GNOME Bugzilla – Bug 726747
Valgrind warning (Invalid write) when exiting Gedit
Last modified: 2014-03-21 15:53:54 UTC
When exiting Gedit 3.12 there's a Valgrind warning:

==20156== Invalid write of size 8
==20156==    at 0x7704675: g_nullify_pointer (gutils.c:2030)
==20156==    by 0x744CBEE: weak_refs_notify (gobject.c:2572)
==20156==    by 0x744F97F: g_object_run_dispose (gobject.c:1073)
==20156==    by 0x5649937: gtk_box_forall (gtkbox.c:2557)
==20156==    by 0x5694480: gtk_container_destroy (gtkcontainer.c:1410)
==20156==    by 0x7448F91: g_closure_invoke (gclosure.c:768)
==20156==    by 0x745B7C3: signal_emit_unlocked_R (gsignal.c:3667)
==20156==    by 0x7463448: g_signal_emit_valist (gsignal.c:3307)
==20156==    by 0x7463701: g_signal_emit (gsignal.c:3363)
==20156==    by 0x588DEB7: gtk_widget_dispose (gtkwidget.c:11348)
==20156==    by 0x744F97F: g_object_run_dispose (gobject.c:1073)
==20156==    by 0x56498EE: gtk_box_forall (gtkbox.c:2541)
==20156==    by 0x5694480: gtk_container_destroy (gtkcontainer.c:1410)
==20156==    by 0x7448F91: g_closure_invoke (gclosure.c:768)
==20156==    by 0x745B7C3: signal_emit_unlocked_R (gsignal.c:3667)
==20156==    by 0x7463448: g_signal_emit_valist (gsignal.c:3307)
==20156==    by 0x7463701: g_signal_emit (gsignal.c:3363)
==20156==    by 0x588DEB7: gtk_widget_dispose (gtkwidget.c:11348)
==20156==    by 0x744F97F: g_object_run_dispose (gobject.c:1073)
==20156==    by 0x5694480: gtk_container_destroy (gtkcontainer.c:1410)
==20156==    by 0x7448F91: g_closure_invoke (gclosure.c:768)
==20156==    by 0x745B7C3: signal_emit_unlocked_R (gsignal.c:3667)
==20156==    by 0x7463448: g_signal_emit_valist (gsignal.c:3307)
==20156==    by 0x7463701: g_signal_emit (gsignal.c:3363)
==20156==    by 0x588DEB7: gtk_widget_dispose (gtkwidget.c:11348)
==20156==    by 0x744F97F: g_object_run_dispose (gobject.c:1073)
==20156==    by 0x56498EE: gtk_box_forall (gtkbox.c:2541)
==20156==    by 0x5694480: gtk_container_destroy (gtkcontainer.c:1410)
==20156==    by 0x7448F91: g_closure_invoke (gclosure.c:768)
==20156==    by 0x745B7C3: signal_emit_unlocked_R (gsignal.c:3667)
==20156==    by 0x7463448: g_signal_emit_valist (gsignal.c:3307)
==20156==    by 0x7463701: g_signal_emit (gsignal.c:3363)
==20156==    by 0x588DEB7: gtk_widget_dispose (gtkwidget.c:11348)
==20156==    by 0x744F97F: g_object_run_dispose (gobject.c:1073)
==20156==    by 0x5779D5B: gtk_overlay_forall (gtkoverlay.c:552)
==20156==    by 0x5694480: gtk_container_destroy (gtkcontainer.c:1410)
==20156==    by 0x7448F91: g_closure_invoke (gclosure.c:768)
==20156==    by 0x745B7C3: signal_emit_unlocked_R (gsignal.c:3667)
==20156==    by 0x7463448: g_signal_emit_valist (gsignal.c:3307)
==20156==    by 0x7463701: g_signal_emit (gsignal.c:3363)
==20156==  Address 0x114c1030 is 16 bytes inside a block of size 184 free'd
==20156==    at 0x4C2B68C: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==20156==    by 0x746AB79: g_type_free_instance (gtype.c:1932)
==20156==    by 0x5893791: gtk_widget_real_destroy (gtkwidget.c:11516)
==20156==    by 0x7448F91: g_closure_invoke (gclosure.c:768)
==20156==    by 0x745B7C3: signal_emit_unlocked_R (gsignal.c:3667)
==20156==    by 0x7463448: g_signal_emit_valist (gsignal.c:3307)
==20156==    by 0x7463701: g_signal_emit (gsignal.c:3363)
==20156==    by 0x588DEB7: gtk_widget_dispose (gtkwidget.c:11348)
==20156==    by 0x744F97F: g_object_run_dispose (gobject.c:1073)
==20156==    by 0x57973E8: _unmanage_popover (gtkpopover.c:1461)
==20156==    by 0x76C1A7F: g_hash_table_remove_node (ghash.c:448)
==20156==    by 0x76C2039: g_hash_table_remove_internal (ghash.c:1300)
==20156==    by 0x5797697: gtk_popover_update_relative_to (gtkpopover.c:1496)
==20156==    by 0x57990C6: gtk_popover_dispose (gtkpopover.c:212)
==20156==    by 0x744F97F: g_object_run_dispose (gobject.c:1073)
==20156==    by 0x5755392: gtk_menu_button_dispose (gtkmenubutton.c:1024)
==20156==    by 0x744F97F: g_object_run_dispose (gobject.c:1073)
==20156==    by 0x5649937: gtk_box_forall (gtkbox.c:2557)
==20156==    by 0x5694480: gtk_container_destroy (gtkcontainer.c:1410)
==20156==    by 0x7448F91: g_closure_invoke (gclosure.c:768)
==20156==    by 0x745B7C3: signal_emit_unlocked_R (gsignal.c:3667)
==20156==    by 0x7463448: g_signal_emit_valist (gsignal.c:3307)
==20156==    by 0x7463701: g_signal_emit (gsignal.c:3363)
==20156==    by 0x588DEB7: gtk_widget_dispose (gtkwidget.c:11348)
==20156==    by 0x744F97F: g_object_run_dispose (gobject.c:1073)
==20156==    by 0x56498EE: gtk_box_forall (gtkbox.c:2541)
==20156==    by 0x5694480: gtk_container_destroy (gtkcontainer.c:1410)
==20156==    by 0x7448F91: g_closure_invoke (gclosure.c:768)
==20156==    by 0x745B7C3: signal_emit_unlocked_R (gsignal.c:3667)
==20156==    by 0x7463448: g_signal_emit_valist (gsignal.c:3307)
==20156==    by 0x7463701: g_signal_emit (gsignal.c:3363)
==20156==    by 0x588DEB7: gtk_widget_dispose (gtkwidget.c:11348)
==20156==    by 0x744F97F: g_object_run_dispose (gobject.c:1073)
==20156==    by 0x5694480: gtk_container_destroy (gtkcontainer.c:1410)
==20156==    by 0x7448F91: g_closure_invoke (gclosure.c:768)
==20156==    by 0x745B7C3: signal_emit_unlocked_R (gsignal.c:3667)
==20156==    by 0x7463448: g_signal_emit_valist (gsignal.c:3307)
==20156==    by 0x7463701: g_signal_emit (gsignal.c:3363)
==20156==    by 0x588DEB7: gtk_widget_dispose (gtkwidget.c:11348)
==20156==    by 0x744F97F: g_object_run_dispose (gobject.c:1073)

Also, sometimes Gedit crashes on exit, and I suspect this is related to the Valgrind warning. Also, Gedit bug 726673 (Crash when closing gedit) might be the same problem.

I think the Valgrind warning is related to GtkPopoverAccessible (when removing all popovers from Gedit source code the Valgrind warning disappears). It looks like GtkPopoverAccessible adds a weak reference (with g_object_add_weak_pointer()) to the GeditStatusMenuButton which it is relative to. But on exit the GtkPopover is destroyed before the GeditStatusMenuButton is; but GtkPopoverAccessible doesn't remove the weak ref from the button. So when the button is destroyed, it still has the weak ref to GtkPopoverAccessible, and tries to null it; but the memory location it tries to write to was in the private data of GtkPopoverAccessible and is already freed it seems.

This happens with Gedit 3.12 and Gtk 3.11 (both from recent jhbuild), under Ubuntu 14.04 x86_64 in VirtualBox.
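
The teardown ordering described in the report, as an added example that is not part of the original report and is not GTK+ or GLib code. It is a self-contained model that does not link against GLib: Watched, Watcher, add_weak_pointer, remove_weak_pointer and the other names are hypothetical stand-ins for the button, the popover accessible, g_object_add_weak_pointer() and g_object_remove_weak_pointer(), and an alive flag replaces the real free() so the stale write is counted instead of performed.

```c
#include <stddef.h>
#include <stdio.h>

#define MAX_WEAK 4

/* Watched object (the button in the report): remembers the addresses of
 * pointer variables it must set to NULL when it is disposed. */
typedef struct { void **slots[MAX_WEAK]; size_t n; } Watched;

/* Watcher (the popover accessible): 'target' is the weak slot inside its own
 * storage. 'alive' stands in for free() so the demo has no undefined behaviour. */
typedef struct { void *target; int alive; } Watcher;

static void add_weak_pointer(Watched *w, void **slot) {
    if (w->n < MAX_WEAK) w->slots[w->n++] = slot;
}

static void remove_weak_pointer(Watched *w, void **slot) {
    for (size_t i = 0; i < w->n; i++)
        if (w->slots[i] == slot) { w->slots[i] = w->slots[--w->n]; return; }
}

/* Finalize the watcher; unregister == 0 reproduces the reported bug. */
static void watcher_finalize(Watcher *a, Watched *w, int unregister) {
    if (unregister && a->target) remove_weak_pointer(w, &a->target);
    a->alive = 0; /* real code: the storage holding 'target' is freed here */
}

/* Dispose the watched object: null every registered slot. Returns how many
 * of those writes would land in an already finalized watcher. */
static int watched_dispose(Watched *w, Watcher *a) {
    int stale = 0;
    for (size_t i = 0; i < w->n; i++) {
        if (w->slots[i] == &a->target && !a->alive) stale++; /* invalid write */
        else *w->slots[i] = NULL;
    }
    w->n = 0;
    return stale;
}

/* Teardown order from the report: watcher first, then the watched object. */
static int teardown(int unregister) {
    Watched button = {0};
    Watcher acc = { &button, 1 };
    add_weak_pointer(&button, &acc.target);
    watcher_finalize(&acc, &button, unregister);
    return watched_dispose(&button, &acc);
}

int main(void) { printf("stale writes: buggy=%d fixed=%d\n", teardown(0), teardown(1)); return 0; }
```

The stale write counted in the buggy run corresponds to the g_nullify_pointer frame at the top of the Valgrind trace; removing the slot before the watcher's storage goes away brings the count to zero.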
Created attachment 272437
gdb backtraces for gtk_popover_accessible_finalize() and Invalid Write, and Valgrind output

Attached are two GDB backtraces: first for the gtk_popover_accessible_finalize() call, then for the Invalid Write trap that follows. The Valgrind output for this run is also in the attached file.

Created attachment 272438
Valgrind output for the GDB backtraces

Forgot to add the Valgrind output to the last attachment.

*** This bug has been marked as a duplicate of bug 726749 ***