GNOME Bugzilla – Bug 776388
Use after free on shutdown
Last modified: 2017-04-17 18:20:40 UTC
Created attachment 342381
A backtrace from gdb attached to valgrind running gnome-calendar as described in comment #0

Steps to reproduce:
1. open gnome-calendar
2. close gnome-calendar

What happens:
crashes quite often with segmentation violation. If it doesn't crash, it gives warnings like these:
gtk_container_remove: assertion 'GTK_IS_WIDGET (widget)' failed

What should happen:
No crash

Affected version:
gnome-calendar-3.22.2-1.fc25.x86_64
gtk3-3.22.5-1.fc25.x86_64
glib2-2.50.2-1.fc25.x86_64

Steps to reproduce backtrace:
1. run valgrind:
   $ G_DEBUG=fatal-warnings G_ENABLE=DIAGNOSTICS=true valgrind --vgdb=full --vgdb-error=0 /usr/bin/gnome-calendar
2. start gdb:
   $ gdb
3. attach gdb to valgrind:
   (gdb) target remote | vgdb
4. continue in gdb:
   (gdb) c
5. wait for gnome-calendar to show up
6. close gnome-calendar window

Valgrind output:
==20574== Invalid read of size 8
==20574==    at 0x639F8C0: gtk_widget_get_scale_factor (gtkwidget.c:10878)
==20574==    by 0x61BA648: gtk_css_widget_node_get_style_provider (gtkcsswidgetnode.c:250)
==20574==    by 0x61A02BB: gtk_css_node_get_style_provider_or_null (gtkcssnode.c:121)
==20574==    by 0x61A02BB: gtk_css_node_invalidate_style_provider (gtkcssnode.c:1316)
==20574==    by 0x8AE33E4: g_closure_invoke (gclosure.c:804)
==20574==    by 0x8AF5431: signal_emit_unlocked_R (gsignal.c:3635)
==20574==    by 0x8AFE05E: g_signal_emit_valist (gsignal.c:3391)
==20574==    by 0x8AFE43E: g_signal_emit (gsignal.c:3447)
==20574==    by 0x126CCC: gcal_application_finalize (gcal-application.c:212)
==20574==    by 0x8AE8116: g_object_unref (gobject.c:3185)
==20574==    by 0x11F159: main (main.c:44)
==20574==  Address 0x247b5258 is 824 bytes inside a block of size 864 free'd
==20574==    at 0x4C2ED4A: free (vg_replace_malloc.c:530)
==20574==    by 0x8D756BD: g_free (gmem.c:189)
==20574==    by 0x8D8E20F: g_slice_free1 (gslice.c:1136)
==20574==    by 0x8B06B01: g_type_free_instance (gtype.c:1937)
==20574==    by 0x61300ED: gtk_application_window_dispose (gtkapplicationwindow.c:801)
==20574==    by 0x8AE9AE8: g_object_run_dispose (gobject.c:1084)
==20574==    by 0x624D59D: gtk_main_do_event (gtkmain.c:1806)
==20574==    by 0x63B1870: send_delete_event (gtkwindow.c:1321)
==20574==    by 0x6959D47: gdk_threads_dispatch (gdk.c:743)
==20574==    by 0x8D6C8E6: g_idle_dispatch (gmain.c:5545)
==20574==    by 0x8D6FE41: g_main_dispatch (gmain.c:3203)
==20574==    by 0x8D6FE41: g_main_context_dispatch (gmain.c:3856)
==20574==    by 0x8D701BF: g_main_context_iterate.isra.24 (gmain.c:3929)
==20574==  Block was alloc'd at
==20574==    at 0x4C2DB9D: malloc (vg_replace_malloc.c:299)
==20574==    by 0x8D755A8: g_malloc (gmem.c:94)
==20574==    by 0x8D8DB02: g_slice_alloc (gslice.c:1025)
==20574==    by 0x8D8E12D: g_slice_alloc0 (gslice.c:1051)
==20574==    by 0x8B06839: g_type_create_instance (gtype.c:1839)
==20574==    by 0x8AE869A: g_object_new_internal (gobject.c:1783)
==20574==    by 0x8AEA0AC: g_object_newv (gobject.c:1930)
==20574==    by 0x6144D79: _gtk_builder_construct (gtkbuilder.c:717)
==20574==    by 0x61463D4: builder_construct.isra.5 (gtkbuilderparser.c:139)
==20574==    by 0x6146E10: parse_child (gtkbuilderparser.c:522)
==20574==    by 0x6146E10: start_element (gtkbuilderparser.c:970)
==20574==    by 0x8D73412: emit_start_element (gmarkup.c:1042)
==20574==    by 0x8D744FA: g_markup_parse_context_parse (gmarkup.c:1389)

Truncated backtrace: Trace 237014 (full backtrace attached)

Additional info:
This bug is probably the cause for downstream bugs like these:
https://bugzilla.redhat.com/show_bug.cgi?id=1385383
https://bugzilla.redhat.com/show_bug.cgi?id=1408207
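The ordering the valgrind trace shows (the window is freed from gtk_application_window_dispose on the delete-event, and only afterwards gcal_application_finalize emits a signal whose handler reads the dead widget) as an added C toy model; this is not GTK or gnome-calendar code, and every name in it is an assumption. connect_plain stands in for a g_signal_connect() style registration that holds a raw pointer, and connect_object for the g_signal_connect_object() style where the handler is dropped when its target object is destroyed, so the late emit from finalize finds no dangling slot.

```c
#include <stdlib.h>

#define MAX_HANDLERS 8
typedef struct Window Window;
typedef void (*Handler)(Window *win);
/* One connected handler; fn == NULL means the slot is disconnected. */
typedef struct { Handler fn; Window *target; } Slot;
typedef struct { Slot slots[MAX_HANDLERS]; int n_slots; } Application;
struct Window {
    int scale_factor;
    Slot *bound[MAX_HANDLERS];  /* slots tied to this window's lifetime */
    int n_bound;
};
/* g_signal_connect() style: a raw pointer to the window that nothing clears. */
static Slot *connect_plain(Application *app, Handler fn, Window *win) {
    Slot *s = &app->slots[app->n_slots++];
    s->fn = fn; s->target = win;
    return s;
}
/* g_signal_connect_object() style: the window remembers the slot and
 * disconnects it in its own destroy path, so a later emit cannot reach it. */
static Slot *connect_object(Application *app, Handler fn, Window *win) {
    Slot *s = connect_plain(app, fn, win);
    win->bound[win->n_bound++] = s;
    return s;
}
/* The window's dispose: invalidate every bound slot, then free the memory. */
static void window_destroy(Window *win) {
    for (int i = 0; i < win->n_bound; i++)
        win->bound[i]->fn = NULL, win->bound[i]->target = NULL;
    free(win);
}
/* The application's finalize emitting its signal; returns handlers run. */
static int application_emit(Application *app) {
    int run = 0;
    for (int i = 0; i < app->n_slots; i++)
        if (app->slots[i].fn) { app->slots[i].fn(app->slots[i].target); run++; }
    return run;
}
/* Handlers still connected; after window_destroy() each one is a dangling
 * pointer into freed memory (1 with connect_plain, 0 with connect_object). */
static int application_live_handlers(const Application *app) {
    int n = 0;
    for (int i = 0; i < app->n_slots; i++) n += app->slots[i].fn != NULL;
    return n;
}
/* Stand-in for the handler in the trace: it reads a field of the window. */
static int last_scale_factor;
static void on_style_changed(Window *win) { last_scale_factor = win->scale_factor; }
```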
dup of bug 773871?
(In reply to Mohammed Sadiq from comment #1)
> dup of bug 773871?

You're probably right about that.

*** This bug has been marked as a duplicate of bug 773871 ***