gnome-todo crashes every time it is being closed [without today panel]
Steps to reproduce:
- Open GNOME To Do
- Have the "today panel" not active
- Close GNOME To Do
What happens:
GNOME To Do crashes immediately.
What should happen:
No crash.
Version info:
I am using gnome-todo 3.28.1 on Gtk+ 3.22.30.
This is a use-after-free bug according to valgrind:
==25646== Invalid read of size 8
==25646== at 0x53811E9: gtk_list_box_invalidate_sort (gtklistbox.c:1312)
==25646== by 0x6888ADC: g_closure_invoke (gclosure.c:804)
==25646== by 0x689BF42: signal_emit_unlocked_R (gsignal.c:3635)
==25646== by 0x68A5069: g_signal_emit_valist (gsignal.c:3391)
==25646== by 0x68A5662: g_signal_emit (gsignal.c:3447)
==25646== by 0x130F97: task_changed_cb (gtd-task-list.c:126)
==25646== by 0x6888ADC: g_closure_invoke (gclosure.c:804)
==25646== by 0x689BF42: signal_emit_unlocked_R (gsignal.c:3635)
==25646== by 0x68A5069: g_signal_emit_valist (gsignal.c:3391)
==25646== by 0x68A5662: g_signal_emit (gsignal.c:3447)
==25646== by 0x688D513: g_object_dispatch_properties_changed (gobject.c:1082)
==25646== by 0x688F9D0: g_object_notify_by_spec_internal (gobject.c:1175)
==25646== by 0x688F9D0: g_object_notify (gobject.c:1223)
==25646== Address 0x33a14bd0 is 512 bytes inside a block of size 560 free'd
==25646== at 0x4C2EDAC: free (vg_replace_malloc.c:530)
==25646== by 0x4E8C4D1: g_free (gmem.c:194)
==25646== by 0x4EA4723: g_slice_free1 (gslice.c:1136)
==25646== by 0x68AC183: g_type_free_instance (gtype.c:1937)
==25646== by 0x4E7449E: g_hash_table_remove_all_nodes.part.0 (ghash.c:552)
==25646== by 0x4E753A7: g_hash_table_remove_all_nodes (ghash.c:491)
==25646== by 0x4E753A7: g_hash_table_remove_all (ghash.c:1447)
==25646== by 0x4E753F1: g_hash_table_destroy (ghash.c:1128)
==25646== by 0x4E7449E: g_hash_table_remove_all_nodes.part.0 (ghash.c:552)
==25646== by 0x4E753A7: g_hash_table_remove_all_nodes (ghash.c:491)
==25646== by 0x4E753A7: g_hash_table_remove_all (ghash.c:1447)
==25646== by 0x4E753F1: g_hash_table_destroy (ghash.c:1128)
==25646== by 0x54D90B2: gtk_widget_real_destroy (gtkwidget.c:12224)
==25646== by 0x68889F4: g_closure_invoke (gclosure.c:804)
==25646== Block was alloc'd at
==25646== at 0x4C2DBAB: malloc (vg_replace_malloc.c:299)
==25646== by 0x4E8C3C5: g_malloc (gmem.c:99)
==25646== by 0x4EA3FF6: g_slice_alloc (gslice.c:1025)
==25646== by 0x4EA463C: g_slice_alloc0 (gslice.c:1051)
==25646== by 0x68ABDB1: g_type_create_instance (gtype.c:1839)
==25646== by 0x688E6C7: g_object_new_internal (gobject.c:1799)
==25646== by 0x689016C: g_object_newv (gobject.c:2036)
==25646== by 0x527B1B9: _gtk_builder_construct (gtkbuilder.c:718)
==25646== by 0x527C794: builder_construct.isra.5 (gtkbuilderparser.c:139)
==25646== by 0x527D50C: parse_child (gtkbuilderparser.c:522)
==25646== by 0x527D50C: start_element (gtkbuilderparser.c:970)
==25646== by 0x4E8A010: emit_start_element (gmarkup.c:1041)
==25646== by 0x4E8B0C9: g_markup_parse_context_parse (gmarkup.c:1388)
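The pattern the valgrind report points to, as an added example that is not part of the original report and is not gnome-todo or GTK code: a signal handler whose user data is a widget that gets freed before the emitter fires again. That the handler was simply left connected is an assumption drawn from the stacks above, and `Emitter`, `ListBox` and the `emitter_*`/`listbox_*` functions are hypothetical stand-ins.

```c
#include <stdio.h>
#include <stdlib.h>
/* Constructed model, not gnome-todo or GTK code; every name here is hypothetical. */
#define MAX_HANDLERS 4
typedef struct { void (*fn)(void *); void *data; } Handler;  /* fn == NULL: free slot */
typedef struct { Handler h[MAX_HANDLERS]; } Emitter;         /* plays the task list */
typedef struct { Emitter *source; int sort_runs; } ListBox;  /* plays the widget */
static void emitter_connect(Emitter *e, void (*fn)(void *), void *data) {
    for (int i = 0; i < MAX_HANDLERS; i++)
        if (!e->h[i].fn) { e->h[i] = (Handler){fn, data}; return; }
}
static void emitter_disconnect_by_data(Emitter *e, const void *data) {
    for (int i = 0; i < MAX_HANDLERS; i++)
        if (e->h[i].data == data) e->h[i] = (Handler){NULL, NULL};
}
static int emitter_emit(Emitter *e, int dry_run) {  /* returns handlers reached */
    int n = 0;
    for (int i = 0; i < MAX_HANDLERS; i++)
        if (e->h[i].fn) { if (!dry_run) e->h[i].fn(e->h[i].data); n++; }
    return n;
}
/* Stand-in for gtk_list_box_invalidate_sort: it dereferences the widget. */
static void listbox_invalidate_sort(void *data) { ((ListBox *)data)->sort_runs++; }
static ListBox *listbox_new(Emitter *src) {
    ListBox *b = calloc(1, sizeof *b);
    if (!b) abort();
    b->source = src;
    emitter_connect(src, listbox_invalidate_sort, b);
    return b;
}
/* safe == 0 models the defect: the handler stays connected to freed memory. */
static void listbox_destroy(ListBox *b, int safe) {
    if (safe) emitter_disconnect_by_data(b->source, b);
    free(b);
}
/* Order seen in the trace: widget freed first, task-change signal afterwards. */
static int dangling_after_destroy(int safe) {
    Emitter e = {0};
    ListBox *b = listbox_new(&e);
    emitter_emit(&e, 0);                 /* widget alive: valid call */
    listbox_destroy(b, safe);
    int left = emitter_emit(&e, 1);      /* count only; never call into freed memory */
    if (left == 0) emitter_emit(&e, 0);  /* a real emit is safe once none remain */
    return left;
}
int main(void) {
    printf("dangling handlers: plain destroy=%d, disconnecting destroy=%d\n",
           dangling_after_destroy(0), dangling_after_destroy(1));
    return 0;
}
```

In GObject code the counterpart of the safe path is disconnecting the handler when the widget is disposed, or connecting with `g_signal_connect_object()`, which drops the handler once the object is finalized.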