gnome-shell reading from freed memory.
Affected version
gnome shell 43.0-1ubuntu2
Ubuntu 22.10
wayland
Bug summary
If I run /usr/bin/gnome-shell through valgrind, in roughly 50% of the runs it will catch a read of free'd memory.
==288501== Invalid read of size 8
==288501== at 0x4D1D028: g_type_check_instance_cast (gtype.c:4122)
==288501== by 0x2FEC3C42: free_fetch_user_request (act-user-manager.c:1708)
==288501== by 0x2FECB887: on_find_user_by_name_finished (act-user-manager.c:1187)
==288501== by 0x4BBD558: g_task_return_now (gtask.c:1232)
==288501== by 0x4BBD782: UnknownInlinedFun (gtask.c:1301)
==288501== by 0x4BBD782: g_task_return (gtask.c:1258)
==288501== by 0x4C25B8B: reply_cb (gdbusproxy.c:2578)
==288501== by 0x4BBD558: g_task_return_now (gtask.c:1232)
==288501== by 0x4BBD782: UnknownInlinedFun (gtask.c:1301)
==288501== by 0x4BBD782: g_task_return (gtask.c:1258)
==288501== by 0x4C1D411: g_dbus_connection_call_done (gdbusconnection.c:5882)
==288501== by 0x4BBD558: g_task_return_now (gtask.c:1232)
==288501== by 0x4BBD59C: complete_in_idle_cb (gtask.c:1246)
==288501== by 0x4D9B3CE: UnknownInlinedFun (gmain.c:3444)
==288501== by 0x4D9B3CE: g_main_context_dispatch (gmain.c:4162)
==288501== Address 0x23fc48b0 is 0 bytes inside a block of size 64 free'd
==288501== at 0x484727F: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==288501== by 0x4D1BFBB: g_type_free_instance (gtype.c:2010)
==288501== by 0x4D09A16: UnknownInlinedFun (gobject.c:1548)
==288501== by 0x4D09A16: g_object_notify (gobject.c:1594)
==288501== by 0x2FECAE6A: UnknownInlinedFun (act-user.c:562)
==288501== by 0x2FECAE6A: UnknownInlinedFun (act-user.c:557)
==288501== by 0x2FECAE6A: _act_user_update_from_object_path (act-user.c:1346)
==288501== by 0x2FECB60F: fetch_user_incrementally (act-user-manager.c:1789)
==288501== by 0x2FECB887: on_find_user_by_name_finished (act-user-manager.c:1187)
==288501== by 0x4BBD558: g_task_return_now (gtask.c:1232)
==288501== by 0x4BBD782: UnknownInlinedFun (gtask.c:1301)
==288501== by 0x4BBD782: g_task_return (gtask.c:1258)
==288501== by 0x4C25B8B: reply_cb (gdbusproxy.c:2578)
==288501== by 0x4BBD558: g_task_return_now (gtask.c:1232)
==288501== by 0x4BBD782: UnknownInlinedFun (gtask.c:1301)
==288501== by 0x4BBD782: g_task_return (gtask.c:1258)
==288501== by 0x4C1D411: g_dbus_connection_call_done (gdbusconnection.c:5882)
==288501== Block was alloc'd at
==288501== at 0x4844899: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==288501== by 0x4DA38C8: g_malloc (gmem.c:130)
==288501== by 0x4DBB315: g_slice_alloc (gslice.c:1074)
==288501== by 0x4DBB94C: g_slice_alloc0 (gslice.c:1100)
==288501== by 0x4D21704: g_type_create_instance (gtype.c:1913)
==288501== by 0x4D088DE: g_object_new_internal (gobject.c:2226)
==288501== by 0x4D0A127: g_object_new_with_properties (gobject.c:2387)
==288501== by 0x4D0AED0: g_object_new (gobject.c:2035)
==288501== by 0x2FEC4732: create_new_user (act-user-manager.c:706)
==288501== by 0x2FECBB78: act_user_manager_get_user (act-user-manager.c:1879)
==288501== by 0x66DBE2D: ffi_call_unix64 (unix64.S:105)
==288501== by 0x66D8492: ffi_call_int.lto_priv.0 (ffi64.c:672)
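The trace above shows the free happening inside g_object_notify() and the invalid read in free_fetch_user_request(): the request keeps using the user after a notification handler dropped the last reference. The following constructed C model (an added example, not accountsservice or gnome-shell code; the function names mirror the trace's frames but the bodies are assumptions) shows that ordering and the usual mitigation, the request holding its own reference for as long as it can still touch the object:

```c
#include <stdlib.h>

/* Constructed model, not accountsservice code: a listener owns the only
 * long-lived reference to the user and drops it during the notification. */
typedef struct User {
    int refcount;
    int alive;     /* cleared by finalize; stands in for the block being free'd */
    int is_loaded;
} User;

typedef struct Request { User *user; } Request;

static User *user_new(void) {
    User *u = calloc(1, sizeof *u);
    if (!u) abort();
    u->refcount = 1;
    u->alive = 1;
    return u;
}
static User *user_ref(User *u) { u->refcount++; return u; }
/* Real code: g_object_unref -> g_type_free_instance -> free(). The model only
 * marks the object dead so the later check stays defined behaviour. */
static void user_unref(User *u) { if (--u->refcount == 0) u->alive = 0; }
/* Stands in for g_type_check_instance_cast(): valid only on a live instance. */
static int check_instance(const User *u) { return u->alive; }

/* notify::is-loaded handler owning the initial reference; it releases it. */
static void on_user_loaded(User *u) { user_unref(u); }

/* Models _act_user_update_from_object_path(): set state, then notify. */
static void update_from_object_path(User *u) {
    u->is_loaded = 1;
    on_user_loaded(u);   /* delivered synchronously, may drop the last ref */
}

/* Models free_fetch_user_request(): the cast is the read valgrind flagged. */
static int free_fetch_user_request(Request *req, int owns_ref) {
    int ok = check_instance(req->user);
    if (ok && owns_ref) user_unref(req->user);
    return ok;
}

/* Returns 1 when the request finishes on a live object, 0 on use-after-free.
 * request_holds_ref=1 is the mitigation: the request keeps its own reference. */
static int run_fetch(int request_holds_ref) {
    User *u = user_new();
    Request req = { request_holds_ref ? user_ref(u) : u };
    update_from_object_path(req.user);
    int ok = free_fetch_user_request(&req, request_holds_ref);
    free(u);   /* model only: memory released after the check */
    return ok;
}
```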
Steps to reproduce
- edit /usr/share/applications/org.gnome.Shell.desktop
- change the Exec line to:
  Exec=/usr/bin/valgrind --log-file=/tmp/vg.log /usr/bin/gnome-shell
- launch a session from a virtual console using:
  XDG_SESSION_TYPE=wayland dbus-run-session gnome-session
- patiently wait for it to launch.
- examine the /tmp/vg.log file, which will show the invalid read.
What happened
gnome-shell reads from free'd memory.
What did you expect to happen
A clean report from valgrind, showing no invalid reads.