GNOME Bugzilla – Bug 726838
crash when unsetting GtkTreeView model
Last modified: 2014-03-26 14:53:27 UTC
Created attachment 272587: Valgrind output for the Invalid read

When calling gtk_tree_view_set_model(NULL) (from Python), the application sometimes crashes. This was observed while chasing crashes in Gedit 3.12 in combination with gedit-file-search plugin.

I think I've narrowed it down to the following sequence of events:
- there's a GtkTreeview with a GtkTreestore, with two levels (some top-level nodes, most of them containing one or more children)
- the crash happens more likely if one of the child nodes has been selected with the mouse
- when the user clicks a button, treeview.set_model(None) is called
- this causes gtk_tree_view_accessible_notify_gtk() to be called, which clears its internal hash map containing cell infos (GtkTreeViewAccessibleCellInfo)
- this calls cell_info_free() for each cell info; not sure in which order the hash items are removed?
- cell_info_free() unrefs the corresponding GtkCellAccessible
- this might call gtk_cell_accessible_object_finalize(), which in turn checks for relations of type ATK_RELATION_NODE_CHILD_OF
- if such a relation exists, the GtkCellAccessible targets in this relation are unreffed as well
- so this apparently causes another cell info object to be finalized as well (probably the parent line in the treeview?)
- however, this cell info still exists in the hash map; when it is later destroyed, cell_info_free() tries to access invalid memory and possibly crashes

A Valgrind log is attached (line numbers might be off a bit due to local debug prints).

This happens under Ubuntu 14.04 x86_64 in Virtualbox, with Gedit 3.12 and GTK 3.11, both from recent JHBuild.
Created attachment 272588: example app

Here's a test case:
- run attached script
- in treeview, expand "bar" entry
- select "bar1" entry
- click on "Click here" button to call treeview.set_model(None)

Sometimes it crashes, sometimes it doesn't. Probably depends on the memory addresses of cell infos and how they are ordered in the hash map.
Created attachment 272648: Valgrind output when calling gtk_tree_store_clear() instead

When calling gtk_tree_store_clear() instead of gtk_tree_view_set_model(), a similar crash can happen (again due to cell_info_free() freeing memory that is later freed again). Valgrind output is attached.
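The sequence of events in the first comment (and the gtk_tree_store_clear() variant above) is a general hazard: a container tears down reference-counted objects one by one, but dropping one reference transitively finalizes another object whose container entry is still pending or already freed. The C program below is a constructed, self-contained model of that pattern added here for illustration; it is not GTK code and does not reproduce GTK's internals or its actual fix. `Cell` stands in for a GtkCellAccessible, `CellInfo` for the cell info kept in the tree view's hash map, and the parent pointer for the NODE_CHILD_OF relation target. Objects live in static pools with "alive" flags, so the dangling access is counted rather than being real undefined behaviour. The names `teardown_naive`, `teardown_two_phase` and `stale_info_accesses` are the example's own.

```c
#include <stdio.h>

/* Constructed model of the teardown described in the bug report; not GTK code.
 * A Cell stands in for a GtkCellAccessible, a CellInfo for the
 * GtkTreeViewAccessibleCellInfo that the tree view keeps in its hash map. */

typedef struct Cell Cell;
typedef struct CellInfo CellInfo;

struct CellInfo {
    Cell *cell;      /* the info owns one reference on its cell */
    int alive;       /* 0 once cell_info_free() has run (simulated free) */
};

struct Cell {
    int refcount;
    Cell *parent;    /* NODE_CHILD_OF relation target, referenced */
    CellInfo *info;  /* back-pointer the accessible uses to notify the view */
    int alive;
};

static int stale_info_accesses;  /* reads of an already freed CellInfo */

static void cell_unref(Cell *cell);

/* Simulated finalize: release the relation target, then tell the view's
 * info that the accessible is gone. With the naive teardown that info may
 * already have been freed by the container. */
static void cell_finalize(Cell *cell)
{
    cell->alive = 0;
    if (cell->parent != NULL)
        cell_unref(cell->parent);
    if (cell->info != NULL) {
        if (!cell->info->alive)
            stale_info_accesses++;   /* use-after-free in a real build */
        else
            cell->info->cell = NULL;
    }
}

static void cell_unref(Cell *cell)
{
    if (--cell->refcount == 0)
        cell_finalize(cell);
}

/* Value-destroy callback of the container: unref the cell, then free the info. */
static void cell_info_free(CellInfo *info)
{
    if (info->cell != NULL)
        cell_unref(info->cell);
    info->alive = 0;
}

/* The two-level tree from the test case: parent "bar" with child "bar1". */
static void build_tree(Cell cells[2], CellInfo infos[2])
{
    cells[0] = (Cell){ .refcount = 1, .parent = NULL,      .info = &infos[0], .alive = 1 };
    cells[1] = (Cell){ .refcount = 1, .parent = &cells[0], .info = &infos[1], .alive = 1 };
    cells[0].refcount++;             /* the child's relation holds a ref on the parent */
    infos[0] = (CellInfo){ .cell = &cells[0], .alive = 1 };
    infos[1] = (CellInfo){ .cell = &cells[1], .alive = 1 };
}

/* Naive teardown: free the infos in whatever order the map yields them.
 * Returns the number of stale CellInfo accesses; the result is order-dependent. */
int teardown_naive(int parent_first)
{
    Cell cells[2]; CellInfo infos[2];
    build_tree(cells, infos);
    stale_info_accesses = 0;
    if (parent_first) { cell_info_free(&infos[0]); cell_info_free(&infos[1]); }
    else              { cell_info_free(&infos[1]); cell_info_free(&infos[0]); }
    return stale_info_accesses;
}

/* Two-phase teardown: first detach every info from its cell, so that a
 * finalize triggered later cannot reach a freed info, then drop the refs. */
int teardown_two_phase(int parent_first)
{
    Cell cells[2]; CellInfo infos[2];
    Cell *held[2];
    int order[2] = { parent_first ? 0 : 1, parent_first ? 1 : 0 };
    build_tree(cells, infos);
    stale_info_accesses = 0;
    for (int i = 0; i < 2; i++) {           /* phase 1: detach */
        CellInfo *info = &infos[order[i]];
        held[i] = info->cell;
        info->cell->info = NULL;
        info->cell = NULL;
        info->alive = 0;
    }
    for (int i = 0; i < 2; i++)             /* phase 2: release */
        cell_unref(held[i]);
    return stale_info_accesses;
}

int main(void)
{
    printf("naive, parent first:     %d stale accesses\n", teardown_naive(1));
    printf("naive, child first:      %d stale accesses\n", teardown_naive(0));
    printf("two-phase, parent first: %d stale accesses\n", teardown_two_phase(1));
    printf("two-phase, child first:  %d stale accesses\n", teardown_two_phase(0));
    return 0;
}
```

Freeing the child's info first is harmless, while freeing the parent's info first lets the child's finalize drop the parent to zero and finalize it against an info the container already released. That matches the intermittent, ordering-dependent behaviour the reporter saw with a hash map. Detaching every entry before releasing any reference removes the ordering dependence, which is the property to check for in any container that owns objects able to hold references to each other.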
Should be fixed in git master. I expect there to be a bunch of duplicates in bugzilla, so for every triager reading this: Whenever there's a crash with a stack trace that ends up in a11y treeview code and it happened in March, it's likely this one. Affected releases are 3.11.8 and 3.11.9, so no stable releases should trigger it. Another thing is that this crash only happens in trees, not in lists.
*** Bug 726452 has been marked as a duplicate of this bug. ***
I believe this properly fixes the crash that was first observed following the memory leak fix in commit 7a411eb6dd4d (which was later reverted in 4238cc4b7b96). So 7a411eb6dd4d can be un-reverted now.

See also:
https://bugzilla.gnome.org/show_bug.cgi?id=695965
https://bugzilla.gnome.org/show_bug.cgi?id=722030