Bug 636263 - valgrind fixes
Status: RESOLVED FIXED
Product: gjs
Classification: Bindings
Component: general
Version: unspecified
Hardware: Other
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assigned To: gjs-maint
Depends on:
Blocks:
Reported: 2010-12-01 23:14 UTC by Colin Walters
Modified: 2010-12-01 23:39 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
function: Don't read freed memory if a callback is freed during invocation (2.09 KB, patch) - 2010-12-01 23:20 UTC, Colin Walters - committed
function: Don't unref info before we're done using it (1.40 KB, patch) - 2010-12-01 23:24 UTC, Colin Walters - committed

Description Colin Walters 2010-12-01 23:14:57 UTC
==11331== Invalid read of size 4
==11331==    at 0xC05608D: gjs_invoke_c_function (function.c:664)
==11331==    by 0x3407874822: js_Invoke (in /usr/lib64/xulrunner-1.9.2/libmozjs.so)
==11331==    by 0x3407866CF2: ??? (in /usr/lib64/xulrunner-1.9.2/libmozjs.so)
==11331==    by 0x34078756B1: ??? (in /usr/lib64/xulrunner-1.9.2/libmozjs.so)
==11331==    by 0x3407820738: JS_EvaluateUCScriptForPrincipals (in /usr/lib64/xulrunner-1.9.2/libmozjs.so)
==11331==    by 0x34078207F1: JS_EvaluateUCScript (in /usr/lib64/xulrunner-1.9.2/libmozjs.so)
==11331==    by 0x3407820867: JS_EvaluateScript (in /usr/lib64/xulrunner-1.9.2/libmozjs.so)
==11331==    by 0x4C1522D: gjs_context_eval (context.c:793)
==11331==    by 0x4C154C9: gjs_context_eval_file (context.c:874)
==11331==    by 0x40135B: test (gjs-unit.c:88)
==11331==    by 0x54E48B2: g_test_run_suite_internal (gtestutils.c:1174)
==11331==    by 0x54E4A25: g_test_run_suite_internal (gtestutils.c:1233)
==11331==  Address 0xd8c7ac0 is 64 bytes inside a block of size 72 free'd
==11331==    at 0x4A05187: free (vg_replace_malloc.c:325)
==11331==    by 0x54C5872: g_free (gmem.c:263)
==11331==    by 0x54DC510: g_slice_free1 (gslice.c:907)
==11331==    by 0x34074057C8: ffi_closure_unix64_inner (in /usr/lib64/libffi.so.5.0.10)
==11331==    by 0x3407405FC3: ffi_closure_unix64 (in /usr/lib64/libffi.so.5.0.10)
==11331==    by 0x3407405E5B: ffi_call_unix64 (in /usr/lib64/libffi.so.5.0.10)
==11331==    by 0x3407405BE3: ffi_call (in /usr/lib64/libffi.so.5.0.10)
==11331==    by 0xC0565D4: gjs_invoke_c_function (function.c:621)
==11331==    by 0x3407874822: js_Invoke (in /usr/lib64/xulrunner-1.9.2/libmozjs.so)
==11331==    by 0x3407866CF2: ??? (in /usr/lib64/xulrunner-1.9.2/libmozjs.so)
==11331==    by 0x34078756B1: ??? (in /usr/lib64/xulrunner-1.9.2/libmozjs.so)
==11331==    by 0x3407820738: JS_EvaluateUCScriptForPrincipals (in /usr/lib64/xulrunner-1.9.2/libmozjs.so)
==11331== 
==11331== Invalid read of size 8
==11331==    at 0xC272E50: g_struct_info_get_size (gistructinfo.c:192)
==11331==    by 0xC0568D6: gjs_invoke_c_function (function.c:521)
==11331==    by 0x3407874822: js_Invoke (in /usr/lib64/xulrunner-1.9.2/libmozjs.so)
==11331==    by 0x3407866CF2: ??? (in /usr/lib64/xulrunner-1.9.2/libmozjs.so)
==11331==    by 0x34078756B1: ??? (in /usr/lib64/xulrunner-1.9.2/libmozjs.so)
==11331==    by 0x3407820738: JS_EvaluateUCScriptForPrincipals (in /usr/lib64/xulrunner-1.9.2/libmozjs.so)
==11331==    by 0x34078207F1: JS_EvaluateUCScript (in /usr/lib64/xulrunner-1.9.2/libmozjs.so)
==11331==    by 0x3407820867: JS_EvaluateScript (in /usr/lib64/xulrunner-1.9.2/libmozjs.so)
==11331==    by 0x4C1522D: gjs_context_eval (context.c:793)
==11331==    by 0x4C154C9: gjs_context_eval_file (context.c:874)
==11331==    by 0x40135B: test (gjs-unit.c:88)
==11331==    by 0x54E48B2: g_test_run_suite_internal (gtestutils.c:1174)
==11331==  Address 0x585ca38 is 24 bytes inside a block of size 72 free'd
==11331==    at 0x4A05187: free (vg_replace_malloc.c:325)
==11331==    by 0x54C5872: g_free (gmem.c:263)
==11331==    by 0x54DC510: g_slice_free1 (gslice.c:907)
==11331==    by 0xC055ECE: gjs_invoke_c_function (function.c:518)
==11331==    by 0x3407874822: js_Invoke (in /usr/lib64/xulrunner-1.9.2/libmozjs.so)
==11331==    by 0x3407866CF2: ??? (in /usr/lib64/xulrunner-1.9.2/libmozjs.so)
==11331==    by 0x34078756B1: ??? (in /usr/lib64/xulrunner-1.9.2/libmozjs.so)
==11331==    by 0x3407820738: JS_EvaluateUCScriptForPrincipals (in /usr/lib64/xulrunner-1.9.2/libmozjs.so)
==11331==    by 0x34078207F1: JS_EvaluateUCScript (in /usr/lib64/xulrunner-1.9.2/libmozjs.so)
==11331==    by 0x3407820867: JS_EvaluateScript (in /usr/lib64/xulrunner-1.9.2/libmozjs.so)
==11331==    by 0x4C1522D: gjs_context_eval (context.c:793)
==11331==    by 0x4C154C9: gjs_context_eval_file (context.c:874)
Comment 1 Colin Walters 2010-12-01 23:20:14 UTC
Created attachment 175683 [details] [review]
function: Don't read freed memory if a callback is freed during invocation

==11331== Invalid read of size 4
==11331==    at 0xC05608D: gjs_invoke_c_function (function.c:664)

This happens when a function calls the GDestroyNotify for SCOPE_ASYNC
callback while the function is being called.  We'd try to check
for callback->scope == SCOPE_CALL, but callback is already free()d.

Save the scope value so we don't try to read freed memory.
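The ordering bug described in comment 1, modelled as an added example (this is hypothetical stand-in code, not gjs's function.c): a one-shot SCOPE_ASYNC callback frees its own trampoline while the C function it was passed to is still running, so any read of the trampoline after that call touches freed memory. The names trampoline, closure_invoke and c_api_taking_callback are assumptions made for the illustration.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the gjs callback trampoline (not gjs code). */
enum scope { SCOPE_CALL = 1, SCOPE_ASYNC = 2 };
struct trampoline { enum scope scope; };

static struct trampoline *trampoline_new(enum scope s)
{
    struct trampoline *t = malloc(sizeof *t);
    t->scope = s;
    return t;
}

static void trampoline_free(struct trampoline *t)
{
    memset(t, 0xAB, sizeof *t);   /* poison: a stale read is visibly wrong */
    free(t);
}

/* Closure body: a SCOPE_ASYNC trampoline is one-shot and frees itself after
 * its first invocation, i.e. the GDestroyNotify runs during the C call. */
static void closure_invoke(struct trampoline *t)
{
    if (t->scope == SCOPE_ASYNC)
        trampoline_free(t);
}

/* A C API that may invoke its callback synchronously, before returning. */
static void c_api_taking_callback(struct trampoline *cb) { closure_invoke(cb); }

/* Before: reads t->scope after the call. For SCOPE_ASYNC that is a read of
 * freed memory, the kind valgrind reports as "Invalid read"; not run here. */
int invoke_buggy(struct trampoline *t)
{
    c_api_taking_callback(t);
    if (t->scope == SCOPE_CALL) { trampoline_free(t); return 1; }
    return 0;
}

/* After: save the scope while t is certainly alive and consult only the
 * saved copy afterwards. Returns 1 if the caller released a call-scoped
 * trampoline, 0 if the callback owned its own lifetime. */
int invoke_fixed(struct trampoline *t)
{
    enum scope saved_scope = t->scope;
    c_api_taking_callback(t);
    if (saved_scope == SCOPE_CALL) { trampoline_free(t); return 1; }
    return 0;
}
```

Building with -fsanitize=address or running under valgrind makes the difference visible: invoke_buggy on a SCOPE_ASYNC trampoline is flagged, invoke_fixed is clean for both scopes.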
Comment 2 Colin Walters 2010-12-01 23:22:50 UTC
==15071== Invalid read of size 8
==15071==    at 0xC872E50: g_struct_info_get_size (gistructinfo.c:192)
==15071==    by 0xC6568E4: gjs_invoke_c_function (function.c:524)
==15071==    by 0x3407874822: js_Invoke (in /usr/lib64/xulrunner-1.9.2/libmozjs.so)
==15071==    by 0x3407866CF2: ??? (in /usr/lib64/xulrunner-1.9.2/libmozjs.so)
==15071==    by 0x34078756B1: ??? (in /usr/lib64/xulrunner-1.9.2/libmozjs.so)
==15071==    by 0x3407820738: JS_EvaluateUCScriptForPrincipals (in /usr/lib64/xulrunner-1.9.2/libmozjs.so)
==15071==    by 0x34078207F1: JS_EvaluateUCScript (in /usr/lib64/xulrunner-1.9.2/libmozjs.so)
==15071==    by 0x3407820867: JS_EvaluateScript (in /usr/lib64/xulrunner-1.9.2/libmozjs.so)
==15071==    by 0x4C1522D: gjs_context_eval (context.c:793)
==15071==    by 0x4C154C9: gjs_context_eval_file (context.c:874)
==15071==    by 0x40135B: test (gjs-unit.c:88)
==15071==    by 0x54E48B2: g_test_run_suite_internal (gtestutils.c:1174)
==15071==  Address 0x585ca38 is 24 bytes inside a block of size 72 free'd
==15071==    at 0x4A05187: free (vg_replace_malloc.c:325)
==15071==    by 0x54C5872: g_free (gmem.c:263)
==15071==    by 0x54DC510: g_slice_free1 (gslice.c:907)
==15071==    by 0xC65620B: gjs_invoke_c_function (function.c:521)
==15071==    by 0x3407874822: js_Invoke (in /usr/lib64/xulrunner-1.9.2/libmozjs.so)
==15071==    by 0x3407866CF2: ??? (in /usr/lib64/xulrunner-1.9.2/libmozjs.so)
==15071==    by 0x34078756B1: ??? (in /usr/lib64/xulrunner-1.9.2/libmozjs.so)
==15071==    by 0x3407820738: JS_EvaluateUCScriptForPrincipals (in /usr/lib64/xulrunner-1.9.2/libmozjs.so)
==15071==    by 0x34078207F1: JS_EvaluateUCScript (in /usr/lib64/xulrunner-1.9.2/libmozjs.so)
==15071==    by 0x3407820867: JS_EvaluateScript (in /usr/lib64/xulrunner-1.9.2/libmozjs.so)
==15071==    by 0x4C1522D: gjs_context_eval (context.c:793)
==15071==    by 0x4C154C9: gjs_context_eval_file (context.c:874)
Comment 3 Colin Walters 2010-12-01 23:24:23 UTC
Created attachment 175684 [details] [review]
function: Don't unref info before we're done using it

The unref needs to be after we get the struct size.
Comment 4 Colin Walters 2010-12-01 23:36:16 UTC
Nevermind, no one is going to review this; going ahead and committing.
Comment 5 Colin Walters 2010-12-01 23:36:27 UTC
Attachment 175683 [details] pushed as cbf3227 - function: Don't read freed memory if a callback is freed during invocation
Attachment 175684 [details] pushed as dff2305 - function: Don't unref info before we're done using it
Comment 6 Owen Taylor 2010-12-01 23:39:02 UTC
(In reply to comment #4)
> Nevermind, no one is going to review this; going ahead and committing.

Hey, I came here with the intent of reviewing the patches, until I saw they had already been pushed ;-)