Bug 701884 - lots of invalid reads in iconview a11y code
Status: RESOLVED FIXED
Product: gtk+
Classification: Platform
Component: Accessibility
Version: unspecified
Hardware/OS: Other Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assigned To: gtk-bugs
QA Contact: gtk-bugs
Depends on:
Blocks:
 
 
Reported: 2013-06-08 23:26 UTC by Christian Persch
Modified: 2014-03-05 20:31 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
Don't access freed item (1.42 KB, patch), 2014-03-04 14:24 UTC, Marek Kašík, status: committed

Description Christian Persch 2013-06-08 23:26:05 UTC
Was valgrinding evince and happened to see these in the log:

==11960== Invalid read of size 4
==11960==    at 0x477F7A9: gtk_icon_view_accessible_model_row_deleted (gtkiconviewaccessible.c:1128)
==11960==    by 0x51A7E66: g_cclosure_marshal_VOID__BOXED (gmarshal.c:1120)
==11960==    by 0x51A427B: g_closure_invoke (gclosure.c:777)
==11960==    by 0x51BFC6E: signal_emit_unlocked_R (gsignal.c:3652)
==11960==    by 0x51BEFEA: g_signal_emit_valist (gsignal.c:3326)
==11960==    by 0x51BF310: g_signal_emit (gsignal.c:3382)
==11960==    by 0x46BBFC3: gtk_tree_model_row_deleted (gtktreemodel.c:1867)
==11960==    by 0x455E5DD: gtk_list_store_remove (gtkliststore.c:1233)
==11960==    by 0x455ED54: gtk_list_store_clear (gtkliststore.c:1447)
==11960==    by 0x8088A6B: ev_sidebar_thumbnails_clear_model (ev-sidebar-thumbnails.c:948)
==11960==    by 0x8086F00: ev_sidebar_thumbnails_dispose (ev-sidebar-thumbnails.c:231)
==11960==    by 0x51AA8A1: g_object_run_dispose (gobject.c:1067)
==11960==    by 0x470F923: gtk_widget_destroy (gtkwidget.c:4179)
==11960==    by 0x45A17AB: gtk_notebook_forall (gtknotebook.c:4481)
==11960==    by 0x4490F8C: gtk_container_foreach (gtkcontainer.c:2127)
==11960==    by 0x448F553: gtk_container_destroy (gtkcontainer.c:1386)
==11960==    by 0x459BC51: gtk_notebook_destroy (gtknotebook.c:1719)
==11960==    by 0x51A6D31: g_cclosure_marshal_VOID__VOID (gmarshal.c:85)
==11960==    by 0x51A48BB: g_type_class_meta_marshal (gclosure.c:970)
==11960==    by 0x51A427B: g_closure_invoke (gclosure.c:777)
==11960==    by 0x51BFE0E: signal_emit_unlocked_R (gsignal.c:3698)
==11960==    by 0x51BEFEA: g_signal_emit_valist (gsignal.c:3326)
==11960==    by 0x51BF310: g_signal_emit (gsignal.c:3382)
==11960==    by 0x471CE40: gtk_widget_dispose (gtkwidget.c:11132)
==11960==    by 0x51AA8A1: g_object_run_dispose (gobject.c:1067)
==11960==    by 0x470F923: gtk_widget_destroy (gtkwidget.c:4179)
==11960==    by 0x44324F7: gtk_box_forall (gtkbox.c:2100)
==11960==    by 0x4490F8C: gtk_container_foreach (gtkcontainer.c:2127)
==11960==    by 0x448F553: gtk_container_destroy (gtkcontainer.c:1386)
==11960==    by 0x51A6D31: g_cclosure_marshal_VOID__VOID (gmarshal.c:85)
==11960==  Address 0x75cc918 is 16 bytes inside a block of size 32 free'd
==11960==    at 0x40291BE: free (vg_replace_malloc.c:427)
==11960==    by 0x524DEBE: g_free (gmem.c:197)
==11960==    by 0x5265AC2: g_slice_free1 (gslice.c:1124)
==11960==    by 0x4531916: gtk_icon_view_item_free (gtkiconview.c:3287)
==11960==    by 0x45320BC: gtk_icon_view_row_deleted (gtkiconview.c:3513)
==11960==    by 0x51A7E66: g_cclosure_marshal_VOID__BOXED (gmarshal.c:1120)
==11960==    by 0x51A427B: g_closure_invoke (gclosure.c:777)
==11960==    by 0x51BF9FE: signal_emit_unlocked_R (gsignal.c:3582)
==11960==    by 0x51BEFEA: g_signal_emit_valist (gsignal.c:3326)
==11960==    by 0x51BF310: g_signal_emit (gsignal.c:3382)
==11960==    by 0x46BBFC3: gtk_tree_model_row_deleted (gtktreemodel.c:1867)
==11960==    by 0x455E5DD: gtk_list_store_remove (gtkliststore.c:1233)
==11960==    by 0x455ED54: gtk_list_store_clear (gtkliststore.c:1447)
==11960==    by 0x8088A6B: ev_sidebar_thumbnails_clear_model (ev-sidebar-thumbnails.c:948)
==11960==    by 0x8086F00: ev_sidebar_thumbnails_dispose (ev-sidebar-thumbnails.c:231)
==11960==    by 0x51AA8A1: g_object_run_dispose (gobject.c:1067)
==11960==    by 0x470F923: gtk_widget_destroy (gtkwidget.c:4179)
==11960==    by 0x45A17AB: gtk_notebook_forall (gtknotebook.c:4481)
==11960==    by 0x4490F8C: gtk_container_foreach (gtkcontainer.c:2127)
==11960==    by 0x448F553: gtk_container_destroy (gtkcontainer.c:1386)
==11960==    by 0x459BC51: gtk_notebook_destroy (gtknotebook.c:1719)
==11960==    by 0x51A6D31: g_cclosure_marshal_VOID__VOID (gmarshal.c:85)
==11960==    by 0x51A48BB: g_type_class_meta_marshal (gclosure.c:970)
==11960==    by 0x51A427B: g_closure_invoke (gclosure.c:777)
==11960==    by 0x51BFE0E: signal_emit_unlocked_R (gsignal.c:3698)
==11960==    by 0x51BEFEA: g_signal_emit_valist (gsignal.c:3326)
==11960==    by 0x51BF310: g_signal_emit (gsignal.c:3382)
==11960==    by 0x471CE40: gtk_widget_dispose (gtkwidget.c:11132)
==11960==    by 0x51AA8A1: g_object_run_dispose (gobject.c:1067)
==11960==    by 0x470F923: gtk_widget_destroy (gtkwidget.c:4179)

and lots of these:

==11960== Invalid read of size 4
==11960==    at 0x477E9A7: gtk_icon_view_item_accessible_is_showing (gtkiconviewaccessible.c:716)
==11960==    by 0x477EA28: gtk_icon_view_item_accessible_set_visibility (gtkiconviewaccessible.c:731)
==11960==    by 0x477F3FA: gtk_icon_view_accessible_traverse_items (gtkiconviewaccessible.c:998)
==11960==    by 0x477F7EB: gtk_icon_view_accessible_model_row_deleted (gtkiconviewaccessible.c:1138)
==11960==    by 0x51A7E66: g_cclosure_marshal_VOID__BOXED (gmarshal.c:1120)
==11960==    by 0x51A427B: g_closure_invoke (gclosure.c:777)
==11960==    by 0x51BFC6E: signal_emit_unlocked_R (gsignal.c:3652)
==11960==    by 0x51BEFEA: g_signal_emit_valist (gsignal.c:3326)
==11960==    by 0x51BF310: g_signal_emit (gsignal.c:3382)
==11960==    by 0x46BBFC3: gtk_tree_model_row_deleted (gtktreemodel.c:1867)
==11960==    by 0x455E5DD: gtk_list_store_remove (gtkliststore.c:1233)
==11960==    by 0x455ED54: gtk_list_store_clear (gtkliststore.c:1447)
==11960==    by 0x8088A6B: ev_sidebar_thumbnails_clear_model (ev-sidebar-thumbnails.c:948)
==11960==    by 0x8086F00: ev_sidebar_thumbnails_dispose (ev-sidebar-thumbnails.c:231)
==11960==    by 0x51AA8A1: g_object_run_dispose (gobject.c:1067)
==11960==    by 0x470F923: gtk_widget_destroy (gtkwidget.c:4179)
==11960==    by 0x45A17AB: gtk_notebook_forall (gtknotebook.c:4481)
==11960==    by 0x4490F8C: gtk_container_foreach (gtkcontainer.c:2127)
==11960==    by 0x448F553: gtk_container_destroy (gtkcontainer.c:1386)
==11960==    by 0x459BC51: gtk_notebook_destroy (gtknotebook.c:1719)
==11960==    by 0x51A6D31: g_cclosure_marshal_VOID__VOID (gmarshal.c:85)
==11960==    by 0x51A48BB: g_type_class_meta_marshal (gclosure.c:970)
==11960==    by 0x51A427B: g_closure_invoke (gclosure.c:777)
==11960==    by 0x51BFE0E: signal_emit_unlocked_R (gsignal.c:3698)
==11960==    by 0x51BEFEA: g_signal_emit_valist (gsignal.c:3326)
==11960==    by 0x51BF310: g_signal_emit (gsignal.c:3382)
==11960==    by 0x471CE40: gtk_widget_dispose (gtkwidget.c:11132)
==11960==    by 0x51AA8A1: g_object_run_dispose (gobject.c:1067)
==11960==    by 0x470F923: gtk_widget_destroy (gtkwidget.c:4179)
==11960==    by 0x44324F7: gtk_box_forall (gtkbox.c:2100)
==11960==  Address 0x75cc908 is 0 bytes inside a block of size 32 free'd
==11960==    at 0x40291BE: free (vg_replace_malloc.c:427)
==11960==    by 0x524DEBE: g_free (gmem.c:197)
==11960==    by 0x5265AC2: g_slice_free1 (gslice.c:1124)
==11960==    by 0x4531916: gtk_icon_view_item_free (gtkiconview.c:3287)
==11960==    by 0x45320BC: gtk_icon_view_row_deleted (gtkiconview.c:3513)
==11960==    by 0x51A7E66: g_cclosure_marshal_VOID__BOXED (gmarshal.c:1120)
==11960==    by 0x51A427B: g_closure_invoke (gclosure.c:777)
==11960==    by 0x51BF9FE: signal_emit_unlocked_R (gsignal.c:3582)
==11960==    by 0x51BEFEA: g_signal_emit_valist (gsignal.c:3326)
==11960==    by 0x51BF310: g_signal_emit (gsignal.c:3382)
==11960==    by 0x46BBFC3: gtk_tree_model_row_deleted (gtktreemodel.c:1867)
==11960==    by 0x455E5DD: gtk_list_store_remove (gtkliststore.c:1233)
==11960==    by 0x455ED54: gtk_list_store_clear (gtkliststore.c:1447)
==11960==    by 0x8088A6B: ev_sidebar_thumbnails_clear_model (ev-sidebar-thumbnails.c:948)
==11960==    by 0x8086F00: ev_sidebar_thumbnails_dispose (ev-sidebar-thumbnails.c:231)
==11960==    by 0x51AA8A1: g_object_run_dispose (gobject.c:1067)
==11960==    by 0x470F923: gtk_widget_destroy (gtkwidget.c:4179)
==11960==    by 0x45A17AB: gtk_notebook_forall (gtknotebook.c:4481)
==11960==    by 0x4490F8C: gtk_container_foreach (gtkcontainer.c:2127)
==11960==    by 0x448F553: gtk_container_destroy (gtkcontainer.c:1386)
==11960==    by 0x459BC51: gtk_notebook_destroy (gtknotebook.c:1719)
==11960==    by 0x51A6D31: g_cclosure_marshal_VOID__VOID (gmarshal.c:85)
==11960==    by 0x51A48BB: g_type_class_meta_marshal (gclosure.c:970)
==11960==    by 0x51A427B: g_closure_invoke (gclosure.c:777)
==11960==    by 0x51BFE0E: signal_emit_unlocked_R (gsignal.c:3698)
==11960==    by 0x51BEFEA: g_signal_emit_valist (gsignal.c:3326)
==11960==    by 0x51BF310: g_signal_emit (gsignal.c:3382)
==11960==    by 0x471CE40: gtk_widget_dispose (gtkwidget.c:11132)
==11960==    by 0x51AA8A1: g_object_run_dispose (gobject.c:1067)
==11960==    by 0x470F923: gtk_widget_destroy (gtkwidget.c:4179)
Comment 1 Marek Kašík 2014-03-04 14:24:37 UTC
Created attachment 270905
Don't access freed item

Hi,

I've observed this while fixing https://bugzilla.redhat.com/show_bug.cgi?id=1013457. The problem is that gtk_icon_view_row_deleted() frees a GtkIconViewItem right before gtk_icon_view_accessible_model_row_deleted() accesses it when triggered by "row-deleted".

I didn't investigate it comprehensively but the attached patch fixes the problem for me.

Regards

Marek
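As an added example (not GTK code and not the attached patch), the C program below models the handler ordering that the valgrind traces in the description show: two handlers are connected to the same "row-deleted" signal, the view's handler frees its item, and the accessible's handler then reads through a pointer it cached earlier. All names here (View, Accessible, Item, the pool and the dangling_reads counter) are assumptions for the illustration. Items live in a static pool with a live flag instead of being free()d, so the read of a dead item can be counted deterministically instead of relying on valgrind; the fixed handler resolves rows through the owner by index and never touches the freed item.

```c
#include <stdio.h>
#include <string.h>

#define MAX_ITEMS 8

/* Stand-in for GtkIconViewItem (assumed name). Items sit in a static pool
 * rather than being malloc'd so a read of a "freed" item is countable;
 * with real free() it would be undefined behaviour visible only to
 * valgrind or ASan. */
typedef struct {
    int index;  /* row number in the model */
    int live;   /* cleared when the owning view frees the item */
} Item;

static Item pool[MAX_ITEMS];
static int  dangling_reads;  /* reads that hit a dead item during one emission */

/* Owner side, the GtkIconView analogue: ordered list of live items. */
typedef struct { Item *items[MAX_ITEMS]; int n; } View;

/* Consumer side, the GtkIconViewAccessible analogue. The buggy variant keeps
 * borrowed Item pointers; the fixed variant keeps only row indices. */
typedef struct { Item *cached_item[MAX_ITEMS]; int cached_row[MAX_ITEMS]; int n; } Accessible;

typedef void (*RowDeletedHandler)(View *v, Accessible *a, int row);

static int read_index(const Item *it)
{
    if (!it->live)
        dangling_reads++;  /* the "Invalid read" valgrind reports */
    return it->index;
}

static void setup(View *v, Accessible *a, int n)
{
    memset(pool, 0, sizeof pool);
    v->n = a->n = n;
    for (int i = 0; i < n; i++) {
        pool[i].index = i;
        pool[i].live = 1;
        v->items[i] = &pool[i];
        a->cached_item[i] = &pool[i];
        a->cached_row[i] = i;
    }
}

/* Handler 1, the gtk_icon_view_row_deleted analogue: free the item for
 * `row` and renumber the rows after it. */
static void view_row_deleted(View *v, Accessible *a, int row)
{
    (void)a;
    v->items[row]->live = 0;  /* gtk_icon_view_item_free */
    for (int i = row; i + 1 < v->n; i++) {
        v->items[i] = v->items[i + 1];
        v->items[i]->index = i;
    }
    v->n--;
}

/* Handler 2, buggy: runs after handler 1 and walks its own pointer cache,
 * which still holds the item handler 1 just freed. */
static void a11y_row_deleted_buggy(View *v, Accessible *a, int row)
{
    (void)v;
    for (int i = 0; i < a->n; i++)
        (void)read_index(a->cached_item[i]);  /* use-after-free on entry `row` */
    for (int i = row; i + 1 < a->n; i++)
        a->cached_item[i] = a->cached_item[i + 1];
    a->n--;
}

static Item *view_lookup(const View *v, int row)
{
    return (row >= 0 && row < v->n) ? v->items[row] : NULL;
}

/* Handler 2, fixed: forget the deleted row first, then resolve every
 * remaining row through the owner, which only hands back live items. */
static void a11y_row_deleted_fixed(View *v, Accessible *a, int row)
{
    for (int i = row; i + 1 < a->n; i++)
        a->cached_row[i] = a->cached_row[i + 1] - 1;
    a->n--;
    for (int i = 0; i < a->n; i++) {
        Item *it = view_lookup(v, a->cached_row[i]);
        if (it)
            (void)read_index(it);
    }
}

/* Emit "row-deleted" to handlers in connection order, as g_signal_connect
 * handlers run, and report how many reads touched a freed item. */
static int emit_row_deleted(RowDeletedHandler *handlers, int nhandlers,
                            View *v, Accessible *a, int row)
{
    dangling_reads = 0;
    for (int i = 0; i < nhandlers; i++)
        handlers[i](v, a, row);
    return dangling_reads;
}

int dangling_reads_buggy(void)
{
    View v; Accessible a;
    RowDeletedHandler h[] = { view_row_deleted, a11y_row_deleted_buggy };
    setup(&v, &a, 4);
    return emit_row_deleted(h, 2, &v, &a, 1);
}

int dangling_reads_fixed(void)
{
    View v; Accessible a;
    RowDeletedHandler h[] = { view_row_deleted, a11y_row_deleted_fixed };
    setup(&v, &a, 4);
    return emit_row_deleted(h, 2, &v, &a, 1);
}

int main(void)
{
    printf("buggy handler order: %d dangling read(s)\n", dangling_reads_buggy());
    printf("fixed handler:       %d dangling read(s)\n", dangling_reads_fixed());
    return 0;
}
```

Build with `cc -Wall example.c && ./a.out`. The general point the traces make is that a handler on a signal must not cache pointers whose lifetime is owned by another handler on the same signal: with real allocations, the buggy variant is exactly the `Address ... inside a block of size 32 free'd` pattern in the log, and `-fsanitize=address` would abort on it the same way valgrind flagged it.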