Comment 7 for bug 1189281

Sebastien Bacher (seb128) wrote :

valgrind log:

"==21810== Invalid read of size 4
==21810== at 0x8056A81: bubble_get_id (bubble.c:3100)
==21810== by 0x8064432: stack_notify_handler (stack.c:785)
==21810== by 0x806275C: dbus_glib_marshal_stack_VOID__STRING_UINT_STRING_STRING_STRING_BOXED_BOXED_INT_POINTER (stack-glue.h:102)
==21810== by 0x42410B5: object_registration_message (dbus-gobject.c:1899)
==21810== by 0x4279417: ??? (in /lib/i386-linux-gnu/libdbus-1.so.3.7.3)
==21810== by 0x426A45C: dbus_connection_dispatch (in /lib/i386-linux-gnu/libdbus-1.so.3.7.3)
==21810== by 0x423DF0C: message_queue_dispatch (dbus-gmain.c:90)
==21810== by 0x4C505CD: g_main_context_dispatch (gmain.c:3058)
==21810== by 0x4C50977: g_main_context_iterate.isra.21 (gmain.c:3705)
==21810== by 0x4C50DDA: g_main_loop_run (gmain.c:3899)
==21810== by 0x4D85934: (below main) (libc-start.c:260)
==21810== Address 0x660aae0 is 160 bytes inside a block of size 184 free'd
==21810== at 0x402AC38: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==21810== by 0x4C5640F: g_free (gmem.c:197)
==21810== by 0x4C6CEFA: g_slice_free1 (gslice.c:1124)
==21810== by 0x4BE7ECC: g_type_free_instance (gtype.c:1932)
==21810== by 0x4BC950A: g_object_unref (gobject.c:3202)
==21810== by 0x8063D2D: stack_layout (display.c:308)
==21810== by 0x806455E: stack_notify_handler (stack.c:772)
==21810== by 0x806275C: dbus_glib_marshal_stack_VOID__STRING_UINT_STRING_STRING_STRING_BOXED_BOXED_INT_POINTER (stack-glue.h:102)
==21810== by 0x42410B5: object_registration_message (dbus-gobject.c:1899)
==21810== by 0x4279417: ??? (in /lib/i386-linux-gnu/libdbus-1.so.3.7.3)
==21810== by 0x426A45C: dbus_connection_dispatch (in /lib/i386-linux-gnu/libdbus-1.so.3.7.3)
==21810== by 0x423DF0C: message_queue_dispatch (dbus-gmain.c:90)
==21810== by 0x4C505CD: g_main_context_dispatch (gmain.c:3058)
==21810== by 0x4C50977: g_main_context_iterate.isra.21 (gmain.c:3705)
==21810== by 0x4C50DDA: g_main_loop_run (gmain.c:3899)
==21810== by 0x4D85934: (below main) (libc-start.c:260)"

The issue is:

* the stack_notify_handler code does:

" stack_layout (self);
 }

 if (bubble)
  dbus_g_method_return (context, bubble_get_id (bubble));"

* stack_layout() does:

" if (dnd_dont_disturb_user ()
     && (! bubble_is_urgent (bubble)))
...
  g_object_unref (bubble);"

* so basically in the case where the bubble is not displayed the object is unrefed, but bubble is not set to NULL, which makes the if (bubble) check not work as intended.

Not sure we can set bubble to NULL after the unref though, since stack_allocate_slot() has code that g_object_ref()s bubble objects, so it seems their ref count can be > 1 and it would be wrong to do bubble = NULL before the ref reaches 0...
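The ordering problem described in this comment, and the usual way around the "can't just NULL the pointer because the ref count may be > 1" concern, in a small self-contained C model. This is an added example and not notify-osd code: bubble_t, bubble_ref(), bubble_unref(), layout() and the two handler functions are hypothetical stand-ins for the GObject bubble, g_object_ref()/g_object_unref(), stack_layout() and stack_notify_handler(). The defensive point it demonstrates is general: whoever keeps using a pointer after a call that may drop a reference must hold its own reference across that call, so the object cannot be freed underneath it regardless of how many other references exist.

```c
#include <stdlib.h>

/*
 * Constructed stand-in for a GObject-style reference-counted object
 * (hypothetical; not the notify-osd Bubble type). refcount starts at 1.
 */
typedef struct {
    int refcount;
    unsigned id;
} bubble_t;

/* Number of bubbles freed so far, so a caller can check the lifetime. */
static int bubbles_freed = 0;

bubble_t *bubble_new(unsigned id)
{
    bubble_t *b = calloc(1, sizeof *b);
    if (!b)
        abort();
    b->refcount = 1;
    b->id = id;
    return b;
}

/* Models g_object_ref(): take one more reference, return the same pointer. */
bubble_t *bubble_ref(bubble_t *b)
{
    b->refcount++;
    return b;
}

/* Models g_object_unref(): drop one reference, free on the last one. */
void bubble_unref(bubble_t *b)
{
    if (--b->refcount == 0) {
        bubbles_freed++;
        free(b);
    }
}

/* The read that valgrind flagged when the object had already been freed. */
unsigned bubble_get_id(bubble_t *b)
{
    return b->id;
}

/*
 * Models stack_layout(): when the user must not be disturbed and the bubble
 * is not urgent, the bubble is not shown and the stack's reference is
 * released. The caller's pointer is left dangling if that was the last one.
 */
void layout(bubble_t *bubble, int dont_disturb, int urgent)
{
    if (dont_disturb && !urgent)
        bubble_unref(bubble);
}

/*
 * Vulnerable ordering, as in the comment above: the id is read after layout()
 * may have dropped the last reference. The pointer is still non-NULL, so the
 * if (bubble) check cannot catch it. Deliberately not exercised by any caller
 * here, because the read is undefined behaviour once the object is freed.
 */
unsigned handler_vulnerable(bubble_t *bubble, int dont_disturb, int urgent)
{
    layout(bubble, dont_disturb, urgent);
    if (bubble)
        return bubble_get_id(bubble); /* use-after-free when layout() freed it */
    return 0;
}

/*
 * Hardened ordering: the handler holds its own reference for as long as it
 * uses the pointer. layout() dropping a reference can then never free the
 * object underneath the read; the object is freed only when the last holder,
 * here the handler itself, releases its reference.
 */
unsigned handler_safe(bubble_t *bubble, int dont_disturb, int urgent)
{
    unsigned id;

    bubble_ref(bubble);
    layout(bubble, dont_disturb, urgent);
    id = bubble_get_id(bubble); /* always a live object here */
    bubble_unref(bubble);
    return id;
}

int bubbles_freed_so_far(void)
{
    return bubbles_freed;
}
```

In the hidden case handler_safe() returns the id and the object is freed exactly once, when the handler releases its own reference; in the displayed case the stack's original reference survives the call, just as before, and the handler's extra ref/unref pair is a no-op on the lifetime. Valgrind's "Address ... is N bytes inside a block of size M free'd" report, with the free'd stack showing the unref inside the layout call and the read stack showing the getter, is the signature that points at exactly this kind of ordering bug.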