Bug 726825 - possible invalid reads on delete event
Status: RESOLVED FIXED
Product: gtk+
Classification: Platform
Component: Widget: Other
Version: unspecified
Hardware/OS: Other Mac OS
Importance: Normal normal
Target Milestone: ---
Assigned To: gtk-bugs
Depends on:
Blocks:
Reported: 2014-03-21 14:38 UTC by Carlos Garnacho
Modified: 2014-03-21 16:33 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
window: Unset source ID before possibly destroying the widget (990 bytes, patch)
2014-03-21 14:39 UTC, Carlos Garnacho
Status: committed

Description Carlos Garnacho 2014-03-21 14:38:13 UTC
Running gedit on valgrind:

==31245== Invalid write of size 4
==31245==    at 0x5D22D1D: send_delete_event (gtkwindow.c:1310)
==31245==    by 0x619213F: gdk_threads_dispatch (gdk.c:635)
==31245==    by 0x7FFFEED: g_idle_dispatch (gmain.c:5319)
==31245==    by 0x7FFD614: g_main_dispatch (gmain.c:3064)
==31245==    by 0x7FFE37D: g_main_context_dispatch (gmain.c:3663)
==31245==    by 0x7FFE56F: g_main_context_iterate (gmain.c:3734)
==31245==    by 0x7FFE633: g_main_context_iteration (gmain.c:3795)
==31245==    by 0x7836025: g_application_run (gapplication.c:2114)
==31245==    by 0x42052C: main (gedit.c:58)
==31245==  Address 0x1378ba3c is 524 bytes inside a block of size 992 free'd
==31245==    at 0x4C2999C: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==31245==    by 0x8005C61: g_free (gmem.c:190)
==31245==    by 0x801E828: g_slice_free1 (gslice.c:1112)
==31245==    by 0x7D87DF1: g_type_free_instance (gtype.c:1932)
==31245==    by 0x7D714A0: g_object_unref (gobject.c:3125)
==31245==    by 0x5B47C10: gtk_main_do_event (gtkmain.c:1619)
==31245==    by 0x5D22D0C: send_delete_event (gtkwindow.c:1307)
==31245==    by 0x619213F: gdk_threads_dispatch (gdk.c:635)
==31245==    by 0x7FFFEED: g_idle_dispatch (gmain.c:5319)
==31245==    by 0x7FFD614: g_main_dispatch (gmain.c:3064)
==31245==    by 0x7FFE37D: g_main_context_dispatch (gmain.c:3663)
==31245==    by 0x7FFE56F: g_main_context_iterate (gmain.c:3734)
==31245==    by 0x7FFE633: g_main_context_iteration (gmain.c:3795)
==31245==    by 0x7836025: g_application_run (gapplication.c:2114)
==31245==    by 0x42052C: main (gedit.c:58)
==31245== 

send_delete_event() is touching priv->delete_event_handler after the widget has been destroyed when the event was dispatched. I'm attaching a patch to fix that.
Comment 1 Carlos Garnacho 2014-03-21 14:39:36 UTC
Created attachment 272568
window: Unset source ID before possibly destroying the widget

If the delete event ends up destroying the widget, unsetting
priv->delete_event_handler will happen on invalid memory, so
unset it before the widget is possibly destroyed.
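The ordering bug described above and the fix's reasoning, as an added example that is not GTK code or the attached patch: `window`, `dispatch_delete` and the `windows_freed` counter are hypothetical stand-ins for GtkWindow, gtk_main_do_event() and the idle source that runs send_delete_event(); the source id 42 is constructed.

```c
/* Added example (not GTK code): minimal model of the write-after-destroy
 * fixed by attachment 272568. All names here are stand-ins. */
#include <stdlib.h>
#include <stdbool.h>

typedef struct {
    int ref_count;
    unsigned delete_event_handler;  /* GLib source id, 0 when unset */
} window;

int windows_freed = 0;              /* observable side effect for checking */

window *window_new(void) {
    window *w = calloc(1, sizeof *w);
    w->ref_count = 1;
    w->delete_event_handler = 42;   /* constructed id of the idle source */
    return w;
}

void window_unref(window *w) {
    if (--w->ref_count == 0) { windows_freed++; free(w); }
}

/* Stand-in for gtk_main_do_event(): the delete-event handler closes the
 * window and drops the last reference, so `w` dangles afterwards. */
void dispatch_delete(window *w) { window_unref(w); }

/* 'Before' ordering from gtkwindow.c: dispatch first, then touch the
 * struct. The last store is the invalid write valgrind reported.
 * Kept only for comparison; never call it. */
bool send_delete_event_buggy(window *w) {
    dispatch_delete(w);
    w->delete_event_handler = 0;    /* write into freed memory */
    return false;
}

/* Fixed ordering: unset the source id while the widget is still alive,
 * then dispatch. Nothing touches `w` after it may have been destroyed. */
bool send_delete_event_fixed(window *w) {
    w->delete_event_handler = 0;
    dispatch_delete(w);
    return false;                   /* one-shot idle: remove the source */
}

/* Runs one delete cycle; returns how many windows were freed by it. */
int run_delete_cycle(void) {
    int before = windows_freed;
    window *w = window_new();
    send_delete_event_fixed(w);
    return windows_freed - before;  /* 1: freed exactly once, no UAF */
}
```

Running the fixed path under valgrind, as the report does for gedit, is the practical check: the "Invalid write" at the store into priv disappears because the store now precedes the dispatch.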
Comment 2 Emmanuele Bassi (:ebassi) 2014-03-21 14:42:32 UTC
Review of attachment 272568:

looks good to me.
Comment 3 Carlos Garnacho 2014-03-21 16:33:16 UTC
A hard code freeze break was approved for this one. Pushed to master.

Attachment 272568 pushed as 9adfc8e - window: Unset source ID before possibly destroying the widget