RESOLVED FIXED
300378
[GTK][WPE] Fix attachmentInfo lifetime in Connection::sendOutputMessage
https://bugs.webkit.org/show_bug.cgi?id=300378
Nikolas Zimmermann
Reported
2025-10-08 00:17:40 PDT
valgrind revealed that we're trying to transmit free'd memory over a socket in ConnectionGLib - fix that.
Nikolas Zimmermann
Comment 1
2025-10-08 00:18:29 PDT
Excerpt from log:
==1758253== Thread 9 ReceiveQueue:
==1758253== Syscall param sendmsg(msg.msg_iov[1]) points to unaddressable byte(s)
==1758253==    at 0x11AAEFE2: __syscall_cancel_arch (syscall_cancel.S:56)
==1758253==    by 0x11AA2B62: __internal_syscall_cancel (cancellation.c:49)
==1758253==    by 0x11AA2B62: __syscall_cancel (cancellation.c:75)
==1758253==    by 0x11B398F0: sendmsg (sendmsg.c:28)
==1758253==    by 0x11327133: g_socket_send_message_with_timeout (in /usr/lib/x86_64-linux-gnu/libgio-2.0.so.0.8400.1)
==1758253==    by 0x11327582: g_socket_send_message (in /usr/lib/x86_64-linux-gnu/libgio-2.0.so.0.8400.1)
==1758253==    by 0x9B39C3F: IPC::Connection::sendOutputMessage(IPC::UnixMessage&&) (ConnectionGLib.cpp:416)
==1758253==    by 0x9B3A765: IPC::Connection::sendOutgoingMessage(WTF::UniqueRef<IPC::Encoder>&&) (ConnectionGLib.cpp:352)
==1758253==    by 0x9B18751: IPC::Connection::sendOutgoingMessages() [clone .part.0] (Connection.cpp:1253)
==1758253==    by 0xC303CFD: operator() (Function.h:82)
==1758253==    by 0xC303CFD: WTF::RunLoop::performWork() (RunLoop.cpp:148)
==1758253==    by 0xC3DB36C: WTF::RunLoop::RunLoop()::{lambda(void*)#1}::_FUN(void*) (RunLoopGLib.cpp:79)
==1758253==    by 0xC3DC4EC: operator() (RunLoopGLib.cpp:56)
==1758253==    by 0xC3DC4EC: WTF::RunLoop::{lambda(_GSource*, int (*)(void*), void*)#1}::_FUN(_GSource*, int (*)(void*), void*) (RunLoopGLib.cpp:59)
==1758253==    by 0x11534DE1: ??? (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.8400.1)
==1758253==    by 0x1153505F: g_main_context_dispatch (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.8400.1)
==1758253==    by 0xC3DE0E2: WTF::RunLoop::runGLibMainLoopIteration(WTF::RunLoop::MayBlock) (RunLoopGLib.cpp:123)
==1758253==    by 0xC3DE3F1: WTF::RunLoop::runGLibMainLoop() (RunLoopGLib.cpp:132)
==1758253==    by 0xC3DE491: WTF::RunLoop::run() (RunLoopGLib.cpp:145)
==1758253==    by 0xC357115: operator() (Function.h:82)
==1758253==    by 0xC357115: WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) (Threading.cpp:268)
==1758253==    by 0xC3E47CC: WTF::wtfThreadEntryPoint(void*) (ThreadingPOSIX.cpp:245)
==1758253==    by 0x11AA67F0: start_thread (pthread_create.c:448)
==1758253==    by 0x11B37A83: clone (clone.S:100)
==1758253==  Address 0x25474eb0 is 0 bytes inside a block of size 1 free'd
==1758253==    at 0x484D8BF: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==1758253==    by 0x10354CE5: pas_try_deallocate_slow_no_cache (pas_deallocate.c:135)
==1758253==    by 0x9B39F86: fastFree (FastMalloc.h:301)
==1758253==    by 0x9B39F86: free (FastMalloc.h:299)
==1758253==    by 0x9B39F86: deallocateBuffer (Vector.h:271)
==1758253==    by 0x9B39F86: ~VectorBuffer (Vector.h:335)
==1758253==    by 0x9B39F86: ~Vector (Vector.h:700)
==1758253==    by 0x9B39F86: IPC::Connection::sendOutputMessage(IPC::UnixMessage&&) (ConnectionGLib.cpp:409)
==1758253==    by 0x9B3A765: IPC::Connection::sendOutgoingMessage(WTF::UniqueRef<IPC::Encoder>&&) (ConnectionGLib.cpp:352)
==1758253==    by 0x9B18751: IPC::Connection::sendOutgoingMessages() [clone .part.0] (Connection.cpp:1253)
==1758253==    by 0xC303CFD: operator() (Function.h:82)
==1758253==    by 0xC303CFD: WTF::RunLoop::performWork() (RunLoop.cpp:148)
==1758253==    by 0xC3DB36C: WTF::RunLoop::RunLoop()::{lambda(void*)#1}::_FUN(void*) (RunLoopGLib.cpp:79)
==1758253==    by 0xC3DC4EC: operator() (RunLoopGLib.cpp:56)
==1758253==    by 0xC3DC4EC: WTF::RunLoop::{lambda(_GSource*, int (*)(void*), void*)#1}::_FUN(_GSource*, int (*)(void*), void*) (RunLoopGLib.cpp:59)
==1758253==    by 0x11534DE1: ??? (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.8400.1)
==1758253==    by 0x1153505F: g_main_context_dispatch (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.8400.1)
==1758253==    by 0xC3DE0E2: WTF::RunLoop::runGLibMainLoopIteration(WTF::RunLoop::MayBlock) (RunLoopGLib.cpp:123)
==1758253==    by 0xC3DE3F1: WTF::RunLoop::runGLibMainLoop() (RunLoopGLib.cpp:132)
==1758253==    by 0xC3DE491: WTF::RunLoop::run() (RunLoopGLib.cpp:145)
==1758253==    by 0xC357115: operator() (Function.h:82)
==1758253==    by 0xC357115: WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) (Threading.cpp:268)
==1758253==    by 0xC3E47CC: WTF::wtfThreadEntryPoint(void*) (ThreadingPOSIX.cpp:245)
==1758253==    by 0x11AA67F0: start_thread (pthread_create.c:448)
==1758253==    by 0x11B37A83: clone (clone.S:100)
==1758253==  Block was alloc'd at
==1758253==    at 0x484A858: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==1758253==    by 0x103272B4: UnknownInlinedFun (pas_system_heap.h:138)
==1758253==    by 0x103272B4: UnknownInlinedFun (pas_try_allocate_intrinsic.h:114)
==1758253==    by 0x103272B4: bmalloc_allocate_impl_casual_case.constprop.0 (bmalloc_heap_inlines.h:222)
==1758253==    by 0x1032978C: bmalloc_allocate_casual (bmalloc_heap.c:73)
==1758253==    by 0x9B39F3A: malloc (FastMalloc.h:266)
==1758253==    by 0x9B39F3A: allocateBuffer<(WTF::FailureAction)0> (Vector.h:232)
==1758253==    by 0x9B39F3A: allocateBuffer (Vector.h:243)
==1758253==    by 0x9B39F3A: VectorBuffer (Vector.h:330)
==1758253==    by 0x9B39F3A: Vector (Vector.h:606)
==1758253==    by 0x9B39F3A: IPC::Connection::sendOutputMessage(IPC::UnixMessage&&) (ConnectionGLib.cpp:372)
==1758253==    by 0x9B3A765: IPC::Connection::sendOutgoingMessage(WTF::UniqueRef<IPC::Encoder>&&) (ConnectionGLib.cpp:352)
==1758253==    by 0x9B18751: IPC::Connection::sendOutgoingMessages() [clone .part.0] (Connection.cpp:1253)
==1758253==    by 0xC303CFD: operator() (Function.h:82)
==1758253==    by 0xC303CFD: WTF::RunLoop::performWork() (RunLoop.cpp:148)
==1758253==    by 0xC3DB36C: WTF::RunLoop::RunLoop()::{lambda(void*)#1}::_FUN(void*) (RunLoopGLib.cpp:79)
==1758253==    by 0xC3DC4EC: operator() (RunLoopGLib.cpp:56)
==1758253==    by 0xC3DC4EC: WTF::RunLoop::{lambda(_GSource*, int (*)(void*), void*)#1}::_FUN(_GSource*, int (*)(void*), void*) (RunLoopGLib.cpp:59)
==1758253==    by 0x11534DE1: ??? (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.8400.1)
==1758253==    by 0x1153505F: g_main_context_dispatch (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.8400.1)
==1758253==    by 0xC3DE0E2: WTF::RunLoop::runGLibMainLoopIteration(WTF::RunLoop::MayBlock) (RunLoopGLib.cpp:123)
==1758253==    by 0xC3DE3F1: WTF::RunLoop::runGLibMainLoop() (RunLoopGLib.cpp:132)
==1758253==    by 0xC3DE491: WTF::RunLoop::run() (RunLoopGLib.cpp:145)
==1758253==    by 0xC357115: operator() (Function.h:82)
==1758253==    by 0xC357115: WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) (Threading.cpp:268)
==1758253==    by 0xC3E47CC: WTF::wtfThreadEntryPoint(void*) (ThreadingPOSIX.cpp:245)
==1758253==    by 0x11AA67F0: start_thread (pthread_create.c:448)
==1758253==    by 0x11B37A83: clone (clone.S:100)
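The valgrind report above describes a classic scatter/gather lifetime bug: a Vector is destroyed at ConnectionGLib.cpp:409 (its buffer freed), yet msg.msg_iov[1] still points into that buffer when sendmsg() runs at line 416, so the kernel copies freed heap memory onto the socket. The following is an added C++ illustration of that bug class and the corresponding fix pattern; it is not WebKit code. OutgoingMessage, makeMessage, sendMessage, roundTrip and the buildAttachmentInfo name in the comment are this example's own hypothetical stand-ins, not IPC::UnixMessage or Connection::sendOutputMessage, and the message contents are constructed test data.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>
#include <sys/socket.h>
#include <sys/uio.h>
#include <unistd.h>
#include <vector>

// Constructed stand-in for an outgoing IPC message: a body plus a small
// attachment-info table that goes out as a second iovec. These names are
// this example's own, not WebKit's IPC::UnixMessage.
struct OutgoingMessage {
    std::vector<uint8_t> body;
    std::vector<uint8_t> attachmentInfo;
};

static OutgoingMessage makeMessage(const std::string& body, const std::string& attachmentInfo)
{
    return { std::vector<uint8_t>(body.begin(), body.end()),
             std::vector<uint8_t>(attachmentInfo.begin(), attachmentInfo.end()) };
}

// Sends body + attachment info with a single sendmsg(). Every buffer that
// msg_iov points at must stay alive until sendmsg() returns, so the
// attachment table is owned by a local in the same scope as the syscall.
static ssize_t sendMessage(int fd, const OutgoingMessage& message)
{
    // The pattern valgrind flagged in this bug, for contrast (hypothetical):
    //
    //     struct iovec iov[2];
    //     {
    //         std::vector<uint8_t> attachmentInfo = buildAttachmentInfo();
    //         iov[1].iov_base = attachmentInfo.data();   // points into the vector
    //     }                                              // vector freed here
    //     sendmsg(fd, &msg, 0);                          // iov[1] reads freed memory
    //
    // Fix: the vector lives in the enclosing scope, past the sendmsg() call.
    std::vector<uint8_t> attachmentInfo(message.attachmentInfo);

    struct iovec iov[2] = {};
    iov[0].iov_base = const_cast<uint8_t*>(message.body.data());
    iov[0].iov_len = message.body.size();
    iov[1].iov_base = attachmentInfo.data();
    iov[1].iov_len = attachmentInfo.size();

    struct msghdr msg = {};
    msg.msg_iov = iov;
    msg.msg_iovlen = attachmentInfo.empty() ? 1 : 2;
    return sendmsg(fd, &msg, 0);
    // attachmentInfo is destroyed only here, after the kernel has read it.
}

// Round-trips a message through an AF_UNIX socketpair and returns the bytes
// the peer received, so a caller can check that both iovecs arrived intact.
static std::string roundTrip(const OutgoingMessage& message)
{
    int fds[2];
    if (socketpair(AF_UNIX, SOCK_SEQPACKET, 0, fds) != 0)
        return {};

    std::string received;
    ssize_t sent = sendMessage(fds[0], message);
    if (sent > 0) {
        received.assign(static_cast<size_t>(sent), '\0');
        ssize_t got = recv(fds[1], &received[0], received.size(), 0);
        received.resize(got > 0 ? static_cast<size_t>(got) : 0);
    }
    close(fds[0]);
    close(fds[1]);
    return received;
}

int main()
{
    std::string out = roundTrip(makeMessage("hdr", "\x01\x02"));
    std::printf("received %zu bytes\n", out.size());
    return out == std::string("hdr\x01\x02", 5) ? 0 : 1;
}
```

Running the fixed version under valgrind or AddressSanitizer is the practical check: the "Syscall param sendmsg(msg.msg_iov[1]) points to unaddressable byte(s)" report disappears once every iovec's backing storage outlives the sendmsg() call. The general rule is that an iovec is a borrowed view, so whatever owns the bytes must be declared in a scope that encloses the syscall that consumes them.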
Nikolas Zimmermann
Comment 2
2025-10-08 00:20:26 PDT
Pull request:
https://github.com/WebKit/WebKit/pull/51996
EWS
Comment 3
2025-10-08 10:29:20 PDT
Committed 301217@main (c51f10d330b4): <https://commits.webkit.org/301217@main>
Reviewed commits have been landed. Closing PR #51996 and removing active labels.