GNOME Bugzilla – Bug 626684
Segfault when invoking methods with "out" GValues with wrong arguments
Last modified: 2010-09-23 22:53:21 UTC
Created attachment 167670
Testcase showing the explained behavior

Invoking a method with a GValue annotated as "out" produces a crash if the arguments provided aren't right. Invoking the method without arguments, or providing the wrong type or amount, produces a segmentation fault. Calling the method with the right arguments works as expected. The testcase provided lets you reproduce it: calling the Gtk.ListStore.get_value() method with two wrong args. The segmentation fault is produced at pygi-invoke.c:958 (_free_invocation_state), when the GValue is first unset and then freed: state->args is null.
Created attachment 167672
Partial fix

This patch provides a partial fix for the bug, checking if the state arguments are null before trying to unset them. It works as expected: when calling the method with the wrong type/number of arguments it fails with a TypeError, and works when doing it right. It's based on the assumption that it is fine if the state arguments are null, as a result of them being assigned in a lazy way or something like that. However, when the arguments meet the method signature but the GValue didn't get stored (due to the method's logic), it segfaults. I'll attach another testcase to display this behaviour.
Created attachment 167673
Testcase showing the free crash when the GValue hasn't been set

When the method signature is met but, due to the application logic, the GValue doesn't get to store a value, a crash is produced when the GValue gets freed. The testcase attached passes an invalid iterator to the model, which then refuses to store a value in the GValue. This behaviour was already present, and hasn't been altered with the previous patch.
Review of attachment 167672:

Indeed, state->args and state->args[i] can be NULL at that point, if _prepare_invocation_state returns before it has allocated them.

::: gi/pygi-invoke.c
@@ +959,3 @@
+ g_value_unset ( (GValue *) state->args[i]);
+ g_free (state->args[i]);
+ }

This can be checked earlier.
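Review bot: the NULL test guarding these two lines runs once per element inside the loop, yet state->args itself can be NULL when _prepare_invocation_state returns before allocating it, so the test on state->args belongs before the loop and only the per-element test on state->args[i] inside it. A NULL test alone also leaves the second testcase uncovered: an args[i] GValue that was allocated but never filled by the callee still reaches g_value_unset here, which is the crash that the partial fix does not change.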
Created attachment 167706
Remove useless checks.

No need to check for state->arg_infos, state->arg_type_infos, and state->args_is_auxiliary to be NULL; they are always allocated.
Created attachment 167708
Fix caller-allocates emergency free.

In the state, args, args[i], arg_infos[i], and arg_type_infos[i] must not be NULL in order to be able to handle caller-allocates. This patch adds those conditions. Moreover, the interface info needs to be freed afterwards.
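A minimal model of the prepare/free pairing this bug is about, added here as an example and not pygi's own code: prepare can bail out at several points, and the emergency free must tolerate each partial state (args NULL, args[i] NULL, a value that the callee never stored). All names are hypothetical, and a small Value struct stands in for GValue so it builds without GLib.

```c
/* Added example, not pygi's code: a minimal model of the prepare/free pairing from this bug.
 * "Value" stands in for GValue so it builds without GLib; all names are hypothetical. */
#include <stdlib.h>
#include <string.h>

typedef struct { int type; void *data; } Value;              /* type 0 = never initialised */
typedef struct { size_t n_args; Value **args; } InvocationState;
typedef struct { int slots_freed; int values_unset; } FreeStats;

/* Mirrors g_value_unset's precondition: an uninitialised value is not unset. */
static int value_unset(Value *v) {
    if (v->type == 0) return 0;
    free(v->data); v->data = NULL; v->type = 0;
    return 1;
}

/* Validates before allocating: a wrong argument count returns with args still NULL
 * (the report's wrong-argument case); fail_late aborts the loop with the last args[i] NULL. */
static int prepare_invocation_state(InvocationState *st, size_t given, size_t expected, int fail_late) {
    memset(st, 0, sizeof *st);
    if (given != expected) return 0;                          /* the TypeError path */
    st->n_args = expected;
    st->args = calloc(expected, sizeof *st->args);
    for (size_t i = 0; i < expected; i++) {
        if (fail_late && i == expected - 1) return 0;
        st->args[i] = calloc(1, sizeof **st->args);
    }
    return 1;
}

/* Emergency free: checks each level instead of dereferencing state->args blindly. */
static FreeStats free_invocation_state(InvocationState *st) {
    FreeStats s = {0, 0};
    if (st->args == NULL) return s;                           /* prepare bailed out early */
    for (size_t i = 0; i < st->n_args; i++) {
        if (st->args[i] == NULL) continue;                    /* allocation aborted here */
        s.values_unset += value_unset(st->args[i]);           /* skips never-set values */
        free(st->args[i]); s.slots_freed++;
    }
    free(st->args); st->args = NULL;
    return s;
}

/* 0: wrong arity, 1: allocation aborted, 2: callee stored nothing, 3: value stored. */
static FreeStats run_case(int scenario) {
    InvocationState st;
    int ok = prepare_invocation_state(&st, scenario == 0 ? 0 : 2, 2, scenario == 1);
    if (ok && scenario == 3) { st.args[1]->type = 1; st.args[1]->data = malloc(8); }
    return free_invocation_state(&st);
}
```

Each of the four scenarios runs the cleanup without a crash; only the stored value in scenario 3 is actually unset, which is the behaviour the two testcases above expect.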
The following fixes have been pushed:
e4c4ccc Fix caller-allocates emergency free.
0ab967c Remove useless checks.
Created attachment 167710
Fix caller-allocates emergency free.

In the state, args, args[i], arg_infos[i], and arg_type_infos[i] must not be NULL in order to be able to handle caller-allocates. This patch adds those conditions. Moreover, the interface info needs to be freed afterwards.
Created attachment 167711
Remove useless checks.

No need to check for state->arg_infos, state->arg_type_infos, and state->args_is_auxiliary to be NULL; they are always allocated.
For the other test case, see bug 620912.
*** Bug 625583 has been marked as a duplicate of this bug. ***