Working on a personal itch-scratching project, I found myself wanting a sortable treeview. So I stuffed my treemodel into a TreeModelSort and set up my sort functions, and everything was happy. Except, when running my application, I kept getting strange segfaults within glib’s qsort implementation. I had set the following function as my sort_func (yes, it’s C++, but it should be fairly self-explanatory):
static int
compare_foo (const Gtk::TreeModel::iterator& a, const Gtk::TreeModel::iterator& b)
{
std::tr1::shared_ptr<Foo> l1, l2;
l1 = a->get_value (COLUMN_FOO);
l2 = b->get_value (COLUMN_FOO);
if (!l1)
return -1;
if (!l2)
return 1;
return l1->get_id () - l2->get_id ();
}Can you spot the error? Running it under valgrind indicated that I was reading data from *before* the start of the array that was being sorted. In fact, the following lines of code in g_qsort_with_data() were causing tmp_ptr to be decreased back past the start of the array:
while ((*compare_func) ((void *) run_ptr, (void *) tmp_ptr, user_data) < 0)
tmp_ptr -= size;Hmm. Why is there no guard to prevent tmp_ptr from being decreased past the start? Then I noticed the following comment up a few lines:
/* Find smallest element in first threshold and place it at the
array's beginning. This is the smallest array element,
and the operation speeds up insertion sort's inner loop. */So at this point, the code is assuming that the very first element of the array is the smallest, so compare_func should always return >= 0 when it reaches the start of the array. Aha! So the problem is my compare_func. It turns out I forgot to handle the single case of both values being NULL.
l1 = a->get_value (COLUMN_FOO);
l2 = b->get_value (COLUMN_FOO);
+
+ if (!l1 && !l2)
+ return 0;
if (!l1)
return -1;So there’s not really a big lesson to be learned here, but if you ever hit strange segfaults deep inside glib’s qsort while sorting a treemodel, do yourself a favor and double-check that your sort function is sane first. Also, do yourself a favor and run it under valgrind as soon as you get a strange segfault. Knowing the exact point of the invalid read is infinitely more helpful than waiting until that invalid read causes a segfault.
Thank you! This has haunted me for 3 years. Damned. That was a quick fix.
Wouldn’t it be even nicer to just do:
if (l1 == l2) return 0;
You’ll save yourself resolving some pointers and calling some functions both in the identity case (which is a superset of two NULLs).
Stupid touchpad, I meant “both resolving and …” 😉
Sure, that might be a nicer solution. But that wasn’t really the point of the post 😉
When you hit this issue once, you never forget again. In general you MUST ensure the following properties on your cmp function:
1) cmp(a,b)==-cmp(b,a)
2) cmp(a,a)==0
3) cmp(a,b)==0 && cmp(b,c)==0 => cmp(a,c)==0
4) cmp(a,b)<0 && cmp(b,c) cmp(a,c)<0
behdad
Thanks for the helpful list Behdad. I think something may have gotten eaten on #4 above due to the angle brackets ?
You’re right. Lets try again:
4) cmp(a,b)<0 && cmp(b,c)<0 => cmp(a,c)<0