g_object_unref of channel created with xfconf_channel_new causes SIGSEGV

In the following code:

property_base = g_strconcat(xfce_panel_plugin_get_property_base(panel_plugin), "/",
                            alarm->uuid, "/",
                            NULL);
channel = xfconf_channel_new_with_property_base(xfce_panel_get_channel_name(),
                                                property_base);
g_free(property_base);

g_warn_if_fail(xfconf_channel_set_uint(channel, "type", alarm->type));
g_warn_if_fail(xfconf_channel_set_string(channel, "name", alarm->name));
g_warn_if_fail(xfconf_channel_set_uint64(channel, "time",
                                         (guint64) g_date_time_to_unix(alarm->time)));
g_warn_if_fail(xfconf_channel_set_string(channel, "color", alarm->color));

g_object_unref(channel);

Unreffing the channel causes a SIGSEGV.

Stack trace:

(gdb) bt
#0  0x00007f10fd4da36d in g_mutex_lock (mutex=mutex@entry=0x40) at ../glib-2.64.5/glib/gthread-posix.c:1481
#1  0x00007f10fafd0527 in xfconf_cache_set_property_reply_handler (proxy=0x56204be9cc40 [GDBusProxy], res=0x56204c07c8f0, user_data=0x56204bfc2a30) at xfconf-cache.c:611
#2  0x00007f10fd686564 in g_task_return_now (task=task@entry=0x56204c07c8f0 [GTask]) at ../glib-2.64.5/gio/gtask.c:1214
#3  0x00007f10fd686597 in complete_in_idle_cb (task=0x56204c07c8f0, task@entry=<error reading variable: value has been optimized out>) at ../glib-2.64.5/gio/gtask.c:1228
#4  0x00007f10fd487f42 in g_idle_dispatch (source=source@entry=0x56204c0fb420, callback=<optimized out>, user_data=<optimized out>) at ../glib-2.64.5/glib/gmain.c:5755
#5  0x00007f10fd488be4 in g_main_dispatch (context=context@entry=0x56204bcb71d0) at ../glib-2.64.5/glib/gmain.c:3309
#6  0x00007f10fd48c057 in g_main_context_dispatch (context=context@entry=0x56204bcb71d0) at ../glib-2.64.5/glib/gmain.c:3974
#7  0x00007f10fd48c1df in g_main_context_iterate (context=0x56204bcb71d0, block=block@entry=1, dispatch=dispatch@entry=1, self=self@entry=0x56204bce3470) at ../glib-2.64.5/glib/gmain.c:4047
#8  0x00007f10fd48c585 in g_main_loop_run (loop=0x56204be1db40) at ../glib-2.64.5/glib/gmain.c:4241
#9  0x00007f10fdc04265 in gtk_main () at /usr/lib64/libgtk-3.so.0
#10 0x000056204aaa2ad3 in main ()
(gdb)

Examination of the core dump shows that the 'set_property' handler is executed after the old item has already been freed:

(gdb) frame 1
#1  0x00007f10fafd0527 in xfconf_cache_set_property_reply_handler (proxy=0x56204be9cc40 [GDBusProxy], res=0x56204c07c8f0, user_data=0x56204bfc2a30) at xfconf-cache.c:611
611	    xfconf_cache_mutex_lock(cache);
(gdb) p old_item->pending_calls_count 
$12 = -1
(gdb) p old_item->item
$13 = (XfconfCacheItem *) 0x0
(gdb)

According to my understanding of Xfconf, the xfconf_cache_set_property_reply_handler should not even be called once old_item->pending_calls_count goes to 0. I'm not yet able to find out where this additional call comes from.
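The lifetime hazard the trace and core dump point at, as an added C illustration that is not xfconf's code: a constructed model of pending-call accounting in which the payload is kept alive until the last outstanding reply has arrived, and a reply that arrives after the count already reached zero is rejected instead of dereferencing the freed item (the -1 / NULL state seen in the dump). All names here (OldItem, old_item_reply_handler, and so on) are hypothetical.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Constructed model (hypothetical names, not xfconf's code) of the
 * pending-call bookkeeping the report points at: the payload of an
 * "old item" must outlive every outstanding asynchronous set_property
 * call, and a reply that arrives after the count reached zero must not
 * touch the already freed payload. */
typedef struct { int value; } Payload;          /* stands in for XfconfCacheItem */

typedef struct {
    Payload *item;                /* NULL once freed (as in the core dump) */
    int      pending_calls_count; /* replies still expected */
    bool     release_requested;   /* owner is done; free when count hits 0 */
} OldItem;

static OldItem *old_item_new(int value) {
    OldItem *o = calloc(1, sizeof *o);
    o->item = malloc(sizeof *o->item);
    o->item->value = value;
    return o;
}

/* An async set_property is issued: one more reply is expected. */
static void old_item_call_started(OldItem *o) { o->pending_calls_count++; }

static void old_item_free_payload(OldItem *o) { free(o->item); o->item = NULL; }

/* Owner no longer needs the item. Defer the free while calls are pending. */
static void old_item_release(OldItem *o) {
    o->release_requested = true;
    if (o->pending_calls_count == 0) old_item_free_payload(o);
}

/* Reply handler. Returns false without touching the payload when the
 * reply is stray, i.e. the count is already 0 or the payload is gone;
 * this is where the real handler would otherwise reach the -1 / NULL state. */
static bool old_item_reply_handler(OldItem *o) {
    if (o->pending_calls_count <= 0 || o->item == NULL)
        return false;
    o->pending_calls_count--;
    if (o->pending_calls_count == 0 && o->release_requested)
        old_item_free_payload(o);
    return true;
}

static bool old_item_alive(const OldItem *o) { return o->item != NULL; }
```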

xfconf 4.14.3

Edited by cryptogopher