[gjs: 1/2] boxed: Initialize all the private BoxedInstance members




commit 1dc8120c3ad9343a58ec1728f9ad9b2a6b624bde
Author: Marco Trevisan (TreviƱo) <mail 3v1n0 net>
Date:   Wed Sep 2 16:30:30 2020 +0200

    boxed: Initialize all the private BoxedInstance members
    
    m_allocated_directly is allocated but never initialized by the
    constructor, so reading it is undefined behavior and we may end up
    in situations where we do an invalid free in ~BoxedInstance.
    
    This seems to happen quite consistently in s390x and valgrind confirms
    it:
    
    ```
    ==1276052== Conditional jump or move depends on uninitialised value(s)
    ==1276052==    at 0x487953C: ~BoxedInstance (boxed.cpp:431)
    ==1276052==    by 0x487953C: finalize_impl (wrapperutils.h:1105)
    ==1276052==    by 0x487953C: GIWrapperBase<BoxedBase, BoxedPrototype, BoxedInstance>::finalize(JSFreeOp*, 
JSObject*) (wrapperutils.h:473)
    ==1276052==    by 0x55E07C3: doFinalize (Class.h:785)
    ==1276052==    by 0x55E07C3: finalize (JSObject-inl.h:87)
    ==1276052==    by 0x55E07C3: finalize<JSObject> (GC.cpp:486)
    ==1276052==    by 0x55E07C3: bool FinalizeTypedArenas<JSObject>(JSFreeOp*, js::gc::Arena**, 
js::gc::SortedArenaList&, js::gc::AllocKind, js::SliceBudget&) (GC.cpp:541)
    ==1276052==    by 0x55E0AD9: FinalizeArenas(JSFreeOp*, js::gc::Arena**, js::gc::SortedArenaList&, 
js::gc::AllocKind, js::SliceBudget&) (GC.cpp:569)
    ==1276052==    by 0x55E3345: js::gc::ArenaLists::foregroundFinalize(JSFreeOp*, js::gc::AllocKind, 
js::SliceBudget&, js::gc::SortedArenaList&) (GC.cpp:5500)
    ==1276052==    by 0x55E35CD: js::gc::GCRuntime::finalizeAllocKind(JSFreeOp*, js::SliceBudget&) 
(GC.cpp:5772)
    ==1276052==    by 0x55C9553: 
sweepaction::SweepActionForEach<ContainerIter<mozilla::EnumSet<js::gc::AllocKind, unsigned long> >, 
mozilla::EnumSet<js::gc::AllocKind, unsigned long> >::run(js::gc::SweepAction::Args&) (GC.cpp:5998)
    ==1276052==    by 0x55C890D: sweepaction::SweepActionSequence::run(js::gc::SweepAction::Args&) 
(GC.cpp:5963)
    ==1276052==    by 0x55CAD95: sweepaction::SweepActionForEach<js::gc::SweepGroupZonesIter, 
JSRuntime*>::run(js::gc::SweepAction::Args&) (GC.cpp:5998)
    ==1276052==    by 0x55C890D: sweepaction::SweepActionSequence::run(js::gc::SweepAction::Args&) 
(GC.cpp:5963)
    ==1276052==    by 0x55D2861: sweepaction::SweepActionForEach<js::gc::SweepGroupsIter, 
JSRuntime*>::run(js::gc::SweepAction::Args&) (GC.cpp:5998)
    ==1276052==    by 0x55DBD3F: js::gc::GCRuntime::performSweepActions(js::SliceBudget&) (GC.cpp:6141)
    ==1276052==    by 0x55F8955: js::gc::GCRuntime::incrementalSlice(js::SliceBudget&, 
mozilla::Maybe<JSGCInvocationKind> const&, JS::GCReason, js::gc::AutoGCSession&) (GC.cpp:6676)
    ```
    
    Details of the crash as per gdb:
    
    ```
    double free or corruption (fasttop)
    
    Thread 1 "minijasmine" received signal SIGABRT, Aborted.
    __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
    50      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
    (gdb) bt
     #0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
     #1  0x000003fffd6aa282 in __GI_abort () at abort.c:79
     #2  0x000003fffd70d0ee in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x3fffd7f4fa6 
"%s\n")
        at ../sysdeps/posix/libc_fatal.c:155
     #3  0x000003fffd7151f0 in malloc_printerr (str=str@entry=0x3fffd7f31d2 "double free or corruption 
(fasttop)")
        at malloc.c:5347
     #4  0x000003fffd716d12 in _int_free (av=<optimized out>, p=0x2aa000f75a0, have_lock=<optimized out>)
        at malloc.c:4266
     #5  0x000003fffde33606 in BoxedInstance::~BoxedInstance() (this=0x2aa0029e550, __in_chrg=<optimized out>)
        at ../gi/wrapperutils.h:1005
     #6  GIWrapperInstance<BoxedBase, BoxedPrototype, BoxedInstance, void>::finalize_impl(JSFreeOp*, 
JSObject*)
        (this=0x2aa0029e550) at ../gi/wrapperutils.h:1105
     #7  GIWrapperBase<BoxedBase, BoxedPrototype, BoxedInstance>::finalize(JSFreeOp*, JSObject*)
        (fop=<optimized out>, obj=0x3e14c2befee0) at ../gi/wrapperutils.h:473
     #8  0x000003fffcfef7c4 in JSClass::doFinalize(JSFreeOp*, JSObject*) const
        (obj=0x3e14c2befee0, fop=0x3ffffffede0, this=<optimized out>) at ./de
    ```

 gi/boxed.cpp | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
---
diff --git a/gi/boxed.cpp b/gi/boxed.cpp
index 05e4a4960..b1d66a94c 100644
--- a/gi/boxed.cpp
+++ b/gi/boxed.cpp
@@ -58,7 +58,9 @@
 #include "util/log.h"
 
 BoxedInstance::BoxedInstance(JSContext* cx, JS::HandleObject obj)
-    : GIWrapperInstance(cx, obj), m_owning_ptr(false) {
+    : GIWrapperInstance(cx, obj),
+      m_allocated_directly(false),
+      m_owning_ptr(false) {
     m_ptr = nullptr;
     GJS_INC_COUNTER(boxed_instance);
 }
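Review bot: The initializer-list fix closes the uninitialized read for this one constructor only; if `m_allocated_directly` and `m_owning_ptr` are declared as plain `bool` members in the class definition (not in this patch), a default member initializer there — `bool m_allocated_directly = false;` and likewise for `m_owning_ptr` — would give every present and future constructor a defined starting state, which is the root cause behind the ~BoxedInstance double free quoted in the description. The new mem-initializer order (`m_allocated_directly` before `m_owning_ptr`) must match the members' declaration order, otherwise compilers warn and the effective order differs from what is written; that cannot be confirmed from the hunk. `m_ptr = nullptr;` is still an assignment in the body; if `m_ptr` belongs to the base GIWrapperInstance it cannot be listed here, but the same in-class initializer would cover it as well. BoxedInstance's constructor is complete within the hunk.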

