GNOME Bugzilla – Bug 746013
Invalid write of size 8
Last modified: 2015-03-11 10:49:04 UTC
Valgrind claims this when running evolution under it. Invalid writes (use-after-free) can cause bad crashes, due to memory corruption, as you know. This is gtk3-3.15.10-1.fc23.x86_64

==2434== Invalid write of size 8
==2434==    at 0xF41B1D5: g_nullify_pointer (in /usr/lib64/libglib-2.0.so.0.4391.0)
==2434==    by 0xF15EE4E: ??? (in /usr/lib64/libgobject-2.0.so.0.4391.0)
==2434==    by 0xF161B48: g_object_run_dispose (in /usr/lib64/libgobject-2.0.so.0.4391.0)
==2434==    by 0xD4FE67E: gtk_box_forall (gtkbox.c:2558)
==2434==    by 0xD54B790: gtk_container_destroy (gtkcontainer.c:1524)
==2434==    by 0xF15AE9E: g_closure_invoke (in /usr/lib64/libgobject-2.0.so.0.4391.0)
==2434==    by 0xF16DC05: ??? (in /usr/lib64/libgobject-2.0.so.0.4391.0)
==2434==    by 0xF17613F: g_signal_emit_valist (in /usr/lib64/libgobject-2.0.so.0.4391.0)
==2434==    by 0xF17650E: g_signal_emit (in /usr/lib64/libgobject-2.0.so.0.4391.0)
==2434==    by 0xD76D497: gtk_widget_dispose (gtkwidget.c:11949)
==2434==    by 0xF161B48: g_object_run_dispose (in /usr/lib64/libgobject-2.0.so.0.4391.0)
==2434==    by 0xD5BD4DE: gtk_frame_forall (gtkframe.c:368)
==2434==    by 0xD54B790: gtk_container_destroy (gtkcontainer.c:1524)
==2434==    by 0xF15AF44: g_closure_invoke (in /usr/lib64/libgobject-2.0.so.0.4391.0)
==2434==    by 0xF16DC05: ??? (in /usr/lib64/libgobject-2.0.so.0.4391.0)
==2434==    by 0xF17613F: g_signal_emit_valist (in /usr/lib64/libgobject-2.0.so.0.4391.0)
==2434==    by 0xF17650E: g_signal_emit (in /usr/lib64/libgobject-2.0.so.0.4391.0)
==2434==    by 0xD76D497: gtk_widget_dispose (gtkwidget.c:11949)
==2434==    by 0xF16002B: g_object_unref (in /usr/lib64/libgobject-2.0.so.0.4391.0)
==2434==    by 0xD54999F: gtk_container_remove (gtkcontainer.c:1737)
==2434==    by 0x4E54FDE: ??? (in /usr/lib64/evolution/libevolution-shell.so)
==2434==    by 0xF15EE4E: ??? (in /usr/lib64/libgobject-2.0.so.0.4391.0)
==2434==    by 0xF16002B: g_object_unref (in /usr/lib64/libgobject-2.0.so.0.4391.0)
==2434==    by 0x2D6266C0: ??? (in /usr/lib64/evolution/libevolution-mail.so)
==2434==    by 0x2D62678C: ??? (in /usr/lib64/evolution/libevolution-mail.so)
==2434==    by 0xEE4C393: ??? (in /usr/lib64/libgio-2.0.so.0.4391.0)
==2434==    by 0xEE4C3B8: ??? (in /usr/lib64/libgio-2.0.so.0.4391.0)
==2434==    by 0xF3E7229: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.4391.0)
==2434==    by 0xF3E75BF: ??? (in /usr/lib64/libglib-2.0.so.0.4391.0)
==2434==    by 0xF3E78E1: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.4391.0)
==2434==    by 0xD60B7D4: gtk_main (gtkmain.c:1219)
==2434==    by 0x10C7BD: main (in /usr/bin/evolution)
==2434==  Address 0x366b37b0 is 176 bytes inside a block of size 224 free'd
==2434==    at 0x4C2CD29: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==2434==    by 0xF3ECF3E: g_free (in /usr/lib64/libglib-2.0.so.0.4391.0)
==2434==    by 0xF40484C: g_slice_free1 (in /usr/lib64/libglib-2.0.so.0.4391.0)
==2434==    by 0xF17CFD6: g_type_free_instance (in /usr/lib64/libgobject-2.0.so.0.4391.0)
==2434==    by 0xD50B9C8: gtk_button_destroy (gtkbutton.c:708)
==2434==    by 0xF15AE9E: g_closure_invoke (in /usr/lib64/libgobject-2.0.so.0.4391.0)
==2434==    by 0xF16DC05: ??? (in /usr/lib64/libgobject-2.0.so.0.4391.0)
==2434==    by 0xF17613F: g_signal_emit_valist (in /usr/lib64/libgobject-2.0.so.0.4391.0)
==2434==    by 0xF17650E: g_signal_emit (in /usr/lib64/libgobject-2.0.so.0.4391.0)
==2434==    by 0xD76D497: gtk_widget_dispose (gtkwidget.c:11949)
==2434==    by 0xF161B48: g_object_run_dispose (in /usr/lib64/libgobject-2.0.so.0.4391.0)
==2434==    by 0xD4FE67E: gtk_box_forall (gtkbox.c:2558)
==2434==    by 0xD54B790: gtk_container_destroy (gtkcontainer.c:1524)
==2434==    by 0xF15AE9E: g_closure_invoke (in /usr/lib64/libgobject-2.0.so.0.4391.0)
==2434==    by 0xF16DC05: ??? (in /usr/lib64/libgobject-2.0.so.0.4391.0)
==2434==    by 0xF17613F: g_signal_emit_valist (in /usr/lib64/libgobject-2.0.so.0.4391.0)
==2434==    by 0xF17650E: g_signal_emit (in /usr/lib64/libgobject-2.0.so.0.4391.0)
==2434==    by 0xD76D497: gtk_widget_dispose (gtkwidget.c:11949)
==2434==    by 0xF161B48: g_object_run_dispose (in /usr/lib64/libgobject-2.0.so.0.4391.0)
==2434==    by 0xD5BD4DE: gtk_frame_forall (gtkframe.c:368)
==2434==    by 0xD54B790: gtk_container_destroy (gtkcontainer.c:1524)
==2434==    by 0xF15AF44: g_closure_invoke (in /usr/lib64/libgobject-2.0.so.0.4391.0)
==2434==    by 0xF16DC05: ??? (in /usr/lib64/libgobject-2.0.so.0.4391.0)
==2434==    by 0xF17613F: g_signal_emit_valist (in /usr/lib64/libgobject-2.0.so.0.4391.0)
==2434==    by 0xF17650E: g_signal_emit (in /usr/lib64/libgobject-2.0.so.0.4391.0)
==2434==    by 0xD76D497: gtk_widget_dispose (gtkwidget.c:11949)
==2434==    by 0xF16002B: g_object_unref (in /usr/lib64/libgobject-2.0.so.0.4391.0)
==2434==    by 0xD54999F: gtk_container_remove (gtkcontainer.c:1737)
==2434==    by 0x4E54FDE: ??? (in /usr/lib64/evolution/libevolution-shell.so)
==2434==    by 0xF15EE4E: ??? (in /usr/lib64/libgobject-2.0.so.0.4391.0)
==2434==    by 0xF16002B: g_object_unref (in /usr/lib64/libgobject-2.0.so.0.4391.0)
==2434==    by 0x2D6266C0: ??? (in /usr/lib64/evolution/libevolution-mail.so)
==2434==    by 0x2D62678C: ??? (in /usr/lib64/evolution/libevolution-mail.so)
==2434==    by 0xEE4C393: ??? (in /usr/lib64/libgio-2.0.so.0.4391.0)
==2434==    by 0xEE4C3B8: ??? (in /usr/lib64/libgio-2.0.so.0.4391.0)
==2434==    by 0xF3E7229: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.4391.0)
==2434==    by 0xF3E75BF: ??? (in /usr/lib64/libglib-2.0.so.0.4391.0)
==2434==    by 0xF3E78E1: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.4391.0)
==2434==    by 0xD60B7D4: gtk_main (gtkmain.c:1219)
==2434==    by 0x10C7BD: main (in /usr/bin/evolution)
gtk3-demo exhibits the same issue, when changing the demo in the left tree.
(In reply to Milan Crha from comment #0)
> Valgrind claims this when running evolution under it. Invalid writes
> (use-after-free) can cause bad crashes, due to memory corruption, as you
> know. This is gtk3-3.15.10-1.fc23.x86_64
>
> ==2434== Invalid write of size 8
> ==2434==    at 0xF41B1D5: g_nullify_pointer (in /usr/lib64/libglib-2.0.so.0.4391.0)
> ==2434==    by 0xF15EE4E: ??? (in /usr/lib64/libgobject-2.0.so.0.4391.0)
> ==2434==    by 0xF161B48: g_object_run_dispose (in /usr/lib64/libgobject-2.0.so.0.4391.0)
> ==2434==    by 0xD4FE67E: gtk_box_forall (gtkbox.c:2558)
> ==2434==    by 0xD54B790: gtk_container_destroy (gtkcontainer.c:1524)
> ==2434==    by 0xF15AE9E: g_closure_invoke (in /usr/lib64/libgobject-2.0.so.0.4391.0)
> ==2434==    by 0xF16DC05: ??? (in /usr/lib64/libgobject-2.0.so.0.4391.0)
> ==2434==    by 0xF17613F: g_signal_emit_valist (in /usr/lib64/libgobject-2.0.so.0.4391.0)
> ==2434==    by 0xF17650E: g_signal_emit (in /usr/lib64/libgobject-2.0.so.0.4391.0)
> ==2434==    by 0xD76D497: gtk_widget_dispose (gtkwidget.c:11949)

Wild guess. I think this is because we are not removing the weak pointers that we added here:

commit 7c4bf742e82d812ecc5b0c3280db86d2689eb093
Author: Debarshi Ray <debarshir@gnome.org>
Date:   Sun Mar 1 13:28:21 2015 +0100

    eventcontroller, widget: Don't crash if destroyed before the other

    There are two scenarios. A widget sub-class owns a GtkEventController
    and passes itself to it, or a controller owned by something else is
    passed a widget.

    In the second case, if the widget is destroyed before the controller,
    we will have a crash when destructing the controller because we will
    be accessing invalid memory. Adding a weak reference on the widget
    addresses that problem.

    This leads to a crash in the first case. When the widget is getting
    destroyed, it will drop the reference to its own controller. The
    controller will skip touching the widget because the weak reference
    would have turned it to NULL. However, when the widget sub-class
    chains up to GtkWidget it will try to free all the controllers in its
    list. Unfortunately, all these controllers have already been
    destroyed. So we need to guard against this too.

    https://bugzilla.gnome.org/show_bug.cgi?id=745225
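The mechanism behind the "weak pointers not removed" guess, as an added illustration that is not part of this bug report or of the GTK+ source: a weak pointer registered with g_object_add_weak_pointer() is an address the target object writes NULL into when it is disposed (the g_nullify_pointer frame in the trace above). If the holder of that address is finalized without calling g_object_remove_weak_pointer(), the write lands in freed memory, which is exactly an "Invalid write of size 8" inside a free'd block. The program below is plain C with no GLib dependency; Widget, Controller, weak_add(), weak_remove() and widget_dispose() are constructed stand-ins for the GObject calls named in their comments, and the controller's storage is deliberately kept allocated until the end so that the demo itself stays memory-safe while still counting the writes that would have been dangling.

```c
#include <stdio.h>
#include <stdlib.h>

#define MAX_WEAK 8

/* Target side of g_object_add_weak_pointer(): the object remembers every
 * address it has promised to overwrite with NULL when it is disposed. */
typedef struct {
    void **weak_slots[MAX_WEAK];
    int n_weak;
} Widget;

/* Holder side, modelled on GtkEventController keeping a weak pointer to
 * its widget. */
typedef struct {
    Widget *widget;   /* nulled by widget_dispose() while still registered */
    int finalized;    /* constructed flag: stands in for the storage being freed */
} Controller;

/* Stand-in for g_object_add_weak_pointer(). */
static int weak_add(Widget *w, void **slot)
{
    if (w->n_weak >= MAX_WEAK)
        return 0;
    w->weak_slots[w->n_weak++] = slot;
    return 1;
}

/* Stand-in for g_object_remove_weak_pointer(): forget the slot, never touch it. */
static int weak_remove(Widget *w, void **slot)
{
    for (int i = 0; i < w->n_weak; i++) {
        if (w->weak_slots[i] == slot) {
            w->weak_slots[i] = w->weak_slots[--w->n_weak];
            return 1;
        }
    }
    return 0;
}

/* Dispose stand-in: this is where the g_nullify_pointer() write happens.
 * Returns how many registered slots were written; every one of them must
 * still be live memory, which is the invariant the bug breaks. */
static int widget_dispose(Widget *w)
{
    int written = w->n_weak;
    for (int i = 0; i < w->n_weak; i++)
        *w->weak_slots[i] = NULL;
    w->n_weak = 0;
    return written;
}

static Controller *controller_new(Widget *w)
{
    Controller *c = calloc(1, sizeof *c);
    if (!c)
        abort();
    c->widget = w;
    weak_add(w, (void **)&c->widget);
    return c;
}

/* Buggy finalize: the weak pointer stays registered after the holder is gone. */
static void controller_finalize_buggy(Controller *c)
{
    c->finalized = 1;
}

/* Fixed finalize: unregister before the struct goes away. When the widget
 * died first the slot is already NULL and there is nothing to remove. */
static void controller_finalize_fixed(Controller *c)
{
    if (c->widget)
        weak_remove(c->widget, (void **)&c->widget);
    c->finalized = 1;
}

/* Second case in the commit message: widget dies first. Returns 1 when the
 * controller sees NULL and correctly skips touching the widget. */
int scenario_widget_first(void)
{
    Widget w = {0};
    Controller *c = controller_new(&w);
    widget_dispose(&w);
    int skipped = (c->widget == NULL);
    controller_finalize_fixed(c);
    free(c);
    return skipped;
}

/* Controller dies first. Returns the number of dispose-time writes that
 * land in an already finalized controller, i.e. the writes Valgrind
 * would flag as invalid once the storage is really freed. */
static int controller_first(void (*finalize)(Controller *))
{
    Widget w = {0};
    Controller *c = controller_new(&w);
    finalize(c);                       /* holder is gone from the widget's point of view */
    int dangling = widget_dispose(&w); /* any slot still registered is stale */
    free(c);
    return dangling;
}

int scenario_controller_first_buggy(void) { return controller_first(controller_finalize_buggy); }
int scenario_controller_first_fixed(void) { return controller_first(controller_finalize_fixed); }

int main(void)
{
    printf("widget first, controller skips:       %d\n", scenario_widget_first());
    printf("controller first, buggy stale writes: %d\n", scenario_controller_first_buggy());
    printf("controller first, fixed stale writes: %d\n", scenario_controller_first_fixed());
    return 0;
}
```

The invariant worth checking in a real dispose path is the one widget_dispose() returns here: at the moment the target nullifies its weak pointers, the number of slots that belong to already-finalized holders must be zero. Running the real binary under Valgrind, as the reporter did, is the practical way to observe a violation, since the stale slot itself is indistinguishable from a live one without the allocator's bookkeeping.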