Closed by keinstein 6 years ago
Backtrace:
=================================================================
==16355==ERROR: AddressSanitizer: heap-use-after-free on address 0x618000c41080 at pc 0x5574d9cca8f3 bp 0x7ffe23767d40 sp 0x7ffe23767d38
READ of size 8 at 0x618000c41080 thread T0
#0 0x5574d9cca8f2 in mutaborGUI::MutBoxShape::readDialog(mutaborGUI::BoxDlg*) mutabor/src/wxGUI/Routing/BoxShape.cpp:607
#1 0x5574d9cc81f4 in mutaborGUI::MutBoxShape::DoLeftDblClick() mutabor/src/wxGUI/Routing/BoxShape.cpp:422
#2 0x5574d9ccc779 in mutaborGUI::MutBoxShape::CmLeftDblClick(wxCommandEvent&) mutabor/src/wxGUI/Routing/BoxShape.h:146
#3 0x7fe5b13afd64 in wxAppConsoleBase::HandleEvent(wxEvtHandler*, void (wxEvtHandler::*)(wxEvent&), wxEvent&) const (/home/tobias/.local/lib/libwx_baseu-3.0.so.0+0xe7d64)
0x618000c41080 is located 0 bytes inside of 816-byte region [0x618000c41080,0x618000c413b0)
freed by thread T0 here:
#0 0x7fe5b38f7cf8 in operator delete(void*, unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xebcf8)
#1 0x5574d9ca47cd in mutaborGUI::MutBoxChannelShape::~MutBoxChannelShape() mutabor/src/wxGUI/Routing/BoxChannelShape.cpp:93
#2 0x7fe5b13b0bfe in wxAppConsoleBase::DeletePendingObjects() (/home/tobias/.local/lib/libwx_baseu-3.0.so.0+0xe8bfe)
#3 0x7fe5b13b0ebf in wxAppConsoleBase::ProcessIdle() (/home/tobias/.local/lib/libwx_baseu-3.0.so.0+0xe8ebf)
#4 0x7fe5b1fdc910 in wxAppBase::ProcessIdle() (/usr/lib/x86_64-linux-gnu/libwx_gtk2u_core-3.0.so.0+0x32f910)
previously allocated by thread T0 here:
#0 0x7fe5b38f6900 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xea900)
#1 0x5574d9a2c0b3 in mutaborGUI::GUIRouteFactory::DoCreateBoxChannelShape(boost::mutabor::intrusive_ptr<mutabor::TRouteClass<boost::mutabor::intrusive_ptr<mutabor::InputDeviceClass>, boost::mutabor::intrusive_ptr<mutabor::OutputDeviceClass>, boost::mutabor::intrusive_ptr<mutabor::BoxClass> > >&, wxWindow*) const mutabor/src/wxGUI/Routing/GUIRoute.cpp:645
#2 0x5574d9c1cc53 in mutaborGUI::GUIRouteFactory::CreateBoxChannelShape(boost::mutabor::intrusive_ptr<mutabor::TRouteClass<boost::mutabor::intrusive_ptr<mutabor::InputDeviceClass>, boost::mutabor::intrusive_ptr<mutabor::OutputDeviceClass>, boost::mutabor::intrusive_ptr<mutabor::BoxClass> > >&, wxWindow*) mutabor/src/wxGUI/Routing/GUIRoute.h:310
#3 0x5574d9c1cc53 in mutaborGUI::MutRouteWnd::createRoutes(wxSizerFlags) mutabor/src/wxGUI/MutRouteWnd.cpp:346
#4 0x5574d9c28ab9 in mutaborGUI::MutRouteWnd::InitShapes() mutabor/src/wxGUI/MutRouteWnd.cpp:237
#5 0x5574d9c2a382 in mutaborGUI::MutRouteWnd::MutRouteWnd(wxWindow*, wxPoint const&, wxSize const&) mutabor/src/wxGUI/MutRouteWnd.cpp:207
SUMMARY: AddressSanitizer: heap-use-after-free mutabor/src/wxGUI/Routing/BoxShape.cpp:607 in mutaborGUI::MutBoxShape::readDialog(mutaborGUI::BoxDlg*)
==16355==ABORTING
Abgebrochen
This occurred during a very slow session. Maybe I managed to double-click the box icon multiple times before the dialog opened. If I remember right, I pressed „Delete Box“ twice before I removed the routes and pressed „OK“. If this were three dialogs at the same position, this would explain the behaviour.
As far as I can see now, the error comes from the fact that a double-click event generates a command event that actually calls the method. I have added a flag that is cleared when a double-click event is handled and that is reset after finishing the asynchronous call of the handler function. Tests are running.
Steps to reproduce: Create a box with two channels, connect them to two devices. Hit OK. Double click the box and delete the channel. Mutabor crashes.
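The re-entrancy flag described above, shown on a simplified model; this is an added example, not code from the issue or from Mutabor. `EventLoop`, `BoxShape`, `Channel`, the flag name `dialogPending` and its polarity are assumptions, and a `weak_ptr` stands in for the dangling pointer so the stale access is counted instead of executed.

```cpp
#include <deque>
#include <functional>
#include <memory>
#include <utility>
#include <vector>

// Hypothetical stand-ins for the wx event loop and the box/channel shapes (constructed model).
struct Channel { int id; };
struct EventLoop {
    std::deque<std::function<void()>> pending;
    void post(std::function<void()> f) { pending.push_back(std::move(f)); }
    void run() {  // deliver deferred command events in arrival order
        for (; !pending.empty(); pending.pop_front()) pending.front()();
    }
};

struct BoxShape {
    EventLoop& loop;
    bool guarded;                 // true: apply the re-entrancy flag
    bool dialogPending = false;   // set while a deferred handler is outstanding
    std::vector<std::shared_ptr<Channel>> channels;
    int staleReads = 0;           // handler runs that met an already deleted channel
    BoxShape(EventLoop& l, bool g) : loop(l), guarded(g) {}
    // Double click: the real work is deferred to a command event.
    void onLeftDblClick() {
        if (guarded && dialogPending) return;   // drop clicks until the handler is done
        dialogPending = true;
        std::weak_ptr<Channel> snap;            // what the dialog will operate on
        if (!channels.empty()) snap = channels.front();
        loop.post([this, snap] { cmLeftDblClick(snap); });
    }
    // Deferred handler: the simulated dialog deletes the channel it was opened for.
    void cmLeftDblClick(const std::weak_ptr<Channel>& snap) {
        if (snap.expired()) ++staleReads;       // with a raw pointer: use-after-free
        else channels.clear();                  // user chose to delete the channel
        dialogPending = false;                  // accept the next double click
    }
};

// Two double clicks arrive before the loop delivers the first deferred handler.
int staleReadsAfterTwoClicks(bool guarded) {
    EventLoop loop;
    BoxShape box(loop, guarded);
    box.channels.push_back(std::make_shared<Channel>(Channel{1}));
    box.onLeftDblClick();
    box.onLeftDblClick();
    loop.run();
    return box.staleReads;
}
```

Without the flag the second queued handler runs against a channel the first one already deleted; with it, the second click is dropped before anything is queued.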