Comment 7 for bug 956810

Kevin Turner (keturn) wrote:

Okay, bug 784808 was instructive, but I think that one really _was_ resolved and it's a related (but not _exactly_ the same) issue we're dealing with here. I suspect the culprit is this patch http://bazaar.launchpad.net/~dbusmenu-team/dbusmenu/trunk.0.6/revision/362.4.1 to libdbusmenu.

It adds g_variant_ref_sink calls to the results of calls to g_variant_parse. But the results of g_variant_parse are *not* floating references*, so this is adding a second reference.

If gotsomething is false (as it may be if we took the g_variant_parse path), we don't call dbus_connection_emit_signal, we only unref once, and that's clearly not enough. (And actually, if !gotsomething && !removeitem_init, we don't seem to do _anything_ with megadata, so it's not clear why we'd do that megadata[1] = g_variant_parse at all).

If gotsomething is true, we g_variant_new_tuple(megadata), and that tuple adds a reference to each of its elements†, so I'm not sure why we'd need to add an additional reference ourselves beforehand.

What any of that has to do with your uninitialized bytes from https://bugs.launchpad.net/ubuntu/+source/libdbusmenu/+bug/929707 I haven't figured out.

* https://bugs.launchpad.net/dbusmenu/+bug/784808/comments/1
† http://git.gnome.org/browse/glib/tree/glib/gvariant.c?h=glib-2-32#n877
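To make the reference arithmetic in the comment above concrete, here is an added example that is not part of the bug report, of libdbusmenu, or of GLib: a small stand-in model of GVariant's floating-reference rules, counting references along the two paths described. The `model_*` functions and the `Variant` struct are hypothetical substitutes for the GLib calls they are named after; the assumed semantics are that g_variant_parse returns a non-floating reference, g_variant_ref_sink clears the floating flag on a floating variant but adds a reference to a non-floating one, g_variant_new_tuple ref_sinks each child, and g_variant_unref releases children when the count reaches zero. How the tuple path releases its references after emitting the signal is also an assumption of the model.

```c
/* Added example: a model of GVariant floating-reference bookkeeping, not
 * GLib's own code. Used to count what the libdbusmenu patch changes. */
#include <stdio.h>
#include <stdlib.h>

#define MAX_CHILDREN 4

/* Stand-in for GVariant: only the bookkeeping the reasoning needs. */
typedef struct Variant {
    int refcount;
    int floating;
    int nchildren;
    struct Variant *children[MAX_CHILDREN];
} Variant;

static int live_variants = 0;   /* objects allocated and not yet freed */

static Variant *variant_alloc(int floating)
{
    Variant *v = calloc(1, sizeof *v);
    if (!v)
        abort();
    v->refcount = 1;
    v->floating = floating;
    live_variants++;
    return v;
}

/* Assumed g_variant_parse(): returns a full, non-floating reference. */
static Variant *model_variant_parse(void)
{
    return variant_alloc(0);
}

/* Assumed g_variant_ref_sink(): floating -> just clear the flag;
 * non-floating -> add a second reference. */
static Variant *model_ref_sink(Variant *v)
{
    if (v->floating)
        v->floating = 0;
    else
        v->refcount++;
    return v;
}

/* Assumed g_variant_unref(): drop one reference; release children at zero. */
static void model_unref(Variant *v)
{
    if (--v->refcount > 0)
        return;
    for (int i = 0; i < v->nchildren; i++)
        model_unref(v->children[i]);
    free(v);
    live_variants--;
}

/* Assumed g_variant_new_tuple(): a floating container that ref_sinks each child. */
static Variant *model_new_tuple(Variant **children, int n)
{
    Variant *t = variant_alloc(1);
    t->nchildren = n;
    for (int i = 0; i < n; i++)
        t->children[i] = model_ref_sink(children[i]);
    return t;
}

/* The !gotsomething path: parse, ref_sink only if the patch is applied, then
 * the single unref the code does. Returns how many variants are left alive. */
int leaked_on_parse_only_path(int with_patch)
{
    live_variants = 0;
    Variant *v = model_variant_parse();
    if (with_patch)
        model_ref_sink(v);
    model_unref(v);
    return live_variants;
}

/* The gotsomething path: parse, optional ref_sink, wrap in a tuple, hand the
 * tuple to the signal emitter, then release the element and the tuple once
 * each. (That release sequence is an assumption of this model.) */
int leaked_on_tuple_path(int with_patch)
{
    live_variants = 0;
    Variant *v = model_variant_parse();
    if (with_patch)
        model_ref_sink(v);
    Variant *tuple = model_new_tuple(&v, 1);
    model_ref_sink(tuple);      /* the signal emitter takes ownership */
    model_unref(v);             /* caller's own reference to the element */
    model_unref(tuple);         /* tuple released after the signal is sent */
    return live_variants;
}

int main(void)
{
    printf("parse-only path: leaked %d without patch, %d with patch\n",
           leaked_on_parse_only_path(0), leaked_on_parse_only_path(1));
    printf("tuple path:      leaked %d without patch, %d with patch\n",
           leaked_on_tuple_path(0), leaked_on_tuple_path(1));
    return 0;
}
```

Under these assumptions both paths are balanced without the extra ref_sink and leave one variant alive with it, which is the extra reference the comment points at; the model says nothing about the uninitialized-bytes report, which is a separate question.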