Use after free in e-cal-data-model.c
When running gnome-calendar 3.24 under valgrind, I sometimes get this use-after-free bug reported:
==3492== Thread 11 pool:
==3492== Invalid read of size 8
==3492== at 0x123EAF: cal_data_model_expand_recurrences_thread (e-cal-data-model.c:1147)
==3492== by 0x122389: cal_data_model_internal_thread_job_func (e-cal-data-model.c:471)
==3492== by 0x93EDF4F: g_thread_pool_thread_proxy (gthreadpool.c:307)
==3492== by 0x93ED585: g_thread_proxy (gthread.c:784)
==3492== by 0x888D36C: start_thread (pthread_create.c:456)
==3492== by 0x9C27E9E: clone (clone.S:97)
==3492== Address 0x217dca98 is 168 bytes inside a block of size 184 free'd
==3492== at 0x4C2FCC8: free (vg_replace_malloc.c:530)
==3492== by 0x93CBB7D: g_free (gmem.c:189)
==3492== by 0x93E3B3F: g_slice_free1 (gslice.c:1136)
==3492== by 0x915D742: g_type_free_instance (gtype.c:1937)
==3492== by 0x145A38: gcal_manager_finalize (gcal-manager.c:893)
==3492== by 0x913DF08: g_object_unref (gobject.c:3185)
==3492== by 0x13A71F: gcal_application_finalize (gcal-application.c:169)
==3492== by 0x913DF08: g_object_unref (gobject.c:3185)
==3492== by 0x11FDFE: main (main.c:45)
==3492== Block was alloc'd at
==3492== at 0x4C2EB1B: malloc (vg_replace_malloc.c:299)
==3492== by 0x93CBA68: g_malloc (gmem.c:94)
==3492== by 0x93E35C5: g_slice_alloc (gslice.c:1025)
==3492== by 0x93E3A58: g_slice_alloc0 (gslice.c:1051)
==3492== by 0x915D440: g_type_create_instance (gtype.c:1839)
==3492== by 0x913E4B7: g_object_new_internal (gobject.c:1783)
==3492== by 0x913FEE4: g_object_newv (gobject.c:1930)
==3492== by 0x91406A3: g_object_new (gobject.c:1623)
==3492== by 0x124B59: e_cal_data_model_new (e-cal-data-model.c:2032)
==3492== by 0x1457AE: gcal_manager_constructed (gcal-manager.c:865)
==3492== by 0x913E66F: g_object_new_internal (gobject.c:1823)
==3492== by 0x914024C: g_object_new_valist (gobject.c:2042)
==3492==
==3492== Invalid read of size 8
==3492== at 0x123ED0: cal_data_model_expand_recurrences_thread (e-cal-data-model.c:1147)
==3492== by 0x122389: cal_data_model_internal_thread_job_func (e-cal-data-model.c:471)
==3492== by 0x93EDF4F: g_thread_pool_thread_proxy (gthreadpool.c:307)
==3492== by 0x93ED585: g_thread_proxy (gthread.c:784)
==3492== by 0x888D36C: start_thread (pthread_create.c:456)
==3492== by 0x9C27E9E: clone (clone.S:97)
==3492== Address 0x217dca48 is 88 bytes inside a block of size 184 free'd
==3492== at 0x4C2FCC8: free (vg_replace_malloc.c:530)
==3492== by 0x93CBB7D: g_free (gmem.c:189)
==3492== by 0x93E3B3F: g_slice_free1 (gslice.c:1136)
==3492== by 0x915D742: g_type_free_instance (gtype.c:1937)
==3492== by 0x145A38: gcal_manager_finalize (gcal-manager.c:893)
==3492== by 0x913DF08: g_object_unref (gobject.c:3185)
==3492== by 0x13A71F: gcal_application_finalize (gcal-application.c:169)
==3492== by 0x913DF08: g_object_unref (gobject.c:3185)
==3492== by 0x11FDFE: main (main.c:45)
==3492== Block was alloc'd at
==3492== at 0x4C2EB1B: malloc (vg_replace_malloc.c:299)
==3492== by 0x93CBA68: g_malloc (gmem.c:94)
==3492== by 0x93E35C5: g_slice_alloc (gslice.c:1025)
==3492== by 0x93E3A58: g_slice_alloc0 (gslice.c:1051)
==3492== by 0x915D440: g_type_create_instance (gtype.c:1839)
==3492== by 0x913E4B7: g_object_new_internal (gobject.c:1783)
==3492== by 0x913FEE4: g_object_newv (gobject.c:1930)
==3492== by 0x91406A3: g_object_new (gobject.c:1623)
==3492== by 0x124B59: e_cal_data_model_new (e-cal-data-model.c:2032)
==3492== by 0x1457AE: gcal_manager_constructed (gcal-manager.c:865)
==3492== by 0x913E66F: g_object_new_internal (gobject.c:1823)
==3492== by 0x914024C: g_object_new_valist (gobject.c:2042)
Installed software versions:
- evolution-data-server-3.24.2-2.fc26.x86_64
- gnome-calendar-3.24.2-1.1.fc26.x86_64
- libical-2.0.0-9.fc26.x86_64
- gtk3-3.22.15-2.fc26.x86_64
- glib2-2.52.2-2.fc26.x86_64
I have no steps to reproduce.
Link to original bug (#783677)
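The trace above shows a thread-pool job (cal_data_model_expand_recurrences_thread) reading an ECalDataModel that gcal_manager_finalize had already released, so the worker outlived the object it was handed. The usual defence against that class of bug is for the job itself to own a strong reference for as long as it runs, so that whichever side drops its reference last performs the free. The following is an added, self-contained C model of that ownership rule; it is not gnome-calendar or evolution-data-server code and does not claim to be the fix the project applied. The DataModel, Job and run_owner_then_job names are constructed for the example, and the GLib thread pool is replaced by a plain pthread.

```c
#include <pthread.h>
#include <sched.h>
#include <stdatomic.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for a ref-counted GObject such as ECalDataModel. */
typedef struct {
    atomic_int ref_count;
    atomic_int *finalized;   /* set to 1 when the object is actually freed */
    int events[4];           /* stand-in for the data the worker expands */
} DataModel;

static DataModel *data_model_new(atomic_int *finalized) {
    DataModel *m = calloc(1, sizeof *m);
    atomic_init(&m->ref_count, 1);
    m->finalized = finalized;
    for (int i = 0; i < 4; i++) m->events[i] = i + 1;
    return m;
}

static DataModel *data_model_ref(DataModel *m) {
    atomic_fetch_add(&m->ref_count, 1);
    return m;
}

static void data_model_unref(DataModel *m) {
    /* Whoever drops the last reference finalizes; nobody else may touch m after this. */
    if (atomic_fetch_sub(&m->ref_count, 1) == 1) {
        atomic_store(m->finalized, 1);
        free(m);
    }
}

/* A worker job that owns its own reference to the model (the safe pattern). */
typedef struct {
    DataModel *model;        /* strong reference held by the job, not a borrowed pointer */
    atomic_int *owner_done;  /* owner sets this after dropping its own reference */
    atomic_int *finalized;
    int sum;                 /* result computed from the model */
    int model_was_live;      /* 1 if the model was still allocated when the job read it */
} Job;

static void *expand_job(void *arg) {
    Job *job = arg;
    /* Deterministically wait until the owner has already "finalized" on its side. */
    while (!atomic_load(job->owner_done)) sched_yield();
    job->model_was_live = (atomic_load(job->finalized) == 0);
    for (int i = 0; i < 4; i++) job->sum += job->model->events[i];
    data_model_unref(job->model);   /* job's reference kept the model alive until here */
    return NULL;
}

typedef struct {
    int sum;
    int model_live_during_job;
    int finalized_after;
} ScenarioResult;

/* Owner creates the model, hands the job its own reference, then drops the
 * owner's reference while the job is still pending (mirrors a finalize racing
 * a busy worker). With the job holding a reference, the read stays valid and
 * the model is freed only after the job finishes. */
ScenarioResult run_owner_then_job(void) {
    atomic_int finalized, owner_done;
    atomic_init(&finalized, 0);
    atomic_init(&owner_done, 0);
    DataModel *model = data_model_new(&finalized);
    Job job = { .model = data_model_ref(model), .owner_done = &owner_done,
                .finalized = &finalized, .sum = 0, .model_was_live = 0 };
    pthread_t th;
    pthread_create(&th, NULL, expand_job, &job);
    data_model_unref(model);            /* owner's finalize: ref_count 2 -> 1, no free yet */
    atomic_store(&owner_done, 1);       /* let the worker proceed only after that */
    pthread_join(th, NULL);
    ScenarioResult r = { job.sum, job.model_was_live, atomic_load(&finalized) };
    return r;
}

int main(void) {
    ScenarioResult r = run_owner_then_job();
    printf("sum=%d live_during_job=%d finalized_after_job=%d\n",
           r.sum, r.model_live_during_job, r.finalized_after);
    return 0;
}
```

The point of the ordering flag is to force the same interleaving the Valgrind report describes (owner releases first, worker reads afterwards) and show that it is harmless once the job holds its own reference: the read sees a live object and the free happens on the job's unref. Had the job stored only a borrowed pointer, that same interleaving is exactly the "Invalid read ... inside a block ... free'd" that Valgrind flagged, so the check to apply in review is that every pointer captured by a thread-pool job is either ref'd for the job's lifetime or the dispose path waits for the pool to drain.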