Bug 453033 - gnome-panel crashed with SIGSEGV in idle_populate_func()
Status: RESOLVED FIXED
Product: gtk+
Classification: Platform
Component: Class: GtkRecent
Version: 2.11.x
OS: Other Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assigned To: gtk-bugs
QA Contact: Emmanuele Bassi (:ebassi)
Duplicates: 454455 456589 508093 512060 519461
Depends on:
Blocks:
Reported: 2007-07-02 08:04 UTC by Sebastien Bacher
Modified: 2008-02-29 16:56 UTC
See Also:
GNOME target: ---
GNOME version: 2.19/2.20


Attachments
Remove double unlock and potential use after free (1.44 KB, patch), 2007-07-02 11:51 UTC, Chris Wilson, committed

Description Sebastien Bacher 2007-07-02 08:04:04 UTC
The bug has been opened on https://bugs.launchpad.net/bugs/123480

"Binary package hint: gnome-panel

I'm not sure what this program is. Nothing visible changed. Sorry I can't be of more help.

ProblemType: Crash
Architecture: i386
Date: Sun Jul 1 22:36:02 2007
DistroRelease: Ubuntu 7.10
ExecutablePath: /usr/bin/gnome-panel
NonfreeKernelModules: nvidia
Package: gnome-panel 1:2.19.4-0ubuntu1
...
.

Thread 1 (process 13008)

#0  idle_populate_func at /build/buildd/gtk+2.0-2.11.4/gtk/gtkrecentchoosermenu.c line 938
#1  gdk_threads_dispatch at /build/buildd/gtk+2.0-2.11.4/gdk/gdk.c line 470
#2  g_idle_dispatch at /build/buildd/glib2.0-2.13.5/glib/gmain.c line 4131
#3  IA__g_main_context_dispatch at /build/buildd/glib2.0-2.13.5/glib/gmain.c line 2061
#4  g_main_context_iterate at /build/buildd/glib2.0-2.13.5/glib/gmain.c line 2694
#5  IA__g_main_loop_run at /build/buildd/glib2.0-2.13.5/glib/gmain.c line 2898
#6  IA__gtk_main at /build/buildd/gtk+2.0-2.11.4/gtk/gtkmain.c line 1144
#7  main at main.c line 99

Comment 1 Chris Wilson 2007-07-02 11:51:03 UTC
Created attachment 91026
Remove double unlock and potential use after free

Whilst not immediately explaining the segfault, I spotted an erroneous GDK_THREAD_LEAVE() and potential attempt to access the GtkRecentChooserMenuPrivate after the menu had been finalized.
Comment 2 Matthias Clasen 2007-07-03 15:48:18 UTC
That patch looks fine, please commit.
Comment 3 Chris Wilson 2007-07-04 07:38:29 UTC
Matthias, one other detail that I've only just noticed is the use of gtk* functions within the DestroyNotify, which suggests wrapping the gdk_threads_dispatch_free() with an ENTER/LEAVE:
Index: gdk/gdk.c
===================================================================
--- gdk/gdk.c   (revision 17988)
+++ gdk/gdk.c   (working copy)
@@ -479,9 +479,13 @@ gdk_threads_dispatch_free (gpointer data
 {
   GdkThreadsDispatch *dispatch = data;
 
+  GDK_THREADS_ENTER ();
+
   if (dispatch->destroy && dispatch->data)
     dispatch->destroy (dispatch->data);
 
+  GDK_THREADS_LEAVE ();
+
   g_slice_free (GdkThreadsDispatch, data);
 }
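Review bot: the unconditional GDK_THREADS_ENTER() added before the dispatch->destroy call assumes the notify only ever runs with the GDK lock released, but a source can also be destroyed from inside a callback that gdk_threads_dispatch() is already running under the lock (a g_source_remove() from a GTK handler, for instance the clean-up paths in gtkrecentchoosermenu.c), and the GDK lock is a plain, non-recursive mutex, so that path would block forever on the new ENTER. Either state in the gdk_threads_add_* documentation that the destroy notify is invoked with the lock held and that such sources must not be removed while the lock is held, or leave the notify unlocked and require callers that touch GTK from it to take the lock themselves; whichever invariant is chosen, it needs a comment next to the ENTER here so the next reader knows which context the notify is expected to run in.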
Comment 4 Chris Wilson 2007-07-04 07:45:15 UTC
Committed gtkrecentchoosermenu.c patch, r18375:
2007-07-04  Chris Wilson  <chris@chris-wilson.co.uk>

	* gtk/gtkrecentchoosermenu.c (idle_populate_func),
	(idle_populate_clean_up), (gtk_recent_chooser_menu_populate):
	Remove a surplus GDK_THREADS_LEAVE() and avoid a potential use after
	free in the source destroy notify. (#453033)
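The two lock-discipline problems discussed in comments 1 and 3, as an added example that is not GTK/GDK code and not part of any patch on this bug: a small model of the non-recursive GDK lock, of gdk_threads_dispatch(), and of gdk_threads_dispatch_free() both as it stood and with the ENTER/LEAVE wrapping from comment 3. Every function, type and error code below (threads_enter, Dispatch, run_idle, LOCK_DEADLOCK and so on) is this example's own; run_idle simulates one main-loop iteration for a one-shot idle, and a would-be deadlock is recorded as an error instead of hanging.

```c
/* Added example (not GTK/GDK code): a model of GDK's non-recursive lock and of
 * gdk_threads_dispatch(), used to show the two lock-discipline problems in this
 * bug: a surplus GDK_THREADS_LEAVE() inside an idle callback (comment 1) and an
 * unconditional GDK_THREADS_ENTER() in the destroy notify (comment 3).
 * All names below are this example's own assumptions. */
#include <stdio.h>
#include <string.h>

typedef int (*IdleFunc)(void *data);          /* returns 0 to remove the idle */
typedef void (*DestroyNotify)(void *data);

enum { LOCK_OK = 0, LOCK_DEADLOCK = 1, LOCK_NOT_HELD = 2 };

/* Non-recursive lock: a second ENTER by the thread already holding it would
 * block forever, recorded here as LOCK_DEADLOCK. A LEAVE without a matching
 * ENTER is recorded as LOCK_NOT_HELD (undefined behaviour on a real mutex). */
static struct { int held; int errors; } gdk_lock;

static int threads_enter(void) {
  if (gdk_lock.held) { gdk_lock.errors |= LOCK_DEADLOCK; return LOCK_DEADLOCK; }
  gdk_lock.held = 1;
  return LOCK_OK;
}

static int threads_leave(void) {
  if (!gdk_lock.held) { gdk_lock.errors |= LOCK_NOT_HELD; return LOCK_NOT_HELD; }
  gdk_lock.held = 0;
  return LOCK_OK;
}

typedef struct { IdleFunc func; DestroyNotify destroy; void *data; int removed; } Dispatch;
typedef void (*FreeFunc)(Dispatch *d);
static FreeFunc active_free;

/* Like gdk_threads_dispatch(): run the callback with the lock held. */
static int threads_dispatch(Dispatch *d) {
  int keep;
  threads_enter();
  keep = d->func(d->data);
  threads_leave();
  return keep;
}

/* gdk_threads_dispatch_free() as it was, and as comment 3 proposes. */
static void dispatch_free_plain(Dispatch *d) {
  if (d->destroy && d->data) d->destroy(d->data);
}
static void dispatch_free_locked(Dispatch *d) {
  if (threads_enter() != LOCK_OK) return;   /* a real thread would hang here */
  if (d->destroy && d->data) d->destroy(d->data);
  threads_leave();
}

/* Like g_source_remove(): destroying the source runs its destroy notify now. */
static void source_remove(Dispatch *d) {
  if (d->removed) return;
  d->removed = 1;
  active_free(d);
}

static int notify_ran, notify_held_lock;
static void cleanup_notify(void *data) {      /* stands in for a clean-up notify */
  (void)data;
  notify_ran++;
  notify_held_lock = gdk_lock.held;           /* must be 1 if the notify calls gtk_*() */
}

static int idle_balanced(void *data)      { (void)data; return 0; }
static int idle_surplus_leave(void *data) { (void)data; threads_leave(); return 0; } /* comment 1 bug */
static int idle_removes_self(void *data)  { source_remove((Dispatch *)data); return 0; } /* removal from a GTK callback */

typedef struct { int lock_errors; int notify_ran; int notify_held_lock; } Result;

/* One main-loop iteration for a one-shot idle: dispatch, then destroy the source
 * (which runs the notify) unless the callback already removed it. */
static Result run_idle(IdleFunc func, FreeFunc free_variant) {
  Dispatch d = { func, cleanup_notify, NULL, 0 };
  Result r;
  d.data = &d;                                 /* model only: the idle's data is its own source */
  memset(&gdk_lock, 0, sizeof gdk_lock);
  notify_ran = 0; notify_held_lock = -1;
  active_free = free_variant;
  if (!threads_dispatch(&d)) source_remove(&d);
  r.lock_errors = gdk_lock.errors; r.notify_ran = notify_ran; r.notify_held_lock = notify_held_lock;
  return r;
}

int main(void) {
  struct { const char *name; IdleFunc f; FreeFunc free; } cases[] = {
    { "balanced idle, plain free",       idle_balanced,      dispatch_free_plain  },
    { "balanced idle, locked free",      idle_balanced,      dispatch_free_locked },
    { "surplus LEAVE in idle",           idle_surplus_leave, dispatch_free_plain  },
    { "self-removing idle, plain free",  idle_removes_self,  dispatch_free_plain  },
    { "self-removing idle, locked free", idle_removes_self,  dispatch_free_locked },
  };
  for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
    Result r = run_idle(cases[i].f, cases[i].free);
    printf("%-32s errors=%d notify_ran=%d notify_held_lock=%d\n",
           cases[i].name, r.lock_errors, r.notify_ran, r.notify_held_lock);
  }
  return 0;
}
```

The surplus LEAVE case shows why the extra GDK_THREADS_LEAVE() removed in r18375 mattered: the dispatcher's own LEAVE then releases a lock nobody holds. The two self-removing cases show the trade-off in comment 3's patch: without the wrapping, a notify run by the main loop after the callback returns sees the lock released, so gtk_*() calls inside it are unsafe; with the wrapping, that case is fixed but a source removed from inside a callback already running under the lock hits a second ENTER on a non-recursive lock.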
Comment 5 Vincent Untz 2007-07-07 08:43:53 UTC
*** Bug 454455 has been marked as a duplicate of this bug. ***
Comment 6 Pascal Terjan 2007-07-13 13:39:51 UTC
*** Bug 456589 has been marked as a duplicate of this bug. ***
Comment 7 Philip Withnall 2008-01-09 22:24:44 UTC
*** Bug 508093 has been marked as a duplicate of this bug. ***
Comment 8 Philip Withnall 2008-01-25 18:07:50 UTC
*** Bug 512060 has been marked as a duplicate of this bug. ***
Comment 9 Philip Withnall 2008-02-29 16:56:51 UTC
*** Bug 519461 has been marked as a duplicate of this bug. ***