Bug 782254 - Crash in maps_contact_store_dispose
Status: RESOLVED FIXED
Product: gnome-maps
Classification: Applications
Component: general
Version: unspecified
OS: Other Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assigned To: gnome-maps-maint
QA Contact: gnome-maps-maint
Depends on:
Blocks:
Reported: 2017-05-06 07:35 UTC by Jeremy Bicha
Modified: 2017-05-08 21:10 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
contactStore: Avoid use-after free (1011 bytes, patch), 2017-05-08 19:38 UTC, Marcus Lundblad, status: committed

Description Jeremy Bicha 2017-05-06 07:35:04 UTC
Ubuntu 17.04 with gnome-maps 3.24, gjs 1.48.0 and 1.48.2 has been receiving crash reports:

gjs-console (11) g_slice_free_chain_with_offset → g_list_free → maps_contact_store_dispose → g_object_unref → release_native_object

  • #0 g_slice_free_chain_with_offset
    at ../../../../glib/gslice.c line 1191
  • #1 g_list_free
    at ../../../../glib/glist.c line 182
  • #2 maps_contact_store_dispose
    at maps-contact-store.c line 69
  • #3 g_object_unref
    at ../../../../gobject/gobject.c line 3148
  • #4 release_native_object
    at gi/object.cpp line 1257
  • #5 disassociate_js_gobject
    at gi/object.cpp line 1419
  • #6 update_heap_wrapper_weak_pointers
    at gi/object.cpp line 1345
  • #7 ??
  • #8 ??
  • #9 ??
  • #10 ??
  • #11 ??
  • #12 ??
  • #13 ??
  • #14 ??

Comment 1 Jeremy Bicha 2017-05-06 07:35:51 UTC
.

Thread 9 (Thread 0x7f7ee37fe700 (LWP 12901))

  • #0 syscall
    at ../sysdeps/unix/sysv/linux/x86_64/syscall.S line 38
  • #1 g_cond_wait_until
    at ../../../../glib/gthread-posix.c line 1442
  • #2 g_async_queue_pop_intern_unlocked
    at ../../../../glib/gasyncqueue.c line 422
  • #3 g_async_queue_timeout_pop_unlocked
    at ../../../../glib/gasyncqueue.c line 570
  • #4 g_thread_pool_wait_for_new_task
    at ../../../../glib/gthreadpool.c line 262
  • #5 g_thread_pool_thread_proxy
    at ../../../../glib/gthreadpool.c line 296
  • #6 g_thread_proxy
    at ../../../../glib/gthread.c line 784
  • #7 start_thread
    at pthread_create.c line 456
  • #8 clone
    at ../sysdeps/unix/sysv/linux/x86_64/clone.S line 105

Thread 1 (Thread 0x7f7fba8ec600 (LWP 12638))

  • #0 g_slice_free_chain_with_offset
    at ../../../../glib/gslice.c line 1191
  • #1 g_list_free
    at ../../../../glib/glist.c line 182
  • #2 maps_contact_store_dispose
    at maps-contact-store.c line 69
  • #3 g_object_unref
    at ../../../../gobject/gobject.c line 3148
  • #4 release_native_object
    at gi/object.cpp line 1257
  • #5 disassociate_js_gobject
    at gi/object.cpp line 1419
  • #6 update_heap_wrapper_weak_pointers
    at gi/object.cpp line 1345
  • #7 ??
  • #8 ??
  • #9 ??
  • #10 ??
  • #11 ??
  • #12 ??
  • #13 ??
  • #14 ??

Comment 2 Jeremy Bicha 2017-05-06 07:39:03 UTC
There are hundreds of reports in Ubuntu's crash database for this issue.
Comment 3 Emmanuele Bassi (:ebassi) 2017-05-08 14:07:56 UTC
The ::dispose() virtual function can be called multiple times.

If you free some data inside there, you also need to set the pointer to NULL, and check for NULL.

In this case:

-  g_list_free (store->priv->list);
-  g_object_unref (store->priv->aggregator);
+  g_clear_pointer (&store->priv->list, g_list_free)
+  g_clear_object (&store->priv->aggregator);
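Review bot: the `+  g_clear_pointer (&store->priv->list, g_list_free)` line is missing its terminating semicolon, so the snippet as written would not compile; it should read `g_clear_pointer (&store->priv->list, g_list_free);`. The substitution itself is right: both helpers set the field to NULL before releasing what it pointed to, which is what makes a repeated ::dispose() call safe.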
Comment 4 Philip Chimento 2017-05-08 18:55:24 UTC
As Emmanuele suggested on IRC, it could be that this was exposed by SpiderMonkey's improved garbage collector, where in previous versions whatever JS object was holding on to the contact store was never garbage collected.
Comment 5 Marcus Lundblad 2017-05-08 19:38:28 UTC
Created attachment 351388
contactStore: Avoid use-after free

Clear pointers in dispose vfunc to avoid crashes when ::dispose() is called
multiple times on the contact store object.
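A standalone C model of the defect and the fix described in comments 3 and 5, added here as an example and not gnome-maps code: a tiny linked list and a CLEAR_POINTER macro stand in for GList and g_clear_pointer so it builds without GLib, and the ContactStorePriv struct and the function names are constructed for this illustration.

```c
#include <stdlib.h>

/* Stand-ins for GList/g_list_free so this builds without GLib; the counter
 * records how often the list destructor actually ran. */
typedef struct Node { struct Node *next; } Node;
static int list_free_calls;

static Node *list_new(int n) {
    Node *head = NULL;
    while (n-- > 0) { Node *node = malloc(sizeof *node); node->next = head; head = node; }
    return head;
}

static void list_free(Node *head) {
    list_free_calls++;
    while (head) { Node *next = head->next; free(head); head = next; }
}

/* Constructed model of the store's private struct (only the list field). */
typedef struct { Node *list; } ContactStorePriv;
/* Buggy dispose: the list is freed but the field keeps the dead address, so a
 * second ::dispose() call walks freed memory (the g_list_free crash above). */
static void dispose_buggy(ContactStorePriv *priv) {
    list_free(priv->list);
}

/* g_clear_pointer-style idiom: detach the pointer, NULL the field, then destroy
 * only if it was set. Repeated dispose calls become no-ops. */
#define CLEAR_POINTER(pp, destroy) \
    do { void *tmp_ = *(pp); *(pp) = NULL; if (tmp_) destroy(tmp_); } while (0)

static void dispose_fixed(ContactStorePriv *priv) {
    CLEAR_POINTER(&priv->list, list_free);
}

/* Dispose the fixed store twice; returns how many times the list was freed. */
int fixed_double_dispose_free_count(void) {
    ContactStorePriv priv = { list_new(3) };
    list_free_calls = 0;
    dispose_fixed(&priv);
    dispose_fixed(&priv);     /* second call is safe: the field is already NULL */
    return list_free_calls;   /* 1 */
}

/* One buggy dispose leaves the field non-NULL, the dangling pointer that a
 * second dispose would free again. Returns 1 when the pointer is dangling. */
int buggy_leaves_dangling_pointer(void) {
    ContactStorePriv priv = { list_new(3) };
    dispose_buggy(&priv);
    return priv.list != NULL;  /* 1 */
}
```

Running the buggy variant twice is deliberately not done here, since that is the double free the report describes; the fixed variant shows why nulling the field makes the second call harmless.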
Comment 6 Marcus Lundblad 2017-05-08 20:55:02 UTC
Attachment 351388 pushed as f75562e - contactStore: Avoid use-after free
Comment 7 Marcus Lundblad 2017-05-08 21:10:25 UTC
I took the liberty of pushing this to get it in for 3.24.2 :)