Bug 755269 - incorrect g_object_unref() in gdk-pixbuf-animation
Status: RESOLVED FIXED
Product: gdk-pixbuf
Classification: Platform
Component: general
Version: git master
Hardware/OS: Other FreeBSD
Priority/Severity: Normal normal
Target Milestone: ---
Assigned To: gdk-pixbuf-maint
Depends on:
Blocks:
 
 
Reported: 2015-09-19 18:44 UTC by Henry Hu
Modified: 2015-09-19 19:37 UTC
See Also:
GNOME target: ---
GNOME version: ---



Description Henry Hu 2015-09-19 18:44:27 UTC
Recently, gdk-pixbuf-animation was moved to GTask:
https://git.gnome.org/browse/gdk-pixbuf/commit/?id=3bdf3b74b3c0e535392b540458095f7a95ba11e7

However, with the new gdk-pixbuf (2.31.7), corebird crashes with a use-after-free:

Program received signal SIGBUS, Bus error.

Thread 34724599808 (LWP 101780)

#0 __pthread_mutex_lock at /usr/src/lib/libthr/thread/thr_mutex.c line 441
#1 g_mutex_lock at gthread-posix.c line 216
#2 g_task_thread_complete at gtask.c line 1197
#3 g_task_thread_pool_thread at gtask.c line 1238
#4 g_thread_pool_thread_proxy at gthreadpool.c line 307
#5 g_thread_proxy at gthread.c line 764
#6 thread_start at /usr/src/lib/libthr/thread/thr_create.c line 288
#7 ??

After closer inspection, task->task_func points to animation_new_from_stream_thread() in gdk-pixbuf-animation.
When task_func is called, the task's ref count is 1, and animation_new_from_stream_thread() calls g_object_unref(), which causes the task to be finalized. However, after calling task_func, the GTask thread pool function calls g_task_thread_complete() on the task, which has already been finalized, and crashes.

At the end of g_task_thread_pool_thread(), g_object_unref() is called on the task, so there is no need to call g_object_unref() in animation_new_from_stream_thread().
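The ownership rule described in the report, shown as an added example that is not part of the report, of gdk-pixbuf or of GLib. It is a constructed stand-alone model: Task, task_unref(), pool_thread() and run_async() are stand-ins for GTask, g_object_unref(), g_task_thread_pool_thread() and the g_task_run_in_thread() call site, and the sample payload strings are made up. The model keeps a finalized task addressable so the premature unref can be observed instead of faulting; a real finalizer frees the memory, which is why the pool's later g_task_thread_complete() crashed rather than being detected.

```c
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the GTask ownership rule behind this report; NOT GLib
 * code.  Rule being modelled: the pool holds the only reference while the
 * thread func runs and drops it itself after completion, so the thread func
 * must never unref the task it is handed. */

typedef struct Task Task;
typedef void (*TaskFunc)(Task *task, void *task_data);

struct Task {
    int ref_count;
    int completed;   /* set by the pool after the thread func returns */
    int finalized;   /* set when the last reference is dropped */
    char *result;    /* payload released by the finalizer */
    TaskFunc func;   /* counterpart of task->task_func */
    void *task_data;
};

static Task *task_new(TaskFunc func, void *task_data)
{
    Task *t = calloc(1, sizeof *t);
    if (t == NULL) abort();
    t->ref_count = 1;
    t->func = func;
    t->task_data = task_data;
    return t;
}

/* Drop one reference.  On the last one the payload is released and the task
 * is marked finalized.  For observability the struct itself is kept alive
 * (free it with task_dispose()); a real finalizer frees it outright. */
static void task_unref(Task *t)
{
    assert(t->ref_count > 0);
    if (--t->ref_count > 0) return;
    free(t->result);
    t->result = NULL;
    t->finalized = 1;
}

static void task_dispose(Task *t) { free(t->result); free(t); }

/* Store the thread func's result (the role g_task_return_pointer() plays). */
static void task_return_string(Task *t, const char *s)
{
    size_t n = strlen(s) + 1;
    free(t->result);
    t->result = malloc(n);
    if (t->result == NULL) abort();
    memcpy(t->result, s, n);
}

/* Counterpart of g_task_thread_pool_thread(): run the thread func, complete
 * the task, then drop the pool's reference.  Returns 0 on success and -1 when
 * the thread func already finalized the task, which is the report's scenario. */
static int pool_thread(Task *t)
{
    t->func(t, t->task_data);
    if (t->finalized) return -1;   /* a use-after-free in the real pool */
    t->completed = 1;
    task_unref(t);                 /* the one unref the pool is responsible for */
    return 0;
}

/* Counterpart of g_task_run_in_thread() followed by the caller's own unref:
 * by the time the thread func runs, the pool holds the only reference. */
static Task *run_async(TaskFunc func, void *task_data, int *rc)
{
    Task *t = task_new(func, task_data);   /* ref_count == 1, as in the report */
    *rc = pool_thread(t);
    return t;   /* still addressable only because this model never frees it */
}

/* The pattern from the report: the thread func unrefs a task it does not own. */
static void thread_func_buggy(Task *t, void *data)
{
    task_return_string(t, (const char *)data);
    task_unref(t);   /* wrong: this reference belongs to the pool */
}

/* Fixed pattern: return the result and let the pool manage the lifetime. */
static void thread_func_fixed(Task *t, void *data)
{
    task_return_string(t, (const char *)data);
}

int main(void)
{
    int rc;
    Task *bad = run_async(thread_func_buggy, "decoded frames", &rc);
    printf("buggy: rc=%d finalized=%d completed=%d\n", rc, bad->finalized, bad->completed);
    Task *good = run_async(thread_func_fixed, "decoded frames", &rc);
    printf("fixed: rc=%d finalized=%d completed=%d\n", rc, good->finalized, good->completed);
    task_dispose(bad);
    task_dispose(good);
    return 0;
}
```

With the buggy thread func the task is finalized before the pool reaches its completion step, so pool_thread() reports -1 and completed stays 0; with the fixed thread func the pool completes the task and its own unref is the one that finalizes it.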