mirror of
https://gitlab.freedesktop.org/pipewire/pipewire
synced 2024-10-04 15:10:20 +00:00
test: loop: add test which destroys managed source before reentering
Add a test which triggers two event sources in the loop's "before"
control hook, and destroys the second source in the loop's "after"
control hook, and then reenters the loop in the event handler of
the first source. At the moment, this test triggers a use-after-free.
==2973914==ERROR: AddressSanitizer: heap-use-after-free on address 0x608000000440 [...]
READ of size 4 at 0x608000000440 thread T0
#0 0x7fa97f60c6b7 in loop_iterate ../spa/plugins/support/loop.c:376
#1 0x7fa98472c1eb in pw_main_loop_run ../src/pipewire/main-loop.c:148
#2 0x559995af7a76 in destroy_managed_source_before_dispatch_recurse ../test/test-loop.c:355
#3 0x559995b02678 in start_test_nofork ../test/pwtest.c:882
#4 0x559995b06191 in run_test ../test/pwtest.c:1087
#5 0x559995b0948a in run_tests ../test/pwtest.c:1283
#6 0x559995b0aea4 in main ../test/pwtest.c:1482
#7 0x7fa98360130f in __libc_start_call_main (/usr/lib/libc.so.6+0x2d30f)
#8 0x7fa9836013c0 in __libc_start_main@GLIBC_2.2.5 (/usr/lib/libc.so.6+0x2d3c0)
#9 0x559995aed754 in _start (/home/pb/temp/src/pipewire/build/test/test-loop+0x26754)
0x608000000440 is located 32 bytes inside of 96-byte region [0x608000000420,0x608000000480)
freed by thread T0 here:
#0 0x7fa984ffda79 in __interceptor_free /usr/src/debug/gcc/libsanitizer/asan/asan_malloc_linux.cpp:127
#1 0x7fa97f60b03a in process_destroy ../spa/plugins/support/loop.c:344
#2 0x7fa97f60cbf8 in loop_iterate ../spa/plugins/support/loop.c:387
#3 0x559995af5b62 in dmsbd_recurse_on_event ../test/test-loop.c:298
#4 0x7fa97f60d826 in source_io_func ../spa/plugins/support/loop.c:396
#5 0x7fa97f60c7e7 in loop_iterate ../spa/plugins/support/loop.c:377
#6 0x7fa98472c1eb in pw_main_loop_run ../src/pipewire/main-loop.c:148
#7 0x559995af7a76 in destroy_managed_source_before_dispatch_recurse ../test/test-loop.c:355
#8 0x559995b02678 in start_test_nofork ../test/pwtest.c:882
#9 0x559995b06191 in run_test ../test/pwtest.c:1087
#10 0x559995b0948a in run_tests ../test/pwtest.c:1283
#11 0x559995b0aea4 in main ../test/pwtest.c:1482
#12 0x7fa98360130f in __libc_start_call_main (/usr/lib/libc.so.6+0x2d30f)
previously allocated by thread T0 here:
#0 0x7fa984ffdfb9 in __interceptor_calloc /usr/src/debug/gcc/libsanitizer/asan/asan_malloc_linux.cpp:154
#1 0x7fa97f60d883 in loop_add_io ../spa/plugins/support/loop.c:408
#2 0x559995af75de in destroy_managed_source_before_dispatch_recurse ../test/test-loop.c:349
#3 0x559995b02678 in start_test_nofork ../test/pwtest.c:882
#4 0x559995b06191 in run_test ../test/pwtest.c:1087
#5 0x559995b0948a in run_tests ../test/pwtest.c:1283
#6 0x559995b0aea4 in main ../test/pwtest.c:1482
#7 0x7fa98360130f in __libc_start_call_main (/usr/lib/libc.so.6+0x2d30f)
SUMMARY: AddressSanitizer: heap-use-after-free ../spa/plugins/support/loop.c:376 in loop_iterate
This commit is contained in:
Barnabás Pőcze
Wim Taymans
parent
b1c189fa86
commit
529b6fd1b8
|
|
@ -280,12 +280,93 @@ PWTEST(destroy_managed_source_before_dispatch)
|
|||
return PWTEST_PASS;
|
||||
}
|
||||
|
||||
struct dmsbd_recurse_data {
|
||||
struct pw_loop *l;
|
||||
struct pw_main_loop *ml;
|
||||
struct spa_source *a, *b;
|
||||
struct spa_hook hook;
|
||||
bool first;
|
||||
};
|
||||
|
||||
static void dmsbd_recurse_on_event(void *data, int fd, uint32_t mask)
|
||||
{
|
||||
struct dmsbd_recurse_data *d = data;
|
||||
|
||||
pwtest_errno_ok(read(fd, &(uint64_t){0}, sizeof(uint64_t)));
|
||||
|
||||
pw_loop_enter(d->l);
|
||||
pw_loop_iterate(d->l, 0);
|
||||
pw_loop_leave(d->l);
|
||||
|
||||
pw_main_loop_quit(d->ml);
|
||||
}
|
||||
|
||||
static void dmswp_recurse_before(void *data)
|
||||
{
|
||||
struct dmsbd_recurse_data *d = data;
|
||||
|
||||
if (d->first) {
|
||||
pwtest_errno_ok(write(d->a->fd, &(uint64_t){1}, sizeof(uint64_t)));
|
||||
pwtest_errno_ok(write(d->b->fd, &(uint64_t){1}, sizeof(uint64_t)));
|
||||
}
|
||||
}
|
||||
|
||||
static void dmsbd_recurse_after(void *data)
|
||||
{
|
||||
struct dmsbd_recurse_data *d = data;
|
||||
|
||||
if (d->first) {
|
||||
pw_loop_destroy_source(d->l, d->b);
|
||||
|
||||
d->first = false;
|
||||
}
|
||||
}
|
||||
|
||||
static const struct spa_loop_control_hooks dmsbd_recurse_hooks = {
|
||||
SPA_VERSION_LOOP_CONTROL_HOOKS,
|
||||
.before = dmswp_recurse_before,
|
||||
.after = dmsbd_recurse_after,
|
||||
};
|
||||
|
||||
PWTEST(destroy_managed_source_before_dispatch_recurse)
|
||||
{
|
||||
pw_init(NULL, NULL);
|
||||
|
||||
struct dmsbd_recurse_data data = {
|
||||
.first = true,
|
||||
};
|
||||
|
||||
data.ml = pw_main_loop_new(NULL);
|
||||
pwtest_ptr_notnull(data.ml);
|
||||
|
||||
data.l = pw_main_loop_get_loop(data.ml);
|
||||
pwtest_ptr_notnull(data.l);
|
||||
|
||||
data.l = pw_main_loop_get_loop(data.ml);
|
||||
pwtest_ptr_notnull(data.l);
|
||||
|
||||
data.a = pw_loop_add_io(data.l, eventfd(0, 0), SPA_IO_IN, true, dmsbd_recurse_on_event, &data);
|
||||
data.b = pw_loop_add_io(data.l, eventfd(0, 0), SPA_IO_IN, true, on_event_fail_if_called, NULL);
|
||||
pwtest_ptr_notnull(data.a);
|
||||
pwtest_ptr_notnull(data.b);
|
||||
|
||||
pw_loop_add_hook(data.l, &data.hook, &dmsbd_recurse_hooks, &data);
|
||||
|
||||
pw_main_loop_run(data.ml);
|
||||
pw_main_loop_destroy(data.ml);
|
||||
|
||||
pw_deinit();
|
||||
|
||||
return PWTEST_PASS;
|
||||
}
|
||||
|
||||
PWTEST_SUITE(support)
|
||||
{
|
||||
pwtest_add(pwtest_loop_destroy2, PWTEST_NOARG);
|
||||
pwtest_add(pwtest_loop_recurse1, PWTEST_NOARG);
|
||||
pwtest_add(pwtest_loop_recurse2, PWTEST_NOARG);
|
||||
pwtest_add(destroy_managed_source_before_dispatch, PWTEST_NOARG);
|
||||
pwtest_add(destroy_managed_source_before_dispatch_recurse, PWTEST_NOARG);
|
||||
|
||||
return PWTEST_PASS;
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in a new issue