Bug 335217 - valgrind use-after-free in e-cal.c/open_async()
Status: RESOLVED FIXED
Product: evolution-data-server
Classification: Platform
Component: Calendar
Version: 1.12.x (obsolete)
OS: Other Linux
Importance: Normal major
Target Milestone: ---
Assigned To: evolution-calendar-maintainers
QA Contact: Evolution QA team
Depends on:
Blocks:
Reported: 2006-03-20 12:59 UTC by Patrick Ohly
Modified: 2008-01-28 04:56 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
Attachment 103403: Fixes the bug. (1.10 KB, patch), 2008-01-22 06:17 UTC, Chenthill P, status: committed

Description Patrick Ohly 2006-03-20 12:59:57 UTC
I ran evolution-exchange-storage 2.6.0 compiled with garnome 2.14.0
under valgrind. It uses evolution-data-server 1.6.0.

It complained once:
==1330== Invalid read of size 4
==1330==    at 0x4504B3C: open_async (e-cal.c:1850)
==1330==    by 0x552FC74: g_thread_create_proxy (gthread.c:582)
==1330==    by 0x4CF1A12: start_thread (in /lib/tls/libpthread.so.0)
==1330==    by 0x56309D9: clone (in /lib/tls/libc.so.6)
==1330==  Address 0x6471118 is 8 bytes inside a block of size 28 free'd
==1330==    at 0x401C14C: free (vg_replace_malloc.c:235)
==1330==    by 0x5517A1B: g_free (gmem.c:187)
==1330==    by 0x4504AD5: async_signal_idle_cb (e-cal.c:1837)
==1330==    by 0x5513E17: g_idle_dispatch (gmain.c:3796)
==1330==    by 0x5510489: g_main_dispatch (gmain.c:1916)
==1330==    by 0x55117EE: g_main_context_dispatch (gmain.c:2466)
==1330==    by 0x5511D0C: g_main_context_iterate (gmain.c:2547)
==1330==    by 0x55124C7: g_main_loop_run (gmain.c:2751)
==1330==    by 0x4C3B725: bonobo_main (bonobo-main.c:311)
==1330==    by 0x8078709: main (notify-main.c:162)

I haven't stepped through this in a debugger, but I suppose
that if the
  g_idle_add ((GSourceFunc) async_signal_idle_cb, ccad);
leads to an invocation of async_signal_idle_cb() before
open_async() returns, then the valgrind error is correct.
The obvious solution would be to store the result in a local
variable before invoking g_idle_add(), then return the
local variable.

This did not lead to a crash, but very well might under less
fortunate circumstances.
Comment 1 Patrick Ohly 2006-03-21 10:23:14 UTC
Minor update: the binary where this occurred was evolution-alarm-notify.
I had both running under valgrind at the same time and was confusing the
two terminal windows.

The underlying problem is still the same, though.
Comment 2 Kjartan Maraas 2007-01-17 00:32:56 UTC
I've seen this too, but not lately. Can you still reproduce this?
Comment 3 Patrick Ohly 2007-01-20 09:30:01 UTC
> I've seen this too, but not lately. Can you still reproduce this?

Normally I do not run evolution-alarm-notify and don't have the time
to do it now, so I don't know whether I can still reproduce it - sorry!

Comment 4 Kjartan Maraas 2007-10-05 13:01:53 UTC
I still see it with the latest packages from rawhide.
Comment 5 Chenthill P 2008-01-22 06:17:59 UTC
Created attachment 103403
Fixes the bug.

The ccad->result was not required. Since the thread is not joinable, there will be no one to use it.
Comment 6 Srinivasa Ragavan 2008-01-24 03:42:10 UTC
Looks fine chen.
Comment 7 Suman Manjunath 2008-01-28 04:56:44 UTC
Patch committed to SVN trunk as r8431
(http://svn.gnome.org/viewvc/evolution-data-server?view=revision&revision=8431)
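The ordering problem described in the report (the idle callback freeing ccad before open_async() reads ccad->result) and the two remedies discussed (copying the status out first, per the description; dropping the field altogether, per comment 5) can be reproduced without GLib in a small model. The following is an added example written for this page, not code from evolution-data-server: a one-slot stand-in for the idle queue, a simulated g_free() that marks the block instead of releasing it (so a late read can be counted the way valgrind reported it), and a hypothetical AsyncData struct in place of the real ccad. A flag selects whether the callback runs "immediately" (the unlucky scheduling where the main loop wins the race) or only when the loop is drained later (the lucky case in which the report saw no crash).

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for the per-call data the report calls "ccad"
   (constructed for this example, not the e-d-s struct). */
typedef struct {
    int  result;   /* status the worker thread wants to hand back */
    bool freed;    /* instrumentation: set by sim_g_free() instead of a real free */
} AsyncData;

typedef void (*IdleFunc)(AsyncData *);

/* One-slot stand-in for the GLib idle queue. */
static IdleFunc   pending_cb;
static AsyncData *pending_data;
/* When true, the callback runs inside sim_g_idle_add() itself, modelling the
   interleaving in which the main loop dispatches async_signal_idle_cb()
   before the worker thread's open_async() has returned. */
static bool       dispatch_immediately;
/* Number of reads that touched a block the callback had already released. */
static int        uaf_detected;
/* Return value of the most recent scenario's worker function. */
static int        last_ret;

static void sim_g_idle_add(IdleFunc cb, AsyncData *d)
{
    pending_cb = cb;
    pending_data = d;
    if (dispatch_immediately) {
        pending_cb(pending_data);
        pending_cb = NULL;
    }
}

static void sim_run_main_loop(void)
{
    if (pending_cb) {
        pending_cb(pending_data);
        pending_cb = NULL;
    }
}

/* Simulated g_free(): mark the block so a later access can be flagged. */
static void sim_g_free(AsyncData *d) { d->freed = true; }

static int read_result(const AsyncData *d)
{
    if (d->freed) {          /* this is the read valgrind complained about */
        uaf_detected++;
        return -1;
    }
    return d->result;
}

/* Main-loop side: consumes the data and frees it, as async_signal_idle_cb did. */
static void async_signal_idle_cb(AsyncData *d) { sim_g_free(d); }

/* Worker side, buggy shape: ownership of d passes to the idle callback at
   sim_g_idle_add(), yet d->result is read afterwards. */
static int open_async_buggy(AsyncData *d)
{
    d->result = 1;
    sim_g_idle_add(async_signal_idle_cb, d);
    return read_result(d);
}

/* Worker side, fixed shape from the description: copy the status out before
   the handoff. The committed patch instead removed the field, because a
   non-joinable thread's return value has no consumer at all. */
static int open_async_fixed(AsyncData *d)
{
    d->result = 1;
    int result = d->result;
    sim_g_idle_add(async_signal_idle_cb, d);
    return result;
}

/* Run one scenario and return how many use-after-free reads it produced. */
int run_scenario(bool fixed, bool unlucky_schedule)
{
    AsyncData *d = calloc(1, sizeof *d);
    uaf_detected = 0;
    dispatch_immediately = unlucky_schedule;
    last_ret = fixed ? open_async_fixed(d) : open_async_buggy(d);
    sim_run_main_loop();   /* drain the queue if the callback has not run yet */
    free(d);               /* the block is really released only here */
    return uaf_detected;
}

int last_return(void) { return last_ret; }

int main(void)
{
    int uaf;
    uaf = run_scenario(false, false);
    printf("buggy, callback runs late:  uaf=%d ret=%d\n", uaf, last_return());
    uaf = run_scenario(false, true);
    printf("buggy, callback runs first: uaf=%d ret=%d\n", uaf, last_return());
    uaf = run_scenario(true, true);
    printf("fixed, callback runs first: uaf=%d ret=%d\n", uaf, last_return());
    return 0;
}
```

The buggy shape is clean when the callback runs late and dirty only under the other interleaving, which is why a run can be silent for months and then show up once under valgrind; the point for reviewers is that the last access to a block handed to another context must happen before the handoff, or the block must not be needed afterwards.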