GNOME Bugzilla – Bug 703511
SEGV if use GtkCellRendererCombo with appears-as-list is true
Last modified: 2018-05-02 15:43:10 UTC
Created attachment 248282
Sample code to reproduce problems

I get some errors when I use GtkCellRendererCombo when appears-as-list is true or 1.
On the other hand, I get no errors when appears-as-list is false or 0.

I checked several versions of Gtk+ as follows.
Please refer to the attached sample code.

- 2.28.14 (no SEGV but displays CRITICAL message)
- 3.8.2 (no SEGV but displays CRITICAL message)
- 3.9.6 (SEGV)
- master@96abd26 (SEGV)

How to reproduce.

1. Build sample code

for Gtk2
> $ gcc -g3 `pkg-config --cflags --libs gtk+-2.0` sample3.c -o sample3-gtk2

gtkrc:
> style "appears-as-list"
> {
>   GtkComboBox::appears-as-list = 1
> }
>
> class "GtkComboBox" style "appears-as-list"

for Gtk3
> $ gcc -g3 `pkg-config --cflags --libs gtk+-3.0` sample3.c -o sample3-gtk3

gtk.css:
> * {
>   -GtkComboBox-appears-as-list: true;
> }

2. Run sample and change combobox value.

3-1. Displays CRITICAL message as follows on 2.28.14 and 3.8.2.
> (sample3-gtk2:32223): GLib-GObject-CRITICAL **: g_object_notify: assertion `G_IS_OBJECT (object)' failed

3-2. SEGV and get backtrace as follows on 3.9.2 and master@96abd26.
> Program received signal SIGSEGV, Segmentation fault.
> g_type_check_instance_cast (type_instance=type_instance@entry=0x7a64b0, iface_type=iface_type@entry=80) at gtype.c:4008
> 4008 node = lookup_type_node_I (type_instance->g_class->g_type);
> (gdb) bt
> #0 g_type_check_instance_cast (type_instance=type_instance@entry=0x7a64b0, iface_type=iface_type@entry=80) at gtype.c:4008
> #1 0x00007ffff7797889 in gtk_combo_box_set_active_internal (combo_box=combo_box@entry=0x7a64b0, path=path@entry=0x7bb540)
>     at gtkcombobox.c:4383
> #2 0x00007ffff779c5be in gtk_combo_box_set_active_iter (combo_box=0x7a64b0, iter=<optimized out>) at gtkcombobox.c:4440
> #3 0x00007ffff779c9c1 in gtk_combo_box_list_button_released (widget=<optimized out>, event=<optimized out>, data=<optimized out>)
>     at gtkcombobox.c:3753
> #4 0x00007ffff78454ae in _gtk_marshal_BOOLEAN__BOXEDv (closure=0x7afa10, return_value=0x7fffffffd490, instance=<optimized out>,
>     args=<optimized out>, marshal_data=<optimized out>, n_params=<optimized out>, param_types=0x6562a0) at gtkmarshalers.c:130
> #5 0x00007ffff6096e37 in _g_closure_invoke_va (closure=0x7afa10, return_value=0x7fffffffd490, instance=0x6848f0, args=0x7fffffffd588,
>     n_params=1, param_types=0x6562a0) at gclosure.c:840
> #6 0x00007ffff60b0a99 in g_signal_emit_valist (instance=0x6848f0, signal_id=<optimized out>, detail=<optimized out>,
>     var_args=var_args@entry=0x7fffffffd588) at gsignal.c:3234
> #7 0x00007ffff60b1362 in g_signal_emit (instance=instance@entry=0x6848f0, signal_id=<optimized out>, detail=detail@entry=0)
>     at gsignal.c:3382
> #8 0x00007ffff798a224 in gtk_widget_event_internal (widget=widget@entry=0x6848f0, event=event@entry=0x7d10d0) at gtkwidget.c:7110
> #9 0x00007ffff798a4f9 in gtk_widget_event (widget=widget@entry=0x6848f0, event=event@entry=0x7d10d0) at gtkwidget.c:6772
> #10 0x00007ffff784379c in propagate_event_up (topmost=<optimized out>, event=<optimized out>, widget=0x6848f0) at gtkmain.c:2394
> #11 propagate_event (widget=<optimized out>, event=0x7d10d0, captured=<optimized out>, topmost=0x0) at gtkmain.c:2502
> #12 0x00007ffff784506a in gtk_main_do_event (event=0x7d10d0) at gtkmain.c:1717
> #13 0x00007ffff744a342 in gdk_event_source_dispatch (source=source@entry=0x6137a0, callback=<optimized out>, user_data=<optimized out>)
>     at gdkeventsource.c:364
> #14 0x00007ffff5da6a06 in g_main_dispatch (context=0x613890) at gmain.c:3058
> #15 g_main_context_dispatch (context=context@entry=0x613890) at gmain.c:3634
> #16 0x00007ffff5da6d58 in g_main_context_iterate (context=0x613890, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>)
>     at gmain.c:3705
> #17 0x00007ffff5da715a in g_main_loop_run (loop=0x789470) at gmain.c:3899
> #18 0x00007ffff784458d in gtk_main () at gtkmain.c:1157
> #19 0x0000000000402607 in main (argc=1, argv=0x7fffffffd988) at sample3.c:363

Thanks.
Has this issue been solved meanwhile? I consider it very problematic that this very detailed bug report stays uncommented and unhandled for such a long time! Note that KDE's `oxygen' theme (at least as used on openSuSE 12.3) uses GtkComboBox::appears-as-list = 1 as default. As a result, a lot of applications crash, so this is a rather severe problem IMHO.
The fact that you were calling gtk_init() AFTER calling a bunch of GTK+ functions in load_css() wouldn't exactly help...

That said, I still seem to get this after fixing those by using far simpler inline css with gtk_css_provider_load_from_data()

valgrind is not happy... I don't know why this depends on :appears-as-list == 1 or whether it is just revealing that you're doing something wrong.

$ LD_LIBRARY_PATH=/opt/jhbuilt/gnome/lib valgrind ./a.out
==32100== Memcheck, a memory error detector
==32100== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==32100== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==32100== Command: ./a.out
==32100==
Gtk-Message: Failed to load module "canberra-gtk-module"
Gtk-Message: Failed to load module "canberra-gtk-module"
cb_combo_cell_fade_changed fade_edited <cross-fade> tree_view == 0x102692a0 Exiting
==32100== Invalid read of size 8
==32100==    at 0x6D85071: g_type_check_instance_is_fundamentally_a (gtype.c:4023)
==32100==    by 0x6D663E4: g_object_notify (gobject.c:1184)
==32100==    by 0x4FE7DB2: gtk_combo_box_set_active_internal (gtkcombobox.c:3882)
==32100==    by 0x4FE7FA8: gtk_combo_box_set_active_iter (gtkcombobox.c:3942)
==32100==    by 0x4FE6988: gtk_combo_box_list_button_released (gtkcombobox.c:3243)
==32100==    by 0x5106F82: _gtk_marshal_BOOLEAN__BOXED (gtkmarshalers.c:82)
==32100==    by 0x6D5EA57: g_closure_invoke (gclosure.c:804)
==32100==    by 0x6D7C468: signal_emit_unlocked_R (gsignal.c:3635)
==32100==    by 0x6D7B84C: g_signal_emit_valist (gsignal.c:3401)
==32100==    by 0x6D7BCF8: g_signal_emit (gsignal.c:3447)
==32100==    by 0x52D1077: gtk_widget_event_internal (gtkwidget.c:7723)
==32100==    by 0x52D048E: gtk_widget_event (gtkwidget.c:7293)
==32100==  Address 0x10606260 is 544 bytes inside a block of size 608 free'd
==32100==    at 0x4C2CE1B: free (vg_replace_malloc.c:530)
==32100==    by 0x7001EE5: g_free (gmem.c:189)
==32100==    by 0x701C094: g_slice_free1 (gslice.c:1136)
==32100==    by 0x6D814D1: g_type_free_instance (gtype.c:1937)
==32100==    by 0x6D6B13B: g_object_unref (gobject.c:3325)
==32100==    by 0x6D6B8C6: g_value_object_free_value (gobject.c:3754)
==32100==    by 0x6D883DF: g_value_unset (gvalue.c:275)
==32100==    by 0x6D7BC4D: g_signal_emit_valist (gsignal.c:3421)
==32100==    by 0x6D7BCF8: g_signal_emit (gsignal.c:3447)
==32100==    by 0x4FE7D9F: gtk_combo_box_set_active_internal (gtkcombobox.c:3881)
==32100==    by 0x4FE7FA8: gtk_combo_box_set_active_iter (gtkcombobox.c:3942)
==32100==    by 0x4FE6988: gtk_combo_box_list_button_released (gtkcombobox.c:3243)
==32100==  Block was alloc'd at
==32100==    at 0x4C2BBEF: malloc (vg_replace_malloc.c:299)
==32100==    by 0x7001D96: g_malloc (gmem.c:94)
==32100==    by 0x701BE59: g_slice_alloc (gslice.c:1025)
==32100==    by 0x701BE98: g_slice_alloc0 (gslice.c:1051)
==32100==    by 0x6D8107C: g_type_create_instance (gtype.c:1839)
==32100==    by 0x6D675C7: g_object_new_internal (gobject.c:1781)
==32100==    by 0x6D67BDE: g_object_new_with_properties (gobject.c:1949)
==32100==    by 0x6D67178: g_object_new (gobject.c:1621)
==32100==    by 0x4FE70D6: gtk_combo_box_new (gtkcombobox.c:3476)
==32100==    by 0x4FC5D77: gtk_cell_renderer_combo_start_editing (gtkcellrenderercombo.c:491)
==32100==    by 0x4FC1B6A: gtk_cell_renderer_start_editing (gtkcellrenderer.c:921)
==32100==    by 0x4FB620E: gtk_cell_area_activate_cell (gtkcellarea.c:3432)
==32100==
==32100== Invalid read of size 8
==32100==    at 0x6D85084: g_type_check_instance_is_fundamentally_a (gtype.c:4025)
==32100==    by 0x6D663E4: g_object_notify (gobject.c:1184)
==32100==    by 0x4FE7DB2: gtk_combo_box_set_active_internal (gtkcombobox.c:3882)
==32100==    by 0x4FE7FA8: gtk_combo_box_set_active_iter (gtkcombobox.c:3942)
==32100==    by 0x4FE6988: gtk_combo_box_list_button_released (gtkcombobox.c:3243)
==32100==    by 0x5106F82: _gtk_marshal_BOOLEAN__BOXED (gtkmarshalers.c:82)
==32100==    by 0x6D5EA57: g_closure_invoke (gclosure.c:804)
==32100==    by 0x6D7C468: signal_emit_unlocked_R (gsignal.c:3635)
==32100==    by 0x6D7B84C: g_signal_emit_valist (gsignal.c:3401)
==32100==    by 0x6D7BCF8: g_signal_emit (gsignal.c:3447)
==32100==    by 0x52D1077: gtk_widget_event_internal (gtkwidget.c:7723)
==32100==    by 0x52D048E: gtk_widget_event (gtkwidget.c:7293)
==32100==  Address 0x10606260 is 544 bytes inside a block of size 608 free'd
==32100==    at 0x4C2CE1B: free (vg_replace_malloc.c:530)
==32100==    by 0x7001EE5: g_free (gmem.c:189)
==32100==    by 0x701C094: g_slice_free1 (gslice.c:1136)
==32100==    by 0x6D814D1: g_type_free_instance (gtype.c:1937)
==32100==    by 0x6D6B13B: g_object_unref (gobject.c:3325)
==32100==    by 0x6D6B8C6: g_value_object_free_value (gobject.c:3754)
==32100==    by 0x6D883DF: g_value_unset (gvalue.c:275)
==32100==    by 0x6D7BC4D: g_signal_emit_valist (gsignal.c:3421)
==32100==    by 0x6D7BCF8: g_signal_emit (gsignal.c:3447)
==32100==    by 0x4FE7D9F: gtk_combo_box_set_active_internal (gtkcombobox.c:3881)
==32100==    by 0x4FE7FA8: gtk_combo_box_set_active_iter (gtkcombobox.c:3942)
==32100==    by 0x4FE6988: gtk_combo_box_list_button_released (gtkcombobox.c:3243)
==32100==  Block was alloc'd at
==32100==    at 0x4C2BBEF: malloc (vg_replace_malloc.c:299)
==32100==    by 0x7001D96: g_malloc (gmem.c:94)
==32100==    by 0x701BE59: g_slice_alloc (gslice.c:1025)
==32100==    by 0x701BE98: g_slice_alloc0 (gslice.c:1051)
==32100==    by 0x6D8107C: g_type_create_instance (gtype.c:1839)
==32100==    by 0x6D675C7: g_object_new_internal (gobject.c:1781)
==32100==    by 0x6D67BDE: g_object_new_with_properties (gobject.c:1949)
==32100==    by 0x6D67178: g_object_new (gobject.c:1621)
==32100==    by 0x4FE70D6: gtk_combo_box_new (gtkcombobox.c:3476)
==32100==    by 0x4FC5D77: gtk_cell_renderer_combo_start_editing (gtkcellrenderercombo.c:491)
==32100==    by 0x4FC1B6A: gtk_cell_renderer_start_editing (gtkcellrenderer.c:921)
==32100==    by 0x4FB620E: gtk_cell_area_activate_cell (gtkcellarea.c:3432)
==32100==
==32100== Invalid read of size 8
==32100==    at 0x6D85087: g_type_check_instance_is_fundamentally_a (gtype.c:4025)
==32100==    by 0x6D663E4: g_object_notify (gobject.c:1184)
==32100==    by 0x4FE7DB2: gtk_combo_box_set_active_internal (gtkcombobox.c:3882)
==32100==    by 0x4FE7FA8: gtk_combo_box_set_active_iter (gtkcombobox.c:3942)
==32100==    by 0x4FE6988: gtk_combo_box_list_button_released (gtkcombobox.c:3243)
==32100==    by 0x5106F82: _gtk_marshal_BOOLEAN__BOXED (gtkmarshalers.c:82)
==32100==    by 0x6D5EA57: g_closure_invoke (gclosure.c:804)
==32100==    by 0x6D7C468: signal_emit_unlocked_R (gsignal.c:3635)
==32100==    by 0x6D7B84C: g_signal_emit_valist (gsignal.c:3401)
==32100==    by 0x6D7BCF8: g_signal_emit (gsignal.c:3447)
==32100==    by 0x52D1077: gtk_widget_event_internal (gtkwidget.c:7723)
==32100==    by 0x52D048E: gtk_widget_event (gtkwidget.c:7293)
==32100==  Address 0xaaaaaaaaaaaaaaaa is not stack'd, malloc'd or (recently) free'd
==32100==
==32100==
==32100== Process terminating with default action of signal 11 (SIGSEGV)
==32100==  General Protection Fault
==32100==    at 0x6D85087: g_type_check_instance_is_fundamentally_a (gtype.c:4025)
==32100==    by 0x6D663E4: g_object_notify (gobject.c:1184)
==32100==    by 0x4FE7DB2: gtk_combo_box_set_active_internal (gtkcombobox.c:3882)
==32100==    by 0x4FE7FA8: gtk_combo_box_set_active_iter (gtkcombobox.c:3942)
==32100==    by 0x4FE6988: gtk_combo_box_list_button_released (gtkcombobox.c:3243)
==32100==    by 0x5106F82: _gtk_marshal_BOOLEAN__BOXED (gtkmarshalers.c:82)
==32100==    by 0x6D5EA57: g_closure_invoke (gclosure.c:804)
==32100==    by 0x6D7C468: signal_emit_unlocked_R (gsignal.c:3635)
==32100==    by 0x6D7B84C: g_signal_emit_valist (gsignal.c:3401)
==32100==    by 0x6D7BCF8: g_signal_emit (gsignal.c:3447)
==32100==    by 0x52D1077: gtk_widget_event_internal (gtkwidget.c:7723)
==32100==    by 0x52D048E: gtk_widget_event (gtkwidget.c:7293)
==32100==
==32100== HEAP SUMMARY:
==32100==     in use at exit: 2,307,415 bytes in 26,007 blocks
==32100==   total heap usage: 238,745 allocs, 212,738 frees, 15,661,257 bytes allocated
==32100==
==32100== LEAK SUMMARY:
==32100==    definitely lost: 9,216 bytes in 30 blocks
==32100==    indirectly lost: 15,300 bytes in 657 blocks
==32100==      possibly lost: 4,500 bytes in 66 blocks
==32100==    still reachable: 2,131,967 bytes in 24,122 blocks
==32100==                       of which reachable via heuristic:
==32100==                         length64 : 6,496 bytes in 103 blocks
==32100==                         newarray : 2,144 bytes in 54 blocks
==32100==         suppressed: 0 bytes in 0 blocks
==32100== Rerun with --leak-check=full to see details of leaked memory
==32100==
==32100== For counts of detected and suppressed errors, rerun with: -v
==32100== ERROR SUMMARY: 3 errors from 3 contexts (suppressed: 0 from 0)
Segmentation fault
so it looks like gtk_combo_box_list_button_released() gets called twice, and
* the first one leads to the CellRendererCombo's transient ComboBox being freed
* the second one then tries to do stuff with the ComboBox as if it still exists

the free is at 3881:
g_signal_emit (combo_box, combo_box_signals[CHANGED], 0);

and the faulting notify is at 3882:
g_object_notify (G_OBJECT (combo_box), "active");

I don't currently understand what's going on here with all the different classes that are involved - chiefly, WHY the transient ComboBox is ever freed - so I don't have an explanation yet.

anyway: valgrind output with more callers:

==2018== Invalid read of size 8
==2018==    at 0x6D85071: g_type_check_instance_is_fundamentally_a (gtype.c:4023)
==2018==    by 0x6D663E4: g_object_notify (gobject.c:1184)
==2018==    by 0x4FE7DB2: gtk_combo_box_set_active_internal (gtkcombobox.c:3882)
==2018==    by 0x4FE7FA8: gtk_combo_box_set_active_iter (gtkcombobox.c:3942)
==2018==    by 0x4FE6988: gtk_combo_box_list_button_released (gtkcombobox.c:3243)
==2018==    by 0x5106F82: _gtk_marshal_BOOLEAN__BOXED (gtkmarshalers.c:82)
==2018==    by 0x6D5EA57: g_closure_invoke (gclosure.c:804)
==2018==    by 0x6D7C468: signal_emit_unlocked_R (gsignal.c:3635)
==2018==    by 0x6D7B84C: g_signal_emit_valist (gsignal.c:3401)
==2018==    by 0x6D7BCF8: g_signal_emit (gsignal.c:3447)
==2018==    by 0x52D1077: gtk_widget_event_internal (gtkwidget.c:7723)
==2018==    by 0x52D048E: gtk_widget_event (gtkwidget.c:7293)
==2018==    by 0x51056E9: propagate_event_up (gtkmain.c:2578)
==2018==    by 0x51059CF: propagate_event (gtkmain.c:2680)
==2018==    by 0x5105A9D: gtk_propagate_event (gtkmain.c:2715)
==2018==    by 0x5104708: gtk_main_do_event (gtkmain.c:1911)
==2018==    by 0x589F881: _gdk_event_emit (gdkevents.c:73)
==2018==    by 0x58E3E10: gdk_event_source_dispatch (gdkeventsource.c:367)
==2018==    by 0x6FF979F: g_main_dispatch (gmain.c:3148)
==2018==    by 0x6FFA63D: g_main_context_dispatch (gmain.c:3813)
==2018==    by 0x6FFA821: g_main_context_iterate (gmain.c:3886)
==2018==    by 0x6FFAC47: g_main_loop_run (gmain.c:4082)
==2018==    by 0x5103A7A: gtk_main (gtkmain.c:1322)
==2018==    by 0x10A700: main (sample3.c:345)
==2018==  Address 0x106017d0 is 544 bytes inside a block of size 608 free'd
==2018==    at 0x4C2CE1B: free (vg_replace_malloc.c:530)
==2018==    by 0x7001EE5: g_free (gmem.c:189)
==2018==    by 0x701C094: g_slice_free1 (gslice.c:1136)
==2018==    by 0x6D814D1: g_type_free_instance (gtype.c:1937)
==2018==    by 0x6D6B13B: g_object_unref (gobject.c:3325)
==2018==    by 0x6D6B8C6: g_value_object_free_value (gobject.c:3754)
==2018==    by 0x6D883DF: g_value_unset (gvalue.c:275)
==2018==    by 0x6D7BC4D: g_signal_emit_valist (gsignal.c:3421)
==2018==    by 0x6D7BCF8: g_signal_emit (gsignal.c:3447)
==2018==    by 0x4FE7D9F: gtk_combo_box_set_active_internal (gtkcombobox.c:3881)
==2018==    by 0x4FE7FA8: gtk_combo_box_set_active_iter (gtkcombobox.c:3942)
==2018==    by 0x4FE6988: gtk_combo_box_list_button_released (gtkcombobox.c:3243)
==2018==    by 0x5106F82: _gtk_marshal_BOOLEAN__BOXED (gtkmarshalers.c:82)
==2018==    by 0x6D5EA57: g_closure_invoke (gclosure.c:804)
==2018==    by 0x6D7C468: signal_emit_unlocked_R (gsignal.c:3635)
==2018==    by 0x6D7B84C: g_signal_emit_valist (gsignal.c:3401)
==2018==    by 0x6D7BCF8: g_signal_emit (gsignal.c:3447)
==2018==    by 0x52D1077: gtk_widget_event_internal (gtkwidget.c:7723)
==2018==    by 0x52D048E: gtk_widget_event (gtkwidget.c:7293)
==2018==    by 0x51056E9: propagate_event_up (gtkmain.c:2578)
==2018==    by 0x51059CF: propagate_event (gtkmain.c:2680)
==2018==    by 0x5105A9D: gtk_propagate_event (gtkmain.c:2715)
==2018==    by 0x5104708: gtk_main_do_event (gtkmain.c:1911)
==2018==    by 0x589F881: _gdk_event_emit (gdkevents.c:73)
==2018==    by 0x58E3E10: gdk_event_source_dispatch (gdkeventsource.c:367)
==2018==    by 0x6FF979F: g_main_dispatch (gmain.c:3148)
==2018==    by 0x6FFA63D: g_main_context_dispatch (gmain.c:3813)
==2018==    by 0x6FFA821: g_main_context_iterate (gmain.c:3886)
==2018==    by 0x6FFAC47: g_main_loop_run (gmain.c:4082)
==2018==    by 0x5103A7A: gtk_main (gtkmain.c:1322)
==2018==  Block was alloc'd at
==2018==    at 0x4C2BBEF: malloc (vg_replace_malloc.c:299)
==2018==    by 0x7001D96: g_malloc (gmem.c:94)
==2018==    by 0x701BE59: g_slice_alloc (gslice.c:1025)
==2018==    by 0x701BE98: g_slice_alloc0 (gslice.c:1051)
==2018==    by 0x6D8107C: g_type_create_instance (gtype.c:1839)
==2018==    by 0x6D675C7: g_object_new_internal (gobject.c:1781)
==2018==    by 0x6D67BDE: g_object_new_with_properties (gobject.c:1949)
==2018==    by 0x6D67178: g_object_new (gobject.c:1621)
==2018==    by 0x4FE70D6: gtk_combo_box_new (gtkcombobox.c:3476)
==2018==    by 0x4FC5D77: gtk_cell_renderer_combo_start_editing (gtkcellrenderercombo.c:491)
==2018==    by 0x4FC1B6A: gtk_cell_renderer_start_editing (gtkcellrenderer.c:921)
==2018==    by 0x4FB620E: gtk_cell_area_activate_cell (gtkcellarea.c:3432)
==2018==    by 0x4FAF5B3: gtk_cell_area_real_event (gtkcellarea.c:1101)
==2018==    by 0x4FB0E0D: gtk_cell_area_event (gtkcellarea.c:1799)
==2018==    by 0x52BF407: _gtk_tree_view_column_cell_event (gtktreeviewcolumn.c:2929)
==2018==    by 0x529BD06: gtk_tree_view_multipress_gesture_pressed (gtktreeview.c:3310)
==2018==    by 0xBB71037: ffi_call_unix64 (in /usr/lib/x86_64-linux-gnu/libffi.so.6.0.4)
==2018==    by 0xBB70A99: ffi_call (in /usr/lib/x86_64-linux-gnu/libffi.so.6.0.4)
==2018==    by 0x6D60800: g_cclosure_marshal_generic_va (gclosure.c:1604)
==2018==    by 0x6D5ECEF: _g_closure_invoke_va (gclosure.c:867)
==2018==    by 0x6D7AB75: g_signal_emit_valist (gsignal.c:3300)
==2018==    by 0x6D7BCF8: g_signal_emit (gsignal.c:3447)
==2018==    by 0x50A1A20: gtk_gesture_multi_press_begin (gtkgesturemultipress.c:241)
==2018==    by 0x6D636D5: g_cclosure_marshal_VOID__BOXEDv (gmarshal.c:1950)
==2018==    by 0x6D5F12D: g_type_class_meta_marshalv (gclosure.c:1024)
==2018==    by 0x6D5ECEF: _g_closure_invoke_va (gclosure.c:867)
==2018==    by 0x6D7AB75: g_signal_emit_valist (gsignal.c:3300)
==2018==    by 0x6D7BCF8: g_signal_emit (gsignal.c:3447)
==2018==    by 0x509D2C9: _gtk_gesture_set_recognized (gtkgesture.c:343)
==2018==    by 0x509D441: _gtk_gesture_check_recognized (gtkgesture.c:389)
==2018==
==2018== Invalid read of size 8
==2018==    at 0x6D85084: g_type_check_instance_is_fundamentally_a (gtype.c:4025)
==2018==    by 0x6D663E4: g_object_notify (gobject.c:1184)
==2018==    by 0x4FE7DB2: gtk_combo_box_set_active_internal (gtkcombobox.c:3882)
==2018==    by 0x4FE7FA8: gtk_combo_box_set_active_iter (gtkcombobox.c:3942)
==2018==    by 0x4FE6988: gtk_combo_box_list_button_released (gtkcombobox.c:3243)
==2018==    by 0x5106F82: _gtk_marshal_BOOLEAN__BOXED (gtkmarshalers.c:82)
==2018==    by 0x6D5EA57: g_closure_invoke (gclosure.c:804)
==2018==    by 0x6D7C468: signal_emit_unlocked_R (gsignal.c:3635)
==2018==    by 0x6D7B84C: g_signal_emit_valist (gsignal.c:3401)
==2018==    by 0x6D7BCF8: g_signal_emit (gsignal.c:3447)
==2018==    by 0x52D1077: gtk_widget_event_internal (gtkwidget.c:7723)
==2018==    by 0x52D048E: gtk_widget_event (gtkwidget.c:7293)
==2018==    by 0x51056E9: propagate_event_up (gtkmain.c:2578)
==2018==    by 0x51059CF: propagate_event (gtkmain.c:2680)
==2018==    by 0x5105A9D: gtk_propagate_event (gtkmain.c:2715)
==2018==    by 0x5104708: gtk_main_do_event (gtkmain.c:1911)
==2018==    by 0x589F881: _gdk_event_emit (gdkevents.c:73)
==2018==    by 0x58E3E10: gdk_event_source_dispatch (gdkeventsource.c:367)
==2018==    by 0x6FF979F: g_main_dispatch (gmain.c:3148)
==2018==    by 0x6FFA63D: g_main_context_dispatch (gmain.c:3813)
==2018==    by 0x6FFA821: g_main_context_iterate (gmain.c:3886)
==2018==    by 0x6FFAC47: g_main_loop_run (gmain.c:4082)
==2018==    by 0x5103A7A: gtk_main (gtkmain.c:1322)
==2018==    by 0x10A700: main (sample3.c:345)
==2018==  Address 0x106017d0 is 544 bytes inside a block of size 608 free'd
==2018==    at 0x4C2CE1B: free (vg_replace_malloc.c:530)
==2018==    by 0x7001EE5: g_free (gmem.c:189)
==2018==    by 0x701C094: g_slice_free1 (gslice.c:1136)
==2018==    by 0x6D814D1: g_type_free_instance (gtype.c:1937)
==2018==    by 0x6D6B13B: g_object_unref (gobject.c:3325)
==2018==    by 0x6D6B8C6: g_value_object_free_value (gobject.c:3754)
==2018==    by 0x6D883DF: g_value_unset (gvalue.c:275)
==2018==    by 0x6D7BC4D: g_signal_emit_valist (gsignal.c:3421)
==2018==    by 0x6D7BCF8: g_signal_emit (gsignal.c:3447)
==2018==    by 0x4FE7D9F: gtk_combo_box_set_active_internal (gtkcombobox.c:3881)
==2018==    by 0x4FE7FA8: gtk_combo_box_set_active_iter (gtkcombobox.c:3942)
==2018==    by 0x4FE6988: gtk_combo_box_list_button_released (gtkcombobox.c:3243)
==2018==    by 0x5106F82: _gtk_marshal_BOOLEAN__BOXED (gtkmarshalers.c:82)
==2018==    by 0x6D5EA57: g_closure_invoke (gclosure.c:804)
==2018==    by 0x6D7C468: signal_emit_unlocked_R (gsignal.c:3635)
==2018==    by 0x6D7B84C: g_signal_emit_valist (gsignal.c:3401)
==2018==    by 0x6D7BCF8: g_signal_emit (gsignal.c:3447)
==2018==    by 0x52D1077: gtk_widget_event_internal (gtkwidget.c:7723)
==2018==    by 0x52D048E: gtk_widget_event (gtkwidget.c:7293)
==2018==    by 0x51056E9: propagate_event_up (gtkmain.c:2578)
==2018==    by 0x51059CF: propagate_event (gtkmain.c:2680)
==2018==    by 0x5105A9D: gtk_propagate_event (gtkmain.c:2715)
==2018==    by 0x5104708: gtk_main_do_event (gtkmain.c:1911)
==2018==    by 0x589F881: _gdk_event_emit (gdkevents.c:73)
==2018==    by 0x58E3E10: gdk_event_source_dispatch (gdkeventsource.c:367)
==2018==    by 0x6FF979F: g_main_dispatch (gmain.c:3148)
==2018==    by 0x6FFA63D: g_main_context_dispatch (gmain.c:3813)
==2018==    by 0x6FFA821: g_main_context_iterate (gmain.c:3886)
==2018==    by 0x6FFAC47: g_main_loop_run (gmain.c:4082)
==2018==    by 0x5103A7A: gtk_main (gtkmain.c:1322)
==2018==  Block was alloc'd at
==2018==    at 0x4C2BBEF: malloc (vg_replace_malloc.c:299)
==2018==    by 0x7001D96: g_malloc (gmem.c:94)
==2018==    by 0x701BE59: g_slice_alloc (gslice.c:1025)
==2018==    by 0x701BE98: g_slice_alloc0 (gslice.c:1051)
==2018==    by 0x6D8107C: g_type_create_instance (gtype.c:1839)
==2018==    by 0x6D675C7: g_object_new_internal (gobject.c:1781)
==2018==    by 0x6D67BDE: g_object_new_with_properties (gobject.c:1949)
==2018==    by 0x6D67178: g_object_new (gobject.c:1621)
==2018==    by 0x4FE70D6: gtk_combo_box_new (gtkcombobox.c:3476)
==2018==    by 0x4FC5D77: gtk_cell_renderer_combo_start_editing (gtkcellrenderercombo.c:491)
==2018==    by 0x4FC1B6A: gtk_cell_renderer_start_editing (gtkcellrenderer.c:921)
==2018==    by 0x4FB620E: gtk_cell_area_activate_cell (gtkcellarea.c:3432)
==2018==    by 0x4FAF5B3: gtk_cell_area_real_event (gtkcellarea.c:1101)
==2018==    by 0x4FB0E0D: gtk_cell_area_event (gtkcellarea.c:1799)
==2018==    by 0x52BF407: _gtk_tree_view_column_cell_event (gtktreeviewcolumn.c:2929)
==2018==    by 0x529BD06: gtk_tree_view_multipress_gesture_pressed (gtktreeview.c:3310)
==2018==    by 0xBB71037: ffi_call_unix64 (in /usr/lib/x86_64-linux-gnu/libffi.so.6.0.4)
==2018==    by 0xBB70A99: ffi_call (in /usr/lib/x86_64-linux-gnu/libffi.so.6.0.4)
==2018==    by 0x6D60800: g_cclosure_marshal_generic_va (gclosure.c:1604)
==2018==    by 0x6D5ECEF: _g_closure_invoke_va (gclosure.c:867)
==2018==    by 0x6D7AB75: g_signal_emit_valist (gsignal.c:3300)
==2018==    by 0x6D7BCF8: g_signal_emit (gsignal.c:3447)
==2018==    by 0x50A1A20: gtk_gesture_multi_press_begin (gtkgesturemultipress.c:241)
==2018==    by 0x6D636D5: g_cclosure_marshal_VOID__BOXEDv (gmarshal.c:1950)
==2018==    by 0x6D5F12D: g_type_class_meta_marshalv (gclosure.c:1024)
==2018==    by 0x6D5ECEF: _g_closure_invoke_va (gclosure.c:867)
==2018==    by 0x6D7AB75: g_signal_emit_valist (gsignal.c:3300)
==2018==    by 0x6D7BCF8: g_signal_emit (gsignal.c:3447)
==2018==    by 0x509D2C9: _gtk_gesture_set_recognized (gtkgesture.c:343)
==2018==    by 0x509D441: _gtk_gesture_check_recognized (gtkgesture.c:389)
==2018==
==2018== Invalid read of size 8
==2018==    at 0x6D85087: g_type_check_instance_is_fundamentally_a (gtype.c:4025)
==2018==    by 0x6D663E4: g_object_notify (gobject.c:1184)
==2018==    by 0x4FE7DB2: gtk_combo_box_set_active_internal (gtkcombobox.c:3882)
==2018==    by 0x4FE7FA8: gtk_combo_box_set_active_iter (gtkcombobox.c:3942)
==2018==    by 0x4FE6988: gtk_combo_box_list_button_released (gtkcombobox.c:3243)
==2018==    by 0x5106F82: _gtk_marshal_BOOLEAN__BOXED (gtkmarshalers.c:82)
==2018==    by 0x6D5EA57: g_closure_invoke (gclosure.c:804)
==2018==    by 0x6D7C468: signal_emit_unlocked_R (gsignal.c:3635)
==2018==    by 0x6D7B84C: g_signal_emit_valist (gsignal.c:3401)
==2018==    by 0x6D7BCF8: g_signal_emit (gsignal.c:3447)
==2018==    by 0x52D1077: gtk_widget_event_internal (gtkwidget.c:7723)
==2018==    by 0x52D048E: gtk_widget_event (gtkwidget.c:7293)
==2018==    by 0x51056E9: propagate_event_up (gtkmain.c:2578)
==2018==    by 0x51059CF: propagate_event (gtkmain.c:2680)
==2018==    by 0x5105A9D: gtk_propagate_event (gtkmain.c:2715)
==2018==    by 0x5104708: gtk_main_do_event (gtkmain.c:1911)
==2018==    by 0x589F881: _gdk_event_emit (gdkevents.c:73)
==2018==    by 0x58E3E10: gdk_event_source_dispatch (gdkeventsource.c:367)
==2018==    by 0x6FF979F: g_main_dispatch (gmain.c:3148)
==2018==    by 0x6FFA63D: g_main_context_dispatch (gmain.c:3813)
==2018==    by 0x6FFA821: g_main_context_iterate (gmain.c:3886)
==2018==    by 0x6FFAC47: g_main_loop_run (gmain.c:4082)
==2018==    by 0x5103A7A: gtk_main (gtkmain.c:1322)
==2018==    by 0x10A700: main (sample3.c:345)
==2018==  Address 0xaaaaaaaaaaaaaaaa is not stack'd, malloc'd or (recently) free'd
==2018==
==2018==
==2018== Process terminating with default action of signal 11 (SIGSEGV)
==2018==  General Protection Fault
==2018==    at 0x6D85087: g_type_check_instance_is_fundamentally_a (gtype.c:4025)
==2018==    by 0x6D663E4: g_object_notify (gobject.c:1184)
==2018==    by 0x4FE7DB2: gtk_combo_box_set_active_internal (gtkcombobox.c:3882)
==2018==    by 0x4FE7FA8: gtk_combo_box_set_active_iter (gtkcombobox.c:3942)
==2018==    by 0x4FE6988: gtk_combo_box_list_button_released (gtkcombobox.c:3243)
==2018==    by 0x5106F82: _gtk_marshal_BOOLEAN__BOXED (gtkmarshalers.c:82)
==2018==    by 0x6D5EA57: g_closure_invoke (gclosure.c:804)
==2018==    by 0x6D7C468: signal_emit_unlocked_R (gsignal.c:3635)
==2018==    by 0x6D7B84C: g_signal_emit_valist (gsignal.c:3401)
==2018==    by 0x6D7BCF8: g_signal_emit (gsignal.c:3447)
==2018==    by 0x52D1077: gtk_widget_event_internal (gtkwidget.c:7723)
==2018==    by 0x52D048E: gtk_widget_event (gtkwidget.c:7293)
==2018==    by 0x51056E9: propagate_event_up (gtkmain.c:2578)
==2018==    by 0x51059CF: propagate_event (gtkmain.c:2680)
==2018==    by 0x5105A9D: gtk_propagate_event (gtkmain.c:2715)
==2018==    by 0x5104708: gtk_main_do_event (gtkmain.c:1911)
==2018==    by 0x589F881: _gdk_event_emit (gdkevents.c:73)
==2018==    by 0x58E3E10: gdk_event_source_dispatch (gdkeventsource.c:367)
==2018==    by 0x6FF979F: g_main_dispatch (gmain.c:3148)
==2018==    by 0x6FFA63D: g_main_context_dispatch (gmain.c:3813)
==2018==    by 0x6FFA821: g_main_context_iterate (gmain.c:3886)
==2018==    by 0x6FFAC47: g_main_loop_run (gmain.c:4082)
==2018==    by 0x5103A7A: gtk_main (gtkmain.c:1322)
==2018==    by 0x10A700: main (sample3.c:345)
==2018==
==2018== HEAP SUMMARY:
==2018==     in use at exit: 2,305,799 bytes in 25,991 blocks
==2018==   total heap usage: 236,573 allocs, 210,582 frees, 15,547,396 bytes allocated
==2018==
==2018== LEAK SUMMARY:
==2018==    definitely lost: 9,216 bytes in 30 blocks
==2018==    indirectly lost: 15,300 bytes in 657 blocks
==2018==      possibly lost: 4,500 bytes in 66 blocks
==2018==    still reachable: 2,130,351 bytes in 24,106 blocks
==2018==                       of which reachable via heuristic:
==2018==                         length64 : 6,496 bytes in 103 blocks
==2018==                         newarray : 2,144 bytes in 54 blocks
==2018==         suppressed: 0 bytes in 0 blocks
==2018== Rerun with --leak-check=full to see details of leaked memory
==2018==
==2018== For counts of detected and suppressed errors, rerun with: -v
==2018== ERROR SUMMARY: 3 errors from 3 contexts (suppressed: 0 from 0)
Segmentation fault
(In reply to Daniel Boles from comment #3)
> so it looks like gtk_combo_box_list_button_released() gets called twice

wrong: the free and the faulting notify occur one after the other, in a single call
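
The sequence in the valgrind traces above (the "changed" emission at gtkcombobox.c:3881 drops the last reference, then the notify at 3882 touches the freed instance, all within one call), reduced to a self-contained C model. This is an added example, not GTK's code and not the fix applied upstream: `Combo`, `finish_editing`, `set_active_guarded` and the static pool are hypothetical stand-ins for GObject reference counting, and the guarded variant shows the usual defence of holding a reference across an emission.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical model of the transient combo box; not GObject. */
typedef struct Combo Combo;
typedef void (*ChangedHandler)(Combo *combo);

struct Combo {
    int refcount;
    int active;
    ChangedHandler changed;   /* single "changed" handler */
};

/* Objects live in a static pool so that a stale pointer can be inspected
 * without undefined behaviour; "freeing" poisons the slot and marks it dead. */
enum { POOL_SIZE = 4 };
static Combo pool[POOL_SIZE];
static int in_use[POOL_SIZE];
static int notify_ok;      /* notifications delivered to a live object */
static int notify_stale;   /* notifications attempted on a finalized object */

static int combo_is_live(const Combo *c) { return in_use[c - pool]; }

static int live_count(void) {
    int n = 0;
    for (int i = 0; i < POOL_SIZE; i++) n += in_use[i];
    return n;
}

static Combo *combo_new(ChangedHandler handler) {
    for (int i = 0; i < POOL_SIZE; i++) {
        if (!in_use[i]) {
            in_use[i] = 1;
            pool[i] = (Combo){ .refcount = 1, .active = -1, .changed = handler };
            return &pool[i];
        }
    }
    return NULL;
}

static void combo_ref(Combo *c) { c->refcount++; }

static void combo_unref(Combo *c) {
    if (--c->refcount == 0) {
        memset(c, 0xAA, sizeof *c);   /* constructed poison pattern */
        in_use[c - pool] = 0;
    }
}

/* As in the trace, the emission holds its own reference to the instance and
 * releases it when the emission ends (g_value_unset -> g_object_unref). */
static void emit_changed(Combo *c) {
    combo_ref(c);
    if (c->changed) c->changed(c);
    combo_unref(c);
}

/* Handler that ends editing and drops the owner's reference. */
static void finish_editing(Combo *c) { combo_unref(c); }
/* Handler that leaves the widget alone. */
static void keep_editing(Combo *c) { (void)c; }

/* Stand-in for g_object_notify: records a stale access instead of reading it. */
static void notify_active(Combo *c) {
    if (combo_is_live(c)) notify_ok++;
    else notify_stale++;
}

/* Same order as lines 3881/3882 in the trace: emit, then notify. */
static void set_active_unsafe(Combo *c, int index) {
    c->active = index;
    emit_changed(c);
    notify_active(c);
}

/* Defensive variant: keep the instance alive until the function is done. */
static void set_active_guarded(Combo *c, int index) {
    combo_ref(c);
    c->active = index;
    emit_changed(c);
    notify_active(c);
    combo_unref(c);           /* the object is finalized here, after last use */
}

/* Runs one scenario and returns the number of stale notifications. */
static int run_scenario(void (*set_active)(Combo *, int), ChangedHandler handler) {
    notify_ok = notify_stale = 0;
    Combo *c = combo_new(handler);
    if (!c) return -1;
    set_active(c, 2);
    if (combo_is_live(c)) combo_unref(c);   /* owner releases in the benign case */
    return notify_stale;
}

int main(void) {
    printf("unsafe,  handler keeps widget: %d stale\n", run_scenario(set_active_unsafe, keep_editing));
    printf("unsafe,  handler frees widget: %d stale\n", run_scenario(set_active_unsafe, finish_editing));
    printf("guarded, handler frees widget: %d stale\n", run_scenario(set_active_guarded, finish_editing));
    return 0;
}
```
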
another trace in case it adds anything - chiefly, no <optimized out> here

(ins)(gdb) bt
+ Trace 237846
*** Bug 793745 has been marked as a duplicate of this bug. ***
-- GitLab Migration Automatic Message -- This bug has been migrated to GNOME's GitLab instance and has been closed from further activity. You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.gnome.org/GNOME/gtk/issues/433.