GNOME Bugzilla – Bug 628563
use-after-free crash in objects_added_cb()
Last modified: 2011-01-05 17:48:53 UTC
==25576== Invalid read of size 8
==25576==    at 0x6DA43F3: objects_added_cb (e-cal-view.c:109)
==25576==    by 0x3D3DE0E50D: g_closure_invoke (gclosure.c:766)
==25576==    by 0x3D3DE2000A: signal_emit_unlocked_R (gsignal.c:3252)
==25576==    by 0x3D3DE29B49: g_signal_emit_valist (gsignal.c:2983)
==25576==    by 0x3D3DE29CF2: g_signal_emit (gsignal.c:3040)
==25576==    by 0x6DAC284: g_signal (e-gdbus-egdbuscalview.c:1426)
==25576==    by 0x3D3DE0E50D: g_closure_invoke (gclosure.c:766)
==25576==    by 0x3D3DE1FDFF: signal_emit_unlocked_R (gsignal.c:3290)
==25576==    by 0x3D3DE29B49: g_signal_emit_valist (gsignal.c:2983)
==25576==    by 0x3D3DE29CF2: g_signal_emit (gsignal.c:3040)
==25576==    by 0x3D3E6972E1: emit_signal_instance_in_idle_cb (gdbusconnection.c:3223)
==25576==    by 0x3D3D63EF22: g_main_context_dispatch (gmain.c:2119)
==25576==  Address 0x2accc670 is 0 bytes inside a block of size 48 free'd
==25576==    at 0x4A04D72: free (vg_replace_malloc.c:325)
==25576==    by 0x3D3D645DC2: g_free (gmem.c:204)
==25576==    by 0x3D3D65CB50: g_slice_free1 (gslice.c:901)
==25576==    by 0x3D3DE32DD2: g_type_free_instance (gtype.c:1932)
==25576==    by 0xEC74A77: free_dn_queries (gnome-cal.c:1043)
==25576==    by 0xEC75746: update_query_async (gnome-cal.c:1064)
==25576==    by 0xEC7487D: message_proxy (gnome-cal.c:187)
==25576==    by 0x3D3D668EC3: g_thread_pool_thread_proxy (gthreadpool.c:314)
==25576==    by 0x3D3D666745: g_thread_create_proxy (gthread.c:1897)
==25576==    by 0x359B007760: start_thread (pthread_create.c:301)
==25576==    by 0x359A8E14EC: clone (clone.S:115)
==25576==
==25576== Invalid read of size 8
==25576==    at 0x6DA43FB: objects_added_cb (e-cal-view.c:109)
==25576==    by 0x3D3DE0E50D: g_closure_invoke (gclosure.c:766)
==25576==    by 0x3D3DE2000A: signal_emit_unlocked_R (gsignal.c:3252)
==25576==    by 0x3D3DE29B49: g_signal_emit_valist (gsignal.c:2983)
==25576==    by 0x3D3DE29CF2: g_signal_emit (gsignal.c:3040)
==25576==    by 0x6DAC284: g_signal (e-gdbus-egdbuscalview.c:1426)
==25576==    by 0x3D3DE0E50D: g_closure_invoke (gclosure.c:766)
==25576==    by 0x3D3DE1FDFF: signal_emit_unlocked_R (gsignal.c:3290)
==25576==    by 0x3D3DE29B49: g_signal_emit_valist (gsignal.c:2983)
==25576==    by 0x3D3DE29CF2: g_signal_emit (gsignal.c:3040)
==25576==    by 0x3D3E6972E1: emit_signal_instance_in_idle_cb (gdbusconnection.c:3223)
==25576==    by 0x3D3D63EF22: g_main_context_dispatch (gmain.c:2119)
==25576==  Address 0xaaaaaaaaaaaaaaaa is not stack'd, malloc'd or (recently) free'd
==25576==
==25576==
==25576== Process terminating with default action of signal 11 (SIGSEGV)
==25576==  General Protection Fault
This looks like it's from a stable release; 2.30 maybe?
Actually nevermind, I misinterpreted part of the trace.
Created attachment 176003: eds patch
for evolution-data-server; I cannot reproduce this crash, but it seems to me it's caused by not disconnecting from a GDBus object signals, which adds this patch.
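The root cause described in the comment above, as an added example that is not part of this bug report or of the evolution-data-server code: a listener object connects a handler to a signal-emitting "view" and passes itself as the user data. If the listener is freed while the handler is still connected, the view keeps a pointer to freed memory and the next emission reads it, which is exactly what valgrind reports as an invalid read inside a block that was free'd. The model below is plain C with no GLib dependency; the view, listener, handler-registry functions and the two teardown routines are all constructed for illustration and do not correspond to the real e-cal-view or gnome-cal API.

```c
/* Added example (not the eds code): a minimal signal registry showing
 * why a handler must be disconnected before its user_data is freed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_HANDLERS 8

typedef void (*handler_fn)(void *user_data, const char *payload);

typedef struct {
    handler_fn fn;
    void *user_data;   /* owned by whoever connected, not by the view */
} handler_slot;

typedef struct {
    handler_slot slots[MAX_HANDLERS];
    int count;
} view;

typedef struct {
    view *v;
    int handler_id;    /* index into v->slots, or -1 once disconnected */
    int objects_seen;
} listener;

/* Connect a handler; returns its id (or -1 when the registry is full). */
static int view_connect(view *v, handler_fn fn, void *user_data) {
    if (v->count >= MAX_HANDLERS) return -1;
    v->slots[v->count].fn = fn;
    v->slots[v->count].user_data = user_data;
    return v->count++;
}

/* Disconnect by id: clear the slot so emission skips it. */
static void view_disconnect(view *v, int id) {
    if (id < 0 || id >= v->count) return;
    v->slots[id].fn = NULL;
    v->slots[id].user_data = NULL;
}

/* Emit: invoke every still-connected handler with its user_data. */
static void view_emit(view *v, const char *payload) {
    for (int i = 0; i < v->count; i++)
        if (v->slots[i].fn)
            v->slots[i].fn(v->slots[i].user_data, payload);
}

/* Handlers still connected.  After the buggy teardown this still counts
 * the dangling one; after the fixed teardown it does not. */
static int view_connected_count(const view *v) {
    int n = 0;
    for (int i = 0; i < v->count; i++)
        if (v->slots[i].fn) n++;
    return n;
}

/* Handler with the same shape as the crashing objects_added_cb(): it
 * dereferences user_data, so a dangling pointer here is a use-after-free. */
static void objects_added(void *user_data, const char *payload) {
    listener *l = user_data;
    (void)payload;
    l->objects_seen++;
}

static listener *listener_new(view *v) {
    listener *l = calloc(1, sizeof *l);
    l->v = v;
    l->handler_id = view_connect(v, objects_added, l);
    return l;
}

/* Buggy teardown: frees the listener but leaves its handler connected. */
static void listener_free_buggy(listener *l) {
    free(l);
}

/* Fixed teardown: disconnect first, then free (what the patch does with
 * the GDBus object signals). */
static void listener_free_fixed(listener *l) {
    view_disconnect(l->v, l->handler_id);
    l->handler_id = -1;
    free(l);
}

/* Runs one scenario and returns the number of handlers still connected
 * after teardown: 1 means a dangling pointer is waiting for the next emit. */
static int run_scenario(int fixed) {
    view v;
    memset(&v, 0, sizeof v);
    listener *l = listener_new(&v);
    view_emit(&v, "event-1");            /* safe: the listener is alive */
    if (fixed) listener_free_fixed(l); else listener_free_buggy(l);
    /* A further view_emit() here would be the use-after-free from the
     * report in the buggy case, so only the registry state is inspected. */
    return view_connected_count(&v);
}

int main(void) {
    printf("buggy teardown leaves %d dangling handler(s)\n", run_scenario(0));
    printf("fixed teardown leaves %d handler(s)\n", run_scenario(1));
    return 0;
}
```

Running the buggy variant under valgrind with a second emission after teardown produces the same shape of report as the one in this bug: an invalid read in the handler, with the freeing stack pointing at the listener's destructor. The general rule is that whoever passes itself as signal user data must disconnect in its own dispose path, and that disconnecting has to happen on every teardown route, not only the common one.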
Created commit 3aabc76 in eds master (2.91.4+)
*** Bug 584456 has been marked as a duplicate of this bug. ***