GNOME Bugzilla – Bug 357611
Invalid free() makes the directfb backend crash
Last modified: 2006-10-08 16:17:01 UTC
Steps to reproduce: Compile GTK with the DirectFB backend and run gtk-demo, open the hypertext window, set a breakpoint on gtk_target_table_free(), close the hypertext window with meta-c and the crash will happen inside the for() loop.

Stack trace:
*** glibc detected *** free(): invalid pointer: 0xa7de4b41 ***
Program received signal SIGABRT, Aborted.
+ Trace 73201
Thread NaN (LWP 20062)
Note that valgrind detects the attempt to perform a bad free() and allows regular program execution (dump from another run):

==4110== Invalid free() / delete / delete[]
==4110==    at 0x401D139: free (vg_replace_malloc.c:233)
==4110==    by 0x45CEBD0: g_free (in /usr/lib/libglib-2.0.so.0.1200.3)
==4110==    by 0x4258C7D: gtk_target_table_free (gtkselection.c:621)
==4110==    by 0x4299933: gtk_text_buffer_free_target_lists (gtktextbuffer.c:3919)
==4110==    by 0x4299CFF: gtk_text_buffer_finalize (gtktextbuffer.c:592)
==4110==    by 0x456DD92: g_object_unref (in /usr/lib/libgobject-2.0.so.0.1200.3)
==4110==    by 0x42AC5A1: gtk_text_layout_set_buffer (gtktextlayout.c:312)
==4110==    by 0x42AC6E7: gtk_text_layout_finalize (gtktextlayout.c:245)
==4110==    by 0x456DD92: g_object_unref (in /usr/lib/libgobject-2.0.so.0.1200.3)
==4110==    by 0x42C012A: gtk_text_view_destroy_layout (gtktextview.c:6015)
==4110==    by 0x42C03C9: gtk_text_view_destroy (gtktextview.c:2553)
==4110==    by 0x4578EBA: g_cclosure_marshal_VOID__VOID (in /usr/lib/libgobject-2.0.so.0.1200.3)
==4110==  Address 0x43F49BF is not stack'd, malloc'd or (recently) free'd

Other information: I've once been able to detect a non-crasher bad free() with the X11 backend, so I'm not really sure this bug is caused by the DFB backend and not by something else in the GTK platform. This bug was also successfully reproduced by Loic Minier [1] and was first spotted back in July 2006 [2].

Thanks
Attilio

[1] http://lists.debian.org/debian-boot/2006/09/msg01081.html
[2] http://mail.gnome.org/archives/gtk-devel-list/2006-July/msg00157.html
This bug should be sent to the person responsible for the gtk widget. It does not seem to be directfb specific. The crash is reproducible on directfb it seems but that's just because of the memory layout I think.
In this case, the "guilty" widget should be GtkTextView by Havoc Pennington: sending it a destroy signal causes a crash on DFB and not in X11, as the test app below demonstrates.

    #include <gtk/gtk.h>

    GtkWidget *window, *view, *button, *vbox;

    int main (int argc, char *argv[])
    {
      gtk_init (&argc, &argv);

      window = gtk_window_new (GTK_WINDOW_TOPLEVEL);
      gtk_widget_set_size_request (window, 400, 300);

      view = gtk_text_view_new ();
      button = gtk_button_new_with_label ("destroy the textview");

      /* clicking the button destroys the text view, which finalizes its
       * buffer and runs gtk_target_table_free() on the buffer's target lists */
      g_signal_connect_swapped (G_OBJECT (button), "clicked",
                                G_CALLBACK (gtk_widget_destroy), G_OBJECT (view));

      vbox = gtk_vbox_new (FALSE, 5);
      gtk_box_pack_start (GTK_BOX (vbox), view, TRUE, TRUE, 5);
      gtk_box_pack_start (GTK_BOX (vbox), button, FALSE, TRUE, 5);
      gtk_container_add (GTK_CONTAINER (window), vbox);

      gtk_widget_show_all (window);
      gtk_main ();

      return 0;
    }
Attilio, I tried running this with: valgrind -v --log-file=valgrind.log --show-below-main=yes ./main but I couldn't reproduce the invalid free()s with the X11 backend. Do you have any recipe for this? I'll try with DFB ASAP.
Indeed I was never able to reproduce a real crash with X, but if you set a watchpoint on the "i" variable inside the for() loop of gtk_target_table_free(), you'll see that it gets assigned nonsense values as the free()s get called. Valgrind detects the invalid free() and prevents the crash with DFB, so you may want to compile against DFB and wrap the app by valgrind: do you get the warning?
I wasn't able to reproduce a problem with gtk_target_table_free() and X
I was able to reproduce a crash somewhat similar to this (it happens when freeing an array of GtkTargetEntry) by opening the clipboard demo in gtk-demo and then pressing "copy". Trace is attached.

*** glibc detected *** free(): invalid pointer: 0xa7e9cc81 ***
Program received signal SIGABRT, Aborted.
+ Trace 75107
Thread NaN (LWP 4030)
(gdb) p i
$10 = 12
Does it happen on X11 also?
I don't see it on X11
Looks like gdk_atom_name does not return a newly allocated string on the directfb backend. It should.
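The ownership mismatch described in the comment above, as an added illustration that is not part of the bug report or of GTK's own code: a name function that hands out a pointer into an interned table (the pre-patch behaviour) versus one that returns a heap copy the caller owns, and a table-free routine in the style of gtk_target_table_free() that frees each entry's name. The atom table, the entry struct and the function names are constructed stand-ins, not GDK identifiers; the freeability check is an added diagnostic, not something GTK does.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the backend's interned atom-name table: the
 * strings are owned by the table and must never be passed to free(). */
static const char *const atoms_to_names[] = {
    "PRIMARY", "SECONDARY", "CLIPBOARD", "UTF8_STRING", "TARGETS"
};
#define N_ATOMS (sizeof atoms_to_names / sizeof atoms_to_names[0])

/* Portable strdup replacement so the example builds under strict -std=c99. */
static char *dup_string(const char *s)
{
    size_t len = strlen(s) + 1;
    char *copy = malloc(len);
    if (copy)
        memcpy(copy, s, len);
    return copy;
}

/* Pre-patch behaviour: returns a pointer INTO the table. A caller that
 * honours the "free the result" contract then passes a non-heap pointer
 * to free(), which is exactly what glibc and valgrind flag above. */
static char *atom_name_borrowed(size_t atom)
{
    if (atom >= N_ATOMS)
        return NULL;
    return (char *) atoms_to_names[atom];
}

/* Post-patch behaviour: returns a fresh heap copy owned by the caller
 * (g_strdup in GDK terms, dup_string here). */
static char *atom_name_owned(size_t atom)
{
    if (atom >= N_ATOMS)
        return NULL;
    return dup_string(atoms_to_names[atom]);
}

/* Minimal constructed stand-in for a GtkTargetEntry. */
typedef struct {
    char *target;
    unsigned flags;
    unsigned info;
} TargetEntry;

/* Builds a target table the way a caller of the name function would,
 * using whichever variant is supplied. */
static TargetEntry *target_table_new(const size_t *atoms, size_t n,
                                     char *(*name_fn)(size_t))
{
    TargetEntry *t = calloc(n, sizeof *t);
    if (!t)
        return NULL;
    for (size_t i = 0; i < n; i++) {
        t[i].target = name_fn(atoms[i]);
        t[i].info = (unsigned) i;
    }
    return t;
}

/* Returns 1 when no entry aliases the interned table, i.e. when freeing
 * every entry's name is valid. Pointer equality between objects is
 * well-defined in C, so this check is safe to run on any table. */
static int target_table_is_freeable(const TargetEntry *t, size_t n)
{
    for (size_t i = 0; i < n; i++)
        for (size_t a = 0; a < N_ATOMS; a++)
            if (t[i].target == atoms_to_names[a])
                return 0;   /* aliases static storage: free() would be invalid */
    return 1;
}

/* Mirrors the shape of gtk_target_table_free(): free each name, then the
 * array. Only call it on a table that target_table_is_freeable() accepts. */
static void target_table_free(TargetEntry *t, size_t n)
{
    for (size_t i = 0; i < n; i++)
        free(t[i].target);
    free(t);
}

int main(void)
{
    const size_t atoms[] = { 0, 2, 3 };
    size_t n = sizeof atoms / sizeof atoms[0];

    TargetEntry *bad  = target_table_new(atoms, n, atom_name_borrowed);
    TargetEntry *good = target_table_new(atoms, n, atom_name_owned);

    printf("borrowed names freeable: %d\n", target_table_is_freeable(bad, n));
    printf("owned names freeable:    %d\n", target_table_is_freeable(good, n));

    target_table_free(good, n);
    free(bad);   /* its entries alias the table, so only the array is ours */
    return 0;
}
```

Under valgrind, swapping target_table_free(good, n) for target_table_free(bad, n) reproduces the "Invalid free()" report from the bug; the freeability check is the cheap, in-process way to catch the same aliasing before free() is ever reached.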
I owe you a lot of beer for that one. Thanks !
I did some tests, and the attached patch seems to fix reported crashes in gtk-demo. Could someone commit a patch ASAP? thanks a lot! Attilio Index: gdk/directfb/gdkproperty-directfb.c =================================================================== RCS file: /cvs/gnome/gtk+/gdk/directfb/gdkproperty-directfb.c,v retrieving revision 1.1 diff -u -r1.1 gdkproperty-directfb.c --- gdk/directfb/gdkproperty-directfb.c 5 Feb 2006 04:04:28 -0000 1.1 +++ gdk/directfb/gdkproperty-directfb.c 8 Oct 2006 08:09:58 -0000 @@ -192,7 +192,7 @@ if (GPOINTER_TO_INT (atom) >= atoms_to_names->len) return NULL; - return g_ptr_array_index (atoms_to_names, GPOINTER_TO_INT (atom)); + return g_strdup ( g_ptr_array_index (atoms_to_names, GPOINTER_TO_INT (atom))); }
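Review bot: now that gdk_atom_name() returns a g_strdup()'d copy, any caller inside the DirectFB backend that used the old return value without freeing it will leak, so those internal call sites need a matching g_free(); the change itself is the right fix for the crash, since comment 19 states the function should return newly allocated memory and gtk_target_table_free() in the valgrind trace frees what it gets back. Style nit on the `+` line: `g_strdup ( g_ptr_array_index (...))` has a stray space after the opening parenthesis that the surrounding code does not use.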
Fixed in cvs