Bug 680055 – epiphany segfault after freeing the list twice. Fix setting the list to null after free.

After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.

Bug 680055 - epiphany segfault after freeing the list twice. Fix setting the list to null after free.


Summary:	epiphany segfault after freeing the list twice. Fix setting the list to null ...


Status:	RESOLVED FIXED

Product:	libsoup
Classification:	Core
Component:	Misc
Version:	2.39.x
Hardware:	Other Linux

Importance:	Normal major
Target Milestone:	---
Assigned To:	libsoup-maint@gnome.bugs
QA Contact:	libsoup-maint@gnome.bugs

URL:
Whiteboard:

Duplicates:	680015 (view as bug list)
Depends on:
Blocks:

Reported:	2012-07-16 21:33 UTC by Alban Browaeys
Modified:	2012-07-16 22:10 UTC

See Also:
GNOME target:	---
GNOME version:	---

Attachments
Set the message priv->decoders to NULL after free (1.67 KB, patch) 2012-07-16 21:34 UTC, Alban Browaeys	committed	Details \| Review

Description Alban Browaeys 2012-07-16 21:33:37 UTC

(epiphany:14909): GLib-GObject-CRITICAL **: g_object_unref: assertion `G_IS_OBJECT (object)' failed
 backtrace:

+ Trace 230518

#0 g_logv
at gmessages.c line 758
#1 g_log
at gmessages.c line 792
#2 g_return_if_fail_warning
#3 g_object_unref
at gobject.c line 2915
#4 g_slist_foreach
at gslist.c line 894
#5 g_slist_free_full
at gslist.c line 177
#6 soup_message_cleanup_response
at soup-message.c line 1416
#7 soup_message_send_request
at soup-message-client-io.c line 153
#8 soup_connection_send_request
at soup-connection.c line 994
#9 soup_session_send_queue_item
at soup-session.c line 1076
#10 process_queue_item
at soup-session-async.c line 284
#11 run_queue
at soup-session-async.c line 341
#12 got_connection
at soup-session-async.c line 242
#13 socket_connect_finished
at soup-connection.c line 519
#14 socket_connect_result
at soup-connection.c line 554
#15 async_connected
at soup-socket.c line 728
#16 g_simple_async_result_complete
at gsimpleasyncresult.c line 775
#17 g_socket_client_async_connect_complete
at gsocketclient.c line 1316
#18 g_socket_client_tls_handshake
at gsocketclient.c line 1392
#19 g_socket_client_connected_callback
at gsocketclient.c line 1469
#20 g_simple_async_result_complete
at gsimpleasyncresult.c line 775
#21 g_socket_connection_connect_callback
at gsocketconnection.c line 242
#22 socket_source_dispatch
at gsocket.c line 3166
#23 g_main_dispatch
at gmain.c line 2691
#24 g_main_context_dispatch
at gmain.c line 3195
#25 g_main_context_iterate
at gmain.c line 3266
#26 g_main_context_iteration
at gmain.c line 3327
#27 g_application_run
at gapplication.c line 1607
#28 main
at ephy-main.c line 493




after two of those errors ends up in a segfault.

I fixed it by setting priv->decoders to NULL after freeing this list.


The issue appeared after :
commit b3b7df0c0beea646479be468b888becce5336c87
Author: Dan Winship <danw@gnome.org>
Date:   Mon Jul 2 09:49:48 2012 -0400

    Use g_slist_free_full()


The previous code was doing :
       while (priv->decoders) {
               g_object_unref (priv->decoders->data);
               priv->decoders = g_slist_delete_link (priv->decoders, priv->decoders);
       }
=>  priv->decoders = g_slist_delete_link (priv->decoders, priv->decoders); was setting the list to NULL as the last item was NULL and ended up assigned to priv->decoders.

Comment 1 Alban Browaeys 2012-07-16 21:34:22 UTC

Created attachment 218949 [details] [review]
 Set the message priv->decoders to NULL after free

Comment 2 Dan Winship 2012-07-16 22:02:13 UTC

huh. wonder why it didn't crash in the tests for me? thanks for the patch!

Comment 3 Dan Winship 2012-07-16 22:10:43 UTC

*** Bug 680015 has been marked as a duplicate of this bug. ***