Bug 694711 - write-after-free segfault in GailTreeView
Status: RESOLVED FIXED
Product: gtk+
Classification: Platform
Component: Accessibility
Version: 2.24.x
Hardware: Other Linux
Importance: Normal normal
Target Milestone: ---
Assigned To: gtk-bugs
QA Contact: gtk-bugs
Depends on:
Blocks:
Reported: 2013-02-25 23:04 UTC by Rémi Cardona
Modified: 2013-05-09 16:01 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
Remove-dangling-weak-refs-to-TreeModel-object.patch (2.09 KB, patch)
2013-02-25 23:04 UTC, Rémi Cardona
Patch status: accepted-commit_now

Description Rémi Cardona 2013-02-25 23:04:10 UTC
Created attachment 237397: Remove-dangling-weak-refs-to-TreeModel-object.patch

While fixing memory/object leaks in Grisbi, I came across a segfault when freeing a GtkTreeView. After much digging around with gdb and Valgrind, I found the source of the bug to be in GailTreeView (launching Grisbi with NO_GAIL=1 does indeed work around the crash).

The issue is due to the weak refs pointing to the TreeView's model object as they are never properly cleaned up. In my case, the segfault occurs if I free a GtkTreeView before freeing its attached GtkTreeStore.

Looking at gailtreeview.c, I suspect that the bug may be triggered if the model/store is unset.

Right now, I've been able to confirm that this patch fixes the issue with Grisbi. If needed, I'll try to cook up a smaller test case.

Thanks
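The ordering the reporter describes (the view is freed first, then its model; when the model is finalized the weak-notify callback still registered by the view writes into the view's freed memory) reduced to a self-contained toy, as an added example that is not part of the bug report, the attached patch, or GTK+/GLib code. The registry below imitates the shape of g_object_weak_ref()/g_object_weak_unref() and GWeakNotify but is not GLib; `Model`, `View`, `run_scenario` and the quarantine are assumptions of this example. Instead of calling free() outright, freed blocks go into a quarantine so the callback can tell it was handed a dangling pointer, which is the class of access Valgrind and AddressSanitizer flag at runtime.

```c
/* Added example: toy reproduction of a dangling weak ref. Not GLib code. */
#include <stdio.h>
#include <stdlib.h>

#define MAX_WEAK 8
#define MAX_QUARANTINE 16

typedef struct Model Model;
/* Signature mirrors GWeakNotify: (user_data, where_the_object_was). */
typedef void (*WeakNotify)(void *user_data, Model *where_the_object_was);

struct Model {                  /* stands in for a GtkTreeStore */
    int rows;
    WeakNotify notify[MAX_WEAK];
    void *data[MAX_WEAK];
    int n_weak;
};

typedef struct {                /* stands in for a GtkTreeView / GailTreeView */
    Model *model;
} View;

/* Quarantine instead of free(): freed blocks are remembered, never reused,
 * so the weak-notify callback can detect a dangling user_data pointer. */
static void *quarantine[MAX_QUARANTINE];
static int n_quarantine;
static int dangling_writes;

static void quarantine_free(void *p) {
    if (n_quarantine < MAX_QUARANTINE) quarantine[n_quarantine++] = p;
}
static int is_quarantined(const void *p) {
    for (int i = 0; i < n_quarantine; i++) if (quarantine[i] == p) return 1;
    return 0;
}
static void quarantine_reset(void) {
    for (int i = 0; i < n_quarantine; i++) free(quarantine[i]);
    n_quarantine = 0;
    dangling_writes = 0;
}

static void model_weak_ref(Model *m, WeakNotify cb, void *data) {
    if (m->n_weak < MAX_WEAK) {
        m->notify[m->n_weak] = cb;
        m->data[m->n_weak] = data;
        m->n_weak++;
    }
}
/* Returns 1 if a matching (cb, data) pair was found and removed. */
static int model_weak_unref(Model *m, WeakNotify cb, void *data) {
    for (int i = 0; i < m->n_weak; i++) {
        if (m->notify[i] == cb && m->data[i] == data) {
            m->notify[i] = m->notify[m->n_weak - 1];
            m->data[i] = m->data[m->n_weak - 1];
            m->n_weak--;
            return 1;
        }
    }
    return 0;
}
/* Finalizing the model fires every weak-notify callback still registered. */
static void model_free(Model *m) {
    for (int i = 0; i < m->n_weak; i++) m->notify[i](m->data[i], m);
    quarantine_free(m);
}

/* The view's weak-notify handler clears its pointer to the dead model.
 * If the view itself was freed earlier, that store is a write-after-free. */
static void view_model_finalized(void *data, Model *where_the_object_was) {
    View *v = data;
    (void)where_the_object_was;
    if (is_quarantined(v)) { dangling_writes++; return; }
    v->model = NULL;
}

static View *view_new(Model *m) {
    View *v = calloc(1, sizeof *v);
    v->model = m;
    model_weak_ref(m, view_model_finalized, v);
    return v;
}
/* Buggy finalize: the weak ref on the model is left dangling. */
static void view_free_buggy(View *v) { quarantine_free(v); }
/* Fixed finalize: drop the weak ref before the view's memory goes away. */
static void view_free_fixed(View *v) {
    if (v->model) model_weak_unref(v->model, view_model_finalized, v);
    quarantine_free(v);
}

/* Reporter's ordering: free the view, then its model.
 * Returns how many weak-notify writes landed in a freed view. */
int run_scenario(int fixed) {
    quarantine_reset();
    Model *m = calloc(1, sizeof *m);
    View *v = view_new(m);
    if (fixed) view_free_fixed(v); else view_free_buggy(v);
    model_free(m);   /* fires the stale callback in the buggy case */
    return dangling_writes;
}

int main(void) {
    printf("buggy: %d write(s) after free\n", run_scenario(0));
    printf("fixed: %d write(s) after free\n", run_scenario(1));
    return 0;
}
```

The structural lesson is the one the patch title states: whoever registers a weak ref on another object must remove it in its own finalizer, because the weak ref holds a raw pointer that nothing else validates. Build the real code with `-fsanitize=address` or run it under Valgrind to turn the silent store into a reported error.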
Comment 1 Matthias Clasen 2013-04-29 03:08:03 UTC
Review of attachment 237397:

makes sense