unity-panel-service crashed with SIGSEGV in atk_object_get_n_accessible_children()

StacktraceTop:
 panel_indicator_entry_accessible_get_n_children (accessible=0x965b1b0) at /build/buildd/unity-4.20.0/services/panel-indicator-entry-accessible.c:256
 atk_object_get_n_accessible_children (accessible=0x965b1b0) at atkobject.c:800
 append_cache_item (obj=0x965b1b0, data=0xbff71a98) at cache-adaptor.c:153
 g_hash_table_foreach (hash_table=0x96ac318, func=0xb64dd770 <append_accessible_hf>, user_data=0xbff71a98) at /build/buildd/glib2.0-2.30.0/./glib/ghash.c:1420
 spi_cache_foreach (cache=0xb5b14b80, func=0xb64dd770 <append_accessible_hf>, data=0xbff71a98) at ../../atk-adaptor/accessible-cache.c:417

Status changed to 'Confirmed' because the bug affects multiple users.

I had a interesting talking with mhr3 about this bug. It crashes in this line:

  if (GTK_IS_MENU (piea->priv->entry->menu))

So probably entry is NULL, or menu is not anymore a valid object.

Taking a look to the code, this is a custom atk object associated to a non-GTK object. Taking a look to the parent (ParentIndicatorAccessible) it have a callback when the entry is removed, so it is removed from the list. But PanelIndicatorEntryAccessible doesn't have any code managing this.

As the accessibility object can survive the base object, atk objects requires to manage if the base object is destroyed, and changing his state to ATK_STATE_DEFUNCT accordingly. So the atk-bridge will usually not interact with a accessible object with that state.

In the case of gtk, they implement this adding a weak_ref to the base object. But as I said this is custom atk object (not a gtkaccessible subclass). As far as I see the purpose of this object is expose the menu.

So I think that it is worth to add a weak_ref to entry->menu. If the crash happens because the entry->menu is freed, then ATK_STATE_DEFUNCT management should be added. The easiest way to do that:

  * add that weak_ref to the menu: when the menu is destroyed notify the state change and save somehow that the object was destroyed
       atk_object_notify_state_change (self, ATK_STATE_DEFUNCT)
  * return ATK_STATE_DEFUNCT on panel_indicator_entry_accessible_ref_state_set if the menu was destroyed

BTW: in order to return the ROLE and NAME on the initialize method, it is check entry->label and entry->image, instead of entry->menu. Not sure if this is correct. Probably it is worth to ask Rodrigo Moya about it.

I got same when i am using 3d unity, i guess it has something to do with gui lib like qt because it always happen when i am using qucs or other qt app

Just happened to me with Unity 3D. Had Totem open, and the panel vanished and returned quickly.

This same error occurs in precise, when using Eclipse and changing tabs (see duplicate bug #997444).

Verified that the Bug #997444 referenced above happens when using Kile Latex editor and changing tabs.
using Ubuntu 12.04 precise.

Crashes for me with 12.04 and kernel 3.5.0-2-generic

Sorry I mean of course that it crashes for me with 12.10 and kernel 3.5.0-2-generic.

I have this bug happening continuosly with Kile (see bug #997444).
I have this with Ubuntu 12.04 i386, Unity-2d and Unity-3d (unity -v: 5.16.0) and previous, kernel 3.2.0-32-generic-pae and previous.
The panel takes several seconds to die and restart making Kile unusable during this period and the system very slow.
Being an academic I work with latex a lot and this is very frustrating with this bug.

As it seems to persist still with 12.10, the bug needs be assigned to a developer.

I just use unity 2d panel (12.04) and no orca, btw it still crash

I can confirm comment #13, when working with Kile the unity-panel-service crashes everytime a tab is switched in Kile (i.e. this triggers the titel in the panel to be updated I suppose). I've tried running unity in verbose and debug mode, but the unity-panel-service process crashing doesn't get captured when running `unity --verbose --debug'.

So far I can only provide the crash file attached, note that I'm running plain unity (not 2d as the OP). Running unity 5.20.0 by the way.

Thank you for trying to make Ubuntu better. The stack trace in the attached .crash file in comment #16 shows a completely different problem than the one reported in this bug. Please open a new bug by using the "ubuntu-bug _usr_lib_unity_unity-panel-service.1000.crash" command from the terminal and include your nicely detailed description of how we can reproduce the problem so we can handle it appropriately.

I've created a new report at https://bugs.launchpad.net/ubuntu/+source/unity/+bug/1213829. Apologies for polluting this report though.