PackageKit 0.6.19-3.fc16.i686 (I suspect this to be the cause of crashes in gnome-settings-daemon.) ==24355== Invalid read of size 4 ==24355== at 0xF1C8C64: pk_control_call_destroy_cb (pk-control.c:250) ==24355== by 0x47C6509: d_pending_call_free (dbus-gproxy.c:1780) ==24355== by 0x4806F51: _dbus_data_slot_list_clear (dbus-dataslot.c:335) ==24355== by 0x4806FA2: _dbus_data_slot_list_free (dbus-dataslot.c:352) ==24355== by 0x47FE0FA: _dbus_pending_call_last_unref (dbus-pending-call.c:394) ==24355== by 0x47E922F: complete_pending_call_and_unlock (dbus-connection.c:2309) ==24355== by 0x47ECB37: dbus_connection_dispatch (dbus-connection.c:4593) ==24355== by 0x47C0DCD: message_queue_dispatch (dbus-gmain.c:101) ==24355== by 0x4A5C5BE: g_main_context_dispatch (gmain.c:2425) ==24355== by 0x4A5CCFF: g_main_context_iterate (gmain.c:3073) ==24355== by 0x4A5D336: g_main_loop_run (gmain.c:3281) ==24355== by 0x41B2064: gtk_main (gtkmain.c:1362) ==24355== by 0x4B546B2: (below main) (libc-start.c:226) ==24355== Address 0x93dba30 is 24 bytes inside a block of size 48 free'd ==24355== at 0x4029EED: free (vg_replace_malloc.c:366) ==24355== by 0x4A6305B: standard_free (gmem.c:101) ==24355== by 0x4A63356: g_free (gmem.c:263) ==24355== by 0x4A797D6: g_slice_free1 (gslice.c:907) ==24355== by 0xF1C9760: pk_control_get_tid_state_finish (pk-control.c:206) ==24355== by 0xF1CD04B: pk_control_get_tid_cb (pk-control.c:239) ==24355== by 0x47C64CD: d_pending_call_notify (dbus-gproxy.c:1771) ==24355== by 0x47FE551: _dbus_pending_call_complete (dbus-pending-call.c:197) ==24355== by 0x47E9227: complete_pending_call_and_unlock (dbus-connection.c:2308) ==24355== by 0x47ECB37: dbus_connection_dispatch (dbus-connection.c:4593) ==24355== by 0x47C0DCD: message_queue_dispatch (dbus-gmain.c:101) ==24355== by 0x4A5C5BE: g_main_context_dispatch (gmain.c:2425) ==24355== by 0x4A5CCFF: g_main_context_iterate (gmain.c:3073) ==24355== by 0x4A5D336: g_main_loop_run (gmain.c:3281) ==24355== by 0x41B2064: gtk_main (gtkmain.c:1362) ==24355== by 0x4B546B2: (below main) (libc-start.c:226) The problematic code starts in pk_control_get_tid_async(): /* call D-Bus method async */ state->call = dbus_g_proxy_begin_call (control->priv->proxy, "GetTid", (DBusGProxyCallNotify) pk_control_get_tid_cb, state, (GDestroyNotify) pk_control_call_destroy_cb, G_TYPE_INVALID); The GDestroyNotify callback accesses @state: static void pk_control_call_destroy_cb (PkControlState *state) { if (state->call != NULL) g_warning ("%p was destroyed before it was cleared", state->call); } but the DBusGProxyCallNotify callback already destroys @state: static void pk_control_get_tid_cb (DBusGProxy *proxy, DBusGProxyCall *call, PkControlState *state) { GError *error = NULL; gchar *tid = NULL; gboolean ret; /* finished this call */ state->call = NULL; /* get the result */ ret = dbus_g_proxy_end_call (proxy, call, &error, G_TYPE_STRING, &tid, G_TYPE_INVALID); if (!ret) { /* fix up the D-Bus error */ pk_control_fixup_dbus_error (error); g_warning ("failed: %s", error->message); ====> pk_control_get_tid_state_finish (state, error); g_error_free (error); goto out; } /* save results */ state->tid = g_strdup (tid); /* we're done */ ====> pk_control_get_tid_state_finish (state, NULL); out: g_free (tid); } because static void pk_control_get_tid_state_finish (PkControlState *state, const GError *error) { [...] g_slice_free (PkControlState, state); } NOTE: the same pattern of problem may exist for the other dbus calls; but I have checked only this one.
We moved the upstream bugtracker to GitHub a long time ago. If this issue still affects you please re-create the issue here: https://github.com/hughsie/PackageKit/issues Sorry for the impersonal message, and fingers crossed your issue no longer happens. Thanks.
Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.