GNOME Bugzilla – Bug 413921
panel_run_dialog_screen_changed invalid read
Last modified: 2007-06-02 12:00:21 UTC
While running gnome-panel from valgrind:

==8047== Invalid read of size 4
==8047==    at 0x8085387: panel_run_dialog_screen_changed (panel-run-dialog.c:1834)
==8047==    by 0x4801ED8: g_cclosure_marshal_VOID__OBJECT (gmarshal.c:636)
==8047==    by 0x47F562A: g_closure_invoke (gclosure.c:490)
==8047==    by 0x48060F2: signal_emit_unlocked_R (gsignal.c:2440)
==8047==    by 0x4807616: g_signal_emit_valist (gsignal.c:2199)
==8047==    by 0x48077D8: g_signal_emit (gsignal.c:2243)
==8047==    by 0x44D1233: do_screen_change (gtkwidget.c:5187)
==8047==    by 0x44D1376: gtk_widget_propagate_hierarchy_changed_recurse (gtkwidget.c:5211)
==8047==    by 0x42E855E: gtk_bin_forall (gtkbin.c:133)
==8047==    by 0x432781A: gtk_container_forall (gtkcontainer.c:1261)
==8047==    by 0x44D13AE: gtk_widget_propagate_hierarchy_changed_recurse (gtkwidget.c:5214)
==8047==    by 0x42EC19F: gtk_box_forall (gtkbox.c:670)
==8047==    by 0x432781A: gtk_container_forall (gtkcontainer.c:1261)
==8047==    by 0x44D13AE: gtk_widget_propagate_hierarchy_changed_recurse (gtkwidget.c:5214)
==8047==    by 0x42EC19F: gtk_box_forall (gtkbox.c:670)
==8047==    by 0x432781A: gtk_container_forall (gtkcontainer.c:1261)
==8047==    by 0x44D13AE: gtk_widget_propagate_hierarchy_changed_recurse (gtkwidget.c:5214)
==8047==    by 0x42EC19F: gtk_box_forall (gtkbox.c:670)
==8047==    by 0x432781A: gtk_container_forall (gtkcontainer.c:1261)
==8047==    by 0x44D13AE: gtk_widget_propagate_hierarchy_changed_recurse (gtkwidget.c:5214)
==8047==    by 0x44D4A7B: _gtk_widget_propagate_hierarchy_changed (gtkwidget.c:5251)
==8047==    by 0x44DDE18: gtk_widget_unparent (gtkwidget.c:2131)
==8047==    by 0x42E8784: gtk_bin_remove (gtkbin.c:112)
==8047==    by 0x4801ED8: g_cclosure_marshal_VOID__OBJECT (gmarshal.c:636)
==8047==    by 0x47F3E48: g_type_class_meta_marshal (gclosure.c:567)
==8047==    by 0x47F562A: g_closure_invoke (gclosure.c:490)
==8047==    by 0x4806589: signal_emit_unlocked_R (gsignal.c:2370)
==8047==    by 0x4807616: g_signal_emit_valist (gsignal.c:2199)
==8047==    by 0x48077D8: g_signal_emit (gsignal.c:2243)
==8047==    by 0x43280A8: gtk_container_remove (gtkcontainer.c:991)
==8047==    by 0x44D911C: gtk_widget_dispose (gtkwidget.c:6879)
==8047==    by 0x47F7CBF: g_object_run_dispose (gobject.c:573)
==8047==    by 0x43DDA6D: gtk_object_destroy (gtkobject.c:403)
==8047==    by 0x44D93F4: gtk_widget_destroy (gtkwidget.c:2168)
==8047==    by 0x42E855E: gtk_bin_forall (gtkbin.c:133)
==8047==    by 0x432763A: gtk_container_foreach (gtkcontainer.c:1288)
==8047==    by 0x4327F7F: gtk_container_destroy (gtkcontainer.c:825)
==8047==    by 0x44E85D0: gtk_window_destroy (gtkwindow.c:3954)
==8047==    by 0x48029C8: g_cclosure_marshal_VOID__VOID (gmarshal.c:77)
==8047==    by 0x47F3E48: g_type_class_meta_marshal (gclosure.c:567)
==8047==  Address 0x738B8DC is 100 bytes inside a block of size 112 free'd
==8047==    at 0x4020F9A: free (vg_replace_malloc.c:233)
==8047==    by 0x4859F90: g_free (gmem.c:187)
==8047==    by 0x8081C11: panel_run_dialog_destroy (panel-run-dialog.c:169)
==8047==    by 0x48029C8: g_cclosure_marshal_VOID__VOID (gmarshal.c:77)
==8047==    by 0x47F562A: g_closure_invoke (gclosure.c:490)
==8047==    by 0x48060F2: signal_emit_unlocked_R (gsignal.c:2440)
==8047==    by 0x4807616: g_signal_emit_valist (gsignal.c:2199)
==8047==    by 0x48077D8: g_signal_emit (gsignal.c:2243)
==8047==    by 0x43DDD60: gtk_object_dispose (gtkobject.c:418)
==8047==    by 0x44D9140: gtk_widget_dispose (gtkwidget.c:6887)
==8047==    by 0x44E54C5: gtk_window_dispose (gtkwindow.c:1794)
==8047==    by 0x47F7CBF: g_object_run_dispose (gobject.c:573)
==8047==    by 0x43DDA6D: gtk_object_destroy (gtkobject.c:403)
==8047==    by 0x44D93F4: gtk_widget_destroy (gtkwidget.c:2168)
==8047==    by 0x8082474: panel_run_dialog_execute (panel-run-dialog.c:438)
==8047==    by 0x80824E6: panel_run_dialog_response (panel-run-dialog.c:458)
==8047==    by 0x4802718: g_cclosure_marshal_VOID(i_xx_t) (gmarshal.c:216)
==8047==    by 0x47F562A: g_closure_invoke (gclosure.c:490)
==8047==    by 0x48060F2: signal_emit_unlocked_R (gsignal.c:2440)
==8047==    by 0x4807616: g_signal_emit_valist (gsignal.c:2199)
==8047==    by 0x48077D8: g_signal_emit (gsignal.c:2243)
==8047==    by 0x4339179: gtk_dialog_response (gtkdialog.c:835)
==8047==    by 0x43391D4: action_widget_activated (gtkdialog.c:534)
==8047==    by 0x48029C8: g_cclosure_marshal_VOID__VOID (gmarshal.c:77)
==8047==    by 0x47F562A: g_closure_invoke (gclosure.c:490)
==8047==    by 0x48060F2: signal_emit_unlocked_R (gsignal.c:2440)
==8047==    by 0x4807616: g_signal_emit_valist (gsignal.c:2199)
==8047==    by 0x48077D8: g_signal_emit (gsignal.c:2243)
==8047==    by 0x42ED152: gtk_button_clicked (gtkbutton.c:889)
==8047==    by 0x42EEBC4: gtk_button_finish_activate (gtkbutton.c:1557)
==8047==    by 0x42EEC8B: gtk_button_key_release (gtkbutton.c:1414)
==8047==    by 0x43BD5FF: _gtk_marshal_BOOLEAN__BOXED (gtkmarshalers.c:84)
==8047==    by 0x47F3E48: g_type_class_meta_marshal (gclosure.c:567)
==8047==    by 0x47F562A: g_closure_invoke (gclosure.c:490)
==8047==    by 0x4806742: signal_emit_unlocked_R (gsignal.c:2478)
==8047==    by 0x48073DE: g_signal_emit_valist (gsignal.c:2209)
==8047==    by 0x48077D8: g_signal_emit (gsignal.c:2243)
==8047==    by 0x44D1A77: gtk_widget_event_internal (gtkwidget.c:3915)
==8047==    by 0x43B6939: gtk_propagate_event (gtkmain.c:2324)
==8047==    by 0x43B7B26: gtk_main_do_event (gtkmain.c:1592)
It's probably only a matter of changing:

g_signal_connect_swapped (dialog->run_dialog, "destroy", G_CALLBACK (panel_run_dialog_destroy), dialog);

to use g_signal_connect_after(). What's happening here is that we're accessing the structure that was freed in the destroy signal handler, when destroying the dialog content. Freeing the structure after destroying the dialog content should be enough.
Doesn't work :-) Hrm. I see how to fix this, but my solution involves quite some rewriting (which is needed), and that's not okay for 2.18.0...
Ubuntu bug https://launchpad.net/bugs/90444 is a crasher which looks like the same bug and already has some duplicates
*** Bug 420661 has been marked as a duplicate of this bug. ***
*** Bug 421712 has been marked as a duplicate of this bug. ***
*** Bug 421882 has been marked as a duplicate of this bug. ***
*** Bug 422017 has been marked as a duplicate of this bug. ***
Debug backtrace for the crash:
Here too...

# uname -a
FreeBSD marcus 7.0-CURRENT FreeBSD 7.0-CURRENT #1: Tue Mar 27 06:39:37 BRT 2007 root@marcus:/usr/obj/usr/src/sys/MARCUS i386
(gdb) bt full
(In reply to comment #2)
> Doesn't work :-)
> Hrm. I see how to fix this, but my solution involves quite some rewriting
> (which is needed), and that's not okay for 2.18.0...

What's the status of this? I think that's critical, since it's always possible to reproduce with <Alt>+<F2>. Regards
Created attachment 85823: disconnect signal handler before freeing dialog
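The ordering problem comment 1 describes and the fix the attachment takes (disconnect the handler before freeing the struct), as an added C model that is neither gnome-panel nor GLib code: the signal registry, the widget and dialog structs, and the "free" that poisons a magic value instead of calling free() are all stand-ins so the stale read can be counted safely.

```c
#include <stdbool.h>
#include <string.h>

/* Minimal stand-in for GObject signal connections (added model, not GLib). */
typedef void (*handler_fn)(void *user_data);
typedef struct { const char *name; handler_fn fn; void *data; bool connected; } connection;
typedef struct { connection conns[8]; int nconns; } widget;

static int signal_connect(widget *w, const char *name, handler_fn fn, void *data) {
    connection *c = &w->conns[w->nconns];
    c->name = name; c->fn = fn; c->data = data; c->connected = true;
    return w->nconns++;                       /* handler id, as g_signal_connect returns one */
}
static void signal_disconnect(widget *w, int id) { w->conns[id].connected = false; }
static void signal_emit(widget *w, const char *name) {
    for (int i = 0; i < w->nconns; i++)
        if (w->conns[i].connected && strcmp(w->conns[i].name, name) == 0)
            w->conns[i].fn(w->conns[i].data);
}

/* Stand-in for the dialog struct. "Freeing" poisons the magic instead of calling
 * free() so the stale read is observable here; valgrind flags the real one. */
enum { MAGIC_LIVE = 0x4c495645, MAGIC_DEAD = 0x44454144 };
typedef struct { widget *win; int screen_changed_id; unsigned magic; int stale_reads; } run_dialog;

static void on_screen_changed(void *data) {    /* role of panel_run_dialog_screen_changed */
    run_dialog *d = data;
    if (d->magic != MAGIC_LIVE) d->stale_reads++;   /* the "Invalid read" in the report */
}
static void destroy_buggy(void *data) {        /* frees while screen-changed is still connected */
    ((run_dialog *)data)->magic = MAGIC_DEAD;
}
static void destroy_fixed(void *data) {        /* the attachment's ordering: disconnect, then free */
    run_dialog *d = data;
    signal_disconnect(d->win, d->screen_changed_id);
    d->magic = MAGIC_DEAD;
}

/* Models gtk_widget_destroy(): "destroy" handlers run first, then the children are
 * unparented, which propagates hierarchy-changed and emits screen-changed on them. */
int teardown(bool fixed) {
    widget win = {0};
    run_dialog d = { &win, -1, MAGIC_LIVE, 0 };
    d.screen_changed_id = signal_connect(&win, "screen-changed", on_screen_changed, &d);
    signal_connect(&win, "destroy", fixed ? destroy_fixed : destroy_buggy, &d);
    signal_emit(&win, "destroy");
    signal_emit(&win, "screen-changed");
    return d.stale_reads;                      /* 1 with the old ordering, 0 with the patch */
}
```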
*** Bug 426806 has been marked as a duplicate of this bug. ***
Thanks Ray!
*** Bug 430904 has been marked as a duplicate of this bug. ***
*** Bug 440508 has been marked as a duplicate of this bug. ***
*** Bug 441085 has been marked as a duplicate of this bug. ***
*** Bug 442959 has been marked as a duplicate of this bug. ***