Comment 4 for bug 1847532

Ian McInerney (imcinerney) wrote:

OK, ASAN managed to give a better stack trace and analysis. What seems to be happening is that wxWidgets is trying to destroy a child object, but that child object lives in the stack frame of a tool routine instead of on the heap. The easiest way to fix this is to simply ensure all tools are cancelled before we destroy the frame; that way all stack items will have been destroyed on their own. The attached patch does that for all the tool-based windows I could think of (basically, if any window uses a tool manager, we should ensure the stack is empty before destroying the frame).

=================================================================
==29942==ERROR: AddressSanitizer: attempting free on address which was not malloc()-ed: 0x7fbe3f2c15d0 in thread T0
    #0 0x40965f in operator delete(void*) (/master/build/debug/pcbnew/pcbnew+0x40965f)
    #1 0x7fbe3ce3a421 in STATUS_TEXT_POPUP::~STATUS_TEXT_POPUP() /master/include/status_popup.h:83:34
    #2 0x7fbe459cc39b in wxWindowBase::Destroy() ../src/common/wincmn.cpp:576:12
    #3 0x7fbe459cc3d3 in wxWindowBase::DestroyChildren() ../src/common/wincmn.cpp:608:37
    #4 0x7fbe457fb146 in wxWindow::~wxWindow() ../src/gtk/window.cpp:2519:20
    #5 0x7fbe3cccfbfc in EDA_BASE_FRAME::~EDA_BASE_FRAME() /master/common/eda_base_frame.cpp:161:1
    #6 0x7fbe3cdc9b77 in KIWAY_PLAYER::~KIWAY_PLAYER() /master/common/kiway_player.cpp:66:40
    #7 0x7fbe3cd317af in EDA_DRAW_FRAME::~EDA_DRAW_FRAME() /master/common/eda_draw_frame.cpp:191:1
    #8 0x7fbe3c505318 in PCB_BASE_FRAME::~PCB_BASE_FRAME() /master/pcbnew/pcb_base_frame.cpp:109:1
    #9 0x7fbe3b545316 in PCB_BASE_EDIT_FRAME::~PCB_BASE_EDIT_FRAME() /master/pcbnew/pcb_base_edit_frame.cpp:55:1
    #10 0x7fbe3b565542 in PCB_EDIT_FRAME::~PCB_EDIT_FRAME() /master/pcbnew/pcb_edit_frame.cpp:342:1
    #11 0x7fbe3b5655d8 in PCB_EDIT_FRAME::~PCB_EDIT_FRAME() /master/pcbnew/pcb_edit_frame.cpp:338:1
    #12 0x7fbe452939c6 in wxAppConsoleBase::DeletePendingObjects() ../src/common/appbase.cpp:591:16
    #13 0x7fbe45293a48 in wxAppConsoleBase::ProcessIdle() ../src/common/appbase.cpp:397:25
    #14 0x7fbe458944a7 in wxAppBase::ProcessIdle() ../src/common/appcmn.cpp:366:50
    #15 0x7fbe457be094 in wxApp::DoIdle() ../src/gtk/app.cpp:159:31
    #16 0x7fbe457be1b6 ../src/gtk/app.cpp:107:28
    #17 0x7fbe437d07da (/lib64/libglib-2.0.so.0+0x4c7da)
    #18 0x7fbe437d3edc in g_main_context_dispatch (/lib64/libglib-2.0.so.0+0x4fedc)
    #19 0x7fbe437d426f (/lib64/libglib-2.0.so.0+0x5026f)
    #20 0x7fbe437d45a2 in g_main_loop_run (/lib64/libglib-2.0.so.0+0x505a2)
    #21 0x7fbe43e12b3c in gtk_main (/lib64/libgtk-3.so.0+0x24db3c)
    #22 0x7fbe457ddbc4 in wxGUIEventLoop::DoRun() ../src/gtk/evtloop.cpp:65:17
    #23 0x7fbe452d6170 in wxEventLoopBase::Run() ../src/common/evtloopcmn.cpp:78:17
    #24 0x7fbe45296c69 in wxAppConsoleBase::MainLoop() ../src/common/appbase.cpp:334:40
    #25 0x417f49 in APP_SINGLE_TOP::OnRun() /master/common/single_top.cpp:197:26
    #26 0x7fbe4532aabb in wxEntry(int&, wchar_t**) ../src/common/init.cpp:506:31
    #27 0x40be4e in main /master/common/single_top.cpp:271:1
    #28 0x7fbe442fcf32 in __libc_start_main (/lib64/libc.so.6+0x23f32)
    #29 0x2ef02d in _start (/master/build/debug/pcbnew/pcbnew+0x2ef02d)

Address 0x7fbe3f2c15d0 is located in stack of thread T0 at offset 1488 in frame
    #0 0x7fbe3b6edd1f in DRAWING_TOOL::DrawZone(TOOL_EVENT const&) /master/pcbnew/tools/drawing_tool.cpp:1382

  This frame has 27 object(s):
    [32, 48) 'scopedDrawMode' (line 1395)
    [64, 72) 'sourceZone' (line 1400)
    [96, 120) 'params' (line 1405)
    [160, 656) 'zoneTool' (line 1418)
    [720, 864) 'polyGeomMgr' (line 1422)
    [928, 960) 'tool' (line 1424)
    [992, 1032) 'ref.tmp' (line 1424)
    [1072, 1073) 'started' (line 1431)
    [1088, 1424) 'grid' (line 1432)
    [1488, 2288) 'status' (line 1433) <== Memory access at offset 1488 is inside this variable
    [2416, 2432) 'ref.tmp64' (line 1434)
    [2448, 2496) 'ref.tmp71' (line 1435)
    [2528, 2576) 'ref.tmp74' (line 1435)
    [2608, 2624) 'ref.tmp89' (line 1439)
    [2640, 2720) 'ref.tmp96' (line 1442)
    [2752, 2896) 'ref.tmp97' (line 1442)
    [2960, 2968) 'layers' (line 1445)
    [2992, 3000) 'cursorPos' (line 1449)
    [3024, 3032) 'ref.tmp141' (line 1449)
    [3056, 3072) 'ref.tmp142' (line 1449)
    [3088, 3112) 'ref.tmp154' (line 1449)
    [3152, 3168) 'ref.tmp163' (line 1451)
    [3184, 3208) 'cleanup' (line 1453)
    [3248, 3256) 'p' (line 1556)
    [3280, 3288) 'ref.tmp319' (line 1556)
    [3312, 3320) 'ref.tmp323' (line 1556)
    [3344, 3360) 'ref.tmp358' (line 1570)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: bad-free (/master/build/debug/pcbnew/pcbnew+0x40965f) in operator delete(void*)
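A constructed C++ model of the ownership mismatch described in the comment, added here as an example and not taken from KiCad or wxWidgets: the parent deletes any child still registered with it at destruction (as `DestroyChildren()` does in the trace), so a child owned by a tool's own scope must already be gone, i.e. the tool cancelled, before the frame is destroyed. `Frame`, `Child`, `Tool` and `ShutdownFrame` are invented names for the model.

```cpp
#include <algorithm>
#include <cstddef>
#include <memory>
#include <utility>
#include <vector>
// Constructed model: a parent window deletes whatever children are still
// registered when it is destroyed, like wxWindowBase::DestroyChildren(). It
// cannot tell heap children from children living in a tool's stack frame.
struct Frame;
struct Child {
    Frame* parent;
    explicit Child(Frame* p);
    ~Child();
};
struct Frame {
    std::vector<Child*> children;
    void AddChild(Child* c) { children.push_back(c); }
    void RemoveChild(Child* c) {
        children.erase(std::remove(children.begin(), children.end(), c), children.end());
    }
    // Deletes every remaining child and returns how many the parent had to
    // delete itself. A child still registered here that was not heap-allocated
    // is the bad-free that ASAN reported above.
    std::size_t DestroyChildren() {
        std::size_t n = 0;
        while (!children.empty()) { delete children.back(); ++n; }  // dtor unregisters it
        return n;
    }
    ~Frame() { DestroyChildren(); }
};
Child::Child(Frame* p) : parent(p) { parent->AddChild(this); }
Child::~Child() { parent->RemoveChild(this); }
// Stand-in for a running tool whose status popup is owned by the tool's own
// scope (the stack frame in the real bug), not by the frame. Cancel() unwinds it.
struct Tool {
    std::unique_ptr<Child> status;
    void Start(Frame& f) { status = std::make_unique<Child>(&f); }
    void Cancel() { status.reset(); }
};
// The ordering the comment proposes: cancel every tool, then destroy the frame.
// Returns how many children the frame still had to delete (0 when shutdown is safe).
std::size_t ShutdownFrame(std::unique_ptr<Frame> frame, std::vector<Tool>& tools) {
    for (Tool& t : tools) t.Cancel();
    std::size_t leftover = frame->DestroyChildren();
    frame.reset();
    return leftover;
}
```

The only children the frame may legitimately delete are heap-allocated ones that nobody else owns; a non-zero return while tools are still running is the condition the patch is meant to rule out.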