Bug 762427 – gitg crashed at launch or refreshed

After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.

Bug 762427 - gitg crashed at launch or refreshed


Summary:	gitg crashed at launch or refreshed


Status:	RESOLVED FIXED

Product:	gitg
Classification:	Applications
Component:	gitg
Version:	3.18.x
Hardware:	Other Linux

Importance:	Normal critical
Target Milestone:	---
Assigned To:	gitg-maint
QA Contact:	gitg-maint

URL:
Whiteboard:

Depends on:
Blocks:

Reported:	2016-02-22 07:50 UTC by Jeongsu Kim
Modified:	2016-02-23 09:53 UTC

See Also:
GNOME target:	---
GNOME version:	---

Attachments
gitg 3.18 crash callstack (12.33 KB, text/plain) 2016-02-22 07:51 UTC, Jeongsu Kim	Details
gitg 3.18 valgrind use after free (31.58 KB, text/plain) 2016-02-22 07:52 UTC, Jeongsu Kim	Details

Description Jeongsu Kim 2016-02-22 07:50:45 UTC

I upgraded gitg from 3.16 to 3.18.

I faced some crashes from 3.16 but I could ignore it because it was happen once a day.

But now I faced crash every launch or every refresh.

I will attach some logs.

Comment 1 Jeongsu Kim 2016-02-22 07:51:20 UTC

Created attachment 321808 [details]
gitg 3.18 crash callstack

Comment 2 Jeongsu Kim 2016-02-22 07:52:37 UTC

Created attachment 321810 [details]
gitg 3.18 valgrind use after free

It seems that some objects are used after free.

Comment 3 Jeongsu Kim 2016-02-23 03:51:16 UTC

from gitg-history-refs-list.vala

	public RefRow(Gitg.Ref? reference, RefAnimation animation = RefAnimation.NONE)
	{
		this.reference = reference;

		if (reference != null)
		{
			try
			{
				var obj = reference.resolve().lookup();

				if (obj is Ggit.Tag)
				{
					d_updated = ((Ggit.Tag)obj).get_tagger();
				}
				else if (obj is Ggit.Commit)
				{
					d_updated = ((Ggit.Commit)obj).get_committer();
				}
			}
			catch (Error e)
			{
				stderr.printf("%s\n", e.message);
			}
		}

It seems that reference count is not managed in this case.
obj has been created in above try block and deleted. But d_updated pointed its content that is already freed.

I think get_tagger or get_commiter should increase the reference count of obj or it must copy data from obj.

Comment 4 Jeongsu Kim 2016-02-23 04:32:53 UTC

I changed the behavior of ggit_commit_get_committer and now I can use gitg without crash.
Please change other functions too.


# diff -urN libgit2-glib/ggit-commit.c.orig libgit2-glib/ggit-commit.c
--- libgit2-glib/ggit-commit.c.orig	2016-02-23 13:29:46.992498260 +0900
+++ libgit2-glib/ggit-commit.c	2016-02-23 13:29:51.288498259 +0900
@@ -224,16 +224,18 @@
 ggit_commit_get_committer (GgitCommit *commit)
 {
 	git_commit *c;
-	const git_signature *signature;
+	const git_signature *committer;
+	git_signature *signature;
 
 	g_return_val_if_fail (GGIT_IS_COMMIT (commit), NULL);
 
 	c = _ggit_native_get (commit);
-	signature = git_commit_committer (c);
+	committer = git_commit_committer (c);
+	git_signature_dup(&signature, committer);
 
-	return _ggit_signature_wrap ((git_signature *)signature,
+	return _ggit_signature_wrap (signature,
 	                             ggit_commit_get_message_encoding (commit),
-	                             FALSE);
+	                             TRUE);
 }
 
 /**

Comment 5 Ignacio Casal Quinteiro (nacho) 2016-02-23 09:53:09 UTC

Thanks a lot for understanding the problem and give use the initial patch
to fix this problem.