Textedit: Destroy keyboard when not used
Opened this issue · 1 comments
brianwatling commented
nk_console_textedit_button_back_click calls nk_console_free_children on button->parent which by definition frees the button itself. When this is invoked nk_console_button_render then proceeds to do postprocessing for disabled and up/down/tooltip on the deleted button and triggers a use after free crash. Instead the button should queue itself to be deleted in another phase or some other solution should be found.
I first noticed the crash in a debug build of my own project - I use mimalloc which can detect some use-after-free bugs in debug mode. Running the demo with ASAN confirmed the root cause and gave the (trimmed) trace below.
$ ./nuklear_console_demo_sdl
=================================================================
==78974==ERROR: AddressSanitizer: heap-use-after-free on address 0x60d00010fdac at pc 0x5ddbc8dd3c5d bp 0x7ffc5dafa9b0 sp 0x7ffc5dafa9a0
READ of size 4 at 0x60d00010fdac thread T0
#0 0x5ddbc8dd3c5c in nk_console_button_render (nuklear_console/demo/sdl_renderer/nuklear_console_demo_sdl+0x454c5c)
#1 0x5ddbc8de4950 in nk_console_row_render (nuklear_console/demo/sdl_renderer/nuklear_console_demo_sdl+0x465950)
#2 0x5ddbc8dfc203 in nk_console_render (nuklear_console/demo/sdl_renderer/nuklear_console_demo_sdl+0x47d203)
#3 0x5ddbc8dfbe9f in nk_console_render (nuklear_console/demo/sdl_renderer/nuklear_console_demo_sdl+0x47ce9f)
#4 0x5ddbc8e023e6 in nuklear_console_demo_render (nuklear_console/demo/sdl_renderer/nuklear_console_demo_sdl+0x4833e6)
#5 0x5ddbc8e02fb2 in main (nuklear_console/demo/sdl_renderer/nuklear_console_demo_sdl+0x483fb2)
#6 0x73b7b7429d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#7 0x73b7b7429e3f in __libc_start_main_impl ../csu/libc-start.c:392
#8 0x5ddbc8bfbbe4 in _start (nuklear_console/demo/sdl_renderer/nuklear_console_demo_sdl+0x27cbe4)
0x60d00010fdac is located 28 bytes inside of 144-byte region [0x60d00010fd90,0x60d00010fe20)
freed by thread T0 here:
#0 0x73b7b80be470 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:52
#1 0x5ddbc8c103a6 in nk_mfree (nuklear_console/demo/sdl_renderer/nuklear_console_demo_sdl+0x2913a6)
#2 0x5ddbc8dfc8df in nk_console_mfree (nuklear_console/demo/sdl_renderer/nuklear_console_demo_sdl+0x47d8df)
#3 0x5ddbc8dfd91a in nk_console_free (nuklear_console/demo/sdl_renderer/nuklear_console_demo_sdl+0x47e91a)
#4 0x5ddbc8dfddd5 in nk_console_free_children (nuklear_console/demo/sdl_renderer/nuklear_console_demo_sdl+0x47edd5)
#5 0x5ddbc8dfd907 in nk_console_free (nuklear_console/demo/sdl_renderer/nuklear_console_demo_sdl+0x47e907)
#6 0x5ddbc8dfddd5 in nk_console_free_children (nuklear_console/demo/sdl_renderer/nuklear_console_demo_sdl+0x47edd5)
#7 0x5ddbc8de59ee in nk_console_textedit_button_back_click (nuklear_console/demo/sdl_renderer/nuklear_console_demo_sdl+0x4669ee)
#8 0x5ddbc8df7264 in nk_console_trigger_event (nuklear_console/demo/sdl_renderer/nuklear_console_demo_sdl+0x478264)
#9 0x5ddbc8dd3bc6 in nk_console_button_render (nuklear_console/demo/sdl_renderer/nuklear_console_demo_sdl+0x454bc6)
#10 0x5ddbc8de4950 in nk_console_row_render (nuklear_console/demo/sdl_renderer/nuklear_console_demo_sdl+0x465950)
#11 0x5ddbc8dfc203 in nk_console_render (nuklear_console/demo/sdl_renderer/nuklear_console_demo_sdl+0x47d203)
#12 0x5ddbc8dfbe9f in nk_console_render (nuklear_console/demo/sdl_renderer/nuklear_console_demo_sdl+0x47ce9f)
#13 0x5ddbc8e023e6 in nuklear_console_demo_render (nuklear_console/demo/sdl_renderer/nuklear_console_demo_sdl+0x4833e6)
#14 0x5ddbc8e02fb2 in main (nuklear_console/demo/sdl_renderer/nuklear_console_demo_sdl+0x483fb2)
#15 0x73b7b7429d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58