Bug 773854 - Use after free when deleting a completed task
Status: RESOLVED OBSOLETE
Product: gnome-todo
Classification: Other
Component: General
Version: 3.24.x
OS: Other Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assigned To: GNOME To Do maintainer(s)
Depends on:
Blocks:
Reported: 2016-11-02 17:47 UTC by Christian Stadelmann
Modified: 2020-11-25 16:20 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments:
- gdb log from being attached to gnome-todo running in valgrind (17.37 KB, text/plain), 2016-11-02 17:47 UTC, Christian Stadelmann
- gtd-task-row: avoid destroying widget twice (1.73 KB, patch), 2016-11-05 12:33 UTC, Victor Toso, status: rejected

Description Christian Stadelmann 2016-11-02 17:47:06 UTC
Created attachment 338980 [details]
gdb log from being attached to gnome-todo running in valgrind

Steps to reproduce:
1. Add a new task
2. mark it as completed
3. un-hide (uncollapse) completed tasks
4. select any completed task
5. delete task

What happens:


Valgrind:
==1488== Invalid read of size 8
==1488==    at 0x639C31E: gtk_widget_destroy (gtkwidget.c:4712)
==1488==    by 0x12E628: gtd_task_row__destroy_cb (gtd-task-row.c:352)
==1488==    by 0x9A6D88C: g_timeout_dispatch (gmain.c:4674)
==1488==    by 0x9A6CE41: g_main_dispatch (gmain.c:3203)
==1488==    by 0x9A6CE41: g_main_context_dispatch (gmain.c:3856)
==1488==    by 0x9A6D1BF: g_main_context_iterate.isra.24 (gmain.c:3929)
==1488==    by 0x9A6D26B: g_main_context_iteration (gmain.c:3990)
==1488==    by 0x92A7BBC: g_application_run (gapplication.c:2381)
==1488==    by 0x117CDD: main (main.c:41)
==1488==  Address 0x29aa9e40 is 352 bytes inside a block of size 560 free'd
==1488==    at 0x4C2ED4A: free (vg_replace_malloc.c:530)
==1488==    by 0x9A726BD: g_free (gmem.c:189)
==1488==    by 0x9A8B20F: g_slice_free1 (gslice.c:1136)
==1488==    by 0x9803B01: g_type_free_instance (gtype.c:1937)
==1488==    by 0x12CA96: gtd_task_list_view__remove_row_for_task (gtd-task-list-view.c:966)
==1488==    by 0x12CAFD: remove_task_from_list (gtd-task-list-view.c:264)
==1488==    by 0x12B883: iterate_subtasks.constprop.8 (gtd-task-list-view.c:189)
==1488==    by 0x12CEB7: gtd_task_list_view__remove_task_cb (gtd-task-list-view.c:635)
==1488==    by 0x97E346F: g_cclosure_marshal_VOID__OBJECTv (gmarshal.c:2102)
==1488==    by 0x97E0613: _g_closure_invoke_va (gclosure.c:867)
==1488==    by 0x97FADD8: g_signal_emit_valist (gsignal.c:3300)
==1488==    by 0x97FB43E: g_signal_emit (gsignal.c:3447)
==1488==  Block was alloc'd at
==1488==    at 0x4C2DB9D: malloc (vg_replace_malloc.c:299)
==1488==    by 0x9A725A8: g_malloc (gmem.c:94)
==1488==    by 0x9A8AB02: g_slice_alloc (gslice.c:1025)
==1488==    by 0x9A8B12D: g_slice_alloc0 (gslice.c:1051)
==1488==    by 0x9803839: g_type_create_instance (gtype.c:1839)
==1488==    by 0x97E569A: g_object_new_internal (gobject.c:1783)
==1488==    by 0x97E75AD: g_object_new_valist (gobject.c:2042)
==1488==    by 0x97E7850: g_object_new (gobject.c:1626)
==1488==    by 0x12B638: insert_task (gtd-task-list-view.c:834)
==1488==    by 0x12DE27: gtd_task_list_view_set_show_completed (gtd-task-list-view.c:1939)
==1488==    by 0x12DEE5: gtd_task_list_view__done_button_clicked (gtd-task-list-view.c:773)
==1488==    by 0x97E0613: _g_closure_invoke_va (gclosure.c:867)
==1488== 

gdb:
  • #0 gtk_widget_destroy
    at gtkwidget.c line 4712
  • #1 gtd_task_row__destroy_cb
    at gtd-task-row.c line 352
  • #2 g_timeout_dispatch
    at gmain.c line 4674
  • #3 g_main_dispatch
    at gmain.c line 3203
  • #4 g_main_context_dispatch
    at gmain.c line 3856
  • #5 g_main_context_iterate
    at gmain.c line 3929
  • #6 g_main_context_iteration
    at gmain.c line 3990
  • #7 g_application_run
    at gapplication.c line 2381
  • #8 main
    at main.c line 41


Full gdb log is attached.

Affected versions:
gnome-todo-3.22.0-1.fc25.x86_64
gtk3-3.22.2-1.fc25.x86_64
glib2-2.50.1-1.fc25.x86_64
Comment 1 Victor Toso 2016-11-05 12:33:43 UTC
Created attachment 339168 [details] [review]
gtd-task-row: avoid destroying widget twice

With the early return for destroy_row_timeout_id, we avoid a posterior call
to gtk_widget_destroy()

---

Although this fixes the issue for me, it could possibly be a workaround, as we
should not be using the GtdTaskRow widget after gtk_widget_destroy() is called...

So, I'm still testing whether any other regressions show up with this patch,
but likely Georges can tell for sure ;)
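The valgrind trace in the report shows the shape of the bug: gtd_task_row__destroy_cb runs later from a main-loop timeout holding a raw pointer to the row, but the list view's remove_row_for_task has already finalised that row, so gtk_widget_destroy reads freed memory. The following is an added, self-contained C model of that lifetime problem and of the usual defensive fix; it is not gnome-todo code and not the patch attached here. All names (source_add, dispatch_pending, Row, widget_destroy, replay_*) are invented stand-ins for the GLib/GTK calls named in the trace, and the tracking allocator plays the role valgrind plays in the report. The hardened finaliser assumes the standard GObject dispose idiom of cancelling a still-pending source (g_source_remove via g_clear_handle_id) before the object's memory goes away, which is an assumption about the proper fix rather than a description of the attached patch.

```c
#include <stdio.h>
#include <string.h>

enum { MAX_SOURCES = 8, MAX_BLOCKS = 8 };

/* Stand-in for a GLib timeout source (hypothetical names, not GLib's). */
typedef int (*TimeoutFunc)(void *data);
typedef struct { unsigned id; TimeoutFunc func; void *data; int active; } Source;

static Source sources[MAX_SOURCES];
static unsigned next_source_id = 1;

/* Like g_timeout_add(): register a callback to run on the next dispatch. */
static unsigned source_add(TimeoutFunc func, void *data) {
    for (int i = 0; i < MAX_SOURCES; i++) {
        if (!sources[i].active) {
            sources[i] = (Source){ next_source_id, func, data, 1 };
            return next_source_id++;
        }
    }
    return 0;
}

/* Like g_source_remove(): cancel a pending source; returns 1 if it was pending. */
static int source_remove(unsigned id) {
    for (int i = 0; i < MAX_SOURCES; i++)
        if (sources[i].active && sources[i].id == id) { sources[i].active = 0; return 1; }
    return 0;
}

/* One main-loop iteration: run every pending source once; returns how many ran. */
static int dispatch_pending(void) {
    int ran = 0;
    for (int i = 0; i < MAX_SOURCES; i++) {
        if (!sources[i].active) continue;
        Source s = sources[i];
        sources[i].active = 0;
        s.func(s.data);
        ran++;
    }
    return ran;
}

/* Tracking allocator: a released block is flagged so a later access to it is
 * recognised instead of silently reading freed memory (valgrind's job above). */
typedef struct { unsigned destroy_timeout_id; int destroyed; } Row;
static Row blocks[MAX_BLOCKS];
static int block_live[MAX_BLOCKS];
static int uaf_detected;

static Row *row_new(void) {
    for (int i = 0; i < MAX_BLOCKS; i++) {
        if (!block_live[i]) {
            block_live[i] = 1;
            memset(&blocks[i], 0, sizeof blocks[i]);
            return &blocks[i];
        }
    }
    return NULL;
}
static int row_is_live(const Row *r) { return block_live[r - blocks]; }

/* Stand-in for gtk_widget_destroy(): touching a released block is the
 * "Invalid read" valgrind reports. */
static void widget_destroy(Row *r) {
    if (!row_is_live(r)) { uaf_detected++; return; }
    r->destroyed = 1;
}

/* Stand-in for gtd_task_row__destroy_cb(): fires later with a raw pointer. */
static int destroy_cb(void *data) {
    widget_destroy((Row *)data);
    return 0; /* G_SOURCE_REMOVE */
}

/* Buggy finaliser, as in the trace: the row's memory is released while its
 * destroy timeout is still queued. */
static void row_finalize_buggy(Row *r) { block_live[r - blocks] = 0; }

/* Hardened finaliser: cancel the pending timeout first (the dispose-time
 * g_clear_handle_id(&id, g_source_remove) idiom), then release the memory. */
static void row_finalize_fixed(Row *r) {
    if (r->destroy_timeout_id) {
        source_remove(r->destroy_timeout_id);
        r->destroy_timeout_id = 0;
    }
    block_live[r - blocks] = 0;
}

/* Replays the report's sequence and returns the number of use-after-free
 * accesses observed: the row schedules its own destruction, the list view
 * removes and finalises the row, then the main loop runs the timeout. */
static int replay(void (*finalize)(Row *)) {
    uaf_detected = 0;
    Row *row = row_new();
    row->destroy_timeout_id = source_add(destroy_cb, row); /* "mark completed" */
    finalize(row);                                        /* "delete task" */
    dispatch_pending();                                   /* main loop runs */
    return uaf_detected;
}

int replay_buggy(void) { return replay(row_finalize_buggy); }
int replay_fixed(void) { return replay(row_finalize_fixed); }

int main(void) {
    printf("buggy: %d use-after-free, fixed: %d use-after-free\n",
           replay_buggy(), replay_fixed());
    return 0;
}
```

The point the model makes is the one Victor raises in the comment above: guarding the callback with an early return still leaves a queued source that owns a dangling pointer, whereas cancelling the source when the object is disposed removes the pointer before it can dangle. Under valgrind or AddressSanitizer the buggy path shows up as an invalid read inside the freed block, exactly as in the attached log.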
Comment 2 Victor Toso 2016-11-05 12:40:33 UTC
Review of attachment 339168 [details] [review]:

Yes, we can still crash with this patch. Not with the steps on comment #0 but playing with possibilities there such as editing, priority, etc...
Comment 3 Mayank Agarwal 2017-03-05 20:41:20 UTC
I am able to delete a completed task in a list. But when I delete a task list, the app exits.
Comment 4 Randy Real 2017-03-11 17:28:29 UTC
I tried to recreate this bug, but I couldn't.
This blog has a proof:
http://theyodacode.blogspot.com/2017/03/bug-773854.html
Comment 5 BRESNER NURALI REVOLLAR MALDONADO 2017-03-11 17:57:14 UTC
(In reply to Christian Stadelmann from comment #0)
Hi Christian Stadelmann, well, I tested the possible error that you have found in this application ("gnome-todo"). Following the steps that you pointed out, I have reproduced it and apparently there are no mistakes. Could you please see my post and tell me if you have further observations:
https://sites.google.com/view/aprendiendofedora25/bugs
Comment 6 Christian Stadelmann 2017-03-21 00:52:44 UTC
I can still reproduce the bug following the exact same steps as in comment #0, if running from a restricted environment such as flatpak or valgrind.
Without these restrictions, the bug will cause a memory corruption which will make gnome-todo break at random situations later on.
Comment 7 Georges Basile Stavracas Neto 2017-04-24 10:56:25 UTC
(In reply to BRESNER NURALI REVOLLAR MALDONADO from comment #5)
> (In reply to Christian Stadelmann from comment #0)
> Hi Christian Stadelman, well I tested the possible error that you have found
> in this application("gnome-todo"). Following the steps that you pointed out,
> I have reproduce it and apparently there are no mistakes. Could you please
> see my post and tell me if you have further observations:
> https://sites.google.com/view/aprendiendofedora25/bugs

I can't reproduce it as well. Nice page!

(In reply to Christian Stadelmann from comment #6)
> I can still reproduce the bug following the exact same steps as in comment
> #0, if running from a restricted environment such as flatpak or valgrind.
> Without these restrictions, the bug will cause a memory corruption which
> will make gnome-todo break at random situations later on.

Are you testing against master, or a point release (3.22)?
Comment 8 Christian Stadelmann 2017-04-25 08:55:24 UTC
(In reply to Georges Basile Stavracas Neto from comment #7)
> Are you testing against master, or a point release (3.22)?

I can still reproduce it, even on flatpak master branch as of today.

Steps to reproduce:
1. Add a new task
2. mark it as completed
3. un-hide (uncollapse) completed tasks
4. from menu, click "clear completed tasks"

Also, I cannot see the patch from comment #1 applied in git: https://git.gnome.org/browse/gnome-todo/log/?ofs=100
Comment 9 Waqar Ahmed 2017-05-04 07:26:33 UTC
Unable to reproduce. Followed each step carefully.
Comment 10 Christian Stadelmann 2017-05-14 02:01:37 UTC
With gnome-todo 3.24.1, I get a similar crasher: https://bugzilla.redhat.com/show_bug.cgi?id=1450622
Comment 11 André Klapper 2020-11-25 16:20:59 UTC
bugzilla.gnome.org is being replaced by gitlab.gnome.org. We are closing all
older bug reports and feature requests in GNOME Bugzilla which have not seen
updates for a while.

If you still use gnome-todo and if you still see this bug / want this
feature in a recent and currently supported version, then please feel free to
report it at
https://gitlab.gnome.org/GNOME/gnome-todo/-/issues/
by following the guidelines at
https://wiki.gnome.org/Community/GettingInTouch/BugReportingGuidelines

Thank you for creating this report and we are sorry it could not be implemented
so far (volunteer workforce and time is limited).