Using Gio.AppInfo.launch() with a launch context may crash gjs
Coming from https://bugs.launchpad.net/ubuntu/+source/gjs/+bug/1986522
// Minimal reproducer: launching a trivial AppInfo with a Gdk launch context.
imports.gi.versions.Gdk = '3.0';
const {Gio, Gdk} = imports.gi;
Gdk.init([]);
// An AppInfo wrapping the "true" command, no name, no flags.
const info = Gio.AppInfo.create_from_commandline("true", null, 0);
// Launch context taken from the default display, stamped with the current time.
const launchContext = Gdk.Display.get_default().get_app_launch_context();
launchContext.set_timestamp(Gdk.CURRENT_TIME);
// Fix me: passing the context here crashes gjs. Per the valgrind trace, the
// empty uris array is released as an in/out array (heap over-read, then an
// invalid free) inside gjs's argument-release path, not in this script.
info.launch([], launchContext)
This ends up in the following crash (line numbers refer to gjs at commit e5fb670d):
==614316== Memcheck, a memory error detector
==614316== Copyright (C) 2002-2022, and GNU GPL'd, by Julian Seward et al.
==614316== Using Valgrind-3.19.0 and LibVEX; rerun with -h for copyright info
==614316== Command: gjs /tmp/init.js
==614316==
==614316== Warning: set address range perms: large range [0x2225a9550000, 0x222629150000) (noaccess)
==614316== Invalid read of size 8
==614316== at 0x488F9B8: bool gjs_g_argument_release_array_internal<false>(JSContext*, GITransfer, GjsArgumentFlags, _GIBaseInfoStub*, unsigned int, _GIArgument*) (arg.cpp:1030)
==614316== by 0x48891D0: gjs_g_argument_release_out_array(JSContext*, GITransfer, _GIBaseInfoStub*, unsigned int, _GIArgument*) (arg.cpp:3320)
==614316== by 0x48A0F4B: Gjs::Arg::ExplicitArrayInOut::release(JSContext*, GjsFunctionCallState*, _GIArgument*, _GIArgument*) (arg-cache.cpp:1428)
==614316== by 0x48DA40E: Gjs::Function::finish_invoke(JSContext*, JS::CallArgs const&, GjsFunctionCallState*, _GIArgument*) (function.cpp:1190)
==614316== by 0x48DA001: Gjs::Function::invoke(JSContext*, JS::CallArgs const&, JS::Handle<JSObject*>, _GIArgument*) (function.cpp:1138)
==614316== by 0x48DA812: Gjs::Function::call(JSContext*, unsigned int, JS::Value*) (function.cpp:1240)
==614316== by 0x54BBAE1: UnknownInlinedFun (Interpreter.cpp:420)
==614316== by 0x54BBAE1: js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) (Interpreter.cpp:493)
==614316== by 0x54C62CB: UnknownInlinedFun (Interpreter.cpp:574)
==614316== by 0x54C62CB: UnknownInlinedFun (Interpreter.cpp:578)
==614316== by 0x54C62CB: Interpret(JSContext*, js::RunState&) [clone .lto_priv.0] (Interpreter.cpp:3314)
==614316== by 0x54BB499: js::RunScript(JSContext*, js::RunState&) (Interpreter.cpp:389)
==614316== by 0x54BC69A: js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, js::AbstractFramePtr, JS::MutableHandle<JS::Value>) (Interpreter.cpp:781)
==614316== by 0x55592C5: UnknownInlinedFun (CompilationAndEvaluation.cpp:519)
==614316== by 0x55592C5: JS_ExecuteScript(JSContext*, JS::Handle<JS::StackGCVector<JSObject*, js::TempAllocPolicy> >, JS::Handle<JSScript*>, JS::MutableHandle<JS::Value>) (CompilationAndEvaluation.cpp:539)
==614316== by 0x493DD5B: GjsContextPrivate::eval_with_scope(JS::Handle<JSObject*>, char const*, unsigned long, char const*, JS::MutableHandle<JS::Value>) (context.cpp:1667)
==614316== Address 0x9f82d48 is 0 bytes after a block of size 8 alloc'd
==614316== at 0x4848A13: calloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==614316== by 0x4B19440: g_malloc0 (gmem.c:163)
==614316== by 0x48989AA: char** array_allocate<char*>(unsigned long) (arg.cpp:578)
==614316== by 0x488978F: bool gjs_array_to_auto_array<char*, (GITypeTag)0>(JSContext*, JS::Value, unsigned long, void**) (arg.cpp:606)
==614316== by 0x487FF9E: gjs_array_to_strv(JSContext*, JS::Value, unsigned int, void**) (arg.cpp:667)
==614316== by 0x48807D6: gjs_array_to_array(JSContext*, JS::Handle<JS::Value>, unsigned long, GITransfer, _GIBaseInfoStub*, void**) (arg.cpp:814)
==614316== by 0x48816F5: gjs_array_to_explicit_array(JSContext*, JS::Handle<JS::Value>, _GIBaseInfoStub*, char const*, GjsArgumentType, GITransfer, GjsArgumentFlags, void**, unsigned long*) (arg.cpp:1155)
==614316== by 0x489E706: Gjs::Arg::ExplicitArrayIn::in(JSContext*, GjsFunctionCallState*, _GIArgument*, JS::Handle<JS::Value>) (arg-cache.cpp:795)
==614316== by 0x489E7C7: Gjs::Arg::ExplicitArrayInOut::in(JSContext*, GjsFunctionCallState*, _GIArgument*, JS::Handle<JS::Value>) (arg-cache.cpp:809)
==614316== by 0x48D9930: Gjs::Function::invoke(JSContext*, JS::CallArgs const&, JS::Handle<JSObject*>, _GIArgument*) (function.cpp:1026)
==614316== by 0x48DA812: Gjs::Function::call(JSContext*, unsigned int, JS::Value*) (function.cpp:1240)
==614316== by 0x54BBAE1: UnknownInlinedFun (Interpreter.cpp:420)
==614316== by 0x54BBAE1: js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) (Interpreter.cpp:493)
==614316==
==614316== Invalid free() / delete / delete[] / realloc()
==614316== at 0x484620F: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==614316== by 0x4887AC0: gjs_g_arg_release_internal(JSContext*, GITransfer, _GIBaseInfoStub*, GITypeTag, GjsArgumentType, GjsArgumentFlags, _GIArgument*) (arg.cpp:2956)
==614316== by 0x488FA21: bool gjs_g_argument_release_array_internal<false>(JSContext*, GITransfer, GjsArgumentFlags, _GIBaseInfoStub*, unsigned int, _GIArgument*) (arg.cpp:1034)
==614316== by 0x48891D0: gjs_g_argument_release_out_array(JSContext*, GITransfer, _GIBaseInfoStub*, unsigned int, _GIArgument*) (arg.cpp:3320)
==614316== by 0x48A0F4B: Gjs::Arg::ExplicitArrayInOut::release(JSContext*, GjsFunctionCallState*, _GIArgument*, _GIArgument*) (arg-cache.cpp:1428)
==614316== by 0x48DA40E: Gjs::Function::finish_invoke(JSContext*, JS::CallArgs const&, GjsFunctionCallState*, _GIArgument*) (function.cpp:1190)
==614316== by 0x48DA001: Gjs::Function::invoke(JSContext*, JS::CallArgs const&, JS::Handle<JSObject*>, _GIArgument*) (function.cpp:1138)
==614316== by 0x48DA812: Gjs::Function::call(JSContext*, unsigned int, JS::Value*) (function.cpp:1240)
==614316== by 0x54BBAE1: UnknownInlinedFun (Interpreter.cpp:420)
==614316== by 0x54BBAE1: js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) (Interpreter.cpp:493)
==614316== by 0x54C62CB: UnknownInlinedFun (Interpreter.cpp:574)
==614316== by 0x54C62CB: UnknownInlinedFun (Interpreter.cpp:578)
==614316== by 0x54C62CB: Interpret(JSContext*, js::RunState&) [clone .lto_priv.0] (Interpreter.cpp:3314)
==614316== by 0x54BB499: js::RunScript(JSContext*, js::RunState&) (Interpreter.cpp:389)
==614316== by 0x54BC69A: js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, js::AbstractFramePtr, JS::MutableHandle<JS::Value>) (Interpreter.cpp:781)
==614316== Address 0x50 is not stack'd, malloc'd or (recently) free'd
==614316==
==614316== Mismatched free() / delete / delete []
==614316== at 0x484620F: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==614316== by 0x4887AC0: gjs_g_arg_release_internal(JSContext*, GITransfer, _GIBaseInfoStub*, GITypeTag, GjsArgumentType, GjsArgumentFlags, _GIArgument*) (arg.cpp:2956)
==614316== by 0x488FA21: bool gjs_g_argument_release_array_internal<false>(JSContext*, GITransfer, GjsArgumentFlags, _GIBaseInfoStub*, unsigned int, _GIArgument*) (arg.cpp:1034)
==614316== by 0x48891D0: gjs_g_argument_release_out_array(JSContext*, GITransfer, _GIBaseInfoStub*, unsigned int, _GIArgument*) (arg.cpp:3320)
==614316== by 0x48A0F4B: Gjs::Arg::ExplicitArrayInOut::release(JSContext*, GjsFunctionCallState*, _GIArgument*, _GIArgument*) (arg-cache.cpp:1428)
==614316== by 0x48DA40E: Gjs::Function::finish_invoke(JSContext*, JS::CallArgs const&, GjsFunctionCallState*, _GIArgument*) (function.cpp:1190)
==614316== by 0x48DA001: Gjs::Function::invoke(JSContext*, JS::CallArgs const&, JS::Handle<JSObject*>, _GIArgument*) (function.cpp:1138)
==614316== by 0x48DA812: Gjs::Function::call(JSContext*, unsigned int, JS::Value*) (function.cpp:1240)
==614316== by 0x54BBAE1: UnknownInlinedFun (Interpreter.cpp:420)
==614316== by 0x54BBAE1: js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) (Interpreter.cpp:493)
==614316== by 0x54C62CB: UnknownInlinedFun (Interpreter.cpp:574)
==614316== by 0x54C62CB: UnknownInlinedFun (Interpreter.cpp:578)
==614316== by 0x54C62CB: Interpret(JSContext*, js::RunState&) [clone .lto_priv.0] (Interpreter.cpp:3314)
==614316== by 0x54BB499: js::RunScript(JSContext*, js::RunState&) (Interpreter.cpp:389)
==614316== by 0x54BC69A: js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, js::AbstractFramePtr, JS::MutableHandle<JS::Value>) (Interpreter.cpp:781)
==614316== Address 0x9f838e8 is 0 bytes inside a block of size 32 alloc'd
==614316== at 0x4C11D9E: g_closure_new_simple (gclosure.c:218)
==614316== by 0x4C132DC: g_signal_type_cclosure_new (gclosure.c:1176)
==614316== by 0x4C2A2E7: g_signal_new (gsignal.c:1520)
==614316== by 0xA1A7559: gdk_display_manager_class_init (gdkdisplaymanager.c:146)
==614316== by 0xA1A7559: gdk_display_manager_class_intern_init (gdkdisplaymanager.c:126)
==614316== by 0x4C3395A: type_class_init_Wm (gtype.c:2365)
==614316== by 0x4C3395A: g_type_class_ref (gtype.c:3080)
==614316== by 0x4C1A507: g_object_new_with_properties (gobject.c:2387)
==614316== by 0x4C1B120: g_object_new (gobject.c:2054)
==614316== by 0xA1A769C: gdk_display_manager_get (gdkdisplaymanager.c:302)
==614316== by 0xA1A776C: gdk_display_get_default (gdkdisplaymanager.c:339)
==614316== by 0xA19D88C: gdk_display_open_default (gdk.c:463)
==614316== by 0xA19D9C1: gdk_init_check (gdk.c:541)
==614316== by 0xA19D9DC: gdk_init (gdk.c:563)
==614316==
==614316== Conditional jump or move depends on uninitialised value(s)
==614316== at 0x4887AAF: gjs_g_arg_release_internal(JSContext*, GITransfer, _GIBaseInfoStub*, GITypeTag, GjsArgumentType, GjsArgumentFlags, _GIArgument*) (arg.cpp:2956)
==614316== by 0x488FA21: bool gjs_g_argument_release_array_internal<false>(JSContext*, GITransfer, GjsArgumentFlags, _GIBaseInfoStub*, unsigned int, _GIArgument*) (arg.cpp:1034)
==614316== by 0x48891D0: gjs_g_argument_release_out_array(JSContext*, GITransfer, _GIBaseInfoStub*, unsigned int, _GIArgument*) (arg.cpp:3320)
==614316== by 0x48A0F4B: Gjs::Arg::ExplicitArrayInOut::release(JSContext*, GjsFunctionCallState*, _GIArgument*, _GIArgument*) (arg-cache.cpp:1428)
==614316== by 0x48DA40E: Gjs::Function::finish_invoke(JSContext*, JS::CallArgs const&, GjsFunctionCallState*, _GIArgument*) (function.cpp:1190)
==614316== by 0x48DA001: Gjs::Function::invoke(JSContext*, JS::CallArgs const&, JS::Handle<JSObject*>, _GIArgument*) (function.cpp:1138)
==614316== by 0x48DA812: Gjs::Function::call(JSContext*, unsigned int, JS::Value*) (function.cpp:1240)
==614316== by 0x54BBAE1: UnknownInlinedFun (Interpreter.cpp:420)
==614316== by 0x54BBAE1: js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) (Interpreter.cpp:493)
==614316== by 0x54C62CB: UnknownInlinedFun (Interpreter.cpp:574)
==614316== by 0x54C62CB: UnknownInlinedFun (Interpreter.cpp:578)
==614316== by 0x54C62CB: Interpret(JSContext*, js::RunState&) [clone .lto_priv.0] (Interpreter.cpp:3314)
==614316== by 0x54BB499: js::RunScript(JSContext*, js::RunState&) (Interpreter.cpp:389)
==614316== by 0x54BC69A: js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, js::AbstractFramePtr, JS::MutableHandle<JS::Value>) (Interpreter.cpp:781)
==614316== by 0x55592C5: UnknownInlinedFun (CompilationAndEvaluation.cpp:519)
==614316== by 0x55592C5: JS_ExecuteScript(JSContext*, JS::Handle<JS::StackGCVector<JSObject*, js::TempAllocPolicy> >, JS::Handle<JSScript*>, JS::MutableHandle<JS::Value>) (CompilationAndEvaluation.cpp:539)
==614316==
==614316==
==614316== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==614316== Bad permissions for mapped region at address 0xA297000
==614316== at 0x488F9B8: bool gjs_g_argument_release_array_internal<false>(JSContext*, GITransfer, GjsArgumentFlags, _GIBaseInfoStub*, unsigned int, _GIArgument*) (arg.cpp:1030)
==614316== by 0x48891D0: gjs_g_argument_release_out_array(JSContext*, GITransfer, _GIBaseInfoStub*, unsigned int, _GIArgument*) (arg.cpp:3320)
==614316== by 0x48A0F4B: Gjs::Arg::ExplicitArrayInOut::release(JSContext*, GjsFunctionCallState*, _GIArgument*, _GIArgument*) (arg-cache.cpp:1428)
==614316== by 0x48DA40E: Gjs::Function::finish_invoke(JSContext*, JS::CallArgs const&, GjsFunctionCallState*, _GIArgument*) (function.cpp:1190)
==614316== by 0x48DA001: Gjs::Function::invoke(JSContext*, JS::CallArgs const&, JS::Handle<JSObject*>, _GIArgument*) (function.cpp:1138)
==614316== by 0x48DA812: Gjs::Function::call(JSContext*, unsigned int, JS::Value*) (function.cpp:1240)
==614316== by 0x54BBAE1: UnknownInlinedFun (Interpreter.cpp:420)
==614316== by 0x54BBAE1: js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) (Interpreter.cpp:493)
==614316== by 0x54C62CB: UnknownInlinedFun (Interpreter.cpp:574)
==614316== by 0x54C62CB: UnknownInlinedFun (Interpreter.cpp:578)
==614316== by 0x54C62CB: Interpret(JSContext*, js::RunState&) [clone .lto_priv.0] (Interpreter.cpp:3314)
==614316== by 0x54BB499: js::RunScript(JSContext*, js::RunState&) (Interpreter.cpp:389)
==614316== by 0x54BC69A: js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, js::AbstractFramePtr, JS::MutableHandle<JS::Value>) (Interpreter.cpp:781)
==614316== by 0x55592C5: UnknownInlinedFun (CompilationAndEvaluation.cpp:519)
==614316== by 0x55592C5: JS_ExecuteScript(JSContext*, JS::Handle<JS::StackGCVector<JSObject*, js::TempAllocPolicy> >, JS::Handle<JSScript*>, JS::MutableHandle<JS::Value>) (CompilationAndEvaluation.cpp:539)
==614316== by 0x493DD5B: GjsContextPrivate::eval_with_scope(JS::Handle<JSObject*>, char const*, unsigned long, char const*, JS::MutableHandle<JS::Value>) (context.cpp:1667)
This bug definitely affects master and 1.76.0 down to 1.64.5 (the oldest version I've tested).