Variant.new_from_data() does not sink or ref the newly-created GVariant
Submitted by David King
Link to original bug (#756090)
Description
I am looking into a crash in gnome-contacts, which looks like a double-unref of a GVariant:
https://bugzilla.redhat.com/show_bug.cgi?id=1244256
The Vala code at fault is the avatar_icon_data property getter:
https://git.gnome.org/browse/gnome-contacts/tree/src/contacts-contact.vala#n158
Specifically, Variant.new_from_data() seems to be at fault, when looking at the generated C code:
```c
tmp12 = G_VARIANT_TYPE_BYTESTRING;
tmp13 = contacts_contact_get_small_avatar (self);
tmp14 = tmp13;
tmp16 = gdk_pixbuf_get_pixels_with_length (tmp14, &tmp15);
tmp17 = contacts_contact_get_small_avatar (self);
tmp18 = tmp17;
tmp19 = _g_object_ref0 (tmp18);
/* new_from_data returns a floating GVariant; nothing refs or sinks it here */
tmp20 = g_variant_new_from_data (tmp12, tmp16, tmp15, TRUE, g_object_unref, tmp19);
pixel_data = tmp20;
tmp21 = contacts_contact_get_small_avatar (self);
tmp22 = tmp21;
tmp23 = gdk_pixbuf_get_width (tmp22);
tmp24 = contacts_contact_get_small_avatar (self);
tmp25 = tmp24;
tmp26 = gdk_pixbuf_get_height (tmp25);
tmp27 = contacts_contact_get_small_avatar (self);
tmp28 = tmp27;
tmp29 = gdk_pixbuf_get_rowstride (tmp28);
tmp30 = contacts_contact_get_small_avatar (self);
tmp31 = tmp30;
tmp32 = gdk_pixbuf_get_has_alpha (tmp31);
tmp33 = contacts_contact_get_small_avatar (self);
tmp34 = tmp33;
tmp35 = gdk_pixbuf_get_bits_per_sample (tmp34);
tmp36 = contacts_contact_get_small_avatar (self);
tmp37 = tmp36;
tmp38 = gdk_pixbuf_get_n_channels (tmp37);
tmp39 = pixel_data;
/* pixel_data is passed as the "@ay" child of the tuple */
tmp40 = g_variant_new ("(iiibii@ay)", tmp23, tmp26, tmp29, tmp32, tmp35, tmp38, tmp39, NULL);
g_variant_ref_sink (tmp40);
_g_variant_unref0 (self->priv->_avatar_icon_data);
self->priv->_avatar_icon_data = tmp40;
/* the unref that drops pixel_data's last reference */
_g_variant_unref0 (pixel_data);
```
In other words, the pixel_data GVariant is not reffed, nor does it have its floating ref sunk, so the last _g_variant_unref0() causes it to be freed.