gimp crashes if you close a dialog

Thanks for your bug report. Which version of gimp do you use? Can you get a backtrace by following the steps on http://wiki.ubuntu.com/DebuggingProgramCrash?

Hi Daniel,
I'm running the latest version of gimp (2.2.10-1ubuntu2) and I have a backtrace which follows, but I doubt it'll be of use (heap corruption):

*** glibc detected *** corrupted double-linked list: 0xb7741358 ***

Program received signal SIGABRT, Aborted.
[Switching to Thread -1218651936 (LWP 26199)]
0xffffe410 in __kernel_vsyscall ()
(gdb) bt
#0 0xffffe410 in __kernel_vsyscall ()
#1 0xb763d9a1 in raise () from /lib/tls/i686/cmov/libc.so.6
#2 0xb763f2b9 in abort () from /lib/tls/i686/cmov/libc.so.6
#3 0xb767187a in __libc_message () from /lib/tls/i686/cmov/libc.so.6
#4 0xb767788d in malloc_consolidate () from /lib/tls/i686/cmov/libc.so.6
#5 0xb7678653 in _int_malloc () from /lib/tls/i686/cmov/libc.so.6
#6 0xb767a411 in malloc () from /lib/tls/i686/cmov/libc.so.6
#7 0xb7a1e115 in _cairo_path_arg_buf_create () at cairo-path.c:417
#8 0xb7a1df8d in _cairo_path_fixed_add (path=0x8dc23d0,
    op=CAIRO_PATH_OP_MOVE_TO, points=0xbfa715bc, num_points=1)
    at cairo-path.c:339
#9 0xb7a1dbea in _cairo_path_fixed_move_to (path=0x8dc23d0, x=0, y=0)
    at cairo-path.c:169
#10 0xb7a11477 in *INT_cairo_move_to (cr=0x8dc23c8, x=0, y=0) at cairo.c:994
#11 0xb7a11bb0 in cairo_rectangle (cr=0x8dc23c8, x=0, y=25, width=34,
    height=34) at cairo.c:1350
#12 0xb7b1ed4d in gdk_window_clear_backing_rect (window=0x8c33a68, x=0, y=25,
    width=34, height=34) at gdkwindow.c:1841
#13 0xb7b1efbb in IA__gdk_window_begin_paint_region (window=0x8c33a68,
    region=0x8dc3598) at gdkwindow.c:991
#14 0xb7c8e347 in IA__gtk_main_do_event (event=0xbfa71760) at gtkmain.c:1404
#15 0xb7b1fe17 in gdk_window_process_updates_internal (window=0x8c33a68)
    at gdkwindow.c:2292
---Type <return> to continue, or q <return> to quit---
#16 0xb7b1feeb in IA__gdk_window_process_all_updates () at gdkwindow.c:2345
#17 0xb7b1ff6c in gdk_window_update_idle (data=0x0) at gdkwindow.c:2213
#18 0xb7814b92 in g_idle_dispatch (source=0x8da7f70, callback=0x6,
    user_data=0x0) at gmain.c:3796
#19 0xb7812876 in IA__g_main_context_dispatch (context=0x83e9378)
    at gmain.c:1916
#20 0xb7815936 in g_main_context_iterate (context=0x83e9378, block=1,
    dispatch=1, self=0x83fed10) at gmain.c:2547
#21 0xb7815c58 in IA__g_main_loop_run (loop=0x8cead70) at gmain.c:2751
#22 0x080630f2 in app_run (full_prog_name=0xbfa739e0 "/usr/bin/gimp",
    gimp_argc=0, gimp_argv=0xbfa71d28, alternate_system_gimprc=0x0,
    alternate_gimprc=0x0, session_name=0x0, batch_interpreter=0x0,
    batch_commands=0x83fed98, no_interface=0, no_data=0, no_fonts=0,
    no_splash=0, be_verbose=0, use_shm=1, use_cpu_accel=1, console_messages=0,
    stack_trace_mode=GIMP_STACK_TRACE_NEVER,
    pdb_compat_mode=GIMP_PDB_COMPAT_ON) at app_procs.c:376
#23 0x08064797 in main (argc=1, argv=0xbfa71d24) at main.c:473

The valgrind output is a lot more informative:

==26286==
==26286== Invalid free() / delete / delete[]
==26286== at 0x401CFCF: free (vg_replace_malloc.c:235)
==26286== by 0x4732E8B: g_free (gmem.c:187)
==26286== by 0x81385B4: gimp_dockable_destroy (gimpdockable.c:245)
==26286== by 0x46DF422: g_cclosure_marshal_VOID__VOID (gmarshal.c:77)
==26286== by 0x46D316E: ??? (gclosure.c:567)
==26286== by 0x46D379E: g_closure_invoke (gclosure.c:490)
==26286== by 0x46E2B16: ??? (gsignal.c:2554)
==26286== by 0x46E3B18: g_signal_emit_valist (gsignal.c:2197)
==26286== by 0x46E3E88: g_signal_emit (gsignal.c:2241)
==26286== by 0x42771F1: ??? (gtkobject.c:419)
==26286== by 0x434289E: ??? (gtkwidget.c:6672)
==26286== by 0x46D5EAB: g_object_unref (gobject.c:1734)
==26286== Address 0x5261718 is 0 bytes inside a block of size 7 free'd
==26286== at 0x401CFCF: free (vg_replace_malloc.c:235)
==26286== by 0x4732E8B: g_free (gmem.c:187)
==26286== by 0x81385D6: gimp_dockable_destroy (gimpdockable.c:251)
==26286== by 0x46DF422: g_cclosure_marshal_VOID__VOID (gmarshal.c:77)
==26286== by 0x46D316E: ??? (gclosure.c:567)
==26286== by 0x46D379E: g_closure_invoke (gclosure.c:490)
==26286== by 0x46E2B16: ??? (gsignal.c:2554)
==26286== by 0x46E3B18: g_signal_emit_valist (gsignal.c:2197)
==26286== by 0x46E3E88: g_signal_emit (gsignal.c:2241)
==26286== by 0x42771F1: ??? (gtkobject.c:419)
==26286== by 0x434289E: ??? (gtkwidget.c:6672)
==26286== by 0x46D69F3: g_object_run_dispose (gobject.c:571)

In a longer valgrind backtrace, some extra context is:
==32444== by 0x8137DC3: gimp_dock_remove_book (gimpdock.c:710)
==32444== by 0x8136933: gimp_dock_destroy (gimpdock.c:322)

The important point here is, I think, that some memory freed first at gimpdockable.c:251, is then freed again at gimpdockable.c:245.

It looks like this problem appears as a result of the GtkNotebook child-freeing changes in libgtk2.0-0.

This patch fixes the crash for me. It is, however, written without a knowledge of the GtkNotebook memory interlinks, so it should be reviewed :-)

I've reported this problem upstream at http://bugzilla.gnome.org/show_bug.cgi?id=338286

On another dapper machine I got a slightly different result, when i closed a dialogue it froze, no redrawing of the windows, rather than crashing

Thank you very much, Gary.

According to upstream is the problem that occurs from both the upstream patch and Gary's a metacity problem. I'll investigate further and will apply the patch as soon as I know more of what's happening.

Ok, I filed the metacity bug and we'll try to get gimp 2.2.11 in after Beta.

 gimp (2.2.11-1ubuntu1) dapper; urgency=low
 .
   * Resynchronized with Debian, only changes to Debian are:
     - debian/rules:
       - added gettext Domain to .desktop file.
 .
 gimp (2.2.11-1) unstable; urgency=low
 .
   * New upstream release
   * Stop building with gcc-3.4 on arm
   * Fix build-depends to exclude kfreebsd-amd64 from using libasound2-dev
     (Closes: #361459)