1424661 - Crash in free.cold.84 | nsClipboard::GetData

Status: RESOLVED FIXED

(Core :: Widget: Gtk, defect)

Description

[Calixte Denizet (:calixte)]

This bug was filed from the Socorro interface and is
report bp-6087b658-2d05-440b-bc51-5dd850171210.
=============================================================

Top 10 frames of crashing thread:

0 firefox free.cold.84 
1 libxul.so nsClipboard::GetData widget/gtk/nsClipboard.cpp:340
2 libxul.so mozilla::dom::ContentParent::RecvGetClipboard dom/ipc/ContentParent.cpp:2629
3 libxul.so mozilla::dom::PContentParent::OnMessageReceived ipc/ipdl/PContentParent.cpp:7674
4 libxul.so mozilla::ipc::MessageChannel::DispatchSyncMessage 
5 libxul.so mozilla::ipc::MessageChannel::DispatchMessage 
6 libxul.so mozilla::ipc::MessageChannel::MessageTask::Run 
7 libxul.so nsThread::ProcessNextEvent 
8 libxul.so NS_ProcessNextEvent xpcom/threads/nsThreadUtils.cpp:508
9 libxul.so mozilla::ipc::MessagePump::Run 

=============================================================

There are 11 crashes with signature 'free.cold.[0-9]+ | nsClipboard::GetData' in nightly 59 starting with buildid 20171209100033. In analyzing the backtrace, the regression may have been introduced by patch [1] to fix bug 1417874.

[1] https://hg.mozilla.org/mozilla-central/rev/296dd5f8849a

Comment 1

[Martin Stránský [:stransky] (ni? me)]

Looks like double free - will look at it, Thanks!

Comment 2

[Martin Stránský [:stransky] (ni? me)]

Attachment: Bug 1424661 - refactor ncClipboard::GetData(), allocate all memory by moz_xmalloc() and release by free(),

According to Gtk people [1] we can't mix free()/g_free() and malloc()/g_malloc() calls.
Existing nsClipboard code mixes that on some places which can lead to issued on glib built
with specific flags (ENABLE_MEM_PROFILE or ENABLE_MEM_CHECK).

[1] https://mail.gnome.org/archives/gtk-list/2000-July/msg00002.html

Review commit: https://reviewboard.mozilla.org/r/206998/diff/#index_header
See other reviews: https://reviewboard.mozilla.org/r/206998/

Comment 3

[Jan Horak [:jhorak]]

Comment on attachment 8936235 [details]
Bug 1424661 - refactor ncClipboard::GetData(), allocate all memory by moz_xmalloc() and release by free(),

https://reviewboard.mozilla.org/r/206998/#review212808

::: widget/gtk/nsClipboard.h:22
(Diff revision 1)
>  #define GTK_DEFAULT_MIME_TEXT "UTF8_STRING"
>  
>  class nsRetrievalContext {
>  public:
> +    // Returned data must be released by free()
>      virtual guchar* WaitForClipboardContext(const char* aMimeType,

The type guchar* is confusing there, we expect the guchar* to be freed by g_free call. 

Since WaitForClipboardContext callers mostly cast the result to const char\*, use const char\* instead of guchar\*. As far as I checked the content of return memory is not modified, therefore you should be fine with const.

::: widget/gtk/nsClipboard.cpp:321
(Diff revision 1)
> -            g_free(data);
> +            free(data);
>  
>              // Try next data format?
>              if (!htmlBodyLen)
>                  continue;
>              data = (guchar *)htmlBody;

This will also need a touch.

::: widget/gtk/nsClipboardX11.cpp:296
(Diff revision 1)
>  
>      GtkSelectionData *selectionData = WaitForContents(clipboard, aMimeType);
>      if (!selectionData)
>          return nullptr;
>  
>      int contentLength = gtk_selection_data_get_length(selectionData);

When touching this, I'm not sure if the contentLength can be 0 or even negative, please check this and do the warning if this happens.

::: widget/gtk/nsClipboardX11.cpp:297
(Diff revision 1)
>      GtkSelectionData *selectionData = WaitForContents(clipboard, aMimeType);
>      if (!selectionData)
>          return nullptr;
>  
>      int contentLength = gtk_selection_data_get_length(selectionData);
> -    guchar* data = reinterpret_cast<guchar*>(g_malloc(sizeof(guchar)*contentLength));
> +    guchar* data =

use char\* there

Comment 4

[Martin Stránský [:stransky] (ni? me)]

Comment on attachment 8936235 [details]
Bug 1424661 - refactor ncClipboard::GetData(), allocate all memory by moz_xmalloc() and release by free(),

Review request updated; see interdiff: https://reviewboard.mozilla.org/r/206998/diff/1-2/

Comment 5

[Jan Horak [:jhorak]]

Comment on attachment 8936235 [details]
Bug 1424661 - refactor ncClipboard::GetData(), allocate all memory by moz_xmalloc() and release by free(),

https://reviewboard.mozilla.org/r/206998/#review213386

Looks much better now. Thanks.

::: widget/gtk/nsClipboard.cpp:227
(Diff revision 2)
>    
>      return rv;
>  }
>  
> +void
> +nsClipboard::TransferClipboardData(nsITransferable* aTransferable,

This can be static member and please rename it to something more self describing, like TransferClipboardDataToGecko or something like this.

Comment 6

[Martin Stránský [:stransky] (ni? me)]

Comment on attachment 8936235 [details]
Bug 1424661 - refactor ncClipboard::GetData(), allocate all memory by moz_xmalloc() and release by free(),

Review request updated; see interdiff: https://reviewboard.mozilla.org/r/206998/diff/2-3/

Comment 7

[Pulsebot]

Pushed by stransky@redhat.com:
https://hg.mozilla.org/integration/autoland/rev/70eb26bf8760
refactor ncClipboard::GetData(), allocate all memory by moz_xmalloc() and release by free(), r=jhorak

Comment 8

[Narcis Beleuzu [:NarcisB]]

https://hg.mozilla.org/mozilla-central/rev/70eb26bf8760