Use after free when calling g_dbus_connection_flush_sync() in a dedicated thread
The code in evolution-data-server calls g_dbus_connection_flush_sync() in its own dedicated thread (so it is not a problem that the function blocks). Using glib2-2.62.0-1.fc31.x86_64 and running one of the processes under valgrind reports the following. Reading the traces: the 40-byte block is allocated (gdbusprivate.c:1786) and freed (gdbusprivate.c:1816) by the calling thread inside _g_dbus_worker_flush_sync(), while the GDBus worker thread (Thread 3, "gdbus") later reads a GCond inside that already-freed block from flush_data_list_complete() (gdbusprivate.c:1161) — so this looks like a race between the synchronous caller returning and freeing its flush data and the worker thread signalling completion on it. The second report (futex pointing to unaddressable bytes) is the same access seen from the g_cond_signal() syscall.
==2176== Thread 3 gdbus:
==2176== Invalid read of size 4
==2176== at 0x100B93B18: g_cond_signal (gthread-posix.c:1429)
==2176== by 0x1009DA246: flush_data_list_complete (gdbusprivate.c:1161)
==2176== by 0x1009DC18B: ostream_flush_cb (gdbusprivate.c:1206)
==2176== by 0x1009710F9: g_task_return_now (gtask.c:1212)
==2176== by 0x100971CCC: g_task_return.part.0 (gtask.c:1281)
==2176== by 0x100952374: async_ready_flush_callback_wrapper (goutputstream.c:1830)
==2176== by 0x1009710F9: g_task_return_now (gtask.c:1212)
==2176== by 0x10097113C: complete_in_idle_cb (gtask.c:1226)
==2176== by 0x100B43DCA: g_idle_dispatch (gmain.c:5617)
==2176== by 0x100B4749F: g_main_dispatch (gmain.c:3179)
==2176== by 0x100B4749F: g_main_context_dispatch (gmain.c:3844)
==2176== by 0x100B4782F: g_main_context_iterate.isra.0 (gmain.c:3917)
==2176== by 0x100B47B22: g_main_loop_run (gmain.c:4111)
==2176== by 0x1009DA649: gdbus_shared_thread_func (gdbusprivate.c:279)
==2176== by 0x100B70F51: g_thread_proxy (gthread.c:805)
==2176== by 0x1014224E1: start_thread (in /usr/lib64/libpthread-2.30.so)
==2176== by 0x100E9D642: clone (in /usr/lib64/libc-2.30.so)
==2176== Address 0x11b239530 is 16 bytes inside a block of size 40 free'd
==2176== at 0x100839A0C: free (vg_replace_malloc.c:540)
==2176== by 0x100B4D3CC: g_free (gmem.c:192)
==2176== by 0x1009DB3A9: _g_dbus_worker_flush_sync (gdbusprivate.c:1816)
==2176== by 0x100884139: e_cal_backend_notify_property_changed (e-cal-backend.c:4674)
==2176== by 0x10085872B: cal_backend_file_take_icomp (e-cal-backend-file.c:1148)
==2176== by 0x10085C6F7: open_cal (e-cal-backend-file.c:1188)
==2176== by 0x10085C6F7: e_cal_backend_file_open (e-cal-backend-file.c:1495)
==2176== by 0x100887D03: cal_backend_open (e-cal-backend-sync.c:656)
==2176== by 0x10087F96B: cal_backend_open_thread (e-cal-backend.c:1712)
==2176== by 0x100884098: cal_backend_dispatch_thread (e-cal-backend.c:267)
==2176== by 0x100B71693: g_thread_pool_thread_proxy (gthreadpool.c:308)
==2176== by 0x100B70F51: g_thread_proxy (gthread.c:805)
==2176== by 0x1014224E1: start_thread (in /usr/lib64/libpthread-2.30.so)
==2176== by 0x100E9D642: clone (in /usr/lib64/libc-2.30.so)
==2176== Block was alloc'd at
==2176== at 0x10083AB1A: calloc (vg_replace_malloc.c:762)
==2176== by 0x100B4D330: g_malloc0 (gmem.c:129)
==2176== by 0x1009DB2E5: _g_dbus_worker_flush_sync (gdbusprivate.c:1786)
==2176== by 0x100884139: e_cal_backend_notify_property_changed (e-cal-backend.c:4674)
==2176== by 0x10085872B: cal_backend_file_take_icomp (e-cal-backend-file.c:1148)
==2176== by 0x10085C6F7: open_cal (e-cal-backend-file.c:1188)
==2176== by 0x10085C6F7: e_cal_backend_file_open (e-cal-backend-file.c:1495)
==2176== by 0x100887D03: cal_backend_open (e-cal-backend-sync.c:656)
==2176== by 0x10087F96B: cal_backend_open_thread (e-cal-backend.c:1712)
==2176== by 0x100884098: cal_backend_dispatch_thread (e-cal-backend.c:267)
==2176== by 0x100B71693: g_thread_pool_thread_proxy (gthreadpool.c:308)
==2176== by 0x100B70F51: g_thread_proxy (gthread.c:805)
==2176== by 0x1014224E1: start_thread (in /usr/lib64/libpthread-2.30.so)
==2176== by 0x100E9D642: clone (in /usr/lib64/libc-2.30.so)
==2176==
==2176== Syscall param futex(futex) points to unaddressable byte(s)
==2176== at 0x100E9815D: syscall (in /usr/lib64/libc-2.30.so)
==2176== by 0x1009DA246: flush_data_list_complete (gdbusprivate.c:1161)
==2176== by 0x1009DC18B: ostream_flush_cb (gdbusprivate.c:1206)
==2176== by 0x1009710F9: g_task_return_now (gtask.c:1212)
==2176== by 0x100971CCC: g_task_return.part.0 (gtask.c:1281)
==2176== by 0x100952374: async_ready_flush_callback_wrapper (goutputstream.c:1830)
==2176== by 0x1009710F9: g_task_return_now (gtask.c:1212)
==2176== by 0x10097113C: complete_in_idle_cb (gtask.c:1226)
==2176== by 0x100B43DCA: g_idle_dispatch (gmain.c:5617)
==2176== by 0x100B4749F: g_main_dispatch (gmain.c:3179)
==2176== by 0x100B4749F: g_main_context_dispatch (gmain.c:3844)
==2176== by 0x100B4782F: g_main_context_iterate.isra.0 (gmain.c:3917)
==2176== by 0x100B47B22: g_main_loop_run (gmain.c:4111)
==2176== by 0x1009DA649: gdbus_shared_thread_func (gdbusprivate.c:279)
==2176== by 0x100B70F51: g_thread_proxy (gthread.c:805)
==2176== by 0x1014224E1: start_thread (in /usr/lib64/libpthread-2.30.so)
==2176== by 0x100E9D642: clone (in /usr/lib64/libc-2.30.so)
==2176== Address 0x11b239530 is 16 bytes inside a block of size 40 free'd
==2176== at 0x100839A0C: free (vg_replace_malloc.c:540)
==2176== by 0x100B4D3CC: g_free (gmem.c:192)
==2176== by 0x1009DB3A9: _g_dbus_worker_flush_sync (gdbusprivate.c:1816)
==2176== by 0x100884139: e_cal_backend_notify_property_changed (e-cal-backend.c:4674)
==2176== by 0x10085872B: cal_backend_file_take_icomp (e-cal-backend-file.c:1148)
==2176== by 0x10085C6F7: open_cal (e-cal-backend-file.c:1188)
==2176== by 0x10085C6F7: e_cal_backend_file_open (e-cal-backend-file.c:1495)
==2176== by 0x100887D03: cal_backend_open (e-cal-backend-sync.c:656)
==2176== by 0x10087F96B: cal_backend_open_thread (e-cal-backend.c:1712)
==2176== by 0x100884098: cal_backend_dispatch_thread (e-cal-backend.c:267)
==2176== by 0x100B71693: g_thread_pool_thread_proxy (gthreadpool.c:308)
==2176== by 0x100B70F51: g_thread_proxy (gthread.c:805)
==2176== by 0x1014224E1: start_thread (in /usr/lib64/libpthread-2.30.so)
==2176== by 0x100E9D642: clone (in /usr/lib64/libc-2.30.so)
==2176== Block was alloc'd at
==2176== at 0x10083AB1A: calloc (vg_replace_malloc.c:762)
==2176== by 0x100B4D330: g_malloc0 (gmem.c:129)
==2176== by 0x1009DB2E5: _g_dbus_worker_flush_sync (gdbusprivate.c:1786)
==2176== by 0x100884139: e_cal_backend_notify_property_changed (e-cal-backend.c:4674)
==2176== by 0x10085872B: cal_backend_file_take_icomp (e-cal-backend-file.c:1148)
==2176== by 0x10085C6F7: open_cal (e-cal-backend-file.c:1188)
==2176== by 0x10085C6F7: e_cal_backend_file_open (e-cal-backend-file.c:1495)
==2176== by 0x100887D03: cal_backend_open (e-cal-backend-sync.c:656)
==2176== by 0x10087F96B: cal_backend_open_thread (e-cal-backend.c:1712)
==2176== by 0x100884098: cal_backend_dispatch_thread (e-cal-backend.c:267)
==2176== by 0x100B71693: g_thread_pool_thread_proxy (gthreadpool.c:308)
==2176== by 0x100B70F51: g_thread_proxy (gthread.c:805)
==2176== by 0x1014224E1: start_thread (in /usr/lib64/libpthread-2.30.so)
==2176== by 0x100E9D642: clone (in /usr/lib64/libc-2.30.so)