Memory from slice allocator passed to PyObject_Free

Bug #1246516 reported by Robert Bruce Park
This bug affects 1 person
Affects: pygobject (Ubuntu) | Status: Expired | Importance: High | Assigned to: Unassigned | Milestone: none listed

Bug Description

This issue is causing segfaults in Trusty. Here is the valgrind output:

==8100== Invalid read of size 4
==8100== at 0x5A479E: PyObject_Free (obmalloc.c:987)
==8100== by 0x443D7A: xmlparse_ParseFile.45364 (pyexpat.c:865)
==8100== by 0x4B410B: PyEval_EvalFrameEx (ceval.c:4057)
==8100== by 0x5A1969: function_call.70433 (ceval.c:3439)
==8100== by 0x4DCF0B: method_call.65011 (abstract.c:2064)
==8100== by 0x56BA13: slot_tp_init.6802 (abstract.c:2064)
==8100== by 0x4C9856: type_call.6601 (typeobject.c:754)
==8100== by 0x4B42E5: PyEval_EvalFrameEx (abstract.c:2064)
==8100== by 0x4B3CA4: PyEval_EvalFrameEx (ceval.c:4157)
==8100== by 0x5A1969: function_call.70433 (ceval.c:3439)
==8100== by 0x4DCF0B: method_call.65011 (abstract.c:2064)
==8100== by 0x56BA13: slot_tp_init.6802 (abstract.c:2064)
==8100== by 0x4C9856: type_call.6601 (typeobject.c:754)
==8100== by 0x581889: PyObject_Call (abstract.c:2064)
==8100== by 0x4B19F3: PyEval_EvalFrameEx (ceval.c:4384)
==8100== by 0x5A1046: PyEval_EvalCodeEx (ceval.c:3439)
==8100== by 0x4B4401: PyEval_EvalFrameEx (ceval.c:4167)
==8100== by 0x5A1969: function_call.70433 (ceval.c:3439)
==8100== by 0x581889: PyObject_Call (abstract.c:2064)
==8100== by 0x4B19F3: PyEval_EvalFrameEx (ceval.c:4384)
==8100== by 0x5A1969: function_call.70433 (ceval.c:3439)
==8100== by 0x4DCF0B: method_call.65011 (abstract.c:2064)
==8100== by 0x56B5D6: slot_tp_call.6815 (abstract.c:2064)
==8100== by 0x4B42E5: PyEval_EvalFrameEx (abstract.c:2064)
==8100== by 0x4B3CA4: PyEval_EvalFrameEx (ceval.c:4157)
==8100== Address 0x19df7020 is 64 bytes inside a block of size 72 free'd
==8100== at 0x4C2B60C: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==8100== by 0x7037AB2: _pygi_argument_to_object (in /usr/lib/python3/dist-packages/gi/_gi.cpython-33m-x86_64-linux-gnu.so)
==8100== by 0x7037D7F: _pygi_argument_to_object (in /usr/lib/python3/dist-packages/gi/_gi.cpython-33m-x86_64-linux-gnu.so)
==8100== by 0x703A43D: _pygi_closure_handle (in /usr/lib/python3/dist-packages/gi/_gi.cpython-33m-x86_64-linux-gnu.so)
==8100== by 0x816C8CA: ffi_closure_unix64_inner (in /usr/lib/x86_64-linux-gnu/libffi.so.6.0.1)
==8100== by 0x816CC43: ffi_closure_unix64 (in /usr/lib/x86_64-linux-gnu/libffi.so.6.0.1)
==8100== by 0x816CADB: ffi_call_unix64 (in /usr/lib/x86_64-linux-gnu/libffi.so.6.0.1)
==8100== by 0x816C40B: ffi_call (in /usr/lib/x86_64-linux-gnu/libffi.so.6.0.1)
==8100== by 0x74BAE24: g_cclosure_marshal_generic_va (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.3800.1)
==8100== by 0x74BA3B6: ??? (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.3800.1)
==8100== by 0x74D2E81: g_signal_emit_valist (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.3800.1)
==8100== by 0x74D4011: g_signal_emit_by_name (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.3800.1)
==8100== by 0x7E9EE46: ??? (in /usr/lib/x86_64-linux-gnu/libgio-2.0.so.0.3800.1)
==8100== by 0x7EC0B10: ??? (in /usr/lib/x86_64-linux-gnu/libgio-2.0.so.0.3800.1)
==8100== by 0x77433B5: g_main_context_dispatch (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.3800.1)
==8100== by 0x7743707: ??? (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.3800.1)
==8100== by 0x77437AB: g_main_context_iteration (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.3800.1)
==8100== by 0x7E9DA8B: g_application_run (in /usr/lib/x86_64-linux-gnu/libgio-2.0.so.0.3800.1)
==8100== by 0x816CADB: ffi_call_unix64 (in /usr/lib/x86_64-linux-gnu/libffi.so.6.0.1)
==8100== by 0x816C40B: ffi_call (in /usr/lib/x86_64-linux-gnu/libffi.so.6.0.1)
==8100== by 0x7280CC8: g_callable_info_invoke (in /usr/lib/libgirepository-1.0.so.1.0.0)
==8100== by 0x7282006: g_function_info_invoke (in /usr/lib/libgirepository-1.0.so.1.0.0)
==8100== by 0x703D546: pygi_callable_info_invoke (in /usr/lib/python3/dist-packages/gi/_gi.cpython-33m-x86_64-linux-gnu.so)
==8100== by 0x703352D: _callable_info_call (in /usr/lib/python3/dist-packages/gi/_gi.cpython-33m-x86_64-linux-gnu.so)
==8100== by 0x4B42E5: PyEval_EvalFrameEx (abstract.c:2064)
==8100==
==8100== Conditional jump or move depends on uninitialised value(s)
==8100== at 0x5A47A7: PyObject_Free (obmalloc.c:987)
==8100== by 0x443D7A: xmlparse_ParseFile.45364 (pyexpat.c:865)
==8100== by 0x4B410B: PyEval_EvalFrameEx (ceval.c:4057)
==8100== by 0x5A1969: function_call.70433 (ceval.c:3439)
==8100== by 0x4DCF0B: method_call.65011 (abstract.c:2064)
==8100== by 0x56BA13: slot_tp_init.6802 (abstract.c:2064)
==8100== by 0x4C9856: type_call.6601 (typeobject.c:754)
==8100== by 0x4B42E5: PyEval_EvalFrameEx (abstract.c:2064)
==8100== by 0x4B3CA4: PyEval_EvalFrameEx (ceval.c:4157)
==8100== by 0x5A1969: function_call.70433 (ceval.c:3439)
==8100== by 0x4DCF0B: method_call.65011 (abstract.c:2064)
==8100== by 0x56BA13: slot_tp_init.6802 (abstract.c:2064)
==8100== by 0x4C9856: type_call.6601 (typeobject.c:754)
==8100== by 0x581889: PyObject_Call (abstract.c:2064)
==8100== by 0x4B19F3: PyEval_EvalFrameEx (ceval.c:4384)
==8100== by 0x5A1046: PyEval_EvalCodeEx (ceval.c:3439)
==8100== by 0x4B4401: PyEval_EvalFrameEx (ceval.c:4167)
==8100== by 0x5A1969: function_call.70433 (ceval.c:3439)
==8100== by 0x581889: PyObject_Call (abstract.c:2064)
==8100== by 0x4B19F3: PyEval_EvalFrameEx (ceval.c:4384)
==8100== by 0x5A1969: function_call.70433 (ceval.c:3439)
==8100== by 0x4DCF0B: method_call.65011 (abstract.c:2064)
==8100== by 0x56B5D6: slot_tp_call.6815 (abstract.c:2064)
==8100== by 0x4B42E5: PyEval_EvalFrameEx (abstract.c:2064)
==8100== by 0x4B3CA4: PyEval_EvalFrameEx (ceval.c:4157)
==8100==
==8100== Use of uninitialised value of size 8
==8100== at 0x5A47C0: PyObject_Free (obmalloc.c:987)
==8100== by 0x443D7A: xmlparse_ParseFile.45364 (pyexpat.c:865)
==8100== by 0x4B410B: PyEval_EvalFrameEx (ceval.c:4057)
==8100== by 0x5A1969: function_call.70433 (ceval.c:3439)
==8100== by 0x4DCF0B: method_call.65011 (abstract.c:2064)
==8100== by 0x56BA13: slot_tp_init.6802 (abstract.c:2064)
==8100== by 0x4C9856: type_call.6601 (typeobject.c:754)
==8100== by 0x4B42E5: PyEval_EvalFrameEx (abstract.c:2064)
==8100== by 0x4B3CA4: PyEval_EvalFrameEx (ceval.c:4157)
==8100== by 0x5A1969: function_call.70433 (ceval.c:3439)
==8100== by 0x4DCF0B: method_call.65011 (abstract.c:2064)
==8100== by 0x56BA13: slot_tp_init.6802 (abstract.c:2064)
==8100== by 0x4C9856: type_call.6601 (typeobject.c:754)
==8100== by 0x581889: PyObject_Call (abstract.c:2064)
==8100== by 0x4B19F3: PyEval_EvalFrameEx (ceval.c:4384)
==8100== by 0x5A1046: PyEval_EvalCodeEx (ceval.c:3439)
==8100== by 0x4B4401: PyEval_EvalFrameEx (ceval.c:4167)
==8100== by 0x5A1969: function_call.70433 (ceval.c:3439)
==8100== by 0x581889: PyObject_Call (abstract.c:2064)
==8100== by 0x4B19F3: PyEval_EvalFrameEx (ceval.c:4384)
==8100== by 0x5A1969: function_call.70433 (ceval.c:3439)
==8100== by 0x4DCF0B: method_call.65011 (abstract.c:2064)
==8100== by 0x56B5D6: slot_tp_call.6815 (abstract.c:2064)
==8100== by 0x4B42E5: PyEval_EvalFrameEx (abstract.c:2064)
==8100== by 0x4B3CA4: PyEval_EvalFrameEx (ceval.c:4157)
==8100==
==8100== Conditional jump or move depends on uninitialised value(s)
==8100== at 0x9FF334F: gdk_pixbuf_get_from_surface (in /usr/lib/x86_64-linux-gnu/libgdk-3.so.0.800.4)
==8100== by 0x9B4A390: ??? (in /usr/lib/x86_64-linux-gnu/libgtk-3.so.0.800.4)
==8100== by 0x9A4E2B7: gtk_icon_set_render_icon_pixbuf (in /usr/lib/x86_64-linux-gnu/libgtk-3.so.0.800.4)
==8100== by 0x9A4EEA7: ??? (in /usr/lib/x86_64-linux-gnu/libgtk-3.so.0.800.4)
==8100== by 0x9A4F276: ??? (in /usr/lib/x86_64-linux-gnu/libgtk-3.so.0.800.4)
==8100== by 0x9A4F47C: ??? (in /usr/lib/x86_64-linux-gnu/libgtk-3.so.0.800.4)
==8100== by 0x9A60A21: ??? (in /usr/lib/x86_64-linux-gnu/libgtk-3.so.0.800.4)
==8100== by 0x9A60A87: ??? (in /usr/lib/x86_64-linux-gnu/libgtk-3.so.0.800.4)
==8100== by 0x9AF3FF0: ??? (in /usr/lib/x86_64-linux-gnu/libgtk-3.so.0.800.4)
==8100== by 0x9AF4172: ??? (in /usr/lib/x86_64-linux-gnu/libgtk-3.so.0.800.4)
==8100== by 0x99A7916: ??? (in /usr/lib/x86_64-linux-gnu/libgtk-3.so.0.800.4)
==8100== by 0x9AF3FF0: ??? (in /usr/lib/x86_64-linux-gnu/libgtk-3.so.0.800.4)
==8100== by 0x9AF4172: ??? (in /usr/lib/x86_64-linux-gnu/libgtk-3.so.0.800.4)
==8100== by 0x99B33E6: ??? (in /usr/lib/x86_64-linux-gnu/libgtk-3.so.0.800.4)
==8100== by 0x9AF3FF0: ??? (in /usr/lib/x86_64-linux-gnu/libgtk-3.so.0.800.4)
==8100== by 0x9AF4172: ??? (in /usr/lib/x86_64-linux-gnu/libgtk-3.so.0.800.4)
==8100== by 0x9AF3FF0: ??? (in /usr/lib/x86_64-linux-gnu/libgtk-3.so.0.800.4)
==8100== by 0x9AF4172: ??? (in /usr/lib/x86_64-linux-gnu/libgtk-3.so.0.800.4)
==8100== by 0x9AF4491: gtk_widget_get_preferred_size (in /usr/lib/x86_64-linux-gnu/libgtk-3.so.0.800.4)
==8100== by 0x9B4DAA6: ??? (in /usr/lib/x86_64-linux-gnu/libgtk-3.so.0.800.4)
==8100== by 0x9B4E208: ??? (in /usr/lib/x86_64-linux-gnu/libgtk-3.so.0.800.4)
==8100== by 0x9B4E453: ??? (in /usr/lib/x86_64-linux-gnu/libgtk-3.so.0.800.4)
==8100== by 0x9AF3F67: ??? (in /usr/lib/x86_64-linux-gnu/libgtk-3.so.0.800.4)
==8100== by 0x9AF4172: ??? (in /usr/lib/x86_64-linux-gnu/libgtk-3.so.0.800.4)
==8100== by 0x9A48148: ??? (in /usr/lib/x86_64-linux-gnu/libgtk-3.so.0.800.4)
==8100==

Let me know if you need any more information.
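
The trace above is what a triager reads by hand to separate the primary fault (the invalid read inside a freed block) from its fallout (the uninitialised-value reports at the same site). As an added example, not code from this bug report or from pygobject, here is a small Python parser for memcheck error blocks. It extracts the faulting frame, the real caller behind valgrind's `free` replacement on the "Address ... free'd" stack, and flags when a block was released through one allocator family but then touched by another, which is the pattern this bug's title describes. The FAMILY table is an assumed, deliberately short mapping, and SAMPLE is a constructed trace trimmed from the report above to a few frames per block.

```python
import re
from collections import namedtuple
from dataclasses import dataclass, field

PREFIX_RE = re.compile(r"^==\d+==\s?(.*)$")
FRAME_RE = re.compile(r"^(?:at|by) 0x([0-9A-Fa-f]+): (\S+) \((.*)\)$")
BLOCK_RE = re.compile(r"a block of size (\d+) (free'd|alloc'd)$")

# Assumed, deliberately small map of allocator entry points to their family;
# a block released through one family must not be handed to another family's free.
FAMILY = {
    "free": "libc", "malloc": "libc", "realloc": "libc",
    "g_slice_free1": "gslice", "g_slice_alloc": "gslice",
    "PyObject_Free": "pymalloc", "PyObject_Malloc": "pymalloc", "PyMem_Free": "pymalloc",
}

Frame = namedtuple("Frame", "addr func where")  # where: "file.c:line" or "in /path/lib.so"

@dataclass
class ErrorBlock:
    kind: str                                      # e.g. "Invalid read of size 4"
    stack: list = field(default_factory=list)      # frames of the faulting access
    aux_state: str = ""                            # "free'd" / "alloc'd" from the Address line
    aux_stack: list = field(default_factory=list)  # frames of the free/alloc site

def parse_memcheck(text):
    """Split memcheck output into ErrorBlocks; lines without a ==PID== prefix are ignored."""
    blocks, current, target = [], None, None
    for raw in text.splitlines():
        m = PREFIX_RE.match(raw.strip())
        if not m:
            continue
        body = m.group(1).strip()
        if body == "":                      # a bare ==PID== line closes the block
            current = None
            continue
        fm = FRAME_RE.match(body)
        if fm and current is not None:
            target.append(Frame(int(fm.group(1), 16), fm.group(2), fm.group(3)))
            continue
        if body.startswith("Address ") and current is not None:
            bm = BLOCK_RE.search(body)
            current.aux_state = bm.group(2) if bm else "unknown"
            target = current.aux_stack      # following frames describe the free/alloc site
            continue
        current = ErrorBlock(kind=body)     # any other line opens a new error block
        target = current.stack
        blocks.append(current)
    return blocks

def first_non_valgrind_frame(frames):
    # Skip valgrind's own malloc/free replacement so the real caller is reported.
    return next((f for f in frames if "vgpreload" not in f.where), frames[0] if frames else None)

def triage(block):
    # Classify one error block into a dict with the key sites and a verdict.
    access = block.stack[0] if block.stack else None
    f = {"kind": block.kind, "access": access.func if access else None, "verdict": "unclassified"}
    if block.kind.startswith(("Invalid read", "Invalid write")) and access:
        if block.aux_state == "free'd" and block.aux_stack:
            freer = block.aux_stack[0]
            f["freed_by"] = freer.func
            f["freed_from"] = first_non_valgrind_frame(block.aux_stack).func
            fam_access, fam_free = FAMILY.get(access.func), FAMILY.get(freer.func)
            if fam_access and fam_free and fam_access != fam_free:
                f["verdict"] = (f"possible allocator mismatch: block freed via {fam_free} "
                                f"{freer.func}(), then read by {fam_access} {access.func}()")
            else:
                f["verdict"] = "use-after-free"
        elif block.aux_state == "alloc'd":
            f["verdict"] = "out-of-bounds access of a live heap block"
    elif block.kind.startswith(("Conditional jump", "Use of uninitialised")):
        f["verdict"] = "uninitialised value"
    return f

def summarize(text):
    # Triage every block and tie uninitialised-value reports to an earlier UAF at the same site.
    findings, uaf_sites = [], set()
    for block in parse_memcheck(text):
        f = triage(block)
        if f["verdict"].startswith(("possible allocator mismatch", "use-after-free")):
            uaf_sites.add(f["access"])
        elif f["verdict"] == "uninitialised value" and f["access"] in uaf_sites:
            f["verdict"] += f" (same site as earlier use-after-free in {f['access']}; likely a consequence)"
        findings.append(f)
    return findings

# Constructed sample: the first three error blocks of the report above, trimmed to a few frames each.
SAMPLE = """\
==8100== Invalid read of size 4
==8100==    at 0x5A479E: PyObject_Free (obmalloc.c:987)
==8100==    by 0x443D7A: xmlparse_ParseFile.45364 (pyexpat.c:865)
==8100==  Address 0x19df7020 is 64 bytes inside a block of size 72 free'd
==8100==    at 0x4C2B60C: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==8100==    by 0x7037AB2: _pygi_argument_to_object (in /usr/lib/python3/dist-packages/gi/_gi.cpython-33m-x86_64-linux-gnu.so)
==8100==
==8100== Conditional jump or move depends on uninitialised value(s)
==8100==    at 0x5A47A7: PyObject_Free (obmalloc.c:987)
==8100==
==8100== Conditional jump or move depends on uninitialised value(s)
==8100==    at 0x9FF334F: gdk_pixbuf_get_from_surface (in /usr/lib/x86_64-linux-gnu/libgdk-3.so.0.800.4)
==8100==
"""
```

Calling `summarize(SAMPLE)` yields three findings: the first reports the block freed by libc `free()` from `_pygi_argument_to_object` and read by `PyObject_Free`, the second ties the uninitialised-value report at `PyObject_Free` to that earlier fault, and the third (in `gdk_pixbuf_get_from_surface`) stays a separate uninitialised-value report. The mismatch verdict is a hint, not proof: `PyObject_Free` starts by checking whether the pointer lies in a pymalloc arena, which reads the pool header of the page containing it, so the invalid read can land inside a nearby freed block rather than at the freed pointer itself; the free site still has to be confirmed in the source before calling it an allocator mismatch.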

Robert Bruce Park (robru) wrote :

This cropped up when I changed the following code:

 Gtk.Application.__init__(self, application_id='foo', flags=Gio.ApplicationFlags.HANDLES_COMMAND_LINE)

To this:

 Gtk.Application.__init__(self, application_id='foo', flags=Gio.ApplicationFlags.HANDLES_OPEN)

Not sure if that helps you track it down.

Allison Karlitskaya (desrt) wrote :

This is not the same as the error we were seeing before: that error was an invalid read on memory that was just before a piece of memory that was allocated through the slice allocator. There is no gslice in this trace...

Martin Pitt (pitti) wrote :

Can you please give me some runnable code which reproduces this bug? I wrote a simple Gtk.Application test with HANDLES_OPEN which works fine.

Changed in pygobject (Ubuntu):
status: New → Incomplete
Martin Pitt (pitti) wrote :

Ping?

Changed in pygobject (Ubuntu):
assignee: Martin Pitt (pitti) → nobody
Launchpad Janitor (janitor) wrote :

[Expired for pygobject (Ubuntu) because there has been no activity for 60 days.]

Changed in pygobject (Ubuntu):
status: Incomplete → Expired