
A Pango attribute deallocated twice


From: Tommi Höynälänmaa
Subject: A Pango attribute deallocated twice
Date: Tue, 5 Jun 2018 15:29:27 +0300
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.7.0

Hi

A Pango attribute gets deallocated twice in program calc-9.scm causing
the program to crash. The Scheme code calc-9.scm is generated from the
Theme-D program calc-9.thp.

Gdb gives the following output:
---cut here---
scheme@(guile-user)> (load "rtp.scm")
scheme@(guile-user)> (__main (list "" "calc-9.go"))
*1*
*2*
(guile:1851): Pango-DEBUG: 20:41:22.941: pango_attr_color_new: 0x555556590d60
(guile:1851): Pango-DEBUG: 20:41:22.941: klass: 0x7fffeb7c5fa0
*4*
(guile:1851): Pango-DEBUG: 20:41:23.051: pango_attr_int_new: 0x55555615ae60
(guile:1851): Pango-DEBUG: 20:41:23.051: klass: 0x7fffeb7c5de0
(guile:1851): Pango-DEBUG: 20:41:23.051: pango_attr_list_unref ENTER
(guile:1851): Pango-DEBUG: 20:41:23.051: pango_attr_list_unref EXIT
(guile:1851): Pango-DEBUG: 20:41:23.051: pango_attr_int_new: 0x55555615afa0
(guile:1851): Pango-DEBUG: 20:41:23.051: klass: 0x7fffeb7c5de0
(guile:1851): Pango-DEBUG: 20:41:23.051: pango_attr_int_new: 0x55555615b0c0
(guile:1851): Pango-DEBUG: 20:41:23.051: klass: 0x7fffeb7c5de0
(guile:1851): Pango-DEBUG: 20:41:23.063: pango_attr_list_unref ENTER
(guile:1851): Pango-DEBUG: 20:41:23.063: pango_attr_list_unref/1
(guile:1851): Pango-DEBUG: 20:41:23.063: attr: 0x55555615afa0
(guile:1851): Pango-DEBUG: 20:41:23.063: klass: 0x7fffeb7c5de0
(guile:1851): Pango-DEBUG: 20:41:23.063: destroy: 0x7fffeb590dc0
(guile:1851): Pango-DEBUG: 20:41:23.063: pango_attr_list_unref/2
(guile:1851): Pango-DEBUG: 20:41:23.063: pango_attr_list_unref/3
(guile:1851): Pango-DEBUG: 20:41:23.063: pango_attr_list_unref/4
(guile:1851): Pango-DEBUG: 20:41:23.063: pango_attr_list_unref EXIT
(guile:1851): Pango-DEBUG: 20:41:23.063: pango_attribute_destroy ENTER: 0x55555615b0c0
(guile:1851): Pango-DEBUG: 20:41:23.063: klass: 0x7fffeb7c5de0
(guile:1851): Pango-DEBUG: 20:41:23.063: destroy: 0x7fffeb590dc0
(guile:1851): Pango-DEBUG: 20:41:23.063: pango_attribute_destroy EXIT
(guile:1851): Pango-DEBUG: 20:41:23.063: pango_attr_int_new: 0x55555615aec0
(guile:1851): Pango-DEBUG: 20:41:23.063: klass: 0x7fffeb7c5de0
(guile:1851): Pango-DEBUG: 20:41:23.063: pango_attr_int_new: 0x55555615af60
(guile:1851): Pango-DEBUG: 20:41:23.063: klass: 0x7fffeb7c5de0
(guile:1851): Pango-DEBUG: 20:41:23.063: pango_attr_list_unref ENTER
(guile:1851): Pango-DEBUG: 20:41:23.063: pango_attr_list_unref/1
(guile:1851): Pango-DEBUG: 20:41:23.063: attr: 0x55555615aec0
(guile:1851): Pango-DEBUG: 20:41:23.063: klass: 0x7fffeb7c5de0
(guile:1851): Pango-DEBUG: 20:41:23.063: destroy: 0x7fffeb590dc0
(guile:1851): Pango-DEBUG: 20:41:23.063: pango_attr_list_unref/2
(guile:1851): Pango-DEBUG: 20:41:23.063: pango_attr_list_unref/3
(guile:1851): Pango-DEBUG: 20:41:23.063: pango_attr_list_unref/4
(guile:1851): Pango-DEBUG: 20:41:23.063: pango_attr_list_unref EXIT
(guile:1851): Pango-DEBUG: 20:41:23.063: pango_attribute_destroy ENTER: 0x55555615af60
(guile:1851): Pango-DEBUG: 20:41:23.063: klass: 0x7fffeb7c5de0
(guile:1851): Pango-DEBUG: 20:41:23.063: destroy: 0x7fffeb590dc0
(guile:1851): Pango-DEBUG: 20:41:23.063: pango_attribute_destroy EXIT
(guile:1851): Pango-DEBUG: 20:41:23.063: pango_attr_list_unref ENTER
(guile:1851): Pango-DEBUG: 20:41:23.063: pango_attr_list_unref/1
(guile:1851): Pango-DEBUG: 20:41:23.063: attr: 0x55555615ae60
(guile:1851): Pango-DEBUG: 20:41:23.063: klass: 0x7fffeb7c5de0
(guile:1851): Pango-DEBUG: 20:41:23.063: destroy: 0x7fffeb590dc0
(guile:1851): Pango-DEBUG: 20:41:23.063: pango_attr_list_unref/2
(guile:1851): Pango-DEBUG: 20:41:23.063: pango_attr_list_unref/3
(guile:1851): Pango-DEBUG: 20:41:23.063: pango_attr_list_unref/4
(guile:1851): Pango-DEBUG: 20:41:23.063: pango_attr_list_unref EXIT
*5*
*6*
*7*
outer lambda enter
inner lambda enter
make-button-row ENTER
make-button-row EXIT
inner lambda exit
outer lambda exit
outer lambda enter
inner lambda enter
make-button-row ENTER
make-button-row EXIT
inner lambda exit
inner lambda enter
make-button-row ENTER
make-button-row EXIT
inner lambda exit
(guile:1851): Pango-DEBUG: 20:41:23.105: pango_attr_list_unref ENTER
(guile:1851): Pango-DEBUG: 20:41:23.105: pango_attr_list_unref/1
(guile:1851): Pango-DEBUG: 20:41:23.105: attr: 0x555556590d60
(guile:1851): Pango-DEBUG: 20:41:23.105: klass: 0x7fffeb7c5fa0
(guile:1851): Pango-DEBUG: 20:41:23.105: destroy: 0x7fffeb590db0
(guile:1851): Pango-DEBUG: 20:41:23.105: pango_attr_list_unref/2
(guile:1851): Pango-DEBUG: 20:41:23.105: pango_attr_list_unref/3
(guile:1851): Pango-DEBUG: 20:41:23.105: pango_attr_list_unref/4
(guile:1851): Pango-DEBUG: 20:41:23.105: pango_attr_list_unref EXIT
(guile:1851): Pango-DEBUG: 20:41:23.105: pango_attribute_destroy ENTER: 0x555556590d60
(guile:1851): Pango-DEBUG: 20:41:23.105: klass: 0x7fffec0014e0
(guile:1851): Pango-DEBUG: 20:41:23.105: destroy: 0x80
inner lambda enter
make-button-row ENTER

Thread 5 "guile" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff3504700 (LWP 1858)]
0x0000000000000080 in ?? ()
(gdb) backtrace
#0  0x0000000000000080 in  ()
#1  0x00007fffeb591591 in pango_attribute_destroy ()
    at /usr/lib/x86_64-linux-gnu/libpango-1.0.so.0
#2  0x00007fffeb7d3259 in  ()
    at /usr/lib/guile-gnome-2/libgw-guile-gnome-pango.so.0
#3  0x00007ffff00d3f0f in  () at /usr/lib/libgwrap-guile-runtime.so.2
#4  0x00007ffff00d3fae in  () at /usr/lib/libgwrap-guile-runtime.so.2
#5  0x00007ffff724b74d in GC_invoke_finalizers ()
    at /usr/lib/x86_64-linux-gnu/libgc.so.1
#6  0x00007ffff7affe79 in scm_run_finalizers ()
    at /usr/lib/x86_64-linux-gnu/libguile-2.2.so.1
#7  0x00007ffff7affed5 in  () at /usr/lib/x86_64-linux-gnu/libguile-2.2.so.1
#8  0x00007ffff7af0a4a in  () at /usr/lib/x86_64-linux-gnu/libguile-2.2.so.1
#9  0x00007ffff7b6a30c in  () at /usr/lib/x86_64-linux-gnu/libguile-2.2.so.1
#10 0x00007ffff7b74137 in scm_call_n ()
    at /usr/lib/x86_64-linux-gnu/libguile-2.2.so.1
#11 0x00007ffff7b62da2 in  () at /usr/lib/x86_64-linux-gnu/libguile-2.2.so.1
#12 0x00007ffff7af1030 in  () at /usr/lib/x86_64-linux-gnu/libguile-2.2.so.1
#13 0x00007ffff7af10c5 in scm_c_with_continuation_barrier ()
    at /usr/lib/x86_64-linux-gnu/libguile-2.2.so.1
#14 0x00007ffff7b619ec in  () at /usr/lib/x86_64-linux-gnu/libguile-2.2.so.1
#15 0x00007ffff7252c42 in GC_call_with_stack_base ()
    at /usr/lib/x86_64-linux-gnu/libgc.so.1
#16 0x00007ffff7b61d08 in scm_with_guile ()
    at /usr/lib/x86_64-linux-gnu/libguile-2.2.so.1
#17 0x00007ffff78a16db in start_thread (arg=0x7ffff3504700)
    at pthread_create.c:463
#18 0x00007ffff75ca88f in clone ()
    at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
(gdb)
---cut here---

The attribute deallocated twice has address 0x55555658ff60. It is
allocated by function pango_attr_color_new at the start of the log.
By comparing the properties of this attribute printed after calls to
pango_attr_list_unref and pango_attribute_destroy at the end of the
log it can be seen that the contents of the attribute have got
corrupted after the first deallocation (of course, this is not an
error).

The files related to this bug can be found at

     http://www.iki.fi/tohoyn/theme-d/theme-d-gnome-bug1.tar.bz2

There is a version of the file pango-attributes.c containing extra debug
information in the package. If you use that you also have to set the
environment variable G_MESSAGES_DEBUG (to value "all") so that the log
messages get printed.  When I removed the Pango-related procedure
calls from the program the bug disappeared.  When I added the same
Pango operations to the original version of calc.scm in guile-gnome
the bug did not occur. IMHO the variable attrlist should not be
deallocated at all in the position where it is done now since it is
defined in the surrounding let expression.

I use guile 2.2.3 and guile-gnome 2.16.5 on Ubuntu 18.04.

Steps to reproduce the bug:
1. Unpack file theme-d-gnome-bug1.tar.bz2 and cd to subdirectory
theme-d-gnome-bug1.
2. Launch script init.sh.
3. Launch script launch-gdb.sh.
4. Give command run.
5. After guile starts give the following commands:
  (load "rtp.scm")
  (__main (list "" "calc-9.go"))

Does anyone have ideas how to fix this?

     - Tommi Höynälänmaa
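
A checker for logs of the kind quoted in the message, added here as an example (not code from the post, Pango or guile-gnome): it reports every attribute address that is destroyed twice with no allocation in between, and whether the klass/destroy fields differ between the two destroys. The function names and the SAMPLE list are constructed for this illustration; the message texts are a subset of the log above in their original order, with the prefix and timestamp held constant.

```python
import re

MSG = re.compile(r"Pango-DEBUG: [\d:.]+: (.+)$")
NEW = re.compile(r"pango_attr_\w+_new: (0x[0-9a-f]+)$")
FREE = re.compile(r"(attr|pango_attribute_destroy ENTER): (0x[0-9a-f]+)$")
FIELD = re.compile(r"(klass|destroy): (0x[0-9a-f]+)$")

def find_double_destroys(lines):
    """Return (first, second) destroy events for every address destroyed
    twice without being allocated again in between."""
    freed, findings, current = {}, [], None
    for line in lines:
        m = MSG.search(line)
        if not m:
            continue                      # Scheme trace output, gdb text, ...
        msg = m.group(1).strip()
        if n := NEW.match(msg):
            freed.pop(n.group(1), None)   # address reused by a new attribute
            current = None
        elif f := FREE.match(msg):
            via = "pango_attr_list_unref" if f.group(1) == "attr" else "pango_attribute_destroy"
            current = {"addr": f.group(2), "via": via}
            if current["addr"] in freed:
                findings.append((freed[current["addr"]], current))
            else:
                freed[current["addr"]] = current
        elif (p := FIELD.match(msg)) and current is not None:
            current[p.group(1)] = p.group(2)   # klass / destroy seen at this destroy
    return findings

def vtable_changed(first, second):
    """True when klass or destroy differs between the two destroys (stale read)."""
    return any(first.get(k) != second.get(k) for k in ("klass", "destroy"))

# Constructed sample: message texts copied from the log above, constant prefix.
PREFIX = "(guile:1851): Pango-DEBUG: 20:41:23.105: "
SAMPLE = [PREFIX + m for m in (
    "pango_attr_color_new: 0x555556590d60", "klass: 0x7fffeb7c5fa0",
    "pango_attr_int_new: 0x55555615b0c0", "klass: 0x7fffeb7c5de0",
    "pango_attribute_destroy ENTER: 0x55555615b0c0", "klass: 0x7fffeb7c5de0",
    "destroy: 0x7fffeb590dc0", "pango_attribute_destroy EXIT",
    "pango_attr_list_unref ENTER", "pango_attr_list_unref/1", "attr: 0x555556590d60",
    "klass: 0x7fffeb7c5fa0", "destroy: 0x7fffeb590db0", "pango_attr_list_unref EXIT",
    "pango_attribute_destroy ENTER: 0x555556590d60", "klass: 0x7fffec0014e0", "destroy: 0x80",
)]

if __name__ == "__main__":
    for a, b in find_double_destroys(SAMPLE):
        print(a["addr"], a["via"], "->", b["via"], "changed:", vtable_changed(a, b))
```

Dropping entries on a later allocation of the same address keeps allocator reuse from being reported as a double destroy.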




