
Using two input devices simultaneously causes heap overflow + undefined behavior #1507

Open
Febbe opened this issue Sep 28, 2019 · 4 comments
Labels
bug confirmed Bug has been reproduced by at least one other person Crash difficulty::hard Input priority::high

Comments

@Febbe
Collaborator

Febbe commented Sep 28, 2019


Affects versions :

  • OS: Linux Mint 19.03
  • Display Protocol X11
  • 3.22.x
  • Version: current master

Describe the bug
Undefined behaviour and crash when using two fingers or finger and stylus at the same time, or stylus(pen) and then finger(handtool)

To Reproduce
Steps to reproduce the behavior:

  1. compile with CXXFLAGS=-stdlib=libstdc++ -g -fsanitize=address -fsanitize=undefined -fno-omit-frame-pointer
  2. open xournalpp over console
  3. do the above described actions

Expected behavior
No undefined behaviour, no crash, no heap-buffer-overflow

Additional context
May be the reason for #1471 #1475 #1457 .

Starting program: /home/febbe/ClionProjects/xournalpp/cmake-build-sanitizers/src/xournalpp ..
warning: the debug information found in "/lib64/ld-2.23.so" does not match "/lib64/ld-linux-x86-64.so.2" (CRC mismatch).

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

** (xournalpp:23404): WARNING **: Unsupported input method: xim, changed to: ibus
[New Thread 0x7fffe3f34700 (LWP 23405)]
[New Thread 0x7fffe3733700 (LWP 23406)]
ALSA lib pcm_dsnoop.c:606:(snd_pcm_dsnoop_open) unable to open slave
ALSA lib pcm_dmix.c:1029:(snd_pcm_dmix_open) unable to open slave
ALSA lib pcm.c:2266:(snd_pcm_open_noupdate) Unknown PCM cards.pcm.rear
ALSA lib pcm.c:2266:(snd_pcm_open_noupdate) Unknown PCM cards.pcm.center_lfe
ALSA lib pcm.c:2266:(snd_pcm_open_noupdate) Unknown PCM cards.pcm.side
[New Thread 0x7fffdd802700 (LWP 23407)]
[Thread 0x7fffdd802700 (LWP 23407) exited]
[New Thread 0x7fffdd802700 (LWP 23408)]
[Thread 0x7fffdd802700 (LWP 23408) exited]
ALSA lib pcm_dmix.c:1029:(snd_pcm_dmix_open) unable to open slave
[New Thread 0x7fffdd802700 (LWP 23409)]
[Thread 0x7fffdd802700 (LWP 23409) exited]
[New Thread 0x7fffdd802700 (LWP 23410)]
[Thread 0x7fffdd802700 (LWP 23410) exited]
[New Thread 0x7fffdd802700 (LWP 23411)]
[Thread 0x7fffdd802700 (LWP 23411) exited]

(xournalpp:23404): Gtk-CRITICAL **: gtk_widget_queue_resize: assertion 'GTK_IS_WIDGET (widget)' failed
[New Thread 0x7fffdd802700 (LWP 23412)]
/home/febbe/ClionProjects/xournalpp/src/model/Stroke.cpp:207:35: runtime error: member call on address 0x6210003bed00 which does not point to an object of type 'Point'
0x6210003bed00: note: object has invalid vptr
 19 00 80 27  be be be be be be be be  be be be be be be be be  be be be be be be be be  be be be be
              ^~~~~~~~~~~~~~~~~~~~~~~
              invalid vptr
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/febbe/ClionProjects/xournalpp/src/model/Stroke.cpp:207:35 in 
/home/febbe/ClionProjects/xournalpp/src/model/Stroke.cpp:444:3: runtime error: member access within address 0x6210003bed00 which does not point to an object of type 'Point'
0x6210003bed00: note: object has invalid vptr
 19 00 80 27  be be be be be be be be  76 00 00 00 aa 00 aa ff  a2 bf 93 55 34 17 75 40  ea a0 0e 6a
              ^~~~~~~~~~~~~~~~~~~~~~~
              invalid vptr
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/febbe/ClionProjects/xournalpp/src/model/Stroke.cpp:444:3 in 
/home/febbe/ClionProjects/xournalpp/src/model/Stroke.cpp:398:10: runtime error: member access within address 0x6210003ae900 which does not point to an object of type 'Point'
0x6210003ae900: note: object has invalid vptr
 16 00 00 4c  be be be be be be be be  76 00 00 00 aa 00 aa ff  a2 bf 93 55 34 17 75 40  ea a0 0e 6a
              ^~~~~~~~~~~~~~~~~~~~~~~
              invalid vptr
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/febbe/ClionProjects/xournalpp/src/model/Stroke.cpp:398:10 in 
/home/febbe/ClionProjects/xournalpp/src/model/Stroke.cpp:574:21: runtime error: member access within address 0x6210003bed00 which does not point to an object of type 'Point'
0x6210003bed00: note: object has invalid vptr
 19 00 80 27  be be be be be be be be  76 00 00 00 aa 00 aa ff  a2 bf 93 55 34 17 75 40  ea a0 0e 6a
              ^~~~~~~~~~~~~~~~~~~~~~~
              invalid vptr
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/febbe/ClionProjects/xournalpp/src/model/Stroke.cpp:574:21 in 
/home/febbe/ClionProjects/xournalpp/src/model/Stroke.cpp:579:32: runtime error: member access within address 0x6210003bed00 which does not point to an object of type 'Point'
0x6210003bed00: note: object has invalid vptr
 19 00 80 27  be be be be be be be be  76 00 00 00 aa 00 aa ff  a2 bf 93 55 34 17 75 40  ea a0 0e 6a
              ^~~~~~~~~~~~~~~~~~~~~~~
              invalid vptr
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/febbe/ClionProjects/xournalpp/src/model/Stroke.cpp:579:32 in 
/home/febbe/ClionProjects/xournalpp/src/model/Stroke.cpp:581:25: runtime error: member access within address 0x6210003bed00 which does not point to an object of type 'Point'
0x6210003bed00: note: object has invalid vptr
 19 00 80 27  be be be be be be be be  76 00 00 00 aa 00 aa ff  a2 bf 93 55 34 17 75 40  ea a0 0e 6a
              ^~~~~~~~~~~~~~~~~~~~~~~
              invalid vptr
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/febbe/ClionProjects/xournalpp/src/model/Stroke.cpp:581:25 in 
/home/febbe/ClionProjects/xournalpp/src/model/Stroke.cpp:582:25: runtime error: member access within address 0x6210003bed00 which does not point to an object of type 'Point'
0x6210003bed00: note: object has invalid vptr
 19 00 80 27  be be be be be be be be  76 00 00 00 aa 00 aa ff  a2 bf 93 55 34 17 75 40  ea a0 0e 6a
              ^~~~~~~~~~~~~~~~~~~~~~~
              invalid vptr
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/febbe/ClionProjects/xournalpp/src/model/Stroke.cpp:582:25 in 
/home/febbe/ClionProjects/xournalpp/src/model/Stroke.cpp:584:25: runtime error: member access within address 0x6210003bed00 which does not point to an object of type 'Point'
0x6210003bed00: note: object has invalid vptr
 19 00 80 27  be be be be be be be be  76 00 00 00 aa 00 aa ff  a2 bf 93 55 34 17 75 40  ea a0 0e 6a
              ^~~~~~~~~~~~~~~~~~~~~~~
              invalid vptr
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/febbe/ClionProjects/xournalpp/src/model/Stroke.cpp:584:25 in 
/home/febbe/ClionProjects/xournalpp/src/model/Stroke.cpp:585:25: runtime error: member access within address 0x6210003bed00 which does not point to an object of type 'Point'
0x6210003bed00: note: object has invalid vptr
 19 00 80 27  be be be be be be be be  76 00 00 00 aa 00 aa ff  a2 bf 93 55 34 17 75 40  ea a0 0e 6a
              ^~~~~~~~~~~~~~~~~~~~~~~
              invalid vptr
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/febbe/ClionProjects/xournalpp/src/model/Stroke.cpp:585:25 in 
=================================================================
==23404==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400039af80 at pc 0x00000062be47 bp 0x7fffffffc5d0 sp 0x7fffffffbd70
READ of size 56 at 0x60400039af80 thread T0
    #0 0x62be46 in memcpy (/home/febbe/ClionProjects/xournalpp/cmake-build-sanitizers/src/xournalpp+0x62be46)
    #1 0x7ffff75e45d5 in g_memdup (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x685d5)
    #2 0x7ffff69a2b97 in gdk_event_copy (/usr/lib/x86_64-linux-gnu/libgdk-3.so.0+0x30b97)
    #3 0xb98fef in InputEvent::copy() /home/febbe/ClionProjects/xournalpp/src/gui/inputdevices/InputEvents.cpp:16:28
    #4 0xb9fba9 in PenInputHandler::updateLastEvent(InputEvent*) /home/febbe/ClionProjects/xournalpp/src/gui/inputdevices/PenInputHandler.cpp:42:27
    #5 0xba39ee in PenInputHandler::actionMotion(InputEvent*) /home/febbe/ClionProjects/xournalpp/src/gui/inputdevices/PenInputHandler.cpp:290:8
    #6 0xbada0e in StylusInputHandler::handleImpl(InputEvent*) /home/febbe/ClionProjects/xournalpp/src/gui/inputdevices/StylusInputHandler.cpp:70:9
    #7 0xb93073 in InputContext::handle(_GdkEvent*) /home/febbe/ClionProjects/xournalpp/src/gui/inputdevices/InputContext.cpp
    #8 0x7ffff6e60099  (/usr/lib/x86_64-linux-gnu/libgtk-3.so.0+0x213099)
    #9 0x7ffff55ea1d3  (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x101d3)
    #10 0x7ffff56044b7 in g_signal_emit_valist (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x2a4b7)
    #11 0x7ffff560508e in g_signal_emit (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x2b08e)
    #12 0x7ffff6f9db32  (/usr/lib/x86_64-linux-gnu/libgtk-3.so.0+0x350b32)
    #13 0x7ffff6e5d3bd  (/usr/lib/x86_64-linux-gnu/libgtk-3.so.0+0x2103bd)
    #14 0x7ffff6e5f1bb in gtk_main_do_event (/usr/lib/x86_64-linux-gnu/libgtk-3.so.0+0x2121bb)
    #15 0x7ffff69ccd91  (/usr/lib/x86_64-linux-gnu/libgdk-3.so.0+0x5ad91)
    #16 0x7ffff75c6196 in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4a196)
    #17 0x7ffff75c63ef  (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4a3ef)
    #18 0x7ffff75c6711 in g_main_loop_run (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4a711)
    #19 0x7ffff6e5e394 in gtk_main (/usr/lib/x86_64-linux-gnu/libgtk-3.so.0+0x211394)
    #20 0x7ed90a in XournalMain::run(int, char**) /home/febbe/ClionProjects/xournalpp/src/control/XournalMain.cpp:427:2
    #21 0x6f17d5 in main /home/febbe/ClionProjects/xournalpp/src/Xournalpp.cpp:42:21
    #22 0x7ffff2d7282f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291
    #23 0x611378 in _start (/home/febbe/ClionProjects/xournalpp/cmake-build-sanitizers/src/xournalpp+0x611378)

0x60400039af80 is located 0 bytes to the right of 48-byte region [0x60400039af50,0x60400039af80)
allocated by thread T0 here:
    #0 0x6bd313 in __interceptor_malloc (/home/febbe/ClionProjects/xournalpp/cmake-build-sanitizers/src/xournalpp+0x6bd313)
    #1 0x7ffff75cb7b8 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4f7b8)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/febbe/ClionProjects/xournalpp/cmake-build-sanitizers/src/xournalpp+0x62be46) in memcpy
Shadow bytes around the buggy address:
  0x0c088006b5a0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0c088006b5b0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0c088006b5c0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0c088006b5d0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0c088006b5e0: fa fa fd fd fd fd fd fd fa fa 00 00 00 00 00 00
=>0x0c088006b5f0:[fa]fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00
  0x0c088006b600: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c088006b610: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c088006b620: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c088006b630: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c088006b640: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==23404==ABORTING
[Thread 0x7fffe3733700 (LWP 23406) exited]
[Thread 0x7fffe3f34700 (LWP 23405) exited]
[Thread 0x7ffff7f0fa80 (LWP 23404) exited]
[Inferior 1 (process 23404) exited with code 01]
@Febbe Febbe added bug confirmed Bug has been reproduced by at least one other person Crash difficulty::hard Input priority::high labels Sep 28, 2019
@lehmanju
Collaborator

lehmanju commented Sep 28, 2019

Output on GNOME/Wayland with gtk 3.24.11 (also on 3.24.10)

Seems to be caused by two pointers which are available simultaneously and update the XournalWidget allocation.

ALSA lib pcm.c:2564:(snd_pcm_open_noupdate) Unknown PCM cards.pcm.rear
ALSA lib pcm.c:2564:(snd_pcm_open_noupdate) Unknown PCM cards.pcm.center_lfe
ALSA lib pcm.c:2564:(snd_pcm_open_noupdate) Unknown PCM cards.pcm.side
ALSA lib pcm_route.c:869:(find_matching_chmap) Found no matching channel map
ALSA lib pcm_route.c:869:(find_matching_chmap) Found no matching channel map
ALSA lib pcm_route.c:869:(find_matching_chmap) Found no matching channel map
ALSA lib pcm_route.c:869:(find_matching_chmap) Found no matching channel map
connect(2) call to /dev/shm/jack-1000/default/jack_0 failed (err=Datei oder Verzeichnis nicht gefunden)
attempt to connect to server failed
connect(2) call to /dev/shm/jack-1000/default/jack_0 failed (err=Datei oder Verzeichnis nicht gefunden)
attempt to connect to server failed
ALSA lib pcm_oss.c:377:(_snd_pcm_oss_open) Unknown field port
ALSA lib pcm_oss.c:377:(_snd_pcm_oss_open) Unknown field port
ALSA lib pcm_usb_stream.c:486:(_snd_pcm_usb_stream_open) Invalid type for card
ALSA lib pcm_usb_stream.c:486:(_snd_pcm_usb_stream_open) Invalid type for card
connect(2) call to /dev/shm/jack-1000/default/jack_0 failed (err=Datei oder Verzeichnis nicht gefunden)
attempt to connect to server failed

(xournalpp:77750): Gtk-CRITICAL **: 22:54:00.665: gtk_widget_queue_resize: assertion 'GTK_IS_WIDGET (widget)' failed

(xournalpp:77750): Gtk-WARNING **: 22:54:00.699: Theme parsing error: <data>:1:22: Junk at end of value for font-family
xkbcommon: ERROR: Key "<LFSH>" added to modifier map for multiple modifiers; Using Lock, ignoring Shift
/home/julius/xournalpp/src/model/Stroke.cpp:207:35: runtime error: member call on address 0x62100084bd00 which does not point to an object of type 'Point'
0x62100084bd00: note: object has invalid vptr
 6e 00 00 77  be be be be be be be be  be be be be be be be be  be be be be be be be be  be be be be
              ^~~~~~~~~~~~~~~~~~~~~~~
              invalid vptr
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/julius/xournalpp/src/model/Stroke.cpp:207:35 in 
/home/julius/xournalpp/src/model/Stroke.cpp:444:3: runtime error: member access within address 0x62100084bd00 which does not point to an object of type 'Point'
0x62100084bd00: note: object has invalid vptr
 6e 00 00 77  be be be be be be be be  76 00 00 00 aa 00 aa ff  ef 69 84 e5 36 c5 7b 40  59 ee 69 84
              ^~~~~~~~~~~~~~~~~~~~~~~
              invalid vptr
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/julius/xournalpp/src/model/Stroke.cpp:444:3 in 
/home/julius/xournalpp/src/model/Stroke.cpp:398:10: runtime error: member access within address 0x62100084d100 which does not point to an object of type 'Point'
0x62100084d100: note: object has invalid vptr
 67 00 80 33  be be be be be be be be  76 00 00 00 aa 00 aa ff  ef 69 84 e5 36 c5 7b 40  59 ee 69 84
              ^~~~~~~~~~~~~~~~~~~~~~~
              invalid vptr
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/julius/xournalpp/src/model/Stroke.cpp:398:10 in 
/home/julius/xournalpp/src/model/Stroke.cpp:574:21: runtime error: member access within address 0x62100084bd00 which does not point to an object of type 'Point'
0x62100084bd00: note: object has invalid vptr
 6e 00 00 77  be be be be be be be be  76 00 00 00 aa 00 aa ff  ef 69 84 e5 36 c5 7b 40  59 ee 69 84
              ^~~~~~~~~~~~~~~~~~~~~~~
              invalid vptr
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/julius/xournalpp/src/model/Stroke.cpp:574:21 in 
/home/julius/xournalpp/src/model/Stroke.cpp:579:32: runtime error: member access within address 0x62100084bd00 which does not point to an object of type 'Point'
0x62100084bd00: note: object has invalid vptr
 6e 00 00 77  be be be be be be be be  76 00 00 00 aa 00 aa ff  ef 69 84 e5 36 c5 7b 40  59 ee 69 84
              ^~~~~~~~~~~~~~~~~~~~~~~
              invalid vptr
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/julius/xournalpp/src/model/Stroke.cpp:579:32 in 
/home/julius/xournalpp/src/model/Stroke.cpp:581:25: runtime error: member access within address 0x62100084bd00 which does not point to an object of type 'Point'
0x62100084bd00: note: object has invalid vptr
 6e 00 00 77  be be be be be be be be  76 00 00 00 aa 00 aa ff  ef 69 84 e5 36 c5 7b 40  59 ee 69 84
              ^~~~~~~~~~~~~~~~~~~~~~~
              invalid vptr
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/julius/xournalpp/src/model/Stroke.cpp:581:25 in 
/home/julius/xournalpp/src/model/Stroke.cpp:582:25: runtime error: member access within address 0x62100084bd00 which does not point to an object of type 'Point'
0x62100084bd00: note: object has invalid vptr
 6e 00 00 77  be be be be be be be be  76 00 00 00 aa 00 aa ff  ef 69 84 e5 36 c5 7b 40  59 ee 69 84
              ^~~~~~~~~~~~~~~~~~~~~~~
              invalid vptr
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/julius/xournalpp/src/model/Stroke.cpp:582:25 in 
/home/julius/xournalpp/src/model/Stroke.cpp:584:25: runtime error: member access within address 0x62100084bd00 which does not point to an object of type 'Point'
0x62100084bd00: note: object has invalid vptr
 6e 00 00 77  be be be be be be be be  76 00 00 00 aa 00 aa ff  ef 69 84 e5 36 c5 7b 40  59 ee 69 84
              ^~~~~~~~~~~~~~~~~~~~~~~
              invalid vptr
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/julius/xournalpp/src/model/Stroke.cpp:584:25 in 
/home/julius/xournalpp/src/model/Stroke.cpp:585:25: runtime error: member access within address 0x62100084bd00 which does not point to an object of type 'Point'
0x62100084bd00: note: object has invalid vptr
 6e 00 00 77  be be be be be be be be  76 00 00 00 aa 00 aa ff  ef 69 84 e5 36 c5 7b 40  59 ee 69 84
              ^~~~~~~~~~~~~~~~~~~~~~~
              invalid vptr
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/julius/xournalpp/src/model/Stroke.cpp:585:25 in 

(xournalpp:77750): Gtk-CRITICAL **: 22:54:06.990: _gtk_style_animation_is_finished: assertion 'GTK_IS_STYLE_ANIMATION (animation)' failed

(xournalpp:77750): GLib-GObject-CRITICAL **: 22:54:06.990: g_object_unref: assertion 'G_IS_OBJECT (object)' failed
/home/julius/xournalpp/src/model/Stroke.cpp:434:3: runtime error: member access within address 0x62100074f500 which does not point to an object of type 'Point'
0x62100074f500: note: object has invalid vptr
 fc 00 80 35  be be be be be be be be  76 00 00 00 aa 00 aa ff  2c f7 34 c2 9e 87 77 40  7c 1a 61 b9
              ^~~~~~~~~~~~~~~~~~~~~~~
              invalid vptr
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/julius/xournalpp/src/model/Stroke.cpp:434:3 in 

** (xournalpp:77750): WARNING **: 22:55:18.028: [Crash Handler] Crashed with signal 11

** (xournalpp:77750): WARNING **: 22:55:18.097: [Crash Handler] Wrote crash log to: /home/julius/.xournalpp/errorlogs/errorlog.20190928-225518.log

** (xournalpp:77750): WARNING **: 22:55:18.386: Trying to emergency save the current open document…

** (xournalpp:77750): WARNING **: 22:55:18.390: Successfully saved document to "/home/julius/.xournalpp//emergencysave.xopp"
=================================================================
==77750==ERROR: AddressSanitizer: alloc-dealloc-mismatch (operator new [] vs operator delete) on 0x614000307c40
    #0 0x560176f59a50 in operator delete(void*) (/home/julius/xournalpp/cmake-build-debug/src/xournalpp+0x93da50)
    #1 0x5601773444e6 in DoubleArrayAttribute::~DoubleArrayAttribute() /home/julius/xournalpp/src/control/xml/DoubleArrayAttribute.cpp:16:2
    #2 0x560177344b9e in DoubleArrayAttribute::~DoubleArrayAttribute() /home/julius/xournalpp/src/control/xml/DoubleArrayAttribute.cpp:13:1
    #3 0x5601773518d8 in XmlNode::~XmlNode() /home/julius/xournalpp/src/control/xml/XmlNode.cpp:36:3
    #4 0x56017734c95d in XmlAudioNode::~XmlAudioNode() /home/julius/xournalpp/src/control/xml/XmlAudioNode.cpp:15:1
    #5 0x56017735925d in XmlPointNode::~XmlPointNode() /home/julius/xournalpp/src/control/xml/XmlPointNode.cpp:24:1
    #6 0x5601773592de in XmlPointNode::~XmlPointNode() /home/julius/xournalpp/src/control/xml/XmlPointNode.cpp:12:1
    #7 0x5601773513b9 in XmlNode::~XmlNode() /home/julius/xournalpp/src/control/xml/XmlNode.cpp:28:3
    #8 0x56017735227e in XmlNode::~XmlNode() /home/julius/xournalpp/src/control/xml/XmlNode.cpp:22:1
    #9 0x5601773513b9 in XmlNode::~XmlNode() /home/julius/xournalpp/src/control/xml/XmlNode.cpp:28:3
    #10 0x56017735227e in XmlNode::~XmlNode() /home/julius/xournalpp/src/control/xml/XmlNode.cpp:22:1
    #11 0x5601773513b9 in XmlNode::~XmlNode() /home/julius/xournalpp/src/control/xml/XmlNode.cpp:28:3
    #12 0x56017735227e in XmlNode::~XmlNode() /home/julius/xournalpp/src/control/xml/XmlNode.cpp:22:1
    #13 0x56017748aaba in SaveHandler::~SaveHandler() /home/julius/xournalpp/src/control/xojfile/SaveHandler.cpp:36:2
    #14 0x560177ad87c3 in emergencySave() /home/julius/xournalpp/src/util/CrashHandler.cpp:53:1
    #15 0x560177ad7a11 in crashHandler(int) /home/julius/xournalpp/src/util/CrashHandlerUnix.h:107:2
    #16 0x7f6f229ae7df  (/usr/lib/libc.so.6+0x3a7df)
    #17 0x7f6f22ad61ae in __memset_avx2_unaligned_erms (/usr/lib/libc.so.6+0x1621ae)
    #18 0x560176e84a47 in __interceptor_memset.part.0 (/home/julius/xournalpp/cmake-build-debug/src/xournalpp+0x868a47)
    #19 0x7f6f2421aad0 in g_slice_alloc0 (/usr/lib/libglib-2.0.so.0+0x4bad0)
    #20 0x7f6f23de29bb in gtk_widget_path_new /home/julius/gtk-main/build/../gtk/gtkwidgetpath.c:120:10
    #21 0x7f6f23b3e730 in gtk_box_get_path_for_child /home/julius/gtk-main/build/../gtk/gtkbox.c:1425:22
    #22 0x7f6f23b91ac5 in gtk_container_get_path_for_child /home/julius/gtk-main/build/../gtk/gtkcontainer.c:3884:10
    #23 0x7f6f23b3e71a in gtk_box_get_path_for_child /home/julius/gtk-main/build/../gtk/gtkbox.c:1419:10
    #24 0x7f6f23b91ac5 in gtk_container_get_path_for_child /home/julius/gtk-main/build/../gtk/gtkcontainer.c:3884:10
    #25 0x7f6f23b8ae14 in gtk_container_real_get_path_for_child /home/julius/gtk-main/build/../gtk/gtkcontainer.c:2761:10
    #26 0x7f6f23b91ac5 in gtk_container_get_path_for_child /home/julius/gtk-main/build/../gtk/gtkcontainer.c:3884:10
    #27 0x7f6f23b3e71a in gtk_box_get_path_for_child /home/julius/gtk-main/build/../gtk/gtkbox.c:1419:10
    #28 0x7f6f23b91ac5 in gtk_container_get_path_for_child /home/julius/gtk-main/build/../gtk/gtkcontainer.c:3884:10
    #29 0x7f6f23b8ae14 in gtk_container_real_get_path_for_child /home/julius/gtk-main/build/../gtk/gtkcontainer.c:2761:10
    #30 0x7f6f23b91ac5 in gtk_container_get_path_for_child /home/julius/gtk-main/build/../gtk/gtkcontainer.c:3884:10
    #31 0x7f6f23bc6b14 in gtk_css_widget_node_create_widget_path /home/julius/gtk-main/build/../gtk/gtkcsswidgetnode.c:208:12
    #32 0x7f6f23d2c7eb in _gtk_style_context_peek_style_property /home/julius/gtk-main/build/../gtk/gtkstylecontext.c:1661:10
    #33 0x7f6f23ddecb5 in gtk_widget_style_get_valist /home/julius/gtk-main/build/../gtk/gtkwidget.c:13312:20
    #34 0x7f6f23ddf029 in gtk_widget_style_get /home/julius/gtk-main/build/../gtk/gtkwidget.c:13350:3
    #35 0x7f6f23cfd3e9 in gtk_scrollbar_update_style /home/julius/gtk-main/build/../gtk/gtkscrollbar.c:160:3
    #36 0x7f6f23cfd74b in gtk_scrollbar_style_updated /home/julius/gtk-main/build/../gtk/gtkscrollbar.c:182:3
    #37 0x7f6f234b2b49 in g_signal_emit_valist (/usr/lib/libgobject-2.0.so.0+0x23b49)
    #38 0x7f6f234b37ef in g_signal_emit (/usr/lib/libgobject-2.0.so.0+0x247ef)
    #39 0x7f6f234b2b49 in g_signal_emit_valist (/usr/lib/libgobject-2.0.so.0+0x23b49)
    #40 0x7f6f234b37ef in g_signal_emit (/usr/lib/libgobject-2.0.so.0+0x247ef)
    #41 0x7f6f23d2d684 in gtk_style_context_validate /home/julius/gtk-main/build/../gtk/gtkstylecontext.c:2424:3
    #42 0x7f6f23bc6d20 in gtk_css_widget_node_validate /home/julius/gtk-main/build/../gtk/gtkcsswidgetnode.c:133:9
    #43 0x7f6f23baae9f in gtk_css_node_validate_internal /home/julius/gtk-main/build/../gtk/gtkcssnode.c:1391:3
    #44 0x7f6f23baae9f in gtk_css_node_validate_internal /home/julius/gtk-main/build/../gtk/gtkcssnode.c:1376:1
    #45 0x7f6f23baaeca in gtk_css_node_validate_internal /home/julius/gtk-main/build/../gtk/gtkcssnode.c:1398:9
    #46 0x7f6f23baaeca in gtk_css_node_validate_internal /home/julius/gtk-main/build/../gtk/gtkcssnode.c:1376:1
    #47 0x7f6f23baaeca in gtk_css_node_validate_internal /home/julius/gtk-main/build/../gtk/gtkcssnode.c:1398:9
    #48 0x7f6f23baaeca in gtk_css_node_validate_internal /home/julius/gtk-main/build/../gtk/gtkcssnode.c:1376:1
    #49 0x7f6f23baaeca in gtk_css_node_validate_internal /home/julius/gtk-main/build/../gtk/gtkcssnode.c:1398:9
    #50 0x7f6f23baaeca in gtk_css_node_validate_internal /home/julius/gtk-main/build/../gtk/gtkcssnode.c:1376:1
    #51 0x7f6f23baaeca in gtk_css_node_validate_internal /home/julius/gtk-main/build/../gtk/gtkcssnode.c:1398:9
    #52 0x7f6f23baaeca in gtk_css_node_validate_internal /home/julius/gtk-main/build/../gtk/gtkcssnode.c:1376:1
    #53 0x7f6f23baaeca in gtk_css_node_validate_internal /home/julius/gtk-main/build/../gtk/gtkcssnode.c:1398:9
    #54 0x7f6f23baaeca in gtk_css_node_validate_internal /home/julius/gtk-main/build/../gtk/gtkcssnode.c:1376:1
    #55 0x7f6f23baaeca in gtk_css_node_validate_internal /home/julius/gtk-main/build/../gtk/gtkcssnode.c:1398:9
    #56 0x7f6f23baaeca in gtk_css_node_validate_internal /home/julius/gtk-main/build/../gtk/gtkcssnode.c:1376:1
    #57 0x7f6f23baaeca in gtk_css_node_validate_internal /home/julius/gtk-main/build/../gtk/gtkcssnode.c:1398:9
    #58 0x7f6f23baaeca in gtk_css_node_validate_internal /home/julius/gtk-main/build/../gtk/gtkcssnode.c:1376:1
    #59 0x7f6f23b8fb00 in gtk_container_idle_sizer /home/julius/gtk-main/build/../gtk/gtkcontainer.c:2054:7
    #60 0x7f6f234b2b49 in g_signal_emit_valist (/usr/lib/libgobject-2.0.so.0+0x23b49)
    #61 0x7f6f234b37ef in g_signal_emit (/usr/lib/libgobject-2.0.so.0+0x247ef)
    #62 0x7f6f239b5f3e in gdk_frame_clock_paint_idle /home/julius/gtk-main/build/../gdk/gdkframeclockidle.c:428:19
    #63 0x7f6f239a1ba8 in gdk_threads_dispatch /home/julius/gtk-main/build/../gdk/gdk.c:777:11
    #64 0x7f6f24238a73  (/usr/lib/libglib-2.0.so.0+0x69a73)
    #65 0x7f6f2423927e in g_main_context_dispatch (/usr/lib/libglib-2.0.so.0+0x6a27e)
    #66 0x7f6f2423b1c0  (/usr/lib/libglib-2.0.so.0+0x6c1c0)
    #67 0x7f6f2423c0d2 in g_main_loop_run (/usr/lib/libglib-2.0.so.0+0x6d0d2)
    #68 0x7f6f23c729e4 in gtk_main /home/julius/gtk-main/build/../gtk/gtkmain.c:1323:7
    #69 0x5601770f2253 in XournalMain::run(int, char**) /home/julius/xournalpp/src/control/XournalMain.cpp:427:2
    #70 0x560176f5c2d3 in main /home/julius/xournalpp/src/Xournalpp.cpp:32:21
    #71 0x7f6f2299aee2 in __libc_start_main (/usr/lib/libc.so.6+0x26ee2)
    #72 0x560176e3d5fd in _start (/home/julius/xournalpp/cmake-build-debug/src/xournalpp+0x8215fd)

0x614000307c40 is located 0 bytes inside of 448-byte region [0x614000307c40,0x614000307e00)
allocated by thread T0 here:
    #0 0x560176f58db0 in operator new[](unsigned long) (/home/julius/xournalpp/cmake-build-debug/src/xournalpp+0x93cdb0)
    #1 0x56017748fe19 in SaveHandler::visitStroke(XmlPointNode*, Stroke*) /home/julius/xournalpp/src/control/xojfile/SaveHandler.cpp:158:20
    #2 0x560177492585 in SaveHandler::visitLayer(XmlNode*, Layer*) /home/julius/xournalpp/src/control/xojfile/SaveHandler.cpp:206:4
    #3 0x56017749b902 in SaveHandler::visitPage(XmlNode*, PageRef, Document*, int) /home/julius/xournalpp/src/control/xojfile/SaveHandler.cpp:351:3
    #4 0x56017748d30c in SaveHandler::prepareSave(Document*) /home/julius/xournalpp/src/control/xojfile/SaveHandler.cpp:90:3
    #5 0x560177ad7ff3 in emergencySave() /home/julius/xournalpp/src/util/CrashHandler.cpp:42:10
    #6 0x560177ad7a11 in crashHandler(int) /home/julius/xournalpp/src/util/CrashHandlerUnix.h:107:2
    #7 0x7f6f229ae7df  (/usr/lib/libc.so.6+0x3a7df)
    #8 0x7f6f2421aad0 in g_slice_alloc0 (/usr/lib/libglib-2.0.so.0+0x4bad0)

SUMMARY: AddressSanitizer: alloc-dealloc-mismatch (/home/julius/xournalpp/cmake-build-debug/src/xournalpp+0x93da50) in operator delete(void*)
==77750==HINT: if you don't care about these errors you may set ASAN_OPTIONS=alloc_dealloc_mismatch=0
==77750==ABORTING

@Technius
Member

Also occurs when using a stylus and a mouse simultaneously.

@Technius Technius changed the title Undefined behaviour and heap-buffer-overflow Using two input devices simultaneously causes undefined behavior Sep 29, 2019
@Technius
Member

Technius commented Sep 29, 2019

The heap overflow occurs here: https://gitlab.gnome.org/GNOME/gtk/blob/gtk-3-24/gdk/gdkevents.c#L720; it appears that switching between devices with different numbers of axes causes the error (e.g. mouse has 4, pressure-sensitive stylus has 6).

Edit: Possible cause may be because a grab is released and acquired: https://developer.gnome.org/gdk3/stable/gdk3-Events.html#gdk-event-get-source-device

[...] if the event wasn’t caused by interaction with a hardware device. This may happen for example in synthesized crossing events after a GdkWindow updates its geometry or a grab is acquired/released.

Edit 2: Indeed. Moving the stylus and then moving the mouse does not cause an error, but moving the mouse and then moving the stylus causes the heap overflow.

Edit 3: To be clear, I'm not suggesting that this is a GTK bug; this seems more like a GTK "gotcha" that we need to be careful about.

Edit 4: You can see how the change in axes count causes the crash by inserting the following line into the top of InputEvent::copy:

// Log the axis count of the device attached to each motion event being copied
if (this->sourceEvent->any.type == GDK_MOTION_NOTIFY) {
    g_message("%i", gdk_device_get_n_axes(this->sourceEvent->motion.device));
}

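The pattern described in the comment above, modelled as an added example (not xournalpp or GTK code): an event's axes buffer is allocated for the device that produced it, but a copy routine sizes its read from the axis count of whatever device the event is currently attributed to. The `Device` and `MotionEvent` types, the 4-axis mouse and 6-axis stylus values, and all function names are constructed stand-ins for the GDK structures; the buggy path reports the over-read in bytes instead of performing it, and the hardened copy and consistency check show the defensive alternative of trusting only the stored allocation length.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for GdkDevice / GdkEventMotion (not GTK's real types). */
typedef struct {
    const char *name;
    int n_axes;          /* what gdk_device_get_n_axes() would report */
} Device;

typedef struct {
    Device *device;      /* device the event is currently attributed to */
    double *axes;        /* heap buffer sized when the event was created */
    size_t  axes_len;    /* number of doubles actually allocated in `axes` */
} MotionEvent;

/* Allocate an event whose axes buffer is sized for the device that produced it. */
MotionEvent *motion_event_new(Device *dev) {
    MotionEvent *ev = calloc(1, sizeof *ev);
    if (!ev) return NULL;
    ev->device = dev;
    ev->axes_len = (size_t)dev->n_axes;
    ev->axes = calloc(ev->axes_len, sizeof(double));
    if (!ev->axes) { free(ev); return NULL; }
    for (size_t i = 0; i < ev->axes_len; i++) ev->axes[i] = (double)i; /* constructed sample values */
    return ev;
}

void motion_event_free(MotionEvent *ev) {
    if (!ev) return;
    free(ev->axes);
    free(ev);
}

/* Buggy pattern: size the copy from the device's *current* axis count.
 * Returns how many bytes past the allocation such a memdup would read
 * (0 when the device still matches the buffer); the over-read itself is
 * not performed so the program stays well-defined. */
size_t axes_copy_overread_bytes(const MotionEvent *ev) {
    size_t want = (size_t)ev->device->n_axes * sizeof(double);
    size_t have = ev->axes_len * sizeof(double);
    return want > have ? want - have : 0;
}

/* Defensive check: copying by device axis count is only safe while the
 * device's axis count still matches what was allocated for the event. */
int motion_event_axes_consistent(const MotionEvent *ev) {
    return ev->device != NULL && (size_t)ev->device->n_axes == ev->axes_len;
}

/* Hardened copy: size the copy from the stored allocation length, never from the device. */
MotionEvent *motion_event_copy_safe(const MotionEvent *src) {
    MotionEvent *dst = calloc(1, sizeof *dst);
    if (!dst) return NULL;
    dst->device = src->device;
    dst->axes_len = src->axes_len;
    dst->axes = malloc(src->axes_len * sizeof(double));
    if (!dst->axes) { free(dst); return NULL; }
    memcpy(dst->axes, src->axes, src->axes_len * sizeof(double)); /* bounded by the real size */
    return dst;
}

/* Scenario from the issue: an event created for a 4-axis mouse that ends up
 * attributed to a 6-axis stylus. Returns the over-read the buggy copy would do. */
size_t simulate_device_switch(void) {
    Device mouse  = { "mouse",  4 };   /* constructed */
    Device stylus = { "stylus", 6 };   /* constructed */
    MotionEvent *ev = motion_event_new(&mouse);
    if (!ev) return 0;
    ev->device = &stylus;              /* the source device changes under the event */
    size_t over = axes_copy_overread_bytes(ev);
    motion_event_free(ev);
    return over;
}

/* Same scenario through the consistency check and the hardened copy:
 * returns the number of axes the safe copy carries (the allocated 4, not 6),
 * or 0 if the check unexpectedly reports the mismatched event as consistent. */
size_t simulate_safe_copy_len(void) {
    Device mouse  = { "mouse",  4 };
    Device stylus = { "stylus", 6 };
    MotionEvent *ev = motion_event_new(&mouse);
    if (!ev) return 0;
    ev->device = &stylus;
    if (motion_event_axes_consistent(ev)) { motion_event_free(ev); return 0; }
    MotionEvent *c = motion_event_copy_safe(ev);
    size_t n = c ? c->axes_len : 0;
    motion_event_free(c);
    motion_event_free(ev);
    return n;
}

int main(void) {
    printf("buggy copy would over-read %zu bytes\n", simulate_device_switch());
    printf("safe copy carries %zu axes\n", simulate_safe_copy_len());
    return 0;
}
```

The over-read of 16 bytes (two extra doubles) is the same shape as the ASan report above: a read sized by one source, a buffer sized by another. Storing the length next to the buffer, or refusing to copy when the device's axis count no longer matches it, removes the mismatch regardless of which device GDK attaches to the event.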
@Technius Technius changed the title Using two input devices simultaneously causes undefined behavior Using two input devices simultaneously causes heap overflow + undefined behavior Sep 29, 2019
@lehmanju
Collaborator

lehmanju commented Oct 3, 2019

The crash that occurs when drawing the second stroke with a pen looks like it's related to ZoomControl::onWidgetSizeChangedEvent again which we already tried to fix but results in more complications. Without a rewrite here (and especially without removal of the old system) this is pretty much hopeless in my eyes.

EDIT: Crash only appears if pen is lifted between strokes (pointer is switched)

EDIT 2: Might not be related to zoom at all but to overall repainting. Stack is always stuck at some css style stuff. (gtk_css_node_validate)
