Invalid write in StTextureCache property bind
I've noticed the following invalid write in one of my valgrind logs:
==212529== Invalid write of size 8
==212529== at 0x5BF930D: st_texture_cache_bind_weak_notify (st-texture-cache.c:780)
==212529== by 0x4C8BD0E: weak_refs_notify (gobject.c:2944)
==212529== by 0x4CFCB12: g_data_set_internal (gdataset.c:407)
==212529== by 0x5C0DCA8: st_widget_dispose (st-widget.c:318)
==212529== by 0x4C8CF62: g_object_unref (gobject.c:3461)
==212529== by 0x4C8CF62: g_object_unref (gobject.c:3391)
==212529== by 0x5C101E1: st_widget_set_last_visible_child (st-widget.c:1465)
==212529== by 0x5C101E1: st_widget_update_child_styles (st-widget.c:1562)
==212529== by 0x4D1BC3F: g_main_dispatch (gmain.c:3309)
==212529== by 0x4D1BC3F: g_main_context_dispatch (gmain.c:3974)
==212529== by 0x4D1BFC7: g_main_context_iterate.constprop.0 (gmain.c:4047)
==212529== by 0x4D1C2B2: g_main_loop_run (gmain.c:4241)
==212529== by 0x58BC3DB: meta_run (main.c:676)
==212529== by 0x4027D5: main (main.c:552)
==212529== Address 0x229fdc80 is 32 bytes inside a block of size 48 free'd
==212529== at 0x483B9F5: free (vg_replace_malloc.c:540)
==212529== by 0x4C876A8: closure_invoke_notifiers (gclosure.c:263)
==212529== by 0x4C876A8: g_closure_unref (gclosure.c:615)
==212529== by 0x4C991C1: handler_unref_R.part.0 (gsignal.c:773)
==212529== by 0x4C99719: handler_unref_R (gsignal.c:730)
==212529== by 0x4C99719: g_signal_handler_disconnect (gsignal.c:2732)
==212529== by 0x5BF930C: st_texture_cache_bind_weak_notify (st-texture-cache.c:780)
==212529== by 0x4C8BD0E: weak_refs_notify (gobject.c:2944)
==212529== by 0x4CFCB12: g_data_set_internal (gdataset.c:407)
==212529== by 0x5C0DCA8: st_widget_dispose (st-widget.c:318)
==212529== by 0x4C8CF62: g_object_unref (gobject.c:3461)
==212529== by 0x4C8CF62: g_object_unref (gobject.c:3391)
==212529== by 0x5C101E1: st_widget_set_last_visible_child (st-widget.c:1465)
==212529== by 0x5C101E1: st_widget_update_child_styles (st-widget.c:1562)
==212529== by 0x4D1BC3F: g_main_dispatch (gmain.c:3309)
==212529== by 0x4D1BC3F: g_main_context_dispatch (gmain.c:3974)
==212529== by 0x4D1BFC7: g_main_context_iterate.constprop.0 (gmain.c:4047)
==212529== by 0x4D1C2B2: g_main_loop_run (gmain.c:4241)
==212529== by 0x58BC3DB: meta_run (main.c:676)
==212529== by 0x4027D5: main (main.c:552)
==212529== Block was alloc'd at
==212529== at 0x483A809: malloc (vg_replace_malloc.c:309)
==212529== by 0x4D21BD0: g_malloc (gmem.c:102)
==212529== by 0x4D39B00: g_slice_alloc (gslice.c:1024)
==212529== by 0x4D3A191: g_slice_alloc0 (gslice.c:1050)
==212529== by 0x5BFAA9F: st_texture_cache_bind_cairo_surface_property (st-texture-cache.c:823)
==212529== by 0x486A011: window_backed_app_get_icon (shell-app.c:221)
==212529== by 0x486A011: shell_app_create_icon_texture (shell-app.c:254)
I have not found a way to reliably trigger this yet. The invalid write seems to be triggered by st_widget_update_child_styles. I suspect that it might be related to the corresponding idle source only getting cleared after chaining up the parent dispose method in StWidget::dispose, but I'm not familiar enough with the code to know for sure. Also, doing this after the chain-up seems to be done intentionally to prevent a crash: !529 (comment 504170).