After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.
Bug 453033 - gnome-panel crashed with SIGSEGV in idle_populate_func()
gnome-panel crashed with SIGSEGV in idle_populate_func()
Status: RESOLVED FIXED
Product: gtk+
Classification: Platform
Component: Class: GtkRecent
2.11.x
Other Linux
: Normal critical
: ---
Assigned To: gtk-bugs
Emmanuele Bassi (:ebassi)
: 454455 456589 508093 512060 519461 (view as bug list)
Depends on:
Blocks:
 
 
Reported: 2007-07-02 08:04 UTC by Sebastien Bacher
Modified: 2008-02-29 16:56 UTC
See Also:
GNOME target: ---
GNOME version: 2.19/2.20

Attachments
Remove double unlock and potential use after free (1.44 KB, patch)
2007-07-02 11:51 UTC, Chris Wilson 		committed Details | Review

Description Sebastien Bacher 2007-07-02 08:04:04 UTC 
The bug has been opened on https://bugs.launchpad.net/bugs/123480

"Binary package hint: gnome-panel

I'm not sure what this program is. Nothing visible changed. Sorry I can't be of more help.

ProblemType: Crash
Architecture: i386
Date: Sun Jul 1 22:36:02 2007
DistroRelease: Ubuntu 7.10
ExecutablePath: /usr/bin/gnome-panel
NonfreeKernelModules: nvidia
Package: gnome-panel 1:2.19.4-0ubuntu1
...
.

+ Trace 145198

Thread 1 (process 13008)

  • #0 idle_populate_func
    at /build/buildd/gtk+2.0-2.11.4/gtk/gtkrecentchoosermenu.c line 938
  • #1 gdk_threads_dispatch
    at /build/buildd/gtk+2.0-2.11.4/gdk/gdk.c line 470
  • #2 g_idle_dispatch
    at /build/buildd/glib2.0-2.13.5/glib/gmain.c line 4131
  • #3 IA__g_main_context_dispatch
    at /build/buildd/glib2.0-2.13.5/glib/gmain.c line 2061
  • #4 g_main_context_iterate
    at /build/buildd/glib2.0-2.13.5/glib/gmain.c line 2694
  • #5 IA__g_main_loop_run
    at /build/buildd/glib2.0-2.13.5/glib/gmain.c line 2898
  • #6 IA__gtk_main
    at /build/buildd/gtk+2.0-2.11.4/gtk/gtkmain.c line 1144
  • #7 main
    at main.c line 99 






Comment 1


Chris Wilson





          2007-07-02 11:51:03 UTC
        



Created attachment 91026 [details] [review]
Remove double unlock and potential use after free

Whilst not immediately explaining the segfault, I spotted an erroneous GDK_THREAD_LEAVE() and potential attempt to access the GtkRecentChooserMenuPrivate after the menu had been finalized.






Comment 2


Matthias Clasen





          2007-07-03 15:48:18 UTC
        



That patch looks fine, please commit.






Comment 3


Chris Wilson





          2007-07-04 07:38:29 UTC
        



Matthias, one other detail that I've only just noticed is the use of gtk* functions within the DestroyNotify which suggests wrapping the gdk_threads_dispatch_free() with a ENTER/LEAVE:
Index: gdk/gdk.c
===================================================================
--- gdk/gdk.c   (revision 17988)
+++ gdk/gdk.c   (working copy)
@@ -479,9 +479,13 @@ gdk_threads_dispatch_free (gpointer data
 {
   GdkThreadsDispatch *dispatch = data;
 
+  GDK_THREADS_ENTER ();
+
   if (dispatch->destroy && dispatch->data)
     dispatch->destroy (dispatch->data);
 
+  GDK_THREADS_LEAVE ();
+
   g_slice_free (GdkThreadsDispatch, data);
 }







Comment 4


Chris Wilson





          2007-07-04 07:45:15 UTC
        



Committed gtkrecentchoosermenu.c patch, r18375:
2007-07-04  Chris Wilson  <chris@chris-wilson.co.uk>

	* gtk/gtkrecentchoosermenu.c (idle_populate_func),
	(idle_populate_clean_up), (gtk_recent_chooser_menu_populate):
	Remove a surplus GDK_THREADS_LEAVE() and avoid a potential use after
	free in the source destroy notify. (#453033)







Comment 5


Vincent Untz





          2007-07-07 08:43:53 UTC
        



*** Bug 454455 has been marked as a duplicate of this bug. ***






Comment 6


Pascal Terjan





          2007-07-13 13:39:51 UTC
        



*** Bug 456589 has been marked as a duplicate of this bug. ***






Comment 7


Philip Withnall





          2008-01-09 22:24:44 UTC
        



*** Bug 508093 has been marked as a duplicate of this bug. ***






Comment 8


Philip Withnall





          2008-01-25 18:07:50 UTC
        



*** Bug 512060 has been marked as a duplicate of this bug. ***






Comment 9


Philip Withnall





          2008-02-29 16:56:51 UTC
        



*** Bug 519461 has been marked as a duplicate of this bug. ***