Bug 572549 – Memory corruption in gnome-terminal

After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.

Bug 572549 - Memory corruption in gnome-terminal


Summary:	Memory corruption in gnome-terminal


Status:	RESOLVED FIXED

Product:	gnome-terminal
Classification:	Core
Component:	general
Version:	2.25.x
Hardware:	Other Linux

Importance:	Normal critical
Target Milestone:	---
Assigned To:	GNOME Terminal Maintainers
QA Contact:	GNOME Terminal Maintainers

URL:
Whiteboard:

Duplicates:	574369 574425 575487 (view as bug list)
Depends on:
Blocks:

Reported:	2009-02-20 12:57 UTC by Daniel Holbach
Modified:	2009-03-16 18:44 UTC

See Also:
GNOME target:	---
GNOME version:	2.25/2.26

Attachments
valgrind log (8.51 KB, application/x-gzip) 2009-02-20 17:05 UTC, Daniel Holbach	Details

Description Daniel Holbach 2009-02-20 12:57:35 UTC

I had a bunch of crashes which all occured when using multiple tabs for a while and ctrl-d-ing out of one of the sessions causing a tab to be closed.

This resulted in crashes like
http://launchpadlibrarian.net/22903593/ThreadStacktrace.txt
http://launchpadlibrarian.net/22883648/ThreadStacktrace.txt
http://launchpadlibrarian.net/22892052/ThreadStacktrace.txt

Here relevant portions of the valgrind log:

==22315== Invalid free() / delete / delete[]
==22315==    at 0x4025B4A: free (vg_replace_malloc.c:323)
==22315==    by 0x485A0C5: g_free (gmem.c:190)
==22315==    by 0x806A4BC: terminal_screen_finalize (terminal-screen.c:653)
==22315==    by 0x47E4FB8: g_object_unref (gobject.c:2421)
==22315==    by 0x4069C46: vte_terminal_catch_child_exited (vte.c:3359)
==22315==    by 0x404BDE2: _vte_marshal_VOID__INT_INT (marshal.c:143)
==22315==    by 0x47E2CAA: g_closure_invoke (gclosure.c:767)
==22315==    by 0x47FA3A8: signal_emit_unlocked_R (gsignal.c:3244)
==22315==    by 0x47FBA1A: g_signal_emit_valist (gsignal.c:2977)
==22315==    by 0x47FBD72: g_signal_emit_by_name (gsignal.c:3071)
==22315==    by 0x404DAD9: vte_reaper_child_watch_cb (reaper.c:34)
==22315==    by 0x484FC51: g_child_watch_dispatch (gmain.c:3631)
==22315==    by 0x4851AF7: g_main_context_dispatch (gmain.c:1814)
==22315==    by 0x485505A: g_main_context_iterate (gmain.c:2448)
==22315==    by 0x4855529: g_main_loop_run (gmain.c:2656)
==22315==    by 0x4362798: gtk_main (gtkmain.c:1205)
==22315==    by 0x805A604: main (terminal.c:486)
==22315==  Address 0x5b061e8 is 0 bytes inside a block of size 28 free'd
==22315==    at 0x4025B4A: free (vg_replace_malloc.c:323)
==22315==    by 0x485A0C5: g_free (gmem.c:190)
==22315==    by 0x4637D2F: gdk_region_destroy (gdkregion-generic.c:340)
==22315==    by 0x40524D1: update_regions (vte.c:14050)
==22315==    by 0x40699A3: update_repeat_timeout (vte.c:14103)
==22315==    by 0x4852225: g_timeout_dispatch (gmain.c:3253)
==22315==    by 0x4851AF7: g_main_context_dispatch (gmain.c:1814)
==22315==    by 0x485505A: g_main_context_iterate (gmain.c:2448)
==22315==    by 0x4855529: g_main_loop_run (gmain.c:2656)
==22315==    by 0x4362798: gtk_main (gtkmain.c:1205)
==22315==    by 0x805A604: main (terminal.c:486)

gnome-terminal 2.25.91.

Please let me know if you need anything else.

Comment 1 Christian Persch 2009-02-20 16:29:05 UTC

Do you have a full valgrind log for that? A test run here didn't show this...

Comment 2 Daniel Holbach 2009-02-20 17:05:31 UTC

Created attachment 129164 [details]
valgrind log

Comment 3 Christian Persch 2009-02-22 15:57:20 UTC

Was that valgrinding done with G_DEBUG=gc-friendly G_SLICE=always-malloc ?

You also could try to run g-t with G_SLICE=always-malloc MALLOC_CHECK_=2 under gdb, and get a trace from the crash this should eventually produce.

Comment 4 Daniel Holbach 2009-02-24 14:27:58 UTC

I used G_SLICE=always-malloc G_DEBUG=gc-friendly  valgrind -v --tool=memcheck --leak-check=full --num-callers=40 --log-file=valgrind.log <program> <arguments>

I'll try to get a gdb crash now. Might take a while.

Comment 5 Daniel Holbach 2009-02-24 15:27:17 UTC

(gdb) thread apply all bt full

+ Trace 212854

Thread 1 (Thread 0x7f004f07f7d0 (LWP 4676))

#0 raise
from /lib/libc.so.6
#1 abort
from /lib/libc.so.6
#2 malloc_printerr
from /lib/libc.so.6
#3 terminal_screen_finalize
at terminal-screen.c line 653
#4 IA__g_object_unref
at /build/buildd/glib2.0-2.19.8/gobject/gobject.c line 2421
#5 IA__g_closure_invoke
at /build/buildd/glib2.0-2.19.8/gobject/gclosure.c line 767
#6 signal_emit_unlocked_R
at /build/buildd/glib2.0-2.19.8/gobject/gsignal.c line 3244
#7 IA__g_signal_emit_valist
at /build/buildd/glib2.0-2.19.8/gobject/gsignal.c line 2977
#8 IA__g_signal_emit_by_name
at /build/buildd/glib2.0-2.19.8/gobject/gsignal.c line 3071
#9 vte_reaper_child_watch_cb
at /build/buildd/vte-0.19.4/./src/reaper.c line 34
#10 g_child_watch_dispatch
at /build/buildd/glib2.0-2.19.8/glib/gmain.c line 3631
#11 IA__g_main_context_dispatch
at /build/buildd/glib2.0-2.19.8/glib/gmain.c line 1814
#12 g_main_context_iterate
at /build/buildd/glib2.0-2.19.8/glib/gmain.c line 2448
#13 IA__g_main_loop_run
at /build/buildd/glib2.0-2.19.8/glib/gmain.c line 2656
#14 IA__gtk_main
at /build/buildd/gtk+2.0-2.15.4/gtk/gtkmain.c line 1205
#15 main
at terminal.c line 486

Comment 6 Christian Persch 2009-02-24 16:00:22 UTC

Thanks! Should be fixed in svn trunk now.

Comment 7 Daniel Holbach 2009-02-24 16:19:22 UTC

Thanks a bunch - I'll take it for a ride and let you know.

Comment 8 Daniel Holbach 2009-02-25 08:49:24 UTC

It's looking good and I merged the change into the Ubuntu package - great work!

Comment 9 Priit Laes (IRC: plaes) 2009-03-16 12:26:53 UTC

*** Bug 575487 has been marked as a duplicate of this bug. ***

Comment 10 Christian Persch 2009-03-16 18:44:37 UTC

*** Bug 574369 has been marked as a duplicate of this bug. ***

Comment 11 Christian Persch 2009-03-16 18:44:57 UTC

*** Bug 574425 has been marked as a duplicate of this bug. ***