chimera-linux / cports

Chimera ports collection
BSD 2-Clause "Simplified" License

Drag-and-dropping a URL into gnome-console/konsole causes memory corruption #2416

Open triallax opened 2 months ago

triallax commented 2 months ago

Reproduction steps:

  1. Have GNOME Console open
  2. Drag a URL from e.g. firefox into gnome-console
  3. Close the tab into which you dropped the URL
  4. It crashes

backtrace:

* thread #1, name = 'kgx', stop reason = signal SIGSEGV: address not mapped to object
  * frame #0: 0x000074855f0ca2c9 libgobject-2.0.so.0`g_object_unref [inlined] g_type_check_instance_is_fundamentally_a(type_instance=0x000074855ca7cf10, fundamental_type=80) at gtype.c:4153:54
    frame #1: 0x000074855f0ca2a4 libgobject-2.0.so.0`g_object_unref(_object=0x000074855ca7cf10) at gobject.c:4325:3
    frame #2: 0x000074855ea701f1 libglib-2.0.so.0`g_hash_table_remove_internal(hash_table=<unavailable>, key=0x000074855c02c530, notify=1) at ghash.c:1717:3
    frame #3: 0x000074855e4b592e libgtk-4.so.1`gtk_widget_dispose + 654
    frame #4: 0x000074855f0ca43d libgobject-2.0.so.0`g_object_unref(_object=0x000074855aa263b0) at gobject.c:4413:3
    frame #5: 0x000074855f0e1fdf libgobject-2.0.so.0`signal_emit_valist_unlocked [inlined] g_value_unset(value=<unavailable>) at gvalue.c:197:5
    frame #6: 0x000074855f0e1fb0 libgobject-2.0.so.0`signal_emit_valist_unlocked(instance=0x000074855aa263b0, signal_id=<unavailable>, detail=0, var_args=<unavailable>) at gsignal.c:3554:3
    frame #7: 0x000074855f0e227f libgobject-2.0.so.0`g_signal_emit [inlined] g_signal_emit_valist(instance=0x000074855aa263b0, signal_id=79, detail=0, var_args=0x00007ffd63d1dd70) at gsignal.c:3263:7
    frame #8: 0x000074855f0e2262 libgobject-2.0.so.0`g_signal_emit(instance=0x000074855aa263b0, signal_id=79, detail=0) at gsignal.c:3583:3
    frame #9: 0x000059d0956e658e kgx`wait_cb [inlined] kgx_tab_died(self=0x000074855aa263b0, type=GTK_MESSAGE_INFO, message=<unavailable>, success=1) at kgx-tab.c:920:3
    frame #10: 0x000059d0956e6571 kgx`wait_cb(pid=<unavailable>, status=<unavailable>, user_data=0x000074855c022b50) at kgx-simple-tab.c:185:5
    frame #11: 0x000074855ea856f6 libglib-2.0.so.0`g_child_watch_dispatch(source=0x000074855c115730, callback=(kgx`wait_cb at kgx-simple-tab.c:164), user_data=0x000074855c022b50) at gmain.c:5857:3
    frame #12: 0x000074855ea8d02b libglib-2.0.so.0`g_main_context_dispatch_unlocked [inlined] g_main_dispatch(context=0x000074855a9056b0) at gmain.c:3344:27
    frame #13: 0x000074855ea8cedf libglib-2.0.so.0`g_main_context_dispatch_unlocked(context=0x000074855a9056b0) at gmain.c:4152:7
    frame #14: 0x000074855ea8d583 libglib-2.0.so.0`g_main_context_iterate_unlocked(context=0x000074855a9056b0, block=<unavailable>, dispatch=1, self=<unavailable>) at gmain.c:4217:5
    frame #15: 0x000074855ea8d744 libglib-2.0.so.0`g_main_context_iteration(context=0x000074855a9056b0, may_block=1) at gmain.c:4282:12
    frame #16: 0x000074855ec71cdd libgio-2.0.so.0`g_application_run(application=0x000074855d802220, argc=1, argv=<unavailable>) at gapplication.c:2712:7
    frame #17: 0x000059d0956deeb6 kgx`main(argc=1, argv=0x00007ffd63d1e008) at main.c:44:10
    frame #18: 0x000074855f25830d ld-musl-x86_64.so.1`libc_start_main_stage2(main=(kgx`main at main.c:25), argc=<unavailable>, argv=0x00007ffd63d1e008) at __libc_start_main.c:95:7
    frame #19: 0x000059d0956deb96 kgx`_start + 22

this crash is during memory cleanup so it didn't really help me find where the corruption actually happens

the same issue also occurs with konsole running in gnome (but instead konsole immediately crashes):

* thread #1, name = 'konsole', stop reason = signal SIGSEGV: address not mapped to object
  * frame #0: 0x00007dcf0fb75b24
    frame #1: 0x00007dcf0f4e429c libQt6Widgets.so.6`QWidget::event(this=<unavailable>, event=<unavailable>) at qwidget.cpp:9232:9
    frame #2: 0x00007dcf0f48e641 libQt6Widgets.so.6`QApplicationPrivate::notify_helper(this=0x00007dcf07a05c90, receiver=0x00007dcf0972caa0, e=0x00007ffd5124f430) at qapplication.cpp:3287:26
    frame #3: 0x00007dcf0f490f03 libQt6Widgets.so.6`QApplication::notify(this=0x00007dcf0b400d30, receiver=0x00007dcf0972caa0, e=0x00007ffd5124f430) at qapplication.cpp:3049:22
    frame #4: 0x00007dcf0e4fdf20 libQt6Core.so.6`QCoreApplication::notifyInternal2(receiver=0x00007dcf0972caa0, event=0x00007ffd5124f430) at qcoreapplication.cpp:1142:18
    frame #5: 0x00007dcf0f4fe7ea libQt6Widgets.so.6`QWidgetWindow::handleDropEvent(this=<unavailable>, event=0x00007ffd5124f8d0) at qwidgetwindow.cpp:996:5
    frame #6: 0x00007dcf0f4fb2d7 libQt6Widgets.so.6`QWidgetWindow::event(this=<unavailable>, event=<unavailable>) at qwidgetwindow.cpp:305:9
    frame #7: 0x00007dcf0f48e641 libQt6Widgets.so.6`QApplicationPrivate::notify_helper(this=0x00007dcf07a05c90, receiver=0x00007dcf0cf32580, e=0x00007ffd5124f8d0) at qapplication.cpp:3287:26
    frame #8: 0x00007dcf0f48f70c libQt6Widgets.so.6`QApplication::notify(this=<unavailable>, receiver=0x00007dcf0cf32580, e=0x00007ffd5124f8d0) at qapplication.cpp:0
    frame #9: 0x00007dcf0e4fdf20 libQt6Core.so.6`QCoreApplication::notifyInternal2(receiver=0x00007dcf0cf32580, event=0x00007ffd5124f8d0) at qcoreapplication.cpp:1142:18
    frame #10: 0x00007dcf0ecc0c25 libQt6Gui.so.6`QGuiApplicationPrivate::processDrop(w=0x00007dcf0cf32580, dropData=0x00007dcef82447b0, p=<unavailable>, supportedActions=(i = 1), buttons=(i = 0), modifiers=(i = 0)) at qguiapplication.cpp:3397:5
    frame #11: 0x00007dcf0ed1e885 libQt6Gui.so.6`QWindowSystemInterface::handleDrop(window=0x00007dcf0cf32580, dropData=0x00007dcef82447b0, p=0x00007dcf100022a8, supportedActions=(i = 1), buttons=(i = 0), modifiers=(i = 0)) at qwindowsysteminterface.cpp:858:12
    frame #12: 0x00007dcf0a88e62b libQt6WaylandClient.so.6`QtWaylandClient::QWaylandDataDevice::data_device_drop(this=0x00007dcf10002260) at qwaylanddatadevice.cpp:194:40
    frame #13: 0x00007dcf093b341a libffi.so.8`ffi_call_unix64 at unix64.S:104
    frame #14: 0x00007dcf093b7e95 libffi.so.8`ffi_call_int(cif=0x00007ffd5124fb60, fn=(libQt6WaylandClient.so.6`QtWayland::wl_data_device::handle_drop(void*, wl_data_device*) at qwayland-wayland.cpp:970), rvalue=0x0000000000000000, avalue=0x00007ffd5124fb90, closure=<unavailable>) at ffi64.c:673:3
    frame #15: 0x00007dcf093b79ec libffi.so.8`ffi_call(cif=0x00007ffd5124fb60, fn=(libQt6WaylandClient.so.6`QtWayland::wl_data_device::handle_drop(void*, wl_data_device*) at qwayland-wayland.cpp:970), rvalue=0x0000000000000000, avalue=0x00007ffd5124fb90) at ffi64.c:710:3
    frame #16: 0x00007dcf0cc76b43 libwayland-client.so.0`wl_closure_invoke(closure=0x00007dcf07d840d0, flags=<unavailable>, target=<unavailable>, opcode=4, data=<unavailable>) at connection.c:1228:2
    frame #17: 0x00007dcf0cc74bb8 libwayland-client.so.0`dispatch_event(display=<unavailable>, queue=<unavailable>) at wayland-client.c:1670:3
    frame #18: 0x00007dcf0cc74381 libwayland-client.so.0`wl_display_dispatch_queue_pending [inlined] dispatch_queue(display=0x00007dcf0fe0dc90, queue=<unavailable>) at wayland-client.c:1816:3
    frame #19: 0x00007dcf0cc7432b libwayland-client.so.0`wl_display_dispatch_queue_pending(display=0x00007dcf0fe0dc90, queue=0x00007dcf0fe0dd88) at wayland-client.c:2058:8
    frame #20: 0x00007dcf0cc7446c libwayland-client.so.0`wl_display_dispatch_pending(display=<unavailable>) at wayland-client.c:2121:9 [artificial]
    frame #21: 0x00007dcf0a843b95 libQt6WaylandClient.so.6`QtWaylandClient::EventThread::readAndDispatchEvents() [inlined] QtWaylandClient::EventThread::dispatchQueuePending(this=0x00007dcf0b707c90) at qwaylanddisplay.cpp:227:20
    frame #22: 0x00007dcf0a843b84 libQt6WaylandClient.so.6`QtWaylandClient::EventThread::readAndDispatchEvents(this=0x00007dcf0b707c90) at qwaylanddisplay.cpp:109:17
    frame #23: 0x00007dcf0e54c287 libQt6Core.so.6`QObject::event(this=0x00007dcf07a07600, e=0x00007dcef84c4e10) at qobject.cpp:1452:18
    frame #24: 0x00007dcf0f48e641 libQt6Widgets.so.6`QApplicationPrivate::notify_helper(this=0x00007dcf07a05c90, receiver=0x00007dcf07a07600, e=0x00007dcef84c4e10) at qapplication.cpp:3287:26
    frame #25: 0x00007dcf0f48f70c libQt6Widgets.so.6`QApplication::notify(this=<unavailable>, receiver=0x00007dcf07a07600, e=0x00007dcef84c4e10) at qapplication.cpp:0
    frame #26: 0x00007dcf0e4fdf20 libQt6Core.so.6`QCoreApplication::notifyInternal2(receiver=0x00007dcf07a07600, event=0x00007dcef84c4e10) at qcoreapplication.cpp:1142:18
    frame #27: 0x00007dcf0e4ff2b5 libQt6Core.so.6`QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) [inlined] QCoreApplication::sendEvent(receiver=0x00007dcf07a07600, event=0x00007dcef84c4e10) at qcoreapplication.cpp:1583:12
    frame #28: 0x00007dcf0e4ff2a5 libQt6Core.so.6`QCoreApplicationPrivate::sendPostedEvents(receiver=0x0000000000000000, event_type=0, data=0x00007dcf09603ea0) at qcoreapplication.cpp:1940:9
    frame #29: 0x00007dcf0e7c2365 libQt6Core.so.6`postEventSourceDispatch(_GSource*, int (*)(void*), void*) [inlined] QCoreApplication::sendPostedEvents(receiver=0x0000000000000000, event_type=0) at qcoreapplication.cpp:1797:5
    frame #30: 0x00007dcf0e7c234f libQt6Core.so.6`postEventSourceDispatch(s=0x00007dcf10002e30, (null)=<unavailable>, (null)=<unavailable>) at qeventdispatcher_glib.cpp:244:5
    frame #31: 0x00007dcf0b2ca02b libglib-2.0.so.0`g_main_context_dispatch_unlocked [inlined] g_main_dispatch(context=0x00007dcf0ce04290) at gmain.c:3344:27
    frame #32: 0x00007dcf0b2c9edf libglib-2.0.so.0`g_main_context_dispatch_unlocked(context=0x00007dcf0ce04290) at gmain.c:4152:7
    frame #33: 0x00007dcf0b2ca583 libglib-2.0.so.0`g_main_context_iterate_unlocked(context=0x00007dcf0ce04290, block=<unavailable>, dispatch=1, self=<unavailable>) at gmain.c:4217:5
    frame #34: 0x00007dcf0b2ca744 libglib-2.0.so.0`g_main_context_iteration(context=0x00007dcf0ce04290, may_block=1) at gmain.c:4282:12
    frame #35: 0x00007dcf0e7c1a01 libQt6Core.so.6`QEventDispatcherGlib::processEvents(this=0x00007dcf0b600130, flags=(i = 164)) at qeventdispatcher_glib.cpp:394:19
    frame #36: 0x00007dcf0e508b4a libQt6Core.so.6`QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) [inlined] QEventLoop::processEvents(this=0x00007ffd51250340, flags=(i = 164)) at qeventloop.cpp:100:55
    frame #37: 0x00007dcf0e508b2c libQt6Core.so.6`QEventLoop::exec(this=0x00007ffd51250340, flags=<unavailable>) at qeventloop.cpp:182:9
    frame #38: 0x00007dcf0e4fe63d libQt6Core.so.6`QCoreApplication::exec() at qcoreapplication.cpp:1486:32
    frame #39: 0x00005904de6d3b39 konsole`main(argc=1, argv=0x00007ffd51250568) at main.cpp:0:1
    frame #40: 0x00007dcf1025830d ld-musl-x86_64.so.1`libc_start_main_stage2(main=(konsole`main + 32 at main.cpp:131), argc=<unavailable>, argv=0x00007ffd51250568) at __libc_start_main.c:95:7

i suspect that the root issue is somewhere in glib but i'm not entirely certain

nekopsykose commented 1 month ago

just asan on glib before wasn't that useful, but building kgx with all its deps as subprojects makes asan detect a uaf

==368639==ERROR: AddressSanitizer: heap-use-after-free on address 0x50400025f150 at pc 0x7353c4ec2eeb bp 0x7ffd48ad3630 sp 0x7ffd48ad3628
READ of size 8 at 0x50400025f150 thread T0
    #0 0x7353c4ec2eea in g_type_check_instance_is_fundamentally_a /tmp/bldroot/builddir/gnome-console-46.0/out-d/../subprojects/glib/gobject/gtype.c:4151:41
    #1 0x7353c4e85bfd in g_object_unref /tmp/bldroot/builddir/gnome-console-46.0/out-d/../subprojects/glib/gobject/gobject.c:4327:3
    #2 0x7353c414eb8f in g_hash_table_remove_internal /tmp/bldroot/builddir/gnome-console-46.0/out-d/../subprojects/glib/glib/ghash.c:1717:3
    #3 0x7353c36a6bed in gtk_widget_real_destroy /tmp/bldroot/builddir/gnome-console-46.0/out-d/../subprojects/gtk/gtk/gtkwidget.c:7634:17
    #4 0x7353c36a6bed in gtk_widget_dispose /tmp/bldroot/builddir/gnome-console-46.0/out-d/../subprojects/gtk/gtk/gtkwidget.c:7497:7
    #5 0x7353c4e85f15 in g_object_unref /tmp/bldroot/builddir/gnome-console-46.0/out-d/../subprojects/glib/gobject/gobject.c:4415:3
    #6 0x7353c28878b8 in adw_tab_page_finalize /tmp/bldroot/builddir/gnome-console-46.0/out-d/../subprojects/adwaita/src/adw-tab-view.c:380:3
    #7 0x7353c4e8625b in g_object_unref /tmp/bldroot/builddir/gnome-console-46.0/out-d/../subprojects/glib/gobject/gobject.c:4486:3
    #8 0x7353c4ecd9cb in g_value_unset /tmp/bldroot/builddir/gnome-console-46.0/out-d/../subprojects/glib/gobject/gvalue.c:197:5
    #9 0x7353c4eae697 in signal_emit_valist_unlocked /tmp/bldroot/builddir/gnome-console-46.0/out-d/../subprojects/glib/gobject/gsignal.c:3552:5
    #10 0x7353c4eaef10 in g_signal_emit_valist /tmp/bldroot/builddir/gnome-console-46.0/out-d/../subprojects/glib/gobject/gsignal.c:3262:7
    #11 0x7353c4eaef10 in g_signal_emit /tmp/bldroot/builddir/gnome-console-46.0/out-d/../subprojects/glib/gobject/gsignal.c:3582:3
    #12 0x7353c2883e73 in adw_tab_view_close_page /tmp/bldroot/builddir/gnome-console-46.0/out-d/../subprojects/adwaita/src/adw-tab-view.c:4291:3
    #13 0x7353c3283073 in _gtk_marshal_VOID__INT_DOUBLE_DOUBLEv /tmp/bldroot/builddir/gnome-console-46.0/out-d/subprojects/gtk/gtk/gtkmarshalers.c:3688:3
    #14 0x7353c4e78ba0 in _g_closure_invoke_va /tmp/bldroot/builddir/gnome-console-46.0/out-d/../subprojects/glib/gobject/gclosure.c:896:7
    #15 0x7353c4eacba1 in signal_emit_valist_unlocked /tmp/bldroot/builddir/gnome-console-46.0/out-d/../subprojects/glib/gobject/gsignal.c:3423:8
    #16 0x7353c4eaef10 in g_signal_emit_valist /tmp/bldroot/builddir/gnome-console-46.0/out-d/../subprojects/glib/gobject/gsignal.c:3262:7
    #17 0x7353c4eaef10 in g_signal_emit /tmp/bldroot/builddir/gnome-console-46.0/out-d/../subprojects/glib/gobject/gsignal.c:3582:3
    #18 0x7353c341e68f in gtk_gesture_click_end /tmp/bldroot/builddir/gnome-console-46.0/out-d/../subprojects/gtk/gtk/gtkgestureclick.c:275:5
    #19 0x7353c4e81390 in g_cclosure_marshal_VOID__BOXEDv /tmp/bldroot/builddir/gnome-console-46.0/out-d/../subprojects/glib/gobject/gmarshal.c:1686:3
    #20 0x7353c4e78ba0 in _g_closure_invoke_va /tmp/bldroot/builddir/gnome-console-46.0/out-d/../subprojects/glib/gobject/gclosure.c:896:7
    #21 0x7353c4eacba1 in signal_emit_valist_unlocked /tmp/bldroot/builddir/gnome-console-46.0/out-d/../subprojects/glib/gobject/gsignal.c:3423:8
    #22 0x7353c4eaef10 in g_signal_emit_valist /tmp/bldroot/builddir/gnome-console-46.0/out-d/../subprojects/glib/gobject/gsignal.c:3262:7
    #23 0x7353c4eaef10 in g_signal_emit /tmp/bldroot/builddir/gnome-console-46.0/out-d/../subprojects/glib/gobject/gsignal.c:3582:3
    #24 0x7353c3416edd in _gtk_gesture_set_recognized /tmp/bldroot/builddir/gnome-console-46.0/out-d/../subprojects/gtk/gtk/gtkgesture.c
    #25 0x7353c3416edd in _gtk_gesture_check_recognized /tmp/bldroot/builddir/gnome-console-46.0/out-d/../subprojects/gtk/gtk/gtkgesture.c
    #26 0x7353c341a40f in gtk_gesture_handle_event /tmp/bldroot/builddir/gnome-console-46.0/out-d/../subprojects/gtk/gtk/gtkgesture.c:686:15
    #27 0x7353c3421136 in gtk_gesture_single_handle_event /tmp/bldroot/builddir/gnome-console-46.0/out-d/../subprojects/gtk/gtk/gtkgesturesingle.c:227:12
    #28 0x7353c33ba122 in gtk_event_controller_handle_event /tmp/bldroot/builddir/gnome-console-46.0/out-d/../subprojects/gtk/gtk/gtkeventcontroller.c:362:12
    #29 0x7353c3691310 in gtk_widget_run_controllers /tmp/bldroot/builddir/gnome-console-46.0/out-d/../subprojects/gtk/gtk/gtkwidget.c:4587:30
    #30 0x7353c34ab13a in gtk_propagate_event_internal /tmp/bldroot/builddir/gnome-console-46.0/out-d/../subprojects/gtk/gtk/gtkmain.c:1948:29
    #31 0x7353c34aa185 in gtk_main_do_event /tmp/bldroot/builddir/gnome-console-46.0/out-d/../subprojects/gtk/gtk/gtkmain.c:1688:23
    #32 0x7353c39fd958 in _gdk_marshal_BOOLEAN__POINTERv /tmp/bldroot/builddir/gnome-console-46.0/out-d/subprojects/gtk/gdk/gdkmarshalers.c:302:14
    #33 0x7353c3b28060 in gdk_surface_event_marshallerv /tmp/bldroot/builddir/gnome-console-46.0/out-d/../subprojects/gtk/gdk/gdksurface.c:462:3
    #34 0x7353c4e78ba0 in _g_closure_invoke_va /tmp/bldroot/builddir/gnome-console-46.0/out-d/../subprojects/glib/gobject/gclosure.c:896:7
    #35 0x7353c4eacba1 in signal_emit_valist_unlocked /tmp/bldroot/builddir/gnome-console-46.0/out-d/../subprojects/glib/gobject/gsignal.c:3423:8
    #36 0x7353c4eaef10 in g_signal_emit_valist /tmp/bldroot/builddir/gnome-console-46.0/out-d/../subprojects/glib/gobject/gsignal.c:3262:7
    #37 0x7353c4eaef10 in g_signal_emit /tmp/bldroot/builddir/gnome-console-46.0/out-d/../subprojects/glib/gobject/gsignal.c:3582:3
    #38 0x7353c3b26792 in gdk_surface_handle_event /tmp/bldroot/builddir/gnome-console-46.0/out-d/../subprojects/gtk/gdk/gdksurface.c:2932:3
    #39 0x7353c3a130b1 in gdk_event_source_dispatch /tmp/bldroot/builddir/gnome-console-46.0/out-d/../subprojects/gtk/gdk/wayland/gdkeventsource.c:142:7
    #40 0x7353c417e5c2 in g_main_dispatch /tmp/bldroot/builddir/gnome-console-46.0/out-d/../subprojects/glib/glib/gmain.c:3348:27
    #41 0x7353c417e5c2 in g_main_context_dispatch_unlocked /tmp/bldroot/builddir/gnome-console-46.0/out-d/../subprojects/glib/glib/gmain.c:4197:7
    #42 0x7353c417f523 in g_main_context_iterate_unlocked /tmp/bldroot/builddir/gnome-console-46.0/out-d/../subprojects/glib/glib/gmain.c:4262:5
    #43 0x7353c417f895 in g_main_context_iteration /tmp/bldroot/builddir/gnome-console-46.0/out-d/../subprojects/glib/glib/gmain.c:4327:12
    #44 0x7353c4684921 in g_application_run /tmp/bldroot/builddir/gnome-console-46.0/out-d/../subprojects/glib/gio/gapplication.c:2715:7
    #45 0x630eb033f405 in main /tmp/bldroot/builddir/gnome-console-46.0/out-d/../src/main.c:44:10

0x50400025f150 is located 0 bytes inside of 40-byte region [0x50400025f150,0x50400025f178)
freed by thread T0 here:
    #0 0x630eb02fff26 in free (/tmp/bldroot/builddir/gnome-console-46.0/out-d/src/kgx+0xfdf26) (BuildId: 13695e40556ebeab)
    #1 0x7353c4eb895d in g_type_free_instance /tmp/bldroot/builddir/gnome-console-46.0/out-d/../subprojects/glib/gobject/gtype.c:2030:5
    #2 0x630eb03427d8 in glib_autoptr_clear_GObject /tmp/bldroot/builddir/gnome-console-46.0/out-d/../subprojects/glib/gobject/gobject-autocleanups.h:31:1
    #3 0x630eb03427d8 in glib_autoptr_clear_KgxDropTarget /tmp/bldroot/builddir/gnome-console-46.0/out-d/../src/kgx-drop-target.h:27:1
    #4 0x630eb03427d8 in glib_autoptr_cleanup_KgxDropTarget /tmp/bldroot/builddir/gnome-console-46.0/out-d/../src/kgx-drop-target.h:27:1
    #5 0x630eb03427d8 in got_text /tmp/bldroot/builddir/gnome-console-46.0/out-d/../src/kgx-drop-target.c:337:1
    #6 0x7353c462f45b in g_task_return_now /tmp/bldroot/builddir/gnome-console-46.0/out-d/../subprojects/glib/gio/gtask.c:1361:7
    #7 0x7353c462c90e in g_task_return /tmp/bldroot/builddir/gnome-console-46.0/out-d/../subprojects/glib/gio/gtask.c:1430:15
    #8 0x7353c3ad5e20 in gdk_drop_read_value_done /tmp/bldroot/builddir/gnome-console-46.0/out-d/../subprojects/gtk/gdk/gdkdrop.c:734:5
    #9 0x7353c3aa92be in gdk_content_deserializer_emit_callback /tmp/bldroot/builddir/gnome-console-46.0/out-d/../subprojects/gtk/gdk/gdkcontentdeserializer.c:341:7
    #10 0x7353c417e5c2 in g_main_dispatch /tmp/bldroot/builddir/gnome-console-46.0/out-d/../subprojects/glib/glib/gmain.c:3348:27
    #11 0x7353c417e5c2 in g_main_context_dispatch_unlocked /tmp/bldroot/builddir/gnome-console-46.0/out-d/../subprojects/glib/glib/gmain.c:4197:7
    #12 0x7353c417f523 in g_main_context_iterate_unlocked /tmp/bldroot/builddir/gnome-console-46.0/out-d/../subprojects/glib/glib/gmain.c:4262:5
    #13 0x7353c417f895 in g_main_context_iteration /tmp/bldroot/builddir/gnome-console-46.0/out-d/../subprojects/glib/glib/gmain.c:4327:12
    #14 0x7353c4684921 in g_application_run /tmp/bldroot/builddir/gnome-console-46.0/out-d/../subprojects/glib/gio/gapplication.c:2715:7
    #15 0x630eb033f405 in main /tmp/bldroot/builddir/gnome-console-46.0/out-d/../src/main.c:44:10
    #16 0x7353c505826c  (/lib/ld-musl-x86_64.so.1+0x5826c) (BuildId: 0aa49ea1e4957acd)
    #17 0x630eb027d8e5 in _start (/tmp/bldroot/builddir/gnome-console-46.0/out-d/src/kgx+0x7b8e5) (BuildId: 13695e40556ebeab)

previously allocated by thread T0 here:
    #0 0x630eb0300209 in calloc (/tmp/bldroot/builddir/gnome-console-46.0/out-d/src/kgx+0xfe209) (BuildId: 13695e40556ebeab)
    #1 0x7353c419295a in g_malloc0 /tmp/bldroot/builddir/gnome-console-46.0/out-d/../subprojects/glib/glib/gmem.c:133:13
    #2 0x7353c4eb7ab9 in g_type_create_instance /tmp/bldroot/builddir/gnome-console-46.0/out-d/../subprojects/glib/gobject/gtype.c:1933:17
    #3 0x7353c4e88d7d in g_object_new_internal /tmp/bldroot/builddir/gnome-console-46.0/out-d/../subprojects/glib/gobject/gobject.c:2606:24
    #4 0x7353c4e874bb in g_object_new_with_properties /tmp/bldroot/builddir/gnome-console-46.0/out-d/../subprojects/glib/gobject/gobject.c:2769:14
    #5 0x7353c4e874bb in g_object_new /tmp/bldroot/builddir/gnome-console-46.0/out-d/../subprojects/glib/gobject/gobject.c:2415:12
    #6 0x7353c3332bee in _gtk_builder_construct /tmp/bldroot/builddir/gnome-console-46.0/out-d/../subprojects/gtk/gtk/gtkbuilder.c:999:15
    #7 0x7353c334834a in builder_construct /tmp/bldroot/builddir/gnome-console-46.0/out-d/../subprojects/gtk/gtk/gtkbuilderparser.c:474:16
    #8 0x7353c3343db1 in end_element /tmp/bldroot/builddir/gnome-console-46.0/out-d/../subprojects/gtk/gtk/gtkbuilderparser.c:1948:29
    #9 0x7353c334001f in proxy_end_element /tmp/bldroot/builddir/gnome-console-46.0/out-d/../subprojects/gtk/gtk/gtkbuilderparser.c:104:5
    #10 0x7353c36fe61b in replay_end_element /tmp/bldroot/builddir/gnome-console-46.0/out-d/../subprojects/gtk/gtk/gtkbuilderprecompile.c:660:3
    #11 0x7353c36fe61b in _gtk_buildable_parser_replay_precompiled /tmp/bldroot/builddir/gnome-console-46.0/out-d/../subprojects/gtk/gtk/gtkbuilderprecompile.c:742:17
    #12 0x7353c333f95e in gtk_buildable_parse_context_parse /tmp/bldroot/builddir/gnome-console-46.0/out-d/../subprojects/gtk/gtk/gtkbuilderparser.c:191:13
    #13 0x7353c333f95e in _gtk_builder_parser_parse_buffer /tmp/bldroot/builddir/gnome-console-46.0/out-d/../subprojects/gtk/gtk/gtkbuilderparser.c:2203:8
    #14 0x7353c3335d2c in gtk_builder_extend_with_template /tmp/bldroot/builddir/gnome-console-46.0/out-d/../subprojects/gtk/gtk/gtkbuilder.c:1561:3
    #15 0x7353c369f8e4 in gtk_widget_init_template /tmp/bldroot/builddir/gnome-console-46.0/out-d/../subprojects/gtk/gtk/gtkwidget.c:11225:8
    #16 0x630eb03506fe in kgx_tab_init /tmp/bldroot/builddir/gnome-console-46.0/out-d/../src/kgx-tab.c:846:3
    #17 0x7353c4eb7c01 in g_type_create_instance /tmp/bldroot/builddir/gnome-console-46.0/out-d/../subprojects/glib/gobject/gtype.c:1945:4
    #18 0x7353c4e88d7d in g_object_new_internal /tmp/bldroot/builddir/gnome-console-46.0/out-d/../subprojects/glib/gobject/gobject.c:2606:24
    #19 0x7353c4e887d7 in g_object_new_valist /tmp/bldroot/builddir/gnome-console-46.0/out-d/../subprojects/glib/gobject/gobject.c:2945:16
    #20 0x7353c4e8747b in g_object_new /tmp/bldroot/builddir/gnome-console-46.0/out-d/../subprojects/glib/gobject/gobject.c:2418:12
    #21 0x630eb033f8f9 in kgx_application_add_terminal /tmp/bldroot/builddir/gnome-console-46.0/out-d/../src/kgx-application.c:785:9
    #22 0x630eb035d455 in new_tab_activated /tmp/bldroot/builddir/gnome-console-46.0/out-d/../src/kgx-window.c:490:3
    #23 0x7353c36f00c7 in gtk_action_muxer_activate_action /tmp/bldroot/builddir/gnome-console-46.0/out-d/../subprojects/gtk/gtk/gtkactionmuxer.c:861:23
    #24 0x7353c3564e13 in gtk_named_action_activate /tmp/bldroot/builddir/gnome-console-46.0/out-d/../subprojects/gtk/gtk/gtkshortcutaction.c:1116:3
    #25 0x7353c35673b5 in gtk_shortcut_controller_run_controllers /tmp/bldroot/builddir/gnome-console-46.0/out-d/../subprojects/gtk/gtk/gtkshortcutcontroller.c:428:11
    #26 0x7353c35673b5 in gtk_shortcut_controller_handle_event /tmp/bldroot/builddir/gnome-console-46.0/out-d/../subprojects/gtk/gtk/gtkshortcutcontroller.c:473:10
    #27 0x7353c33ba122 in gtk_event_controller_handle_event /tmp/bldroot/builddir/gnome-console-46.0/out-d/../subprojects/gtk/gtk/gtkeventcontroller.c:362:12
    #28 0x7353c3691310 in gtk_widget_run_controllers /tmp/bldroot/builddir/gnome-console-46.0/out-d/../subprojects/gtk/gtk/gtkwidget.c:4587:30
    #29 0x7353c3691823 in _gtk_widget_captured_event /tmp/bldroot/builddir/gnome-console-46.0/out-d/../subprojects/gtk/gtk/gtkwidget.c:4748:16
    #30 0x7353c34ab040 in gtk_propagate_event_internal /tmp/bldroot/builddir/gnome-console-46.0/out-d/../subprojects/gtk/gtk/gtkmain.c:1916:25
    #31 0x7353c34aa185 in gtk_main_do_event /tmp/bldroot/builddir/gnome-console-46.0/out-d/../subprojects/gtk/gtk/gtkmain.c:1688:23
    #32 0x7353c39fd958 in _gdk_marshal_BOOLEAN__POINTERv /tmp/bldroot/builddir/gnome-console-46.0/out-d/subprojects/gtk/gdk/gdkmarshalers.c:302:14
    #33 0x7353c3b28060 in gdk_surface_event_marshallerv /tmp/bldroot/builddir/gnome-console-46.0/out-d/../subprojects/gtk/gdk/gdksurface.c:462:3

SUMMARY: AddressSanitizer: heap-use-after-free /tmp/bldroot/builddir/gnome-console-46.0/out-d/../subprojects/glib/gobject/gtype.c:4151:41 in g_type_check_instance_is_fundamentally_a
Shadow bytes around the buggy address:
  0x50400025ee80: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fd
  0x50400025ef00: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
  0x50400025ef80: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
  0x50400025f000: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
  0x50400025f080: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 00
=>0x50400025f100: fa fa fd fd fd fd fd fd fa fa[fd]fd fd fd fd fa
  0x50400025f180: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 fa
  0x50400025f200: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fa
  0x50400025f280: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fd
  0x50400025f300: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fa
  0x50400025f380: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==368639==ABORTING

nekopsykose commented 1 month ago

unsurprisingly dropping the autoptr cleanup in src/kgx-drop-target.c:321 fixes it

triallax commented 1 month ago

that indeed fixes it and seems correct, does this mean that konsole's issue originates from a different place?

nekopsykose commented 1 month ago

i don't think it seems correct, it probably leaks memory or something. but i don't know anything about the code :D

and yeah for all i know konsole is unrelated..

q66 commented 1 month ago

it does leak memory, something is using the drop target object after the callback finishes (perhaps some nonsense with async callbacks, you can never know about their order)

triallax commented 1 month ago

then we want to copy the pointer data instead?

triallax commented 1 month ago

though not sure if the pointer being used after the callback finishes is intended in the first place

nekopsykose commented 1 month ago

it would be nice to test gnome-console master since it might just be fixed but that requires first patching vte in the subproject since it has from_chars float and i wasn't bothered

triallax commented 1 month ago

i looked a bit more into konsole, the call to extractDroppedText at line 3034 of src/terminalDisplay/TerminalDisplay.cpp calls some exec thing at line 2977, which calls into whatever event loop thing qt has, and on gnome that somehow results in QtWaylandClient::QWaylandDataDevice::data_device_leave getting called, which frees mimeData. this causes the mimeData access on 3066 to fail

this patch resolves it, but i'm not sure how good of an idea it is:

diff --git a/src/terminalDisplay/TerminalDisplay.cpp b/src/terminalDisplay/TerminalDisplay.cpp
index fa7e67958..b810e172a 100644
--- a/src/terminalDisplay/TerminalDisplay.cpp
+++ b/src/terminalDisplay/TerminalDisplay.cpp
@@ -3029,6 +3029,7 @@ void TerminalDisplay::dropEvent(QDropEvent *event)
     }
     auto urls = mimeData->urls();

+    bool canBePasted = mimeData->hasFormat(QStringLiteral("text/plain")) || mimeData->hasFormat(QStringLiteral("text/uri-list"));
     QString dropText;
     if (!urls.isEmpty()) {
         dropText = extractDroppedText(urls);
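Review bot: the hoisted `canBePasted` line carries no explanation of why it must sit before `extractDroppedText(urls)`, so a later cleanup could move the `hasFormat()` checks back down and silently reintroduce the crash. Add a short comment on the new line stating the invariant this hunk relies on, e.g. `// extractDroppedText() spins an event loop; the platform may destroy mimeData meanwhile, so read everything needed from it first`. The line is also well over the surrounding width; splitting the two `hasFormat()` calls across lines would match the existing style of the condition it replaces.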
@@ -3063,7 +3064,7 @@ void TerminalDisplay::dropEvent(QDropEvent *event)
         dropText = mimeData->text();
     }

-    if (mimeData->hasFormat(QStringLiteral("text/plain")) || mimeData->hasFormat(QStringLiteral("text/uri-list"))) {
+    if (canBePasted) {
         doPaste(dropText, false);
     }
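Review bot: the `dropText = mimeData->text();` branch visible at the top of this hunk still dereferences `mimeData` after the `urls` branch. That is only sound on the path where `extractDroppedText()` (and the nested event loop it runs) did not execute; if that is an `else` of the `!urls.isEmpty()` check it holds, but nothing in the diff states it. Either note that assumption next to the branch, or read `mimeData->text()` into a local alongside `canBePasted` before the branch so that no access to `mimeData` remains after the loop can have run, which also makes the `if (canBePasted)` replacement self-evidently complete.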

nekopsykose commented 1 month ago

it seems correct to me by your reasoning (the data is actually freed after so using it earlier is correct). but i think you'd want to at least make a bz issue (open it against product:konsole on bugs.kde i guess)
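The konsole failure and its fix, as an added example that is not konsole's or Qt's code: a minimal model of the lifetime hazard described in the last few comments. `DataDevice` stands in for `QWaylandDataDevice` (it owns the drop's mime data and releases it on "leave"), `NestedLoop` for the event loop that `extractDroppedText()` spins, and the two `dropEvent` variants mirror the pre- and post-patch ordering. All names and the constructed drop scenario are assumptions of this model; the original code dereferences freed memory where this model returns `DanglingAccess` instead.

```cpp
// Added example (not konsole's or Qt's code): model of a drop handler whose
// helper runs a nested event loop, during which the platform layer can
// destroy the mime data the handler still holds a raw pointer to.
#include <algorithm>
#include <functional>
#include <iostream>
#include <memory>
#include <string>
#include <vector>

struct MimeData {
    std::vector<std::string> urls;
    std::vector<std::string> formats;
    std::string text;
    bool hasFormat(const std::string &f) const {
        return std::find(formats.begin(), formats.end(), f) != formats.end();
    }
};

// Owns the mime data of the drop in progress; a pointer-leave from the
// compositor destroys it (the data_device_leave path from the thread).
struct DataDevice {
    std::unique_ptr<MimeData> current;
    void leave() { current.reset(); }
};

// Stand-in for a nested event loop: whatever the platform queued while the
// drop handler was busy gets delivered here.
struct NestedLoop {
    std::vector<std::function<void()>> pending;
    void exec() {
        auto work = std::move(pending);
        pending.clear();
        for (auto &fn : work) fn();
    }
};

enum class DropResult { Pasted, NotPastable, DanglingAccess };

struct Terminal {
    DataDevice &dev;
    NestedLoop &loop;
    std::string pasted;  // what doPaste() received
    Terminal(DataDevice &d, NestedLoop &l) : dev(d), loop(l) {}

    // Models the helper: it runs the event loop before producing the text,
    // so the mime data may no longer exist when it returns.
    std::string extractDroppedText(const std::vector<std::string> &urls) {
        loop.exec();
        std::string out;
        for (const auto &u : urls) out += u + ' ';
        return out;
    }
    void doPaste(const std::string &s) { pasted = s; }
};

// Pre-patch ordering: the hasFormat() checks run after the nested loop.
// Where the real code would read freed memory, the model checks whether the
// device still owns the data and reports DanglingAccess instead.
DropResult dropEventOriginal(Terminal &t, MimeData *mimeData) {
    auto urls = mimeData->urls;
    std::string dropText;
    if (!urls.empty())
        dropText = t.extractDroppedText(urls);
    else
        dropText = mimeData->text;
    if (!t.dev.current)
        return DropResult::DanglingAccess;  // real code: use-after-free here
    if (mimeData->hasFormat("text/plain") || mimeData->hasFormat("text/uri-list")) {
        t.doPaste(dropText);
        return DropResult::Pasted;
    }
    return DropResult::NotPastable;
}

// Patched ordering: everything needed from mimeData is read before the loop.
DropResult dropEventPatched(Terminal &t, MimeData *mimeData) {
    auto urls = mimeData->urls;
    bool canBePasted = mimeData->hasFormat("text/plain") ||
                       mimeData->hasFormat("text/uri-list");
    std::string dropText;
    if (!urls.empty())
        dropText = t.extractDroppedText(urls);  // mimeData is not touched after this
    else
        dropText = mimeData->text;
    if (canBePasted) {
        t.doPaste(dropText);
        return DropResult::Pasted;
    }
    return DropResult::NotPastable;
}

struct Outcome { DropResult result; std::string pasted; };

// Constructed scenario: one URL drop; with leaveDuringLoop the compositor's
// "leave" is delivered while the nested loop runs (the GNOME case above).
Outcome runScenario(bool patched, bool leaveDuringLoop) {
    DataDevice dev;
    NestedLoop loop;
    dev.current.reset(new MimeData);
    dev.current->urls = {"https://example.invalid/"};
    dev.current->formats = {"text/uri-list", "text/plain"};
    MimeData *raw = dev.current.get();
    if (leaveDuringLoop) loop.pending.push_back([&dev] { dev.leave(); });
    Terminal t(dev, loop);
    DropResult r = patched ? dropEventPatched(t, raw) : dropEventOriginal(t, raw);
    return {r, t.pasted};
}

int main() {
    bool bad = runScenario(false, true).result == DropResult::DanglingAccess;
    bool good = runScenario(true, true).result == DropResult::Pasted;
    std::cout << "original ordering with leave during loop: "
              << (bad ? "dangling access" : "ok") << '\n'
              << "patched ordering with leave during loop: "
              << (good ? "pasted" : "not pasted") << '\n';
}
```

The model makes the ordering constraint explicit: anything the handler needs from the platform-owned object must be copied out before any call that can re-enter the event loop, because the object's lifetime is controlled by events that loop may deliver. The same reasoning applies to the kgx side of the thread, where an async callback's cleanup released an object that later code still used.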