[GNC-dev] gnucash stable: Fix NULL dereference in gnc_plugin_page_report_focus_widget.
john
jralls at ceridwen.us
Thu Nov 2 13:08:17 EDT 2023
It's crashing before the call to g_type_check_instance_is_a. The stack trace in https://lists.gnucash.org/pipermail/gnucash-user/2023-November/109345.html points to offset 1374 in gnc_plugin_page_report_focus_widget. Here's the disassembly:
> On Nov 2, 2023, at 02:04, Geert Janssens <geert.gnucash at kobaltwit.be> wrote:
>
> This seems to point at a regression in Gtk.
>
> From what I understand GTK_IS_WIDGET should return FALSE if widget is NULL.
>
> It's defined here:
> https://gitlab.gnome.org/GNOME/gtk/-/blob/main/gtk/gtkwidget.h?ref_type=heads#L46
>
> It's a macro that calls G_TYPE_CHECK_INSTANCE_TYPE, which is defined here:
> https://gitlab.gnome.org/GNOME/glib/-/blob/main/gobject/gtype.h?ref_type=heads#L541
>
> The comment above this definition states G_TYPE_CHECK_INSTANCE_TYPE should
> return FALSE if instance is NULL.
>
> So I'm rather surprised this use of GTK_IS_WIDGET crashes gnucash.

Hmm. It does indeed look properly null-checked. G_TYPE_CHECK_INSTANCE_TYPE just forwards to _G_TYPE_CIT at https://gitlab.gnome.org/GNOME/glib/-/blame/main/gobject/gtype.h?page=3#L2671

(# define _G_TYPE_CIT(ip, gt) (G_GNUC_EXTENSION ({ \
  GTypeInstance *__inst = (GTypeInstance*) ip; GType __t = gt; gboolean __r; \
  if (!__inst) \
    __r = FALSE; \
  else if (__inst->g_class && __inst->g_class->g_type == __t) \
    __r = TRUE; \
  else \
    __r = g_type_check_instance_is_a (__inst, __t); \
  __r; \
}))

The disassembly of gnc_plugin_page_report_focus_widget:

... ; symbol stub for: gnc_window_set_progressbar_window
libgnc-gnome.dylib[0x7c2d1] <+1345>: movq -0x98(%rbp), %r15
libgnc-gnome.dylib[0x7c2d8] <+1352>: callq 0x8fa4c ; symbol stub for: gtk_widget_get_type
libgnc-gnome.dylib[0x7c2dd] <+1357>: testq %r15, %r15 <<< if (!__inst)
libgnc-gnome.dylib[0x7c2e0] <+1360>: je 0x7c05c ; <+716>
libgnc-gnome.dylib[0x7c2e6] <+1366>: movq (%r15), %rcx
libgnc-gnome.dylib[0x7c2e9] <+1369>: testq %rcx, %rcx <<<< if (__inst->g_class
libgnc-gnome.dylib[0x7c2ec] <+1372>: je 0x7c2f3 ; <+1379>
libgnc-gnome.dylib[0x7c2ee] <+1374>: cmpq %rax, (%rcx) <<<<< && __inst->g_class->g_type == __t *** Crash is here ***
libgnc-gnome.dylib[0x7c2f1] <+1377>: je 0x7c306 ; <+1398>
libgnc-gnome.dylib[0x7c2f3] <+1379>: movq %r15, %rdi
libgnc-gnome.dylib[0x7c2f6] <+1382>: movq %rax, %rsi
libgnc-gnome.dylib[0x7c2f9] <+1385>: callq 0x8da0c ; symbol stub for: g_type_check_instance_is_a
libgnc-gnome.dylib[0x7c2fe] <+1390>: testl %eax, %eax
libgnc-gnome.dylib[0x7c300] <+1392>: je 0x7c05c ; <+716>
libgnc-gnome.dylib[0x7c306] <+1398>: movq %r15, %rdi
libgnc-gnome.dylib[0x7c309] <+1401>: callq 0x8fa7c ; symbol stub for: gtk_widget_is_focus
libgnc-gnome.dylib[0x7c30e] <+1406>: testl %eax, %eax
libgnc-gnome.dylib[0x7c310] <+1408>: jne 0x7c05c ; <+716>
libgnc-gnome.dylib[0x7c316] <+1414>: movq %r15, %rdi
libgnc-gnome.dylib[0x7c319] <+1417>: callq 0x8fa5e ; symbol stub for: gtk_widget_grab_focus
libgnc-gnome.dylib[0x7c31e] <+1422>: jmp 0x7c05c ; <+716>
libgnc-gnome.dylib[0x7c323] <+1427>: callq 0x8d520 ; symbol stub for: __stack_chk_fail
libgnc-gnome.dylib[0x7c328] <+1432>: nopl (%rax,%rax)
It's crashing dereferencing __inst->g_class->g_type, and the diagnostic says it's a nullptr:
VM Region Info: 0 is not in any region. Bytes before following region: 4537495552
I've asked Michael for the register block to confirm that %rcx contains nullptr, but I'm baffled how it can go from not null at 1369 to null at 1374.
Regards,
John Ralls
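As an added illustration, not code from this message, from GnuCash or from GLib, the C program below models the three branches of _G_TYPE_CIT. GTypeClass and GTypeInstance are constructed stand-ins carrying only the fields the check touches, the type ids are arbitrary, and check_instance_is_a() is a hypothetical one-level replacement for g_type_check_instance_is_a(). The comments map each branch to the instructions in the disassembly above; the point is that both a NULL instance and a NULL g_class are handled without reading g_class->g_type, so the compare at +1374 can only execute after g_class tested non-NULL at +1369.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins for GLib's GType, GTypeClass and GTypeInstance;
 * only the fields the _G_TYPE_CIT check touches are modelled. */
typedef unsigned long GType;
typedef struct { GType g_type; } GTypeClass;
typedef struct { GTypeClass *g_class; } GTypeInstance;

/* Arbitrary type ids; "button" is treated as a subtype of "widget". */
enum { TYPE_WIDGET = 0x10, TYPE_BUTTON = 0x11, TYPE_UNRELATED = 0x20 };

/* How often the slow path ran during the most recent check. */
static int slow_path_calls;

/* Hypothetical stand-in for g_type_check_instance_is_a(): reached only when
 * the inline exact-type compare is not taken. It re-validates its inputs, so
 * an instance with a NULL g_class lands here and returns false without a
 * dereference. Real GLib walks the whole type hierarchy; one level suffices. */
static bool check_instance_is_a(const GTypeInstance *inst, GType t)
{
    slow_path_calls++;
    if (inst == NULL || inst->g_class == NULL)
        return false;
    GType actual = inst->g_class->g_type;
    if (actual == t)
        return true;
    return actual == TYPE_BUTTON && t == TYPE_WIDGET;
}

/* The three branches of _G_TYPE_CIT written as a function. */
static bool type_cit(const GTypeInstance *ip, GType gt)
{
    const GTypeInstance *inst = ip;
    slow_path_calls = 0;
    if (!inst)                                              /* testq %r15,%r15 ; je        */
        return false;
    else if (inst->g_class && inst->g_class->g_type == gt)  /* testq %rcx,%rcx ; cmpq %rax,(%rcx) */
        return true;
    else
        return check_instance_is_a(inst, gt);               /* callq g_type_check_instance_is_a */
}

/* Scenario helpers, one per input shape, so a caller can check each branch. */
bool cit_null_instance(void)
{
    return type_cit(NULL, TYPE_WIDGET);                     /* first branch: no dereference */
}

bool cit_null_class(void)
{
    GTypeInstance inst = { NULL };                          /* g_class NULL: compare skipped */
    return type_cit(&inst, TYPE_WIDGET);
}

bool cit_exact_match(void)
{
    GTypeClass cls = { TYPE_WIDGET };
    GTypeInstance inst = { &cls };
    return type_cit(&inst, TYPE_WIDGET);                    /* fast path, no slow call */
}

bool cit_subclass_match(void)
{
    GTypeClass cls = { TYPE_BUTTON };
    GTypeInstance inst = { &cls };
    return type_cit(&inst, TYPE_WIDGET);                    /* compare fails, slow path says yes */
}

bool cit_mismatch(void)
{
    GTypeClass cls = { TYPE_UNRELATED };
    GTypeInstance inst = { &cls };
    return type_cit(&inst, TYPE_WIDGET);
}

int cit_last_slow_path_calls(void)
{
    return slow_path_calls;
}

/* Reads the counter after the scenario has returned, so the order is defined. */
static void report(const char *label, bool result)
{
    printf("%-16s -> %s (slow path calls: %d)\n", label, result ? "TRUE" : "FALSE", slow_path_calls);
}

int main(void)
{
    report("NULL instance", cit_null_instance());
    report("NULL g_class", cit_null_class());
    report("exact match", cit_exact_match());
    report("subclass match", cit_subclass_match());
    report("mismatch", cit_mismatch());
    return 0;
}
```

Build with any C99 compiler (for example `cc -std=c99 -Wall cit_model.c`) and run it; the output lists which branch each input shape takes. The model's only way to reach the `(%rcx)` read with a NULL pointer would be for g_class to change between the test and the compare, which is exactly the situation the message finds puzzling.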
More information about the gnucash-devel
mailing list