access-after-free error in gtksheet?

pspp-dev
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
access-after-free error in gtksheet?

From:	Ben Pfaff
Subject:	access-after-free error in gtksheet?
Date:	Sat, 03 May 2008 00:44:12 -0700
User-agent:	Gnus/5.11 (Gnus v5.11) Emacs/22.2 (gnu/linux)
Hi John.  While attempting to debug the text import dialog crash,
I discovered what appears to be an memory-access-after-free error
in gtksheet.

To reproduce it, run:
        export G_SLICE=always-malloc
        valgrind ./src/ui/gui/psppire
and then immediately close the PSPPIRE window once it appears.
For me, this produces the following complaint (followed by
others) from valgrind.  The backtraces are so long that I had to
recompile Valgrind to save more callers than the maximum it
supports by default!

I'll eventually try to investigate this myself, but it's long
past my bedtime now so I'm just passing it along to you for the
moment.

==8074== Invalid read of size 4
==8074==    at 0x80A4092: gtk_sheet_forall (gtksheet.c:7675)
==8074==    by 0x4103336: gtk_container_foreach (gtkcontainer.c:1480)
==8074==    by 0x4103C5F: gtk_container_destroy (gtkcontainer.c:1020)
==8074==    by 0x46749BE: g_cclosure_marshal_VOID__VOID (in 
/usr/lib/libgobject-2.0.so.0.1600.2)
==8074==    by 0x4666018: (within /usr/lib/libgobject-2.0.so.0.1600.2)
==8074==    by 0x46677CE: g_closure_invoke (in 
/usr/lib/libgobject-2.0.so.0.1600.2)
==8074==    by 0x467C162: (within /usr/lib/libgobject-2.0.so.0.1600.2)
==8074==    by 0x467D835: g_signal_emit_valist (in 
/usr/lib/libgobject-2.0.so.0.1600.2)
==8074==    by 0x467DB78: g_signal_emit (in /usr/lib/libgobject-2.0.so.0.1600.2)
==8074==    by 0x41C1730: gtk_object_dispose (gtkobject.c:418)
==8074==    by 0x42C6EE0: gtk_widget_dispose (gtkwidget.c:7851)
==8074==    by 0x4669D0F: g_object_run_dispose (in 
/usr/lib/libgobject-2.0.so.0.1600.2)
==8074==    by 0x41C143D: gtk_object_destroy (gtkobject.c:403)
==8074==    by 0x40BDFFE: gtk_bin_forall (gtkbin.c:133)
==8074==    by 0x41FD540: gtk_scrolled_window_forall (gtkscrolledwindow.c:1021)
==8074==    by 0x4103336: gtk_container_foreach (gtkcontainer.c:1480)
==8074==    by 0x4103C5F: gtk_container_destroy (gtkcontainer.c:1020)
==8074==    by 0x41FFF97: gtk_scrolled_window_destroy (gtkscrolledwindow.c:799)
==8074==    by 0x46749BE: g_cclosure_marshal_VOID__VOID (in 
/usr/lib/libgobject-2.0.so.0.1600.2)
==8074==    by 0x4666018: (within /usr/lib/libgobject-2.0.so.0.1600.2)
==8074==    by 0x46677CE: g_closure_invoke (in 
/usr/lib/libgobject-2.0.so.0.1600.2)
==8074==    by 0x467C162: (within /usr/lib/libgobject-2.0.so.0.1600.2)
==8074==    by 0x467D835: g_signal_emit_valist (in 
/usr/lib/libgobject-2.0.so.0.1600.2)
==8074==    by 0x467DB78: g_signal_emit (in /usr/lib/libgobject-2.0.so.0.1600.2)
==8074==    by 0x41C1730: gtk_object_dispose (gtkobject.c:418)
==8074==    by 0x42C6EE0: gtk_widget_dispose (gtkwidget.c:7851)
==8074==    by 0x4669D0F: g_object_run_dispose (in 
/usr/lib/libgobject-2.0.so.0.1600.2)
==8074==    by 0x41C143D: gtk_object_destroy (gtkobject.c:403)
==8074==    by 0x40C1F8F: gtk_box_forall (gtkbox.c:799)
==8074==    by 0x4103336: gtk_container_foreach (gtkcontainer.c:1480)
==8074==    by 0x4103C5F: gtk_container_destroy (gtkcontainer.c:1020)
==8074==    by 0x46749BE: g_cclosure_marshal_VOID__VOID (in 
/usr/lib/libgobject-2.0.so.0.1600.2)
==8074==    by 0x4666018: (within /usr/lib/libgobject-2.0.so.0.1600.2)
==8074==    by 0x46677CE: g_closure_invoke (in 
/usr/lib/libgobject-2.0.so.0.1600.2)
==8074==    by 0x467C162: (within /usr/lib/libgobject-2.0.so.0.1600.2)
==8074==    by 0x467D835: g_signal_emit_valist (in 
/usr/lib/libgobject-2.0.so.0.1600.2)
==8074==    by 0x467DB78: g_signal_emit (in /usr/lib/libgobject-2.0.so.0.1600.2)
==8074==    by 0x41C1730: gtk_object_dispose (gtkobject.c:418)
==8074==    by 0x42C6EE0: gtk_widget_dispose (gtkwidget.c:7851)
==8074==    by 0x4669D0F: g_object_run_dispose (in 
/usr/lib/libgobject-2.0.so.0.1600.2)
==8074==    by 0x41C143D: gtk_object_destroy (gtkobject.c:403)
==8074==    by 0x41B3FE7: gtk_notebook_forall (gtknotebook.c:3982)
==8074==    by 0x4103336: gtk_container_foreach (gtkcontainer.c:1480)
==8074==    by 0x4103C5F: gtk_container_destroy (gtkcontainer.c:1020)
==8074==    by 0x41BF6D6: gtk_notebook_destroy (gtknotebook.c:1476)
==8074==    by 0x46749BE: g_cclosure_marshal_VOID__VOID (in 
/usr/lib/libgobject-2.0.so.0.1600.2)
==8074==    by 0x4666018: (within /usr/lib/libgobject-2.0.so.0.1600.2)
==8074==    by 0x46677CE: g_closure_invoke (in 
/usr/lib/libgobject-2.0.so.0.1600.2)
==8074==    by 0x467C162: (within /usr/lib/libgobject-2.0.so.0.1600.2)
==8074==    by 0x467D835: g_signal_emit_valist (in 
/usr/lib/libgobject-2.0.so.0.1600.2)
==8074==    by 0x467DB78: g_signal_emit (in /usr/lib/libgobject-2.0.so.0.1600.2)
==8074==    by 0x41C1730: gtk_object_dispose (gtkobject.c:418)
==8074==    by 0x42C6EE0: gtk_widget_dispose (gtkwidget.c:7851)
==8074==    by 0x4669D0F: g_object_run_dispose (in 
/usr/lib/libgobject-2.0.so.0.1600.2)
==8074==    by 0x41C143D: gtk_object_destroy (gtkobject.c:403)
==8074==    by 0x40C1F8F: gtk_box_forall (gtkbox.c:799)
==8074==    by 0x4103336: gtk_container_foreach (gtkcontainer.c:1480)
==8074==    by 0x4103C5F: gtk_container_destroy (gtkcontainer.c:1020)
==8074==    by 0x46749BE: g_cclosure_marshal_VOID__VOID (in 
/usr/lib/libgobject-2.0.so.0.1600.2)
==8074==    by 0x4666018: (within /usr/lib/libgobject-2.0.so.0.1600.2)
==8074==    by 0x46677CE: g_closure_invoke (in 
/usr/lib/libgobject-2.0.so.0.1600.2)
==8074==    by 0x467C162: (within /usr/lib/libgobject-2.0.so.0.1600.2)
==8074==    by 0x467D835: g_signal_emit_valist (in 
/usr/lib/libgobject-2.0.so.0.1600.2)
==8074==    by 0x467DB78: g_signal_emit (in /usr/lib/libgobject-2.0.so.0.1600.2)
==8074==    by 0x41C1730: gtk_object_dispose (gtkobject.c:418)
==8074==    by 0x42C6EE0: gtk_widget_dispose (gtkwidget.c:7851)
==8074==    by 0x4669D0F: g_object_run_dispose (in 
/usr/lib/libgobject-2.0.so.0.1600.2)
==8074==    by 0x41C143D: gtk_object_destroy (gtkobject.c:403)
==8074==    by 0x40BDFFE: gtk_bin_forall (gtkbin.c:133)
==8074==    by 0x4103336: gtk_container_foreach (gtkcontainer.c:1480)
==8074==    by 0x4103C5F: gtk_container_destroy (gtkcontainer.c:1020)
==8074==    by 0x42D6B80: gtk_window_destroy (gtkwindow.c:4189)
==8074==    by 0x46749BE: g_cclosure_marshal_VOID__VOID (in 
/usr/lib/libgobject-2.0.so.0.1600.2)
==8074==    by 0x4666018: (within /usr/lib/libgobject-2.0.so.0.1600.2)
==8074==    by 0x46676F8: g_closure_invoke (in 
/usr/lib/libgobject-2.0.so.0.1600.2)
==8074==    by 0x467C162: (within /usr/lib/libgobject-2.0.so.0.1600.2)
==8074==    by 0x467D835: g_signal_emit_valist (in 
/usr/lib/libgobject-2.0.so.0.1600.2)
==8074==    by 0x467DB78: g_signal_emit (in /usr/lib/libgobject-2.0.so.0.1600.2)
==8074==    by 0x41C1730: gtk_object_dispose (gtkobject.c:418)
==8074==    by 0x42C6EE0: gtk_widget_dispose (gtkwidget.c:7851)
==8074==    by 0x42D3855: gtk_window_dispose (gtkwindow.c:1968)
==8074==    by 0x4669D0F: g_object_run_dispose (in 
/usr/lib/libgobject-2.0.so.0.1600.2)
==8074==    by 0x41C143D: gtk_object_destroy (gtkobject.c:403)
==8074==    by 0x419B176: gtk_main_do_event (gtkmain.c:1492)
==8074==    by 0x452A5A9: gdk_event_dispatch (gdkevents-x11.c:2351)
==8074==    by 0x46D8957: g_main_context_dispatch (in 
/usr/lib/libglib-2.0.so.0.1600.2)
==8074==    by 0x46DBBAD: (within /usr/lib/libglib-2.0.so.0.1600.2)
==8074==    by 0x46DBF36: g_main_loop_run (in /usr/lib/libglib-2.0.so.0.1600.2)
==8074==    by 0x419B413: gtk_main (gtkmain.c:1163)
==8074==    by 0x807BCBA: run_inner_loop (main.c:82)
==8074==    by 0x419B575: gtk_main (gtkmain.c:2233)
==8074==    by 0x807BC67: main (main.c:131)
==8074==  Address 0x60bcfd0 is 56 bytes inside a block of size 112 free'd
==8074==    at 0x402465C: free (vg_replace_malloc.c:323)
==8074==    by 0x46E0590: g_free (in /usr/lib/libglib-2.0.so.0.1600.2)
==8074==    by 0x46868A2: g_type_free_instance (in 
/usr/lib/libgobject-2.0.so.0.1600.2)
==8074==    by 0x80A7394: gtk_sheet_dispose (gtksheet.c:2443)
==8074==    by 0x4669D0F: g_object_run_dispose (in 
/usr/lib/libgobject-2.0.so.0.1600.2)
==8074==    by 0x41C143D: gtk_object_destroy (gtkobject.c:403)
==8074==    by 0x40BDFFE: gtk_bin_forall (gtkbin.c:133)
==8074==    by 0x41FD540: gtk_scrolled_window_forall (gtkscrolledwindow.c:1021)
==8074==    by 0x4103336: gtk_container_foreach (gtkcontainer.c:1480)
==8074==    by 0x4103C5F: gtk_container_destroy (gtkcontainer.c:1020)
==8074==    by 0x41FFF97: gtk_scrolled_window_destroy (gtkscrolledwindow.c:799)
==8074==    by 0x46749BE: g_cclosure_marshal_VOID__VOID (in 
/usr/lib/libgobject-2.0.so.0.1600.2)
==8074==    by 0x4666018: (within /usr/lib/libgobject-2.0.so.0.1600.2)
==8074==    by 0x46677CE: g_closure_invoke (in 
/usr/lib/libgobject-2.0.so.0.1600.2)
==8074==    by 0x467C162: (within /usr/lib/libgobject-2.0.so.0.1600.2)
==8074==    by 0x467D835: g_signal_emit_valist (in 
/usr/lib/libgobject-2.0.so.0.1600.2)
==8074==    by 0x467DB78: g_signal_emit (in /usr/lib/libgobject-2.0.so.0.1600.2)
==8074==    by 0x41C1730: gtk_object_dispose (gtkobject.c:418)
==8074==    by 0x42C6EE0: gtk_widget_dispose (gtkwidget.c:7851)
==8074==    by 0x4669D0F: g_object_run_dispose (in 
/usr/lib/libgobject-2.0.so.0.1600.2)
==8074==    by 0x41C143D: gtk_object_destroy (gtkobject.c:403)
==8074==    by 0x40C1F8F: gtk_box_forall (gtkbox.c:799)
==8074==    by 0x4103336: gtk_container_foreach (gtkcontainer.c:1480)
==8074==    by 0x4103C5F: gtk_container_destroy (gtkcontainer.c:1020)
==8074==    by 0x46749BE: g_cclosure_marshal_VOID__VOID (in 
/usr/lib/libgobject-2.0.so.0.1600.2)
==8074==    by 0x4666018: (within /usr/lib/libgobject-2.0.so.0.1600.2)
==8074==    by 0x46677CE: g_closure_invoke (in 
/usr/lib/libgobject-2.0.so.0.1600.2)
==8074==    by 0x467C162: (within /usr/lib/libgobject-2.0.so.0.1600.2)
==8074==    by 0x467D835: g_signal_emit_valist (in 
/usr/lib/libgobject-2.0.so.0.1600.2)
==8074==    by 0x467DB78: g_signal_emit (in /usr/lib/libgobject-2.0.so.0.1600.2)
==8074==    by 0x41C1730: gtk_object_dispose (gtkobject.c:418)
==8074==    by 0x42C6EE0: gtk_widget_dispose (gtkwidget.c:7851)
==8074==    by 0x4669D0F: g_object_run_dispose (in 
/usr/lib/libgobject-2.0.so.0.1600.2)
==8074==    by 0x41C143D: gtk_object_destroy (gtkobject.c:403)
==8074==    by 0x41B3FE7: gtk_notebook_forall (gtknotebook.c:3982)
==8074==    by 0x4103336: gtk_container_foreach (gtkcontainer.c:1480)
==8074==    by 0x4103C5F: gtk_container_destroy (gtkcontainer.c:1020)
==8074==    by 0x41BF6D6: gtk_notebook_destroy (gtknotebook.c:1476)
==8074==    by 0x46749BE: g_cclosure_marshal_VOID__VOID (in 
/usr/lib/libgobject-2.0.so.0.1600.2)
==8074==    by 0x4666018: (within /usr/lib/libgobject-2.0.so.0.1600.2)
==8074==    by 0x46677CE: g_closure_invoke (in 
/usr/lib/libgobject-2.0.so.0.1600.2)
==8074==    by 0x467C162: (within /usr/lib/libgobject-2.0.so.0.1600.2)
==8074==    by 0x467D835: g_signal_emit_valist (in 
/usr/lib/libgobject-2.0.so.0.1600.2)
==8074==    by 0x467DB78: g_signal_emit (in /usr/lib/libgobject-2.0.so.0.1600.2)
==8074==    by 0x41C1730: gtk_object_dispose (gtkobject.c:418)
==8074==    by 0x42C6EE0: gtk_widget_dispose (gtkwidget.c:7851)
==8074==    by 0x4669D0F: g_object_run_dispose (in 
/usr/lib/libgobject-2.0.so.0.1600.2)
==8074==    by 0x41C143D: gtk_object_destroy (gtkobject.c:403)
==8074==    by 0x40C1F8F: gtk_box_forall (gtkbox.c:799)
==8074==    by 0x4103336: gtk_container_foreach (gtkcontainer.c:1480)
==8074==    by 0x4103C5F: gtk_container_destroy (gtkcontainer.c:1020)
==8074==    by 0x46749BE: g_cclosure_marshal_VOID__VOID (in 
/usr/lib/libgobject-2.0.so.0.1600.2)
==8074==    by 0x4666018: (within /usr/lib/libgobject-2.0.so.0.1600.2)
==8074==    by 0x46677CE: g_closure_invoke (in 
/usr/lib/libgobject-2.0.so.0.1600.2)
==8074==    by 0x467C162: (within /usr/lib/libgobject-2.0.so.0.1600.2)
==8074==    by 0x467D835: g_signal_emit_valist (in 
/usr/lib/libgobject-2.0.so.0.1600.2)
==8074==    by 0x467DB78: g_signal_emit (in /usr/lib/libgobject-2.0.so.0.1600.2)
==8074==    by 0x41C1730: gtk_object_dispose (gtkobject.c:418)
==8074==    by 0x42C6EE0: gtk_widget_dispose (gtkwidget.c:7851)
==8074==    by 0x4669D0F: g_object_run_dispose (in 
/usr/lib/libgobject-2.0.so.0.1600.2)
==8074==    by 0x41C143D: gtk_object_destroy (gtkobject.c:403)
==8074==    by 0x40BDFFE: gtk_bin_forall (gtkbin.c:133)
==8074==    by 0x4103336: gtk_container_foreach (gtkcontainer.c:1480)
==8074==    by 0x4103C5F: gtk_container_destroy (gtkcontainer.c:1020)
==8074==    by 0x42D6B80: gtk_window_destroy (gtkwindow.c:4189)
==8074==    by 0x46749BE: g_cclosure_marshal_VOID__VOID (in 
/usr/lib/libgobject-2.0.so.0.1600.2)
==8074==    by 0x4666018: (within /usr/lib/libgobject-2.0.so.0.1600.2)
==8074==    by 0x46676F8: g_closure_invoke (in 
/usr/lib/libgobject-2.0.so.0.1600.2)
==8074==    by 0x467C162: (within /usr/lib/libgobject-2.0.so.0.1600.2)
==8074==    by 0x467D835: g_signal_emit_valist (in 
/usr/lib/libgobject-2.0.so.0.1600.2)
==8074==    by 0x467DB78: g_signal_emit (in /usr/lib/libgobject-2.0.so.0.1600.2)
==8074==    by 0x41C1730: gtk_object_dispose (gtkobject.c:418)
==8074==    by 0x42C6EE0: gtk_widget_dispose (gtkwidget.c:7851)
==8074==    by 0x42D3855: gtk_window_dispose (gtkwindow.c:1968)
==8074==    by 0x4669D0F: g_object_run_dispose (in 
/usr/lib/libgobject-2.0.so.0.1600.2)
==8074==    by 0x41C143D: gtk_object_destroy (gtkobject.c:403)
==8074==    by 0x419B176: gtk_main_do_event (gtkmain.c:1492)
==8074==    by 0x452A5A9: gdk_event_dispatch (gdkevents-x11.c:2351)
==8074==    by 0x46D8957: g_main_context_dispatch (in 
/usr/lib/libglib-2.0.so.0.1600.2)
==8074==    by 0x46DBBAD: (within /usr/lib/libglib-2.0.so.0.1600.2)
==8074==    by 0x46DBF36: g_main_loop_run (in /usr/lib/libglib-2.0.so.0.1600.2)
==8074==    by 0x419B413: gtk_main (gtkmain.c:1163)
==8074==    by 0x807BCBA: run_inner_loop (main.c:82)
==8074==    by 0x419B575: gtk_main (gtkmain.c:2233)
==8074==    by 0x807BC67: main (main.c:131)


-- 
"In this world that Hugh Heffner had made,
 he alone seemed forever bunnyless."
--John D. MacDonald
[Prev in Thread]
Current Thread
[Next in Thread]
access-after-free error in gtksheet?, Ben Pfaff <=
- Re: access-after-free error in gtksheet?, John Darrington, 2008/05/03
  - Re: access-after-free error in gtksheet?, Ben Pfaff, 2008/05/03
    - Re: access-after-free error in gtksheet?, John Darrington, 2008/05/03
Next by Date: Re: access-after-free error in gtksheet?
Next by thread: Re: access-after-free error in gtksheet?
Index(es):
- Date
- Thread