Bug 1752378 - Invalid read under idle_monitor_dispatch_timeout()
Summary: Invalid read under idle_monitor_dispatch_timeout()
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: mutter
Version: 7.7
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: 7.8
Assignee: Jonas Ådahl
QA Contact: Desktop QE
URL:
Whiteboard:
Depends On:
Blocks: 1766695
Reported: 2019-09-16 08:38 UTC by Milan Crha
Modified: 2020-03-31 19:40 UTC (History)

Fixed In Version: mutter-3.28.3-19.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 1766695
Environment:
Last Closed: 2020-03-31 19:39:53 UTC
Target Upstream Version:
Embargoed:
Links
System ID Private Priority Status Summary Last Updated
GNOME Gitlab GNOME/mutter/issues/796 0 None None None 2019-09-16 10:11:50 UTC
GNOME Gitlab GNOME/mutter/merge_requests/799 0 None None None 2019-10-25 16:28:52 UTC
Red Hat Product Errata RHSA-2020:1021 0 None None None 2020-03-31 19:40:19 UTC

Description Milan Crha 2019-09-16 08:38:11 UTC
Running gnome-shell under valgrind shows this claim. Looks like a use-after-free, which can cause trouble. Maybe this is mutter, not gnome-shell; I do not know, from the backtrace, where this comes from.

I'm using:
mutter-3.28.3-15.el7
gnome-shell-3.28.3-16.el7

Valgrind log:

==1243== Thread 1:
==1243== Invalid read of size 8
==1243==    at 0x1033B0557: idle_monitor_dispatch_timeout (meta-idle-monitor.c:323)
==1243==    by 0x1018C2048: g_main_dispatch (gmain.c:3175)
==1243==    by 0x1018C2048: g_main_context_dispatch (gmain.c:3828)
==1243==    by 0x1018C23A7: g_main_context_iterate.isra.19 (gmain.c:3901)
==1243==    by 0x1018C2679: g_main_loop_run (gmain.c:4097)
==1243==    by 0x1033F61DB: meta_run (main.c:666)
==1243==    by 0x40217B: main (main.c:534)
==1243==  Address 0x127ceace8 is 56 bytes inside a block of size 64 free'd
==1243==    at 0x100C2B06D: free (vg_replace_malloc.c:540)
==1243==    by 0x1018C779D: g_free (gmem.c:194)
==1243==    by 0x1018DF2BF: g_slice_free1 (gslice.c:1136)
==1243==    by 0x1018B0859: g_hash_table_remove_internal (ghash.c:1376)
==1243==    by 0x1033B04AA: meta_idle_monitor_remove_watch (meta-idle-monitor.c:471)
==1243==    by 0x106B82DEB: ffi_call_unix64 (in /usr/lib64/libffi.so.6.0.1)
==1243==    by 0x106B82714: ffi_call (in /usr/lib64/libffi.so.6.0.1)
==1243==    by 0x10290491F: ??? (in /usr/lib64/libgjs.so.0.0.0)
==1243==    by 0x10290613A: ??? (in /usr/lib64/libgjs.so.0.0.0)
==1243==    by 0x10A732526: ??? (in /usr/lib64/libmozjs-52.so.0.0.0)
==1243==    by 0x10A725EA4: ??? (in /usr/lib64/libmozjs-52.so.0.0.0)
==1243==    by 0x10A732058: ??? (in /usr/lib64/libmozjs-52.so.0.0.0)
==1243==    by 0x10A7322BF: ??? (in /usr/lib64/libmozjs-52.so.0.0.0)
==1243==    by 0x10A732628: ??? (in /usr/lib64/libmozjs-52.so.0.0.0)
==1243==    by 0x10A5FC5E4: ??? (in /usr/lib64/libmozjs-52.so.0.0.0)
==1243==    by 0x10A73236B: ??? (in /usr/lib64/libmozjs-52.so.0.0.0)
==1243==    by 0x10A958415: ??? (in /usr/lib64/libmozjs-52.so.0.0.0)
==1243==    by 0x1C9906AAFA95: ???
==1243==    by 0x126B22077: ???
==1243==    by 0x1C9906AAE887: ???
==1243==    by 0x10A932649: ??? (in /usr/lib64/libmozjs-52.so.0.0.0)
==1243==    by 0x10A93665A: ??? (in /usr/lib64/libmozjs-52.so.0.0.0)
==1243==    by 0x10A72E023: ??? (in /usr/lib64/libmozjs-52.so.0.0.0)
==1243==    by 0x10A732058: ??? (in /usr/lib64/libmozjs-52.so.0.0.0)
==1243==    by 0x10A7322BF: ??? (in /usr/lib64/libmozjs-52.so.0.0.0)
==1243==    by 0x10A732628: ??? (in /usr/lib64/libmozjs-52.so.0.0.0)
==1243==    by 0x10A5CC230: JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) (in /usr/lib64/libmozjs-52.so.0.0.0)
==1243==    by 0x102929725: gjs_call_function_value (in /usr/lib64/libgjs.so.0.0.0)
==1243==    by 0x1028FF8CC: gjs_closure_invoke (in /usr/lib64/libgjs.so.0.0.0)
==1243==    by 0x1029066BB: ??? (in /usr/lib64/libgjs.so.0.0.0)
==1243==  Block was alloc'd at
==1243==    at 0x100C29F73: malloc (vg_replace_malloc.c:309)
==1243==    by 0x1018C768D: g_malloc (gmem.c:99)
==1243==    by 0x1018DEC8D: g_slice_alloc (gslice.c:1025)
==1243==    by 0x1018DF1ED: g_slice_alloc0 (gslice.c:1051)
==1243==    by 0x1033AFF16: make_watch (meta-idle-monitor.c:344)
==1243==    by 0x1033B0370: meta_idle_monitor_add_idle_watch (meta-idle-monitor.c:411)
==1243==    by 0x106B82DEB: ffi_call_unix64 (in /usr/lib64/libffi.so.6.0.1)
==1243==    by 0x106B82714: ffi_call (in /usr/lib64/libffi.so.6.0.1)
==1243==    by 0x10290491F: ??? (in /usr/lib64/libgjs.so.0.0.0)
==1243==    by 0x10290613A: ??? (in /usr/lib64/libgjs.so.0.0.0)
==1243==    by 0x10A732526: ??? (in /usr/lib64/libmozjs-52.so.0.0.0)
==1243==    by 0x10A725EA4: ??? (in /usr/lib64/libmozjs-52.so.0.0.0)
==1243==    by 0x10A732058: ??? (in /usr/lib64/libmozjs-52.so.0.0.0)
==1243==    by 0x10A7322BF: ??? (in /usr/lib64/libmozjs-52.so.0.0.0)
==1243==    by 0x10A732628: ??? (in /usr/lib64/libmozjs-52.so.0.0.0)
==1243==    by 0x10A5FC5E4: ??? (in /usr/lib64/libmozjs-52.so.0.0.0)
==1243==    by 0x10A73236B: ??? (in /usr/lib64/libmozjs-52.so.0.0.0)
==1243==    by 0x10A958415: ??? (in /usr/lib64/libmozjs-52.so.0.0.0)
==1243==    by 0x1C9906AAFA95: ???
==1243==    by 0x126B22077: ???
==1243==    by 0x1C9906AAE887: ???
==1243==    by 0x10A932649: ??? (in /usr/lib64/libmozjs-52.so.0.0.0)
==1243==    by 0x10A93665A: ??? (in /usr/lib64/libmozjs-52.so.0.0.0)
==1243==    by 0x10A72E023: ??? (in /usr/lib64/libmozjs-52.so.0.0.0)
==1243==    by 0x10A732058: ??? (in /usr/lib64/libmozjs-52.so.0.0.0)
==1243==    by 0x10A7322BF: ??? (in /usr/lib64/libmozjs-52.so.0.0.0)
==1243==    by 0x10A732628: ??? (in /usr/lib64/libmozjs-52.so.0.0.0)
==1243==    by 0x10A5FC5E4: ??? (in /usr/lib64/libmozjs-52.so.0.0.0)
==1243==    by 0x10A73236B: ??? (in /usr/lib64/libmozjs-52.so.0.0.0)
==1243==    by 0x10A958415: ??? (in /usr/lib64/libmozjs-52.so.0.0.0)
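As an added illustration (not mutter's code and not the reporter's patch), a small C model of the lifecycle the trace shows: the watch allocated in the add path, a pending timeout that keeps a raw pointer to it, and a removal that frees the watch while that source is still pending, beside a removal that retires the source first. The array-based "hash table" and all names are assumptions of the model.

```c
#include <stdlib.h>
#include <string.h>
/* Illustrative model only (not mutter's code): a pending timeout keeps a raw pointer
 * to its watch; if the source outlives the watch, the next dispatch reads freed memory. */
#define MAX_SLOTS 8
typedef struct { unsigned id; int fired; } Watch;
typedef struct { Watch *watch; unsigned watch_id; int active; } Timeout;
static Watch *watches[MAX_SLOTS];   /* stands in for the watch hash table */
static Timeout timeouts[MAX_SLOTS]; /* stands in for the main loop's pending sources */
static void reset_model(void) {
    for (int i = 0; i < MAX_SLOTS; i++) { free(watches[i]); watches[i] = NULL; }
    memset(timeouts, 0, sizeof timeouts);
}
/* make_watch + add_idle_watch: allocate, register, schedule a timeout with a raw pointer. */
static Watch *add_idle_watch(unsigned id) {
    if (id >= MAX_SLOTS || watches[id]) return NULL;
    Watch *w = calloc(1, sizeof *w);
    if (!w) return NULL;
    w->id = id;
    watches[id] = w;
    timeouts[id] = (Timeout){ .watch = w, .watch_id = id, .active = 1 };
    return w;
}
/* Buggy removal: frees the watch but leaves its timeout source pending. */
static void remove_watch_buggy(unsigned id) {
    if (id >= MAX_SLOTS || !watches[id]) return;
    free(watches[id]);
    watches[id] = NULL;
}
/* Hardened removal: retire the source before freeing, so nothing can dispatch on it. */
static void remove_watch_fixed(unsigned id) {
    if (id >= MAX_SLOTS || !watches[id]) return;
    memset(&timeouts[id], 0, sizeof timeouts[id]);
    remove_watch_buggy(id);   /* the free itself is fine once the source is gone */
}
/* Pending sources whose watch is gone: each is the dangling pointer the next dispatch
 * would read (the "invalid read" in the report). Checked by id, without dereferencing. */
static int count_dangling_timeouts(void) {
    int n = 0;
    for (int i = 0; i < MAX_SLOTS; i++)
        if (timeouts[i].active && watches[timeouts[i].watch_id] == NULL) n++;
    return n;
}
/* idle_monitor_dispatch_timeout: fires each pending source once; safe only when nothing dangles. */
static int dispatch_timeouts(void) {
    int fired = 0;
    for (int i = 0; i < MAX_SLOTS; i++)
        if (timeouts[i].active) { timeouts[i].watch->fired = 1; timeouts[i].active = 0; fired++; }
    return fired;
}
```

Under valgrind, the buggy path is the one that reports the read inside a freed block; the hardened path leaves no pending source for the dispatcher to follow.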

Comment 2 Jonas Ådahl 2019-09-16 09:09:55 UTC
Could you reproduce again with G_SLICE=always-malloc set in the environment?

Comment 3 Milan Crha 2019-09-16 10:11:50 UTC
(In reply to Jonas Ådahl from comment #2)
> Could you reproduce again with G_SLICE=always-malloc set in the environment?

This was with it exported.

I filed it upstream [1] and attached there a patch which fixes it.

[1] https://gitlab.gnome.org/GNOME/mutter/issues/796

Comment 5 Michael Boisvert 2019-11-12 14:13:04 UTC
Milan, could you check your issue against the newer mutter?

Comment 9 Milan Crha 2019-11-12 16:32:04 UTC
I tried with mutter-3.28.3-19.el7 and I do not see such a claim in the valgrind log, thus, I guess, the fix (I proposed upstream) works.

Comment 10 Michael Boisvert 2019-11-12 16:39:45 UTC
(In reply to Milan Crha from comment #9)
> I tried with mutter-3.28.3-19.el7 and I do not see such a claim in the
> valgrind log, thus, I guess, the fix (I proposed upstream) works.

Thanks for your testing!

Comment 12 errata-xmlrpc 2020-03-31 19:39:53 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:1021