GNOME Bugzilla – Bug 149151
Valgrind reports invalid read of size 4 when removing a panel drawer
Last modified: 2005-08-09 12:59:59 UTC
This is the backtrace:

==16746== Invalid read of size 1
==16746==    at 0x1C122D3D: g_utf8_validate (gutf8.c:1571)
==16746==    by 0x1C00C26A: gconf_engine_set_string (gconf.c:3376)
==16746==    by 0x1C00F6BE: gconf_client_set_string (gconf-client.c:1722)
==16746==    by 0x8070170: drawer_load_from_gconf (drawer.c:420)
==16746==    by 0x806E2A6: panel_applet_load_idle_handler (applet.c:739)
==16746==    by 0x1C10719B: g_idle_dispatch (gmain.c:3802)
==16746==    by 0x1C1040AB: g_main_context_dispatch (gmain.c:1942)
==16746==    by 0x1C105AD8: g_main_context_iterate (gmain.c:2573)
==16746==    by 0x1C105D57: g_main_loop_run (gmain.c:2777)
==16746==    by 0x1BCA91B2: gtk_main (gtkmain.c:1172)
==16746==    by 0x80624F9: main (main.c:99)
==16746==  Address 0x1CCF2640 is 0 bytes inside a block of size 8 free'd
==16746==    at 0x1B909FBD: free (vg_replace_malloc.c:153)
==16746==    by 0x1C109DDD: g_free (gmem.c:186)
==16746==    by 0x807013E: drawer_load_from_gconf (drawer.c:413)
==16746==    by 0x806E2A6: panel_applet_load_idle_handler (applet.c:739)
==16746==    by 0x1C10719B: g_idle_dispatch (gmain.c:3802)
==16746==    by 0x1C1040AB: g_main_context_dispatch (gmain.c:1942)
==16746==    by 0x1C105AD8: g_main_context_iterate (gmain.c:2573)
==16746==    by 0x1C105D57: g_main_loop_run (gmain.c:2777)
==16746==    by 0x1BCA91B2: gtk_main (gtkmain.c:1172)
==16746==    by 0x80624F9: main (main.c:99)
Maybe this is it: diff -u -r1.188 drawer.c --- drawer.c 6 Jul 2004 07:33:33 -0000 1.188 +++ drawer.c 3 Aug 2004 13:49:37 -0000 @@ -410,14 +410,16 @@ toplevel = panel_profile_load_toplevel (client, profile_dir, PANEL_GCONF_TOPLEVELS, toplevel_id); - g_free (toplevel_id); g_free (profile_dir); - if (!toplevel) + if (!toplevel) { + g_free (toplevel_id); return NULL; + } key = panel_gconf_full_key (PANEL_GCONF_OBJECTS, profile, drawer_id, "attached_toplevel_id"); gconf_client_set_string (client, key, toplevel_id, NULL); + g_free (toplevel_id); panel_profile_set_toplevel_enable_buttons (toplevel, TRUE); panel_profile_set_toplevel_enable_arrows (toplevel, TRUE);
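Review bot: toplevel_id now has two separate g_free () sites, one inside the new if (!toplevel) block and one after gconf_client_set_string (), and they have to be kept in sync by hand; a return added between them later would leak the string, and moving the second free back up would bring the invalid read back. Consider freeing it at a single exit point, or at least add a short comment at the second g_free () saying that toplevel_id must stay alive until gconf_client_set_string () has been called with it. The new ordering does match the backtrace, where the free at drawer.c:413 comes before the read at drawer.c:420.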
Is this similar to bug# 144460?
Yeah, it's the same report. I was lazy :-)
Marking this bug as duplicate of bug# 144460. *** This bug has been marked as a duplicate of 144460 ***
But the problem is still there so we have to reopen this... :-)
Now I see this when removing the drawer again:

==3985== Invalid write of size 4
==3985==    at 0x1C125214: g_nullify_pointer (gutils.c:1225)
==3985==    by 0x1C07F3C0: weak_refs_notify (gobject.c:1464)
==3985==    by 0x1C0F5684: g_datalist_id_set_data_full (gdataset.c:246)
==3985==    by 0x1C07BE42: g_object_real_dispose (gobject.c:530)
==3985==    by 0x1BCC47F0: gtk_object_dispose (gtkobject.c:381)
==3985==    by 0x1BD85FFC: gtk_widget_dispose (gtkwidget.c:6382)
==3985==    by 0x1C07C160: g_object_run_dispose (gobject.c:602)
==3985==    by 0x1BCC4774: gtk_object_destroy (gtkobject.c:361)
==3985==    by 0x1BD8089C: gtk_widget_destroy (gtkwidget.c:1913)
==3985==    by 0x80976ED: panel_profile_delete_removed_ids (panel-profile.c:1976)
==3985==    by 0x809792F: panel_profile_object_id_list_notify (panel-profile.c:2074)
==3985==    by 0x1C0128C4: notify_listeners_callback (gconf-client.c:2368)
==3985==    by 0x1C001897: gconf_listeners_notify (gconf-listeners.c:588)
==3985==    by 0x1C0129C8: notify_one_entry (gconf-client.c:2393)
==3985==    by 0x1C012BED: notify_idle_callback (gconf-client.c:2433)
==3985==    by 0x1C10719B: g_idle_dispatch (gmain.c:3802)
==3985==    by 0x1C1040AB: g_main_context_dispatch (gmain.c:1942)
==3985==    by 0x1C105AD8: g_main_context_iterate (gmain.c:2573)
==3985==    by 0x1C105D57: g_main_loop_run (gmain.c:2777)
==3985==    by 0x1BCA91B2: gtk_main (gtkmain.c:1172)
==3985==  Address 0x1CBC9F34 is 212 bytes inside a block of size 232 free'd
==3985==    at 0x1B909FBD: free (vg_replace_malloc.c:153)
==3985==    by 0x1C109DDD: g_free (gmem.c:186)
==3985==    by 0x1C0957D4: g_type_free_instance (gtype.c:1635)
==3985==    by 0x1C07C05B: g_object_unref (gobject.c:580)
==3985==    by 0x1C07C168: g_object_run_dispose (gobject.c:603)
==3985==    by 0x1BCC4774: gtk_object_destroy (gtkobject.c:361)
==3985==    by 0x1BD8089C: gtk_widget_destroy (gtkwidget.c:1913)
==3985==    by 0x1BC06220: gtk_bin_forall (gtkbin.c:165)
==3985==    by 0x1BC3B164: gtk_container_foreach (gtkcontainer.c:1291)
==3985==    by 0x1BC3D1F2: gtk_container_destroy (gtkcontainer.c:828)
==3985==    by 0x1C08FB32: g_cclosure_marshal_VOID__VOID (gmarshal.c:77)
==3985==    by 0x1C07A2AD: g_type_class_meta_marshal (gclosure.c:514)
==3985==    by 0x1C079FD4: g_closure_invoke (gclosure.c:437)
==3985==    by 0x1C08DCD1: signal_emit_unlocked_R (gsignal.c:2551)
==3985==    by 0x1C08F4D8: g_signal_emit_valist (gsignal.c:2194)
==3985==    by 0x1C08F71A: g_signal_emit (gsignal.c:2238)
==3985==    by 0x1BCC47DC: gtk_object_dispose (gtkobject.c:376)
==3985==    by 0x1BD85FFC: gtk_widget_dispose (gtkwidget.c:6382)
==3985==    by 0x1C07C160: g_object_run_dispose (gobject.c:602)
==3985==    by 0x1BCC4774: gtk_object_destroy (gtkobject.c:361)
Patch looks good Kjartan, please commit
Committed the patch to HEAD.
Try commenting out the add_weak_pointer() at applet.c:1068 and see if that makes the second invalid read go away.
NEEDINFO ?
Commenting out in applet.c fixes the invalid read it seems.
Two more leaks left that I can see now:

==11151== 28 bytes in 1 blocks are definitely lost in loss record 52 of 189
==11151==    at 0x1B90A419: calloc (vg_replace_malloc.c:176)
==11151==    by 0x1C109D03: g_malloc0 (gmem.c:153)
==11151==    by 0x1C043B26: ORBit_alloc_by_tc (allocators.c:366)
==11151==    by 0x1C047335: ORBit_demarshal_arg (corba-any.c:730)
==11151==    by 0x1C03EDCD: orbit_small_demarshal (orbit-small.c:433)
==11151==    by 0x1C03F326: ORBit_small_invoke_stub (orbit-small.c:660)
==11151==    by 0x1C03F497: ORBit_small_invoke_stub_n (orbit-small.c:575)
==11151==    by 0x1C04FC74: ORBit_c_stub_invoke (poa.c:2640)
==11151==    by 0x1BB8EAC8: Bonobo_ActivationContext_query (Bonobo_ActivationContext-stubs.c:140)
==11151==    by 0x1BB903C9: bonobo_activation_query (bonobo-activation-activate.c:290)
==11151==    by 0x8099695: panel_addto_present_applets (panel-addto.c:413)
==11151==    by 0x809A557: panel_addto_present (panel-addto.c:1107)
==11151==    by 0x1C08FB32: g_cclosure_marshal_VOID__VOID (gmarshal.c:77)
==11151==    by 0x1C079FD4: g_closure_invoke (gclosure.c:437)
==11151==    by 0x1C08D649: signal_emit_unlocked_R (gsignal.c:2435)
==11151==    by 0x1C08F4D8: g_signal_emit_valist (gsignal.c:2194)
==11151==    by 0x1C08F71A: g_signal_emit (gsignal.c:2238)
==11151==    by 0x1BD8280B: gtk_widget_activate (gtkwidget.c:3594)
==11151==    by 0x1BCB9390: gtk_menu_shell_activate_item (gtkmenushell.c:892)
==11151==    by 0x1BCB9655: gtk_menu_shell_button_release (gtkmenushell.c:511)
==11151==
==11151==
==11151== 32 bytes in 2 blocks are definitely lost in loss record 56 of 189
==11151==    at 0x1B909A9C: malloc (vg_replace_malloc.c:131)
==11151==    by 0x1B90A48B: realloc (vg_replace_malloc.c:189)
==11151==    by 0x1C109D69: g_realloc (gmem.c:169)
==11151==    by 0x1C0EFCD3: g_array_maybe_expand (garray.c:350)
==11151==    by 0x1C0EFEC7: g_array_append_vals (garray.c:138)
==11151==    by 0x1BBAB999: glade_parser_start_element (glade-parser.c:310)
==11151==    by 0x1BE5D77A: xmlParseStartTag__internal_alias (parser.c:6647)
==11151==    by 0x1BE66CC2: xmlParseElement__internal_alias (parser.c:7910)
==11151==    by 0x1BE65AA1: xmlParseContent__internal_alias (parser.c:7831)
==11151==    by 0x1BE66BFE: xmlParseElement__internal_alias (parser.c:7991)
==11151==    by 0x1BE65AA1: xmlParseContent__internal_alias (parser.c:7831)
==11151==    by 0x1BE66BFE: xmlParseElement__internal_alias (parser.c:7991)
==11151==    by 0x1BE65AA1: xmlParseContent__internal_alias (parser.c:7831)
==11151==    by 0x1BE66BFE: xmlParseElement__internal_alias (parser.c:7991)
==11151==    by 0x1BE65AA1: xmlParseContent__internal_alias (parser.c:7831)
==11151==    by 0x1BE66BFE: xmlParseElement__internal_alias (parser.c:7991)
==11151==    by 0x1BE65AA1: xmlParseContent__internal_alias (parser.c:7831)
==11151==    by 0x1BE66BFE: xmlParseElement__internal_alias (parser.c:7991)
==11151==    by 0x1BE65AA1: xmlParseContent__internal_alias (parser.c:7831)
==11151==    by 0x1BE66BFE: xmlParseElement__internal_alias (parser.c:7991)
Reopening and changing title to be more general.
Hmm, the first one is a list returned from bonobo_activation_query() which is supposed to be free'd using CORBA_free(). I tried that in panel_addto_present_applets() and got a bunch of new errors from valgrind. The second one looks more like a leak in glade?
(Let's just leave this bug report about the drawers problem)

Summary:

When removing a drawer you get this:

==3985== Invalid write of size 4
==3985==    at 0x1C125214: g_nullify_pointer (gutils.c:1225)
==3985==    by 0x1C07F3C0: weak_refs_notify (gobject.c:1464)
==3985==    by 0x1C0F5684: g_datalist_id_set_data_full (gdataset.c:246)
==3985==    by 0x1C07BE42: g_object_real_dispose (gobject.c:530)
==3985==    by 0x1BCC47F0: gtk_object_dispose (gtkobject.c:381)
==3985==    by 0x1BD85FFC: gtk_widget_dispose (gtkwidget.c:6382)
==3985==    by 0x1C07C160: g_object_run_dispose (gobject.c:602)
==3985==    by 0x1BCC4774: gtk_object_destroy (gtkobject.c:361)
==3985==    by 0x1BD8089C: gtk_widget_destroy (gtkwidget.c:1913)
==3985==    by 0x80976ED: panel_profile_delete_removed_ids (panel-profile.c:1976)
==3985==    by 0x809792F: panel_profile_object_id_list_notify (panel-profile.c:2074)

And the problem appears to be the weak ref in panel_applet_register():

	assoc_panel->master_widget = applet;
	g_object_add_weak_pointer (G_OBJECT (applet),
				   (gpointer *) &assoc_panel->master_widget);

Need to investigate further what the correct fix is.
Ok. Changing title back then
Confirmed this is the same with 2.11.x too.
Created attachment 50388
gnome-panel-valgrind-warning.patch

Something like this should fix it. Kjartan: if you try this out and it fixes the problem, feel free to commit and close the bug.
Created attachment 50389
gnome-panel-valgrind-warning.patch (take two)
2005-08-09  Mark McLoughlin  <mark@skynet.ie>

	Fix valgrind warning in bug #149151

	* panel-widget.c: (panel_widget_destroy): remove the weak pointer
	to the drawer button from the PanelWidget when a drawer is destroyed.
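Added example, not code from gnome-panel or GLib: a small C model of the lifetime problem in the summary comment and of the fix in the ChangeLog entry, where the location registered as a weak pointer sits inside a block that is freed before the object is disposed. Obj, Panel, teardown() and weak_locations_inside() are hypothetical names; remove_weak_pointer() plays the role of GObject's g_object_remove_weak_pointer().

```c
/* Constructed model of the weak-pointer lifetime problem; not GLib or gnome-panel code. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#define MAX_WEAK 4
typedef struct { void **weak[MAX_WEAK]; int n_weak; } Obj;       /* models the applet object */
typedef struct { int other_state; void *master_widget; } Panel;  /* models the owning panel */

static void add_weak_pointer(Obj *o, void **loc) {
    if (o->n_weak < MAX_WEAK) o->weak[o->n_weak++] = loc;
}

static void remove_weak_pointer(Obj *o, void **loc) {
    for (int i = 0; i < o->n_weak; i++)
        if (o->weak[i] == loc) { o->weak[i] = o->weak[--o->n_weak]; return; }
}

/* Count registered locations that lie inside [block, block + size). */
static int weak_locations_inside(const Obj *o, const void *block, size_t size) {
    uintptr_t lo = (uintptr_t)block, hi = lo + size;
    int hits = 0;
    for (int i = 0; i < o->n_weak; i++) {
        uintptr_t p = (uintptr_t)o->weak[i];
        if (p >= lo && p < hi) hits++;
    }
    return hits;
}

/* Dispose: write NULL through every registered location, as g_nullify_pointer does. */
static void obj_dispose(Obj *o) {
    for (int i = 0; i < o->n_weak; i++) *o->weak[i] = NULL;
    o->n_weak = 0;
}

/* Free the panel before the applet is disposed. Returns the number of weak
 * locations still pointing into the panel block at the moment it is freed. */
static int teardown(int unregister_first) {
    Obj applet = {0};
    Panel *panel = calloc(1, sizeof *panel);
    if (!panel) return -1;
    panel->master_widget = &applet;
    add_weak_pointer(&applet, &panel->master_widget);
    if (unregister_first) remove_weak_pointer(&applet, &panel->master_widget);
    int stale = weak_locations_inside(&applet, panel, sizeof *panel);
    free(panel);
    if (stale == 0) obj_dispose(&applet);  /* with stale > 0 this is the invalid write */
    return stale;
}

int main(void) { return (teardown(0) == 1 && teardown(1) == 0) ? 0 : 1; }
```

The stale case skips the dispose on purpose so the model never performs the write into freed memory that valgrind reported.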