[Webkit-unassigned] [Bug 255678] New: [GStreamer] GstGLContext use-after-free

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Apr 19 14:04:54 PDT 2023 

https://bugs.webkit.org/show_bug.cgi?id=255678

            Bug ID: 255678
           Summary: [GStreamer] GstGLContext use-after-free
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebKitGTK
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: pgriffis at igalia.com
                CC: bugs-noreply at webkitgtk.org

When closing the application this triggers ASAN:

    #0 0x7fef0bd3dc03 in WTF::GRefPtr<_GstGLContext>::operator=(_GstGLContext*) /home/tingping/Projects/WebKit/_build/WTF/Headers/wtf/glib/GRefPtr.h:157:14
    #1 0x7fef0bd3dc03 in WebCore::PlatformDisplay::terminateEGLDisplay() /home/tingping/Projects/WebKit/Source/WebCore/platform/graphics/PlatformDisplay.cpp:355:20
    #2 0x7fef0bd3dc03 in WebCore::PlatformDisplay::initializeEGLDisplay()::$_4::operator()() const /home/tingping/Projects/WebKit/Source/WebCore/platform/graphics/PlatformDisplay.cpp:344:26
    #3 0x7fef0bd3dc03 in WebCore::PlatformDisplay::initializeEGLDisplay()::$_4::__invoke() /home/tingping/Projects/WebKit/Source/WebCore/platform/graphics/PlatformDisplay.cpp:341:21
    #4 0x7feef75820b4 in __run_exit_handlers (/lib64/libc.so.6+0x3f0b4) (BuildId: 81daba31ee66dbd63efdc4252a872949d874d136)
    #5 0x7feef758222f in exit (/lib64/libc.so.6+0x3f22f) (BuildId: 81daba31ee66dbd63efdc4252a872949d874d136)
    #6 0x7feef756a516 in __libc_start_call_main (/lib64/libc.so.6+0x27516) (BuildId: 81daba31ee66dbd63efdc4252a872949d874d136)
    #7 0x7feef756a5c8 in __libc_start_main at GLIBC_2.2.5 (/lib64/libc.so.6+0x275c8) (BuildId: 81daba31ee66dbd63efdc4252a872949d874d136)
    #8 0x255454 in _start (/home/tingping/Projects/WebKit/_build/bin/WebKitWebProcess+0x255454) (BuildId: 9f6dd881b3dab5d1)

0x60f00003eaf8 is located 136 bytes inside of 168-byte region [0x60f00003ea70,0x60f00003eb18)
freed by thread T0 here:
    #0 0x309218 in __interceptor_free.part.0 (/home/tingping/Projects/WebKit/_build/bin/WebKitWebProcess+0x309218) (BuildId: 9f6dd881b3dab5d1)
    #1 0x7feeffe4d986 in bmalloc::DebugHeap::free(void*) /home/tingping/Projects/WebKit/Source/bmalloc/bmalloc/DebugHeap.cpp:140:5
    #2 0x7feeffe4d986 in pas_debug_heap_free /home/tingping/Projects/WebKit/Source/bmalloc/bmalloc/DebugHeap.cpp:239:31
    #3 0x7feeffea1625 in bmalloc_heap_config_specialized_try_deallocate_not_small_exclusive_segregated /home/tingping/Projects/WebKit/Source/bmalloc/libpas/src/libpas/pas_deallocate.h:104:9
    #4 0x7feeffc424c8 in pas_try_deallocate_impl(pas_thread_local_cache*, void*, pas_heap_config, pas_deallocation_mode) /home/tingping/Projects/WebKit/_build/bmalloc/Headers/bmalloc/pas_deallocate.h:171:12
    #5 0x7feeffc424c8 in pas_try_deallocate(void*, pas_heap_config, pas_deallocation_mode) /home/tingping/Projects/WebKit/_build/bmalloc/Headers/bmalloc/pas_deallocate.h:207:12
    #6 0x7feeffc424c8 in pas_deallocate(void*, pas_heap_config) /home/tingping/Projects/WebKit/_build/bmalloc/Headers/bmalloc/pas_deallocate.h:213:5
    #7 0x7feeffc424c8 in bmalloc_deallocate_inline(void*) /home/tingping/Projects/WebKit/_build/bmalloc/Headers/bmalloc/bmalloc_heap_inlines.h:572:5
    #8 0x7feeffc424c8 in bmalloc::api::free(void*, bmalloc::HeapKind) /home/tingping/Projects/WebKit/_build/bmalloc/Headers/bmalloc/bmalloc.h:145:5
    #9 0x7feeffc424c8 in WTF::fastFree(void*) /home/tingping/Projects/WebKit/Source/WTF/wtf/FastMalloc.cpp:566:5
    #10 0x7fef0be8b545 in WebCore::PlatformDisplay::operator delete(void*) /home/tingping/Projects/WebKit/Source/WebCore/platform/graphics/PlatformDisplay.h:68:44
    #11 0x7fef0be8b545 in WebCore::PlatformDisplayWayland::~PlatformDisplayWayland() /home/tingping/Projects/WebKit/Source/WebCore/platform/graphics/wayland/PlatformDisplayWayland.cpp:95:1
    #12 0x7fef0bd3deaa in std::default_delete<WebCore::PlatformDisplay>::operator()(WebCore::PlatformDisplay*) const /usr/bin/../lib/gcc/x86_64-redhat-linux/12/../../../../include/c++/12/bits/unique_ptr.h:95:2
    #13 0x7fef0bd3deaa in std::unique_ptr<WebCore::PlatformDisplay, std::default_delete<WebCore::PlatformDisplay>>::~unique_ptr() /usr/bin/../lib/gcc/x86_64-redhat-linux/12/../../../../include/c++/12/bits/unique_ptr.h:396:4
    #14 0x7feef75820b4 in __run_exit_handlers (/lib64/libc.so.6+0x3f0b4) (BuildId: 81daba31ee66dbd63efdc4252a872949d874d136)

previously allocated by thread T0 here:
    #0 0x30a1e7 in malloc (/home/tingping/Projects/WebKit/_build/bin/WebKitWebProcess+0x30a1e7) (BuildId: 9f6dd881b3dab5d1)
    #1 0x7feeffe4d606 in bmalloc::DebugHeap::malloc(unsigned long, bmalloc::FailureAction) /home/tingping/Projects/WebKit/Source/bmalloc/bmalloc/DebugHeap.cpp:118:20
    #2 0x7feeffe4d606 in pas_debug_heap_malloc /home/tingping/Projects/WebKit/Source/bmalloc/bmalloc/DebugHeap.cpp:224:38
    #3 0x7feeffe56a58 in bmalloc_allocate_impl_casual_case(unsigned long, unsigned long) /home/tingping/Projects/WebKit/Source/bmalloc/libpas/src/libpas/pas_local_allocator_inlines.h
    #4 0x7feeffe56558 in bmalloc_allocate_casual /home/tingping/Projects/WebKit/Source/bmalloc/libpas/src/libpas/bmalloc_heap.c:64:19
    #5 0x7feeffc3fdf2 in bmalloc_allocate_inline(unsigned long) /home/tingping/Projects/WebKit/_build/bmalloc/Headers/bmalloc/bmalloc_heap_inlines.h:120:12
    #6 0x7feeffc3fdf2 in bmalloc::api::malloc(unsigned long, bmalloc::HeapKind) /home/tingping/Projects/WebKit/_build/bmalloc/Headers/bmalloc/bmalloc.h:72:16
    #7 0x7feeffc3fdf2 in WTF::fastMalloc(unsigned long) /home/tingping/Projects/WebKit/Source/WTF/wtf/FastMalloc.cpp:533:20
    #8 0x7fef0be8b179 in WebCore::PlatformDisplay::operator new(unsigned long) /home/tingping/Projects/WebKit/Source/WebCore/platform/graphics/PlatformDisplay.h:68:44
    #9 0x7fef0be8b179 in WebCore::PlatformDisplayWayland::create(_GdkDisplay*) /home/tingping/Projects/WebKit/Source/WebCore/platform/graphics/wayland/PlatformDisplayWayland.cpp:75:68
    #10 0x7fef0bd37b79 in WebCore::PlatformDisplay::createPlatformDisplay() /home/tingping/Projects/WebKit/Source/WebCore/platform/graphics/PlatformDisplay.cpp
    #11 0x7fef0bd3dd2c in WebCore::PlatformDisplay::sharedDisplay()::$_2::operator()() const /home/tingping/Projects/WebKit/Source/WebCore/platform/graphics/PlatformDisplay.cpp:175:19
    #12 0x7fef0bd3dd2c in void std::__invoke_impl<void, WebCore::PlatformDisplay::sharedDisplay()::$_2>(std::__invoke_other, WebCore::PlatformDisplay::sharedDisplay()::$_2&&) /usr/bin/../lib/gcc/x86_64-redhat-linux/12/../../../../include/c++/12/bits/invoke.h:61:14
    #13 0x7fef0bd3dd2c in std::__invoke_result<WebCore::PlatformDisplay::sharedDisplay()::$_2>::type std::__invoke<WebCore::PlatformDisplay::sharedDisplay()::$_2>(WebCore::PlatformDisplay::sharedDisplay()::$_2&&) /usr/bin/../lib/gcc/x86_64-redhat-linux/12/../../../../include/c++/12/bits/invoke.h:96:14
    #14 0x7fef0bd3dd2c in void std::call_once<WebCore::PlatformDisplay::sharedDisplay()::$_2>(std::once_flag&, WebCore::PlatformDisplay::sharedDisplay()::$_2&&)::'lambda'()::operator()() const /usr/bin/../lib/gcc/x86_64-redhat-linux/12/../../../../include/c++/12/mutex:852:4
    #15 0x7fef0bd3dd2c in std::once_flag::_Prepare_execution::_Prepare_execution<void std::call_once<WebCore::PlatformDisplay::sharedDisplay()::$_2>(std::once_flag&, WebCore::PlatformDisplay::sharedDisplay()::$_2&&)::'lambda'()>(WebCore::PlatformDisplay::sharedDisplay()::$_2&)::'lambda'()::operator()() const /usr/bin/../lib/gcc/x86_64-redhat-linux/12/../../../../include/c++/12/mutex:788:21
    #16 0x7fef0bd3dd2c in std::once_flag::_Prepare_execution::_Prepare_execution<void std::call_once<WebCore::PlatformDisplay::sharedDisplay()::$_2>(std::once_flag&, WebCore::PlatformDisplay::sharedDisplay()::$_2&&)::'lambda'()>(WebCore::PlatformDisplay::sharedDisplay()::$_2&)::'lambda'()::__invoke() /usr/bin/../lib/gcc/x86_64-redhat-linux/12/../../../../include/c++/12/mutex:788:16
    #17 0x7feef75d3086 in __pthread_once_slow (/lib64/libc.so.6+0x90086) (BuildId: 81daba31ee66dbd63efdc4252a872949d874d136)

SUMMARY: AddressSanitizer: heap-use-after-free /home/tingping/Projects/WebKit/_build/WTF/Headers/wtf/glib/GRefPtr.h:157:14 in WTF::GRefPtr<_GstGLContext>::operator=(_GstGLContext*)

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20230419/28b1500e/attachment-0001.htm>

More information about the webkit-unassigned mailing list