Use-after-free under initable_init(): gdbusconnection.c:2495
I am seeing crashes in gnome-calendar and wanted to debug them using valgrind. Therefore, I started valgrind with these command line parameters:
$ G_DEBUG=gc-friendly G_SLICE=debug-blocks /usr/bin/valgrind --track-origins=yes --vgdb=full --vgdb-error=0 /usr/bin/gnome-calendar
Then I started gdb using
$ gdb /usr/bin/gnome-calendar
and attached it to valgrind by executing
(gdb) target remote | vgdb
(gdb) continue
After a while, I got this issue reported by valgrind:
==29795== Thread 3 pool:
==29795== Invalid write of size 8
==29795== at 0x483F85B: memset (vg_replace_strmem.c:1252)
==29795== by 0x490C9F1: UnknownInlinedFun (string_fortified.h:71)
==29795== by 0x490C9F1: g_slice_alloc0 (gslice.c:1052)
==29795== by 0x57C1801: g_type_create_instance (gtype.c:1836)
==29795== by 0x57AA29A: g_param_spec_internal (gparam.c:437)
==29795== by 0x57AE9D9: g_param_spec_object (gparamspecs.c:2497)
==29795== by 0x5671501: g_socket_output_stream_class_init (gsocketoutputstream.c:195)
==29795== by 0x5671501: g_socket_output_stream_class_intern_init (gsocketoutputstream.c:54)
==29795== by 0x57BF9CA: type_class_init_Wm (gtype.c:2232)
==29795== by 0x57BF9CA: g_type_class_ref (gtype.c:2947)
==29795== by 0x57A6251: g_object_new_valist (gobject.c:2080)
==29795== by 0x57A633C: g_object_new (gobject.c:1648)
==29795== by 0x566E6BB: g_socket_connection_get_output_stream (gsocketconnection.c:116)
==29795== by 0x569C624: _g_dbus_auth_run_client (gdbusauth.c:589)
==29795== by 0x56AC524: initable_init (gdbusconnection.c:2533)
==29795== Address 0xe5aa630 is 16 bytes after a recently re-allocated block of size 80 alloc'd
==29795== at 0x57C1867: g_type_create_instance (gtype.c:1842)
==29795== by 0x57AA29A: g_param_spec_internal (gparam.c:437)
==29795== by 0x57AE9D9: g_param_spec_object (gparamspecs.c:2497)
==29795== by 0x566C3B9: g_socket_client_class_init (gsocketclient.c:918)
==29795== by 0x566C3B9: g_socket_client_class_intern_init (gsocketclient.c:113)
==29795== by 0x57BF9CA: type_class_init_Wm (gtype.c:2232)
==29795== by 0x57BF9CA: g_type_class_ref (gtype.c:2947)
==29795== by 0x57A5897: g_object_new_with_properties (gobject.c:1943)
==29795== by 0x57A6360: g_object_new (gobject.c:1645)
==29795== by 0x569ADD0: g_dbus_address_connect (gdbusaddress.c:684)
==29795== by 0x569ADD0: g_dbus_address_try_connect_one (gdbusaddress.c:798)
==29795== by 0x569B307: g_dbus_address_get_stream_sync (gdbusaddress.c:983)
==29795== by 0x56AC38D: initable_init (gdbusconnection.c:2495)
==29795== by 0x561FB11: async_init_thread (gasyncinitable.c:260)
==29795== by 0x56772C6: g_task_thread_pool_thread (gtask.c:1331)
I attached a logfile from gdb (bt and t a a bt full) to gnome-calendar.vgdb.log.
Installed software versions:
- glib2-2.58.3-1.fc29.x86_64
- glibc-2.28-26.fc29.x86_64
- kernel-4.20.11-200.fc29.x86_64
- valgrind-3.14.0-10.fc29.x86_64
- gdb-8.2-6.fc29.x86_64
I may be doing something wrong (please correct me if I am) but this looks like a bug in the GDBus stack of glib.
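As an added example (not part of this report), a small Python parser for the memcheck block above: it splits the error into the access stack and the allocation-site stack so the innermost GDBus frame on each side can be pulled out when triaging such reports. SAMPLE is a trimmed copy of the valgrind output quoted above, used here as constructed input.

```python
import re

# Trimmed copy of the memcheck output from the report above (constructed sample input).
SAMPLE = """\
==29795== Thread 3 pool:
==29795== Invalid write of size 8
==29795==    at 0x483F85B: memset (vg_replace_strmem.c:1252)
==29795==    by 0x490C9F1: g_slice_alloc0 (gslice.c:1052)
==29795==    by 0x56AC524: initable_init (gdbusconnection.c:2533)
==29795==  Address 0xe5aa630 is 16 bytes after a recently re-allocated block of size 80 alloc'd
==29795==    at 0x57C1867: g_type_create_instance (gtype.c:1842)
==29795==    by 0x56AC38D: initable_init (gdbusconnection.c:2495)
==29795==    by 0x561FB11: async_init_thread (gasyncinitable.c:260)
"""

# "at"/"by" stack frame: address, function name, "file:line" in parentheses.
FRAME_RE = re.compile(r"^(?:at|by) (0x[0-9A-Fa-f]+): (\S+) \(([^)]*)\)$")
# "==PID== " prefix that valgrind puts in front of every line.
PREFIX_RE = re.compile(r"^==\d+==\s*")


def parse_memcheck(text):
    """Split one memcheck error into message, access stack, address note and alloc stack.

    Frames are (function, location) tuples, innermost first, in valgrind's order.
    """
    report = {"error": None, "access": [], "address": None, "alloc": []}
    stack = None  # the list frames are currently appended to
    for raw in text.splitlines():
        line = PREFIX_RE.sub("", raw).strip()
        if not line or line.startswith("Thread "):
            continue
        m = FRAME_RE.match(line)
        if m and stack is not None:
            stack.append((m.group(2), m.group(3)))
        elif line.startswith("Address "):
            report["address"] = line  # "... alloc'd" note introduces the allocation stack
            stack = report["alloc"]
        elif report["error"] is None:
            report["error"] = line  # e.g. "Invalid write of size 8"
            stack = report["access"]
    return report


def first_frame_in(frames, source_prefix):
    """Innermost frame whose source file starts with source_prefix (e.g. "gdbus"), or None."""
    for func, loc in frames:
        if loc.startswith(source_prefix):
            return func, loc
    return None
```

Running `first_frame_in(report["access"], "gdbus")` against the full log attached to the report gives the GDBus frame where the bad write and the earlier allocation each entered the stack, which is what a maintainer would compare first.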