Bug 300378
| Summary: | [GTK][WPE] Fix attachmentInfo lifetime in Connection::sendOutputMessage | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Nikolas Zimmermann <zimmermann> |
| Component: | WPE WebKit | Assignee: | Nikolas Zimmermann <zimmermann> |
| Status: | RESOLVED FIXED | | |
| Severity: | Normal | CC: | bugs-noreply |
| Priority: | P2 | | |
| Version: | WebKit Nightly Build | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
Nikolas Zimmermann
valgrind revealed that we're trying to transmit free'd memory over a socket in ConnectionGLib - fix that.
Nikolas Zimmermann
Excerpt from log:
```
==1758253== Thread 9 ReceiveQueue:
==1758253== Syscall param sendmsg(msg.msg_iov[1]) points to unaddressable byte(s)
==1758253== at 0x11AAEFE2: __syscall_cancel_arch (syscall_cancel.S:56)
==1758253== by 0x11AA2B62: __internal_syscall_cancel (cancellation.c:49)
==1758253== by 0x11AA2B62: __syscall_cancel (cancellation.c:75)
==1758253== by 0x11B398F0: sendmsg (sendmsg.c:28)
==1758253== by 0x11327133: g_socket_send_message_with_timeout (in /usr/lib/x86_64-linux-gnu/libgio-2.0.so.0.8400.1)
==1758253== by 0x11327582: g_socket_send_message (in /usr/lib/x86_64-linux-gnu/libgio-2.0.so.0.8400.1)
==1758253== by 0x9B39C3F: IPC::Connection::sendOutputMessage(IPC::UnixMessage&&) (ConnectionGLib.cpp:416)
==1758253== by 0x9B3A765: IPC::Connection::sendOutgoingMessage(WTF::UniqueRef<IPC::Encoder>&&) (ConnectionGLib.cpp:352)
==1758253== by 0x9B18751: IPC::Connection::sendOutgoingMessages() [clone .part.0] (Connection.cpp:1253)
==1758253== by 0xC303CFD: operator() (Function.h:82)
==1758253== by 0xC303CFD: WTF::RunLoop::performWork() (RunLoop.cpp:148)
==1758253== by 0xC3DB36C: WTF::RunLoop::RunLoop()::{lambda(void*)#1}::_FUN(void*) (RunLoopGLib.cpp:79)
==1758253== by 0xC3DC4EC: operator() (RunLoopGLib.cpp:56)
==1758253== by 0xC3DC4EC: WTF::RunLoop::{lambda(_GSource*, int (*)(void*), void*)#1}::_FUN(_GSource*, int (*)(void*), void*) (RunLoopGLib.cpp:59)
==1758253== by 0x11534DE1: ??? (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.8400.1)
==1758253== by 0x1153505F: g_main_context_dispatch (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.8400.1)
==1758253== by 0xC3DE0E2: WTF::RunLoop::runGLibMainLoopIteration(WTF::RunLoop::MayBlock) (RunLoopGLib.cpp:123)
==1758253== by 0xC3DE3F1: WTF::RunLoop::runGLibMainLoop() (RunLoopGLib.cpp:132)
==1758253== by 0xC3DE491: WTF::RunLoop::run() (RunLoopGLib.cpp:145)
==1758253== by 0xC357115: operator() (Function.h:82)
==1758253== by 0xC357115: WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) (Threading.cpp:268)
==1758253== by 0xC3E47CC: WTF::wtfThreadEntryPoint(void*) (ThreadingPOSIX.cpp:245)
==1758253== by 0x11AA67F0: start_thread (pthread_create.c:448)
==1758253== by 0x11B37A83: clone (clone.S:100)
==1758253== Address 0x25474eb0 is 0 bytes inside a block of size 1 free'd
==1758253== at 0x484D8BF: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==1758253== by 0x10354CE5: pas_try_deallocate_slow_no_cache (pas_deallocate.c:135)
==1758253== by 0x9B39F86: fastFree (FastMalloc.h:301)
==1758253== by 0x9B39F86: free (FastMalloc.h:299)
==1758253== by 0x9B39F86: deallocateBuffer (Vector.h:271)
==1758253== by 0x9B39F86: ~VectorBuffer (Vector.h:335)
==1758253== by 0x9B39F86: ~Vector (Vector.h:700)
==1758253== by 0x9B39F86: IPC::Connection::sendOutputMessage(IPC::UnixMessage&&) (ConnectionGLib.cpp:409)
==1758253== by 0x9B3A765: IPC::Connection::sendOutgoingMessage(WTF::UniqueRef<IPC::Encoder>&&) (ConnectionGLib.cpp:352)
==1758253== by 0x9B18751: IPC::Connection::sendOutgoingMessages() [clone .part.0] (Connection.cpp:1253)
==1758253== by 0xC303CFD: operator() (Function.h:82)
==1758253== by 0xC303CFD: WTF::RunLoop::performWork() (RunLoop.cpp:148)
==1758253== by 0xC3DB36C: WTF::RunLoop::RunLoop()::{lambda(void*)#1}::_FUN(void*) (RunLoopGLib.cpp:79)
==1758253== by 0xC3DC4EC: operator() (RunLoopGLib.cpp:56)
==1758253== by 0xC3DC4EC: WTF::RunLoop::{lambda(_GSource*, int (*)(void*), void*)#1}::_FUN(_GSource*, int (*)(void*), void*) (RunLoopGLib.cpp:59)
==1758253== by 0x11534DE1: ??? (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.8400.1)
==1758253== by 0x1153505F: g_main_context_dispatch (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.8400.1)
==1758253== by 0xC3DE0E2: WTF::RunLoop::runGLibMainLoopIteration(WTF::RunLoop::MayBlock) (RunLoopGLib.cpp:123)
==1758253== by 0xC3DE3F1: WTF::RunLoop::runGLibMainLoop() (RunLoopGLib.cpp:132)
==1758253== by 0xC3DE491: WTF::RunLoop::run() (RunLoopGLib.cpp:145)
==1758253== by 0xC357115: operator() (Function.h:82)
==1758253== by 0xC357115: WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) (Threading.cpp:268)
==1758253== by 0xC3E47CC: WTF::wtfThreadEntryPoint(void*) (ThreadingPOSIX.cpp:245)
==1758253== by 0x11AA67F0: start_thread (pthread_create.c:448)
==1758253== by 0x11B37A83: clone (clone.S:100)
==1758253== Block was alloc'd at
==1758253== at 0x484A858: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==1758253== by 0x103272B4: UnknownInlinedFun (pas_system_heap.h:138)
==1758253== by 0x103272B4: UnknownInlinedFun (pas_try_allocate_intrinsic.h:114)
==1758253== by 0x103272B4: bmalloc_allocate_impl_casual_case.constprop.0 (bmalloc_heap_inlines.h:222)
==1758253== by 0x1032978C: bmalloc_allocate_casual (bmalloc_heap.c:73)
==1758253== by 0x9B39F3A: malloc (FastMalloc.h:266)
==1758253== by 0x9B39F3A: allocateBuffer<(WTF::FailureAction)0> (Vector.h:232)
==1758253== by 0x9B39F3A: allocateBuffer (Vector.h:243)
==1758253== by 0x9B39F3A: VectorBuffer (Vector.h:330)
==1758253== by 0x9B39F3A: Vector (Vector.h:606)
==1758253== by 0x9B39F3A: IPC::Connection::sendOutputMessage(IPC::UnixMessage&&) (ConnectionGLib.cpp:372)
==1758253== by 0x9B3A765: IPC::Connection::sendOutgoingMessage(WTF::UniqueRef<IPC::Encoder>&&) (ConnectionGLib.cpp:352)
==1758253== by 0x9B18751: IPC::Connection::sendOutgoingMessages() [clone .part.0] (Connection.cpp:1253)
==1758253== by 0xC303CFD: operator() (Function.h:82)
==1758253== by 0xC303CFD: WTF::RunLoop::performWork() (RunLoop.cpp:148)
==1758253== by 0xC3DB36C: WTF::RunLoop::RunLoop()::{lambda(void*)#1}::_FUN(void*) (RunLoopGLib.cpp:79)
==1758253== by 0xC3DC4EC: operator() (RunLoopGLib.cpp:56)
==1758253== by 0xC3DC4EC: WTF::RunLoop::{lambda(_GSource*, int (*)(void*), void*)#1}::_FUN(_GSource*, int (*)(void*), void*) (RunLoopGLib.cpp:59)
==1758253== by 0x11534DE1: ??? (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.8400.1)
==1758253== by 0x1153505F: g_main_context_dispatch (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.8400.1)
==1758253== by 0xC3DE0E2: WTF::RunLoop::runGLibMainLoopIteration(WTF::RunLoop::MayBlock) (RunLoopGLib.cpp:123)
==1758253== by 0xC3DE3F1: WTF::RunLoop::runGLibMainLoop() (RunLoopGLib.cpp:132)
==1758253== by 0xC3DE491: WTF::RunLoop::run() (RunLoopGLib.cpp:145)
==1758253== by 0xC357115: operator() (Function.h:82)
==1758253== by 0xC357115: WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) (Threading.cpp:268)
==1758253== by 0xC3E47CC: WTF::wtfThreadEntryPoint(void*) (ThreadingPOSIX.cpp:245)
==1758253== by 0x11AA67F0: start_thread (pthread_create.c:448)
==1758253== by 0x11B37A83: clone (clone.S:100)
```
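As an added illustration, not code from WebKit or from the pull request, here is the shape of the lifetime bug the trace reports, reduced to a self-contained C++ program. Read together, the three stacks say: a Vector is allocated in sendOutputMessage (ConnectionGLib.cpp:372), freed by that Vector's destructor still inside sendOutputMessage (:409), and its address is then handed to sendmsg as msg_iov[1] (:416). The program below reproduces that ordering with an inner-scope buffer whose address is copied into the second iovec, and beside it the fixed ordering where the buffer is owned at function scope. Instead of a real socket, a constructed liveness registry plays the role of valgrind's memcheck and flags an iovec whose base no longer names a live block. TrackedBuffer, IoVec, checkedSendmsg, encodeAttachmentInfo, runScenario and the two sendOutputMessage variants are hypothetical names, and the buggy/fixed split is my reconstruction from the trace, not the actual diff.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <memory>
#include <optional>
#include <unordered_set>
#include <vector>

// Constructed stand-in for what memcheck tracks: addresses of heap blocks that
// are currently live. Every TrackedBuffer registers itself on construction and
// unregisters on destruction. Addresses are kept as integers so the checker
// never forms or dereferences a pointer to a freed block.
static std::unordered_set<uintptr_t> g_liveBlocks;

struct TrackedBuffer {
    std::unique_ptr<uint8_t[]> data;
    size_t size;

    explicit TrackedBuffer(const std::vector<uint8_t>& bytes)
        : data(new uint8_t[bytes.empty() ? 1 : bytes.size()]), size(bytes.size())
    {
        std::copy(bytes.begin(), bytes.end(), data.get());
        g_liveBlocks.insert(address());
    }
    ~TrackedBuffer() { g_liveBlocks.erase(address()); } // runs before data is released
    TrackedBuffer(const TrackedBuffer&) = delete;
    TrackedBuffer& operator=(const TrackedBuffer&) = delete;

    uintptr_t address() const { return reinterpret_cast<uintptr_t>(data.get()); }
};

// Mirror of struct iovec's two fields, with the base held as an integer.
struct IoVec { uintptr_t base; size_t len; };

struct SendResult {
    bool ok;
    int unaddressableIov; // index of the first iovec naming a freed block, or -1
};

// Stand-in for sendmsg(): instead of writing to a socket, verify that every
// iovec base is a live block. This is the check that fired in the report
// ("Syscall param sendmsg(msg.msg_iov[1]) points to unaddressable byte(s)").
static SendResult checkedSendmsg(const std::vector<IoVec>& iov)
{
    for (size_t i = 0; i < iov.size(); ++i) {
        if (!g_liveBlocks.count(iov[i].base))
            return { false, static_cast<int>(i) };
    }
    return { true, -1 };
}

// Hypothetical encoding of per-attachment metadata that travels as a second
// iovec beside the message body: one byte per attachment.
static std::vector<uint8_t> encodeAttachmentInfo(size_t attachmentCount)
{
    return std::vector<uint8_t>(attachmentCount, 0);
}

// Buggy ordering, as in the trace: the attachment-info block lives only inside
// the if-block, its address is stored in iov[1], and the block is freed when the
// scope closes, which is before the send.
static SendResult sendOutputMessageBuggy(const TrackedBuffer& body, size_t attachmentCount)
{
    std::vector<IoVec> iov;
    iov.push_back({ body.address(), body.size });
    if (attachmentCount) {
        TrackedBuffer attachmentInfo(encodeAttachmentInfo(attachmentCount));
        iov.push_back({ attachmentInfo.address(), attachmentInfo.size });
    } // attachmentInfo destroyed here: iov[1].base now names a freed block
    return checkedSendmsg(iov);
}

// Fixed ordering: the block is owned at function scope, so it outlives the send.
static SendResult sendOutputMessageFixed(const TrackedBuffer& body, size_t attachmentCount)
{
    std::vector<IoVec> iov;
    iov.push_back({ body.address(), body.size });
    std::optional<TrackedBuffer> attachmentInfo;
    if (attachmentCount) {
        attachmentInfo.emplace(encodeAttachmentInfo(attachmentCount));
        iov.push_back({ attachmentInfo->address(), attachmentInfo->size });
    }
    return checkedSendmsg(iov); // attachmentInfo is still alive here
}

// Drives one send with a constructed three-byte body.
static SendResult runScenario(bool useFix, size_t attachmentCount)
{
    TrackedBuffer body(std::vector<uint8_t>{ 1, 2, 3 });
    return useFix ? sendOutputMessageFixed(body, attachmentCount)
                  : sendOutputMessageBuggy(body, attachmentCount);
}

int main()
{
    SendResult buggy = runScenario(false, 2);
    SendResult fixed = runScenario(true, 2);
    std::printf("buggy: ok=%d unaddressable iov=%d\n", buggy.ok, buggy.unaddressableIov);
    std::printf("fixed: ok=%d unaddressable iov=%d\n", fixed.ok, fixed.unaddressableIov);
    return 0;
}
```

The point the registry makes explicit is that nothing in the iovec itself records who owns the memory it points at, so the only defence is structural: every buffer referenced by msg_iov must be owned by an object whose scope encloses the sendmsg call. Running the real code under valgrind is what surfaces the mismatch, because the kernel-boundary read happens after the destructor and memcheck checks the syscall parameters against its own block map.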
Nikolas Zimmermann
Pull request: https://github.com/WebKit/WebKit/pull/51996
EWS
Committed 301217@main (c51f10d330b4): <https://commits.webkit.org/301217@main>
Reviewed commits have been landed. Closing PR #51996 and removing active labels.