Bug 672224 - double-free crashes on GValue arrays
Status: RESOLVED FIXED
Product: pygobject
Classification: Bindings
Component: introspection
Version: Git master
OS: Other Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assigned To: martin.pitt
QA Contact: Python bindings maintainers
Depends on:
Blocks:
Reported: 2012-03-16 11:49 UTC by Martin Pitt
Modified: 2013-02-27 22:30 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
Fix double-freeing GValues in arrays (1.64 KB, patch), 2012-03-16 12:31 UTC, Martin Pitt, status: committed

Description Martin Pitt 2012-03-16 11:49:35 UTC
The fix for bug 672065 uncovered another problem: Sometimes I get a crash _after_ running all tests:

----------------------------------------------------------------------
Ran 393 tests in 3.814s

OK (expected failures=2)
*** glibc detected *** /usr/bin/python: free(): invalid next size (fast): 0x0000000002de7840 ***

With a rather unhelpful stack trace. This crash doesn't happen for me in jhbuild (or less often), and less often with -O0, so I didn't notice it at first.

I can only reproduce this when running all tests; running a subset (like the GValue ones) does not reproduce it.

The crash never happens if I disable the new test_gvalue_flat_array_in() test case, so it must have something to do with GValue arrays.
Comment 1 Martin Pitt 2012-03-16 11:55:25 UTC
The problem is apparently in _pygi_marshal_cleanup_from_py_interface_struct_gvalue():

        if (py_object_type != G_TYPE_VALUE) {
            g_value_unset ((GValue *) data);
            g_slice_free (GValue, data);
        }

which we call from _pygi_marshal_cleanup_from_py_array(). This calls cleanup_func() for each individual array member, and then

  g_array_free (array_, TRUE);

which frees the whole array again.

This works with GPtrArrays and GArrays which contain pointers, but it's a double-free for arrays which contain structs like GValues. So in this case we must not do the g_slice_free(), as the array items were not allocated using a gslice.
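The ownership mistake described in comment 1 (per-element cleanup freeing memory that the array's own buffer owns, followed by the array freeing that buffer again) can be made visible without corrupting a real heap. The following is an added, self-contained C example written for this page; it is not pygobject or GLib code. It uses a small tracking allocator (constructed here) in place of g_slice, a `Value` struct standing in for GValue, and an `Array` of inline `Value` elements standing in for a GArray. Because the tracker does not hand memory back until `tracker_reset()`, an invalid free is counted instead of crashing, so the buggy and corrected cleanup paths can be compared side by side. Note that the tracker cannot distinguish the address of element 0 from the buffer itself, so for a three-element array the buggy path records three bad frees (two interior pointers plus the final buffer free) rather than four.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Tracking allocator (constructed for this example, not GLib's g_slice). Memory is
 * only returned to the system in tracker_reset(), so a wrong free is recorded as a
 * count instead of corrupting the heap the way the real bug did. */
#define MAX_BLOCKS 64
static void *blocks[MAX_BLOCKS];
static int block_live[MAX_BLOCKS];
static int nblocks;
static int bad_frees;   /* frees of a pointer that is not a live block: double free or interior pointer */

static void *track_alloc(size_t n) {
    if (nblocks == MAX_BLOCKS) abort();
    void *p = calloc(1, n);
    blocks[nblocks] = p;
    block_live[nblocks++] = 1;
    return p;
}

static void track_free(void *p) {
    for (int i = 0; i < nblocks; i++)
        if (blocks[i] == p && block_live[i]) { block_live[i] = 0; return; }
    bad_frees++;
}

static int live_count(void) {
    int c = 0;
    for (int i = 0; i < nblocks; i++) c += block_live[i];
    return c;
}

static void tracker_reset(void) {
    for (int i = 0; i < nblocks; i++) free(blocks[i]);
    nblocks = 0;
    bad_frees = 0;
}

/* Stand-in for GValue: a struct that owns heap contents (like a boxed payload). */
typedef struct { char *boxed; } Value;

static void value_init(Value *v, const char *s) {
    v->boxed = track_alloc(strlen(s) + 1);
    strcpy(v->boxed, s);
}
/* Like g_value_unset(): releases what the value holds, not the Value itself. */
static void value_unset(Value *v) { track_free(v->boxed); v->boxed = NULL; }

/* Stand-in for a GArray whose elements are Values stored inline in one buffer. */
typedef struct { Value *data; size_t len; } Array;

static Array *array_new(size_t n) {
    Array *a = track_alloc(sizeof(Array));
    a->data = track_alloc(n * sizeof(Value));
    a->len = n;
    return a;
}
/* Like g_array_free(a, TRUE): frees the element buffer and then the array header. */
static void array_free(Array *a) { track_free(a->data); track_free(a); }

/* The pattern from comment 1: per-element cleanup unsets AND frees each element as
 * if it were a separately allocated slice, then the array buffer is freed again. */
static void cleanup_buggy(Array *a) {
    for (size_t i = 0; i < a->len; i++) {
        value_unset(&a->data[i]);
        track_free(&a->data[i]);   /* wrong: element i lives inside the array's buffer */
    }
    array_free(a);
}

/* Corrected pattern: per-element cleanup only releases contents; the buffer
 * belongs to the array and is freed exactly once by array_free(). */
static void cleanup_fixed(Array *a) {
    for (size_t i = 0; i < a->len; i++) value_unset(&a->data[i]);
    array_free(a);
}

typedef struct { int bad_frees; int leaked; } Report;

static Report run_inline_array(int use_fixed_cleanup) {
    tracker_reset();
    Array *a = array_new(3);
    for (size_t i = 0; i < a->len; i++) value_init(&a->data[i], "payload");
    if (use_fixed_cleanup) cleanup_fixed(a); else cleanup_buggy(a);
    Report r = { bad_frees, live_count() };
    return r;
}

/* For contrast, a pointer array (GPtrArray-like) whose elements really are separate
 * blocks: there freeing each element and then the pointer buffer is correct. */
static Report run_pointer_array(void) {
    tracker_reset();
    Value **ptrs = track_alloc(3 * sizeof(Value *));
    for (int i = 0; i < 3; i++) { ptrs[i] = track_alloc(sizeof(Value)); value_init(ptrs[i], "payload"); }
    for (int i = 0; i < 3; i++) { value_unset(ptrs[i]); track_free(ptrs[i]); }
    track_free(ptrs);
    Report r = { bad_frees, live_count() };
    return r;
}

int main(void) {
    Report b = run_inline_array(0), f = run_inline_array(1), p = run_pointer_array();
    printf("inline array, buggy cleanup:  %d bad frees, %d leaked blocks\n", b.bad_frees, b.leaked);
    printf("inline array, fixed cleanup:  %d bad frees, %d leaked blocks\n", f.bad_frees, f.leaked);
    printf("pointer array, per-elem free: %d bad frees, %d leaked blocks\n", p.bad_frees, p.leaked);
    tracker_reset();
    return 0;
}
```

The distinction the example enforces is the one the comment draws: a cleanup callback applied per element may release what the element holds, but who frees the element's own memory depends on whether the container stores elements inline (GArray of structs) or as pointers to separately allocated blocks (GPtrArray). The same callback cannot be correct for both unless it knows which case it is in.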
Comment 2 Martin Pitt 2012-03-16 12:31:37 UTC
Created attachment 209925
Fix double-freeing GValues in arrays
Comment 3 Johan (not receiving bugmail) Dahlin 2012-03-16 12:45:13 UTC
Review of attachment 209925:

This looks good to me, is valgrind happy about it as well?
Comment 4 Martin Pitt 2012-03-16 12:46:53 UTC
Thanks for the review, I pushed this.

valgrind shows no significant regression here. It's a bit fuzzy for me as we don't have a valgrind enabled python, and thus I get tons of valgrind errors.
Comment 5 Martin Pitt 2013-02-27 22:30:51 UTC
For the record, the original patch was broken and introduced memory leaks.

I pushed a fix to http://git.gnome.org/browse/pygobject/commit/?id=4f5e8b755. If you look at it you may vomit now, but at least that hack avoids the memory leaks that the original hack introduced.