After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.
Bug 378078 - extremely unlikely read-after-free in instance_real_class_get
extremely unlikely read-after-free in instance_real_class_get
Status: RESOLVED FIXED
Product: glib
Classification: Platform
Component: gobject
2.12.x
Other Linux
: Normal normal
: ---
Assigned To: gtkdev
gtkdev
Depends on:
Blocks:
 
 
Reported: 2006-11-22 11:10 UTC by Jonathan Matthew
Modified: 2006-12-16 04:34 UTC
See Also:
GNOME target: ---
GNOME version: ---

Attachments
test program (3.67 KB, text/plain)
2006-11-29 10:46 UTC, Jonathan Matthew 		  Details
patch (794 bytes, patch)
2006-11-29 10:49 UTC, Jonathan Matthew 		none Details | Review

Description Jonathan Matthew 2006-11-22 11:10:58 UTC 
gtype.c:instance_real_class_get accesses the InstanceRealClass pointer returned by g_bsearch_array_lookup after dropping the instance_real_class lock.  Between unlocking and dereferencing the pointer, another thread could cause the array to be reallocated, invalidating the pointer.  I believe I have actually seen valgrind complain about this.
Comment 1 Jonathan Matthew 2006-11-29 10:46:15 UTC 
Created attachment 77333 [details]
test program

Compile with gcc `pkg-config --cflags --libs gobject-2.0 gthread-2.0` test-object.c -o test-object

It's obviously a contrived hack, but when run under valgrind, it usually results in something like this:

==425== Invalid read of size 4
==425==    at 0x40593DF: g_type_instance_get_private (gtype.c:1518)
==425==    by 0x8048C0E: test_base_object_init (test-object.c:71)
==425==    by 0x405ECBB: g_type_create_instance (gtype.c:1559)
==425==    by 0x4045BC1: g_object_constructor (gobject.c:1041)
==425==    by 0x4043E37: g_object_newv (gobject.c:937)
==425==    by 0x40449B6: g_object_new_valist (gobject.c:981)
==425==    by 0x4044B6F: g_object_new (gobject.c:795)
==425==    by 0x8048C84: test_base_object_init (test-object.c:76)
==425==    by 0x405ECBB: g_type_create_instance (gtype.c:1559)
==425==    by 0x4045BC1: g_object_constructor (gobject.c:1041)
==425==    by 0x4043E37: g_object_newv (gobject.c:937)
==425==    by 0x40449B6: g_object_new_valist (gobject.c:981)
==425==  Address 0x5478034 is 2,036 bytes inside a block of size 3,656 free'd
==425==    at 0x401C487: realloc (vg_replace_malloc.c:306)
==425==    by 0x40A6B8A: g_realloc (gmem.c:168)
==425==    by 0x405EF9C: g_type_create_instance (gbsearcharray.h:216)
==425==    by 0x4045BC1: g_object_constructor (gobject.c:1041)
==425==    by 0x4043E37: g_object_newv (gobject.c:937)
==425==    by 0x40449B6: g_object_new_valist (gobject.c:981)
==425==    by 0x4044B6F: g_object_new (gobject.c:795)
==425==    by 0x8048C84: test_base_object_init (test-object.c:76)
==425==    by 0x405ECBB: g_type_create_instance (gtype.c:1559)
==425==    by 0x4045BC1: g_object_constructor (gobject.c:1041)
==425==    by 0x4043E37: g_object_newv (gobject.c:937)
==425==    by 0x40449B6: g_object_new_valist (gobject.c:981)

I haven't been able to come up with a test program that actually crashes with an unmodified glib, but if you set the auto shrink flag on the gbsearcharray in gtype.c it should crash a bit.

It runs multiple threads with no blocking operations, so it tends to make your desktop fairly useless for the duration.
Comment 2 Jonathan Matthew 2006-11-29 10:49:51 UTC 
Created attachment 77334 [details] [review]
patch

This fixes the error for me.
Comment 3 Jonathan Matthew 2006-11-29 10:53:29 UTC 
I'm pretty sure now that this is actually the cause of bug 343443, a crasher in rhythmbox with 20+ duplicates.
Comment 4 Hans Petter Jansson 2006-12-07 07:41:25 UTC 
I'm hitting this in one of my Flow unit tests.
Comment 5 Matthias Clasen 2006-12-16 04:34:14 UTC 
Fri Dec 15 2006  Matthias Clasen  <mclasen@redhat.com>

        * gtype.c (instance_real_class_get): Dereference the pointer
        before dropping the lock.  (#378078, Jonathan Matthew)