Bug 374470

Summary: gnome-main-menu crash
Product: [openSUSE] openSUSE 11.0
Reporter: James Ogley <riggwelter>
Component: GNOME
Assignee: Federico Mena Quintero <federico>
Status: RESOLVED DUPLICATE
QA Contact: E-mail List <qa-bugs>
Severity: Major
Priority: P5 - None
CC: federico
Version: Factory
Target Milestone: ---
Hardware: i686
OS: openSUSE 11.0
Whiteboard: gnome-crash
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Bug Depends on:
Bug Blocks: 341831
Attachments: Trace.

Description James Ogley 2008-03-27 16:15:14 UTC
Created attachment 204377 [details]
Trace.

Unlocked gnome-screensaver, gnome-main-menu crashed.  Attaching trace.
Comment 1 Federico Mena Quintero 2008-03-31 23:42:30 UTC
I get a similar crash, apparently when my DHCP lease gets renewed.  Valgrind says this:

==18365== Invalid read of size 4
==18365==    at 0x51B9C3B: g_object_unref (in /usr/lib/libgobject-2.0.so.0.1600.1)
==18365==    by 0x521D50A: (within /usr/lib/libglib-2.0.so.0.1600.1)
==18365==    by 0x521E453: (within /usr/lib/libglib-2.0.so.0.1600.1)
==18365==    by 0x4069E06: (within /usr/lib/libnm_glib.so.0.0.0)
==18365==    by 0x51C499B: g_cclosure_marshal_VOID__BOXED (in /usr/lib/libgobject-2.0.so.0.1600.1)
==18365==    by 0x44587DE: (within /usr/lib/libdbus-glib-1.so.2.1.0)
==18365==    by 0x51B7C3A: g_closure_invoke (in /usr/lib/libgobject-2.0.so.0.1600.1)
==18365==    by 0x51CC41C: (within /usr/lib/libgobject-2.0.so.0.1600.1)
==18365==    by 0x51CD94D: g_signal_emit_valist (in /usr/lib/libgobject-2.0.so.0.1600.1)
==18365==    by 0x51CDDB5: g_signal_emit (in /usr/lib/libgobject-2.0.so.0.1600.1)
==18365==    by 0x4459A66: (within /usr/lib/libdbus-glib-1.so.2.1.0)
==18365==    by 0x462B724: dbus_connection_dispatch (in /lib/libdbus-1.so.3.4.0)
==18365==  Address 0x64b34c0 is 0 bytes inside a block of size 382 free'd
==18365==    at 0x4024E7C: realloc (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==18365==    by 0x4F0F7CD: (within /usr/lib/libfontconfig.so.1.2.0)
==18365==    by 0x4F0FB38: (within /usr/lib/libfontconfig.so.1.2.0)
==18365==    by 0x4F0FB85: (within /usr/lib/libfontconfig.so.1.2.0)
==18365==    by 0x4F10752: (within /usr/lib/libfontconfig.so.1.2.0)
==18365==    by 0x4F10885: FcCharSetUnion (in /usr/lib/libfontconfig.so.1.2.0)
==18365==    by 0x4F194DD: FcFontSetSort (in /usr/lib/libfontconfig.so.1.2.0)
==18365==    by 0x4F1977A: FcFontSort (in /usr/lib/libfontconfig.so.1.2.0)
==18365==    by 0x43B6ACB: (within /usr/lib/libpangoft2-1.0.so.0.2000.0)
==18365==    by 0x4E5B379: pango_font_map_load_fontset (in /usr/lib/libpango-1.0.so.0.2000.0)
==18365==    by 0x4E58F8B: (within /usr/lib/libpango-1.0.so.0.2000.0)
==18365==    by 0x4E5946E: pango_itemize_with_base_dir (in /usr/lib/libpango-1.0.so.0.2000.0)
==18365== 
==18365== Invalid read of size 4
==18365==    at 0x51B9C41: g_object_unref (in /usr/lib/libgobject-2.0.so.0.1600.1)
==18365==    by 0x521D50A: (within /usr/lib/libglib-2.0.so.0.1600.1)
==18365==    by 0x521E453: (within /usr/lib/libglib-2.0.so.0.1600.1)
==18365==    by 0x4069E06: (within /usr/lib/libnm_glib.so.0.0.0)
==18365==    by 0x51C499B: g_cclosure_marshal_VOID__BOXED (in /usr/lib/libgobject-2.0.so.0.1600.1)
==18365==    by 0x44587DE: (within /usr/lib/libdbus-glib-1.so.2.1.0)
==18365==    by 0x51B7C3A: g_closure_invoke (in /usr/lib/libgobject-2.0.so.0.1600.1)
==18365==    by 0x51CC41C: (within /usr/lib/libgobject-2.0.so.0.1600.1)
==18365==    by 0x51CD94D: g_signal_emit_valist (in /usr/lib/libgobject-2.0.so.0.1600.1)
==18365==    by 0x51CDDB5: g_signal_emit (in /usr/lib/libgobject-2.0.so.0.1600.1)
==18365==    by 0x4459A66: (within /usr/lib/libdbus-glib-1.so.2.1.0)
==18365==    by 0x462B724: dbus_connection_dispatch (in /lib/libdbus-1.so.3.4.0)
==18365==  Address 0x10000 is not stack'd, malloc'd or (recently) free'd

So the bug seems to have been introduced with gnome-main-menu_to_NM7.patch.

Some things that seem suspicious from the patch:

* network_status_agent_dispose() should NULL out priv->nm_client, as the dispose method may be called more than once.

* network-status-agent.c:nm_get_first_active_device_info() connects to "status-changed" on the device object, with the "agent" as the closure.  What's the lifetime of the agent?  If the agent can be freed before the underlying device is freed, then the agent should disconnect from the device at dispose time.
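The two lifetime rules from comment 1 (NULL the field in dispose because dispose can run more than once; disconnect any handler that carries the agent as closure data before the agent goes away, since the device may outlive it), shown as an added, GLib-free C model. This is not code from gnome-main-menu or from gnome-main-menu_to_NM7.patch; the Device and Agent types and every function name are assumptions standing in for NMClient/NMDevice, the "status-changed" signal and the agent's priv->nm_client. In real GObject code the same two steps are g_signal_handlers_disconnect_by_data() (or _by_func()) followed by g_clear_object(&priv->nm_client).

```c
/* Added example, not code from gnome-main-menu or its NM patch: a small
 * refcounted "device" with a handler list and an "agent" that holds a
 * reference to it and connects a handler with itself as user data.
 * Device, Agent and all function names are assumptions. */
#include <stdlib.h>

#define MAX_HANDLERS 4

typedef struct Device Device;
typedef void (*StatusHandler)(Device *dev, int status, void *user_data);

struct Device {
    int refcount;
    int n_handlers;
    StatusHandler handlers[MAX_HANDLERS];
    void *handler_data[MAX_HANDLERS];
};

Device *device_new(void) { Device *d = calloc(1, sizeof *d); d->refcount = 1; return d; }
Device *device_ref(Device *d) { d->refcount++; return d; }
/* Frees the device when the last reference is dropped. */
void device_unref(Device *d) { if (--d->refcount == 0) free(d); }

/* Registers a handler; returns its index, or -1 when the list is full. */
int device_connect(Device *d, StatusHandler h, void *user_data)
{
    if (d->n_handlers == MAX_HANDLERS) return -1;
    d->handlers[d->n_handlers] = h;
    d->handler_data[d->n_handlers] = user_data;
    return d->n_handlers++;
}

/* Like g_signal_handlers_disconnect_by_data(): removes every handler whose
 * user data is the given pointer and returns how many were removed. */
int device_disconnect_by_data(Device *d, void *user_data)
{
    int kept = 0, removed = 0;
    for (int i = 0; i < d->n_handlers; i++) {
        if (d->handler_data[i] == user_data) { removed++; continue; }
        d->handlers[kept] = d->handlers[i];
        d->handler_data[kept] = d->handler_data[i];
        kept++;
    }
    d->n_handlers = kept;
    return removed;
}

/* The "status-changed" emission: every registered handler is called with
 * the user data it was connected with, whether or not that data is still alive. */
void device_emit_status_changed(Device *d, int status)
{
    for (int i = 0; i < d->n_handlers; i++)
        d->handlers[i](d, status, d->handler_data[i]);
}

typedef struct {
    Device *nm_client;   /* stands in for priv->nm_client */
    int last_status;
} Agent;

static void agent_on_status_changed(Device *dev, int status, void *user_data)
{
    (void)dev;
    ((Agent *)user_data)->last_status = status;
}

Agent *agent_new(Device *dev)
{
    Agent *a = calloc(1, sizeof *a);
    a->nm_client = device_ref(dev);
    device_connect(dev, agent_on_status_changed, a);   /* closure data: the agent */
    return a;
}

/* dispose written the way comment 1 asks: disconnect our handlers first, then
 * drop the reference and NULL the field so a repeated dispose() is a no-op
 * instead of a second unref on an already released object. */
void agent_dispose(Agent *a)
{
    if (a->nm_client) {
        device_disconnect_by_data(a->nm_client, a);
        device_unref(a->nm_client);
        a->nm_client = NULL;
    }
}

/* Replays the trace's situation: the device outlives the agent, dispose runs
 * twice, and the device emits again after the agent is freed. Returns
 * refcount left for the device's original owner (1) + 10 * handlers still
 * registered (0) + 100 if the handler ran while the agent was alive: 101. */
int lifetime_check(void)
{
    Device *dev = device_new();
    Agent *agent = agent_new(dev);
    device_emit_status_changed(dev, 3);
    int seen = agent->last_status;             /* 3 */
    agent_dispose(agent);
    agent_dispose(agent);                      /* second call must be harmless */
    free(agent);
    device_emit_status_changed(dev, 4);        /* must not reach the freed agent */
    int result = dev->refcount + 10 * dev->n_handlers + 100 * (seen == 3);
    device_unref(dev);
    return result;
}
```

Without the NULL assignment the second agent_dispose() call would unref the device a second time, and without the disconnect the final emission would write into the freed agent, which is the shape of the invalid read Valgrind reports above.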
Comment 2 Federico Mena Quintero 2008-04-07 15:30:18 UTC

*** This bug has been marked as a duplicate of bug 377019 ***