Ubuntu
gnome-software package

Invalid read in the snap plugin

Bug #1798360 reported by Sebastien Bacher on 2018-10-17

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	gnome-software (Ubuntu)	Invalid	High	Unassigned
	snapd-glib (Ubuntu)	Fix Released	High	Andrea Azzarone

Bug Description

On cosmic, open gnome-software, type some text to search, it easily leads to snapd related warnings on stdout and those corresponding valgrind invalid read errors

==31017== Invalid read of size 8
==31017== at 0x4913AC5: g_type_check_instance_is_fundamentally_a (gtype.c:4023)
==31017== by 0x48F4AF4: g_object_unref (gobject.c:3243)
==31017== by 0x497D4E2: g_source_callback_unref (gmain.c:1551)
==31017== by 0x497DF1D: g_source_destroy_internal (gmain.c:1236)
==31017== by 0x4980B77: g_main_dispatch (gmain.c:3206)
==31017== by 0x4980B77: g_main_context_dispatch (gmain.c:3847)
==31017== by 0x4980ED7: g_main_context_iterate.isra.26 (gmain.c:3920)
==31017== by 0x49811D1: g_main_loop_run (gmain.c:4116)
==31017== by 0x12C6EB5E: end_sync (snapd-client-sync.c:33)
==31017== by 0x12C6EB5E: snapd_client_find_section_sync (snapd-client-sync.c:646)
==31017== by 0x12C2F571: find_snaps (gs-plugin-snap.c:294)
==31017== by 0x12C30320: gs_plugin_add_search (gs-plugin-snap.c:635)
==31017== by 0x186660: gs_plugin_loader_call_vfunc (gs-plugin-loader.c:695)
==31017== by 0x1869E1: gs_plugin_loader_run_results (gs-plugin-loader.c:1147)
==31017== by 0x187BC4: gs_plugin_loader_process_thread_cb (gs-plugin-loader.c:3140)
==31017== by 0x4ADFC02: g_task_thread_pool_thread (gtask.c:1331)
==31017== by 0x49A9AD2: g_thread_pool_thread_proxy (gthreadpool.c:307)
==31017== by 0x49A9134: g_thread_proxy (gthread.c:784)
==31017== by 0x5CFC163: start_thread (pthread_create.c:486)
==31017== by 0x5E2FDEE: clone (clone.S:95)
==31017== Address 0xdccd330 is 96 bytes inside a block of size 184 free'd
==31017== at 0x483897B: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==31017== by 0x49128C3: g_type_free_instance (gtype.c:1936)
==31017== by 0x12C67046: request_data_unref (snapd-client.c:178)
==31017== by 0x497D4E2: g_source_callback_unref (gmain.c:1551)
==31017== by 0x497DF1D: g_source_destroy_internal (gmain.c:1236)
==31017== by 0x4980B77: g_main_dispatch (gmain.c:3206)
==31017== by 0x4980B77: g_main_context_dispatch (gmain.c:3847)
==31017== by 0x4980ED7: g_main_context_iterate.isra.26 (gmain.c:3920)
==31017== by 0x49811D1: g_main_loop_run (gmain.c:4116)
==31017== by 0x12C6EB5E: end_sync (snapd-client-sync.c:33)
==31017== by 0x12C6EB5E: snapd_client_find_section_sync (snapd-client-sync.c:646)
==31017== by 0x12C2F571: find_snaps (gs-plugin-snap.c:294)
==31017== by 0x12C30320: gs_plugin_add_search (gs-plugin-snap.c:635)
==31017== by 0x186660: gs_plugin_loader_call_vfunc (gs-plugin-loader.c:695)
==31017== by 0x1869E1: gs_plugin_loader_run_results (gs-plugin-loader.c:1147)
==31017== by 0x187BC4: gs_plugin_loader_process_thread_cb (gs-plugin-loader.c:3140)
==31017== by 0x4ADFC02: g_task_thread_pool_thread (gtask.c:1331)
==31017== by 0x49A9AD2: g_thread_pool_thread_proxy (gthreadpool.c:307)
==31017== by 0x49A9134: g_thread_proxy (gthread.c:784)
==31017== by 0x5CFC163: start_thread (pthread_create.c:486)
==31017== by 0x5E2FDEE: clone (clone.S:95)
==31017== Block was alloc'd at
==31017== at 0x483774F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==31017== by 0x4986650: g_malloc (gmem.c:99)
==31017== by 0x499E5B2: g_slice_alloc (gslice.c:1024)
==31017== by 0x499EBE8: g_slice_alloc0 (gslice.c:1050)
==31017== by 0x49124F9: g_type_create_instance (gtype.c:1836)
==31017== by 0x48F5397: g_object_new_internal (gobject.c:1805)
==31017== by 0x48F7223: g_object_new_valist (gobject.c:2128)
==31017== by 0x48F7558: g_object_new (gobject.c:1648)
==31017== by 0x12C5C70A: _snapd_get_find_new (snapd-get-find.c:34)
==31017== by 0x12C6A967: snapd_client_find_section_async (snapd-client.c:2119)
==31017== by 0x12C6EB4D: snapd_client_find_section_sync (snapd-client-sync.c:645)
==31017== by 0x12C2F571: find_snaps (gs-plugin-snap.c:294)
==31017== by 0x12C30320: gs_plugin_add_search (gs-plugin-snap.c:635)
==31017== by 0x186660: gs_plugin_loader_call_vfunc (gs-plugin-loader.c:695)
==31017== by 0x1869E1: gs_plugin_loader_run_results (gs-plugin-loader.c:1147)
==31017== by 0x187BC4: gs_plugin_loader_process_thread_cb (gs-plugin-loader.c:3140)
==31017== by 0x4ADFC02: g_task_thread_pool_thread (gtask.c:1331)
==31017== by 0x49A9AD2: g_thread_pool_thread_proxy (gthreadpool.c:307)
==31017== by 0x49A9134: g_thread_proxy (gthread.c:784)
==31017== by 0x5CFC163: start_thread (pthread_create.c:486)
==31017== by 0x5E2FDEE: clone (clone.S:95)

Sebastien Bacher (seb128) on 2018-10-17

Changed in gnome-software (Ubuntu):
importance:	Undecided → High

Andrea Azzarone (azzar1) on 2018-10-17

Changed in gnome-software (Ubuntu):
status:	New → In Progress
assignee:	nobody → Andrea Azzarone (azzar1)

Sebastien Bacher (seb128) on 2018-10-17

Changed in snapd-glib (Ubuntu):
importance:	Undecided → High
assignee:	nobody → Robert Ancell (robert-ancell)

Revision history for this message

Robert Ancell (robert-ancell) wrote on 2018-10-23:

I've seen this and tried a number of times to find the cause. Can't reproduce it with snapd-glib on it's own. Seems to be related to when the featured snaps are being accessed at the same time a search is being performed or cancelled.

Revision history for this message

Robert Ancell (robert-ancell) wrote on 2018-10-29:

I tried today and wasn't able to reproduce at all.

Andrea Azzarone (azzar1) on 2018-11-07

Changed in snapd-glib (Ubuntu):
assignee:	Robert Ancell (robert-ancell) → Andrea Azzarone (azzar1)
Changed in gnome-software (Ubuntu):
assignee:	Andrea Azzarone (azzar1) → nobody
status:	In Progress → Invalid
Changed in snapd-glib (Ubuntu):
status:	New → In Progress