BUG: sanitizer found use-after-free in WOutputLayoutItem's updateOutputs

[ZhongYic00]

• precond:
  • WLR_X11_OUTPUTS=2
  • -fsanitizer=address
• run
  • tinywl-qtquick
  • qtcreator -platform wayland

Result:

=> updateOutputs()
  => ~QList<QPointer<WOutput>>()
=> updateOutputs
  => QPointer<WOutput>() **use-after-free**

if use manually deep-copy or std::vector, won't trigger

[ZhongYic00]

==1390521==ERROR: AddressSanitizer: heap-use-after-free on address 0x6060005e8580 at pc 0x7f51b8259a45 bp 0x7ffe12261040 sp 0x7ffe12261038
READ of size 8 at 0x6060005e8580 thread T0
    #0 0x7f51b8259a44 in QWeakPointer<QObject>::QWeakPointer(QWeakPointer<QObject> const&) /usr/include/x86_64-linux-gnu/qt6/QtCore/qsharedpointer_impl.h:558
    #1 0x7f51b8259362 in QPointer<Waylib::Server::WOutput>::QPointer(QPointer<Waylib::Server::WOutput> const&) /usr/include/x86_64-linux-gnu/qt6/QtCore/qpointer.h:17
    #2 0x7f51b834d3b3 in Waylib::Server::WOutputLayoutItemPrivate::updateOutputs() /home/zyc/DDM/treeland/waylib/src/server/qtquick/woutputlayoutitem.cpp:37
    #3 0x7f51b834b9af in Waylib::Server::WOutputLayoutItem::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) /home/zyc/DDM/treeland/build/waylib/src/server/waylibserver_autogen/include/moc_woutputlayoutitem.cpp:199
    #4 0x7f51b4faac52  (/lib/x86_64-linux-gnu/libQt6Core.so.6+0x1aac52) (BuildId: 7d91bdd2e518bfdae2e83afa3055d19790dd5541)
    #5 0x7f51b815caa6 in Waylib::Server::WQuickObserver::transformChanged(QQuickItem*) /home/zyc/DDM/treeland/build/waylib/src/server/waylibserver_autogen/5PJCAAPZ7B/moc_wquickobserver.cpp:268
    #6 0x7f51b836ab32 in Waylib::Server::WQuickObserverPrivate::transformChanged(QQuickItem*) /home/zyc/DDM/treeland/waylib/src/server/qtquick/wquickobserver.cpp:22
    #7 0x7f51b67dacfa in QQuickItemPrivate::dirty(QQuickItemPrivate::DirtyType) (/lib/x86_64-linux-gnu/libQt6Quick.so.6+0x1dacfa) (BuildId: 5a00e75dca8256e2755913f2f7f317ae53fccc4b)
    #8 0x7f51b67dd19e in QQuickItem::setSize(QSizeF const&) (/lib/x86_64-linux-gnu/libQt6Quick.so.6+0x1dd19e) (BuildId: 5a00e75dca8256e2755913f2f7f317ae53fccc4b)
    #9 0x7f51b67a745e  (/lib/x86_64-linux-gnu/libQt6Quick.so.6+0x1a745e) (BuildId: 5a00e75dca8256e2755913f2f7f317ae53fccc4b)
    #10 0x7f51b67ce36c in QQuickItem::geometryChange(QRectF const&, QRectF const&) (/lib/x86_64-linux-gnu/libQt6Quick.so.6+0x1ce36c) (BuildId: 5a00e75dca8256e2755913f2f7f317ae53fccc4b)
    #11 0x7f51b82b19e3 in Waylib::Server::WSurfaceItem::geometryChange(QRectF const&, QRectF const&) /home/zyc/DDM/treeland/waylib/src/server/qtquick/wsurfaceitem.cpp:819
    #12 0x7f51b67dd1dc in QQuickItem::setSize(QSizeF const&) (/lib/x86_64-linux-gnu/libQt6Quick.so.6+0x1dd1dc) (BuildId: 5a00e75dca8256e2755913f2f7f317ae53fccc4b)
    #13 0x7f51b82b7f18 in Waylib::Server::WSurfaceItemPrivate::doResize(Waylib::Server::WSurfaceItem::ResizeMode) /home/zyc/DDM/treeland/waylib/src/server/qtquick/wsurfaceitem.cpp:1269
    #14 0x7f51b82b31f3 in Waylib::Server::WSurfaceItem::onSurfaceCommit() /home/zyc/DDM/treeland/waylib/src/server/qtquick/wsurfaceitem.cpp:939
    #15 0x7f51b839289b in Waylib::Server::WXdgSurfaceItem::onSurfaceCommit() /home/zyc/DDM/treeland/waylib/src/server/qtquick/private/wquickxdgshell.cpp:135
    #16 0x7f51b82cbb51 in QtPrivate::FunctorCall<QtPrivate::IndexesList<>, QtPrivate::List<>, void, void (Waylib::Server::WSurfaceItem::*)()>::call(void (Waylib::Server::WSurfaceItem::*)(), Waylib::Server::WSurfaceItem*, void**) /usr/include/x86_64-linux-gnu/qt6/QtCore/qobjectdefs_impl.h:145
    #17 0x7f51b82c97a5 in void QtPrivate::FunctionPointer<void (Waylib::Server::WSurfaceItem::*)()>::call<QtPrivate::List<>, void>(void (Waylib::Server::WSurfaceItem::*)(), Waylib::Server::WSurfaceItem*, void**) /usr/include/x86_64-linux-gnu/qt6/QtCore/qobjectdefs_impl.h:182
    #18 0x7f51b82c693b in QtPrivate::QCallableObject<void (Waylib::Server::WSurfaceItem::*)(), QtPrivate::List<>, void>::impl(int, QtPrivate::QSlotObjectBase*, QObject*, void**, bool*) /usr/include/x86_64-linux-gnu/qt6/QtCore/qobjectdefs_impl.h:520
    #19 0x7f51b4faa927  (/lib/x86_64-linux-gnu/libQt6Core.so.6+0x1aa927) (BuildId: 7d91bdd2e518bfdae2e83afa3055d19790dd5541)
    #20 0x7f51b7699f22 in QWLRoots::QWSurface::commit() /home/zyc/DDM/treeland/build/waylib/qwlroots/src/qwlroots_autogen/GZRP3O7STM/moc_qwcompositor.cpp:495
    #21 0x7f51b772f953 in QWLRoots::QWSurfacePrivate::on_commit(void*) /home/zyc/DDM/treeland/waylib/qwlroots/src/types/qwcompositor.cpp:164
    #22 0x7f51b78cff77 in callSlot1 /home/zyc/DDM/treeland/waylib/qwlroots/src/util/qwsignalconnector.cpp:29
    #23 0x7f51b91d69fb in wl_signal_emit_mutable (/lib/x86_64-linux-gnu/libwayland-server.so.0+0x99fb) (BuildId: fc01be5c783379fc68817c827d4d345da91647f1)
    #24 0x7f51b912f7d6  (/lib/x86_64-linux-gnu/libwlroots.so.12+0x847d6) (BuildId: 445296cf7892cfb6366bd00e9e6e1f15a3e9407a)
    #25 0x7f51b7afb019  (/lib/x86_64-linux-gnu/libffi.so.8+0x7019) (BuildId: d5565cc76899ebb5fdf631eb679285fa4a128754)
    #26 0x7f51b7afa4bd  (/lib/x86_64-linux-gnu/libffi.so.8+0x64bd) (BuildId: d5565cc76899ebb5fdf631eb679285fa4a128754)
    #27 0x7f51b7afabac in ffi_call (/lib/x86_64-linux-gnu/libffi.so.8+0x6bac) (BuildId: d5565cc76899ebb5fdf631eb679285fa4a128754)
    #28 0x7f51b91da8e0  (/lib/x86_64-linux-gnu/libwayland-server.so.0+0xd8e0) (BuildId: fc01be5c783379fc68817c827d4d345da91647f1)
    #29 0x7f51b91d5c3a  (/lib/x86_64-linux-gnu/libwayland-server.so.0+0x8c3a) (BuildId: fc01be5c783379fc68817c827d4d345da91647f1)
    #30 0x7f51b91d88e1 in wl_event_loop_dispatch (/lib/x86_64-linux-gnu/libwayland-server.so.0+0xb8e1) (BuildId: fc01be5c783379fc68817c827d4d345da91647f1)
    #31 0x7f51b8226f31 in operator() /home/zyc/DDM/treeland/waylib/src/server/kernel/wserver.cpp:112
    #32 0x7f51b822af0a in call /usr/include/x86_64-linux-gnu/qt6/QtCore/qobjectdefs_impl.h:137
    #33 0x7f51b822ae44 in call<QtPrivate::List<>, void> /usr/include/x86_64-linux-gnu/qt6/QtCore/qobjectdefs_impl.h:339
    #34 0x7f51b822ad5d in impl /usr/include/x86_64-linux-gnu/qt6/QtCore/qobjectdefs_impl.h:522
    #35 0x7f51b4faa927  (/lib/x86_64-linux-gnu/libQt6Core.so.6+0x1aa927) (BuildId: 7d91bdd2e518bfdae2e83afa3055d19790dd5541)
    #36 0x7f51b4facf72 in QSocketNotifier::activated(QSocketDescriptor, QSocketNotifier::Type, QSocketNotifier::QPrivateSignal) (/lib/x86_64-linux-gnu/libQt6Core.so.6+0x1acf72) (BuildId: 7d91bdd2e518bfdae2e83afa3055d19790dd5541)
    #37 0x7f51b4fafcaa in QSocketNotifier::event(QEvent*) (/lib/x86_64-linux-gnu/libQt6Core.so.6+0x1afcaa) (BuildId: 7d91bdd2e518bfdae2e83afa3055d19790dd5541)
    #38 0x7f51b4f5fc97 in QCoreApplication::notifyInternal2(QObject*, QEvent*) (/lib/x86_64-linux-gnu/libQt6Core.so.6+0x15fc97) (BuildId: 7d91bdd2e518bfdae2e83afa3055d19790dd5541)
    #39 0x7f51b515776e  (/lib/x86_64-linux-gnu/libQt6Core.so.6+0x35776e) (BuildId: 7d91bdd2e518bfdae2e83afa3055d19790dd5541)
    #40 0x7f51b472c213  (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x57213) (BuildId: 02afc45b0dbf5aad076f7c1c7f18ab78de4ca65f)
    #41 0x7f51b472f336  (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x5a336) (BuildId: 02afc45b0dbf5aad076f7c1c7f18ab78de4ca65f)
    #42 0x7f51b472f94f in g_main_context_iteration (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x5a94f) (BuildId: 02afc45b0dbf5aad076f7c1c7f18ab78de4ca65f)
    #43 0x7f51b514f81f in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (/lib/x86_64-linux-gnu/libQt6Core.so.6+0x34f81f) (BuildId: 7d91bdd2e518bfdae2e83afa3055d19790dd5541)
    #44 0x7f51b4f6a239 in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) (/lib/x86_64-linux-gnu/libQt6Core.so.6+0x16a239) (BuildId: 7d91bdd2e518bfdae2e83afa3055d19790dd5541)
    #45 0x7f51b4f636d9 in QCoreApplication::exec() (/lib/x86_64-linux-gnu/libQt6Core.so.6+0x1636d9) (BuildId: 7d91bdd2e518bfdae2e83afa3055d19790dd5541)
    #46 0x5590028463fe in main /home/zyc/DDM/treeland/src/treeland/treeland.cpp:409
    #47 0x7f51b4842c89 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #48 0x7f51b4842d44 in __libc_start_main_impl ../csu/libc-start.c:360
    #49 0x5590028373e0 in _start (/home/zyc/DDM/treeland/build/src/treeland/treeland+0xec3e0) (BuildId: 8cdcbab753c5a792084a40502e7830915e22a726)

0x6060005e8580 is located 32 bytes inside of 64-byte region [0x6060005e8560,0x6060005e85a0)
freed by thread T0 here:
    #0 0x7f51b8ad7288 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:52
    #1 0x7f51b82593c8 in QArrayDataPointer<QPointer<Waylib::Server::WOutput> >::~QArrayDataPointer() /usr/include/x86_64-linux-gnu/qt6/QtCore/qarraydatapointer.h:104
    #2 0x7f51b8259281 in QList<QPointer<Waylib::Server::WOutput> >::~QList() /usr/include/x86_64-linux-gnu/qt6/QtCore/qlist.h:70
    #3 0x7f51b834d6f4 in Waylib::Server::WOutputLayoutItemPrivate::updateOutputs() /home/zyc/DDM/treeland/waylib/src/server/qtquick/woutputlayoutitem.cpp:52
    #4 0x7f51b834b9af in Waylib::Server::WOutputLayoutItem::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) /home/zyc/DDM/treeland/build/waylib/src/server/waylibserver_autogen/include/moc_woutputlayoutitem.cpp:199
    #5 0x7f51b4faac52  (/lib/x86_64-linux-gnu/libQt6Core.so.6+0x1aac52) (BuildId: 7d91bdd2e518bfdae2e83afa3055d19790dd5541)
    #6 0x7f51b815caa6 in Waylib::Server::WQuickObserver::transformChanged(QQuickItem*) /home/zyc/DDM/treeland/build/waylib/src/server/waylibserver_autogen/5PJCAAPZ7B/moc_wquickobserver.cpp:268
    #7 0x7f51b836ab32 in Waylib::Server::WQuickObserverPrivate::transformChanged(QQuickItem*) /home/zyc/DDM/treeland/waylib/src/server/qtquick/wquickobserver.cpp:22
    #8 0x7f51b67d4ae3 in QQuickItemPrivate::transformChanged(QQuickItem*) (/lib/x86_64-linux-gnu/libQt6Quick.so.6+0x1d4ae3) (BuildId: 5a00e75dca8256e2755913f2f7f317ae53fccc4b)

previously allocated by thread T0 here:
    #0 0x7f51b8ad85bf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
    #1 0x7f51b502f8a7 in QArrayData::allocate(QArrayData**, long long, long long, long long, QArrayData::AllocationOption) (/lib/x86_64-linux-gnu/libQt6Core.so.6+0x22f8a7) (BuildId: 7d91bdd2e518bfdae2e83afa3055d19790dd5541)

SUMMARY: AddressSanitizer: heap-use-after-free /usr/include/x86_64-linux-gnu/qt6/QtCore/qsharedpointer_impl.h:558 in QWeakPointer<QObject>::QWeakPointer(QWeakPointer<QObject> const&)