Ubuntu
mate-terminal package

mate-terminal crashed with SIGSEGV in g_type_check_instance_is_a() - while editing Keyboard Shortcuts

Bug #1667227 reported by yzp15 on 2017-02-23

This bug report is a duplicate of: Bug #1438014: gnome-terminal-server and mate-terminal crash when setting keyboard shortcuts. Edit Remove

This bug affects 3 people

	Status	Importance	Assigned to
gnome-terminal (Ubuntu)	Invalid	Undecided	Unassigned
gtk+3.0 (Ubuntu)	Confirmed	Undecided	Unassigned
mate-terminal (Ubuntu)	Invalid	Undecided	Unassigned

Bug Description

1)
$ lsb_release -rd
Description: Ubuntu Zesty Zapus (development branch)
Release: 17.04

Installed as Ubuntu-MATE 17.04 "Zesty Zapus" - Alpha amd64

2)
$ apt-cache policy mate-terminal
mate-terminal:
Installed: 1.17.0-0ubuntu1
Candidate: 1.17.0-0ubuntu1
3)
Open mate-terminal
Select "Edit" -> "Keyboard Shortcuts"
Select "Help"->"Contents", click on default shortcut key "F1" to change
Try to set it to various key sequences. Sometimes bug is triggered by pressing "Fn" key with some of Alt/Ctrl/Shift, sometimes by selecting Ctrl-Shift-W / Crtl-Shift-Alt-W
Expected: changed keyboard shortcut for "Help"->"Contents"

4) Abort and closed mate-terminal

ProblemType: Crash
DistroRelease: Ubuntu 17.04
Package: mate-terminal 1.17.0-0ubuntu1
ProcVersionSignature: Ubuntu 4.10.0-8.10-generic 4.10.0-rc8
Uname: Linux 4.10.0-8-generic x86_64
ApportVersion: 2.20.4-0ubuntu2
Architecture: amd64
CurrentDesktop: MATE
Date: Thu Feb 23 09:33:19 2017
ExecutablePath: /usr/bin/mate-terminal
ExecutableTimestamp: 1484233434
InstallationDate: Installed on 2017-02-22 (1 days ago)
InstallationMedia: Ubuntu-MATE 17.04 "Zesty Zapus" - Alpha amd64 (20170125)
ProcCmdline: mate-terminal
ProcCwd: /home/user
SegvAnalysis:
Segfault happened at: 0x7f883e41c321 <g_type_check_instance_is_a+65>: testb $0x4,0x16(%rax)
PC (0x7f883e41c321) ok
source "$0x4" ok
destination "0x16(%rax)" (0x70000001e) not located in a known VMA region (needed writable region)!
SegvReason: writing unknown VMA
Signal: 11
SourcePackage: mate-terminal
StacktraceTop:
g_type_check_instance_is_a () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
gtk_widget_get_toplevel () from /usr/lib/x86_64-linux-gnu/libgtk-3.so.0
?? () from /usr/lib/x86_64-linux-gnu/libgtk-3.so.0
gtk_window_group_add_window () from /usr/lib/x86_64-linux-gnu/libgtk-3.so.0
gtk_window_set_transient_for () from /usr/lib/x86_64-linux-gnu/libgtk-3.so.0
Title: mate-terminal crashed with SIGSEGV in g_type_check_instance_is_a()
UpgradeStatus: No upgrade log present (probably fresh install)
UserGroups: adm cdrom dip lpadmin plugdev sambashare sudo

Tags:

Revision history for this message

yzp15 (yzp15) wrote on 2017-02-23:

Dependencies.txt Edit (5.9 KiB, text/plain; charset="utf-8")
Disassembly.txt Edit (1.2 KiB, text/plain; charset="utf-8")
JournalErrors.txt Edit (6.6 KiB, text/plain; charset="utf-8")
ProcEnviron.txt Edit (302 bytes, text/plain; charset="utf-8")
ProcStatus.txt Edit (1.3 KiB, text/plain; charset="utf-8")
Registers.txt Edit (881 bytes, text/plain; charset="utf-8")
Stacktrace.txt Edit (2.3 KiB, text/plain; charset="utf-8")
ThreadStacktrace.txt Edit (7.8 KiB, text/plain; charset="utf-8")
XsessionErrors.txt Edit (20.6 KiB, text/plain; charset="utf-8")

Revision history for this message

Apport retracing service (apport) wrote on 2017-02-23:

StacktraceTop:
g_type_check_instance_is_a () from /tmp/apport_sandbox_o4BcaN/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
gtk_widget_get_toplevel (widget=0x564d18311770) at ././gtk/gtkwidget.c:11521
window_group_cleanup_grabs (group=<optimized out>, window=window@entry=0x564d1869c350) at ././gtk/gtkwindowgroup.c:110
gtk_window_group_add_window (window_group=0x564d181e8250, window=0x564d1869c350) at ././gtk/gtkwindowgroup.c:169
gtk_window_set_transient_for (window=0x564d1869c350, parent=0x564d1860d660) at ././gtk/gtkwindow.c:3332

Revision history for this message

Apport retracing service (apport) wrote on 2017-02-23: Stacktrace.txt

Stacktrace.txt Edit (3.4 KiB, text/plain)

Revision history for this message

Apport retracing service (apport) wrote on 2017-02-23: StacktraceSource.txt

StacktraceSource.txt Edit (2.8 KiB, text/plain)

Revision history for this message

Apport retracing service (apport) wrote on 2017-02-23: ThreadStacktrace.txt

ThreadStacktrace.txt Edit (9.3 KiB, text/plain)

Changed in gnome-terminal (Ubuntu):
importance:	Undecided → Medium
tags:	removed: need-amd64-retrace

yzp15 (yzp15) on 2017-02-23

Changed in gnome-terminal (Ubuntu):
status:	New → Opinion
no longer affects:	gnome-terminal (Ubuntu)

Revision history for this message

yzp15 (yzp15) wrote on 2017-02-24:

The warning

(mate-terminal:14703): Gtk-CRITICAL **: gtk_widget_get_toplevel: assertion 'GTK_IS_WIDGET (widget)' failed

is from

#0 0x00007ffff6d95d1f in gdk_window_get_window_type (window=0x0) at ././gdk/gdkwindow.c:2240
#1 0x00007ffff72822da in gtk_grab_add (widget=0x555555e40790) at ././gtk/gtkmain.c:2222
#2 0x00007ffff71997d8 in gtk_cell_renderer_accel_start_editing (cell=<optimized out>,
    event=0x5555557edd20, widget=<optimized out>, path=0x555555e35720 "2:0",
    background_area=<optimized out>, cell_area=<optimized out>, flags=(unknown: 0))
    at ././gtk/gtkcellrendereraccel.c:497
#3 0x00007ffff7196700 in gtk_cell_renderer_start_editing (cell=cell@entry=0x555555842270,
    event=event@entry=0x5555557edd20, widget=widget@entry=0x555555e08400, path=0x555555e35720 "2:0",
    background_area=background_area@entry=0x7fffffffcc40, cell_area=cell_area@entry=0x7fffffffcc40,
    flags=(unknown: 0)) at ././gtk/gtkcellrenderer.c:921
#4 0x00007ffff718e601 in gtk_cell_area_activate_cell (area=area@entry=0x555555e02140,
    widget=widget@entry=0x555555e08400, renderer=renderer@entry=0x555555842270,
    event=event@entry=0x5555557edd20, cell_area=cell_area@entry=0x7fffffffccc0,
    flags=flags@entry=(unknown: 0)) at ././gtk/gtkcellarea.c:3432
#5 0x00007ffff718eb0e in gtk_cell_area_real_event (area=0x555555e02140, context=<optimized out>,
    widget=0x555555e08400, event=0x5555557edd20, cell_area=0x7fffffffcd80, flags=(unknown: 0))
    at ././gtk/gtkcellarea.c:1101
#6 0x00007ffff73bee64 in gtk_tree_view_multipress_gesture_pressed (gesture=0x555555849330,
    n_press=1, x=<optimized out>, y=<optimized out>, tree_view=0x555555e08400)
    at ././gtk/gtktreeview.c:3324

The code to gtk_grab_add was added as debian patch in gtk+3.0-3.22.7 (libgtk-3-0 package):
debian/patches/016_no_offscreen_widgets_grabbing.patch:+ if (toplevel && gdk_window_get_window_type (gtk_widget_get_window (toplevel)) == GDK_WINDOW_OFFSCREEN)

Description: Don't let offscreen widget do grabbing
Author: Cody Russell <email address hidden>
Bug: https://bugzilla.gnome.org/show_bug.cgi?id=607668
Bug-Ubuntu: https://bugs.launchpad.net/bugs/512427

critical was reported in https://bugs.launchpad.net/ubuntu/+source/gtk+2.0/+bug/512427/comments/4

SEGV stack has code which works on grabs too:

#0 0x00007ffff5ef5321 in g_type_check_instance_is_a ()
from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#1 0x00007ffff73d61d6 in gtk_widget_get_toplevel (widget=0x555555e40790) at ././gtk/gtkwidget.c:11521
11518 GtkWidget*
11519 gtk_widget_get_toplevel (GtkWidget *widget)
11520 {
11521 g_return_val_if_fail (GTK_IS_WIDGET (widget), NULL);

#2 0x00007ffff73f79c9 in window_group_cleanup_grabs (group=<optimized out>,
window=window@entry=0x555555dc42f0) at ././gtk/gtkwindowgroup.c:110
105 priv = group->priv;
106
107 tmp_list = priv->grabs;
108 while (tmp_list)
109 {
110 if (gtk_widget_get_toplevel (tmp_list->data) == (GtkWidget*) window)
111 to_remove = g_slist_prepend (to_remove, g_object_ref (tmp_list->data));
112 tmp_list = tmp_list->next;
113 }

The warning

(mate-terminal:14703): Gtk-CRITICAL **: gtk_widget_get_toplevel: assertion 'GTK_IS_WIDGET (widget)' failed

is from

#0  0x00007ffff6d95d1f in gdk_window_get_window_type (window=0x0) at ././gdk/gdkwindow.c:2240
#1  0x00007ffff72822da in gtk_grab_add (widget=0x555555e40790) at ././gtk/gtkmain.c:2222
#2  0x00007ffff71997d8 in gtk_cell_renderer_accel_start_editing (cell=<optimized out>, 
    event=0x5555557edd20, widget=<optimized out>, path=0x555555e35720 "2:0", 
    background_area=<optimized out>, cell_area=<optimized out>, flags=(unknown: 0))
    at ././gtk/gtkcellrendereraccel.c:497
#3  0x00007ffff7196700 in gtk_cell_renderer_start_editing (cell=cell@entry=0x555555842270, 
    event=event@entry=0x5555557edd20, widget=widget@entry=0x555555e08400, path=0x555555e35720 "2:0", 
    background_area=background_area@entry=0x7fffffffcc40, cell_area=cell_area@entry=0x7fffffffcc40, 
    flags=(unknown: 0)) at ././gtk/gtkcellrenderer.c:921
#4  0x00007ffff718e601 in gtk_cell_area_activate_cell (area=area@entry=0x555555e02140, 
    widget=widget@entry=0x555555e08400, renderer=renderer@entry=0x555555842270, 
    event=event@entry=0x5555557edd20, cell_area=cell_area@entry=0x7fffffffccc0, 
    flags=flags@entry=(unknown: 0)) at ././gtk/gtkcellarea.c:3432
#5  0x00007ffff718eb0e in gtk_cell_area_real_event (area=0x555555e02140, context=<optimized out>, 
    widget=0x555555e08400, event=0x5555557edd20, cell_area=0x7fffffffcd80, flags=(unknown: 0))
    at ././gtk/gtkcellarea.c:1101
#6  0x00007ffff73bee64 in gtk_tree_view_multipress_gesture_pressed (gesture=0x555555849330, 
    n_press=1, x=<optimized out>, y=<optimized out>, tree_view=0x555555e08400)
    at ././gtk/gtktreeview.c:3324

The code to gtk_grab_add was added as debian patch in gtk+3.0-3.22.7 (libgtk-3-0 package):
debian/patches/016_no_offscreen_widgets_grabbing.patch:+  if (toplevel && gdk_window_get_window_type (gtk_widget_get_window (toplevel)) == GDK_WINDOW_OFFSCREEN)

Description: Don't let offscreen widget do grabbing
Author: Cody Russell <bratsche@gnome.org>
Bug: https://bugzilla.gnome.org/show_bug.cgi?id=607668
Bug-Ubuntu: https://bugs.launchpad.net/bugs/512427

critical was reported in https://bugs.launchpad.net/ubuntu/+source/gtk+2.0/+bug/512427/comments/4

SEGV stack has code which works on grabs too:

#0  0x00007ffff5ef5321 in g_type_check_instance_is_a ()
   from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#1  0x00007ffff73d61d6 in gtk_widget_get_toplevel (widget=0x555555e40790) at ././gtk/gtkwidget.c:11521
11518	GtkWidget*
11519	gtk_widget_get_toplevel (GtkWidget *widget)
11520	{
11521	  g_return_val_if_fail (GTK_IS_WIDGET (widget), NULL);

#2  0x00007ffff73f79c9 in window_group_cleanup_grabs (group=<optimized out>, 
    window=window@entry=0x555555dc42f0) at ././gtk/gtkwindowgroup.c:110
105	  priv = group->priv;
106	
107	  tmp_list = priv->grabs;
108	  while (tmp_list)
109	    {
110	      if (gtk_widget_get_toplevel (tmp_list->data) == (GtkWidget*) window)
111	        to_remove = g_slist_prepend (to_remove, g_object_ref (tmp_list->data));
112	      tmp_list = tmp_list->next;
113	    }

Revision history for this message

yzp15 (yzp15) wrote on 2017-02-25:

Download full text (3.6 KiB)

When shortcut is changing, keypress handler gtk_cell_editable_event_box_key_press_event calls gtk_grab_remove, but _gtk_window_group_remove_grab tries to remove grab from wrong window_group (not the group used to add grab in gtk_grab_add -> _gtk_window_group_add_grab).
Grab remove fails and stale pointer is kept in grab lists of original group. With valgrind I see errors on access with this stale pointer:

==21822== Invalid read of size 8
==21822== at 0x578DEFF: window_group_cleanup_grabs (gtkwindowgroup.c:111)
==21822== by 0x578E38C: gtk_window_group_add_window (gtkwindowgroup.c:176)
==21822== by 0x577AD36: gtk_window_set_transient_for (gtkwindow.c:3332)
==21822== by 0x56FCD22: gtk_tooltip_set_last_window (gtktooltip.c:808)
==21822== by 0x56FE9C9: gtk_tooltip_handle_event_internal (gtktooltip.c:1432)
==21822== by 0x56FE934: _gtk_tooltip_handle_event (gtktooltip.c:1413)
==21822== by 0x55811E2: gtk_main_do_event (gtkmain.c:1938)
==21822== by 0x5D34548: _gdk_event_emit (gdkevents.c:73)
==21822== by 0x5D7ABD1: gdk_event_source_dispatch (gdkeventsource.c:367)
==21822== by 0x6F65177: g_main_dispatch (gmain.c:3203)
==21822== by 0x6F660BA: g_main_context_dispatch (gmain.c:3856)
==21822== by 0x6F662AE: g_main_context_iterate (gmain.c:3929)
==21822== Address 0x16279328 is 344 bytes inside a block of size 416 free'd
==21822== at 0x4C2DD5B: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==21822== by 0x6F6D990: g_free (gmem.c:189)
==21822== by 0x6F88997: g_slice_free1 (gslice.c:1136)
==21822== by 0x6CEAE5D: g_type_free_instance (gtype.c:1937)
==21822== by 0x6CD4F15: g_object_unref (gobject.c:3196)
==21822== by 0x5784A47: gtk_window_propagate_key_event (gtkwindow.c:8141)
==21822== by 0x5784AA0: gtk_window_key_press_event (gtkwindow.c:8159)
==21822== by 0x5583B9C: _gtk_marshal_BOOLEAN__BOXEDv (gtkmarshalers.c:131)
==21822== by 0x6CC8CC7: g_type_class_meta_marshalv (gclosure.c:1024)
==21822== by 0x6CC8849: _g_closure_invoke_va (gclosure.c:867)
==21822== by 0x6CE40E2: g_signal_emit_valist (gsignal.c:3300)
==21822== by 0x6CE52FE: g_signal_emit (gsignal.c:3447)
==21822== Block was alloc'd at
==21822== at 0x4C2CB2F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==21822== by 0x6F6D827: g_malloc (gmem.c:94)
==21822== by 0x6F8875B: g_slice_alloc (gslice.c:1025)
==21822== by 0x6F8879B: g_slice_alloc0 (gslice.c:1051)
==21822== by 0x6CEA95E: g_type_create_instance (gtype.c:1839)
==21822== by 0x6CD135B: g_object_new_internal (gobject.c:1783)
==21822== by 0x6CD20D1: g_object_new_valist (gobject.c:2042)
==21822== by 0x6CD0F44: g_object_new (gobject.c:1626)
==21822== by 0x543ABB9: gtk_cell_editable_event_box_new (gtkcellrendereraccel.c:803)

==21822== Invalid read of size 8
==21822==    at 0x578DEFF: window_group_cleanup_grabs (gtkwindowgroup.c:111)
==21822==    by 0x578E38C: gtk_window_group_add_window (gtkwindowgroup.c:176)
==21822==    by 0x577AD36: gtk_window_set_transient_for (gtkwindow.c:3332)
==21822==    by 0x56FCD22: gtk_tooltip_set_last_window (gtktooltip.c:808)
==21822==    by 0x56FE9C9: gtk_tooltip_handle_event_internal (gtktooltip.c:1432)
==21822==    by 0x56FE934: _gtk_tooltip_handle_event (gtktooltip.c:1413)
==21822==    by 0x55811E2: gtk_main_do_event (gtkmain.c:1938)
==21822==    by 0x5D34548: _gdk_event_emit (gdkevents.c:73)
==21822==    by 0x5D7ABD1: gdk_event_source_dispatch (gdkeventsource.c:367)
==21822==    by 0x6F65177: g_main_dispatch (gmain.c:3203)
==21822==    by 0x6F660BA: g_main_context_dispatch (gmain.c:3856)
==21822==    by 0x6F662AE: g_main_context_iterate (gmain.c:3929)
==21822==  Address 0x16279328 is 344 bytes inside a block of size 416 free'd
==21822==    at 0x4C2DD5B: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==21822==    by 0x6F6D990: g_free (gmem.c:189)
==21822==    by 0x6F88997: g_slice_free1 (gslice.c:1136)
==21822==    by 0x6CEAE5D: g_type_free_instance (gtype.c:1937)
==21822==    by 0x6CD4F15: g_object_unref (gobject.c:3196)
==21822==    by 0x5784A47: gtk_window_propagate_key_event (gtkwindow.c:8141)
==21822==    by 0x5784AA0: gtk_window_key_press_event (gtkwindow.c:8159)
==21822==    by 0x5583B9C: _gtk_marshal_BOOLEAN__BOXEDv (gtkmarshalers.c:131)
==21822==    by 0x6CC8CC7: g_type_class_meta_marshalv (gclosure.c:1024)
==21822==    by 0x6CC8849: _g_closure_invoke_va (gclosure.c:867)
==21822==    by 0x6CE40E2: g_signal_emit_valist (gsignal.c:3300)
==21822==    by 0x6CE52FE: g_signal_emit (gsignal.c:3447)
==21822==  Block was alloc'd at
==21822==    at 0x4C2CB2F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==21822==    by 0x6F6D827: g_malloc (gmem.c:94)
==21822==    by 0x6F8875B: g_slice_alloc (gslice.c:1025)
==21822==    by 0x6F8879B: g_slice_alloc0 (gslice.c:1051)
==21822==    by 0x6CEA95E: g_type_create_instance (gtype.c:1839)
==21822==    by 0x6CD135B: g_object_new_internal (gobject.c:1783)
==21822==    by 0x6CD20D1: g_object_new_valist (gobject.c:2042)
==21822==    by 0x6CD0F44: g_object_new (gobject.c:1626)
==21822==    by 0x543ABB9: gtk_cell_editable_event_box_new (gtkcellrendereraccel.c:803)

Wrong gtk_grab_remove was called from the gtk_window_propagate_key_event:
==21822==    by 0x578EE1B: _gtk_window_group_remove_grab (gtkwindowgroup.c:291)
==21822==    by 0x5581ABE: gtk_grab_remove (gtkmain.c:2285)
==21822==    by 0x543A56A: gtk_cell_editable_event_box_key_press_event (gtkcellrendereraccel.c:645)
==21822==    by 0x5583B9C: _gtk_marshal_BOOLEAN__BOXEDv (gtkmarshalers.c:131)
==21822==    by 0x6CC8CC7: g_type_class_meta_marshalv (gclosure.c:1024)
==21822==    by 0x6CC8849: _g_closure_invoke_va (gclosure.c:867)
==21822==    by 0x6CE40E2: g_signal_emit_valist (gsignal.c:3300)
==21822==    by 0x6CE52FE: g_signal_emit (gsignal.c:3447)
==21822==    by 0x575F9BD: gtk_widget_event_internal (gtkwidget.c:7723)
==21822==    by 0x575ED7F: gtk_widget_event (gtkwidget.c:7293)
==21822==    by 0x57849C4: gtk_window_propagate_key_event (gtkwindow.c:8126)

information type:

Private → Public

Revision history for this message

yzp15 (yzp15) wrote on 2017-02-25:

Download full text (3.6 KiB)

gtk_main_get_window_group function return different results for gtk_grab_add and gtk_grab_remove, but widget address was same in both functions:

  if (GTK_IS_WINDOW (toplevel))
    return gtk_window_get_group (GTK_WINDOW (toplevel));
  else
    return gtk_window_get_group (NULL);

On gtk_grab_add window group is 0x555555b0b160 for widget 0x555555e50780:
Thread 1 "mate-terminal" hit Breakpoint 3, gtk_main_get_window_group (widget=0x555555e50780) at ././gtk/gtkmain.c:2
025
2025 if (GTK_IS_WINDOW (toplevel))
$2044 (widget) = 0x555555e50780
$2045 (toplevel) = 0x555555e50780
$2046 (*widget) = {parent_instance = {g_type_instance = {g_class = 0x555555e5e800}, ref_count = 1, qdata = 0x2}, priv = 0x555
555e50690}
$2047 (*widget.priv) = {..., window = 0x0, registered_windows = 0x0, parent = 0x0, event_contr
ollers = 0x0, accessible = 0x0}
#0 gtk_main_get_window_group (widget=0x555555e50780) at ././gtk/gtkmain.c:2025
#1 0x00007ffff71f3bb3 in gtk_grab_add (widget=0x555555e50780) at ././gtk/gtkmain.c:2231
#2 0x00007ffff70ac1d1 in gtk_cell_renderer_accel_start_editing (cell=0x555555845270, event=0x555555d416f0, widget=
0x555555e183f0, path=0x555555e57720 "2:0", background_area=0x7fffffffc2e0, cell_area=0x7fffffffc2e0, flags=(unknown
: 0)) at ././gtk/gtkcellrendereraccel.c:497
#3 0x00007ffff70a92dd in gtk_cell_renderer_start_editing (cell=0x555555845270, event=0x555555d416f0, widget=0x5555
55e183f0, path=0x555555e57720 "2:0", background_area=0x7fffffffc2e0, cell_area=0x7fffffffc2e0, flags=(unknown: 0))
at ././gtk/gtkcellrenderer.c:921
#4 0x00007ffff709d47e in gtk_cell_area_activate_cell (area=0x555555e0d140, widget=0x555555e183f0, renderer=0x555555845270, event=0x555555d416f0, cell_area=0x7fffffffc380, flags=(unknown: 0)) at ././gtk/gtkcellarea.c:3432
#5 0x00007ffff7096407 in gtk_cell_area_real_event (area=0x555555e0d140, context=0x555555e26850, widget=0x555555e183f0, event=0x555555d416f0, cell_area=0x7fffffffc570, flags=(unknown: 0)) at ././gtk/gtkcellarea.c:1101

At time of gtk_grab_remove, when event is delivered to widget 0x555555e50780 from gtk_main_do_event, its toplevel was 0x555555ddb0d0
Thread 1 "mate-terminal" hit Breakpoint 3, gtk_main_get_window_group (widget=0x555555e50780) at ././gtk/gtkmain.c:2025
2025 if (GTK_IS_WINDOW (toplevel))
$2092 (widget) = 0x555555e50780
$2093 (toplevel) = 0x555555ddb0d0
$2094 (*widget) = {parent_instance = {g_type_instance = {g_class = 0x555555e5e800}, ref_count = 7, qdata = 0x555555ecf180}, priv = 0x555555e50690}
$2095 (*widget.priv) = {...., window = 0x555555e507e0, registered_windows = 0x55555595
7d00, parent = 0x555555e183f0, event_controllers = 0x0, accessible = 0x555555e1d320}
#0 gtk_main_get_window_group (widget=0x555555e50780) at ././gtk/gtkmain.c:2025
#1 0x00007ffff71f3d8c in gtk_grab_remove (widget=0x555555e50780) at ././gtk/gtkmain.c:2286
#2 0x00007ffff70ac56b in gtk_cell_editable_event_box_key_press_event (widget=0x555555e50780, event=0x555555e473c0)
at ././gtk/gtkcellrendereraccel.c:645

Parent of the widget was changed by gtk_tree_view_multipress_gesture_pressed -> .. -> gtk_cell_area_activate_cell -> gtk_cell_area_add_editable -> ..signal.. -> gtk_tree_view_column_add_editable_...

gtk_main_get_window_group function return different results for gtk_grab_add and gtk_grab_remove, but widget address was same in both functions:

if (GTK_IS_WINDOW (toplevel))
    return gtk_window_get_group (GTK_WINDOW (toplevel));
  else
    return gtk_window_get_group (NULL);

On gtk_grab_add window group is 0x555555b0b160 for widget 0x555555e50780:
Thread 1 "mate-terminal" hit Breakpoint 3, gtk_main_get_window_group (widget=0x555555e50780) at ././gtk/gtkmain.c:2
025
2025      if (GTK_IS_WINDOW (toplevel))
$2044 (widget) = 0x555555e50780
$2045 (toplevel) = 0x555555e50780
$2046 (*widget) = {parent_instance = {g_type_instance = {g_class = 0x555555e5e800}, ref_count = 1, qdata = 0x2}, priv = 0x555
555e50690}
$2047 (*widget.priv) = {..., window = 0x0, registered_windows = 0x0, parent = 0x0, event_contr
ollers = 0x0, accessible = 0x0}
#0  gtk_main_get_window_group (widget=0x555555e50780) at ././gtk/gtkmain.c:2025
#1  0x00007ffff71f3bb3 in gtk_grab_add (widget=0x555555e50780) at ././gtk/gtkmain.c:2231
#2  0x00007ffff70ac1d1 in gtk_cell_renderer_accel_start_editing (cell=0x555555845270, event=0x555555d416f0, widget=
0x555555e183f0, path=0x555555e57720 "2:0", background_area=0x7fffffffc2e0, cell_area=0x7fffffffc2e0, flags=(unknown
: 0)) at ././gtk/gtkcellrendereraccel.c:497
#3  0x00007ffff70a92dd in gtk_cell_renderer_start_editing (cell=0x555555845270, event=0x555555d416f0, widget=0x5555
55e183f0, path=0x555555e57720 "2:0", background_area=0x7fffffffc2e0, cell_area=0x7fffffffc2e0, flags=(unknown: 0)) 
at ././gtk/gtkcellrenderer.c:921
#4  0x00007ffff709d47e in gtk_cell_area_activate_cell (area=0x555555e0d140, widget=0x555555e183f0, renderer=0x555555845270, event=0x555555d416f0, cell_area=0x7fffffffc380, flags=(unknown: 0)) at ././gtk/gtkcellarea.c:3432
#5  0x00007ffff7096407 in gtk_cell_area_real_event (area=0x555555e0d140, context=0x555555e26850, widget=0x555555e183f0, event=0x555555d416f0, cell_area=0x7fffffffc570, flags=(unknown: 0)) at ././gtk/gtkcellarea.c:1101

At time of gtk_grab_remove, when event is delivered to widget 0x555555e50780 from gtk_main_do_event, its toplevel was 0x555555ddb0d0
Thread 1 "mate-terminal" hit Breakpoint 3, gtk_main_get_window_group (widget=0x555555e50780) at ././gtk/gtkmain.c:2025
2025      if (GTK_IS_WINDOW (toplevel))
$2092 (widget) = 0x555555e50780
$2093 (toplevel) = 0x555555ddb0d0
$2094 (*widget) = {parent_instance = {g_type_instance = {g_class = 0x555555e5e800}, ref_count = 7, qdata = 0x555555ecf180}, priv = 0x555555e50690}
$2095 (*widget.priv) = {...., window = 0x555555e507e0, registered_windows = 0x55555595
7d00, parent = 0x555555e183f0, event_controllers = 0x0, accessible = 0x555555e1d320}
#0  gtk_main_get_window_group (widget=0x555555e50780) at ././gtk/gtkmain.c:2025
#1  0x00007ffff71f3d8c in gtk_grab_remove (widget=0x555555e50780) at ././gtk/gtkmain.c:2286
#2  0x00007ffff70ac56b in gtk_cell_editable_event_box_key_press_event (widget=0x555555e50780, event=0x555555e473c0)
 at ././gtk/gtkcellrendereraccel.c:645

Parent of the widget was changed by gtk_tree_view_multipress_gesture_pressed -> .. -> gtk_cell_area_activate_cell -> gtk_cell_area_add_editable -> ..signal.. -> gtk_tree_view_column_add_editable_callback -> _gtk_tree_view_add_editable -> gtk_tree_view_put -> gtk_widget_set_parent

So, gtk_cell_area_activate_cell of gtk+3 (3.22.7) has incorrect order of actions which broke gtk_grab_add / gtk_grab_remove pair
https://github.com/GNOME/gtk/blob/6cc08d60efeb02afc0d67982c3dc205dfd16d7cd/gtk/gtkcellarea.c#L3388

3428   gtk_cell_renderer_start_editing (renderer,
...
3444   gtk_cell_area_add_editable (area, priv->focus_cell, editable_widget, cell_area);

Revision history for this message

yzp15 (yzp15) wrote on 2017-02-25:

Bug can be detected by "Gtk-CRITICAL **: gtk_widget_get_toplevel: assertion 'GTK_IS_WIDGET (widget)' failed" messages, when mate-terminal or gnome-terminal are started from another console (with option --disable-factory) and keyboard shortcuts are edited.
I have such messages with gtk+3 (upstream) versions 3.16.7, 3.18.9, 3.20.9, 3.22.8; valgrind can detect invalid reads (use after free) from window_group_cleanup_grabs -> gtk_widget_get_toplevel.

Simple, but potentially incorrect patch corrects this bug (both Gtk-CRITICAL messages and valgrind detections/SIGSEGVs) in mate-terminal and gnome-terminal (bug #1667232). It is tested with gtk+3 3.16.7, 3.18.9, 3.20.9, 3.22.8.
Just call _gtk_window_group_remove_grab from gtkmain.c:gtk_grab_remove twice, additional call with default window group, to clear all possible references to the widget from the grabs list:

diff --git a/gtk/gtkmain.c b/gtk/gtkmain.c
index 3152971256..681cb2bec9 100644
--- a/gtk/gtkmain.c
+++ b/gtk/gtkmain.c
@@ -2274,6 +2274,9 @@ gtk_grab_remove (GtkWidget *widget)

       group = gtk_main_get_window_group (widget);
       _gtk_window_group_remove_grab (group, widget);
+ // quick workaround for lp #1667227, lp #1667232
+ _gtk_window_group_remove_grab (gtk_window_get_group (NULL), widget);
+
       new_grab_widget = gtk_window_group_get_current_grab (group);

gtk_grab_notify (group, NULL, widget, new_grab_widget, FALSE);

Revision history for this message

yzp15 (yzp15) wrote on 2017-02-25:

#10

lp1667227_quick_fix_gtk_grab_remove.gtk+3.22.8.patch Edit (558 bytes, text/plain)

Revision history for this message

Ubuntu Foundations Team Bug Bot (crichton) wrote on 2017-02-25:

#11

The attachment "lp1667227_quick_fix_gtk_grab_remove.gtk+3.22.8.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags:

added: patch

Revision history for this message

Jeremy Bícha (jbicha) wrote on 2017-03-02:

#12

yzp15, could you please report this upstream?

https://bugzilla.gnome.org/enter_bug.cgi?product=gtk%2B
https://wiki.ubuntu.com/Bugs/Upstream/GNOME.

If you have done so, please tell us the number of the upstream bug (or the link), so we can add a bugwatch that will inform us about its status. Thanks in advance.

Revision history for this message

Launchpad Janitor (janitor) wrote on 2017-10-19:

#13

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in gnome-terminal (Ubuntu):
status:	New → Confirmed
Changed in gtk+3.0 (Ubuntu):
status:	New → Confirmed
Changed in mate-terminal (Ubuntu):
status:	New → Confirmed

Vlad Orlov (monsta) on 2017-10-19

tags:

added: artful

Vlad Orlov (monsta) on 2017-12-12

tags:

added: bionic

Vlad Orlov (monsta) on 2017-12-12

Changed in gnome-terminal (Ubuntu):
status:	Confirmed → Invalid
Changed in mate-terminal (Ubuntu):
status:	Confirmed → Invalid

Revision history for this message

Vlad Orlov (monsta) wrote on 2017-12-13:

#16

Surprise, it's been affecting gnome-terminal for years: bug 1438014.

Revision history for this message

Vlad Orlov (monsta) wrote on 2017-12-13:

#17

Forgot to mention that 016_no_offscreen_widgets_grabbing.patch had never been accepted upstream, as I learned in the discussion at https://bugzilla.gnome.org/607668.