GNOME Bugzilla – Bug 379112
Crashes when copy-pasting text
Last modified: 2006-11-28 00:38:32 UTC
Hi, Martin Hawlisch reported in Debian bug http://bugs.debian.org/400048:

"""I'm using gtranslator to edit the German po file of GRAMPS. Especially when doing copy and paste in the translation field gtranslator crashes very often. It prints to the console:

*** glibc detected *** free(): invalid pointer: 0x089a3c28 ***

and then is hanging."""

He produced a valgrind log with a gtranslator rebuilt with debugging symbols and I wrote a patch which probably fixes the issue, which I'm going to attach. Bye,
Created attachment 77123 [details] [review] Nullify selection_buffer after g_free()ing it; probably fixes double free()
The patch doesn't appear to do anything useful. The selection_buffer is reset anyway on the next line.
Oops. Well, I tried breaking on the gtk_text_buffer_new(), noting down the allocated address, then breaking on free() and realloc() if the corresponding register is set to this address (I used $eax for free and $esi for realloc), but I only got a *single* hit on the free() breakpoint, after which I get the double free() warning from glibc. :-(
Running under G_SLICE=always-malloc doesn't crash, I suppose that means that some code is calling free() instead of g_free().
I linked gtranslator with --as-needed and listed all directly linked libraries. The following libs from this list are calling libc's free(): /lib/libpopt.so.0 /usr/lib/libgnomevfs-2.so.0 /usr/lib/libxml2.so.2 /usr/lib/libgtk-x11-2.0.so.0 /usr/lib/libgdk-x11-2.0.so.0 /usr/lib/libglib-2.0.so.0 Glib is obviously normal. libpopt and libxml2 aren't using glib. Could it be a Gtk or Gnome-VFS bug?
Created attachment 77213 [details] [review] g_object_unref() selection_buffer instead of g_free()ing it
(Dafydd Harries explained the issue to me, so he's the one to credit for the patch.)
This is not a double free; it's simply that the text buffer is a GObject and should be memory-managed with g_object_unref() instead of free(). The crash doesn't happen with G_SLICE=always-malloc because this means that the GtkTextBuffer object is then allocated using malloc() instead of from a slice, which means free() can be called on it without causing a crash.
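Added example, not part of the bug report or of gtranslator's or GLib's code: a small self-contained C model of the failure mode described in the comment above. A toy slice pool stands in for GLib's slice allocator and a refcounted `TextBuffer` stands in for the GObject; `release_with_free()` models what goes wrong when a slice-allocated object is handed to libc `free()` instead of being released through its own unref. All names (`slice_alloc`, `slice_owns`, `text_buffer_unref`, `release_with_free`) are constructed for this illustration and do not exist in GLib.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdbool.h>

/* Toy slice pool: objects are carved out of a static arena, so a pointer
 * returned by slice_alloc() was never produced by malloc() and must never
 * be passed to free(). Handing it to free() is exactly what glibc reports
 * as "free(): invalid pointer". (Constructed model, not GLib's allocator.) */
#define SLICE_SIZE  64
#define SLICE_COUNT 8

static union { max_align_t align; unsigned char bytes[SLICE_SIZE]; } slice_pool[SLICE_COUNT];
static bool slice_used[SLICE_COUNT];
static int slices_in_use;

static void *slice_alloc(void) {
    for (int i = 0; i < SLICE_COUNT; i++) {
        if (!slice_used[i]) {
            slice_used[i] = true;
            slices_in_use++;
            return slice_pool[i].bytes;
        }
    }
    return NULL;
}

/* True if p lives inside the pool. libc free() has no such check, which is
 * why mixing the two allocators corrupts the heap instead of failing cleanly. */
static bool slice_owns(const void *p) {
    const unsigned char *b = p;
    const unsigned char *start = slice_pool[0].bytes;
    return b >= start && b < start + sizeof slice_pool;
}

static void slice_free(void *p) {
    size_t idx = (size_t)((unsigned char *)p - slice_pool[0].bytes) / sizeof slice_pool[0];
    slice_used[idx] = false;
    slices_in_use--;
}

static int slices_in_use_count(void) { return slices_in_use; }

/* Refcounted object standing in for a GtkTextBuffer (a GObject). */
typedef struct {
    int  ref_count;
    char text[48];
} TextBuffer;

static TextBuffer *text_buffer_new(const char *initial) {
    TextBuffer *tb = slice_alloc();
    if (!tb) return NULL;
    tb->ref_count = 1;
    strncpy(tb->text, initial, sizeof tb->text - 1);
    tb->text[sizeof tb->text - 1] = '\0';
    return tb;
}

static TextBuffer *text_buffer_ref(TextBuffer *tb) {
    tb->ref_count++;
    return tb;
}

/* The correct release path (the role of g_object_unref() in the fix):
 * only the holder dropping the last reference returns the slice to the
 * pool. Returns the number of references that remain. */
static int text_buffer_unref(TextBuffer *tb) {
    if (--tb->ref_count == 0) {
        slice_free(tb);
        return 0;
    }
    return tb->ref_count;
}

/* The wrong release path (the role of g_free()/free() in the original code),
 * made observable: refuse to pass a pool pointer to libc free(). With the
 * pool disabled (the effect of G_SLICE=always-malloc) every object would come
 * from malloc() and this mismatch would silently stop crashing, which is why
 * that setting hides the bug rather than fixing it. */
static bool release_with_free(void *p) {
    if (slice_owns(p))
        return false;   /* would have been the invalid free() */
    free(p);
    return true;
}

int main(void) {
    TextBuffer *tb = text_buffer_new("hallo");
    text_buffer_ref(tb);                 /* a second holder, e.g. the widget */
    (void)release_with_free(tb);         /* wrong: refused by the model */
    text_buffer_unref(tb);               /* right: 1 reference remains */
    text_buffer_unref(tb);               /* right: slice returned to pool */
    return slices_in_use_count();        /* 0 on success */
}
```

The two release functions make the point of the comment concrete: the allocator that produced an object decides how it is returned, and a refcounted object must be released through its unref so that both the allocator match and the other holders' references are respected.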
Fixed in CVS. Will roll a 1.1.7 release shortly containing this patch. Thanks, guys.
*** Bug 348687 has been marked as a duplicate of this bug. ***
*** Bug 139738 has been marked as a duplicate of this bug. ***
*** Bug 344133 has been marked as a duplicate of this bug. ***
*** Bug 350277 has been marked as a duplicate of this bug. ***
*** Bug 351081 has been marked as a duplicate of this bug. ***