Nil A
2023-10-25 19:44:22 UTC
Hello, All!
Из меня, наверное, хороший бы тестировщик вышел. Умею я таки юзкейсы задвинуть.
Как воспроизвести?
1. Добавить EchoArea на несуществующий файл, например, я тогда верифицировал
другой баг https://github.com/golded-plus/golded-plus/issues/29
EchoArea golded.test /home/fido/msgbase/golded.test -b squish
2. Нажать alt-c, Catch All.
И тут есть два интересных последствия.
Во-первых, в golded.log запишется вот такое
---------- Wed 25 Oct 23, GoldED+/LNX 1.1.5-b20231021 (Oct 22 2023 08:25:41)
! 19:03:11 Open error exit at [gmosqsh1.cpp,172].
! 19:03:11 A Squish msgbase file could not be opened.
: 19:03:11 /home/fido/msgbase/golded.test.sqd.
: 19:03:11 Linux 2.6.32-042stab145.3 CPU UNKNOWN reports error 2: No such file
or directory.
! 19:03:11 Function track dump follows:
- 19:03:11 01223357 void SquishArea::raw_close()
- 19:03:11 01223293 int SquishArea::test_open(const char*)
- 19:03:11 01223288 void SquishArea::raw_open()
- 19:03:11 01223273 virtual void SquishArea::open()
[...skip...]
Во-вторых, случится heap-use-after-free
==27907==ERROR: AddressSanitizer: heap-use-after-free on address 0x60f00000720c
at pc 0x00000041a9b4 bp 0x7ffc50f66560 sp 0x7ffc50f66558
READ of size 4 at 0x60f00000720c thread T0
#0 0x41a9b3 in gwindow::activate_quick()
/home/fido/src/golded-plus/goldlib/gcui/gwindow.h:372
#1 0x41abb5 in gwindow::close()
/home/fido/src/golded-plus/goldlib/gcui/gwindow.h:383
#2 0x86d4e5 in GMsgBodyView::Destroy()
/home/fido/src/golded-plus/golded3/geview.cpp:453
#3 0x86be0c in GMsgBodyView::~GMsgBodyView()
/home/fido/src/golded-plus/golded3/geview.cpp:417
#4 0x86c08d in GMsgBodyView::~GMsgBodyView()
/home/fido/src/golded-plus/golded3/geview.cpp:418
#5 0x5b3c7d in Cleanup() /home/fido/src/golded-plus/golded3/gedoss.cpp:196
#6 0x7fe2da9741a8 (/lib/x86_64-linux-gnu/libc.so.6+0x3c1a8)
#7 0x7fe2da9741f4 in exit (/lib/x86_64-linux-gnu/libc.so.6+0x3c1f4)
#8 0x5b7731 in ErrorExit(int)
/home/fido/src/golded-plus/golded3/gedoss.cpp:701
#9 0x944a55 in SquishArea::test_open(char const*)
/home/fido/src/golded-plus/goldlib/gmb3/gmosqsh1.cpp:177
#10 0x944e2c in SquishArea::raw_open()
/home/fido/src/golded-plus/goldlib/gmb3/gmosqsh1.cpp:200
#11 0x94637f in SquishArea::open()
/home/fido/src/golded-plus/goldlib/gmb3/gmosqsh1.cpp:237
#12 0x87e9d5 in Area::Open()
/home/fido/src/golded-plus/golded3/gmarea.cpp:376
#13 0x543744 in GPickArealist::AreaCatchUp(unsigned int)
/home/fido/src/golded-plus/golded3/gearea.cpp:542
#14 0x5487a4 in GPickArealist::handle_key()
/home/fido/src/golded-plus/golded3/gearea.cpp:701
#15 0xbae3d7 in gwinpick::default_handle_key()
/home/fido/src/golded-plus/goldlib/gcui/gwinpick.cpp:454
#16 0xbb1c77 in gwinpick::run_picker()
/home/fido/src/golded-plus/goldlib/gcui/gwinpick.cpp:594
#17 0x552351 in GPickArealist::Run(char const*, int, int&)
/home/fido/src/golded-plus/golded3/gearea.cpp:1030
#18 0x552b7f in AreaPick(char*, int, int*)
/home/fido/src/golded-plus/golded3/gearea.cpp:1057
#19 0x7d4c92 in NewArea(bool)
/home/fido/src/golded-plus/golded3/geread2.cpp:545
#20 0x7c612c in GoNextMsg()
/home/fido/src/golded-plus/golded3/geread.cpp:1481
#21 0x7c6202 in GotoNextMsg()
/home/fido/src/golded-plus/golded3/geread.cpp:1505
#22 0x7bd3ba in Reader() /home/fido/src/golded-plus/golded3/geread.cpp:697
#23 0x6c7755 in main /home/fido/src/golded-plus/golded3/gemain.cpp:54
#24 0x7fe2da959f44 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
#25 0x408fb8
(/home/fido/src/golded-plus/build_asan/golded3/golded+0x408fb8)
0x60f00000720c is located 92 bytes inside of 168-byte region
[0x60f0000071b0,0x60f000007258)
freed by thread T0 here:
#0 0x7fe2dc31b307 in __interceptor_free
../../../../src/libsanitizer/asan/asan_malloc_linux.cc:122
#1 0xaed8eb in throw_free_debug(void*, char const*, int)
/home/fido/src/golded-plus/goldlib/gall/gmemdbg.cpp:478
#2 0xaeeeba in throw_xfree_debug(void*, char const*, int)
/home/fido/src/golded-plus/goldlib/gall/gmemdbg.cpp:760
#3 0xb5ef19 in wclose()
/home/fido/src/golded-plus/goldlib/gcui/gwinbase.cpp:253
#4 0xb5f42e in wcloseall()
/home/fido/src/golded-plus/goldlib/gcui/gwinbase.cpp:281
#5 0x5b361b in Cleanup() /home/fido/src/golded-plus/golded3/gedoss.cpp:158
#6 0x7fe2da9741a8 (/lib/x86_64-linux-gnu/libc.so.6+0x3c1a8)
previously allocated by thread T0 here:
#0 0x7fe2dc31b89e in __interceptor_calloc
../../../../src/libsanitizer/asan/asan_malloc_linux.cc:153
#1 0xaebff7 in throw_calloc_debug(unsigned long, unsigned long, char
const*, int) /home/fido/src/golded-plus/goldlib/gall/gmemdbg.cpp:333
#2 0xaebe9b in throw_malloc_debug(unsigned long, char const*, int)
/home/fido/src/golded-plus/goldlib/gall/gmemdbg.cpp:305
#3 0xaeed8f in throw_xmalloc_debug(unsigned long, char const*, int)
/home/fido/src/golded-plus/goldlib/gall/gmemdbg.cpp:729
#4 0xb5db8e in wopen(int, int, int, int, int, int, int, int, int)
/home/fido/src/golded-plus/goldlib/gcui/gwinbase.cpp:160
#5 0x52e5e4 in gwindow::open(int, int, int, int, int, int, int, int, int)
(/home/fido/src/golded-plus/build_asan/golded3/golded+0x52e5e4)
#6 0x52e8df in gwindow::openxy(int, int, int, int, int, int, int, int, int)
(/home/fido/src/golded-plus/build_asan/golded3/golded+0x52e8df)
#7 0x86cbd6 in GMsgBodyView::Create()
/home/fido/src/golded-plus/golded3/geview.cpp:428
#8 0x7b5203 in Reader() /home/fido/src/golded-plus/golded3/geread.cpp:238
#9 0x6c7755 in main /home/fido/src/golded-plus/golded3/gemain.cpp:54
#10 0x7fe2da959f44 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
SUMMARY: AddressSanitizer: heap-use-after-free
/home/fido/src/golded-plus/goldlib/gcui/gwindow.h:372 in
gwindow::activate_quick()
Best Regards, Nil
Из меня, наверное, хороший бы тестировщик вышел. Умею я таки юзкейсы задвинуть.
Как воспроизвести?
1. Добавить EchoArea на несуществующий файл, например, я тогда верифицировал
другой баг https://github.com/golded-plus/golded-plus/issues/29
EchoArea golded.test /home/fido/msgbase/golded.test -b squish
2. Нажать alt-c, Catch All.
И тут есть два интересных последствия.
Во-первых, в golded.log запишется вот такое
---------- Wed 25 Oct 23, GoldED+/LNX 1.1.5-b20231021 (Oct 22 2023 08:25:41)
! 19:03:11 Open error exit at [gmosqsh1.cpp,172].
! 19:03:11 A Squish msgbase file could not be opened.
: 19:03:11 /home/fido/msgbase/golded.test.sqd.
: 19:03:11 Linux 2.6.32-042stab145.3 CPU UNKNOWN reports error 2: No such file
or directory.
! 19:03:11 Function track dump follows:
- 19:03:11 01223357 void SquishArea::raw_close()
- 19:03:11 01223293 int SquishArea::test_open(const char*)
- 19:03:11 01223288 void SquishArea::raw_open()
- 19:03:11 01223273 virtual void SquishArea::open()
[...skip...]
Во-вторых, случится heap-use-after-free
==27907==ERROR: AddressSanitizer: heap-use-after-free on address 0x60f00000720c
at pc 0x00000041a9b4 bp 0x7ffc50f66560 sp 0x7ffc50f66558
READ of size 4 at 0x60f00000720c thread T0
#0 0x41a9b3 in gwindow::activate_quick()
/home/fido/src/golded-plus/goldlib/gcui/gwindow.h:372
#1 0x41abb5 in gwindow::close()
/home/fido/src/golded-plus/goldlib/gcui/gwindow.h:383
#2 0x86d4e5 in GMsgBodyView::Destroy()
/home/fido/src/golded-plus/golded3/geview.cpp:453
#3 0x86be0c in GMsgBodyView::~GMsgBodyView()
/home/fido/src/golded-plus/golded3/geview.cpp:417
#4 0x86c08d in GMsgBodyView::~GMsgBodyView()
/home/fido/src/golded-plus/golded3/geview.cpp:418
#5 0x5b3c7d in Cleanup() /home/fido/src/golded-plus/golded3/gedoss.cpp:196
#6 0x7fe2da9741a8 (/lib/x86_64-linux-gnu/libc.so.6+0x3c1a8)
#7 0x7fe2da9741f4 in exit (/lib/x86_64-linux-gnu/libc.so.6+0x3c1f4)
#8 0x5b7731 in ErrorExit(int)
/home/fido/src/golded-plus/golded3/gedoss.cpp:701
#9 0x944a55 in SquishArea::test_open(char const*)
/home/fido/src/golded-plus/goldlib/gmb3/gmosqsh1.cpp:177
#10 0x944e2c in SquishArea::raw_open()
/home/fido/src/golded-plus/goldlib/gmb3/gmosqsh1.cpp:200
#11 0x94637f in SquishArea::open()
/home/fido/src/golded-plus/goldlib/gmb3/gmosqsh1.cpp:237
#12 0x87e9d5 in Area::Open()
/home/fido/src/golded-plus/golded3/gmarea.cpp:376
#13 0x543744 in GPickArealist::AreaCatchUp(unsigned int)
/home/fido/src/golded-plus/golded3/gearea.cpp:542
#14 0x5487a4 in GPickArealist::handle_key()
/home/fido/src/golded-plus/golded3/gearea.cpp:701
#15 0xbae3d7 in gwinpick::default_handle_key()
/home/fido/src/golded-plus/goldlib/gcui/gwinpick.cpp:454
#16 0xbb1c77 in gwinpick::run_picker()
/home/fido/src/golded-plus/goldlib/gcui/gwinpick.cpp:594
#17 0x552351 in GPickArealist::Run(char const*, int, int&)
/home/fido/src/golded-plus/golded3/gearea.cpp:1030
#18 0x552b7f in AreaPick(char*, int, int*)
/home/fido/src/golded-plus/golded3/gearea.cpp:1057
#19 0x7d4c92 in NewArea(bool)
/home/fido/src/golded-plus/golded3/geread2.cpp:545
#20 0x7c612c in GoNextMsg()
/home/fido/src/golded-plus/golded3/geread.cpp:1481
#21 0x7c6202 in GotoNextMsg()
/home/fido/src/golded-plus/golded3/geread.cpp:1505
#22 0x7bd3ba in Reader() /home/fido/src/golded-plus/golded3/geread.cpp:697
#23 0x6c7755 in main /home/fido/src/golded-plus/golded3/gemain.cpp:54
#24 0x7fe2da959f44 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
#25 0x408fb8
(/home/fido/src/golded-plus/build_asan/golded3/golded+0x408fb8)
0x60f00000720c is located 92 bytes inside of 168-byte region
[0x60f0000071b0,0x60f000007258)
freed by thread T0 here:
#0 0x7fe2dc31b307 in __interceptor_free
../../../../src/libsanitizer/asan/asan_malloc_linux.cc:122
#1 0xaed8eb in throw_free_debug(void*, char const*, int)
/home/fido/src/golded-plus/goldlib/gall/gmemdbg.cpp:478
#2 0xaeeeba in throw_xfree_debug(void*, char const*, int)
/home/fido/src/golded-plus/goldlib/gall/gmemdbg.cpp:760
#3 0xb5ef19 in wclose()
/home/fido/src/golded-plus/goldlib/gcui/gwinbase.cpp:253
#4 0xb5f42e in wcloseall()
/home/fido/src/golded-plus/goldlib/gcui/gwinbase.cpp:281
#5 0x5b361b in Cleanup() /home/fido/src/golded-plus/golded3/gedoss.cpp:158
#6 0x7fe2da9741a8 (/lib/x86_64-linux-gnu/libc.so.6+0x3c1a8)
previously allocated by thread T0 here:
#0 0x7fe2dc31b89e in __interceptor_calloc
../../../../src/libsanitizer/asan/asan_malloc_linux.cc:153
#1 0xaebff7 in throw_calloc_debug(unsigned long, unsigned long, char
const*, int) /home/fido/src/golded-plus/goldlib/gall/gmemdbg.cpp:333
#2 0xaebe9b in throw_malloc_debug(unsigned long, char const*, int)
/home/fido/src/golded-plus/goldlib/gall/gmemdbg.cpp:305
#3 0xaeed8f in throw_xmalloc_debug(unsigned long, char const*, int)
/home/fido/src/golded-plus/goldlib/gall/gmemdbg.cpp:729
#4 0xb5db8e in wopen(int, int, int, int, int, int, int, int, int)
/home/fido/src/golded-plus/goldlib/gcui/gwinbase.cpp:160
#5 0x52e5e4 in gwindow::open(int, int, int, int, int, int, int, int, int)
(/home/fido/src/golded-plus/build_asan/golded3/golded+0x52e5e4)
#6 0x52e8df in gwindow::openxy(int, int, int, int, int, int, int, int, int)
(/home/fido/src/golded-plus/build_asan/golded3/golded+0x52e8df)
#7 0x86cbd6 in GMsgBodyView::Create()
/home/fido/src/golded-plus/golded3/geview.cpp:428
#8 0x7b5203 in Reader() /home/fido/src/golded-plus/golded3/geread.cpp:238
#9 0x6c7755 in main /home/fido/src/golded-plus/golded3/gemain.cpp:54
#10 0x7fe2da959f44 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
SUMMARY: AddressSanitizer: heap-use-after-free
/home/fido/src/golded-plus/goldlib/gcui/gwindow.h:372 in
gwindow::activate_quick()
Best Regards, Nil