glib-2.0: Backport GMainContext fixes

Backport fixes introduced in 2.63.6 for memory leaks and memory corruption in
GMainContext

Upstream merge: https://gitlab.gnome.org/GNOME/glib/-/merge_requests/1353

Fixes SIGSEGV in GStreamer:

    Thread 2 "multihandlesink" received signal SIGSEGV, Segmentation fault.
    [Switching to Thread 0x7ffff6bb9700 (LWP 18045)]
    0x00007ffff7d65992 in g_source_unref_internal (source=0x7ffff00047d0, context=0x55555561c800, have_lock=1) at ../../../../../../../repo/workspace/sources/glib-2.0/glib/gmain.c:2146
    2146    ../../../../../../../repo/workspace/sources/glib-2.0/glib/gmain.c: No such file or directory.
    (gdb) bt
    #0  0x00007ffff7d65992 in g_source_unref_internal (source=0x7ffff00047d0, context=0x55555561c800, have_lock=1) at ../../../../../../../repo/workspace/sources/glib-2.0/glib/gmain.c:2146
    #1  0x00007ffff7d65bb6 in g_source_iter_next (iter=iter@entry=0x7ffff6bb8db0, source=source@entry=0x7ffff6bb8da8) at ../../../../../../../repo/workspace/sources/glib-2.0/glib/gmain.c:980
    #2  0x00007ffff7d67ef3 in g_main_context_prepare (context=context@entry=0x55555561c800, priority=priority@entry=0x7ffff6bb8e30) at ../../../../../../../repo/workspace/sources/glib-2.0/glib/gmain.c:944
    #3  0x00007ffff7d6896b in g_main_context_iterate (context=context@entry=0x55555561c800, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at ../../../../../../../repo/workspace/sources/glib-2.0/glib/gmain.c:3900
    #4  0x00007ffff7d68b4c in g_main_context_iteration (context=0x55555561c800, may_block=may_block@entry=1) at ../../../../../../../repo/workspace/sources/glib-2.0/glib/gmain.c:3981
    #5  0x00007ffff6be4482 in gst_multi_socket_sink_thread (mhsink=0x555555679ab0 [GstMultiSocketSink]) at ../../../gst-plugins-base-1.14.4/gst/tcp/gstmultisocketsink.c:1164
    #6  0x00007ffff7d8fb35 in g_thread_proxy (data=0x55555565c770) at ../../../../../../../repo/workspace/sources/glib-2.0/glib/gthread.c:784
    #7  0x00007ffff7841ebd in start_thread (arg=<optimized out>) at pthread_create.c:486
    #8  0x00007ffff7aa12bf in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
    #8  0x00007ffff7aa12bf in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Signed-off-by: Daniel Gomez <daniel@qtec.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

Author: Daniel Gomez

meta/recipes-core/glib-2.0/glib-2.0/0011-GMainContext-Fix-GSource-iterator-if-iteration-can-m.patch

@@ -0,0 +1,43 @@
+From ef2be42998e3fc10299055a5a01f7c791538174c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Mon, 3 Feb 2020 15:38:28 +0200
+Subject: [PATCH] GMainContext - Fix GSource iterator if iteration can modify
+ the list
+
+We first have to ref the next source and then unref the previous one.
+This might be the last reference to the previous source, and freeing the
+previous source might unref and free the next one which would then leave
+use with a dangling pointer here.
+
+Fixes https://gitlab.gnome.org/GNOME/glib/issues/2031
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/-/commit/b06c48de7554607ff3fb58d6c0510cfa5088e909]
+
+---
+ glib/gmain.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/glib/gmain.c b/glib/gmain.c
+index af979c8..a9a287d 100644
+--- a/glib/gmain.c
++++ b/glib/gmain.c
+@@ -969,13 +969,17 @@ g_source_iter_next (GSourceIter *iter, GSource **source)
+    * GSourceList to be removed from source_lists (if iter->source is
+    * the only source in its list, and it is destroyed), so we have to
+    * keep it reffed until after we advance iter->current_list, above.
++   *
++   * Also we first have to ref the next source before unreffing the
++   * previous one as unreffing the previous source can potentially
++   * free the next one.
+    */
++  if (next_source && iter->may_modify)
++    g_source_ref (next_source);
+
+   if (iter->source && iter->may_modify)
+     g_source_unref_internal (iter->source, iter->context, TRUE);
+   iter->source = next_source;
+-  if (iter->source && iter->may_modify)
+-    g_source_ref (iter->source);
+
+   *source = iter->source;
+   return *source != NULL;

meta/recipes-core/glib-2.0/glib-2.0/0012-GMainContext-Fix-memory-leaks-and-memory-corruption-.patch

@@ -0,0 +1,109 @@
+From 611430a32a46d0dc806a829161e2dccf9c0196a8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Mon, 3 Feb 2020 15:35:51 +0200
+Subject: [PATCH] GMainContext - Fix memory leaks and memory corruption when
+ freeing sources while freeing a context
+
+Instead of destroying sources directly while freeing the context, and
+potentially freeing them if this was the last reference to them, collect
+new references of all sources in a separate list before and at the same
+time invalidate their context so that they can't access it anymore. Only
+once all sources have their context invalidated, destroy them while
+still keeping a reference to them. Once all sources are destroyed we get
+rid of the additional references and free them if nothing else keeps a
+reference to them anymore.
+
+This fixes a regression introduced by 26056558be in 2012.
+
+The previous code that invalidated the context of each source and then
+destroyed it before going to the next source without keeping an
+additional reference caused memory leaks or memory corruption depending
+on the order of the sources in the sources lists.
+
+If a source was destroyed it might happen that this was the last
+reference to this source, and it would then be freed. This would cause
+the finalize function to be called, which might destroy and unref
+another source and potentially free it. This other source would then
+either
+- go through the normal free logic and change the intern linked list
+  between the sources, while other sources that are unreffed as part of
+  the main context freeing would not. As such the list would be in an
+  inconsistent state and we might dereference freed memory.
+- go through the normal destroy and free logic but because the context
+  pointer was already invalidated it would simply mark the source as
+  destroyed without actually removing it from the context. This would
+  then cause a memory leak because the reference owned by the context is
+  not freed.
+
+Fixes https://github.com/gtk-rs/glib/issues/583 while still keeping
+https://bugzilla.gnome.org/show_bug.cgi?id=661767 fixes.
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/-/commit/aa20167d419c649f34fed06a9463890b41b1eba0]
+
+---
+ glib/gmain.c | 35 ++++++++++++++++++++++++++++++++++-
+ 1 file changed, 34 insertions(+), 1 deletion(-)
+
+diff --git a/glib/gmain.c b/glib/gmain.c
+index a9a287d..10ba2f8 100644
+--- a/glib/gmain.c
++++ b/glib/gmain.c
+@@ -538,6 +538,7 @@ g_main_context_unref (GMainContext *context)
+   GSourceIter iter;
+   GSource *source;
+   GList *sl_iter;
++  GSList *s_iter, *remaining_sources = NULL;
+   GSourceList *list;
+   guint i;
+
+@@ -557,10 +558,30 @@ g_main_context_unref (GMainContext *context)
+
+   /* g_source_iter_next() assumes the context is locked. */
+   LOCK_CONTEXT (context);
+-  g_source_iter_init (&iter, context, TRUE);
++
++  /* First collect all remaining sources from the sources lists and store a
++   * new reference in a separate list. Also set the context of the sources
++   * to NULL so that they can't access a partially destroyed context anymore.
++   *
++   * We have to do this first so that we have a strong reference to all
++   * sources and destroying them below does not also free them, and so that
++   * none of the sources can access the context from their finalize/dispose
++   * functions. */
++  g_source_iter_init (&iter, context, FALSE);
+   while (g_source_iter_next (&iter, &source))
+     {
+       source->context = NULL;
++      remaining_sources = g_slist_prepend (remaining_sources, g_source_ref (source));
++    }
++  g_source_iter_clear (&iter);
++
++  /* Next destroy all sources. As we still hold a reference to all of them,
++   * this won't cause any of them to be freed yet and especially prevents any
++   * source that unrefs another source from its finalize function to be freed.
++   */
++  for (s_iter = remaining_sources; s_iter; s_iter = s_iter->next)
++    {
++      source = s_iter->data;
+       g_source_destroy_internal (source, context, TRUE);
+     }
+   UNLOCK_CONTEXT (context);
+@@ -585,6 +606,18 @@ g_main_context_unref (GMainContext *context)
+   g_cond_clear (&context->cond);
+
+   g_free (context);
++
++  /* And now finally get rid of our references to the sources. This will cause
++   * them to be freed unless something else still has a reference to them. Due
++   * to setting the context pointers in the sources to NULL above, this won't
++   * ever access the context or the internal linked list inside the GSource.
++   * We already removed the sources completely from the context above. */
++  for (s_iter = remaining_sources; s_iter; s_iter = s_iter->next)
++    {
++      source = s_iter->data;
++      g_source_unref_internal (source, NULL, FALSE);
++    }
++  g_slist_free (remaining_sources);
+ }
+
+ /* Helper function used by mainloop/overflow test.

meta/recipes-core/glib-2.0/glib-2.0/0013-GMainContext-Move-mutex-unlocking-in-destructor-righ.patch

@@ -0,0 +1,36 @@
+From 3e9d85f1b75e2b1096d9643563d7d17380752fc7 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Tue, 11 Feb 2020 09:34:38 +0200
+Subject: [PATCH] GMainContext - Move mutex unlocking in destructor right
+ before freeing the mutex
+
+This does not have any behaviour changes but is cleaner. The mutex is
+only unlocked now after all operations on the context are done and right
+before freeing the mutex and the context itself.
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/-/commit/730a75fc8e8271c38fbd5363d1f77a00876b9ddc]
+
+---
+ glib/gmain.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/glib/gmain.c b/glib/gmain.c
+index 10ba2f8..b1df470 100644
+--- a/glib/gmain.c
++++ b/glib/gmain.c
+@@ -584,7 +584,6 @@ g_main_context_unref (GMainContext *context)
+       source = s_iter->data;
+       g_source_destroy_internal (source, context, TRUE);
+     }
+-  UNLOCK_CONTEXT (context);
+
+   for (sl_iter = context->source_lists; sl_iter; sl_iter = sl_iter->next)
+     {
+@@ -595,6 +594,7 @@ g_main_context_unref (GMainContext *context)
+
+   g_hash_table_destroy (context->sources);
+
++  UNLOCK_CONTEXT (context);
+   g_mutex_clear (&context->mutex);
+
+   g_ptr_array_free (context->pending_dispatches, TRUE);

meta/recipes-core/glib-2.0/glib-2.0_2.62.4.bb

@@ -16,6 +16,9 @@ SRC_URI = "${GNOME_MIRROR}/glib/${SHRT_VER}/glib-${PV}.tar.xz \
            file://0001-Do-not-write-bindir-into-pkg-config-files.patch \
            file://0001-meson-Run-atomics-test-on-clang-as-well.patch \
            file://0001-gio-tests-resources.c-comment-out-a-build-host-only-.patch \
+           file://0011-GMainContext-Fix-GSource-iterator-if-iteration-can-m.patch \
+           file://0012-GMainContext-Fix-memory-leaks-and-memory-corruption-.patch \
+           file://0013-GMainContext-Move-mutex-unlocking-in-destructor-righ.patch \
            "
 
 SRC_URI_append_class-native = " file://relocate-modules.patch"