Bug 332931 – double free or corruption when editing values

After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.

Bug 332931 - double free or corruption when editing values


Summary:	double free or corruption when editing values


Status:	RESOLVED FIXED

Product:	gconf-editor
Classification:	Applications
Component:	general
Version:	git master
Hardware:	Other Linux

Importance:	Normal critical
Target Milestone:	---
Assigned To:	Gconf Editor Maintainers
QA Contact:	Gconf Editor Maintainers

URL:
Whiteboard:

Duplicates:	334580 335176 335807 338157 (view as bug list)
Depends on:
Blocks:

Reported:	2006-03-01 02:08 UTC by Claudio Saavedra
Modified:	2007-08-27 13:10 UTC

See Also:
GNOME target:	---
GNOME version:	---

Attachments
patch (1.31 KB, patch) 2006-03-17 15:00 UTC, Paolo Borelli	none	Details \| Review

Description Claudio Saavedra 2006-03-01 02:08:38 UTC

Everytime when editing a value in reciently built gconf.

*** glibc detected *** double free or corruption (out): 0x082929d0 ***

Backtrace:

+ Trace 66592

#0 raise
from /lib/tls/libc.so.6
#1 abort
from /lib/tls/libc.so.6
#2 __fsetlocking
from /lib/tls/libc.so.6
#3 malloc_usable_size
from /lib/tls/libc.so.6
#4 free
from /lib/tls/libc.so.6
#5 IA__g_free
at gmem.c line 187
#6 gconf_editor_gconf_value_changed
at gconf-editor-window.c line 953
#7 IA__g_closure_invoke
at gclosure.c line 490
#8 signal_emit_unlocked_R
at gsignal.c line 2438
#9 IA__g_signal_emit_valist
at gsignal.c line 2197
#10 IA__g_signal_emit
at gsignal.c line 2241
#11 gconf_cell_renderer_activate
at gconf-cell-renderer.c line 320
#12 IA__gtk_cell_renderer_activate
at gtkcellrenderer.c line 634
#13 gtk_tree_view_column_cell_process_action
at gtktreeviewcolumn.c line 2869
#14 _gtk_tree_view_column_cell_event
at gtktreeviewcolumn.c line 3143
#15 gtk_tree_view_button_press
at gtktreeview.c line 2368
#16 _gtk_marshal_BOOLEAN__BOXED
at gtkmarshalers.c line 83
#17 g_type_class_meta_marshal
at gclosure.c line 567
#18 IA__g_closure_invoke
at gclosure.c line 490
#19 signal_emit_unlocked_R
at gsignal.c line 2476
#20 IA__g_signal_emit_valist
at gsignal.c line 2207
#21 IA__g_signal_emit
at gsignal.c line 2241
#22 gtk_widget_event_internal
at gtkwidget.c line 3732
#23 IA__gtk_propagate_event
at gtkmain.c line 2175
#24 IA__gtk_main_do_event
at gtkmain.c line 1412
#25 gdk_event_dispatch
at gdkevents-x11.c line 2291
#26 IA__g_main_context_dispatch
at gmain.c line 1916
#27 g_main_context_iterate
at gmain.c line 2547
#28 IA__g_main_loop_run
at gmain.c line 2751
#29 IA__gtk_main
at gtkmain.c line 991
#30 main
at main.c line 93

Comment 1 Luca Ferretti 2006-03-05 10:31:09 UTC

Me too. (jhbuild HEAD compiled on Ubuntu 5.10)

(gdb) run
Starting program: /opt/gnome2/bin/gconf-editor
[Thread debugging using libthread_db enabled]
[New Thread -1226869056 (LWP 7449)]
GTK Accessibility Module initialized
Bonobo accessibility support initialized
*** glibc detected *** double free or corruption (out): 0x08289830 ***

Program received signal SIGABRT, Aborted.
[Switching to Thread -1226869056 (LWP 7449)]
0xffffe410 in __kernel_vsyscall ()
(gdb) thread apply all bt

+ Trace 66698

Thread 1 (Thread -1226869056 (LWP 7449))

#0 __kernel_vsyscall
#1 raise
from /lib/tls/i686/cmov/libc.so.6
#2 abort
from /lib/tls/i686/cmov/libc.so.6
#3 __fsetlocking
from /lib/tls/i686/cmov/libc.so.6
#4 malloc_trim
from /lib/tls/i686/cmov/libc.so.6
#5 free
from /lib/tls/i686/cmov/libc.so.6
#6 IA__g_free
at gmem.c line 187
#7 gconf_editor_gconf_value_changed
at gconf-editor-window.c line 953
#8 IA__g_closure_invoke
at gclosure.c line 490
#9 signal_emit_unlocked_R
at gsignal.c line 2438
#10 IA__g_signal_emit_valist
at gsignal.c line 2197
#11 IA__g_signal_emit
at gsignal.c line 2241
#12 gconf_cell_renderer_text_editing_done
at gconf-cell-renderer.c line 242
#13 IA__g_cclosure_marshal_VOID__VOID
at gmarshal.c line 77
#14 IA__g_closure_invoke
at gclosure.c line 490
#15 signal_emit_unlocked_R
at gsignal.c line 2438
#16 IA__g_signal_emit_valist
at gsignal.c line 2197
#17 IA__g_signal_emit_by_name
at gsignal.c line 2265
#18 IA__gtk_cell_editable_editing_done
at gtkcelleditable.c line 113
#19 gtk_cell_editable_entry_activated
at gtkentry.c line 2181
#20 IA__g_cclosure_marshal_VOID__VOID
at gmarshal.c line 77
#21 IA__g_closure_invoke
at gclosure.c line 490
#22 signal_emit_unlocked_R
at gsignal.c line 2438
#23 IA__g_signal_emitv
at gsignal.c line 2109
#24 gtk_binding_entry_activate
at gtkbindings.c line 526
#25 binding_match_activate
at gtkbindings.c line 928
#26 gtk_bindings_activate_list
at gtkbindings.c line 1063
#27 IA__gtk_bindings_activate_event
at gtkbindings.c line 1139
#28 gtk_widget_real_key_press_event
at gtkwidget.c line 3476
#29 gtk_entry_key_press
at gtkentry.c line 1887
#30 _gtk_marshal_BOOLEAN__BOXED
at gtkmarshalers.c line 83
#31 g_type_class_meta_marshal
at gclosure.c line 567
#32 IA__g_closure_invoke
at gclosure.c line 490
#33 signal_emit_unlocked_R
at gsignal.c line 2476
#34 IA__g_signal_emit_valist
at gsignal.c line 2207
#35 IA__g_signal_emit
at gsignal.c line 2241
#36 gtk_widget_event_internal
at gtkwidget.c line 3732
#37 IA__gtk_window_propagate_key_event
at gtkwindow.c line 4517
#38 gtk_window_key_press_event
at gtkwindow.c line 4547
#39 _gtk_marshal_BOOLEAN__BOXED
at gtkmarshalers.c line 83
#40 g_type_class_meta_marshal
at gclosure.c line 567
#41 IA__g_closure_invoke
at gclosure.c line 490
#42 signal_emit_unlocked_R
at gsignal.c line 2476
#43 IA__g_signal_emit_valist
at gsignal.c line 2207
#44 IA__g_signal_emit
at gsignal.c line 2241
#45 gtk_widget_event_internal
at gtkwidget.c line 3732
#46 IA__gtk_propagate_event
at gtkmain.c line 2149
#47 IA__gtk_main_do_event
at gtkmain.c line 1412
#48 gdk_event_dispatch
at gdkevents-x11.c line 2291
#49 IA__g_main_context_dispatch
at gmain.c line 1916
#50 g_main_context_iterate
at gmain.c line 2547
#51 IA__g_main_loop_run
at gmain.c line 2751
#52 IA__gtk_main
at gtkmain.c line 991
#53 main
at main.c line 93

Comment 2 Sergej Kotliar 2006-03-15 18:59:36 UTC

*** Bug 334580 has been marked as a duplicate of this bug. ***

Comment 3 Paolo Borelli 2006-03-17 15:00:51 UTC

Created attachment 61443 [details] [review]
patch

I have seen this too.

This patch should fix the memory corruption (at least the one I experienced): GconfValue should be freed with gconf_value_free not with g_free.

The patch also fixes a tiny leak in another part of the code that I noticed while running valgrind to detect the memory corruption.

Comment 4 Fernando Herrera 2006-03-20 10:58:24 UTC

Paolo, thank you very much for the Patch. Fixed on HEAD:
2006-03-20  Fernando Herrera  <fherrera@onirica.com>

        * src/gconf-editor-window.c: (gconf_editor_gconf_value_changed): Fix
        memory corruption. GconfValue should be freed with gconf_value_free
        not with g_free.
        * src/gconf-list-model.c: (gconf_list_model_notify_func): Fix a tiny
        leak.
        Patch from Paolo Borelli. Closes bug #332931.

Comment 5 Fernando Herrera 2006-03-20 10:58:43 UTC

*** Bug 335176 has been marked as a duplicate of this bug. ***

Comment 6 Wouter Bolsterlee (uws) 2006-03-20 11:02:20 UTC

Can this patch be applied to the 2.14 branch too, please?

Comment 7 Fernando Herrera 2006-03-20 11:08:36 UTC

I have not yes branched gconf-editor for gnome-2-14. I'll branch it after 2.14.1, so the fix will be on 2.14 and 2.15

Comment 8 Sergej Kotliar 2006-06-24 10:46:38 UTC

*** Bug 335807 has been marked as a duplicate of this bug. ***

Comment 9 Kjartan Maraas 2007-08-27 13:10:09 UTC

*** Bug 338157 has been marked as a duplicate of this bug. ***