segfault when dragging and dropping events in week grid
#0 0x00007fd575c34675 in gtk_widget_get_request_mode ()
at /lib64/libgtk-3.so.0
#1 0x00007fd575ab6bad in count_request_modes () at /lib64/libgtk-3.so.0
#2 0x000000000045d8fc in gcal_week_grid_forall
(container=0x16406d0 [GcalWeekGrid], include_internals=1, callback=0x7fd575ab6ba0 <count_request_modes>, callback_data=0x7fffa56e4990)
at ../src/views/gcal-week-grid.c:233
#3 0x00007fd575abaabf in gtk_container_get_request_mode ()
This appears to be a use-after-free bug related to the grid's GcalRangeTree (https://gitlab.gnome.org/GNOME/gnome-calendar/-/blob/master/src/views/gcal-week-grid.c#L226).
Dragging and dropping the event calls gcal_week_grid_drag_drop at https://gitlab.gnome.org/GNOME/gnome-calendar/-/blob/master/src/views/gcal-week-grid.c#L897. This function modifies the event data accordingly (cf. https://gitlab.gnome.org/GNOME/gnome-calendar/-/blob/master/src/views/gcal-week-grid.c#L897).
Later (I'm not sure how), an UPDATE_EVENT reaches timeline_source_dispatch (https://gitlab.gnome.org/GNOME/gnome-calendar/-/blob/master/src/core/gcal-timeline.c#L645), which calls gcal_week_grid_remove_event (https://gitlab.gnome.org/GNOME/gnome-calendar/-/blob/master/src/views/gcal-week-grid.c#L1101). The call stack for this situation is:
#0 gcal_week_grid_remove_event
(self=0x7e86d0 [GcalWeekGrid], uid=0x7fffa4071010 "80c7b2acbf0a9b97fb096e57c11aa8e8f7654bdb:13af56e38d88ff988a2fc3a6d3d1e05ba48978d5")
at ../src/views/gcal-week-grid.c:1108
#1 0x000000000042fdee in gcal_week_view_update_event
(subscriber=0x53f540, event=0x7fffb4086e70 [GcalEvent])
at ../src/views/gcal-week-view.c:358
#2 0x0000000000446901 in update_subscriber_event
(subscriber=0x53f540, event=0x7fffb4086e70 [GcalEvent])
at ../src/core/gcal-timeline.c:238
#3 0x0000000000447807 in timeline_source_dispatch
(source=0x6457f0, callback=0x0, user_data=0x0)
at ../src/core/gcal-timeline.c:722
#4 0x00007ffff7ea37cf in g_main_dispatch (context=0x4df1f0)
at ../glib/gmain.c:3309
...
This results in the following problematic function call: https://gitlab.gnome.org/GNOME/gnome-calendar/-/blob/master/src/views/gcal-week-grid.c#L1122.
At this point, the event's range has already been modified so nothing is deleted. After the next line (destroy_event_widget), an invalid widget pointer is now present in the data returned by gcal_range_tree_get_all_data in the first line mentioned above.
douglas.fuller/gnome-calendar@f1cfab9f anecdotally seems to fix the segfault, but it causes another bug -- the tooltips remain in positions where the event hasn't been scheduled before.
@feaneron, any pointers right quick? I haven't worked to untangle the series of events here to figure out the best way to proceed. I'll look into this further a little later.
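A minimal C model of the sequence described in this report, added here as an illustration and not code from gnome-calendar: a store of widget pointers keyed by the event's range (standing in for the range tree), with hypothetical names `range_store`, `store_remove` and `simulate`. It shows that a remove keyed on the already-modified range matches nothing, so the destroyed widget stays referenced, while removing before the range changes leaves nothing dangling.

```c
/* Constructed model, not gnome-calendar code: widget pointers stored keyed by
 * the event's time range, standing in for the week grid's range tree. */
#define MAX_ENTRIES 8
struct widget { int alive; };
struct entry { long start, end; struct widget *widget; };
struct range_store { struct entry items[MAX_ENTRIES]; int count; };

static void store_add(struct range_store *s, long start, long end, struct widget *w)
{
  if (s->count < MAX_ENTRIES)
    s->items[s->count++] = (struct entry){ start, end, w };
}

/* Lookup by range, as the remove path does; returns the number of entries removed. */
static int store_remove(struct range_store *s, long start, long end, struct widget *w)
{
  for (int i = 0; i < s->count; i++) {
    if (s->items[i].start == start && s->items[i].end == end && s->items[i].widget == w) {
      s->items[i] = s->items[--s->count];
      return 1;
    }
  }
  return 0;
}

/* Entries still pointing at a destroyed widget: what a later forall() would hand to GTK. */
static int store_count_dead(const struct range_store *s)
{
  int dead = 0;
  for (int i = 0; i < s->count; i++)
    if (!s->items[i].widget->alive) dead++;
  return dead;
}

/* Plays through the reported sequence. With remove_before_mutation == 0 the drop
 * changes the range before the remove runs, so the lookup by the new range matches
 * nothing and the widget is destroyed while still stored. Returns dangling entries. */
int simulate(int remove_before_mutation)
{
  struct range_store store = { 0 };
  struct widget w = { 1 };
  long start = 9, end = 10;                 /* original event range */
  store_add(&store, start, end, &w);
  if (remove_before_mutation)
    store_remove(&store, start, end, &w);   /* key still matches: removed */
  start += 2; end += 2;                     /* the drop moved the event */
  if (!remove_before_mutation)
    store_remove(&store, start, end, &w);   /* new key: nothing removed */
  w.alive = 0;                              /* destroy_event_widget */
  return store_count_dead(&store);
}
```

`simulate(0)` returns 1 (one dangling entry, the reported state) and `simulate(1)` returns 0; a cheap defensive check in the real code is to assert that the remove actually found an entry before the widget is destroyed.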