Crash during g_object_unref of GDBusProxy
Hello,
A crash happens randomly during the g_object_unref(proxy) call on a GDBusProxy *proxy in a closed application written in C++ that controls a wifi station using the wpa_supplicant dbus api.
The proxy is obtained with an async g_dbus_proxy_new_for_bus call and its response: GDBusProxy *proxy = g_dbus_proxy_new_for_bus_finish(result, &error); The proxy is then stored in the Bss class.
g_object_unref is called in the ~Bss destructor, so it is not called twice on the same object.
Steps to reproduce
I don't know the steps to reproduce it. The issue happens on production devices; so far it has occurred only once on a development device.
Version information
custom Linux distribution for embedded device
glib 2.46.2
patches: https://bugzilla.gnome.org/show_bug.cgi?id=7554, https://bugzilla.gnome.org/show_bug.cgi?id=758641
Warnings
There are no warnings before the crash.
Backtrace
#0 __libc_do_syscall () at ../sysdeps/unix/sysv/linux/arm/libc-do-syscall.S:47
#1 0xb69e1400 in __GI_raise (sig=sig@entry=6) at /usr/src/debug/glibc/2.23-r0/git/sysdeps/unix/sysv/linux/raise.c:54
#2 0xb69e25d6 in __GI_abort () at /usr/src/debug/glibc/2.23-r0/git/stdlib/abort.c:89
#3 0xb6a0d166 in __libc_message (do_abort=do_abort@entry=2, fmt=0xb6a9f304 "*** Error in `%s': %s: 0x%s ***\n") at /usr/src/debug/glibc/2.23-r0/git/sysdeps/posix/libc_fatal.c:175
#4 0xb6a12074 in malloc_printerr (action=<optimized out>, str=0xb6a9f440 "free(): invalid next size (fast)", ptr=<optimized out>, ar_ptr=<optimized out>) at /usr/src/debug/glibc/2.23-r0/git/malloc/malloc.c:5007
#5 0xb6a127bc in _int_free (av=0xb6abc7ac <main_arena>, p=<optimized out>, have_lock=-1226636361, have_lock@entry=0) at /usr/src/debug/glibc/2.23-r0/git/malloc/malloc.c:3868
#6 0xb6a158bc in __GI___libc_free (mem=<optimized out>) at /usr/src/debug/glibc/2.23-r0/git/malloc/malloc.c:2969
#7 0xb6cec9c0 in g_free (mem=<optimized out>) at /usr/src/debug/glib-2.0/1_2.46.2-r0/glib-2.46.2/glib/gmem.c:189
#8 0xb6e303b6 in signal_data_free (signal_data=0x2efe40) at /usr/src/debug/glib-2.0/1_2.46.2-r0/glib-2.46.2/gio/gdbusconnection.c:3230
#9 unsubscribe_id_internal (connection=connection@entry=0x25b178, subscription_id=subscription_id@entry=85, out_removed_subscribers=out_removed_subscribers@entry=0x3613a0) at /usr/src/debug/glib-2.0/1_2.46.2-r0/glib-2.46.2/gio/gdbusconnection.c:3589
#10 0xb6e33a08 in g_dbus_connection_signal_unsubscribe (connection=0x25b178, subscription_id=85) at /usr/src/debug/glib-2.0/1_2.46.2-r0/glib-2.46.2/gio/gdbusconnection.c:3624
#11 0xb6e3c08e in g_dbus_proxy_finalize (object=0x27eb60) at /usr/src/debug/glib-2.0/1_2.46.2-r0/glib-2.46.2/gio/gdbusproxy.c:220
#12 0xb6e9fa06 in g_object_unref (_object=0x27eb60) at /usr/src/debug/glib-2.0/1_2.46.2-r0/glib-2.46.2/gobject/gobject.c:3179
#13 0x001a9872 in wpa::Bss::cleanup (this=this@entry=0x27de3c) at Bss.cpp:45
#14 0x001a989c in wpa::Bss::~Bss (this=0x27de3c, __in_chrg=<optimized out>) at Bss.cpp:25
Questions:
- Do you know of any similar issue reports?
- Could this issue be caused by https://bugzilla.gnome.org/show_bug.cgi?id=778096 ?