
ASAN detected heap use after free in eldbus test suite
Closed, Resolved (Public)

Description

When running ninja test after compilation with address sanitizer:

25/44 eldbus-suite                            FAIL    19.06 s (exit status 1)

--- command ---
EFL_RUN_IN_TREE='1' /home/stefan/EFL/efl/build/src/tests/eldbus/eldbus_suite
--- Listing only the last 100 lines from a long log. ---
    #19 0x7fd37bde9766 in srunner_run_tagged (/lib64/libcheck.so.0+0x6766)
    #20 0x406a01 in _efl_suite_run_end (/home/stefan/EFL/efl/build/src/tests/eldbus/eldbus_suite+0x406a01)
    #21 0x407357 in _efl_suite_build_and_run (/home/stefan/EFL/efl/build/src/tests/eldbus/eldbus_suite+0x407357)
    #22 0x407925 in main (/home/stefan/EFL/efl/build/src/tests/eldbus/eldbus_suite+0x407925)
    #23 0x7fd37bc1ff32 in __libc_start_main (/lib64/libc.so.6+0x23f32)
    #24 0x405d8d in _start (/home/stefan/EFL/efl/build/src/tests/eldbus/eldbus_suite+0x405d8d)

0x60d000000110 is located 0 bytes inside of 144-byte region [0x60d000000110,0x60d0000001a0)
freed by thread T0 here:
    #0 0x7fd37c52f8af in __interceptor_free (/lib64/libasan.so.5+0x10d8af)
ERR<3241>:eina_value ../src/lib/eina/eina_value.c:5522 eina_value_shutdown() Cannot free eina_value internal memory pools -- still in use!
    #1 0x7fd37c3b364e in _eldbus_signal_handler_del (/home/stefan/EFL/efl/build/src/tests/eldbus/../../lib/eldbus/libeldbus.so.1+0x5564e)
    #2 0x7fd37c3b3afa in eldbus_signal_handler_unref (/home/stefan/EFL/efl/build/src/tests/eldbus/../../lib/eldbus/libeldbus.so.1+0x55afa)
    #3 0x7fd37c3b3c19 in eldbus_signal_handler_del (/home/stefan/EFL/efl/build/src/tests/eldbus/../../lib/eldbus/libeldbus.so.1+0x55c19)
    #4 0x7fd37c383c0c in _eldbus_proxy_clear (/home/stefan/EFL/efl/build/src/tests/eldbus/../../lib/eldbus/libeldbus.so.1+0x25c0c)
    #5 0x7fd37c38480c in _on_object_free (/home/stefan/EFL/efl/build/src/tests/eldbus/../../lib/eldbus/libeldbus.so.1+0x2680c)
    #6 0x7fd37c38c860 in eldbus_cbs_free_dispatch (/home/stefan/EFL/efl/build/src/tests/eldbus/../../lib/eldbus/libeldbus.so.1+0x2e860)
    #7 0x7fd37c39ef21 in _eldbus_object_clear (/home/stefan/EFL/efl/build/src/tests/eldbus/../../lib/eldbus/libeldbus.so.1+0x40f21)
    #8 0x7fd37c39fae3 in _on_connection_free (/home/stefan/EFL/efl/build/src/tests/eldbus/../../lib/eldbus/libeldbus.so.1+0x41ae3)
    #9 0x7fd37c38c860 in eldbus_cbs_free_dispatch (/home/stefan/EFL/efl/build/src/tests/eldbus/../../lib/eldbus/libeldbus.so.1+0x2e860)
    #10 0x7fd37c391566 in _eldbus_connection_free (/home/stefan/EFL/efl/build/src/tests/eldbus/../../lib/eldbus/libeldbus.so.1+0x33566)
    #11 0x7fd37c392746 in eldbus_connection_unref (/home/stefan/EFL/efl/build/src/tests/eldbus/../../lib/eldbus/libeldbus.so.1+0x34746)
    #12 0x7fd37c3c3314 in _eldbus_model_efl_object_invalidate (/home/stefan/EFL/efl/build/src/tests/eldbus/../../lib/eldbus/libeldbus.so.1+0x65314)
    #13 0x7fd37c191a03 in efl_invalidate (/home/stefan/EFL/efl/build/src/tests/eldbus/../../lib/eo/libeo.so.1+0x40a03)
    #14 0x7fd37c17f216 in _efl_invalidate (/home/stefan/EFL/efl/build/src/tests/eldbus/../../lib/eo/libeo.so.1+0x2e216)
    #15 0x7fd37c182edf in _efl_object_parent_set (/home/stefan/EFL/efl/build/src/tests/eldbus/../../lib/eo/libeo.so.1+0x31edf)
    #16 0x7fd37c18ea86 in efl_parent_set (/home/stefan/EFL/efl/build/src/tests/eldbus/../../lib/eo/libeo.so.1+0x3da86)
    #17 0x7fd37be73f3b in _efl_loop_consumer_efl_object_parent_set (/home/stefan/EFL/efl/build/src/tests/eldbus/../../lib/ecore/libecore.so.1+0x83f3b)
    #18 0x7fd37c18ea86 in efl_parent_set (/home/stefan/EFL/efl/build/src/tests/eldbus/../../lib/eo/libeo.so.1+0x3da86)
    #19 0x7fd37c17f33a in _efl_invalidate (/home/stefan/EFL/efl/build/src/tests/eldbus/../../lib/eo/libeo.so.1+0x2e33a)
    #20 0x7fd37c182edf in _efl_object_parent_set (/home/stefan/EFL/efl/build/src/tests/eldbus/../../lib/eo/libeo.so.1+0x31edf)
    #21 0x7fd37c18ea86 in efl_parent_set (/home/stefan/EFL/efl/build/src/tests/eldbus/../../lib/eo/libeo.so.1+0x3da86)
    #22 0x7fd37be73f3b in _efl_loop_consumer_efl_object_parent_set (/home/stefan/EFL/efl/build/src/tests/eldbus/../../lib/ecore/libecore.so.1+0x83f3b)
    #23 0x7fd37c18ea86 in efl_parent_set (/home/stefan/EFL/efl/build/src/tests/eldbus/../../lib/eo/libeo.so.1+0x3da86)
    #24 0x7fd37c17f33a in _efl_invalidate (/home/stefan/EFL/efl/build/src/tests/eldbus/../../lib/eo/libeo.so.1+0x2e33a)
    #25 0x7fd37c182edf in _efl_object_parent_set (/home/stefan/EFL/efl/build/src/tests/eldbus/../../lib/eo/libeo.so.1+0x31edf)
ERR<3242>:eina_value ../src/lib/eina/eina_value.c:5522 eina_value_shutdown()     #26 0x7fd37c18ea86 in efl_parent_set (/home/stefan/EFL/efl/build/src/tests/eldbus/../../lib/eo/libeo.so.1+0x3da86)
Cannot free eina_value internal memory pools -- still in use!
    #27 0x7fd37be73f3b in _efl_loop_consumer_efl_object_parent_set (/home/stefan/EFL/efl/build/src/tests/eldbus/../../lib/ecore/libecore.so.1+0x83f3b)
    #28 0x7fd37c18ea86 in efl_parent_set (/home/stefan/EFL/efl/build/src/tests/eldbus/../../lib/eo/libeo.so.1+0x3da86)
    #29 0x7fd37c182b5b in efl_del (/home/stefan/EFL/efl/build/src/tests/eldbus/../../lib/eo/libeo.so.1+0x31b5b)

previously allocated by thread T0 here:
    #0 0x7fd37c52fea6 in __interceptor_calloc (/lib64/libasan.so.5+0x10dea6)
    #1 0x7fd37c3b2a4b in _eldbus_signal_handler_add (/home/stefan/EFL/efl/build/src/tests/eldbus/../../lib/eldbus/libeldbus.so.1+0x54a4b)
    #2 0x7fd37c388efc in eldbus_proxy_signal_handler_add (/home/stefan/EFL/efl/build/src/tests/eldbus/../../lib/eldbus/libeldbus.so.1+0x2aefc)
    #3 0x7fd37c3e45a6 in _eldbus_model_signal_callback_add (/home/stefan/EFL/efl/build/src/tests/eldbus/../../lib/eldbus/libeldbus.so.1+0x865a6)
    #4 0x7fd37c3e43ba in _eldbus_model_signal_signal_constructor (/home/stefan/EFL/efl/build/src/tests/eldbus/../../lib/eldbus/libeldbus.so.1+0x863ba)
    #5 0x7fd37c3e48e0 in eldbus_model_signal_constructor (/home/stefan/EFL/efl/build/src/tests/eldbus/../../lib/eldbus/libeldbus.so.1+0x868e0)
    #6 0x7fd37c3d9a3e in _eldbus_model_proxy_create_signals_children (/home/stefan/EFL/efl/build/src/tests/eldbus/../../lib/eldbus/libeldbus.so.1+0x7ba3e)
    #7 0x7fd37c3d8ffc in _eldbus_model_proxy_listed (/home/stefan/EFL/efl/build/src/tests/eldbus/../../lib/eldbus/libeldbus.so.1+0x7affc)
    #8 0x7fd37c3d91c1 in _eldbus_model_proxy_efl_model_children_count_get (/home/stefan/EFL/efl/build/src/tests/eldbus/../../lib/eldbus/libeldbus.so.1+0x7b1c1)
    #9 0x7fd37c06fc08 in efl_model_children_count_get (/home/stefan/EFL/efl/build/src/tests/eldbus/../../lib/efl/libefl.so.1+0xafc08)
    #10 0x420325 in children_slice_get (/home/stefan/EFL/efl/build/src/tests/eldbus/eldbus_suite+0x420325)
    #11 0x7fd37bde9744 in srunner_run_tagged (/lib64/libcheck.so.0+0x6744)

SUMMARY: AddressSanitizer: heap-use-after-free (/home/stefan/EFL/efl/build/src/tests/eldbus/../../lib/eldbus/libeldbus.so.1+0x5591d) in eldbus_signal_handler_unref
Shadow bytes around the buggy address:
  0x0c1a7fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1a7fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1a7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1a7fff8000: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c1a7fff8010: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
=>0x0c1a7fff8020: fa fa[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c1a7fff8030: fd fd fd fd fa fa fa fa fa fa fa fa fd fd fd fd
  0x0c1a7fff8040: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa
  0x0c1a7fff8050: fa fa fa fa fa fa fd fd fd fd fd fd fd fd fd fd
  0x0c1a7fff8060: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c1a7fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==3232==ABORTING
ERR<3240>:eina_value ../src/lib/eina/eina_value.c:5522 eina_value_shutdown() Cannot free eina_value internal memory pools -- still in use!
ERR<3245>:eina_value ../src/lib/eina/eina_value.c:5522 eina_value_shutdown() Cannot free eina_value internal memory pools -- still in use!
ERR<3244>:eina_value ../src/lib/eina/eina_value.c:5522 eina_value_shutdown() Cannot free eina_value internal memory pools -- still in use!
ERR<3247>:eina_value ../src/lib/eina/eina_value.c:5522 eina_value_shutdown() Cannot free eina_value internal memory pools -- still in use!
ERR<3249>:eina_value ../src/lib/eina/eina_value.c:5522 eina_value_shutdown() Cannot free eina_value internal memory pools -- still in use!
ERR<3248>:eldbus_model ../src/lib/eldbus/eldbus_model_arguments.c:211 eldbus_model_arguments_process_arguments() org.enlightenment.DBus.Canceled: Canceled by user.
ERR<3248>:eina_value ../src/lib/eina/eina_value.c:5522 eina_value_shutdown() Cannot free eina_value internal memory pools -- still in use!
ERR<3255>:eina_value ../src/lib/eina/eina_value.c:5522 eina_value_shutdown() Cannot free eina_value internal memory pools -- still in use!

Prettier output after running with -g -O0 compiled:

25/44 eldbus-suite                            FAIL     1.43 s (exit status 1)

--- command ---
EFL_RUN_IN_TREE='1' /home/stefan/EFL/efl/build/src/tests/eldbus/eldbus_suite
--- Listing only the last 100 lines from a long log. ---
    #15 0x7f1aba504a86 in efl_parent_set src/lib/eo/efl_object.eo.c:16
    #16 0x7f1aba4f8b5b in efl_del ../src/lib/eo/eo_base_class.c:687
    #17 0x41fdbf in _teardown ../src/tests/eldbus/eldbus_test_eldbus_model_proxy.c:52
    #18 0x7f1aba15ecdf  (/lib64/libcheck.so.0+0x5cdf)
    #19 0x7f1aba15f766 in srunner_run_tagged (/lib64/libcheck.so.0+0x6766)
    #20 0x406a01 in _efl_suite_run_end ../src/tests/eldbus/../efl_check.h:282
    #21 0x407357 in _efl_suite_build_and_run ../src/tests/eldbus/../efl_check.h:403
    #22 0x407925 in main ../src/tests/eldbus/eldbus_suite.c:49
    #23 0x7f1ab9f95f32 in __libc_start_main (/lib64/libc.so.6+0x23f32)
    #24 0x405d8d in _start (/home/stefan/EFL/efl/build/src/tests/eldbus/eldbus_suite+0x405d8d)

0x60d000000110 is located 0 bytes inside of 144-byte region [0x60d000000110,0x60d0000001a0)
freed by thread T0 here:
    #0 0x7f1aba8a58af in __interceptor_free (/lib64/libasan.so.5+0x10d8af)
    #1 0x7f1aba72964e in _eldbus_signal_handler_del ../src/lib/eldbus/eldbus_signal_handler.c:258
    #2 0x7f1aba729afa in eldbus_signal_handler_unref ../src/lib/eldbus/eldbus_signal_handler.c:281
    #3 0x7f1aba729c19 in eldbus_signal_handler_del ../src/lib/eldbus/eldbus_signal_handler.c:289
    #4 0x7f1aba6f9c0c in _eldbus_proxy_clear ../src/lib/eldbus/eldbus_proxy.c:135
    #5 0x7f1aba6fa80c in _on_object_free ../src/lib/eldbus/eldbus_proxy.c:200
    #6 0x7f1aba702860 in eldbus_cbs_free_dispatch ../src/lib/eldbus/eldbus_core.c:331
    #7 0x7f1aba714f21 in _eldbus_object_clear ../src/lib/eldbus/eldbus_object.c:118
    #8 0x7f1aba715ae3 in _on_connection_free ../src/lib/eldbus/eldbus_object.c:183
    #9 0x7f1aba702860 in eldbus_cbs_free_dispatch ../src/lib/eldbus/eldbus_core.c:331
    #10 0x7f1aba707566 in _eldbus_connection_free ../src/lib/eldbus/eldbus_core.c:1199
    #11 0x7f1aba708746 in eldbus_connection_unref ../src/lib/eldbus/eldbus_core.c:1312
    #12 0x7f1aba739314 in _eldbus_model_efl_object_invalidate ../src/lib/eldbus/eldbus_model.c:80
    #13 0x7f1aba507a03 in efl_invalidate src/lib/eo/efl_object.eo.c:164
    #14 0x7f1aba4f5216 in _efl_invalidate ../src/lib/eo/eo_base_class.c:203
    #15 0x7f1aba4f8edf in _efl_object_parent_set ../src/lib/eo/eo_base_class.c:735
    #16 0x7f1aba504a86 in efl_parent_set src/lib/eo/efl_object.eo.c:16
    #17 0x7f1aba1e9f3b in _efl_loop_consumer_efl_object_parent_set ../src/lib/ecore/efl_loop_consumer.c:36
    #18 0x7f1aba504a86 in efl_parent_set src/lib/eo/efl_object.eo.c:16
    #19 0x7f1aba4f533a in _efl_invalidate ../src/lib/eo/eo_base_class.c:215
    #20 0x7f1aba4f8edf in _efl_object_parent_set ../src/lib/eo/eo_base_class.c:735
    #21 0x7f1aba504a86 in efl_parent_set src/lib/eo/efl_object.eo.c:16
    #22 0x7f1aba1e9f3b in _efl_loop_consumer_efl_object_parent_set ../src/lib/ecore/efl_loop_consumer.c:36
    #23 0x7f1aba504a86 in efl_parent_set src/lib/eo/efl_object.eo.c:16
    #24 0x7f1aba4f533a in _efl_invalidate ../src/lib/eo/eo_base_class.c:215
    #25 0x7f1aba4f8edf in _efl_object_parent_set ../src/lib/eo/eo_base_class.c:735
    #26 0x7f1aba504a86 in efl_parent_set src/lib/eo/efl_object.eo.c:16
    #27 0x7f1aba1e9f3b in _efl_loop_consumer_efl_object_parent_set ../src/lib/ecore/efl_loop_consumer.c:36
    #28 0x7f1aba504a86 in efl_parent_set src/lib/eo/efl_object.eo.c:16
    #29 0x7f1aba4f8b5b in efl_del ../src/lib/eo/eo_base_class.c:687

previously allocated by thread T0 here:
    #0 0x7f1aba8a5ea6 in __interceptor_calloc (/lib64/libasan.so.5+0x10dea6)
    #1 0x7f1aba728a4b in _eldbus_signal_handler_add ../src/lib/eldbus/eldbus_signal_handler.c:174
    #2 0x7f1aba6feefc in eldbus_proxy_signal_handler_add ../src/lib/eldbus/eldbus_proxy.c:666
    #3 0x7f1aba75a5a6 in _eldbus_model_signal_callback_add ../src/lib/eldbus/eldbus_model_signal.c:63
    #4 0x7f1aba75a3ba in _eldbus_model_signal_signal_constructor ../src/lib/eldbus/eldbus_model_signal.c:42
    #5 0x7f1aba75a8e0 in eldbus_model_signal_constructor src/lib/eldbus/eldbus_model_signal.eo.c:4
    #6 0x7f1aba74fa3e in _eldbus_model_proxy_create_signals_children ../src/lib/eldbus/eldbus_model_proxy.c:465
    #7 0x7f1aba74effc in _eldbus_model_proxy_listed ../src/lib/eldbus/eldbus_model_proxy.c:368
    #8 0x7f1aba74f1c1 in _eldbus_model_proxy_efl_model_children_count_get ../src/lib/eldbus/eldbus_model_proxy.c:393
    #9 0x7f1aba3e5c08 in efl_model_children_count_get src/lib/efl/interfaces/efl_model.eo.c:22
    #10 0x420325 in children_slice_get ../src/tests/eldbus/eldbus_test_eldbus_model_proxy.c:121
    #11 0x7f1aba15f744 in srunner_run_tagged (/lib64/libcheck.so.0+0x6744)

SUMMARY: AddressSanitizer: heap-use-after-free ../src/lib/eldbus/eldbus_signal_handler.c:274 in eldbus_signal_handler_unref
Shadow bytes around the buggy address:
  0x0c1a7fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1a7fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1a7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1a7fff8000: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c1a7fff8010: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
=>0x0c1a7fff8020: fa fa[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c1a7fff8030: fd fd fd fd fa fa fa fa fa fa fa fa fd fd fd fd
  0x0c1a7fff8040: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa
  0x0c1a7fff8050: fa fa fa fa fa fa fd fd fd fd fd fd fd fd fd fd
  0x0c1a7fff8060: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c1a7fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==17088==ABORTING

I am assigning this purely on the fact that it goes through #17 0x41fdbf in _teardown ../src/tests/eldbus/eldbus_test_eldbus_model_proxy.c:52 every time I am hitting this.
If you could have a look and see if that comes from the model test code or from the actual eldbus lib that might already help.

Most likely I won't have time to look at this this week before I go on holiday. I will try to, but if by Friday I haven't proposed a patch for this, consider it will be done in September.

I have been digging around in this for a while and here is what seems to be happening to me.

There are signal_handler and proxy unrefs in eldbus model which are being called when the object itself is already deleted. Valgrind gives me a 4 byte invalid read which points to the magic check in the beginning of the object (checked on during the unref/del procedure).

An additional report that came up is a use-after-free access of sd->promise in _eldbus_model_proxy_cancel_cb. This seems racy somehow.

As I have no idea on eldbus model and the promise / future handling it uses I am a bit out of luck getting this fixed. I can only confirm that the following works around it to allow me to do further testing (likely enough to leak or break other things):

diff --git a/src/lib/eldbus/eldbus_model_arguments.c b/src/lib/eldbus/eldbus_model_arguments.c
index ed6cbe2cce..3c4fb4e41c 100644
--- a/src/lib/eldbus/eldbus_model_arguments.c
+++ b/src/lib/eldbus/eldbus_model_arguments.c
@@ -73,7 +73,7 @@ _eldbus_model_arguments_efl_object_destructor(Eo *obj, Eldbus_Model_Arguments_Da
    eina_hash_free(pd->properties);

    eina_stringshare_del(pd->name);
-   eldbus_proxy_unref(pd->proxy);
+//   eldbus_proxy_unref(pd->proxy);

    efl_destructor(efl_super(obj, MY_CLASS));
 }
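Review bot: Commenting out eldbus_proxy_unref(pd->proxy) in _eldbus_model_arguments_efl_object_destructor means the destructor no longer releases whatever it holds on pd->proxy, so the proxy leaks whenever the model is its last holder, and the disabled call stays behind as a // comment. If the crash comes from the proxy already being cleared by the time the destructor runs, keep the unref and make it safe instead, for example by setting pd->proxy to NULL when the proxy is freed and skipping the unref when it is NULL.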
diff --git a/src/lib/eldbus/eldbus_model_proxy.c b/src/lib/eldbus/eldbus_model_proxy.c
index bf1f8fb931..5a8580d968 100644
--- a/src/lib/eldbus/eldbus_model_proxy.c
+++ b/src/lib/eldbus/eldbus_model_proxy.c
@@ -235,7 +235,7 @@ _eldbus_model_proxy_cancel_cb(Efl_Loop_Consumer *consumer EINA_UNUSED,
 {
    Eldbus_Model_Proxy_Property_Set_Data *sd = data;

-   sd->promise = NULL;
+   //sd->promise = NULL;
 }

 static Eldbus_Pending *
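Review bot: With sd->promise = NULL commented out in _eldbus_model_proxy_cancel_cb, a cancelled promise stays referenced by sd, so any later path that still reaches a live sd can act on a promise that is already gone. The write only faults when sd has been freed before the cancel callback runs, so the fix belongs in the lifetime of sd: either the reply path must not free sd while the cancel callback can still fire, or the cancel callback must be detached before sd is freed.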
diff --git a/src/lib/eldbus/eldbus_model_signal.c b/src/lib/eldbus/eldbus_model_signal.c
index d1bb490195..9adab06bb7 100644
--- a/src/lib/eldbus/eldbus_model_signal.c
+++ b/src/lib/eldbus/eldbus_model_signal.c
@@ -67,12 +67,13 @@ static void
 _eldbus_model_signal_callback_del(Eldbus_Model_Signal_Data *pd)
 {
    EINA_SAFETY_ON_NULL_RETURN(pd);
-
+#if 0
    if (pd->handler)
      {
         eldbus_signal_handler_unref(pd->handler);
         pd->handler = NULL;
      }
+#endif
 }

 static void
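Review bot: The #if 0 in _eldbus_model_signal_callback_del disables both the eldbus_signal_handler_unref(pd->handler) call and the pd->handler = NULL reset, so the model never releases the handler and pd->handler keeps its old value after teardown; the hunk also drops the blank line after EINA_SAFETY_ON_NULL_RETURN(pd). Rather than compiling the block out, keep it and make sure pd->handler is cleared when the handler is freed elsewhere, so the existing if (pd->handler) test skips the unref.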

Hopefully it will give you some hints where to look at least.
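
The teardown-order problem described in this comment, as an added example that is not part of the original post or of the EFL code base: a small C model in which the owner releases a handler before the object holding a borrowed pointer unrefs it, next to a variant where a free callback clears that pointer. All names (handler, proxy, model, teardown) are hypothetical, and static pool slots stand in for heap memory so the stale access shows up through the magic check instead of crashing.

```c
#include <stddef.h>
#include <stdio.h>
/* All names below are hypothetical stand-ins, not the eldbus API. */
#define HANDLER_MAGIC 0x48444c52u  /* constructed tag, checked before use */
#define MAX_HANDLERS  4

typedef struct handler {
    unsigned         magic;        /* cleared on release */
    int              refs;
    struct handler **owner_slot;   /* owner's list entry, cleared on release */
    void           (*on_free)(void *data);
    void            *on_free_data;
} handler;

/* Static slots stand in for the heap, so reading a released handler's magic
 * is well defined here; with calloc/free that read is what ASan reports. */
static handler pool[MAX_HANDLERS];

typedef struct proxy { handler *handlers[MAX_HANDLERS]; } proxy;
typedef struct model { handler *h; } model;  /* borrowed pointer, no own ref */

static handler *handler_add(proxy *p) {
    for (size_t i = 0; i < MAX_HANDLERS; i++) {
        if (pool[i].magic == HANDLER_MAGIC) continue;   /* slot in use */
        pool[i] = (handler){ .magic = HANDLER_MAGIC, .refs = 1,
                             .owner_slot = &p->handlers[i] };
        p->handlers[i] = &pool[i];
        return &pool[i];
    }
    return NULL;
}

/* Returns 0 on success, -1 when the handler was already released. */
static int handler_unref(handler *h) {
    if (h->magic != HANDLER_MAGIC) return -1;
    if (--h->refs > 0) return 0;
    if (h->on_free) h->on_free(h->on_free_data);  /* tell the holder first */
    *h->owner_slot = NULL;
    h->magic = 0;
    return 0;
}

/* Owner teardown: releases every handler it still lists. */
static void proxy_clear(proxy *p) {
    for (size_t i = 0; i < MAX_HANDLERS; i++)
        if (p->handlers[i]) handler_unref(p->handlers[i]);
}

static void model_handler_gone(void *data) { ((model *)data)->h = NULL; }
static void model_attach(model *m, proxy *p, int guarded) {
    m->h = handler_add(p);
    if (!guarded || !m->h) return;
    m->h->on_free = model_handler_gone;   /* the fix: drop pointer on free */
    m->h->on_free_data = m;
}

/* Model teardown: unref the handler if the pointer is still set. */
static int model_detach(model *m) {
    int rc = 0;
    if (m->h) { rc = handler_unref(m->h); m->h = NULL; }
    return rc;
}

/* Result of the model's unref; -1 means it touched a released handler. */
static int teardown(int guarded, int owner_first) {
    proxy p = {0};
    model m = {0};
    model_attach(&m, &p, guarded);
    if (owner_first) proxy_clear(&p);   /* order seen in the ASan trace */
    int rc = model_detach(&m);
    proxy_clear(&p);                    /* no-op if already cleared */
    return rc;
}

int main(void) {
    printf("owner first: unguarded=%d guarded=%d\n", teardown(0, 1), teardown(1, 1));
    return 0;
}
```

Only the unguarded model with the owner torn down first reports a stale unref, which matches the order in the trace: the proxy clears its handlers during connection free and the model's own unref comes afterwards.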

Just re-ran some ASAN-enabled testsuite runs and I now see this:

==20042==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000002c60 at pc 0x7fa764f4247e bp 0x7ffe2544cd60 sp 0x7ffe2544cd50
WRITE of size 8 at 0x603000002c60 thread T0
    #0 0x7fa764f4247d in _eldbus_model_proxy_cancel_cb (/home/stefan/EFL/efl/build-asan/src/tests/eldbus/../../lib/eldbus/libeldbus.so.1+0x7a47d)
    #1 0x7fa764cfab25 in _efl_future_cb (/home/stefan/EFL/efl/build-asan/src/tests/eldbus/../../lib/eo/libeo.so.1+0x3eb25)
    #2 0x7fa764dccb5d in _eina_future_cb_dispatch (/home/stefan/EFL/efl/build-asan/src/tests/eldbus/../../lib/eina/libeina.so.1+0xabb5d)
    #3 0x7fa764dcce9d in _eina_future_dispatch_internal (/home/stefan/EFL/efl/build-asan/src/tests/eldbus/../../lib/eina/libeina.so.1+0xabe9d)
    #4 0x7fa764dcd2b5 in _eina_future_dispatch (/home/stefan/EFL/efl/build-asan/src/tests/eldbus/../../lib/eina/libeina.so.1+0xac2b5)
    #5 0x7fa764dcd6d1 in _scheduled_entry_cb (/home/stefan/EFL/efl/build-asan/src/tests/eldbus/../../lib/eina/libeina.so.1+0xac6d1)
    #6 0x7fa764cf5fab in _futures_dispatch_cb (/home/stefan/EFL/efl/build-asan/src/tests/eldbus/../../lib/eo/libeo.so.1+0x39fab)
    #7 0x7fa764cf7f78 in _event_callback_call (/home/stefan/EFL/efl/build-asan/src/tests/eldbus/../../lib/eo/libeo.so.1+0x3bf78)
    #8 0x7fa764cf88fa in _efl_object_event_callback_call (/home/stefan/EFL/efl/build-asan/src/tests/eldbus/../../lib/eo/libeo.so.1+0x3c8fa)
    #9 0x7fa764cf8ae3 in efl_event_callback_call (/home/stefan/EFL/efl/build-asan/src/tests/eldbus/../../lib/eo/libeo.so.1+0x3cae3)
    #10 0x7fa7649df363 in _ecore_main_loop_iterate_internal (/home/stefan/EFL/efl/build-asan/src/tests/eldbus/../../lib/ecore/libecore.so.1+0x6d363)
    #11 0x7fa7649d93cd in _ecore_main_loop_begin (/home/stefan/EFL/efl/build-asan/src/tests/eldbus/../../lib/ecore/libecore.so.1+0x673cd)
    #12 0x7fa7649eccbe in _efl_loop_begin (/home/stefan/EFL/efl/build-asan/src/tests/eldbus/../../lib/ecore/libecore.so.1+0x7acbe)
    #13 0x7fa7649f2006 in efl_loop_begin (/home/stefan/EFL/efl/build-asan/src/tests/eldbus/../../lib/ecore/libecore.so.1+0x80006)
    #14 0x7fa7649d9887 in ecore_main_loop_begin (/home/stefan/EFL/efl/build-asan/src/tests/eldbus/../../lib/ecore/libecore.so.1+0x67887)
    #15 0x40f168 in efl_model_wait_for_event (/home/stefan/EFL/efl/build-asan/src/tests/eldbus/eldbus_suite+0x40f168)
    #16 0x43e794 in _check_property_set (/home/stefan/EFL/efl/build-asan/src/tests/eldbus/eldbus_suite+0x43e794)
    #17 0x43e95b in property_set (/home/stefan/EFL/efl/build-asan/src/tests/eldbus/eldbus_suite+0x43e95b)
    #18 0x7fa76496b744 in tcase_run_tfun_fork /usr/src/debug/check-0.12.0-4.fc30.x86_64/src/check_run.c:494
    #19 0x7fa76496b744 in srunner_iterate_tcase_tfuns /usr/src/debug/check-0.12.0-4.fc30.x86_64/src/check_run.c:252
    #20 0x7fa76496b744 in srunner_run_tcase /usr/src/debug/check-0.12.0-4.fc30.x86_64/src/check_run.c:401
    #21 0x7fa76496b744 in srunner_iterate_suites /usr/src/debug/check-0.12.0-4.fc30.x86_64/src/check_run.c:218
    #22 0x7fa76496b744 in srunner_run_tagged /usr/src/debug/check-0.12.0-4.fc30.x86_64/src/check_run.c:811
    #23 0x406a01 in _efl_suite_run_end (/home/stefan/EFL/efl/build-asan/src/tests/eldbus/eldbus_suite+0x406a01)
    #24 0x407357 in _efl_suite_build_and_run (/home/stefan/EFL/efl/build-asan/src/tests/eldbus/eldbus_suite+0x407357)
    #25 0x407925 in main (/home/stefan/EFL/efl/build-asan/src/tests/eldbus/eldbus_suite+0x407925)
    #26 0x7fa7647a1f32 in __libc_start_main (/lib64/libc.so.6+0x23f32)
    #27 0x405d8d in _start (/home/stefan/EFL/efl/build-asan/src/tests/eldbus/eldbus_suite+0x405d8d)

0x603000002c60 is located 16 bytes inside of 32-byte region [0x603000002c50,0x603000002c70)
freed by thread T0 here:
    #0 0x7fa7650998af in __interceptor_free (/lib64/libasan.so.5+0x10d8af)
    #1 0x7fa764f459c5 in _eldbus_model_proxy_property_set_data_free (/home/stefan/EFL/efl/build-asan/src/tests/eldbus/../../lib/eldbus/libeldbus.so.1+0x7d9c5)
    #2 0x7fa764f45790 in _eldbus_model_proxy_property_set_cb (/home/stefan/EFL/efl/build-asan/src/tests/eldbus/../../lib/eldbus/libeldbus.so.1+0x7d790)
    #3 0x7fa764ef1ad7 in _on_proxy_message_cb (/home/stefan/EFL/efl/build-asan/src/tests/eldbus/../../lib/eldbus/libeldbus.so.1+0x29ad7)
    #4 0x7fa764f0f7c0 in eldbus_pending_dispatch (/home/stefan/EFL/efl/build-asan/src/tests/eldbus/../../lib/eldbus/libeldbus.so.1+0x477c0)
    #5 0x7fa764f0e60a in cb_pending (/home/stefan/EFL/efl/build-asan/src/tests/eldbus/../../lib/eldbus/libeldbus.so.1+0x4660a)
    #6 0x7fa7643d2a3a in complete_pending_call_and_unlock ../../dbus/dbus-connection.c:2332

previously allocated by thread T0 here:
    #0 0x7fa765099ea6 in __interceptor_calloc (/lib64/libasan.so.5+0x10dea6)
    #1 0x7fa764f428cc in _eldbus_model_proxy_efl_model_property_set (/home/stefan/EFL/efl/build-asan/src/tests/eldbus/../../lib/eldbus/libeldbus.so.1+0x7a8cc)
    #2 0x7fa764be313a in efl_model_property_set (/home/stefan/EFL/efl/build-asan/src/tests/eldbus/../../lib/efl/libefl.so.1+0xab13a)
    #3 0x43e774 in _check_property_set (/home/stefan/EFL/efl/build-asan/src/tests/eldbus/eldbus_suite+0x43e774)
    #4 0x43e947 in property_set (/home/stefan/EFL/efl/build-asan/src/tests/eldbus/eldbus_suite+0x43e947)
    #5 0x7fa76496b744 in tcase_run_tfun_fork /usr/src/debug/check-0.12.0-4.fc30.x86_64/src/check_run.c:494
    #6 0x7fa76496b744 in srunner_iterate_tcase_tfuns /usr/src/debug/check-0.12.0-4.fc30.x86_64/src/check_run.c:252
    #7 0x7fa76496b744 in srunner_run_tcase /usr/src/debug/check-0.12.0-4.fc30.x86_64/src/check_run.c:401
    #8 0x7fa76496b744 in srunner_iterate_suites /usr/src/debug/check-0.12.0-4.fc30.x86_64/src/check_run.c:218
    #9 0x7fa76496b744 in srunner_run_tagged /usr/src/debug/check-0.12.0-4.fc30.x86_64/src/check_run.c:811

SUMMARY: AddressSanitizer: heap-use-after-free (/home/stefan/EFL/efl/build-asan/src/tests/eldbus/../../lib/eldbus/libeldbus.so.1+0x7a47d) in _eldbus_model_proxy_cancel_cb
Shadow bytes around the buggy address:
  0x0c067fff8530: 00 00 00 fa fa fa 00 00 00 fa fa fa 00 00 00 fa
  0x0c067fff8540: fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa 00 00
  0x0c067fff8550: 00 fa fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa
  0x0c067fff8560: 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00
  0x0c067fff8570: fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa 00 00
=>0x0c067fff8580: 00 00 fa fa fd fd fd fd fa fa fd fd[fd]fd fa fa
  0x0c067fff8590: fd fd fd fa fa fa fd fd fd fa fa fa fd fd fd fa
  0x0c067fff85a0: fa fa fd fd fd fa fa fa fd fd fd fa fa fa fd fd
  0x0c067fff85b0: fd fa fa fa fd fd fd fa fa fa fd fd fd fa fa fa
  0x0c067fff85c0: fd fd fd fa fa fa fd fd fd fa fa fa fd fd fd fa
  0x0c067fff85d0: fa fa fd fd fd fa fa fa fd fd fd fd fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==20042==ABORTING
stefan_schmidt closed this task as Resolved. Mon, Nov 18, 2:46 AM