PVR::CPVRTimerType>*) (/usr/local/stow/kodi-asan/lib/kodi/kodi-x11+0x33cc1a7)
#8 0x55555891a094 in void std::_Destroy<std::shared_ptr<PVR::CPVRTimerType>*, std::shared_ptr<PVR::CPVRTimerType> >(std::shared_ptr<PVR::CPVRTimerType>*, std::shared_ptr<PVR::CPVRTimerType>*, std::allocator<std::shared_ptr<PVR::CPVRTimerType> >&) (/usr/local/stow/kodi-asan/lib/kodi/kodi-x11+0x33c6094)
#9 0x555558916a51 in std::vector<std::shared_ptr<PVR::CPVRTimerType>, std::allocator<std::shared_ptr<PVR::CPVRTimerType> > >::~vector() (/usr/local/stow/kodi-asan/lib/kodi/kodi-x11+0x33c2a51)
#10 0x555558e3fe5b in PVR::CPVRTimerType::CreateFromAttributes(unsigned int, unsigned int, int) (/usr/local/stow/kodi-asan/lib/kodi/kodi-x11+0x38ebe5b)
#11 0x555558e0ac61 in PVR::CPVRTimerInfoTag::CPVRTimerInfoTag(bool) (/usr/local/stow/kodi-asan/lib/kodi/kodi-x11+0x38b6c61)
#12 0x555558e26831 in PVR::CPVRTimers::UpdateEntries(PVR::CPVRTimersContainer const&, std::vector<int, std::allocator<int> > const&) (/usr/local/stow/kodi-asan/lib/kodi/kodi-x11+0x38d2831)
#13 0x555558e24fa6 in PVR::CPVRTimers::Update() (/usr/local/stow/kodi-asan/lib/kodi/kodi-x11+0x38d0fa6)
#14 0x555558e24b11 in PVR::CPVRTimers::Load() (/usr/local/stow/kodi-asan/lib/kodi/kodi-x11+0x38d0b11)
#15 0x555558fd3397 in PVR::CPVRManager::LoadComponents(PVR::CPVRGUIProgressHandler*) (/usr/local/stow/kodi-asan/lib/kodi/kodi-x11+0x3a7f397)
#16 0x555558fd2362 in PVR::CPVRManager::Process() (/usr/local/stow/kodi-asan/lib/kodi/kodi-x11+0x3a7e362)
#17 0x555558038fe0 in CThread::Action() (/usr/local/stow/kodi-asan/lib/kodi/kodi-x11+0x2ae4fe0)
#18 0x5555580386cc in CThread::staticThread(void*) (/usr/local/stow/kodi-asan/lib/kodi/kodi-x11+0x2ae46cc)
#19 0x7ffff6c0e5a9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x75a9)
#20 0x7fffee013cbe in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xf6cbe)
0x611003c48200 is located 0 bytes inside of 216-byte region [0x611003c48200,0x611003c482d8)
freed by thread T166 (JobWorker) here:
#0 0x7ffff6f01040 in operator delete(void*) (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdc040)
#1 0x555558e4071b in PVR::CPVRTimerType::~CPVRTimerType() (/usr/local/stow/kodi-asan/lib/kodi/kodi-x11+0x38ec71b)
#2 0x555558929540 in std::_Sp_counted_ptr<PVR::CPVRTimerType*, (__gnu_cxx::_Lock_policy)2>::_M_dispose() (/usr/local/stow/kodi-asan/lib/kodi/kodi-x11+0x33d5540)
#3 0x555557165886 in std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_release() (/usr/local/stow/kodi-asan/lib/kodi/kodi-x11+0x1c11886)
#4 0x55555738a63a in std::__shared_count<(__gnu_cxx::_Lock_policy)2>::operator=(std::__shared_count<(__gnu_cxx::_Lock_policy)2> const&) (/usr/local/stow/kodi-asan/lib/kodi/kodi-x11+0x1e3663a)
#5 0x555558926844 in std::__shared_ptr<PVR::CPVRTimerType, (__gnu_cxx::_Lock_policy)2>::operator=(std::__shared_ptr<PVR::CPVRTimerType, (__gnu_cxx::_Lock_policy)2> const&) (/usr/local/stow/kodi-asan/lib/kodi/kodi-x11+0x33d2844)
#6 0x55555892686e in std::shared_ptr<PVR::CPVRTimerType>::operator=(std::shared_ptr<PVR::CPVRTimerType> const&) (/usr/local/stow/kodi-asan/lib/kodi/kodi-x11+0x33d286e)
#7 0x5555589268b8 in std::shared_ptr<PVR::CPVRTimerType>* std::__copy_move<false, false, std::random_access_iterator_tag>::__copy_m<std::shared_ptr<PVR::CPVRTimerType> const*, std::shared_ptr<PVR::CPVRTimerType>*>(std::shared_ptr<PVR::CPVRTimerType> const*, std::shared_ptr<PVR::CPVRTimerType> const*, std::shared_ptr<PVR::CPVRTimerType>*) (/usr/local/stow/kodi-asan/lib/kodi/kodi-x11+0x33d28b8)
#8 0x555558924ed2 in std::shared_ptr<PVR::CPVRTimerType>* std::__copy_move_a<false, std::shared_ptr<PVR::CPVRTimerType> const*, std::shared_ptr<PVR::CPVRTimerType>*>(std::shared_ptr<PVR::CPVRTimerType> const*, std::shared_ptr<PVR::CPVRTimerType> const*, std::shared_ptr<PVR::CPVRTimerType>*) (/usr/local/stow/kodi-asan/lib/kodi/kodi-x11+0x33d0ed2)
#9 0x55555892094e in __gnu_cxx::__normal_iterator<std::shared_ptr<PVR::CPVRTimerType>*, std::vector<std::shared_ptr<PVR::CPVRTimerType>, std::allocator<std::shared_ptr<PVR::CPVRTimerType> > > > std::__copy_move_a2<false, __gnu_cxx::__normal_iterator<std::shared_ptr<PVR::CPVRTimerType> const*, std::vector<std::shared_ptr<PVR::CPVRTimerType>, std::allocator<std::shared_ptr<PVR::CPVRTimerType> > > >, __gnu_cxx::__normal_iterator<std::shared_ptr<PVR::CPVRTimerType>*, std::vector<std::shared_ptr<PVR::CPVRTimerType>, std::allocator<std::shared_ptr<PVR::CPVRTimerType> > > > >(__gnu_cxx::__normal_iterator<std::shared_ptr<PVR::CPVRTimerType> const*, std::vector<std::shared_ptr<PVR::CPVRTimerType>, std::allocator<std::shared_ptr<PVR::CPVRTimerType> > > >, __gnu_cxx::__normal_iterator<std::shared_ptr<PVR::CPVRTimerType> const*, std::vector<std::shared_ptr<PVR::CPVRTimerType>, std::allocator<std::shared_ptr<PVR::CPVRTimerType> > > >, __gnu_cxx::__normal_iterator<std::shared_ptr<PVR::CPVRTimerType>*, std::vector<std::shared_ptr<PVR::CPVRTimerType>, std::allocator<std::shared_ptr<PVR::CPVRTimerType> > > >) (/usr/local/stow/kodi-asan/lib/kodi/kodi-x11+0x33cc94e)
#10 0x55555891b4ad in __gnu_cxx::__normal_iterator<std::shared_ptr<PVR::CPVRTimerType>*, std::vector<std::shared_ptr<PVR::CPVRTimerType>, std::allocator<std::shared_ptr<PVR::CPVRTimerType> > > > std::copy<__gnu_cxx::__normal_iterator<std::shared_ptr<PVR::CPVRTimerType> const*, std::vector<std::shared_ptr<PVR::CPVRTimerType>, std::allocator<std::shared_ptr<PVR::CPVRTimerType> > > >, __gnu_cxx::__normal_iterator<std::shared_ptr<PVR::CPVRTimerType>*, std::vector<std::shared_ptr<PVR::CPVRTimerType>, std::allocator<std::shared_ptr<PVR::CPVRTimerType> > > > >(__gnu_cxx::__normal_iterator<std::shared_ptr<PVR::CPVRTimerType> const*, std::vector<std::shared_ptr<PVR::CPVRTimerType>, std::allocator<std::shared_ptr<PVR::CPVRTimerType> > > >, __gnu_cxx::__normal_iterator<std::shared_ptr<PVR::CPVRTimerType> const*, std::vector<std::shared_ptr<PVR::CPVRTimerType>, std::allocator<std::shared_ptr<PVR::CPVRTimerType> > > >, __gnu_cxx::__normal_iterator<std::shared_ptr<PVR::CPVRTimerType>*, std::vector<std::shared_ptr<PVR::CPVRTimerType>, std::allocator<std::shared_ptr<PVR::CPVRTimerType> > > >) (/usr/local/stow/kodi-asan/lib/kodi/kodi-x11+0x33c74ad)
#11 0x55555891757f in std::vector<std::shared_ptr<PVR::CPVRTimerType>, std::allocator<std::shared_ptr<PVR::CPVRTimerType> > >::operator=(std::vector<std::shared_ptr<PVR::CPVRTimerType>, std::allocator<std::shared_ptr<PVR::CPVRTimerType> > > const&) (/usr/local/stow/kodi-asan/lib/kodi/kodi-x11+0x33c357f)
#12 0x5555588e314e in PVR::CPVRClient::GetAddonProperties() (/usr/local/stow/kodi-asan/lib/kodi/kodi-x11+0x338f14e)
#13 0x555558f89eec in PVR::CPVRClients::ConnectionStateChange(PVR::CPVRClient*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, PVR_CONNECTION_STATE, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&) (/usr/local/stow/kodi-asan/lib/kodi/kodi-x11+0x3a35eec)
#14 0x55555904915e in PVR::CPVRClientConnectionJob::DoWork() (/usr/local/stow/kodi-asan/lib/kodi/kodi-x11+0x3af515e)
#15 0x555557ea8995 in CJobWorker::Process() (/usr/local/stow/kodi-asan/lib/kodi/kodi-x11+0x2954995)
#16 0x555558038fe0 in CThread::Action() (/usr/local/stow/kodi-asan/lib/kodi/kodi-x11+0x2ae4fe0)
#17 0x5555580386cc in CThread::staticThread(void*) (/usr/local/stow/kodi-asan/lib/kodi/kodi-x11+0x2ae46cc)
#18 0x7ffff6c0e5a9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x75a9)
```
yol
pushed a commit
that referenced
this issue
Apr 11, 2024
Only remove the child if the node is actually a child.
==51989==ERROR: AddressSanitizer: heap-use-after-free on address 0x511003b69210 at pc 0x5ce4b249275e bp 0x7fff43e1d430 sp 0x7fff43e1d428
READ of size 8 at 0x511003b69210 thread T0
#0 0x5ce4b249275d in TiXmlAttributeSet::First() /usr/include/tinyxml.h:915:50
#1 0x5ce4b2492098 in TiXmlElement::FirstAttribute() /usr/include/tinyxml.h:1087:61
#2 0x5ce4b2bb091e in CGUIIncludes::ResolveParametersForNode(TiXmlElement*, std::map<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::less<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>>, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>>>> const&) xbmc/guilib/GUIIncludes.cpp:586:37
#3 0x5ce4b2bae9bb in CGUIIncludes::ResolveIncludes(TiXmlElement*, std::map<std::shared_ptr<INFO::InfoBool>, bool, std::less<std::shared_ptr<INFO::InfoBool>>, std::allocator<std::pair<std::shared_ptr<INFO::InfoBool> const, bool>>>*) xbmc/guilib/GUIIncludes.cpp:485:9
#4 0x5ce4b2ba8eaf in CGUIIncludes::Resolve(TiXmlElement*, std::map<std::shared_ptr<INFO::InfoBool>, bool, std::less<std::shared_ptr<INFO::InfoBool>>, std::allocator<std::pair<std::shared_ptr<INFO::InfoBool> const, bool>>>*) xbmc/guilib/GUIIncludes.cpp:312:3
#5 0x5ce4b2ba8fce in CGUIIncludes::Resolve(TiXmlElement*, std::map<std::shared_ptr<INFO::InfoBool>, bool, std::less<std::shared_ptr<INFO::InfoBool>>, std::allocator<std::pair<std::shared_ptr<INFO::InfoBool> const, bool>>>*) xbmc/guilib/GUIIncludes.cpp:318:5
#6 0x5ce4b3e808d3 in ADDON::CSkinInfo::ResolveIncludes(TiXmlElement*, std::map<std::shared_ptr<INFO::InfoBool>, bool, std::less<std::shared_ptr<INFO::InfoBool>>, std::allocator<std::pair<std::shared_ptr<INFO::InfoBool> const, bool>>>*) xbmc/addons/Skin.cpp:307:14
#7 0x5ce4b2e00084 in CGUIWindow::Prepare(std::unique_ptr<TiXmlElement, std::default_delete<TiXmlElement>> const&) xbmc/guilib/GUIWindow.cpp:168:15
#8 0x5ce4b2dff45e in CGUIWindow::LoadXML(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&) xbmc/guilib/GUIWindow.cpp:155:15
#9 0x5ce4b2dfd540 in CGUIWindow::Load(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, bool) xbmc/guilib/GUIWindow.cpp:109:14
#10 0x5ce4b2e1cac5 in CGUIWindow::AllocResources(bool) xbmc/guilib/GUIWindow.cpp:765:7
#11 0x5ce4b2e14c77 in CGUIWindow::OnMessage(CGUIMessage&) xbmc/guilib/GUIWindow.cpp:594:52
#12 0x5ce4b19ce9d2 in CGUIWindowHome::OnMessage(CGUIMessage&) xbmc/windows/GUIWindowHome.cpp:182:22
#13 0x5ce4b2e613a1 in CGUIWindowManager::ActivateWindow_Internal(int, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>>> const&, bool, bool) xbmc/guilib/GUIWindowManager.cpp:896:15
#14 0x5ce4b2e5ce3c in CGUIWindowManager::ActivateWindow(int, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>>> const&, bool, bool) xbmc/guilib/GUIWindowManager.cpp:802:5
#15 0x5ce4b683ad63 in int (anonymous namespace)::ActivateWindow<true>(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>>> const&) xbmc/interfaces/builtins/GUIBuiltins.cpp:109:52
#16 0x5ce4b6822865 in CBuiltins::Execute(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&) xbmc/interfaces/builtins/Builtins.cpp:158:14
#17 0x5ce4b34047ff in CApplication::ExecuteXBMCAction(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::shared_ptr<CGUIListItem> const&) xbmc/application/Application.cpp:3037:32
#18 0x5ce4b3400a16 in CApplication::OnMessage(CGUIMessage&) xbmc/application/Application.cpp:3013:14
#19 0x5ce4b34058a0 in non-virtual thunk to CApplication::OnMessage(CGUIMessage&) xbmc/application/Application.cpp
#20 0x5ce4b2e52261 in CGUIWindowManager::SendMessage(CGUIMessage&) xbmc/guilib/GUIWindowManager.cpp:510:23
#21 0x5ce4b2e7cc7f in CGUIWindowManager::DispatchThreadMessages() xbmc/guilib/GUIWindowManager.cpp:1572:7
#22 0x5ce4b3405bfa in CApplication::Process() xbmc/application/Application.cpp:3139:48
#23 0x5ce4b33ddc98 in CApplication::Run() xbmc/application/Application.cpp:1855:5
#24 0x5ce4b251b323 in XBMC_Run xbmc/platform/xbmc.cpp:61:26
#25 0x5ce4af14af0f in main xbmc/platform/posix/main.cpp:70:16
#26 0x76d804243ccf (/usr/lib/libc.so.6+0x25ccf) (BuildId: c0caa0b7709d3369ee575fcd7d7d0b0fc48733af)
#27 0x76d804243d89 in __libc_start_main (/usr/lib/libc.so.6+0x25d89) (BuildId: c0caa0b7709d3369ee575fcd7d7d0b0fc48733af)
#28 0x5ce4af010b94 in _start (/home/mark/Coding/Repos/kodi-git/build_clang_debug_sanitizer/kodi.bin+0xa317b94) (BuildId: 923aa634157be6adc50052366abd3ca0edfeffc0)
0x511003b69210 is located 208 bytes inside of 216-byte region [0x511003b69140,0x511003b69218)
freed by thread T0 here:
#0 0x5ce4af148d72 in operator delete(void*, unsigned long) (/home/mark/Coding/Repos/kodi-git/build_clang_debug_sanitizer/kodi.bin+0xa44fd72) (BuildId: 923aa634157be6adc50052366abd3ca0edfeffc0)
#1 0x76d80670ea48 in TiXmlNode::RemoveChild(TiXmlNode*) (/usr/lib/libtinyxml.so.0+0x8a48) (BuildId: 2f5d236264d4d695dbe432f41e1eb46c7bc2d5d4)
#2 0x5ce4b2bae9a3 in CGUIIncludes::ResolveIncludes(TiXmlElement*, std::map<std::shared_ptr<INFO::InfoBool>, bool, std::less<std::shared_ptr<INFO::InfoBool>>, std::allocator<std::pair<std::shared_ptr<INFO::InfoBool> const, bool>>>*) xbmc/guilib/GUIIncludes.cpp:482:9
#3 0x5ce4b2ba8eaf in CGUIIncludes::Resolve(TiXmlElement*, std::map<std::shared_ptr<INFO::InfoBool>, bool, std::less<std::shared_ptr<INFO::InfoBool>>, std::allocator<std::pair<std::shared_ptr<INFO::InfoBool> const, bool>>>*) xbmc/guilib/GUIIncludes.cpp:312:3
#4 0x5ce4b2ba8fce in CGUIIncludes::Resolve(TiXmlElement*, std::map<std::shared_ptr<INFO::InfoBool>, bool, std::less<std::shared_ptr<INFO::InfoBool>>, std::allocator<std::pair<std::shared_ptr<INFO::InfoBool> const, bool>>>*) xbmc/guilib/GUIIncludes.cpp:318:5
#5 0x5ce4b3e808d3 in ADDON::CSkinInfo::ResolveIncludes(TiXmlElement*, std::map<std::shared_ptr<INFO::InfoBool>, bool, std::less<std::shared_ptr<INFO::InfoBool>>, std::allocator<std::pair<std::shared_ptr<INFO::InfoBool> const, bool>>>*) xbmc/addons/Skin.cpp:307:14
#6 0x5ce4b2e00084 in CGUIWindow::Prepare(std::unique_ptr<TiXmlElement, std::default_delete<TiXmlElement>> const&) xbmc/guilib/GUIWindow.cpp:168:15
#7 0x5ce4b2dff45e in CGUIWindow::LoadXML(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&) xbmc/guilib/GUIWindow.cpp:155:15
#8 0x5ce4b2dfd540 in CGUIWindow::Load(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, bool) xbmc/guilib/GUIWindow.cpp:109:14
#9 0x5ce4b2e1cac5 in CGUIWindow::AllocResources(bool) xbmc/guilib/GUIWindow.cpp:765:7
#10 0x5ce4b2e14c77 in CGUIWindow::OnMessage(CGUIMessage&) xbmc/guilib/GUIWindow.cpp:594:52
#11 0x5ce4b19ce9d2 in CGUIWindowHome::OnMessage(CGUIMessage&) xbmc/windows/GUIWindowHome.cpp:182:22
#12 0x5ce4b2e613a1 in CGUIWindowManager::ActivateWindow_Internal(int, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>>> const&, bool, bool) xbmc/guilib/GUIWindowManager.cpp:896:15
#13 0x5ce4b2e5ce3c in CGUIWindowManager::ActivateWindow(int, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>>> const&, bool, bool) xbmc/guilib/GUIWindowManager.cpp:802:5
#14 0x5ce4b683ad63 in int (anonymous namespace)::ActivateWindow<true>(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>>> const&) xbmc/interfaces/builtins/GUIBuiltins.cpp:109:52
#15 0x5ce4b6822865 in CBuiltins::Execute(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&) xbmc/interfaces/builtins/Builtins.cpp:158:14
#16 0x5ce4b34047ff in CApplication::ExecuteXBMCAction(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::shared_ptr<CGUIListItem> const&) xbmc/application/Application.cpp:3037:32
#17 0x5ce4b3400a16 in CApplication::OnMessage(CGUIMessage&) xbmc/application/Application.cpp:3013:14
#18 0x5ce4b34058a0 in non-virtual thunk to CApplication::OnMessage(CGUIMessage&) xbmc/application/Application.cpp
#19 0x5ce4b2e52261 in CGUIWindowManager::SendMessage(CGUIMessage&) xbmc/guilib/GUIWindowManager.cpp:510:23
#20 0x5ce4b2e7cc7f in CGUIWindowManager::DispatchThreadMessages() xbmc/guilib/GUIWindowManager.cpp:1572:7
#21 0x5ce4b3405bfa in CApplication::Process() xbmc/application/Application.cpp:3139:48
#22 0x5ce4b33ddc98 in CApplication::Run() xbmc/application/Application.cpp:1855:5
#23 0x5ce4b251b323 in XBMC_Run xbmc/platform/xbmc.cpp:61:26
#24 0x5ce4af14af0f in main xbmc/platform/posix/main.cpp:70:16
#25 0x76d804243ccf (/usr/lib/libc.so.6+0x25ccf) (BuildId: c0caa0b7709d3369ee575fcd7d7d0b0fc48733af)
previously allocated by thread T0 here:
#0 0x5ce4af147e12 in operator new(unsigned long) (/home/mark/Coding/Repos/kodi-git/build_clang_debug_sanitizer/kodi.bin+0xa44ee12) (BuildId: 923aa634157be6adc50052366abd3ca0edfeffc0)
#1 0x76d806711497 in TiXmlElement::Clone() const (/usr/lib/libtinyxml.so.0+0xb497) (BuildId: 2f5d236264d4d695dbe432f41e1eb46c7bc2d5d4)
SUMMARY: AddressSanitizer: heap-use-after-free /usr/include/tinyxml.h:915:50 in TiXmlAttributeSet::First()
Shadow bytes around the buggy address:
0x511003b68f80: 00 00 00 fa fa fa fa fa fa fa fa fa fa fa fa fa
0x511003b69000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x511003b69080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x511003b69100: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x511003b69180: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x511003b69200: fd fd[fd]fa fa fa fa fa fa fa fa fa fa fa fa fa
0x511003b69280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x511003b69300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x511003b69380: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x511003b69400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x511003b69480: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==51989==ABORTING
yol
pushed a commit
that referenced
this issue
Apr 11, 2024
See comment in code for information.
==30885==ERROR: AddressSanitizer: heap-use-after-free on address 0x51800050bbe8 at pc 0x56aa085d20db bp 0x7ffd92777f50 sp 0x7ffd92777f48
READ of size 1 at 0x51800050bbe8 thread T0
#0 0x56aa085d20da in CGUIAction::ExecuteActions(int, int, std::shared_ptr<CGUIListItem> const&) const xbmc/guilib/GUIAction.cpp:86:9
#1 0x56aa084b7701 in CStaticListProvider::OnClick(std::shared_ptr<CGUIListItem> const&) xbmc/guilib/listproviders/StaticProvider.cpp:136:40
#2 0x56aa0862e065 in CGUIBaseContainer::OnClick(int) xbmc/guilib/GUIBaseContainer.cpp:881:27
#3 0x56aa0862b09c in CGUIBaseContainer::OnAction(CAction const&) xbmc/guilib/GUIBaseContainer.cpp:474:28
#4 0x56aa08c4bdf5 in CGUIWrappingListContainer::OnAction(CAction const&) xbmc/guilib/GUIWrappingListContainer.cpp:75:29
#5 0x56aa08b8f441 in CGUIWindow::OnAction(CAction const&) xbmc/guilib/GUIWindow.cpp:429:27
#6 0x56aa08bee00c in CGUIWindowManager::HandleAction(CAction const&) const xbmc/guilib/GUIWindowManager.cpp:1199:20
#7 0x56aa08bec973 in CGUIWindowManager::OnAction(CAction const&) const xbmc/guilib/GUIWindowManager.cpp:1144:11
#8 0x56aa0912be04 in CApplication::OnAction(CAction const&) xbmc/application/Application.cpp:913:54
#9 0x56aa0c914de1 in CInputManager::ExecuteInputAction(CAction const&) xbmc/input/InputManager.cpp:746:29
#10 0x56aa0c921842 in CInputManager::HandleKey(CKey const&) xbmc/input/InputManager.cpp:680:10
#11 0x56aa0c91c2ec in CInputManager::OnKeyUp(CKey const&) xbmc/input/InputManager.cpp:693:5
#12 0x56aa0c917737 in CInputManager::OnEvent(XBMC_Event&) xbmc/input/InputManager.cpp:361:7
#13 0x56aa090fe458 in CAppInboundProtocol::HandleEvents() xbmc/application/AppInboundProtocol.cpp:113:43
#14 0x56aa0915b240 in CApplication::FrameMove(bool, bool) xbmc/application/Application.cpp:1756:17
#15 0x56aa0915f200 in CApplication::Run() xbmc/application/Application.cpp:1860:7
#16 0x56aa0829c3e3 in XBMC_Run xbmc/platform/xbmc.cpp:61:26
#17 0x56aa04ecbfcf in main xbmc/platform/posix/main.cpp:70:16
#18 0x7517fb043ccf (/usr/lib/libc.so.6+0x25ccf) (BuildId: c0caa0b7709d3369ee575fcd7d7d0b0fc48733af)
#19 0x7517fb043d89 in __libc_start_main (/usr/lib/libc.so.6+0x25d89) (BuildId: c0caa0b7709d3369ee575fcd7d7d0b0fc48733af)
#20 0x56aa04d91c54 in _start (/home/mark/Coding/Repos/kodi-git/build_clang_debug_sanitizer/kodi.bin+0xa317c54) (BuildId: 7f84180dd757174de6de03b115843129667234d3)
0x51800050bbe8 is located 872 bytes inside of 880-byte region [0x51800050b880,0x51800050bbf0)
freed by thread T0 here:
#0 0x56aa04ec996a in operator delete(void*) (/home/mark/Coding/Repos/kodi-git/build_clang_debug_sanitizer/kodi.bin+0xa44f96a) (BuildId: 7f84180dd757174de6de03b115843129667234d3)
#1 0x56aa08ae24d1 in CGUIStaticItem::~CGUIStaticItem() xbmc/guilib/GUIStaticItem.h:55:38
#2 0x56aa05922763 in std::_Sp_counted_ptr<CGUIStaticItem*, (__gnu_cxx::_Lock_policy)2>::_M_dispose() /usr/bin/../lib64/gcc/x86_64-pc-linux-gnu/13.2.1/../../../../include/c++/13.2.1/bits/shared_ptr_base.h:428:9
#3 0x56aa04ecd0bc in std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_release() /usr/bin/../lib64/gcc/x86_64-pc-linux-gnu/13.2.1/../../../../include/c++/13.2.1/bits/shared_ptr_base.h:346:8
#4 0x56aa04eccca9 in std::__shared_count<(__gnu_cxx::_Lock_policy)2>::~__shared_count() /usr/bin/../lib64/gcc/x86_64-pc-linux-gnu/13.2.1/../../../../include/c++/13.2.1/bits/shared_ptr_base.h:1071:11
#5 0x56aa050d1c6c in std::__shared_ptr<CGUIListItem, (__gnu_cxx::_Lock_policy)2>::~__shared_ptr() /usr/bin/../lib64/gcc/x86_64-pc-linux-gnu/13.2.1/../../../../include/c++/13.2.1/bits/shared_ptr_base.h:1524:31
#6 0x56aa050c6ee8 in std::shared_ptr<CGUIListItem>::~shared_ptr() /usr/bin/../lib64/gcc/x86_64-pc-linux-gnu/13.2.1/../../../../include/c++/13.2.1/bits/shared_ptr.h:175:11
#7 0x56aa08465110 in void std::_Destroy<std::shared_ptr<CGUIListItem>>(std::shared_ptr<CGUIListItem>*) /usr/bin/../lib64/gcc/x86_64-pc-linux-gnu/13.2.1/../../../../include/c++/13.2.1/bits/stl_construct.h:151:19
#8 0x56aa0846505e in void std::_Destroy_aux<false>::__destroy<std::shared_ptr<CGUIListItem>*>(std::shared_ptr<CGUIListItem>*, std::shared_ptr<CGUIListItem>*) /usr/bin/../lib64/gcc/x86_64-pc-linux-gnu/13.2.1/../../../../include/c++/13.2.1/bits/stl_construct.h:163:6
#9 0x56aa08465024 in void std::_Destroy<std::shared_ptr<CGUIListItem>*>(std::shared_ptr<CGUIListItem>*, std::shared_ptr<CGUIListItem>*) /usr/bin/../lib64/gcc/x86_64-pc-linux-gnu/13.2.1/../../../../include/c++/13.2.1/bits/stl_construct.h:195:7
#10 0x56aa084a624b in void std::_Destroy<std::shared_ptr<CGUIListItem>*, std::shared_ptr<CGUIListItem>>(std::shared_ptr<CGUIListItem>*, std::shared_ptr<CGUIListItem>*, std::allocator<std::shared_ptr<CGUIListItem>>&) /usr/bin/../lib64/gcc/x86_64-pc-linux-gnu/13.2.1/../../../../include/c++/13.2.1/bits/alloc_traits.h:947:7
#11 0x56aa084a624b in std::vector<std::shared_ptr<CGUIListItem>, std::allocator<std::shared_ptr<CGUIListItem>>>::~vector() /usr/bin/../lib64/gcc/x86_64-pc-linux-gnu/13.2.1/../../../../include/c++/13.2.1/bits/stl_vector.h:732:2
#12 0x56aa086169e5 in CGUIBaseContainer::~CGUIBaseContainer() xbmc/guilib/GUIBaseContainer.cpp:117:1
#13 0x56aa08c4a148 in CGUIWrappingListContainer::~CGUIWrappingListContainer() xbmc/guilib/GUIWrappingListContainer.cpp:26:59
#14 0x56aa08c4a198 in CGUIWrappingListContainer::~CGUIWrappingListContainer() xbmc/guilib/GUIWrappingListContainer.cpp:26:59
#15 0x56aa08758935 in CGUIControlGroup::ClearAll() xbmc/guilib/GUIControlGroup.cpp:525:5
#16 0x56aa08743bb9 in CGUIControlGroup::~CGUIControlGroup() xbmc/guilib/GUIControlGroup.cpp:56:3
#17 0x56aa08743c48 in CGUIControlGroup::~CGUIControlGroup() xbmc/guilib/GUIControlGroup.cpp:55:1
#18 0x56aa08758935 in CGUIControlGroup::ClearAll() xbmc/guilib/GUIControlGroup.cpp:525:5
#19 0x56aa08743bb9 in CGUIControlGroup::~CGUIControlGroup() xbmc/guilib/GUIControlGroup.cpp:56:3
#20 0x56aa08743c48 in CGUIControlGroup::~CGUIControlGroup() xbmc/guilib/GUIControlGroup.cpp:55:1
#21 0x56aa08758935 in CGUIControlGroup::ClearAll() xbmc/guilib/GUIControlGroup.cpp:525:5
#22 0x56aa08743bb9 in CGUIControlGroup::~CGUIControlGroup() xbmc/guilib/GUIControlGroup.cpp:56:3
#23 0x56aa08743c48 in CGUIControlGroup::~CGUIControlGroup() xbmc/guilib/GUIControlGroup.cpp:55:1
#24 0x56aa08758935 in CGUIControlGroup::ClearAll() xbmc/guilib/GUIControlGroup.cpp:525:5
#25 0x56aa08743bb9 in CGUIControlGroup::~CGUIControlGroup() xbmc/guilib/GUIControlGroup.cpp:56:3
#26 0x56aa08743c48 in CGUIControlGroup::~CGUIControlGroup() xbmc/guilib/GUIControlGroup.cpp:55:1
#27 0x56aa08758935 in CGUIControlGroup::ClearAll() xbmc/guilib/GUIControlGroup.cpp:525:5
#28 0x56aa08b9f39d in CGUIWindow::ClearAll() xbmc/guilib/GUIWindow.cpp:816:21
#29 0x56aa08b9ed97 in CGUIWindow::FreeResources(bool) xbmc/guilib/GUIWindow.cpp:799:53
#30 0x56aa08bf8e34 in CGUIWindowManager::DeInitialize() xbmc/guilib/GUIWindowManager.cpp:1452:14
#31 0x56aa09264d22 in CApplicationSkinHandling::UnloadSkin() xbmc/application/ApplicationSkinHandling.cpp:235:29
#32 0x56aa0925e0fd in CApplicationSkinHandling::LoadSkin(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&) xbmc/application/ApplicationSkinHandling.cpp:111:3
#33 0x56aa0926a8e6 in CApplicationSkinHandling::ReloadSkin(bool) xbmc/application/ApplicationSkinHandling.cpp:390:7
#34 0x56aa0c635399 in ReloadSkin(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>>> const&) xbmc/interfaces/builtins/SkinBuiltins.cpp:46:12
#35 0x56aa0c5a39e5 in CBuiltins::Execute(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&) xbmc/interfaces/builtins/Builtins.cpp:158:14
#36 0x56aa0918597f in CApplication::ExecuteXBMCAction(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::shared_ptr<CGUIListItem> const&) xbmc/application/Application.cpp:3037:32
#37 0x56aa09181b96 in CApplication::OnMessage(CGUIMessage&) xbmc/application/Application.cpp:3013:14
#38 0x56aa09186a20 in non-virtual thunk to CApplication::OnMessage(CGUIMessage&) xbmc/application/Application.cpp
#39 0x56aa08bd33e1 in CGUIWindowManager::SendMessage(CGUIMessage&) xbmc/guilib/GUIWindowManager.cpp:510:23
#40 0x56aa085d2502 in CGUIAction::ExecuteActions(int, int, std::shared_ptr<CGUIListItem> const&) const xbmc/guilib/GUIAction.cpp:89:52
#41 0x56aa084b7701 in CStaticListProvider::OnClick(std::shared_ptr<CGUIListItem> const&) xbmc/guilib/listproviders/StaticProvider.cpp:136:40
#42 0x56aa0862e065 in CGUIBaseContainer::OnClick(int) xbmc/guilib/GUIBaseContainer.cpp:881:27
#43 0x56aa0862b09c in CGUIBaseContainer::OnAction(CAction const&) xbmc/guilib/GUIBaseContainer.cpp:474:28
#44 0x56aa08c4bdf5 in CGUIWrappingListContainer::OnAction(CAction const&) xbmc/guilib/GUIWrappingListContainer.cpp:75:29
#45 0x56aa08b8f441 in CGUIWindow::OnAction(CAction const&) xbmc/guilib/GUIWindow.cpp:429:27
#46 0x56aa08bee00c in CGUIWindowManager::HandleAction(CAction const&) const xbmc/guilib/GUIWindowManager.cpp:1199:20
#47 0x56aa08bec973 in CGUIWindowManager::OnAction(CAction const&) const xbmc/guilib/GUIWindowManager.cpp:1144:11
#48 0x56aa0912be04 in CApplication::OnAction(CAction const&) xbmc/application/Application.cpp:913:54
#49 0x56aa0c914de1 in CInputManager::ExecuteInputAction(CAction const&) xbmc/input/InputManager.cpp:746:29
xbmc#50 0x56aa0c921842 in CInputManager::HandleKey(CKey const&) xbmc/input/InputManager.cpp:680:10
xbmc#51 0x56aa0c91c2ec in CInputManager::OnKeyUp(CKey const&) xbmc/input/InputManager.cpp:693:5
xbmc#52 0x56aa0c917737 in CInputManager::OnEvent(XBMC_Event&) xbmc/input/InputManager.cpp:361:7
xbmc#53 0x56aa090fe458 in CAppInboundProtocol::HandleEvents() xbmc/application/AppInboundProtocol.cpp:113:43
xbmc#54 0x56aa0915b240 in CApplication::FrameMove(bool, bool) xbmc/application/Application.cpp:1756:17
xbmc#55 0x56aa0915f200 in CApplication::Run() xbmc/application/Application.cpp:1860:7
xbmc#56 0x56aa0829c3e3 in XBMC_Run xbmc/platform/xbmc.cpp:61:26
xbmc#57 0x56aa04ecbfcf in main xbmc/platform/posix/main.cpp:70:16
xbmc#58 0x7517fb043ccf (/usr/lib/libc.so.6+0x25ccf) (BuildId: c0caa0b7709d3369ee575fcd7d7d0b0fc48733af)
previously allocated by thread T0 here:
#0 0x56aa04ec8ed2 in operator new(unsigned long) (/home/mark/Coding/Repos/kodi-git/build_clang_debug_sanitizer/kodi.bin+0xa44eed2) (BuildId: 7f84180dd757174de6de03b115843129667234d3)
#1 0x56aa084b3183 in CStaticListProvider::CStaticListProvider(TiXmlElement const*, int) xbmc/guilib/listproviders/StaticProvider.cpp:28:33
#2 0x56aa0849c590 in std::__detail::_MakeUniq<CStaticListProvider>::__single_object std::make_unique<CStaticListProvider, TiXmlElement const*, int&>(TiXmlElement const*&&, int&) /usr/bin/../lib64/gcc/x86_64-pc-linux-gnu/13.2.1/../../../../include/c++/13.2.1/bits/unique_ptr.h:1070:34
#3 0x56aa0849bac7 in IListProvider::CreateSingle(TiXmlNode const*, int) xbmc/guilib/listproviders/IListProvider.cpp:34:12
#4 0x56aa0849b582 in IListProvider::Create(TiXmlNode const*, int) xbmc/guilib/listproviders/IListProvider.cpp:25:12
#5 0x56aa0864bbe8 in CGUIBaseContainer::LoadListProvider(TiXmlElement*, int, bool) xbmc/guilib/GUIBaseContainer.cpp:1282:20
#6 0x56aa0871b1c3 in CGUIControlFactory::Create(int, CRectGen<float> const&, TiXmlElement*, bool) xbmc/guilib/GUIControlFactory.cpp:1543:17
#7 0x56aa08b884c4 in CGUIWindow::LoadControl(TiXmlElement*, CGUIControlGroup*, CRectGen<float> const&) xbmc/guilib/GUIWindow.cpp:281:38
#8 0x56aa08b8a088 in CGUIWindow::LoadControl(TiXmlElement*, CGUIControlGroup*, CRectGen<float> const&) xbmc/guilib/GUIWindow.cpp:309:9
#9 0x56aa08b8a088 in CGUIWindow::LoadControl(TiXmlElement*, CGUIControlGroup*, CRectGen<float> const&) xbmc/guilib/GUIWindow.cpp:309:9
#10 0x56aa08b8a088 in CGUIWindow::LoadControl(TiXmlElement*, CGUIControlGroup*, CRectGen<float> const&) xbmc/guilib/GUIWindow.cpp:309:9
#11 0x56aa08b8a088 in CGUIWindow::LoadControl(TiXmlElement*, CGUIControlGroup*, CRectGen<float> const&) xbmc/guilib/GUIWindow.cpp:309:9
#12 0x56aa08b87cf6 in CGUIWindow::Load(TiXmlElement*) xbmc/guilib/GUIWindow.cpp:264:11
#13 0x56aa08b80657 in CGUIWindow::LoadXML(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&) xbmc/guilib/GUIWindow.cpp:155:10
#14 0x56aa08b7e6c0 in CGUIWindow::Load(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, bool) xbmc/guilib/GUIWindow.cpp:109:14
#15 0x56aa08b9dc45 in CGUIWindow::AllocResources(bool) xbmc/guilib/GUIWindow.cpp:765:7
#16 0x56aa08b95df7 in CGUIWindow::OnMessage(CGUIMessage&) xbmc/guilib/GUIWindow.cpp:594:52
#17 0x56aa08be2521 in CGUIWindowManager::ActivateWindow_Internal(int, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>>> const&, bool, bool) xbmc/guilib/GUIWindowManager.cpp:896:15
#18 0x56aa08bddfbc in CGUIWindowManager::ActivateWindow(int, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>>> const&, bool, bool) xbmc/guilib/GUIWindowManager.cpp:802:5
#19 0x56aa0c5b75f3 in int (anonymous namespace)::ActivateWindow<false>(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>>> const&) xbmc/interfaces/builtins/GUIBuiltins.cpp:109:52
#20 0x56aa0c5a39e5 in CBuiltins::Execute(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&) xbmc/interfaces/builtins/Builtins.cpp:158:14
#21 0x56aa0918597f in CApplication::ExecuteXBMCAction(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::shared_ptr<CGUIListItem> const&) xbmc/application/Application.cpp:3037:32
#22 0x56aa09181b96 in CApplication::OnMessage(CGUIMessage&) xbmc/application/Application.cpp:3013:14
#23 0x56aa09186a20 in non-virtual thunk to CApplication::OnMessage(CGUIMessage&) xbmc/application/Application.cpp
#24 0x56aa08bd33e1 in CGUIWindowManager::SendMessage(CGUIMessage&) xbmc/guilib/GUIWindowManager.cpp:510:23
#25 0x56aa085d2502 in CGUIAction::ExecuteActions(int, int, std::shared_ptr<CGUIListItem> const&) const xbmc/guilib/GUIAction.cpp:89:52
#26 0x56aa0867f896 in CGUIButtonControl::OnClick() xbmc/guilib/GUIButtonControl.cpp:393:16
#27 0x56aa08677e86 in CGUIButtonControl::OnAction(CAction const&) xbmc/guilib/GUIButtonControl.cpp:212:5
#28 0x56aa08b8f441 in CGUIWindow::OnAction(CAction const&) xbmc/guilib/GUIWindow.cpp:429:27
#29 0x56aa08bee00c in CGUIWindowManager::HandleAction(CAction const&) const xbmc/guilib/GUIWindowManager.cpp:1199:20
#30 0x56aa08bec973 in CGUIWindowManager::OnAction(CAction const&) const xbmc/guilib/GUIWindowManager.cpp:1144:11
#31 0x56aa0912be04 in CApplication::OnAction(CAction const&) xbmc/application/Application.cpp:913:54
#32 0x56aa0c914de1 in CInputManager::ExecuteInputAction(CAction const&) xbmc/input/InputManager.cpp:746:29
#33 0x56aa0c921842 in CInputManager::HandleKey(CKey const&) xbmc/input/InputManager.cpp:680:10
#34 0x56aa0c91c2ec in CInputManager::OnKeyUp(CKey const&) xbmc/input/InputManager.cpp:693:5
#35 0x56aa0c917737 in CInputManager::OnEvent(XBMC_Event&) xbmc/input/InputManager.cpp:361:7
#36 0x56aa090fe458 in CAppInboundProtocol::HandleEvents() xbmc/application/AppInboundProtocol.cpp:113:43
#37 0x56aa0915b240 in CApplication::FrameMove(bool, bool) xbmc/application/Application.cpp:1756:17
#38 0x56aa0915f200 in CApplication::Run() xbmc/application/Application.cpp:1860:7
#39 0x56aa0829c3e3 in XBMC_Run xbmc/platform/xbmc.cpp:61:26
#40 0x56aa04ecbfcf in main xbmc/platform/posix/main.cpp:70:16
#41 0x7517fb043ccf (/usr/lib/libc.so.6+0x25ccf) (BuildId: c0caa0b7709d3369ee575fcd7d7d0b0fc48733af)
SUMMARY: AddressSanitizer: heap-use-after-free xbmc/guilib/GUIAction.cpp:86:9 in CGUIAction::ExecuteActions(int, int, std::shared_ptr<CGUIListItem> const&) const
Shadow bytes around the buggy address:
0x51800050b900: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x51800050b980: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x51800050ba00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x51800050ba80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x51800050bb00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x51800050bb80: fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]fa fa
0x51800050bc00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x51800050bc80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x51800050bd00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x51800050bd80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x51800050be00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==30885==ABORTING
yol
pushed a commit
that referenced
this issue
May 10, 2024
When using a skin that doesn't provide a CGUIEditControl, GUIDialogSettingsBase
creates its own. When switching to a skin that does provide one, it loads it
from the skin, overwrites the pointer to its own edit control (memory leak!)
but still thinks it owns the control because m_newOriginalEdit is true. In
DeleteControls() it then deletes the edit control that it doesn't own.
Cleaning up and resetting the flag in FreeControls() solves the problem.
ASAN error:
==29999==ERROR: AddressSanitizer: heap-use-after-free on address 0x51d0015bd080 at pc 0x5dcd1a23e410 bp 0x7ffe96645b50 sp 0x7ffe96645b48
READ of size 8 at 0x51d0015bd080 thread T0
#0 0x5dcd1a23e40f in CGUIDialogSettingsBase::DeleteControls() xbmc/settings/dialogs/GUIDialogSettingsBase.cpp:476:5
#1 0x5dcd1a22b1c0 in CGUIDialogSettingsBase::~CGUIDialogSettingsBase() xbmc/settings/dialogs/GUIDialogSettingsBase.cpp:77:3
#2 0x5dcd1a27e8a8 in CGUIDialogSettingsManagerBase::~CGUIDialogSettingsManagerBase() xbmc/settings/dialogs/GUIDialogSettingsManagerBase.cpp:19:63
#3 0x5dcd19fee328 in CGUIWindowSettingsCategory::~CGUIWindowSettingsCategory() xbmc/settings/windows/GUIWindowSettingsCategory.cpp:66:57
#4 0x5dcd19fee438 in CGUIWindowSettingsCategory::~CGUIWindowSettingsCategory() xbmc/settings/windows/GUIWindowSettingsCategory.cpp:66:57
#5 0x5dcd1899e2ea in CGUIWindowManager::DestroyWindow(int) xbmc/guilib/GUIWindowManager.cpp:489:5
#6 0x5dcd1899d5bd in CGUIWindowManager::DestroyWindows() xbmc/guilib/GUIWindowManager.cpp:459:5
#7 0x5dcd18f2e94e in CApplication::Cleanup() xbmc/application/Application.cpp:1917:34
#8 0x5dcd18f2d405 in CApplication::Run() xbmc/application/Application.cpp:1876:3
#9 0x5dcd1806a143 in XBMC_Run xbmc/platform/xbmc.cpp:61:26
#10 0x5dcd14c97b2f in main xbmc/platform/posix/main.cpp:70:16
#11 0x7fb259c43ccf (/usr/lib/libc.so.6+0x25ccf) (BuildId: c0caa0b7709d3369ee575fcd7d7d0b0fc48733af)
#12 0x7fb259c43d89 in __libc_start_main (/usr/lib/libc.so.6+0x25d89) (BuildId: c0caa0b7709d3369ee575fcd7d7d0b0fc48733af)
#13 0x5dcd14b5d7b4 in _start (/home/mark/Coding/Repos/kodi-git/build_clang_debug_sanitizer/kodi.bin+0xa3197b4) (BuildId: e4bf2336bbd9ba3ae66ffab4d8a0bca77c50c089)
0x51d0015bd080 is located 0 bytes inside of 2096-byte region [0x51d0015bd080,0x51d0015bd8b0)
freed by thread T0 here:
#0 0x5dcd14c954ca in operator delete(void*) (/home/mark/Coding/Repos/kodi-git/build_clang_debug_sanitizer/kodi.bin+0xa4514ca) (BuildId: e4bf2336bbd9ba3ae66ffab4d8a0bca77c50c089)
#1 0x5dcd18582f01 in CGUIEditControl::~CGUIEditControl() xbmc/guilib/GUIEditControl.cpp:106:39
#2 0x5dcd18526695 in CGUIControlGroup::ClearAll() xbmc/guilib/GUIControlGroup.cpp:525:5
#3 0x5dcd1896d04d in CGUIWindow::ClearAll() xbmc/guilib/GUIWindow.cpp:816:21
#4 0x5dcd1896ca47 in CGUIWindow::FreeResources(bool) xbmc/guilib/GUIWindow.cpp:799:53
#5 0x5dcd189c6ae4 in CGUIWindowManager::DeInitialize() xbmc/guilib/GUIWindowManager.cpp:1452:14
#6 0x5dcd190329d2 in CApplicationSkinHandling::UnloadSkin() xbmc/application/ApplicationSkinHandling.cpp:235:29
#7 0x5dcd18f2dd81 in CApplication::Cleanup() xbmc/application/Application.cpp:1895:47
#8 0x5dcd18f2d405 in CApplication::Run() xbmc/application/Application.cpp:1876:3
#9 0x5dcd1806a143 in XBMC_Run xbmc/platform/xbmc.cpp:61:26
#10 0x5dcd14c97b2f in main xbmc/platform/posix/main.cpp:70:16
#11 0x7fb259c43ccf (/usr/lib/libc.so.6+0x25ccf) (BuildId: c0caa0b7709d3369ee575fcd7d7d0b0fc48733af)
previously allocated by thread T0 here:
#0 0x5dcd14c94a32 in operator new(unsigned long) (/home/mark/Coding/Repos/kodi-git/build_clang_debug_sanitizer/kodi.bin+0xa450a32) (BuildId: e4bf2336bbd9ba3ae66ffab4d8a0bca77c50c089)
#1 0x5dcd184dd051 in CGUIControlFactory::Create(int, CRectGen<float> const&, TiXmlElement*, bool) xbmc/guilib/GUIControlFactory.cpp:1298:17
#2 0x5dcd18956174 in CGUIWindow::LoadControl(TiXmlElement*, CGUIControlGroup*, CRectGen<float> const&) xbmc/guilib/GUIWindow.cpp:281:38
#3 0x5dcd189559a6 in CGUIWindow::Load(TiXmlElement*) xbmc/guilib/GUIWindow.cpp:264:11
#4 0x5dcd18578d5a in CGUIDialog::Load(TiXmlElement*) xbmc/guilib/GUIDialog.cpp:39:22
#5 0x5dcd1894e307 in CGUIWindow::LoadXML(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&) xbmc/guilib/GUIWindow.cpp:155:10
#6 0x5dcd1894c370 in CGUIWindow::Load(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, bool) xbmc/guilib/GUIWindow.cpp:109:14
#7 0x5dcd1896b8f5 in CGUIWindow::AllocResources(bool) xbmc/guilib/GUIWindow.cpp:765:7
#8 0x5dcd18963aa7 in CGUIWindow::OnMessage(CGUIMessage&) xbmc/guilib/GUIWindow.cpp:594:52
#9 0x5dcd1857a996 in CGUIDialog::OnMessage(CGUIMessage&) xbmc/guilib/GUIDialog.cpp:93:19
#10 0x5dcd1a2332c2 in CGUIDialogSettingsBase::OnMessage(CGUIMessage&) xbmc/settings/dialogs/GUIDialogSettingsBase.cpp:264:22
#11 0x5dcd19feeab3 in CGUIWindowSettingsCategory::OnMessage(CGUIMessage&) xbmc/settings/windows/GUIWindowSettingsCategory.cpp:75:38
#12 0x5dcd189b01d1 in CGUIWindowManager::ActivateWindow_Internal(int, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>>> const&, bool, bool) xbmc/guilib/GUIWindowManager.cpp:896:15
#13 0x5dcd189abc6c in CGUIWindowManager::ActivateWindow(int, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>>> const&, bool, bool) xbmc/guilib/GUIWindowManager.cpp:802:5
#14 0x5dcd189a9ac5 in CGUIWindowManager::ActivateWindow(int, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&) xbmc/guilib/GUIWindowManager.cpp:779:3
#15 0x5dcd19030b15 in CApplicationSkinHandling::LoadSkin(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&) xbmc/application/ApplicationSkinHandling.cpp:186:50
#16 0x5dcd19038596 in CApplicationSkinHandling::ReloadSkin(bool) xbmc/application/ApplicationSkinHandling.cpp:390:7
#17 0x5dcd1c404429 in ReloadSkin(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>>> const&) xbmc/interfaces/builtins/SkinBuiltins.cpp:46:12
#18 0x5dcd1c372a75 in CBuiltins::Execute(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&) xbmc/interfaces/builtins/Builtins.cpp:158:14
#19 0x5dcd18f1bf6a in CApplication::OnApplicationMessage(KODI::MESSAGING::ThreadMessage*) xbmc/application/Application.cpp:1577:30
#20 0x5dcd18f27390 in non-virtual thunk to CApplication::OnApplicationMessage(KODI::MESSAGING::ThreadMessage*) xbmc/application/Application.cpp
#21 0x5dcd181b400d in KODI::MESSAGING::CApplicationMessenger::ProcessMessage(KODI::MESSAGING::ThreadMessage*) xbmc/messaging/ApplicationMessenger.cpp:244:17
#22 0x5dcd181b6325 in KODI::MESSAGING::CApplicationMessenger::ProcessMessages() xbmc/messaging/ApplicationMessenger.cpp:217:5
#23 0x5dcd18f5501a in CApplication::Process() xbmc/application/Application.cpp:3156:38
#24 0x5dcd18f2cac8 in CApplication::Run() xbmc/application/Application.cpp:1855:5
#25 0x5dcd1806a143 in XBMC_Run xbmc/platform/xbmc.cpp:61:26
#26 0x5dcd14c97b2f in main xbmc/platform/posix/main.cpp:70:16
#27 0x7fb259c43ccf (/usr/lib/libc.so.6+0x25ccf) (BuildId: c0caa0b7709d3369ee575fcd7d7d0b0fc48733af)
SUMMARY: AddressSanitizer: heap-use-after-free xbmc/settings/dialogs/GUIDialogSettingsBase.cpp:476:5 in CGUIDialogSettingsBase::DeleteControls()
Shadow bytes around the buggy address:
0x51d0015bce00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x51d0015bce80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x51d0015bcf00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x51d0015bcf80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x51d0015bd000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x51d0015bd080:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x51d0015bd100: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x51d0015bd180: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x51d0015bd200: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x51d0015bd280: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x51d0015bd300: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==29999==ABORTING
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Seems this was already supported previously, should be easy to port
The text was updated successfully, but these errors were encountered: