Bug 748983 - Crash after opening money transfer dialog twice
Status: RESOLVED FIXED
Product: GnuCash
Classification: Other
Component: General
Version: 2.6.6
OS: Other Linux
Priority: Normal  Severity: normal
Target Milestone: ---
Assigned To: gnucash-general-maint
Depends on:
Blocks:
Reported: 2015-05-06 00:38 UTC by Philippe A
Modified: 2018-06-29 23:40 UTC
See Also:
GNOME target: ---
GNOME version: ---
Description Philippe A 2015-05-06 00:38:11 UTC
Open any account.
Open the money transfer dialog by clicking the icon.
Click again. A second dialog will open.
Hit ESC.
Hit ESC again.
Crash.
Comment 1 John Ralls 2015-07-07 21:14:27 UTC
Can't reproduce. What distro & version, and how did you install GnuCash 2.6.6?
Comment 2 Geert Janssens 2015-12-08 17:06:17 UTC
Closing this bug report as no further information has been provided. Please feel free to reopen this bug report if you can provide the information that was asked for in a previous comment.
Thanks!
Comment 3 Philippe A 2016-02-14 01:40:34 UTC
Still easily reproducible in gnucash-2.6.9-1.fc21.x86_64 (Fedora 21).
Comment 4 Mike Evans 2016-02-14 11:04:16 UTC
I can confirm this in maint branch on Fedora 18. Using the "cancel" button to close both dialogs has the same result.

Terminal output below:

* 10:55:52 DEBUG <gnc.business> [gncBillTermDestroy] destroying bill term e3be199cfa18226b6b1d20f3225b83ce (0x8873608)
* 10:55:53  WARN <gnc.scm> Splits in trep-renderer:(#<swig-pointer Split * 8f26378> #<swig-pointer Split * 8f26600>)
sys:1: GtkWarning: IA__gtk_widget_queue_draw: assertion `GTK_IS_WIDGET (widget)' failed
*** glibc detected *** /home/mikee/progs/gnucash-maint/bin/gnucash: malloc(): smallbin double linked list corrupted: 0x09466f30 ***
======= Backtrace: =========
/lib/libc.so.6[0x417cae92]
/lib/libc.so.6[0x417cd0ed]
/lib/libc.so.6(__libc_malloc+0x61)[0x417ce771]
/lib/libglib-2.0.so.0[0x41cfd0dc]
/lib/libglib-2.0.so.0(g_malloc+0x22)[0x41cfd482]
/lib/libglib-2.0.so.0(g_strdup+0x3a)[0x41d1583a]
/lib/libgio-2.0.so.0(g_settings_list_keys+0xb4)[0x44e97354]
/home/mikee/progs/gnucash-maint/lib/gnucash/libgncmod-app-utils.so(+0x1c8e8)[0xb743f8e8]
/home/mikee/progs/gnucash-maint/lib/gnucash/libgncmod-app-utils.so(gnc_gsettings_get_bool+0xb2)[0xb74403d4]
/home/mikee/progs/gnucash-maint/lib/libgnc-core-utils.so.0(gnc_prefs_get_bool+0x47)[0xb72d538d]
/home/mikee/progs/gnucash-maint/lib/gnucash/libgncmod-gnome-utils.so(+0x50b29)[0xb751fb29]
/home/mikee/progs/gnucash-maint/lib/gnucash/libgncmod-gnome-utils.so(gnc_xfer_dialog+0xb5)[0xb75209b4]
/home/mikee/progs/gnucash-maint/lib/libgnc-gnome.so.0(+0x71f78)[0xb7706f78]
/lib/libgobject-2.0.so.0(g_cclosure_marshal_VOID__VOID+0x8f)[0x41e3cdbf]
/lib/libgobject-2.0.so.0(g_closure_invoke+0x197)[0x41e3b007]
/lib/libgobject-2.0.so.0[0x41e4cfad]
/lib/libgobject-2.0.so.0(g_signal_emit_valist+0xd21)[0x41e55261]
/lib/libgobject-2.0.so.0(g_signal_emit+0x34)[0x41e553e4]
/lib/libgtk-x11-2.0.so.0[0x48488f0f]
/lib/libgtk-x11-2.0.so.0(gtk_action_activate+0x85)[0x48489a35]
/lib/libgtk-x11-2.0.so.0[0x48675ee0]
/lib/libgobject-2.0.so.0(g_cclosure_marshal_VOID__VOIDv+0x4f)[0x41e3ce2f]
/lib/libgobject-2.0.so.0[0x41e3b2b2]
/lib/libgobject-2.0.so.0(g_signal_emit_valist+0x4c6)[0x41e54a06]
/lib/libgobject-2.0.so.0(g_signal_emit+0x34)[0x41e553e4]
/lib/libgtk-x11-2.0.so.0(gtk_button_clicked+0x8a)[0x484a68fa]
/lib/libgtk-x11-2.0.so.0[0x484a7f98]
/lib/libgobject-2.0.so.0(g_cclosure_marshal_VOID__VOIDv+0x2b)[0x41e3ce0b]
/lib/libgobject-2.0.so.0[0x41e398e8]
/lib/libgobject-2.0.so.0[0x41e3b2b2]
/lib/libgobject-2.0.so.0(g_signal_emit_valist+0x4c6)[0x41e54a06]
/lib/libgobject-2.0.so.0(g_signal_emit+0x34)[0x41e553e4]
/lib/libgtk-x11-2.0.so.0(gtk_button_released+0x8a)[0x484a680a]
/lib/libgtk-x11-2.0.so.0[0x484a6865]
/lib/libgtk-x11-2.0.so.0[0x4857c462]
/lib/libgobject-2.0.so.0[0x41e39e3e]
/lib/libgobject-2.0.so.0(g_closure_invoke+0x197)[0x41e3b007]
/lib/libgobject-2.0.so.0[0x41e4cc58]
/lib/libgobject-2.0.so.0(g_signal_emit_valist+0xa8e)[0x41e54fce]
/lib/libgobject-2.0.so.0(g_signal_emit+0x34)[0x41e553e4]
/lib/libgtk-x11-2.0.so.0[0x486d2ad3]
/lib/libgtk-x11-2.0.so.0(gtk_propagate_event+0xd4)[0x48579eb4]
/lib/libgtk-x11-2.0.so.0(gtk_main_do_event+0x2e0)[0x4857a270]
/lib/libgdk-x11-2.0.so.0[0x44b23c59]
/lib/libglib-2.0.so.0(g_main_context_dispatch+0x14b)[0x41cf715b]
/lib/libglib-2.0.so.0[0x41cf7500]
/lib/libglib-2.0.so.0(g_main_loop_run+0x83)[0x41cf7963]
/lib/libgtk-x11-2.0.so.0(gtk_main+0xb0)[0x48578f80]
/home/mikee/progs/gnucash-maint/lib/gnucash/libgncmod-gnome-utils.so(gnc_ui_start_event_loop+0x60)[0xb753f8ec]
/home/mikee/progs/gnucash-maint/bin/gnucash[0x804c73c]
/lib/libguile.so.17[0x4105c985]
/lib/libguile.so.17[0x4102d241]
/lib/libguile.so.17(scm_c_catch+0x137)[0x410a56e7]
/lib/libguile.so.17(scm_i_with_continuation_barrier+0xac)[0x4102d8fc]
/lib/libguile.so.17(scm_c_with_continuation_barrier+0x56)[0x4102d9e6]
/lib/libguile.so.17(scm_i_with_guile_and_parent+0x3e)[0x410a346e]
/lib/libguile.so.17(scm_with_guile+0x2e)[0x410a355e]
/lib/libguile.so.17(scm_boot_guile+0x46)[0x4105ca86]
/home/mikee/progs/gnucash-maint/bin/gnucash(main+0x26c)[0x804cb90]
/lib/libc.so.6(__libc_start_main+0xf5)[0x4176f865]
/home/mikee/progs/gnucash-maint/bin/gnucash[0x804a581]
Comment 5 John Ralls 2016-06-22 19:59:59 UTC
Debian's libc nicely pointed directly to the problem, a double-free. There are two static transfer-data pointers that are allocated on the stack when the dialog is created and freed when it's closed. So the second instance of the dialog leaked the first instance's pointers when it allocated new ones, then freed them when it closed, not even bothering to NULL the ptrs. Naturally closing the first dialog tried to free the already-freed ptrs and (absent double-free detection in the malloc implementation) smashed the stack creating the bogus backtrace we see above.

Now gnc_transfer_dialog_create returns immediately without creating anything if either pointer isn't NULL, preventing the re-entrance and so the crash.

This problem has been fixed in our software repository. The fix will go into the next software release. Once that release is available, you may want to check for a software upgrade provided by your Linux distribution.
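The pattern described in Comment 5, as an added illustration rather than GnuCash's own code: two static pointers are allocated when the dialog is created and released when it closes, the create function refuses to run while either pointer is still set, and the close path clears the pointers after freeing so a second close (the second ESC) is a harmless no-op. All names (XferData, xfer_dialog_create, xfer_dialog_close, xfer_live_allocs) and the allocation counter are assumptions made for this example.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical transfer-data record standing in for the real dialog state. */
typedef struct {
    char *label;
} XferData;

/* Stand-ins for the two static transfer-data pointers from Comment 5. */
static XferData *xfer_from = NULL;
static XferData *xfer_to   = NULL;

/* Outstanding allocations: every create must be matched by exactly one
 * free, so this returns to zero when nothing is leaked or freed twice. */
static int live_allocs = 0;

static XferData *xfer_data_new(const char *name)
{
    XferData *d = calloc(1, sizeof *d);
    if (d == NULL) abort();
    d->label = malloc(strlen(name) + 1);
    if (d->label == NULL) abort();
    memcpy(d->label, name, strlen(name) + 1);
    live_allocs++;
    return d;
}

/* Free through the pointer's address and reset it to NULL, so the static
 * slot never keeps a dangling pointer that a later close would free again. */
static void xfer_data_free(XferData **slot)
{
    if (*slot == NULL) return;          /* already released: nothing to do */
    free((*slot)->label);
    free(*slot);
    *slot = NULL;
    live_allocs--;
}

/* Guarded create: returns 0 without allocating anything if a dialog is
 * already open, so a second instance can never overwrite the first's
 * pointers (the leak) and then free them out from under it (the double free). */
int xfer_dialog_create(void)
{
    if (xfer_from != NULL || xfer_to != NULL) return 0;
    xfer_from = xfer_data_new("from-account");
    xfer_to   = xfer_data_new("to-account");
    return 1;
}

void xfer_dialog_close(void)
{
    xfer_data_free(&xfer_from);
    xfer_data_free(&xfer_to);
}

int xfer_live_allocs(void) { return live_allocs; }
```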
Comment 6 John Ralls 2018-06-29 23:40:42 UTC
GnuCash bug tracking has moved to a new Bugzilla host. This bug has been copied to https://bugs.gnucash.org/show_bug.cgi?id=748983. Please update any external references or bookmarks.