[Interest] ASAN (Qt 6.4 + Glib) build shows stack overflow in trivial Qt program

Dennis Luehring dl.soluz at gmx.net
Thu Nov 10 09:23:52 CET 2022


So I tried using TSAN with my own build of Glib and Qt, but it directly
crashes with a

System: Ubuntu 22.04. Glib is the same version as the system's Glib, built
from the Glib git; Qt is the 6.4 tag from git.


*** stack smashing detected ***: terminated

without any other message

My test application is just

#include <QApplication>

int main( int argc, char* argv[] )
{
    QApplication app( argc, argv );   // the ASAN report fires inside this constructor
    return app.exec();
}

So I rebuilt Glib and Qt with ASAN first to get a clue what the problem is:

mkdir ~/qt6_dev

# 1. build Glib with --prefix
cd ~/qt6_dev
git clone https://gitlab.gnome.org/GNOME/glib.git
cd glib
git checkout 2.72.1
cd ..
mkdir glib-build
cd glib-build
meson setup ../glib -Dbuildtype=debug -Db_sanitize=address --prefix ~/qt6_dev/glib-install
meson compile
meson install

# 2. build Qt with ASAN + PKG_CONFIG_PATH set to the ASAN GLib build

cd ~/qt6_dev
git clone git://code.qt.io/qt/qt5.git qt6
cd qt6
git checkout v6.4.0
perl init-repository
cd ..
mkdir qt6-build
cd qt6-build
PKG_CONFIG_PATH=~/qt6_dev/glib-install/lib/x86_64-linux-gnu/pkgconfig ../qt6/qtbase/configure -debug -opensource -nomake examples -nomake tests -sanitize address
cmake --build . --parallel 2

This results in

https://pastebin.com/KiUqxEe9

linux at linux-virtual-machine:~/dev/test/qt_tsan_tests_dev/_build_gcc$ ./qt_tsan_tests
qt.qpa.plugin: Could not find the Qt platform plugin "wayland" in ""
=================================================================
==72389==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffe033c3af0 at pc 0x7f08b158106e bp 0x7ffe033c3770 sp 0x7ffe033c3760
WRITE of size 4 at 0x7ffe033c3af0 thread T0
    #0 0x7f08b158106d in value_lcopy_boolean ../glib/gobject/gvaluetypes.c:76
    #1 0x7f08b15289a1 in g_object_get_valist ../glib/gobject/gobject.c:2659
    #2 0x7f08b1529029 in g_object_get ../glib/gobject/gobject.c:2754
    #3 0x7f08b3eee24b in gtkSetting<bool> /home/linux/qt6_dev/qt6/qtbase/src/plugins/platformthemes/gtk3/qgtk3theme.cpp:30
    #4 0x7f08b3eef12b in QGtk3Theme::appearance() const /home/linux/qt6_dev/qt6/qtbase/src/plugins/platformthemes/gtk3/qgtk3theme.cpp:179
    #5 0x7f08bc0c5d6c in qt_fusionPalette() /home/linux/qt6_dev/qt6/qtbase/src/gui/kernel/qplatformtheme.cpp:349
    #6 0x7f08bc0c727a in QPlatformThemePrivate::initializeSystemPalette() /home/linux/qt6_dev/qt6/qtbase/src/gui/kernel/qplatformtheme.cpp:399
    #7 0x7f08bc0c7356 in QPlatformTheme::palette(QPlatformTheme::Palette) const /home/linux/qt6_dev/qt6/qtbase/src/gui/kernel/qplatformtheme.cpp:439
    #8 0x7f08bdbb9a16 in QApplicationPrivate::basePalette() const /home/linux/qt6_dev/qt6/qtbase/src/widgets/kernel/qapplication.cpp:1065
    #9 0x7f08bbf89e2c in QGuiApplicationPrivate::setPalette(QPalette const&) /home/linux/qt6_dev/qt6/qtbase/src/gui/kernel/qguiapplication.cpp:3372
    #10 0x7f08bbf8a161 in QGuiApplicationPrivate::updatePalette() /home/linux/qt6_dev/qt6/qtbase/src/gui/kernel/qguiapplication.cpp:3344
    #11 0x7f08bbfb01bf in QGuiApplicationPrivate::init() /home/linux/qt6_dev/qt6/qtbase/src/gui/kernel/qguiapplication.cpp:1603
    #12 0x7f08bdbd9d3c in QApplicationPrivate::init() /home/linux/qt6_dev/qt6/qtbase/src/widgets/kernel/qapplication.cpp:462
    #13 0x7f08bdbd9ebc in QApplication::QApplication(int&, char**, int) /home/linux/qt6_dev/qt6/qtbase/src/widgets/kernel/qapplication.cpp:450
    #14 0x5648a1e8f9d8 in main /home/linux/dev/test/qt_tsan_tests_dev/qt_tsan_tests/main.cpp:8
    #15 0x7f08ba2e6d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #16 0x7f08ba2e6e3f in __libc_start_main_impl ../csu/libc-start.c:392
    #17 0x5648a1e8e3c4 in _start (/home/linux/dev/test/qt_tsan_tests_dev/_build_gcc/qt_tsan_tests+0x43c4)

Address 0x7ffe033c3af0 is located in stack of thread T0 at offset 32 in frame
    #0 0x7f08b3eee1c0 in gtkSetting<bool> /home/linux/qt6_dev/qt6/qtbase/src/plugins/platformthemes/gtk3/qgtk3theme.cpp:26

  This frame has 1 object(s):
    [32, 33) 'value' (line 29) <== Memory access at offset 32 partially overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow ../glib/gobject/gvaluetypes.c:76 in value_lcopy_boolean
Shadow bytes around the buggy address:
   0x100040670700: 00 00 00 00 f1 f1 f1 f1 00 f2 f2 f2 00 00 00 f2
   0x100040670710: f2 f2 f2 f2 00 00 00 00 00 00 00 00 f3 f3 f3 f3
   0x100040670720: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1
   0x100040670730: f1 f1 00 00 00 f3 f3 f3 f3 f3 00 00 00 00 00 00
   0x100040670740: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x100040670750: 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1[01]f3
   0x100040670760: f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   0x100040670770: f1 f1 f1 f1 f1 f1 f8 f2 04 f2 04 f2 00 f2 f2 f2
   0x100040670780: 00 f2 f2 f2 00 f2 f2 f2 00 00 00 f2 f2 f2 f2 f2
   0x100040670790: f8 f8 f8 f2 f2 f2 f2 f2 f8 f8 f8 f2 f2 f2 f2 f2
   0x1000406707a0: 00 00 00 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
   Addressable:           00
   Partially addressable: 01 02 03 04 05 06 07
   Heap left redzone:       fa
   Freed heap region:       fd
   Stack left redzone:      f1
   Stack mid redzone:       f2
   Stack right redzone:     f3
   Stack after return:      f5
   Stack use after scope:   f8
   Global redzone:          f9
   Global init order:       f6
   Poisoned by user:        f7
   Container overflow:      fc
   Array cookie:            ac
   Intra object redzone:    bb
   ASan internal:           fe
   Left alloca redzone:     ca
   Right alloca redzone:    cb
   Shadow gap:              cc
==72389==ABORTING


Is that a real bug? (I thought ASAN can't produce false positives the way TSAN can.)
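The report above says everything a reviewer needs: a 4-byte WRITE from value_lcopy_boolean lands on a 1-byte stack object 'value' in gtkSetting<bool>, and the 3 surplus bytes hit the stack redzone. GLib's gboolean is a typedef of int, so g_object_get() stores sizeof(int) bytes through the pointer it is handed for a boolean property; the trace strongly suggests the caller handed it the address of a 1-byte bool (that reading of the Qt source is an inference from the frame dump, not something the post quotes). The C program below is an added example, not code from the thread, GLib or Qt. It uses a constructed stand-in getter (fake_object_get, fake_gboolean and the property name "prefer-dark" are all invented for the example) to show the width mismatch, the corrected out-parameter, and the size check that catches it during review.

```c
#include <stdarg.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a GObject-style property getter (hypothetical name,
 * not GLib's API). Like g_object_get() for a G_TYPE_BOOLEAN property, it expects
 * a pointer to an int-sized gboolean among the variadic arguments and stores
 * sizeof(int) bytes through it. fake_gboolean mirrors GLib's "typedef int gboolean". */
typedef int fake_gboolean;

static void fake_object_get(const char *property, ...)
{
    va_list ap;
    va_start(ap, property);
    fake_gboolean *out = va_arg(ap, fake_gboolean *);
    /* constructed value: only the made-up "prefer-dark" property reads back TRUE */
    *out = (strcmp(property, "prefer-dark") == 0) ? 1 : 0;
    va_end(ap);
}

/* Before: the out-parameter is a 1-byte bool, but the callee stores 4 bytes.
 * The 3 surplus bytes land past 'value', which is exactly the
 * "WRITE of size 4 ... [32, 33) 'value' ... partially overflows" diagnostic.
 * Only run this variant under -fsanitize=address to reproduce the report. */
bool setting_bool_buggy(const char *property)
{
    bool value = false;                 /* sizeof(bool) == 1 on this platform */
    fake_object_get(property, &value);  /* callee writes sizeof(int) == 4 bytes */
    return value;
}

/* After: receive into storage as wide as what the callee writes, then narrow. */
bool setting_bool_fixed(const char *property)
{
    fake_gboolean value = 0;            /* 4 bytes, matches the callee's store */
    fake_object_get(property, &value);
    return value != 0;
}

/* The review check that catches this class of bug statically: the out-parameter's
 * storage must be at least as wide as the value a variadic callee will store. */
bool out_param_wide_enough(size_t storage_bytes, size_t stored_bytes)
{
    return storage_bytes >= stored_bytes;
}

int main(void)
{
    printf("sizeof(bool)=%zu sizeof(gboolean)=%zu mismatch=%d\n",
           sizeof(bool), sizeof(fake_gboolean),
           !out_param_wide_enough(sizeof(bool), sizeof(fake_gboolean)));
    printf("fixed: prefer-dark=%d other=%d\n",
           setting_bool_fixed("prefer-dark"), setting_bool_fixed("other"));
    /* Build with: gcc -g -fsanitize=address example.c && ./a.out
     * to get the same stack-buffer-overflow report from the buggy variant. */
    printf("buggy: prefer-dark=%d\n", setting_bool_buggy("prefer-dark"));
    return 0;
}
```

The mismatch is invisible to the compiler because the pointer passes through a variadic argument list, so no type check can fire; ASAN sees it at runtime, and a grep for 1-byte locals whose address is passed to g_object_get() finds it before runtime.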



