Use-after-free of GDBusMethodInvocation in GDBusInterfaceSkeleton
I just saw this failure while debugging another test with ASan:
================================= 1968/10000 =================================
test: glib:gio / gdbus-test-codegen-min-required-2-64
start time: 12:33:50
duration: 0.51s
result: exit status 1
command: G_TEST_BUILDDIR=/opt/gnome/build/glib/gio/tests MALLOC_CHECK_=2 GIO_LAUNCH_DESKTOP=/opt/gnome/build/glib/gio/gio-launch-desktop G_ENABLE_DIAGNOSTIC=1 G_DEBUG=gc-friendly G_TEST_SRCDIR=/opt/gnome/source/glib/gio/tests GIO_MODULE_DIR='' /opt/gnome/build/glib/gio/tests/gdbus-test-codegen-min-required-2-64
----------------------------------- stdout -----------------------------------
TAP version 13
# random seed: R02S35287cb0e7c09926b582ef625ce6220b
1..8
# Start of gdbus tests
# Start of codegen tests
# GLib-DEBUG: g_set_user_dirs: Setting HOME to /tmp/test_gdbus-test-codegen-min-required-2-64_P81101/gdbus/codegen/annotations/.dirs/home
# GLib-DEBUG: g_set_user_dirs: Setting XDG_CACHE_HOME to /tmp/test_gdbus-test-codegen-min-required-2-64_P81101/gdbus/codegen/annotations/.dirs/cache
# GLib-DEBUG: g_set_user_dirs: Setting XDG_CONFIG_DIRS to /tmp/test_gdbus-test-codegen-min-required-2-64_P81101/gdbus/codegen/annotations/.dirs/system-config1:/tmp/test_gdbus-test-codegen-min-required-2-64_P81101/gdbus/codegen/annotations/.dirs/system-config2
# GLib-DEBUG: g_set_user_dirs: Setting XDG_CONFIG_HOME to /tmp/test_gdbus-test-codegen-min-required-2-64_P81101/gdbus/codegen/annotations/.dirs/config
# GLib-DEBUG: g_set_user_dirs: Setting XDG_DATA_DIRS to /tmp/test_gdbus-test-codegen-min-required-2-64_P81101/gdbus/codegen/annotations/.dirs/system-data1:/tmp/test_gdbus-test-codegen-min-required-2-64_P81101/gdbus/codegen/annotations/.dirs/system-data2
# GLib-DEBUG: g_set_user_dirs: Setting XDG_DATA_HOME to /tmp/test_gdbus-test-codegen-min-required-2-64_P81101/gdbus/codegen/annotations/.dirs/data
# GLib-DEBUG: g_set_user_dirs: Setting XDG_STATE_HOME to /tmp/test_gdbus-test-codegen-min-required-2-64_P81101/gdbus/codegen/annotations/.dirs/state
# GLib-DEBUG: g_set_user_dirs: Setting XDG_RUNTIME_DIR to /tmp/test_gdbus-test-codegen-min-required-2-64_P81101/gdbus/codegen/annotations/.dirs/runtime
ok 1 /gdbus/codegen/annotations
# GLib-DEBUG: g_set_user_dirs: Setting HOME to /tmp/test_gdbus-test-codegen-min-required-2-64_P81101/gdbus/codegen/interface_stability/.dirs/home
# GLib-DEBUG: g_set_user_dirs: Setting XDG_CACHE_HOME to /tmp/test_gdbus-test-codegen-min-required-2-64_P81101/gdbus/codegen/interface_stability/.dirs/cache
# GLib-DEBUG: g_set_user_dirs: Setting XDG_CONFIG_DIRS to /tmp/test_gdbus-test-codegen-min-required-2-64_P81101/gdbus/codegen/interface_stability/.dirs/system-config1:/tmp/test_gdbus-test-codegen-min-required-2-64_P81101/gdbus/codegen/interface_stability/.dirs/system-config2
# GLib-DEBUG: g_set_user_dirs: Setting XDG_CONFIG_HOME to /tmp/test_gdbus-test-codegen-min-required-2-64_P81101/gdbus/codegen/interface_stability/.dirs/config
# GLib-DEBUG: g_set_user_dirs: Setting XDG_DATA_DIRS to /tmp/test_gdbus-test-codegen-min-required-2-64_P81101/gdbus/codegen/interface_stability/.dirs/system-data1:/tmp/test_gdbus-test-codegen-min-required-2-64_P81101/gdbus/codegen/interface_stability/.dirs/system-data2
# GLib-DEBUG: g_set_user_dirs: Setting XDG_DATA_HOME to /tmp/test_gdbus-test-codegen-min-required-2-64_P81101/gdbus/codegen/interface_stability/.dirs/data
# GLib-DEBUG: g_set_user_dirs: Setting XDG_STATE_HOME to /tmp/test_gdbus-test-codegen-min-required-2-64_P81101/gdbus/codegen/interface_stability/.dirs/state
# GLib-DEBUG: g_set_user_dirs: Setting XDG_RUNTIME_DIR to /tmp/test_gdbus-test-codegen-min-required-2-64_P81101/gdbus/codegen/interface_stability/.dirs/runtime
ok 2 /gdbus/codegen/interface_stability
# GLib-DEBUG: g_set_user_dirs: Setting HOME to /tmp/test_gdbus-test-codegen-min-required-2-64_P81101/gdbus/codegen/object-manager/.dirs/home
# GLib-DEBUG: g_set_user_dirs: Setting XDG_CACHE_HOME to /tmp/test_gdbus-test-codegen-min-required-2-64_P81101/gdbus/codegen/object-manager/.dirs/cache
# GLib-DEBUG: g_set_user_dirs: Setting XDG_CONFIG_DIRS to /tmp/test_gdbus-test-codegen-min-required-2-64_P81101/gdbus/codegen/object-manager/.dirs/system-config1:/tmp/test_gdbus-test-codegen-min-required-2-64_P81101/gdbus/codegen/object-manager/.dirs/system-config2
# GLib-DEBUG: g_set_user_dirs: Setting XDG_CONFIG_HOME to /tmp/test_gdbus-test-codegen-min-required-2-64_P81101/gdbus/codegen/object-manager/.dirs/config
# GLib-DEBUG: g_set_user_dirs: Setting XDG_DATA_DIRS to /tmp/test_gdbus-test-codegen-min-required-2-64_P81101/gdbus/codegen/object-manager/.dirs/system-data1:/tmp/test_gdbus-test-codegen-min-required-2-64_P81101/gdbus/codegen/object-manager/.dirs/system-data2
# GLib-DEBUG: g_set_user_dirs: Setting XDG_DATA_HOME to /tmp/test_gdbus-test-codegen-min-required-2-64_P81101/gdbus/codegen/object-manager/.dirs/data
# GLib-DEBUG: g_set_user_dirs: Setting XDG_STATE_HOME to /tmp/test_gdbus-test-codegen-min-required-2-64_P81101/gdbus/codegen/object-manager/.dirs/state
# GLib-DEBUG: g_set_user_dirs: Setting XDG_RUNTIME_DIR to /tmp/test_gdbus-test-codegen-min-required-2-64_P81101/gdbus/codegen/object-manager/.dirs/runtime
# GLib-GIO-DEBUG: Using cross-namespace EXTERNAL authentication (this will deadlock if server is GDBus < 2.73.3)
----------------------------------- stderr -----------------------------------
=================================================================
==2492805==ERROR: AddressSanitizer: heap-use-after-free on address 0x60b000034660 at pc 0x7f8c389b3a8f bp 0x7ffc1fa71f10 sp 0x7ffc1fa71f08
READ of size 8 at 0x60b000034660 thread T0
#0 0x7f8c389b3a8e in g_datalist_get_flags ../../source/glib/glib/gdataset.c:1355
#1 0x7f8c384d2434 in g_object_unref ../../source/glib/gobject/gobject.c:3824
#2 0x7f8c38a197e2 in g_source_callback_unref ../../source/glib/glib/gmain.c:1742
#3 0x7f8c38a172ab in g_source_destroy_internal ../../source/glib/glib/gmain.c:1407
#4 0x7f8c38a209fb in g_main_dispatch ../../source/glib/glib/gmain.c:3490
#5 0x7f8c38a24489 in g_main_context_dispatch ../../source/glib/glib/gmain.c:4200
#6 0x7f8c38a24b48 in g_main_context_iterate ../../source/glib/glib/gmain.c:4276
#7 0x7f8c38a25c49 in g_main_loop_run ../../source/glib/glib/gmain.c:4479
#8 0x49bfb7 in test_object_manager ../../source/glib/gio/tests/gdbus-test-codegen.c:2390
#9 0x7f8c38ab6d95 in test_case_run ../../source/glib/glib/gtestutils.c:3108
#10 0x7f8c38ab7792 in g_test_run_suite_internal ../../source/glib/glib/gtestutils.c:3203
#11 0x7f8c38ab7a56 in g_test_run_suite_internal ../../source/glib/glib/gtestutils.c:3222
#12 0x7f8c38ab7a56 in g_test_run_suite_internal ../../source/glib/glib/gtestutils.c:3222
#13 0x7f8c38ab7f85 in g_test_run_suite ../../source/glib/glib/gtestutils.c:3302
#14 0x7f8c38ab4a1a in g_test_run ../../source/glib/glib/gtestutils.c:2409
#15 0x49f176 in session_bus_run ../../source/glib/gio/tests/gdbus-sessionbus.c:69
#16 0x49edb6 in main ../../source/glib/gio/tests/gdbus-test-codegen.c:2748
#17 0x7f8c3864a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f)
#18 0x7f8c3864a5c8 in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x275c8)
#19 0x407404 in _start (/opt/gnome/build/glib/gio/tests/gdbus-test-codegen-min-required-2-64+0x407404)
0x60b000034660 is located 16 bytes inside of 104-byte region [0x60b000034650,0x60b0000346b8)
freed by thread T3 here:
#0 0x7f8c38eb9388 in __interceptor_free.part.0 (/lib64/libasan.so.8+0xb9388)
#1 0x7f8c38a41346 in g_free_sized ../../source/glib/glib/gmem.c:258
#2 0x7f8c3851e8f8 in g_type_free_instance ../../source/glib/gobject/gtype.c:2062
#3 0x7f8c384d2e5e in g_object_unref ../../source/glib/gobject/gobject.c:3954
#4 0x7f8c384d2ff7 in g_clear_object ../../source/glib/gobject/gobject.c:3987
#5 0x7f8c384d3df8 in g_value_object_free_value ../../source/glib/gobject/gobject.c:4399
#6 0x7f8c38534fd9 in g_value_unset ../../source/glib/gobject/gvalue.c:313
#7 0x7f8c38506462 in g_signal_emit_valist ../../source/glib/gobject/gsignal.c:3584
#8 0x7f8c3850669d in g_signal_emit ../../source/glib/gobject/gsignal.c:3612
#9 0x7f8c37e5e4d5 in dispatch_in_thread_func ../../source/glib/gio/gdbusinterfaceskeleton.c:528
#10 0x7f8c37cc0869 in g_task_thread_pool_thread ../../source/glib/gio/gtask.c:1531
#11 0x7f8c38ac2a2c in g_thread_pool_thread_proxy ../../source/glib/glib/gthreadpool.c:350
#12 0x7f8c38ac11f9 in g_thread_proxy ../../source/glib/glib/gthread.c:831
#13 0x7f8c386ae12c in start_thread (/lib64/libc.so.6+0x8b12c)
previously allocated by thread T4 here:
#0 0x7f8c38eba097 in calloc (/lib64/libasan.so.8+0xba097)
#1 0x7f8c38a411f3 in g_malloc0 ../../source/glib/glib/gmem.c:163
#2 0x7f8c3851d8ff in g_type_create_instance ../../source/glib/gobject/gtype.c:1965
#3 0x7f8c384c7c24 in g_object_new_internal ../../source/glib/gobject/gobject.c:2246
#4 0x7f8c384c8805 in g_object_new_with_properties ../../source/glib/gobject/gobject.c:2409
#5 0x7f8c384c6e3e in g_object_new ../../source/glib/gobject/gobject.c:2055
#6 0x7f8c37e53b7c in _g_dbus_method_invocation_new ../../source/glib/gio/gdbusmethodinvocation.c:371
#7 0x7f8c37e00e2f in schedule_method_call ../../source/glib/gio/gdbusconnection.c:5035
#8 0x7f8c37e012a9 in validate_and_maybe_schedule_method_call ../../source/glib/gio/gdbusconnection.c:5137
#9 0x7f8c37e0156c in obj_message_func ../../source/glib/gio/gdbusconnection.c:5180
#10 0x7f8c37e0b57f in distribute_method_call ../../source/glib/gio/gdbusconnection.c:7238
#11 0x7f8c37df3549 in on_worker_message_received ../../source/glib/gio/gdbusconnection.c:2335
#12 0x7f8c37e38ee1 in _g_dbus_worker_emit_message_received ../../source/glib/gio/gdbusprivate.c:492
#13 0x7f8c37e3934b in _g_dbus_worker_queue_or_deliver_received_message ../../source/glib/gio/gdbusprivate.c:520
#14 0x7f8c37e3b1c9 in _g_dbus_worker_do_read_cb ../../source/glib/gio/gdbusprivate.c:805
#15 0x7f8c37cbfc02 in g_task_return_now ../../source/glib/gio/gtask.c:1309
#16 0x7f8c37cbfcd5 in complete_in_idle_cb ../../source/glib/gio/gtask.c:1323
#17 0x7f8c38a2b5ee in g_idle_dispatch ../../source/glib/glib/gmain.c:6163
#18 0x7f8c38a205f0 in g_main_dispatch ../../source/glib/glib/gmain.c:3460
#19 0x7f8c38a24489 in g_main_context_dispatch ../../source/glib/glib/gmain.c:4200
#20 0x7f8c38a24b48 in g_main_context_iterate ../../source/glib/glib/gmain.c:4276
#21 0x7f8c38a25c49 in g_main_loop_run ../../source/glib/glib/gmain.c:4479
#22 0x7f8c37e38353 in gdbus_shared_thread_func ../../source/glib/gio/gdbusprivate.c:284
#23 0x7f8c38ac11f9 in g_thread_proxy ../../source/glib/glib/gthread.c:831
#24 0x7f8c386ae12c in start_thread (/lib64/libc.so.6+0x8b12c)
Thread T3 created by T1 here:
#0 0x7f8c38e4b3e6 in __interceptor_pthread_create (/lib64/libasan.so.8+0x4b3e6)
#1 0x7f8c38b68c2b in g_system_thread_new ../../source/glib/glib/gthread-posix.c:1221
#2 0x7f8c38ac16b7 in g_thread_new_internal ../../source/glib/glib/gthread.c:935
#3 0x7f8c38ac15aa in g_thread_try_new ../../source/glib/glib/gthread.c:919
#4 0x7f8c38ac2728 in g_thread_pool_spawn_thread ../../source/glib/glib/gthreadpool.c:312
#5 0x7f8c38ac11f9 in g_thread_proxy ../../source/glib/glib/gthread.c:831
#6 0x7f8c386ae12c in start_thread (/lib64/libc.so.6+0x8b12c)
Thread T1 created by T0 here:
#0 0x7f8c38e4b3e6 in __interceptor_pthread_create (/lib64/libasan.so.8+0x4b3e6)
#1 0x7f8c38b68c2b in g_system_thread_new ../../source/glib/glib/gthread-posix.c:1221
#2 0x7f8c38ac16b7 in g_thread_new_internal ../../source/glib/glib/gthread.c:935
#3 0x7f8c38ac143e in g_thread_new ../../source/glib/glib/gthread.c:888
#4 0x7f8c38ac39eb in g_thread_pool_new_full ../../source/glib/glib/gthreadpool.c:640
#5 0x7f8c38ac34d6 in g_thread_pool_new ../../source/glib/glib/gthreadpool.c:559
#6 0x7f8c37cc3d61 in g_task_thread_pool_init ../../source/glib/gio/gtask.c:2276
#7 0x7f8c37cbcf51 in g_task_get_type_once ../../source/glib/gio/gtask.c:639
#8 0x7f8c37cbcd13 in g_task_get_type ../../source/glib/gio/gtask.c:639
#9 0x7f8c37e381bd in ensure_required_types ../../source/glib/gio/gdbusprivate.c:255
#10 0x7f8c37e41f6a in _g_dbus_initialize ../../source/glib/gio/gdbusprivate.c:2001
#11 0x7f8c37e0c22c in g_bus_get ../../source/glib/gio/gdbusconnection.c:7536
#12 0x7f8c37e2279d in g_bus_own_name ../../source/glib/gio/gdbusnameowning.c:683
#13 0x49bf92 in test_object_manager ../../source/glib/gio/tests/gdbus-test-codegen.c:2381
#14 0x7f8c38ab6d95 in test_case_run ../../source/glib/glib/gtestutils.c:3108
#15 0x7f8c38ab7792 in g_test_run_suite_internal ../../source/glib/glib/gtestutils.c:3203
#16 0x7f8c38ab7a56 in g_test_run_suite_internal ../../source/glib/glib/gtestutils.c:3222
#17 0x7f8c38ab7a56 in g_test_run_suite_internal ../../source/glib/glib/gtestutils.c:3222
#18 0x7f8c38ab7f85 in g_test_run_suite ../../source/glib/glib/gtestutils.c:3302
#19 0x7f8c38ab4a1a in g_test_run ../../source/glib/glib/gtestutils.c:2409
#20 0x49f176 in session_bus_run ../../source/glib/gio/tests/gdbus-sessionbus.c:69
#21 0x49edb6 in main ../../source/glib/gio/tests/gdbus-test-codegen.c:2748
#22 0x7f8c3864a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f)
Thread T4 created by T3 here:
#0 0x7f8c38e4b3e6 in __interceptor_pthread_create (/lib64/libasan.so.8+0x4b3e6)
#1 0x7f8c38b68c2b in g_system_thread_new ../../source/glib/glib/gthread-posix.c:1221
#2 0x7f8c38ac16b7 in g_thread_new_internal ../../source/glib/glib/gthread.c:935
#3 0x7f8c38ac143e in g_thread_new ../../source/glib/glib/gthread.c:888
#4 0x7f8c37e385f5 in _g_dbus_shared_thread_ref ../../source/glib/gio/gdbusprivate.c:309
#5 0x7f8c37e40d14 in _g_dbus_worker_new ../../source/glib/gio/gdbusprivate.c:1715
#6 0x7f8c37df4cef in initable_init ../../source/glib/gio/gdbusconnection.c:2615
#7 0x7f8c37c051bb in g_initable_init ../../source/glib/gio/ginitable.c:130
#8 0x7f8c37b6d37f in async_init_thread ../../source/glib/gio/gasyncinitable.c:263
#9 0x7f8c37cc0869 in g_task_thread_pool_thread ../../source/glib/gio/gtask.c:1531
#10 0x7f8c38ac2a2c in g_thread_pool_thread_proxy ../../source/glib/glib/gthreadpool.c:350
#11 0x7f8c38ac11f9 in g_thread_proxy ../../source/glib/glib/gthread.c:831
#12 0x7f8c386ae12c in start_thread (/lib64/libc.so.6+0x8b12c)
SUMMARY: AddressSanitizer: heap-use-after-free ../../source/glib/glib/gdataset.c:1355 in g_datalist_get_flags
Shadow bytes around the buggy address:
0x0c167fffe870: fa fa fd fd fd fd fd fd fd fd fd fd fd fd fd fa
0x0c167fffe880: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c167fffe890: fd fd fd fd fd fa fa fa fa fa fa fa fa fa fd fd
0x0c167fffe8a0: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa
0x0c167fffe8b0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c167fffe8c0: fd fa fa fa fa fa fa fa fa fa fd fd[fd]fd fd fd
0x0c167fffe8d0: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa
0x0c167fffe8e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa
0x0c167fffe8f0: fa fa fa fa fa fa fd fd fd fd fd fd fd fd fd fd
0x0c167fffe900: fd fd fd fa fa fa fa fa fa fa fa fa fd fd fd fd
0x0c167fffe910: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==2492805==ABORTING
cleaning up pid 2492815
(test program exited with status code 1)
==============================================================================