GNOME Bugzilla – Bug 672224
double-free crashes on GValue arrays
Last modified: 2013-02-27 22:30:51 UTC
The fix for bug 672065 uncovered another problem: Sometimes I get a crash _after_ running all tests:

----------------------------------------------------------------------
Ran 393 tests in 3.814s

OK (expected failures=2)
*** glibc detected *** /usr/bin/python: free(): invalid next size (fast): 0x0000000002de7840 ***

With a rather unhelpful stack trace. This crash doesn't happen for me in jhbuild (or less often), and less often with -O0, so I didn't notice it at first. I can only reproduce this when running all tests; running a subset (like the GValue ones) does not reproduce it. The crash never happens if I disable the new test_gvalue_flat_array_in() test case, so it must have something to do with GValue arrays.
The problem is apparently in _pygi_marshal_cleanup_from_py_interface_struct_gvalue():

    if (py_object_type != G_TYPE_VALUE) {
        g_value_unset ((GValue *) data);
        g_slice_free (GValue, data);
    }

which we call from _pygi_marshal_cleanup_from_py_array(). This calls cleanup_func() for each individual array member, and then

    g_array_free (array_, TRUE);

which frees the whole array again. This works with GPtrArrays and GArrays which contain pointers, but it's a double-free for arrays which contain structs like GValues. So in this case we must not do the g_slice_free(), as the array items were not allocated using a gslice.
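A self-contained C model of the ownership mistake described in the comment above, added here as an illustration; it is not code from pygobject or GLib. The Value and Array types, the two cleanup routines and the three sample strings are all constructed for the example. Instead of g_slice it uses a small allocation registry that records each block's pointer and size and reports, rather than performs, a free that matches no live block (the same pointer-plus-size contract g_slice_free1() has), so the naive per-item free followed by the whole-block free can run to completion and be counted instead of crashing. The two layouts stand in for a GPtrArray of separately allocated structs and a GArray holding the structs inline:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Allocation registry standing in for g_slice: every block is recorded with
 * its size, and a free whose pointer or size matches no live block is
 * reported and skipped instead of corrupting the heap. */
#define MAX_LIVE 64
static void  *live_ptr[MAX_LIVE];
static size_t live_size[MAX_LIVE];
static int    live_count = 0;

static void *reg_alloc(size_t n) {
    void *p = calloc(1, n);
    if (p == NULL || live_count == MAX_LIVE) abort();
    live_ptr[live_count] = p;
    live_size[live_count] = n;
    live_count++;
    return p;
}

/* Same argument order as g_slice_free1(size, ptr): 0 on success, -1 if no
 * live block has exactly this pointer and size (an invalid free). */
static int reg_free(size_t n, void *p) {
    for (int i = 0; i < live_count; i++) {
        if (live_ptr[i] == p && live_size[i] == n) {
            live_count--;
            live_ptr[i]  = live_ptr[live_count];
            live_size[i] = live_size[live_count];
            free(p);
            return 0;
        }
    }
    return -1;
}

int live_allocations(void) { return live_count; }

/* Stand-in for GValue: a struct whose *contents* are released by unset(),
 * independent of where the struct itself was allocated. */
typedef struct { char *str; size_t cap; } Value;

static void value_init(Value *v, const char *s) {
    v->cap = strlen(s) + 1;
    v->str = reg_alloc(v->cap);
    memcpy(v->str, s, v->cap);
}
static void value_unset(Value *v) { reg_free(v->cap, v->str); v->str = NULL; }

/* ITEMS_ARE_POINTERS: data holds Value* to separately allocated structs.
 * ITEMS_ARE_INLINE:   data holds the Value structs themselves, back to back. */
typedef enum { ITEMS_ARE_POINTERS, ITEMS_ARE_INLINE } Layout;
typedef struct { Layout layout; size_t len; void *data; size_t data_size; } Array;

static Array *array_new(Layout layout, const char **strs, size_t n) {
    Array *a = reg_alloc(sizeof *a);
    a->layout = layout;
    a->len = n;
    if (layout == ITEMS_ARE_POINTERS) {
        a->data_size = n * sizeof(Value *);
        Value **items = reg_alloc(a->data_size);
        for (size_t i = 0; i < n; i++) {
            items[i] = reg_alloc(sizeof(Value));
            value_init(items[i], strs[i]);
        }
        a->data = items;
    } else {
        a->data_size = n * sizeof(Value);
        Value *items = reg_alloc(a->data_size);
        for (size_t i = 0; i < n; i++) value_init(&items[i], strs[i]);
        a->data = items;
    }
    return a;
}

static Value *array_item(const Array *a, size_t i) {
    if (a->layout == ITEMS_ARE_POINTERS) return ((Value **)a->data)[i];
    return &((Value *)a->data)[i];
}

/* The order from the bug: unset and slice-free every item, then free the
 * whole data block. Returns how many of those frees were invalid. */
int cleanup_naive(Array *a) {
    int bad = 0;
    for (size_t i = 0; i < a->len; i++) {
        Value *v = array_item(a, i);
        value_unset(v);
        if (reg_free(sizeof(Value), v) != 0) bad++; /* inline: v lies inside a->data */
    }
    if (reg_free(a->data_size, a->data) != 0) bad++;
    if (reg_free(sizeof *a, a) != 0) bad++;
    return bad;
}

/* Layout-aware cleanup: an item is freed on its own only when it was
 * allocated on its own; inline items are unset and left to the block free. */
int cleanup_fixed(Array *a) {
    int bad = 0;
    for (size_t i = 0; i < a->len; i++) {
        Value *v = array_item(a, i);
        value_unset(v);
        if (a->layout == ITEMS_ARE_POINTERS && reg_free(sizeof(Value), v) != 0) bad++;
    }
    if (reg_free(a->data_size, a->data) != 0) bad++;
    if (reg_free(sizeof *a, a) != 0) bad++;
    return bad;
}

/* Builds a three-item array from constructed sample strings, runs one of the
 * cleanups on it and returns the number of invalid frees it attempted. */
int run(Layout layout, int (*cleanup)(Array *)) {
    const char *strs[] = { "one", "two", "three" };
    return cleanup(array_new(layout, strs, 3));
}

int main(void) {
    printf("pointer items, naive cleanup: %d invalid frees\n", run(ITEMS_ARE_POINTERS, cleanup_naive));
    printf("inline items,  naive cleanup: %d invalid frees\n", run(ITEMS_ARE_INLINE, cleanup_naive));
    printf("inline items,  fixed cleanup: %d invalid frees\n", run(ITEMS_ARE_INLINE, cleanup_fixed));
    printf("live allocations after all cleanups: %d\n", live_allocations());
    return 0;
}
```

With the pointer layout both cleanups are correct. With the inline layout the naive cleanup attempts one invalid free per item: the first item's address is the data block itself but with the wrong size, and the remaining items are interior pointers that were never allocated separately; under real g_slice that is exactly the heap corruption glibc reported. The fixed cleanup only unsets inline items and frees nothing twice, and the registry ends empty, so the fix introduces no leak either.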
Created attachment 209925 [details] [review] Fix double-freeing GValues in arrays
Review of attachment 209925 [details] [review]: This looks good to me, is valgrind happy about it as well?
Thanks for the review, I pushed this. valgrind shows no significant regression here. It's a bit fuzzy for me as we don't have a valgrind enabled python, and thus I get tons of valgrind errors.
For the record, the original patch was broken and introduced memory leaks. I pushed a fix to http://git.gnome.org/browse/pygobject/commit/?id=4f5e8b755. If you look at it you may vomit now, but at least that hack avoids the memory leaks that the original hack introduced.