Address sanitizer detects a use after free when adding Genie to a patch.
Rack: 5551617afff182925940908eaf73a7d7361303cc
RPJ: 5b4b7d03746019210d4a4b0e7f414606f9b1664b
Build Command: make -j10 EXTRA_FLAGS=-fsanitize=address EXTRA_LDFLAGS=-fsanitize=address
[9.254 info src/app/Browser.cpp:89 chooseModel] Creating module RPJ Genie
[9.254 info src/app/Browser.cpp:93 chooseModel] Creating module widget RPJ Genie
=================================================================
==82150==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000037940 at pc 0x00000c13e851 bp 0x00020636e990 sp 0x00020636e988
WRITE of size 4 at 0x619000037940 thread T15
#0 0xc13e850 in Genie::doPendulum(rack::engine::Module::ProcessArgs const&) Genie.cpp:97
#1 0x2113868 in rack::engine::Module::doProcess(rack::engine::Module::ProcessArgs const&) Module.cpp
#2 0x20fd4b7 in rack::engine::Engine::stepBlock(int) Engine.cpp:551
#3 0x210a6da in rack::engine::Engine_fallbackRun(rack::engine::Engine*) Engine.cpp:1324
#4 0x210d81a in void* std::__1::__thread_proxy<std::__1::tuple<std::__1::unique_ptr<std::__1::__thread_struct, std::__1::default_delete<std::__1::__thread_struct> >, void (*)(rack::engine::Engine*), rack::engine::Engine*> >(void*) thread:298
#5 0x7ff80354d4e0 in _pthread_start+0x7c (libsystem_pthread.dylib:x86_64+0x64e0)
#6 0x7ff803548f6a in thread_start+0xe (libsystem_pthread.dylib:x86_64+0x1f6a)
0x619000037940 is located 0 bytes to the right of 960-byte region [0x619000037580,0x619000037940)
allocated by thread T0 here:
#0 0xfc326d in wrap__Znwm+0x7d (libclang_rt.asan_osx_dynamic.dylib:x86_64+0x5426d)
#1 0x2115b1e in std::__1::vector<rack::engine::Output, std::__1::allocator<rack::engine::Output> >::__append(unsigned long) vector:1115
#2 0x210f7f9 in rack::engine::Module::config(int, int, int, int) Module.cpp:64
#3 0xc13ac9d in Genie::Genie() Genie.cpp:29
#4 0xc146ae4 in rack::plugin::Model* rack::createModel<Genie, GenieModuleWidget>(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >)::TModel::createModule() helpers.hpp:27
#5 0x1f9c8ed in rack::app::browser::chooseModel(rack::plugin::Model*) Browser.cpp:90
#6 0x1f9885b in rack::app::browser::ModelBox::onButton(rack::widget::Widget::ButtonEvent const&) Browser.cpp:259
#7 0x1f9ad10 in rack::widget::Widget::onButton(rack::widget::Widget::ButtonEvent const&) Widget.hpp:234
#8 0x1f9ad10 in rack::widget::Widget::onButton(rack::widget::Widget::ButtonEvent const&) Widget.hpp:234
#9 0x1f9ad10 in rack::widget::Widget::onButton(rack::widget::Widget::ButtonEvent const&) Widget.hpp:234
#10 0x21375b8 in rack::ui::ScrollWidget::onButton(rack::widget::Widget::ButtonEvent const&) ScrollWidget.cpp:130
#11 0x1f97668 in rack::app::browser::Browser::onButton(rack::widget::Widget::ButtonEvent const&) Browser.cpp:781
#12 0x2131e94 in rack::ui::MenuOverlay::onButton(rack::widget::Widget::ButtonEvent const&) MenuOverlay.cpp:34
#13 0x1f66a48 in rack::widget::OpaqueWidget::onButton(rack::widget::Widget::ButtonEvent const&) OpaqueWidget.hpp:21
#14 0x215cc9a in rack::widget::EventState::handleButton(rack::math::Vec, int, int, int) event.cpp:134
#15 0x7ff80617ecd0 in -[NSWindow(NSEventRouting) _handleMouseDownEvent:isDelayedEvent:]+0x12fa (AppKit:x86_64+0x23ccd0)
#16 0x7ff8060f2e8d in -[NSWindow(NSEventRouting) _reallySendEvent:isDelayedEvent:]+0xa15 (AppKit:x86_64+0x1b0e8d)
#17 0x7ff8060f225d in -[NSWindow(NSEventRouting) sendEvent:]+0x15f (AppKit:x86_64+0x1b025d)
#18 0x7ff8060f0633 in -[NSApplication(NSEvent) sendEvent:]+0x15f (AppKit:x86_64+0x1ae633)
#19 0x223ec30 in _glfwPollEventsCocoa cocoa_window.m:1419
#20 0x2169024 in rack::window::Window::step() Window.cpp:431
#21 0x2168dc3 in rack::window::Window::run() Window.cpp:409
#22 0xb329e1 in main standalone.cpp:240
#23 0x100f3652d in start+0x1cd (dyld:x86_64+0x552d)
#24 0x100f30fff (<unknown module>)
Thread T15 created by T0 here:
#0 0xfb08cc in wrap_pthread_create+0x5c (libclang_rt.asan_osx_dynamic.dylib:x86_64+0x418cc)
#1 0x210d6d7 in std::__1::thread::thread<void (&)(rack::engine::Engine*), rack::engine::Engine*, void>(void (&)(rack::engine::Engine*), rack::engine::Engine*&&) thread:314
#2 0x210a1ea in rack::engine::Engine::startFallbackThread() Engine.cpp:1348
#3 0xb32930 in main standalone.cpp:227
#4 0x100f3652d in start+0x1cd (dyld:x86_64+0x552d)
#5 0x100f30fff (<unknown module>)
SUMMARY: AddressSanitizer: heap-buffer-overflow Genie.cpp:97 in Genie::doPendulum(rack::engine::Module::ProcessArgs const&)
Shadow bytes around the buggy address:
==82150==ABORTING
zsh: abort ./Rack -d
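A triage helper, added here and not part of the report or of the Rack/RPJ code, that parses an AddressSanitizer report of the shape above: it takes the error class from the ERROR line rather than from the report title, pairs the faulting access with the "N bytes to the right of" region line, and picks the first plugin frame out of each stack (the list of runtime and Rack prefixes it skips is an assumption).

```python
import re

# Constructed sample: the lines this parser reads, taken from the report above
# (frame indentation restored; thread-creation, shadow and summary lines omitted).
SAMPLE_REPORT = """\
==82150==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000037940 at pc 0x00000c13e851 bp 0x00020636e990 sp 0x00020636e988
WRITE of size 4 at 0x619000037940 thread T15
    #0 0xc13e850 in Genie::doPendulum(rack::engine::Module::ProcessArgs const&) Genie.cpp:97
0x619000037940 is located 0 bytes to the right of 960-byte region [0x619000037580,0x619000037940)
allocated by thread T0 here:
    #0 0xfc326d in wrap__Znwm+0x7d (libclang_rt.asan_osx_dynamic.dylib:x86_64+0x5426d)
    #1 0x2115b1e in std::__1::vector<rack::engine::Output, std::__1::allocator<rack::engine::Output> >::__append(unsigned long) vector:1115
    #2 0x210f7f9 in rack::engine::Module::config(int, int, int, int) Module.cpp:64
    #3 0xc13ac9d in Genie::Genie() Genie.cpp:29
"""

ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (?P<kind>\S+) on address 0x(?P<addr>[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at 0x[0-9a-f]+ thread (?P<thread>T\d+)", re.M)
REGION_RE = re.compile(r"is located (?P<off>\d+) bytes (?P<side>to the (?:right|left) of|inside of) "
                       r"(?P<rsize>\d+)-byte region \[0x(?P<lo>[0-9a-f]+),0x(?P<hi>[0-9a-f]+)\)")
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (?P<rest>.+)$")   # rest = "func(args) file:line"

def parse_asan(report):
    """Error class, faulting access, region geometry and the stacks as (function, location) pairs."""
    p = {"fault_frames": [], "alloc_frames": [], "free_frames": []}
    m = ERROR_RE.search(report);  p["kind"], p["addr"] = m["kind"], int(m["addr"], 16)
    m = ACCESS_RE.search(report); p["op"], p["size"], p["thread"] = m["op"], int(m["size"]), m["thread"]
    m = REGION_RE.search(report); p["offset"], p["side"], p["region_size"] = int(m["off"]), m["side"], int(m["rsize"])
    p["region"] = (int(m["lo"], 16), int(m["hi"], 16))
    target = None  # the frame list that '#N' lines under the current header belong to
    for line in report.splitlines():
        if ACCESS_RE.match(line):            target = p["fault_frames"]
        elif "allocated by thread" in line:  target = p["alloc_frames"]
        elif "freed by thread" in line:      target = p["free_frames"]
        elif line.startswith("Thread "):     target = None   # thread-creation stacks are not needed
        elif (f := FRAME_RE.match(line)) and target is not None:
            func, _, loc = f["rest"].rpartition(" ")       # location is the last token
            target.append((func, loc))
    return p

def first_project_frame(frames, skip=("std::", "wrap_", "rack::")):
    """First frame outside the sanitizer runtime, libc++ and Rack itself: the plugin's own code."""
    return next((f for f in frames if not f[0].startswith(skip)), None)

def classify(p):
    """One-line triage verdict derived from the numbers, not from the report's title."""
    where = "%s of %d bytes, %d bytes %s a %d-byte region" % (p["op"], p["size"], p["offset"], p["side"], p["region_size"])
    if p["kind"] == "heap-buffer-overflow" and p["side"] == "to the right of" and p["offset"] == 0:
        where += " (exactly at the end: typical off-by-one index past the last element)"
    return "%s: %s" % (p["kind"], where)
```

For this report the verdict is a 4-byte write landing exactly at the end of the 960-byte vector<Output> that Module::config allocated from Genie::Genie() (Genie.cpp:29), with the faulting plugin frame Genie::doPendulum (Genie.cpp:97).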