Creating structs without constructors segfaults and asserts
@nirbheek
Submitted by Nirbheek Chauhan. Link to original bug (#648147)
Description
While using glib-2.28.6 gobject-introspection-0.10.7 (with the last variant-related patch added), and pygobject-2.28.4, instantiating the same proxy object three times causes a segfault.
Steps to reproduce:
>>> from gi.repository import Gio
>>> a = Gio.DBusProxy.new_for_bus_sync(Gio.BusType.SESSION, Gio.DBusProxyFlags.DO_NOT_AUTO_START, Gio.DBusInterfaceInfo(), "org.gnome.Rhythmbox", "/org/gnome/Rhythmbox/Player", "org.gnome.Rhythmbox.Player", None)
>>> b = Gio.DBusProxy.new_for_bus_sync(Gio.BusType.SESSION, Gio.DBusProxyFlags.DO_NOT_AUTO_START, Gio.DBusInterfaceInfo(), "org.gnome.Rhythmbox", "/org/gnome/Rhythmbox/Player", "org.gnome.Rhythmbox.Player", None)
>>> c = Gio.DBusProxy.new_for_bus_sync(Gio.BusType.SESSION, Gio.DBusProxyFlags.DO_NOT_AUTO_START, Gio.DBusInterfaceInfo(), "org.gnome.Rhythmbox", "/org/gnome/Rhythmbox/Player", "org.gnome.Rhythmbox.Player", None)
Segmentation fault
$ echo $?
139
This happens with any dbus interface, not just Rhythmbox, and doesn't happen when using gdbus from C. Backtrace:
(gdb) run
Starting program: /usr/bin/python gio_segfault.py
process 1010 is executing new program: /usr/bin/python2.6
[Thread debugging using libthread_db enabled]
[New Thread 0x7ffff39aa700 (LWP 1013)]
Program received signal SIGSEGV, Segmentation fault.
g_slice_alloc (mem_size=40) at gslice.c:833
833 gslice.c: No such file or directory.
in gslice.c
(gdb) bt
#0 g_slice_alloc (mem_size=40) at gslice.c:833
#1 0x00007ffff5a751ab in g_variant_alloc (type=0x77aff0, serialised=0, trusted=1) at gvariant-core.c:475
#2 0x00007ffff5a752af in g_variant_new_from_children (type=<value optimized out>, children=0x8234d0, n_children=1, trusted=<value optimized out>) at gvariant-core.c:560
#3 0x00007ffff5a72a4e in g_variant_builder_end (builder=0x7fffffffd660) at gvariant.c:3260
#4 0x00007ffff5a74072 in g_variant_valist_new (str=0x7fffffffd718, app=0x7fffffffd740) at gvariant.c:4096
#5 0x00007ffff5a7442a in g_variant_new_va (format_string=0x7ffff55a8b2b "", endptr=0x0, app=0x7fffffffd740) at gvariant.c:4248
#6 0x00007ffff5a74560 in g_variant_new (format_string=0x7ffff55a8b28 "(s)") at gvariant.c:4188
#7 0x00007ffff5563e83 in remove_match_rule (connection=0x813820, subscription_id=<value optimized out>, out_removed_subscribers=0x7222a0) at gdbusconnection.c:3062
#8 unsubscribe_id_internal (connection=0x813820, subscription_id=<value optimized out>, out_removed_subscribers=0x7222a0) at gdbusconnection.c:3294
#9 0x00007ffff55693ce in g_dbus_connection_signal_unsubscribe (connection=0x813820, subscription_id=6) at gdbusconnection.c:3329
#10 0x00007ffff5572ff9 in g_dbus_proxy_finalize (object=0x8120d0) at gdbusproxy.c:148
#11 0x00007ffff5f2534c in g_object_unref (_object=0x8120d0) at gobject.c:2734
#12 0x00007ffff4247b40 in pygobject_clear (self=0x7e1230) at pygobject.c:1138
#13 pygobject_dealloc (self=0x7e1230) at pygobject.c:1048
#14 0x00007ffff7acd13e in ?? () from /usr/lib64/libpython2.6.so.1.0
#15 0x00007ffff7aafd17 in ?? () from /usr/lib64/libpython2.6.so.1.0
#16 0x00007ffff7ab1f99 in PyDict_SetItem () from /usr/lib64/libpython2.6.so.1.0
#17 0x00007ffff7ab4486 in _PyModule_Clear () from /usr/lib64/libpython2.6.so.1.0
#18 0x00007ffff7b1e90d in PyImport_Cleanup () from /usr/lib64/libpython2.6.so.1.0
#19 0x00007ffff7b2ae9f in Py_Finalize () from /usr/lib64/libpython2.6.so.1.0
#20 0x00007ffff7b3643a in Py_Main () from /usr/lib64/libpython2.6.so.1.0
#21 0x00007ffff74d4b9f in __libc_start_main (main=0x400970 <main>, argc=2, ubp_av=0x7fffffffdd28, init=<value optimized out>, fini=<value optimized out>, rtld_fini=<value optimized out>, stack_end=0x7fffffffdd18) at libc-start.c:226
#22 0x00000000004008a9 in _start ()
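As an added triage aid, not part of the report and not pygobject or GLib code: a small Python parser for the gdb backtrace pasted above. It re-joins the frame gdb wrapped onto two lines, extracts each frame's function, arguments and source location or library, and summarises what the trace says: the signal, the crash site in g_slice_alloc, the GObject finalizer that was running, the pygobject frame that triggered it, and that the whole chain fired under Py_Finalize, i.e. during interpreter teardown while module globals were being released. The classification heuristics (matching `_finalize`, `pygobject.c`, `Py_Finalize`) are this example's own assumptions, not something the report states.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# gdb output copied from the report above; frame #21 is wrapped onto a
# second line exactly as gdb printed it, so the parser must re-join it.
REPORT_BACKTRACE = """\
Program received signal SIGSEGV, Segmentation fault.
g_slice_alloc (mem_size=40) at gslice.c:833
(gdb) bt
#0 g_slice_alloc (mem_size=40) at gslice.c:833
#1 0x00007ffff5a751ab in g_variant_alloc (type=0x77aff0, serialised=0, trusted=1) at gvariant-core.c:475
#2 0x00007ffff5a752af in g_variant_new_from_children (type=<value optimized out>, children=0x8234d0, n_children=1, trusted=<value optimized out>) at gvariant-core.c:560
#3 0x00007ffff5a72a4e in g_variant_builder_end (builder=0x7fffffffd660) at gvariant.c:3260
#4 0x00007ffff5a74072 in g_variant_valist_new (str=0x7fffffffd718, app=0x7fffffffd740) at gvariant.c:4096
#5 0x00007ffff5a7442a in g_variant_new_va (format_string=0x7ffff55a8b2b "", endptr=0x0, app=0x7fffffffd740) at gvariant.c:4248
#6 0x00007ffff5a74560 in g_variant_new (format_string=0x7ffff55a8b28 "(s)") at gvariant.c:4188
#7 0x00007ffff5563e83 in remove_match_rule (connection=0x813820, subscription_id=<value optimized out>, out_removed_subscribers=0x7222a0) at gdbusconnection.c:3062
#8 unsubscribe_id_internal (connection=0x813820, subscription_id=<value optimized out>, out_removed_subscribers=0x7222a0) at gdbusconnection.c:3294
#9 0x00007ffff55693ce in g_dbus_connection_signal_unsubscribe (connection=0x813820, subscription_id=6) at gdbusconnection.c:3329
#10 0x00007ffff5572ff9 in g_dbus_proxy_finalize (object=0x8120d0) at gdbusproxy.c:148
#11 0x00007ffff5f2534c in g_object_unref (_object=0x8120d0) at gobject.c:2734
#12 0x00007ffff4247b40 in pygobject_clear (self=0x7e1230) at pygobject.c:1138
#13 pygobject_dealloc (self=0x7e1230) at pygobject.c:1048
#14 0x00007ffff7acd13e in ?? () from /usr/lib64/libpython2.6.so.1.0
#15 0x00007ffff7aafd17 in ?? () from /usr/lib64/libpython2.6.so.1.0
#16 0x00007ffff7ab1f99 in PyDict_SetItem () from /usr/lib64/libpython2.6.so.1.0
#17 0x00007ffff7ab4486 in _PyModule_Clear () from /usr/lib64/libpython2.6.so.1.0
#18 0x00007ffff7b1e90d in PyImport_Cleanup () from /usr/lib64/libpython2.6.so.1.0
#19 0x00007ffff7b2ae9f in Py_Finalize () from /usr/lib64/libpython2.6.so.1.0
#20 0x00007ffff7b3643a in Py_Main () from /usr/lib64/libpython2.6.so.1.0
#21 0x00007ffff74d4b9f in __libc_start_main (main=0x400970 <main>, argc=2, ubp_av=0x7fffffffdd28, init=<value optimized out>, fini=<value optimized out>, rtld_fini=<value optimized out>,
stack_end=0x7fffffffdd18) at libc-start.c:226
#22 0x00000000004008a9 in _start ()
"""

# One gdb frame: optional address, function, parenthesised args, then
# either "at file:line" (debug info present) or "from lib" (no debug info).
FRAME_RE = re.compile(
    r"^#(?P<num>\d+)\s+(?:0x[0-9a-fA-F]+ in )?(?P<func>\S+) \((?P<args>.*)\)"
    r"(?: at (?P<file>[^:\s]+):(?P<line>\d+)| from (?P<lib>\S+))?\s*$"
)
SIGNAL_RE = re.compile(r"^Program received signal (?P<sig>\w+)")


@dataclass
class Frame:
    num: int
    func: str
    args: str
    file: Optional[str] = None
    line: Optional[int] = None
    lib: Optional[str] = None


def parse_backtrace(text: str) -> Dict[str, object]:
    """Return the signal name and the parsed frames, in stack order."""
    signal = None
    raw: List[str] = []
    for line in text.splitlines():
        m = SIGNAL_RE.match(line)
        if m:
            signal = m.group("sig")
        elif line.startswith("#"):
            raw.append(line.strip())
        elif raw and raw[-1].endswith(","):
            # gdb wrapped a long argument list; glue the continuation back on
            raw[-1] += " " + line.strip()
    frames = []
    for entry in raw:
        m = FRAME_RE.match(entry)
        if not m:
            raise ValueError("unparsed frame: " + entry)
        frames.append(Frame(int(m["num"]), m["func"], m["args"], m["file"],
                            int(m["line"]) if m["line"] else None, m["lib"]))
    return {"signal": signal, "frames": frames}


def triage(text: str) -> Dict[str, object]:
    """Summarise where the crash happened and what unwound into it."""
    frames: List[Frame] = parse_backtrace(text)["frames"]
    files: List[str] = []
    for f in frames:
        name = f.file or f.lib
        if name and name not in files:
            files.append(name)
    return {
        "signal": parse_backtrace(text)["signal"],
        "crash_site": f"{frames[0].func} ({frames[0].file}:{frames[0].line})",
        # Py_Finalize on the stack: the object was released at interpreter exit
        "during_interpreter_shutdown": any(f.func == "Py_Finalize" for f in frames),
        # first frame in the binding layer (heuristic: source file pygobject.c)
        "binding_frame": next((f.func for f in frames if f.file == "pygobject.c"), None),
        # the GObject finalizer that ran when the wrapper was torn down
        "finalizer": next((f.func for f in frames if f.func.endswith("_finalize")), None),
        "source_files": files,
    }


if __name__ == "__main__":
    for key, value in triage(REPORT_BACKTRACE).items():
        print(f"{key}: {value}")
```

The summary makes the shape of the bug visible at a glance: nothing in user code is on the stack, the proxy is being finalized by pygobject_clear during Py_Finalize, and the allocation fault is reached only through g_dbus_proxy_finalize unsubscribing its signal, which is why the same script crashes on exit rather than at the third constructor call itself.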
Edited by Christoph Reiter