Created attachment 2524 [details]
Start up & bt

When I click on a newsgroup to unsubscribe or when I click to subscribe and then click again to unsubscribe I get a core dump. This is also a confirmed issue on Windows.
This appears to be a use-after-free, so if you don't have some malloc() validation, it can be hard to reproduce. On FreeBSD, if I set MALLOC_CONF=junk:true,utrace:true in the environment and run it, I can reproduce this trivially with the following backtrace:

Thread 1 received signal SIGSEGV, Segmentation fault.
Address not mapped to object.
0x0000000802503450 in ?? () from /lib/libc.so.7
(gdb) bt
#0  0x0000000802503450 in ?? () from /lib/libc.so.7
#1  0x000000000038dc38 in button_press_cb (ctree=0x80718f310, button=<optimized out>, data=<optimized out>) at grouplistdialog.c:606
#2  0x0000000800a14ca9 in ?? () from /usr/local/lib/libgtk-3.so.0
#3  0x00000008021e888f in g_closure_invoke () from /usr/local/lib/libgobject-2.0.so.0
#4  0x0000000802201f76 in ?? () from /usr/local/lib/libgobject-2.0.so.0
#5  0x0000000802200b08 in ?? () from /usr/local/lib/libgobject-2.0.so.0
#6  0x000000080220132c in g_signal_emit () from /usr/local/lib/libgobject-2.0.so.0
#7  0x0000000800cebd01 in ?? () from /usr/local/lib/libgtk-3.so.0
#8  0x0000000800b8c12f in gtk_propagate_event () from /usr/local/lib/libgtk-3.so.0
#9  0x0000000800b8bc36 in gtk_main_do_event () from /usr/local/lib/libgtk-3.so.0
#10 0x0000000800e59071 in ?? () from /usr/local/lib/libgdk-3.so.0
#11 0x0000000800eaedf7 in ?? () from /usr/local/lib/libgdk-3.so.0
#12 0x000000080210da91 in ?? () from /usr/local/lib/libglib-2.0.so.0
#13 0x000000080210de29 in ?? () from /usr/local/lib/libglib-2.0.so.0
#14 0x000000080210e159 in g_main_loop_run () from /usr/local/lib/libglib-2.0.so.0
#15 0x0000000800b8b59a in gtk_main () from /usr/local/lib/libgtk-3.so.0
#16 0x000000000038d425 in grouplist_dialog (folder=folder@entry=0x8055658e0) at grouplistdialog.c:122
#17 0x00000000003d0003 in subscribe_newsgroup_cb (action=<optimized out>, data=0x803d73440) at news_gtk.c:174
#18 0x00000008021e888f in g_closure_invoke () from /usr/local/lib/libgobject-2.0.so.0
#19 0x0000000802201f76 in ?? () from /usr/local/lib/libgobject-2.0.so.0
#20 0x0000000802200a9d in ?? () from /usr/local/lib/libgobject-2.0.so.0
#21 0x000000080220132c in g_signal_emit () from /usr/local/lib/libgobject-2.0.so.0
#22 0x0000000800d33644 in ?? () from /usr/local/lib/libgtk-3.so.0
#23 0x00000008021e8b0e in ?? () from /usr/local/lib/libgobject-2.0.so.0
#24 0x0000000802200e4e in ?? () from /usr/local/lib/libgobject-2.0.so.0
#25 0x000000080220132c in g_signal_emit () from /usr/local/lib/libgobject-2.0.so.0
#26 0x0000000800cec497 in gtk_widget_activate () from /usr/local/lib/libgtk-3.so.0
#27 0x0000000800ba07ca in gtk_menu_shell_activate_item () from /usr/local/lib/libgtk-3.so.0
#28 0x0000000800ba2150 in ?? () from /usr/local/lib/libgtk-3.so.0
#29 0x0000000800a14daa in ?? () from /usr/local/lib/libgtk-3.so.0
#30 0x00000008021e8b0e in ?? () from /usr/local/lib/libgobject-2.0.so.0
#31 0x0000000802200802 in ?? () from /usr/local/lib/libgobject-2.0.so.0
#32 0x000000080220132c in g_signal_emit () from /usr/local/lib/libgobject-2.0.so.0
#33 0x0000000800cebd01 in ?? () from /usr/local/lib/libgtk-3.so.0
#34 0x0000000800b8c12f in gtk_propagate_event () from /usr/local/lib/libgtk-3.so.0
#35 0x0000000800b8bc36 in gtk_main_do_event () from /usr/local/lib/libgtk-3.so.0
#36 0x0000000800e59071 in ?? () from /usr/local/lib/libgdk-3.so.0
#37 0x0000000800eaedf7 in ?? () from /usr/local/lib/libgdk-3.so.0
#38 0x000000080210da91 in ?? () from /usr/local/lib/libglib-2.0.so.0
#39 0x000000080210de29 in ?? () from /usr/local/lib/libglib-2.0.so.0
#40 0x000000080210e159 in g_main_loop_run () from /usr/local/lib/libglib-2.0.so.0
#41 0x0000000800b8b59a in gtk_main () from /usr/local/lib/libgtk-3.so.0
#42 0x00000000003a33e6 in main (argc=1, argv=0x7fffffffe710) at main.c:1574
Looking at it, it appears that list has been free()ed at this point:

(gdb) up
#1  0x000000000038dcf2 in button_press_cb (ctree=0x80718f610, button=<optimized out>, data=<optimized out>) at grouplistdialog.c:612
612             g_free(list->data);
(gdb) print list
$1 = (GSList *) 0x803c60410
(gdb) print *list
$2 = {data = 0x5a5a5a5a5a5a5a5a, next = 0x5a5a5a5a5a5a5a5a}
(gdb)

Filling free()ed allocations with 0x5a is one of the things the debugging malloc() does.
Valgrind turns up this:

==23789== Invalid read of size 8
==23789==    at 0x38DCE6: button_press_cb (grouplistdialog.c:611)
==23789==    by 0x4C88CA8: ??? (in /usr/local/lib/libgtk-3.so.0.2409.32)
==23789==    by 0x650E88E: g_closure_invoke (in /usr/local/lib/libgobject-2.0.so.0.7800.4)
==23789==    by 0x6527F75: ??? (in /usr/local/lib/libgobject-2.0.so.0.7800.4)
==23789==    by 0x6526B07: ??? (in /usr/local/lib/libgobject-2.0.so.0.7800.4)
==23789==    by 0x652732B: g_signal_emit (in /usr/local/lib/libgobject-2.0.so.0.7800.4)
==23789==    by 0x4F5FD00: ??? (in /usr/local/lib/libgtk-3.so.0.2409.32)
==23789==    by 0x4E0012E: gtk_propagate_event (in /usr/local/lib/libgtk-3.so.0.2409.32)
==23789==    by 0x4DFFC35: gtk_main_do_event (in /usr/local/lib/libgtk-3.so.0.2409.32)
==23789==    by 0x50CD070: ??? (in /usr/local/lib/libgdk-3.so.0.2409.32)
==23789==    by 0x5122DF6: ??? (in /usr/local/lib/libgdk-3.so.0.2409.32)
==23789==    by 0x6433A90: ??? (in /usr/local/lib/libglib-2.0.so.0.7800.4)
==23789==  Address 0x8720120 is 0 bytes inside a block of size 16 free'd
==23789==    at 0x484ECFC: free (vg_replace_malloc.c:989)
==23789==    by 0x64544B4: g_slist_remove (in /usr/local/lib/libglib-2.0.so.0.7800.4)
==23789==    by 0x38DCD7: button_press_cb (grouplistdialog.c:610)
==23789==    by 0x4C88CA8: ??? (in /usr/local/lib/libgtk-3.so.0.2409.32)
==23789==    by 0x650E88E: g_closure_invoke (in /usr/local/lib/libgobject-2.0.so.0.7800.4)
==23789==    by 0x6527F75: ??? (in /usr/local/lib/libgobject-2.0.so.0.7800.4)
==23789==    by 0x6526B07: ??? (in /usr/local/lib/libgobject-2.0.so.0.7800.4)
==23789==    by 0x652732B: g_signal_emit (in /usr/local/lib/libgobject-2.0.so.0.7800.4)
==23789==    by 0x4F5FD00: ??? (in /usr/local/lib/libgtk-3.so.0.2409.32)
==23789==    by 0x4E0012E: gtk_propagate_event (in /usr/local/lib/libgtk-3.so.0.2409.32)
==23789==    by 0x4DFFC35: gtk_main_do_event (in /usr/local/lib/libgtk-3.so.0.2409.32)
==23789==    by 0x50CD070: ??? (in /usr/local/lib/libgdk-3.so.0.2409.32)
==23789==  Block was alloc'd at
==23789==    at 0x484CD24: malloc (vg_replace_malloc.c:446)
==23789==    by 0x643AFF2: g_malloc (in /usr/local/lib/libglib-2.0.so.0.7800.4)
==23789==    by 0x6454206: g_slist_append (in /usr/local/lib/libglib-2.0.so.0.7800.4)
==23789==    by 0x38D416: grouplist_dialog (grouplistdialog.c:115)
==23789==    by 0x3D0102: subscribe_newsgroup_cb (news_gtk.c:174)
==23789==    by 0x650E88E: g_closure_invoke (in /usr/local/lib/libgobject-2.0.so.0.7800.4)
==23789==    by 0x6527F75: ??? (in /usr/local/lib/libgobject-2.0.so.0.7800.4)
==23789==    by 0x6526A9C: ??? (in /usr/local/lib/libgobject-2.0.so.0.7800.4)
==23789==    by 0x652732B: g_signal_emit (in /usr/local/lib/libgobject-2.0.so.0.7800.4)
==23789==    by 0x4FA7643: ??? (in /usr/local/lib/libgtk-3.so.0.2409.32)
==23789==    by 0x650EB0D: ??? (in /usr/local/lib/libgobject-2.0.so.0.7800.4)
==23789==    by 0x6526E4D: ??? (in /usr/local/lib/libgobject-2.0.so.0.7800.4)
==23789==
==23789== Invalid read of size 8
==23789==    at 0x38DCFE: button_press_cb (grouplistdialog.c:612)
==23789==    by 0x4C88CA8: ??? (in /usr/local/lib/libgtk-3.so.0.2409.32)
==23789==    by 0x650E88E: g_closure_invoke (in /usr/local/lib/libgobject-2.0.so.0.7800.4)
==23789==    by 0x6527F75: ??? (in /usr/local/lib/libgobject-2.0.so.0.7800.4)
==23789==    by 0x6526B07: ??? (in /usr/local/lib/libgobject-2.0.so.0.7800.4)
==23789==    by 0x652732B: g_signal_emit (in /usr/local/lib/libgobject-2.0.so.0.7800.4)
==23789==    by 0x4F5FD00: ??? (in /usr/local/lib/libgtk-3.so.0.2409.32)
==23789==    by 0x4E0012E: gtk_propagate_event (in /usr/local/lib/libgtk-3.so.0.2409.32)
==23789==    by 0x4DFFC35: gtk_main_do_event (in /usr/local/lib/libgtk-3.so.0.2409.32)
==23789==    by 0x50CD070: ??? (in /usr/local/lib/libgdk-3.so.0.2409.32)
==23789==    by 0x5122DF6: ??? (in /usr/local/lib/libgdk-3.so.0.2409.32)
==23789==    by 0x6433A90: ??? (in /usr/local/lib/libglib-2.0.so.0.7800.4)
==23789==  Address 0x8720120 is 0 bytes inside a block of size 16 free'd
==23789==    at 0x484ECFC: free (vg_replace_malloc.c:989)
==23789==    by 0x64544B4: g_slist_remove (in /usr/local/lib/libglib-2.0.so.0.7800.4)
==23789==    by 0x38DCD7: button_press_cb (grouplistdialog.c:610)
==23789==    by 0x4C88CA8: ??? (in /usr/local/lib/libgtk-3.so.0.2409.32)
==23789==    by 0x650E88E: g_closure_invoke (in /usr/local/lib/libgobject-2.0.so.0.7800.4)
==23789==    by 0x6527F75: ??? (in /usr/local/lib/libgobject-2.0.so.0.7800.4)
==23789==    by 0x6526B07: ??? (in /usr/local/lib/libgobject-2.0.so.0.7800.4)
==23789==    by 0x652732B: g_signal_emit (in /usr/local/lib/libgobject-2.0.so.0.7800.4)
==23789==    by 0x4F5FD00: ??? (in /usr/local/lib/libgtk-3.so.0.2409.32)
==23789==    by 0x4E0012E: gtk_propagate_event (in /usr/local/lib/libgtk-3.so.0.2409.32)
==23789==    by 0x4DFFC35: gtk_main_do_event (in /usr/local/lib/libgtk-3.so.0.2409.32)
==23789==    by 0x50CD070: ??? (in /usr/local/lib/libgdk-3.so.0.2409.32)
==23789==  Block was alloc'd at
==23789==    at 0x484CD24: malloc (vg_replace_malloc.c:446)
==23789==    by 0x643AFF2: g_malloc (in /usr/local/lib/libglib-2.0.so.0.7800.4)
==23789==    by 0x6454206: g_slist_append (in /usr/local/lib/libglib-2.0.so.0.7800.4)
==23789==    by 0x38D416: grouplist_dialog (grouplistdialog.c:115)
==23789==    by 0x3D0102: subscribe_newsgroup_cb (news_gtk.c:174)
==23789==    by 0x650E88E: g_closure_invoke (in /usr/local/lib/libgobject-2.0.so.0.7800.4)
==23789==    by 0x6527F75: ??? (in /usr/local/lib/libgobject-2.0.so.0.7800.4)
==23789==    by 0x6526A9C: ??? (in /usr/local/lib/libgobject-2.0.so.0.7800.4)
==23789==    by 0x652732B: g_signal_emit (in /usr/local/lib/libgobject-2.0.so.0.7800.4)
==23789==    by 0x4FA7643: ??? (in /usr/local/lib/libgtk-3.so.0.2409.32)
==23789==    by 0x650EB0D: ??? (in /usr/local/lib/libgobject-2.0.so.0.7800.4)
==23789==    by 0x6526E4D: ??? (in /usr/local/lib/libgobject-2.0.so.0.7800.4)
Note, the line numbers in Valgrind are a bit off (too high) as I had some debug output in there.
Here's the Valgrind output with the correct code at 2b61e4b2c:

==24409== Invalid read of size 8
==24409==    at 0x38DC2F: button_press_cb (grouplistdialog.c:606)
==24409==    by 0x4C88CA8: ??? (in /usr/local/lib/libgtk-3.so.0.2409.32)
==24409==    by 0x650E88E: g_closure_invoke (in /usr/local/lib/libgobject-2.0.so.0.7800.4)
==24409==    by 0x6527F75: ??? (in /usr/local/lib/libgobject-2.0.so.0.7800.4)
==24409==    by 0x6526B07: ??? (in /usr/local/lib/libgobject-2.0.so.0.7800.4)
==24409==    by 0x652732B: g_signal_emit (in /usr/local/lib/libgobject-2.0.so.0.7800.4)
==24409==    by 0x4F5FD00: ??? (in /usr/local/lib/libgtk-3.so.0.2409.32)
==24409==    by 0x4E0012E: gtk_propagate_event (in /usr/local/lib/libgtk-3.so.0.2409.32)
==24409==    by 0x4DFFC35: gtk_main_do_event (in /usr/local/lib/libgtk-3.so.0.2409.32)
==24409==    by 0x50CD070: ??? (in /usr/local/lib/libgdk-3.so.0.2409.32)
==24409==    by 0x5122DF6: ??? (in /usr/local/lib/libgdk-3.so.0.2409.32)
==24409==    by 0x6433A90: ??? (in /usr/local/lib/libglib-2.0.so.0.7800.4)
==24409==  Address 0xc43b5c0 is 0 bytes inside a block of size 16 free'd
==24409==    at 0x484ECFC: free (vg_replace_malloc.c:989)
==24409==    by 0x64544B4: g_slist_remove (in /usr/local/lib/libglib-2.0.so.0.7800.4)
==24409==    by 0x38DC27: button_press_cb (grouplistdialog.c:605)
==24409==    by 0x4C88CA8: ??? (in /usr/local/lib/libgtk-3.so.0.2409.32)
==24409==    by 0x650E88E: g_closure_invoke (in /usr/local/lib/libgobject-2.0.so.0.7800.4)
==24409==    by 0x6527F75: ??? (in /usr/local/lib/libgobject-2.0.so.0.7800.4)
==24409==    by 0x6526B07: ??? (in /usr/local/lib/libgobject-2.0.so.0.7800.4)
==24409==    by 0x652732B: g_signal_emit (in /usr/local/lib/libgobject-2.0.so.0.7800.4)
==24409==    by 0x4F5FD00: ??? (in /usr/local/lib/libgtk-3.so.0.2409.32)
==24409==    by 0x4E0012E: gtk_propagate_event (in /usr/local/lib/libgtk-3.so.0.2409.32)
==24409==    by 0x4DFFC35: gtk_main_do_event (in /usr/local/lib/libgtk-3.so.0.2409.32)
==24409==    by 0x50CD070: ??? (in /usr/local/lib/libgdk-3.so.0.2409.32)
==24409==  Block was alloc'd at
==24409==    at 0x484CD24: malloc (vg_replace_malloc.c:446)
==24409==    by 0x643AFF2: g_malloc (in /usr/local/lib/libglib-2.0.so.0.7800.4)
==24409==    by 0x6454206: g_slist_append (in /usr/local/lib/libglib-2.0.so.0.7800.4)
==24409==    by 0x38D3E6: grouplist_dialog (grouplistdialog.c:115)
==24409==    by 0x3D0002: subscribe_newsgroup_cb (news_gtk.c:174)
==24409==    by 0x650E88E: g_closure_invoke (in /usr/local/lib/libgobject-2.0.so.0.7800.4)
==24409==    by 0x6527F75: ??? (in /usr/local/lib/libgobject-2.0.so.0.7800.4)
==24409==    by 0x6526A9C: ??? (in /usr/local/lib/libgobject-2.0.so.0.7800.4)
==24409==    by 0x652732B: g_signal_emit (in /usr/local/lib/libgobject-2.0.so.0.7800.4)
==24409==    by 0x4FA7643: ??? (in /usr/local/lib/libgtk-3.so.0.2409.32)
==24409==    by 0x650EB0D: ??? (in /usr/local/lib/libgobject-2.0.so.0.7800.4)
==24409==    by 0x6526E4D: ??? (in /usr/local/lib/libgobject-2.0.so.0.7800.4)
Created attachment 2525 [details]
Fix free of free()ed pointer

list->data needs to be free()ed before calling g_slist_remove() because g_slist_remove() free()s list.
It looks like this was introduced by de1fd9b0e2 to fix a use-after-free issue report from Coverity (list->data is passed to g_slist_remove()). I can whip up another patch that takes a copy of the pointer and calls g_free() on the copy in case you prefer clean scan results.
Created attachment 2526 [details]
As previous patch, but Coverity friendly

This patch prevents a harmless issue from being found by Coverity.
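The ordering defect the two patch comments above describe, written out as an added example in C; this is not Claws Mail code and not the contents of either attachment. Because GLib is not linked here, it assumes a small stand-in list type with the same ownership rule as GSList (g_slist_remove() frees the node that holds the matching data pointer and compares only pointer values), and unsubscribe_buggy() and unsubscribe_fixed() are a reconstruction of the button_press_cb() pattern, not the project's source. The fixed variant follows the attachment 2526 approach: copy the payload pointer out of the node, remove the node, then free the payload, so nothing reads the freed node and no already-freed pointer value is handed to any call for a static analyser to flag.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for GLib's GSList so this builds without GLib (an assumption of
 * this example, which is not Claws Mail code). As with GSList, the list
 * owns its nodes and the caller owns each `data` string. */
typedef struct SList {
    char *data;
    struct SList *next;
} SList;

char *dup_str(const char *s)
{
    char *copy = malloc(strlen(s) + 1);
    return copy ? strcpy(copy, s) : NULL;
}

/* Like g_slist_append(): appends a node and returns the head. */
SList *slist_append(SList *list, char *data)
{
    SList *node = malloc(sizeof *node), *last = list;
    node->data = data;
    node->next = NULL;
    if (!list)
        return node;
    while (last->next)
        last = last->next;
    last->next = node;
    return list;
}

/* Like g_slist_remove(): unlinks and free()s the first node whose data
 * pointer equals `data` and returns the new head. The payload is neither
 * read nor freed; any SList* to the removed node is dangling afterwards. */
SList *slist_remove(SList *list, const char *data)
{
    SList *prev = NULL;
    for (SList *cur = list; cur; prev = cur, cur = cur->next) {
        if (cur->data != data)
            continue;
        if (prev)
            prev->next = cur->next;
        else
            list = cur->next;
        free(cur);
        break;
    }
    return list;
}

/* Like g_slist_find_custom() with strcmp(): returns the node or NULL. */
SList *slist_find_str(SList *list, const char *name)
{
    for (; list; list = list->next)
        if (strcmp(list->data, name) == 0)
            return list;
    return NULL;
}

void slist_free_full(SList *list)
{
    while (list) {
        SList *next = list->next;
        free(list->data);
        free(list);
        list = next;
    }
}

/* Defective ordering, as in the backtrace: slist_remove() frees the node
 * `found`, then found->data is read out of freed memory. Shown for
 * contrast only; deliberately never called. */
SList *unsubscribe_buggy(SList *subscribed, const char *name)
{
    SList *found = slist_find_str(subscribed, name);
    if (found) {
        subscribed = slist_remove(subscribed, found->data);
        free(found->data);          /* use-after-free of the node */
    }
    return subscribed;
}

/* Corrected ordering in the style of attachment 2526: copy the payload
 * pointer out, unlink the node, then free the payload. The node is never
 * touched after slist_remove() and no freed pointer value is passed on. */
SList *unsubscribe_fixed(SList *subscribed, const char *name)
{
    SList *found = slist_find_str(subscribed, name);
    if (found) {
        char *data = found->data;
        subscribed = slist_remove(subscribed, data);   /* frees `found` */
        free(data);
    }
    return subscribed;
}
```

Run under Valgrind or a junk-filling malloc, only unsubscribe_buggy() would produce the "Invalid read ... inside a block ... free'd by g_slist_remove" report quoted earlier in this bug; unsubscribe_fixed() is clean under both, and unlike a free-first ordering it also gives Coverity nothing to report.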
It looks like there's at least one more instance in the same patch that introduced the same bug... mainwindow.c ~ 3853
Actually, that one isn't as clear-cut... maybe it's a double-free?
I can confirm that patch provided in attachment 2526 [details] appears to have fixed my issue. Thank you.
Pushed to master, thanks for the patch!