Invalid ESource unref in on_client_connected()
This had been reported downstream as:
https://bugzilla.redhat.com/show_bug.cgi?id=1668914
After an investigation and running under valgrind, I've been able to reproduce the crash by moving a .source file referencing a CalDAV calendar to/from ~/.config/evolution/sources/. It doesn't strike the first time; it has to be done several times (depending on the actual ref_count of the corresponding ESource instance).
Valgrind report is below.
The problem is that on_client_connected() expects the ESource to be referenced, but it's not. Similarly, self->clients expects the ESource being inserted to be referenced, but it's not. This causes the ESource to be freed too early.
While reading the code, the expectation of on_client_connected() that the source_object argument is an EClient descendant (source = e_client_get_source (E_CLIENT (source_object));) is also wrong, especially when this is called before e_cal_client_connect_finish(). You should get the ESource from the value returned by e_cal_client_connect_finish(), and only if it's not NULL; it can be NULL on error. That's yet another issue here: client = E_CAL_CLIENT (e_cal_client_connect_finish (result, &error)); - the typecast suggests that you expect it to always return non-NULL, but it can be NULL on error, as said above.
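The two defects described above (a container holding a pointer it never referenced, and a finish function whose NULL-on-error result is cast and used unchecked) are a general GObject refcount pattern, so here is an added, self-contained C illustration of it. This is not code from gnome-calendar or evolution-data-server: FakeSource, FakeClient, ClientTable, fake_connect_finish() and on_client_connected_fixed() are hypothetical stand-ins for ESource, ECalClient, self->clients, e_cal_client_connect_finish() and the callback, and the "free" is replaced by an alive flag so the dangling entry can be inspected instead of crashing as in the valgrind report.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a GObject-refcounted ESource (not libedataserver). */
typedef struct {
    int ref_count;
    bool alive;      /* cleared instead of free() so a dangling pointer stays inspectable */
    char uid[32];
} FakeSource;

static FakeSource *fake_source_new(const char *uid) {
    FakeSource *s = calloc(1, sizeof *s);
    s->ref_count = 1;
    s->alive = true;
    snprintf(s->uid, sizeof s->uid, "%s", uid);
    return s;
}

static FakeSource *fake_source_ref(FakeSource *s) { s->ref_count++; return s; }

static void fake_source_unref(FakeSource *s) {
    if (--s->ref_count == 0)
        s->alive = false;   /* a real g_object_unref() would free the instance here */
}

/* Stand-in for the e_cal_client_connect_finish() result: NULL on error. */
typedef struct { FakeSource *source; } FakeClient;

static FakeClient *fake_connect_finish(FakeSource *src, bool fail, const char **error) {
    if (fail) { *error = "constructed error: connect failed"; return NULL; }
    FakeClient *c = calloc(1, sizeof *c);
    c->source = fake_source_ref(src);     /* a client owns a reference to its source */
    return c;
}

static void fake_client_free(FakeClient *c) { fake_source_unref(c->source); free(c); }

/* Stand-in for self->clients: a table that must own one reference per entry. */
#define MAX_CLIENTS 8
typedef struct { FakeSource *entries[MAX_CLIENTS]; int n; } ClientTable;

/* Buggy: stores the pointer without taking a reference. */
static void table_insert_borrowed(ClientTable *t, FakeSource *s) { t->entries[t->n++] = s; }
/* Fixed: the table takes its own reference. */
static void table_insert_owned(ClientTable *t, FakeSource *s) { t->entries[t->n++] = fake_source_ref(s); }

static void table_clear(ClientTable *t, bool owned) {
    for (int i = 0; i < t->n; i++)
        if (owned) fake_source_unref(t->entries[i]);
    t->n = 0;
}

/* Returns whether the table entry still points at a live source after the
 * registry drops its reference (the .source file being moved away). */
static bool entry_alive_after_registry_unref(bool take_ref) {
    FakeSource *src = fake_source_new("caldav-constructed");   /* registry's reference */
    ClientTable t = { {0}, 0 };
    if (take_ref) table_insert_owned(&t, src); else table_insert_borrowed(&t, src);
    fake_source_unref(src);                                     /* registry lets go */
    bool alive = t.entries[0]->alive;                           /* dangling if borrowed */
    table_clear(&t, take_ref);
    free(src);                                                  /* reclaim the stand-in storage */
    return alive;
}

/* on_client_connected() written the way the report recommends: check the finish
 * result for NULL before anything else, take the source from the returned client,
 * and let the table own its own reference. */
static bool on_client_connected_fixed(ClientTable *t, FakeSource *src, bool fail) {
    const char *error = NULL;
    FakeClient *client = fake_connect_finish(src, fail, &error);
    if (client == NULL) {
        fprintf(stderr, "connect failed: %s\n", error);
        return false;                  /* nothing stored, source_object never touched */
    }
    table_insert_owned(t, client->source);
    fake_client_free(client);          /* the table's reference keeps the source alive */
    return true;
}

/* Drives a failed and then a successful connect; returns the source's ref_count
 * afterwards (expected 2: the caller's reference plus the table's). */
static int refcount_after_connects(void) {
    FakeSource *src = fake_source_new("caldav-constructed");
    ClientTable t = { {0}, 0 };
    if (on_client_connected_fixed(&t, src, true)) return -1;   /* must report failure */
    if (t.n != 0) return -2;                                   /* must not store on error */
    if (!on_client_connected_fixed(&t, src, false)) return -3;
    int rc = src->ref_count;
    table_clear(&t, true);
    fake_source_unref(src);
    free(src);
    return rc;
}

int main(void) {
    printf("borrowed entry alive after registry unref: %d\n", entry_alive_after_registry_unref(false));
    printf("owned entry alive after registry unref:    %d\n", entry_alive_after_registry_unref(true));
    printf("ref_count after failed + successful connect: %d\n", refcount_after_connects());
    return 0;
}
```

The borrowed path is the shape of the crash in the report: the registry's reference goes away (source_closure_free in the valgrind trace) while self->clients still holds the bare pointer, and the later unref from client_dispose touches freed memory. The owned path keeps the count at one extra per container entry, and the NULL check makes the error branch return before any E_CAL_CLIENT-style cast or e_client_get_source() call.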
This had been reproduced on a gnome-3-32 branch, one commit after the 3.32.2 release (and that commit is a translation change, not a code change).
The valgrind report:
==2484== Invalid read of size 8
==2484== at 0x1016F0C05: g_type_check_instance_is_fundamentally_a (gtype.c:4023)
==2484== by 0x1016D65DE: g_object_unref (gobject.c:3285)
==2484== by 0x1013681B2: client_dispose (e-client.c:315)
==2484== by 0x10126AF0A: cal_client_dispose (e-cal-client.c:891)
==2484== by 0x1016D67AC: g_object_unref (gobject.c:3357)
==2484== by 0x101278723: cal_client_view_dispose (e-cal-client-view.c:609)
==2484== by 0x1016D67AC: g_object_unref (gobject.c:3357)
==2484== by 0x461A8F: view_state_changed_data_free (e-cal-data-model.c:399)
==2484== by 0x10176C7E0: g_source_callback_unref (gmain.c:1566)
==2484== by 0x10176BF88: g_source_destroy_internal (gmain.c:1251)
==2484== by 0x10176E231: g_main_dispatch (gmain.c:3226)
==2484== by 0x10176F02F: g_main_context_dispatch (gmain.c:3867)
==2484== by 0x10176F214: g_main_context_iterate (gmain.c:3940)
==2484== by 0x10176F2D8: g_main_context_iteration (gmain.c:4001)
==2484== by 0x1015A6E02: g_application_run (gapplication.c:2516)
==2484== by 0x460A1C: main (main.c:40)
==2484== Address 0x115c88b30 is 160 bytes inside a block of size 200 free'd
==2484== at 0x100839A0C: free (vg_replace_malloc.c:540)
==2484== by 0x101776E6F: g_free (gmem.c:192)
==2484== by 0x1017921ED: g_slice_free1 (gslice.c:1135)
==2484== by 0x1016ED06D: g_type_free_instance (gtype.c:1936)
==2484== by 0x1016D6993: g_object_unref (gobject.c:3412)
==2484== by 0x1013B19B8: source_closure_free (e-source-registry.c:254)
==2484== by 0x10176C7E0: g_source_callback_unref (gmain.c:1566)
==2484== by 0x10176BF88: g_source_destroy_internal (gmain.c:1251)
==2484== by 0x10176E231: g_main_dispatch (gmain.c:3226)
==2484== by 0x10176F02F: g_main_context_dispatch (gmain.c:3867)
==2484== by 0x10176F214: g_main_context_iterate (gmain.c:3940)
==2484== by 0x10176F2D8: g_main_context_iteration (gmain.c:4001)
==2484== by 0x1015A6E02: g_application_run (gapplication.c:2516)
==2484== by 0x460A1C: main (main.c:40)
==2484== Block was alloc'd at
==2484== at 0x10083880B: malloc (vg_replace_malloc.c:309)
==2484== by 0x101776D14: g_malloc (gmem.c:99)
==2484== by 0x101791FB1: g_slice_alloc (gslice.c:1024)
==2484== by 0x101791FF1: g_slice_alloc0 (gslice.c:1050)
==2484== by 0x1016ECC17: g_type_create_instance (gtype.c:1836)
==2484== by 0x1016D2BE7: g_object_new_internal (gobject.c:1829)
==2484== by 0x1016D3AAB: g_object_new_valist (gobject.c:2155)
==2484== by 0x10152D574: g_initable_new_valist (ginitable.c:244)
==2484== by 0x10152D43B: g_initable_new (ginitable.c:162)
==2484== by 0x10138D05C: e_source_new (e-source.c:2483)
==2484== by 0x1013B2705: source_registry_new_source (e-source-registry.c:710)
==2484== by 0x1013B2B5E: source_registry_object_added_by_owner (e-source-registry.c:823)
==2484== by 0x1013B2D43: source_registry_object_added_cb (e-source-registry.c:889)
==2484== by 0x1016CF12F: g_cclosure_marshal_VOID__OBJECT (gmarshal.c:1852)
==2484== by 0x1016CA0F1: g_closure_invoke (gclosure.c:810)
==2484== by 0x1016E7F39: signal_emit_unlocked_R (gsignal.c:3635)
==2484== by 0x1016E722B: g_signal_emit_valist (gsignal.c:3391)
==2484== by 0x1016E791B: g_signal_emit_by_name (gsignal.c:3487)
==2484== by 0x101606B93: add_interfaces (gdbusobjectmanagerclient.c:1565)
==2484== by 0x101606FB9: on_control_proxy_g_signal (gdbusobjectmanagerclient.c:1676)
==2484== by 0x106305B27: ffi_call_unix64 (in /usr/lib64/libffi.so.6.0.2)
==2484== by 0x106305338: ffi_call (in /usr/lib64/libffi.so.6.0.2)
==2484== by 0x1016CB899: g_cclosure_marshal_generic (gclosure.c:1500)
==2484== by 0x1016CA0F1: g_closure_invoke (gclosure.c:810)
==2484== by 0x1016E7F39: signal_emit_unlocked_R (gsignal.c:3635)
==2484== by 0x1016E722B: g_signal_emit_valist (gsignal.c:3391)
==2484== by 0x1016E77AE: g_signal_emit (gsignal.c:3447)
==2484== by 0x1015F041F: on_signal_received (gdbusproxy.c:917)
==2484== by 0x1015DDF83: emit_signal_instance_in_idle_cb (gdbusconnection.c:3743)
==2484== by 0x101770D31: g_idle_dispatch (gmain.c:5640)