GNOME Bugzilla – Bug 315135
occasional segv in gtkentry during destroy
Last modified: 2007-02-10 22:55:10 UTC
Version details: also in CVS

sorry, hard to reproduce, but see below for a simple patch

gtk_entry_recompute() delays recompute until idle

recompute_idle_func() calls gtk_widget_has_screen()

gtk_widget_has_screen() assumes fields like widget->parent are valid

the idle is not removed until gtk_entry_finalize(), but fields like widget->parent are not guaranteed to be valid then

therefore if the entry is destroyed with a delayed recompute still pending, you can get a segv

In my app I can reproducibly get this out of valgrind:

==5239== Invalid read of size 4
==5239==    at 0x1BB26792: IA__gtk_widget_get_toplevel (gtkwidget.c:6154)
==5239==    by 0x1BB25B04: gtk_widget_get_screen_unchecked (gtkwidget.c:5533)
==5239==    by 0x1BB25C54: IA__gtk_widget_has_screen (gtkwidget.c:5606)
==5239==    by 0x1B9B7E44: recompute_idle_func (gtkentry.c:2891)
==5239==  Address 0x1E13C0A8 is 56 bytes inside a block of size 256 free'd
==5239==    at 0x1B905460: free (vg_replace_malloc.c:153)
==5239==    by 0x1C622833: IA__g_free (gmem.c:187)
==5239==    by 0x1BC1B388: IA__gdk_region_destroy (gdkregion-generic.c:332)
==5239==    by 0x1BC21555: IA__gdk_window_invalidate_maybe_recurse (gdkwindow.c:2492)

but I've been unable to make a small example that triggers this :-(

The problem goes if I shift the g_source_remove() for recompute_idle from gtk_entry_finalize() to the top of gtk_entry_destroy(), since widget->parent is still valid there.
2005-09-02  Matthias Clasen  <mclasen@redhat.com>

	* gtk/gtkentry.c (gtk_entry_destroy): Disconnect idle handlers
	on destroy to avoid problems when they are called on a destroyed
	widget. (#315135, John Cupitt)
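The lifetime problem described in this report, as an added example that is not GTK code and not part of the original bug thread: a toy idle queue and widget (the Widget struct, idle_add, idle_remove, widget_destroy and simulate are all hypothetical names) comparing idle removal deferred to finalize against removal at the top of destroy. It assumes the main loop gets to run between destroy and finalize, and it counts stale callback runs instead of dereferencing freed memory.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model: a widget with a deferred "recompute" idle callback. */
typedef struct Widget {
    struct Widget *parent;  /* only trustworthy until destroy */
    bool destroyed;
    bool idle_pending;      /* stands in for the idle source id */
    int stale_runs;         /* idle callbacks that ran after destroy */
} Widget;

static Widget *idle_queue[8];
static size_t idle_len;

static void idle_add(Widget *w) {
    idle_queue[idle_len++] = w;
    w->idle_pending = true;
}
static void idle_remove(Widget *w) {
    for (size_t i = 0; i < idle_len; i++)
        if (idle_queue[i] == w) { idle_queue[i] = idle_queue[--idle_len]; break; }
    w->idle_pending = false;
}
/* The real callback walks w->parent; after destroy that is the invalid read.
 * The model only records that it happened. */
static void recompute_idle(Widget *w) {
    w->idle_pending = false;
    if (w->destroyed) w->stale_runs++;
}
static void widget_destroy(Widget *w, bool remove_idle_in_destroy) {
    if (remove_idle_in_destroy && w->idle_pending) idle_remove(w);
    w->parent = NULL;       /* parent link is gone from here on */
    w->destroyed = true;
}
/* Returns how many times the idle callback touched a destroyed widget. */
int simulate(bool remove_idle_in_destroy) {
    Widget parent = {0}, entry = { .parent = &parent };
    idle_len = 0;
    idle_add(&entry);                               /* recompute is deferred */
    widget_destroy(&entry, remove_idle_in_destroy);
    while (idle_len > 0) recompute_idle(idle_queue[--idle_len]); /* main loop */
    if (entry.idle_pending) idle_remove(&entry);    /* finalize: too late */
    return entry.stale_runs;
}
int main(void) {
    printf("remove in finalize: %d stale run(s)\n", simulate(false));
    printf("remove in destroy:  %d stale run(s)\n", simulate(true));
    return 0;
}
```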
could bug 406462 be related to this?