GNOME Bugzilla – Bug 313232
freed memory is used
Last modified: 2005-09-16 10:38:07 UTC
Distribution/Version: Mandriva cooker

When adding and removing .menu files in the user directory (forcing gnome-menus to switch between the system menu and the user menu), we can get the following valgrind trace:

==8209== Invalid read of size 4
==8209==    at 0x1C55CC3E: invoke_notifies (menu-monitor.c:80)
==8209==    by 0x1C55CD0F: emit_events_in_idle (menu-monitor.c:129)
==8209==    by 0x1C590A92: g_idle_dispatch (gmain.c:3813)
==8209==    by 0x1C58DFE5: g_main_dispatch (gmain.c:1934)
==8209==    by 0x1C58EE3E: g_main_context_dispatch (gmain.c:2484)
==8209==    by 0x1C58F200: g_main_context_iterate (gmain.c:2565)
==8209==    by 0x1C58F7C4: g_main_loop_run (gmain.c:2769)
==8209==    by 0x1BE3FA80: gtk_main (gtkmain.c:974)
==8209==    by 0x8064240: main (main.c:90)
==8209==  Address 0x1CDAC888 is 0 bytes inside a block of size 8 free'd
==8209==    at 0x1B9003B3: free (vg_replace_malloc.c:235)
==8209==    by 0x1C593F39: g_free (gmem.c:187)
==8209==    by 0x1C5A14C0: g_slist_free_1 (gslist.c:226)
==8209==    by 0x1C5A1784: g_slist_delete_link (gslist.c:461)
==8209==    by 0x1C55D7BD: menu_monitor_remove_notify (menu-monitor.c:592)
==8209==    by 0x1C5532B5: cached_dir_free (entry-directories.c:130)
==8209==    by 0x1C5537B1: cached_dir_remove_subdir (entry-directories.c:362)
==8209==    by 0x1C553969: handle_cached_dir_changed (entry-directories.c:445)
==8209==    by 0x1C55CC4E: invoke_notifies (menu-monitor.c:83)
==8209==    by 0x1C55CD0F: emit_events_in_idle (menu-monitor.c:129)
==8209==    by 0x1C590A92: g_idle_dispatch (gmain.c:3813)
==8209==    by 0x1C58DFE5: g_main_dispatch (gmain.c:1934)

This can result in either an infinite loop or a crash :(
Created attachment 50579: libmenu-fix-memory-corruption-race.patch

This should fix it - give it a good hammering with your test case ... all I've done is made sure that it compiles.
Looks good, I can no longer reproduce the valgrind output nor the crash.
Thanks

2005-08-12  Mark McLoughlin  <mark@skynet.ie>

	Fixes bug #313232 - memory corruption issue where notifies
	were being removed from under us as we walked the list of
	notifies.

	* libmenu/menu-monitor.c:
	(menu_monitor_notify_ref), (menu_monitor_notify_unref):
	make MenuMonitorNotify refcounted.
	(menu_monitor_add_notify): set initial refcount.
	(menu_monitor_remove_notify): when removing the notify, unset
	the callback pointer and unref.
	(invoke_notifies): make a copy of the notifies list and ref
	each notify before invoking the callbacks - callbacks may
	cause arbitrary notifies to be removed as we walk the list.
	(menu_monitor_unref): unref each of the notifies rather than
	freeing them.
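The ChangeLog above describes the fix in words; the following is an added example, written for this page and not taken from gnome-menus, that reconstructs the pattern in plain C so the before/after can be read side by side. It uses a hypothetical hand-rolled singly linked list in place of GSList (so it compiles without GLib), and the names Monitor, Notify, invoke_notifies_unsafe and invoke_notifies_safe are stand-ins, not libmenu identifiers. The scenario at the bottom is constructed: the first notify visited removes a sibling and then itself, which is what cached_dir_free does in the valgrind trace.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for libmenu's MenuMonitorNotify list. */
typedef struct Monitor Monitor;
typedef void (*NotifyFunc)(Monitor *monitor, void *user_data);

typedef struct Notify {
    NotifyFunc     func;       /* cleared on removal so a snapshot skips it */
    void          *user_data;
    int            refcount;
    struct Notify *next;
} Notify;

struct Monitor { Notify *notifies; };

static Notify *notify_ref(Notify *n) { n->refcount++; return n; }
static void notify_unref(Notify *n) { if (--n->refcount == 0) free(n); }

Notify *monitor_add_notify(Monitor *m, NotifyFunc func, void *user_data)
{
    Notify *n = calloc(1, sizeof *n);
    n->func = func;
    n->user_data = user_data;
    n->refcount = 1;            /* the list's own reference */
    n->next = m->notifies;      /* prepend, like g_slist_prepend */
    m->notifies = n;
    return n;
}

/* Unlink the notify and drop the list's reference. The callback pointer is
 * cleared first so an in-flight walk over a snapshot will not invoke it. */
void monitor_remove_notify(Monitor *m, Notify *target)
{
    Notify **link = &m->notifies;
    while (*link && *link != target)
        link = &(*link)->next;
    if (!*link)
        return;                 /* not in the list (already removed) */
    *link = target->next;
    target->func = NULL;
    notify_unref(target);       /* freed only once no walk holds a ref */
}

/* BEFORE the fix: walk the live list. If a callback removes the node being
 * visited, n is freed before n->next is read: the "Invalid read of size 4"
 * in the valgrind trace. Kept for comparison only; the demo never calls it. */
void invoke_notifies_unsafe(Monitor *m)
{
    for (Notify *n = m->notifies; n; n = n->next)
        n->func(m, n->user_data);
}

/* AFTER the fix: snapshot the list and ref every entry before invoking
 * anything, so a removal inside a callback only unlinks; the memory stays
 * valid until the snapshot releases it. */
void invoke_notifies_safe(Monitor *m)
{
    size_t count = 0, i = 0;
    for (Notify *n = m->notifies; n; n = n->next)
        count++;
    if (count == 0)
        return;
    Notify **snapshot = malloc(count * sizeof *snapshot);
    for (Notify *n = m->notifies; n; n = n->next)
        snapshot[i++] = notify_ref(n);
    for (i = 0; i < count; i++) {
        if (snapshot[i]->func)  /* skip entries removed by an earlier callback */
            snapshot[i]->func(m, snapshot[i]->user_data);
        notify_unref(snapshot[i]);
    }
    free(snapshot);
}

int monitor_count(Monitor *m)
{
    int c = 0;
    for (Notify *n = m->notifies; n; n = n->next) c++;
    return c;
}

/* Constructed scenario (not from the bug report): three notifies, the first
 * visited removes a sibling that has not yet been visited, then itself. */
static Monitor demo_mon;
static Notify *demo_n[3];
static int fired[3], survivors;

static void count_cb(Monitor *m, void *user_data) { (void)m; (*(int *)user_data)++; }

static void remover_cb(Monitor *m, void *user_data)
{
    (*(int *)user_data)++;
    monitor_remove_notify(m, demo_n[1]);    /* sibling, mid-walk */
    monitor_remove_notify(m, demo_n[0]);    /* itself, mid-walk */
}

int run_demo(void)
{
    memset(fired, 0, sizeof fired);
    demo_mon.notifies = NULL;
    demo_n[2] = monitor_add_notify(&demo_mon, count_cb, &fired[2]);
    demo_n[1] = monitor_add_notify(&demo_mon, count_cb, &fired[1]);
    demo_n[0] = monitor_add_notify(&demo_mon, remover_cb, &fired[0]);
    invoke_notifies_safe(&demo_mon);        /* walk order: n0 -> n1 -> n2 */
    survivors = monitor_count(&demo_mon);   /* only n2 is left in the list */
    monitor_remove_notify(&demo_mon, demo_n[2]);
    return fired[0] + fired[1] + fired[2];  /* n0 and n2 fired, n1 skipped */
}

int demo_survivors(void) { return survivors; }

int main(void)
{
    printf("callbacks fired: %d, notifies left: %d\n", run_demo(), demo_survivors());
    return 0;
}
```

Running the same scenario through invoke_notifies_unsafe would free n0 inside its own callback and then read n0->next, which is exactly the freed 8-byte block valgrind reports; under valgrind or AddressSanitizer that shows up as an invalid read, without either it is the "infinite loop or crash" of the original report. The refcount plus cleared-callback combination is what makes removal from inside a callback safe regardless of which entry the callback removes.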
*** Bug 313453 has been marked as a duplicate of this bug. ***
So, we've got what looks like a few dups of this from Fedora : bug #313453, bug #313537 and https://bugzilla.redhat.com/bugzilla/165977
My initial filing #313453 has been marked as a dupe of this. Was advised to re-open if it still occurs in 2.11.91-1. Am currently running Fedora Rawhide 15-08-2005 with gnome-panel-2.11.91-2 and am still experiencing it. Have been unable to update to rawhide of 16-08-2005 due to cairo, pixman dep conflicts in the repo however will re-open tomorrow if this is still a problem. Cheers Chris
Sorry, gnome-menus-2.11.91-1 contains the fix, not gnome-panel
*** Bug 315790 has been marked as a duplicate of this bug. ***