Bug 1752378

Summary: Invalid read under idle_monitor_dispatch_timeout()
Product: Red Hat Enterprise Linux 7
Reporter: Milan Crha <mcrha>
Component: mutter
Assignee: Jonas Ådahl <jadahl>
Status: CLOSED ERRATA
QA Contact: Desktop QE <desktop-qa-list>
Severity: unspecified
Priority: unspecified
Version: 7.7
CC: fmuellner, jadahl, jkoten, mboisver
Target Milestone: rc
Target Release: 7.8
Hardware: Unspecified
OS: Unspecified
Fixed In Version: mutter-3.28.3-19.el7
Doc Type: If docs needed, set a value
Story Points: ---
Clone Of:
Clones: 1766695
Last Closed: 2020-03-31 19:39:53 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 1766695

Description Milan Crha 2019-09-16 08:38:11 UTC
Running gnome-shell under valgrind shows this claim. Looks like a use-after-free, which can cause trouble. Maybe this is mutter, not gnome-shell; I cannot tell from the backtrace where this comes from.

I'm using:
mutter-3.28.3-15.el7
gnome-shell-3.28.3-16.el7

Valgrind log:

==1243== Thread 1:
==1243== Invalid read of size 8
==1243==    at 0x1033B0557: idle_monitor_dispatch_timeout (meta-idle-monitor.c:323)
==1243==    by 0x1018C2048: g_main_dispatch (gmain.c:3175)
==1243==    by 0x1018C2048: g_main_context_dispatch (gmain.c:3828)
==1243==    by 0x1018C23A7: g_main_context_iterate.isra.19 (gmain.c:3901)
==1243==    by 0x1018C2679: g_main_loop_run (gmain.c:4097)
==1243==    by 0x1033F61DB: meta_run (main.c:666)
==1243==    by 0x40217B: main (main.c:534)
==1243==  Address 0x127ceace8 is 56 bytes inside a block of size 64 free'd
==1243==    at 0x100C2B06D: free (vg_replace_malloc.c:540)
==1243==    by 0x1018C779D: g_free (gmem.c:194)
==1243==    by 0x1018DF2BF: g_slice_free1 (gslice.c:1136)
==1243==    by 0x1018B0859: g_hash_table_remove_internal (ghash.c:1376)
==1243==    by 0x1033B04AA: meta_idle_monitor_remove_watch (meta-idle-monitor.c:471)
==1243==    by 0x106B82DEB: ffi_call_unix64 (in /usr/lib64/libffi.so.6.0.1)
==1243==    by 0x106B82714: ffi_call (in /usr/lib64/libffi.so.6.0.1)
==1243==    by 0x10290491F: ??? (in /usr/lib64/libgjs.so.0.0.0)
==1243==    by 0x10290613A: ??? (in /usr/lib64/libgjs.so.0.0.0)
==1243==    by 0x10A732526: ??? (in /usr/lib64/libmozjs-52.so.0.0.0)
==1243==    by 0x10A725EA4: ??? (in /usr/lib64/libmozjs-52.so.0.0.0)
==1243==    by 0x10A732058: ??? (in /usr/lib64/libmozjs-52.so.0.0.0)
==1243==    by 0x10A7322BF: ??? (in /usr/lib64/libmozjs-52.so.0.0.0)
==1243==    by 0x10A732628: ??? (in /usr/lib64/libmozjs-52.so.0.0.0)
==1243==    by 0x10A5FC5E4: ??? (in /usr/lib64/libmozjs-52.so.0.0.0)
==1243==    by 0x10A73236B: ??? (in /usr/lib64/libmozjs-52.so.0.0.0)
==1243==    by 0x10A958415: ??? (in /usr/lib64/libmozjs-52.so.0.0.0)
==1243==    by 0x1C9906AAFA95: ???
==1243==    by 0x126B22077: ???
==1243==    by 0x1C9906AAE887: ???
==1243==    by 0x10A932649: ??? (in /usr/lib64/libmozjs-52.so.0.0.0)
==1243==    by 0x10A93665A: ??? (in /usr/lib64/libmozjs-52.so.0.0.0)
==1243==    by 0x10A72E023: ??? (in /usr/lib64/libmozjs-52.so.0.0.0)
==1243==    by 0x10A732058: ??? (in /usr/lib64/libmozjs-52.so.0.0.0)
==1243==    by 0x10A7322BF: ??? (in /usr/lib64/libmozjs-52.so.0.0.0)
==1243==    by 0x10A732628: ??? (in /usr/lib64/libmozjs-52.so.0.0.0)
==1243==    by 0x10A5CC230: JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) (in /usr/lib64/libmozjs-52.so.0.0.0)
==1243==    by 0x102929725: gjs_call_function_value (in /usr/lib64/libgjs.so.0.0.0)
==1243==    by 0x1028FF8CC: gjs_closure_invoke (in /usr/lib64/libgjs.so.0.0.0)
==1243==    by 0x1029066BB: ??? (in /usr/lib64/libgjs.so.0.0.0)
==1243==  Block was alloc'd at
==1243==    at 0x100C29F73: malloc (vg_replace_malloc.c:309)
==1243==    by 0x1018C768D: g_malloc (gmem.c:99)
==1243==    by 0x1018DEC8D: g_slice_alloc (gslice.c:1025)
==1243==    by 0x1018DF1ED: g_slice_alloc0 (gslice.c:1051)
==1243==    by 0x1033AFF16: make_watch (meta-idle-monitor.c:344)
==1243==    by 0x1033B0370: meta_idle_monitor_add_idle_watch (meta-idle-monitor.c:411)
==1243==    by 0x106B82DEB: ffi_call_unix64 (in /usr/lib64/libffi.so.6.0.1)
==1243==    by 0x106B82714: ffi_call (in /usr/lib64/libffi.so.6.0.1)
==1243==    by 0x10290491F: ??? (in /usr/lib64/libgjs.so.0.0.0)
==1243==    by 0x10290613A: ??? (in /usr/lib64/libgjs.so.0.0.0)
==1243==    by 0x10A732526: ??? (in /usr/lib64/libmozjs-52.so.0.0.0)
==1243==    by 0x10A725EA4: ??? (in /usr/lib64/libmozjs-52.so.0.0.0)
==1243==    by 0x10A732058: ??? (in /usr/lib64/libmozjs-52.so.0.0.0)
==1243==    by 0x10A7322BF: ??? (in /usr/lib64/libmozjs-52.so.0.0.0)
==1243==    by 0x10A732628: ??? (in /usr/lib64/libmozjs-52.so.0.0.0)
==1243==    by 0x10A5FC5E4: ??? (in /usr/lib64/libmozjs-52.so.0.0.0)
==1243==    by 0x10A73236B: ??? (in /usr/lib64/libmozjs-52.so.0.0.0)
==1243==    by 0x10A958415: ??? (in /usr/lib64/libmozjs-52.so.0.0.0)
==1243==    by 0x1C9906AAFA95: ???
==1243==    by 0x126B22077: ???
==1243==    by 0x1C9906AAE887: ???
==1243==    by 0x10A932649: ??? (in /usr/lib64/libmozjs-52.so.0.0.0)
==1243==    by 0x10A93665A: ??? (in /usr/lib64/libmozjs-52.so.0.0.0)
==1243==    by 0x10A72E023: ??? (in /usr/lib64/libmozjs-52.so.0.0.0)
==1243==    by 0x10A732058: ??? (in /usr/lib64/libmozjs-52.so.0.0.0)
==1243==    by 0x10A7322BF: ??? (in /usr/lib64/libmozjs-52.so.0.0.0)
==1243==    by 0x10A732628: ??? (in /usr/lib64/libmozjs-52.so.0.0.0)
==1243==    by 0x10A5FC5E4: ??? (in /usr/lib64/libmozjs-52.so.0.0.0)
==1243==    by 0x10A73236B: ??? (in /usr/lib64/libmozjs-52.so.0.0.0)
==1243==    by 0x10A958415: ??? (in /usr/lib64/libmozjs-52.so.0.0.0)
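
The three stacks above line up as allocate (make_watch), free (meta_idle_monitor_remove_watch, reached from a JavaScript closure through gjs and libffi) and read (idle_monitor_dispatch_timeout, 56 bytes into the freed 64-byte block). One reading consistent with that, which is an assumption here and not taken from the page or from the upstream patch, is a watch callback that removes its own watch while the dispatcher still holds the pointer and touches it after the callback returns. The example below is added for this report and is not mutter or GLib code: it models a watch registry in plain C (no GLib, so it runs stand-alone), shows the defective fire-then-touch ordering next to a hardened dispatcher that finishes its bookkeeping first and holds a reference across the callback, and drives the re-entrant removal case. All identifiers (Watch, Registry, dispatch_timeout_safe, and so on) are invented for the example.

```c
/* Added example, not mutter code: a minimal model of an idle-monitor watch
 * registry whose timeout dispatcher survives a callback that removes its own
 * watch.  Every identifier below is invented here; none is a mutter or GLib API. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_WATCHES 8

typedef struct Watch Watch;
typedef void (*WatchFunc)(Watch *watch, void *user_data);

struct Watch {
    unsigned  id;
    int       refcount;    /* registry holds one ref; the dispatcher one while firing */
    int       ready_armed; /* stands in for the GSource ready time of the real code */
    WatchFunc callback;
    void     *user_data;
};

typedef struct {
    Watch   *watches[MAX_WATCHES]; /* stands in for the hash table of watches */
    unsigned next_id;
    int      frees;                /* how many Watch blocks were actually freed */
} Registry;

static void watch_ref(Watch *w) { w->refcount++; }

static void watch_unref(Registry *r, Watch *w)
{
    if (--w->refcount == 0) {
        r->frees++;
        free(w);
    }
}

static Watch *registry_lookup(Registry *r, unsigned id)
{
    for (int i = 0; i < MAX_WATCHES; i++)
        if (r->watches[i] && r->watches[i]->id == id)
            return r->watches[i];
    return NULL;
}

unsigned registry_add_watch(Registry *r, WatchFunc cb, void *user_data)
{
    for (int i = 0; i < MAX_WATCHES; i++) {
        if (r->watches[i] == NULL) {
            Watch *w = calloc(1, sizeof *w);
            w->id = ++r->next_id;
            w->refcount = 1; /* the registry's own reference */
            w->ready_armed = 1;
            w->callback = cb;
            w->user_data = user_data;
            r->watches[i] = w;
            return w->id;
        }
    }
    return 0; /* table full */
}

int registry_remove_watch(Registry *r, unsigned id)
{
    for (int i = 0; i < MAX_WATCHES; i++) {
        if (r->watches[i] && r->watches[i]->id == id) {
            Watch *w = r->watches[i];
            r->watches[i] = NULL;
            watch_unref(r, w); /* frees the watch unless a dispatcher still holds it */
            return 1;
        }
    }
    return 0;
}

int registry_count(const Registry *r)
{
    int n = 0;
    for (int i = 0; i < MAX_WATCHES; i++)
        n += r->watches[i] != NULL;
    return n;
}

/* Defective ordering, shown for contrast and deliberately never called: the
 * callback runs first and the watch is touched afterwards.  If the callback
 * removed the watch (dropping the last reference), the final write lands in
 * freed memory, the same shape as the Valgrind report above. */
void dispatch_timeout_unsafe(Watch *w)
{
    w->callback(w, w->user_data);
    w->ready_armed = 0; /* use-after-free when the callback removed the watch */
}

/* Hardened ordering: all bookkeeping on the watch happens before the callback,
 * and the dispatcher holds a reference across it, so a re-entrant removal
 * cannot free the block underneath it.  Returns 1 if the watch is still
 * registered after the callback, 0 if the callback removed it. */
int dispatch_timeout_safe(Registry *r, Watch *w)
{
    watch_ref(w);
    w->ready_armed = 0;
    w->callback(w, w->user_data);
    int still_registered = registry_lookup(r, w->id) != NULL;
    watch_unref(r, w); /* the watch is freed here if the callback removed it */
    return still_registered;
}

/* Callback that removes its own watch: the re-entrant case this report is about. */
static void remove_self_callback(Watch *w, void *user_data)
{
    registry_remove_watch((Registry *) user_data, w->id);
}

/* Constructed scenario: one watch whose callback removes it during dispatch.
 * Returns dispatch_timeout_safe's result; afterwards registry_count() is 0 and
 * r->frees is 1 (freed exactly once, only after the callback returned). */
int run_reentrant_removal(Registry *r)
{
    memset(r, 0, sizeof *r);
    unsigned id = registry_add_watch(r, remove_self_callback, r);
    return dispatch_timeout_safe(r, registry_lookup(r, id));
}

int main(void)
{
    Registry r;
    int still = run_reentrant_removal(&r);
    printf("still_registered=%d count=%d frees=%d\n", still, registry_count(&r), r.frees);
    return 0;
}
```

The same discipline applies whatever the real data structure is: anything the dispatcher needs from the watch is read or written before control passes to user code, and the pointer is either not used again after the callback or kept alive by a reference the dispatcher itself owns. Running the unsafe variant under valgrind with G_SLICE=always-malloc, as asked for in comment 2, is what makes the freed block show up as a plain malloc/free pair instead of a slice that may still be mapped.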

Comment 2 Jonas Ådahl 2019-09-16 09:09:55 UTC
Could you reproduce again with G_SLICE=always-malloc set in the environment?

Comment 3 Milan Crha 2019-09-16 10:11:50 UTC
(In reply to Jonas Ådahl from comment #2)
> Could you reproduce again with G_SLICE=always-malloc set in the environment?

This was with it exported.

I filed it upstream [1] and attached a patch there, which fixes it.

[1] https://gitlab.gnome.org/GNOME/mutter/issues/796

Comment 5 Michael Boisvert 2019-11-12 14:13:04 UTC
Milan, could you check your issue against the newer mutter?

Comment 9 Milan Crha 2019-11-12 16:32:04 UTC
I tried with mutter-3.28.3-19.el7 and I do not see such a claim in the valgrind log, thus, I guess, the fix (I proposed upstream) works.

Comment 10 Michael Boisvert 2019-11-12 16:39:45 UTC
(In reply to Milan Crha from comment #9)
> I tried with mutter-3.28.3-19.el7 and I do not see such a claim in the
> valgrind log, thus, I guess, the fix (I proposed upstream) works.

Thanks for your testing!

Comment 12 errata-xmlrpc 2020-03-31 19:39:53 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:1021