Use after free in CallbackIn marshaller
The following discussion from !837 (merged) should be addressed:
- @skeller started a discussion: (+3 comments)

I noticed the following while running gnome-shell through valgrind with this MR applied. Not sure what specifically triggered this, because I haven't seen this in other runs (with and without the MR), so I'm also not sure if this is caused by this MR.
```
==362366== Invalid read of size 2
==362366==    at 0x4CDA05C: g_closure_unref (gclosure.c:621)
==362366==    by 0x4ED86F5: Gjs::Arg::CallbackIn::release(JSContext*, GjsFunctionCallState*, _GIArgument*, _GIArgument*) (arg-cache.cpp:1454)
==362366==    by 0x4EECE11: Gjs::Function::finish_invoke(JSContext*, JS::CallArgs const&, GjsFunctionCallState*, _GIArgument*) (function.cpp:1188)
==362366==    by 0x4EEEB3B: Gjs::Function::invoke(JSContext*, JS::CallArgs const&, JS::Handle<JSObject*>, _GIArgument*) (function.cpp:1136)
==362366==    by 0x4EEF8F7: Gjs::Function::call(JSContext*, unsigned int, JS::Value*) (function.cpp:1238)
==362366==    by 0x607A389: ??? (in /usr/lib64/libmozjs-102.so.0.0.0)
==362366==    by 0x606E2FB: ??? (in /usr/lib64/libmozjs-102.so.0.0.0)
==362366==    by 0x6079C18: ??? (in /usr/lib64/libmozjs-102.so.0.0.0)
==362366==    by 0x607A187: ??? (in /usr/lib64/libmozjs-102.so.0.0.0)
==362366==    by 0x607A583: ??? (in /usr/lib64/libmozjs-102.so.0.0.0)
==362366==    by 0x60FC360: JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) (in /usr/lib64/libmozjs-102.so.0.0.0)
==362366==    by 0x4F24A51: GjsContextPrivate::call_function(JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) (context.cpp:1689)
==362366==  Address 0x3d9e6868 is 40 bytes inside a block of size 168 free'd
==362366==    at 0x48440E4: free (vg_replace_malloc.c:884)
==362366==    by 0x4CDA1A8: g_closure_unref (gclosure.c:642)
==362366==    by 0x4ED86F5: Gjs::Arg::CallbackIn::release(JSContext*, GjsFunctionCallState*, _GIArgument*, _GIArgument*) (arg-cache.cpp:1454)
==362366==    by 0x4EECE11: Gjs::Function::finish_invoke(JSContext*, JS::CallArgs const&, GjsFunctionCallState*, _GIArgument*) (function.cpp:1188)
==362366==    by 0x4EEEB3B: Gjs::Function::invoke(JSContext*, JS::CallArgs const&, JS::Handle<JSObject*>, _GIArgument*) (function.cpp:1136)
==362366==    by 0x4EEF8F7: Gjs::Function::call(JSContext*, unsigned int, JS::Value*) (function.cpp:1238)
==362366==    by 0x607A389: ??? (in /usr/lib64/libmozjs-102.so.0.0.0)
==362366==    by 0x606E2FB: ??? (in /usr/lib64/libmozjs-102.so.0.0.0)
==362366==    by 0x6079C18: ??? (in /usr/lib64/libmozjs-102.so.0.0.0)
==362366==    by 0x607A187: ??? (in /usr/lib64/libmozjs-102.so.0.0.0)
==362366==    by 0x607A583: ??? (in /usr/lib64/libmozjs-102.so.0.0.0)
==362366==    by 0x60FC360: JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) (in /usr/lib64/libmozjs-102.so.0.0.0)
==362366==  Block was alloc'd at
==362366==    at 0x4846464: calloc (vg_replace_malloc.c:1340)
==362366==    by 0x4D83F98: g_malloc0 (gmem.c:163)
==362366==    by 0x4CD987B: g_closure_new_simple (gclosure.c:213)
==362366==    by 0x4EEC92E: operator new (closure.h:44)
==362366==    by 0x4EEC92E: GjsCallbackTrampoline::create(JSContext*, JS::Handle<JSObject*>, _GIBaseInfoStub*, GIScopeType, bool, bool) (function.cpp:692)
==362366==    by 0x4ED9609: Gjs::Arg::CallbackIn::in(JSContext*, GjsFunctionCallState*, _GIArgument*, JS::Handle<JS::Value>) (arg-cache.cpp:857)
==362366==    by 0x4EEE9F7: Gjs::Function::invoke(JSContext*, JS::CallArgs const&, JS::Handle<JSObject*>, _GIArgument*) (function.cpp:1024)
==362366==    by 0x4EEF8F7: Gjs::Function::call(JSContext*, unsigned int, JS::Value*) (function.cpp:1238)
==362366==    by 0x607A389: ??? (in /usr/lib64/libmozjs-102.so.0.0.0)
==362366==    by 0x606E2FB: ??? (in /usr/lib64/libmozjs-102.so.0.0.0)
==362366==    by 0x6079C18: ??? (in /usr/lib64/libmozjs-102.so.0.0.0)
==362366==    by 0x607A187: ??? (in /usr/lib64/libmozjs-102.so.0.0.0)
==362366==    by 0x607A583: ??? (in /usr/lib64/libmozjs-102.so.0.0.0)
```
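Reading the report: the block is the GClosure allocated for the callback trampoline in `CallbackIn::in` (arg-cache.cpp:857), it is freed by `g_closure_unref` (gclosure.c:642) called from `CallbackIn::release` at arg-cache.cpp:1454, and the invalid read is a further `g_closure_unref` (gclosure.c:621) reached from that same release line. So the closure received one more unref than it had references, and the second unref reads the refcount field out of the freed block. The program below is an added illustration of that failure shape and is not GJS or GLib code; `Closure`, `ArgState`, `release_buggy`, `release_fixed` and `run_scenario` are invented names, and it does not claim to be the actual cause in GJS. It models a release hook that unrefs the closure it holds but leaves the pointer in the state, so running the hook twice unrefs a released block, next to the variant that steals the pointer first. Instead of calling `free()`, the toy keeps the block mapped and sets a `freed` flag, which stands in for valgrind's freed-block tracking and keeps the demonstration defined behaviour.

```c
/* Hypothetical model of a refcount release that can run twice on the same
 * closure. Added illustration only: none of this is GJS or GLib code, and the
 * names (Closure, ArgState, release_buggy, release_fixed) are invented. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Toy stand-in for GClosure: a heap block whose lifetime is a refcount. */
typedef struct {
    int ref_count;
    bool freed;             /* instrumentation: plays the role of valgrind's freed-block tracking */
    void (*callback)(void);
} Closure;

/* Number of unrefs that touched an already-released block, i.e. what valgrind
 * reports as "Invalid read ... inside a block ... free'd". */
static int double_unref_count = 0;

static Closure *closure_new(void (*callback)(void)) {
    Closure *c = calloc(1, sizeof *c);
    if (!c)
        abort();
    c->ref_count = 1;
    c->callback = callback;
    return c;
}

/* Returns 1 when this unref released the block, 0 when references remain,
 * and -1 when the block had already been released (the use-after-free case).
 * The block is deliberately never handed back to free(): keeping it mapped
 * lets the 'freed' check stay defined behaviour instead of a real UAF. */
static int closure_unref(Closure *c) {
    if (c->freed) {
        double_unref_count++;
        return -1;
    }
    if (--c->ref_count == 0) {
        c->freed = true;
        return 1;
    }
    return 0;
}

/* Per-call marshalling state: holds the closure created for an 'in' callback argument. */
typedef struct {
    Closure *closure;
} ArgState;

/* Buggy shape: unref whatever the state holds, but leave the pointer in place.
 * If the release hook runs a second time for the same state (for instance from
 * two cleanup paths), it unrefs the same, already-released block again. */
static int release_buggy(ArgState *state) {
    if (!state->closure)
        return 0;
    return closure_unref(state->closure);
}

/* Fixed shape: take ownership out of the state before unreffing, so a repeated
 * release finds nothing to drop. This is the g_steal_pointer() idiom. */
static int release_fixed(ArgState *state) {
    Closure *c = state->closure;
    state->closure = NULL;
    if (!c)
        return 0;
    return closure_unref(c);
}

/* Drives one call: create the callback closure, then run the release hook
 * twice, as a doubled cleanup path would. Returns the result of the second
 * release: -1 means it touched a freed block, 0 means it was a harmless no-op.
 * -2 would mean the first release unexpectedly failed to drop the only reference. */
static int run_scenario(bool fixed) {
    ArgState state = { closure_new(NULL) };
    int (*release)(ArgState *) = fixed ? release_fixed : release_buggy;
    int first = release(&state);    /* 1 in both variants: the single reference is dropped */
    int second = release(&state);
    return first == 1 ? second : -2;
}

int main(void) {
    printf("buggy release, second call: %d\n", run_scenario(false)); /* -1: read of a freed closure */
    printf("fixed release, second call: %d\n", run_scenario(true));  /* 0: nothing left to unref */
    printf("double unrefs detected: %d\n", double_unref_count);     /* 1 */
    return 0;
}
```

Under valgrind the real equivalent of `return -1` is the "Invalid read of size 2" at the top of the report: `g_closure_unref` reads the bit-packed refcount of a block that a previous unref from the same release path has already handed to `free()`. The generic defence is the one `release_fixed` shows: whichever cleanup path runs first must leave the owning slot empty, so that any later pass over the same state cannot unref the closure a second time.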