devhelp and many other apps crash with SIGSEGV in g_closure_invoke() due to overlay-scrollbars

Bug #1386255 reported by Marius Gedminas on 2014-10-27
This bug affects 96 people
Affects                      Importance   Assigned to
Ubuntu GNOME                 Undecided    Unassigned
overlay-scrollbar            Undecided    Unassigned
overlay-scrollbar (Ubuntu)   Critical     Unassigned

Bug Description

With the gnome3-team/gnome3-staging PPA enabled all Gtk+ applications segfault when I do stuff like

- Press the <Menu> key
- Press the Save button in gedit's headerbar
- Press the hamburger menu button in devhelp's headerbar (the stack trace attached to this bug)
- Press the Add button in gtimelog
- Try to open any of the regular menus in gtimelog

ProblemType: Crash
DistroRelease: Ubuntu 14.10
Package: devhelp 3.14.0-1~utopic1 [origin: LP-PPA-gnome3-team-gnome3-staging]
ProcVersionSignature: Ubuntu 3.16.0-23.31-generic 3.16.4
Uname: Linux 3.16.0-23-generic x86_64
ApportVersion: 2.14.7-0ubuntu8
Architecture: amd64
CurrentDesktop: GNOME
Date: Mon Oct 27 17:15:30 2014
Disassembly: => 0x0: Cannot access memory at address 0x0
EcryptfsInUse: Yes
ExecutablePath: /usr/bin/devhelp
InstallationDate: Installed on 2012-07-25 (824 days ago)
InstallationMedia: Ubuntu 12.04 LTS "Precise Pangolin" - Release amd64 (20120425)
ProcCmdline: devhelp
SegvAnalysis:
 Segfault happened at: 0x0: Cannot access memory at address 0x0
 PC (0x00000000) not located in a known VMA region (needed executable region)!
SegvReason: executing NULL VMA
Signal: 11
SourcePackage: devhelp
StacktraceTop:
 ?? ()
 g_closure_invoke (closure=0x11e4ce0, return_value=0x0, n_param_values=2, param_values=0x7fffd6ed0920, invocation_hint=0x7fffd6ed08c0) at /build/buildd/glib2.0-2.42.0/./gobject/gclosure.c:768
 signal_emit_unlocked_R (node=node@entry=0x11e50b0, detail=detail@entry=0, instance=instance@entry=0x182a510, emission_return=emission_return@entry=0x0, instance_and_params=instance_and_params@entry=0x7fffd6ed0920) at /build/buildd/glib2.0-2.42.0/./gobject/gsignal.c:3483
 g_signal_emit_valist (instance=<optimized out>, signal_id=<optimized out>, detail=<optimized out>, var_args=var_args@entry=0x7fffd6ed0ab0) at /build/buildd/glib2.0-2.42.0/./gobject/gsignal.c:3309
 g_signal_emit (instance=instance@entry=0x182a510, signal_id=<optimized out>, detail=detail@entry=0) at /build/buildd/glib2.0-2.42.0/./gobject/gsignal.c:3365
Title: devhelp crashed with SIGSEGV in g_closure_invoke()
UpgradeStatus: Upgraded to utopic on 2014-10-24 (3 days ago)
UserGroups: adm cdrom dip docker libvirtd lp lpadmin plugdev sambashare shared sudo wireshark

Marius Gedminas (mgedmin) wrote :
Ubuntu GNOME (ug-bot) wrote :

StacktraceTop:
 ?? ()
 g_cclosure_marshal_generic_va (closure=<error reading variable: Cannot access memory at address 0xffffffffffffff40>, return_value=<error reading variable: Cannot access memory at address 0xffffffffffffff20>, instance=<error reading variable: Cannot access memory at address 0xffffffffffffff68>, args_list=<optimized out>, marshal_data=<error reading variable: Cannot access memory at address 0xffffffffffffff18>, n_params=<error reading variable: Cannot access memory at address 0xffffffffffffff4c>, param_types=<error reading variable: Cannot access memory at address 0x10>) at /build/buildd/glib2.0-2.43.0~git20141021.4125415e/./gobject/gclosure.c:1552

tags: added: apport-failed-retrace
tags: removed: need-amd64-retrace

apport-retrace --stdout /var/crash/_usr_bin_devhelp.1000.crash gives me this.

Marius Gedminas (mgedmin) wrote :

I had a long gdb session on this with the help of #gnome-hackers on irc.gnome.org.

This crash (and many like it) was caused by code in /usr/lib/x86_64-linux-gnu/gtk-3.0/modules/liboverlay-scrollbar.so. Instead of debugging it to the bitter end I apt-get removed overlay-scrollbar-gtk3 and the crashes are gone.

Tim Lunn (darkxst) on 2014-10-28
information type: Private → Public
Marius Gedminas (mgedmin) wrote :

BTW you may want to apt-get purge overlay-scrollbar to avoid spurious error messages on the console (bug 1134202).

summary: - devhelp crashed with SIGSEGV in g_closure_invoke()
+ devhelp and many other apps crash with SIGSEGV in g_closure_invoke() due
+ to overlay-scrollbars
Tim Lunn (darkxst) wrote :

This will need to be fixed for gtk+3.14 to land in vivid.

Changed in ubuntu-gnome:
milestone: none → vivid
tags: added: ubuntugnome-blocker
Marius Gedminas (mgedmin) wrote :

Details about my GDB session:

- gdb gnome-calculator (easy to trigger the bug: click on the titlebar dropdown; bonus: doesn't hold a keyboard/mouse grab when it gets frozen by gdb)
- 'run'
- click on the titlebar dropdown, see the window freeze
- gdb shows a segfault at 0x0
- 'bt' shows the stack trace; frame #1 is g_closure_invoke; the closure pointer is the same for every crash
- higher up in the stack you see it was called by gtk_grab_notify()
- set a conditional breakpoint 'b g_closure_invoke if closure == 0x....'
- 'run' to restart
- click on the titlebar dropdown again
- the breakpoint trips three times; first two are benign so hit 'cont' twice; the third one causes the crash
- single-stepping with 'n' and 's' shows that you end up in g_type_class_meta_marshal() for GtkScrollbar, with a callback at some address (0x7fffeeb3abe0)
- gdb was unable to resolve that address to a symbol, but /proc/$(pidof gnome-calculator)/maps shows it was in the range mapped to /usr/lib/x86_64-linux-gnu/gtk-3.0/modules/liboverlay-scrollbar.so

Marius Gedminas (mgedmin) wrote :

For the record, I had overlay scrollbars disabled ('gsettings set com.canonical.desktop.interface scrollbar-mode normal') when I saw these segfaults.

Marius Gedminas (mgedmin) wrote :

Here's what causes the crash:

- overlay-scrollbar's gtk_module_init() does this:

    widget_class = g_type_class_ref (GTK_TYPE_SCROLLBAR);
    pre_hijacked_scrollbar_grab_notify = widget_class->grab_notify;

  In GTK+ 3.14 widget_class->grab_notify for GTK_TYPE_SCROLLBAR is NULL.

- overlay-scrollbar's patch_scrollbar_class_vtable() does this:

    if (widget_class->grab_notify == pre_hijacked_scrollbar_grab_notify)
      widget_class->grab_notify = hijacked_scrollbar_grab_notify;

  Since widget_class->grab_notify is still NULL and it is equal to pre_hijacked_scrollbar_grab_notify, we install our own signal handler.

- overlay-scrollbar's hijacked_scrollbar_grab_notify() does this:

    if (use_overlay_scrollbar ())
      return;

    (* pre_hijacked_scrollbar_grab_notify) (widget, was_grabbed);

  Since in Ubuntu GNOME use_overlay_scrollbar() returns a false value, this code calls a NULL pointer and segfaults.

A more future-proof fix would be to check all pre_hijacked_ handlers before calling them.
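The three steps above, modelled in plain C as an added example (not code from the bug report or from overlay-scrollbar): a constructed stand-in for the GtkScrollbar class vtable, the hijack as quoted, and the null check that the released fix adds. use_overlay_scrollbar() is replaced by a flag, the module init and vtable patch are folded into one function, and the call through a NULL slot is reported rather than performed so the program itself does not segfault.

```c
#include <stdbool.h>
#include <stddef.h>
/* Constructed stand-in for GtkWidgetClass: only the vtable slot at issue. */
typedef void (*GrabNotifyFn)(void *widget, bool was_grabbed);
typedef struct { GrabNotifyFn grab_notify; } WidgetClass;

static WidgetClass scrollbar_class;        /* in GTK+ 3.14 this slot stays NULL */
static GrabNotifyFn pre_hijacked_scrollbar_grab_notify;
static bool overlay_enabled;               /* stands in for use_overlay_scrollbar() */
static int chained_calls;                  /* how often a saved handler really ran */
static void real_grab_notify(void *w, bool g) { (void)w; (void)g; chained_calls++; }

/* The handler quoted in the bug: chains blindly into whatever pointer was saved. */
static void hijacked_scrollbar_grab_notify(void *w, bool g)
{
    if (overlay_enabled) return;
    (*pre_hijacked_scrollbar_grab_notify)(w, g);   /* NULL here => jump to 0x0 */
}

/* gtk_module_init() + patch_scrollbar_class_vtable() folded together; check_null
   is the changelog's fix. Returns true if the slot was hijacked. */
static bool install_hijack(bool check_null)
{
    pre_hijacked_scrollbar_grab_notify = scrollbar_class.grab_notify;
    if (check_null && pre_hijacked_scrollbar_grab_notify == NULL) return false;
    if (scrollbar_class.grab_notify != pre_hijacked_scrollbar_grab_notify) return false;
    scrollbar_class.grab_notify = hijacked_scrollbar_grab_notify;
    return true;
}

/* Models gtk_grab_notify(): GTK only invokes a non-NULL slot. Returns 0 if the empty
   slot was skipped, 1 if a handler ran, -1 if it would have called NULL (SIGSEGV). */
static int emit_grab_notify(void)
{
    if (scrollbar_class.grab_notify == NULL) return 0;
    if (scrollbar_class.grab_notify == hijacked_scrollbar_grab_notify
        && !overlay_enabled && pre_hijacked_scrollbar_grab_notify == NULL)
        return -1;                         /* report it instead of crashing the example */
    scrollbar_class.grab_notify(NULL, false);
    return 1;
}

/* One run from a fresh class: original slot value, buggy or fixed module, overlay on/off. */
static int scenario(GrabNotifyFn original, bool check_null, bool overlay)
{
    scrollbar_class.grab_notify = original;
    overlay_enabled = overlay;
    install_hijack(check_null);
    return emit_grab_notify();
}
```

With the buggy module and a NULL slot the call would land at 0x0 only when overlay scrollbars are off, which is also why enabling them made the crash disappear; with the null check the empty slot is simply left alone, while a real handler from an older GTK is still wrapped and chained to.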

Marius Gedminas (mgedmin) wrote :

GtkScrollbar stopped paying attention to grab_notify signals in upstream commit 26dff0d7830b45b61fb4266664e4a5c1f98c4091 somewhere in 3.13.x.

You can see it online at https://github.com/GNOME/gtk/commit/26dff0d7830b45b61fb4266664e4a5c1f98c4091

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in overlay-scrollbar (Ubuntu):
status: New → Confirmed
Iain Lane (laney) on 2014-10-29
Changed in overlay-scrollbar (Ubuntu):
assignee: nobody → Lars Uebernickel (larsu)
Iain Lane (laney) wrote :

Looks like this is only to call the pre hijacked one if not on os, so probably OK and similar probably should be done for all of these hijacked functions. Lars, could you look?

The following package upgrades fixed the problem for me:
   overlay-scrollbar (0.2.16+r359+14.10.20140625-0ubuntu1 => 0.2.16+r359+14.10.20140625-0ubuntu2~utopic1)
   overlay-scrollbar-gtk2 (0.2.16+r359+14.10.20140625-0ubuntu1 => 0.2.16+r359+14.10.20140625-0ubuntu2~utopic1)
   overlay-scrollbar-gtk3 (0.2.16+r359+14.10.20140625-0ubuntu1 => 0.2.16+r359+14.10.20140625-0ubuntu2~utopic1)

Before that, the problem actually went away by *enabling* rather than disabling the overlay-scrollbars (overlay-auto instead of normal).

Also see https://bugzilla.gnome.org/show_bug.cgi?id=738073

Changed in overlay-scrollbar (Ubuntu):
importance: Undecided → Critical
Lars Karlitski (larsu) on 2014-11-14
Changed in overlay-scrollbar (Ubuntu):
status: Confirmed → In Progress
assignee: Lars Uebernickel (larsu) → Sebastien Bacher (seb128)
gsmetal (gsmetal) on 2014-11-18
no longer affects: file-roller (Ubuntu)
Changed in overlay-scrollbar (Ubuntu):
assignee: Sebastien Bacher (seb128) → nobody
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package overlay-scrollbar - 0.2.16+r359+15.04.20141126-0ubuntu1

---------------
overlay-scrollbar (0.2.16+r359+15.04.20141126-0ubuntu1) vivid; urgency=low

  [ Tim Lunn ]
  * Check for null grab_notify handler before hijacking it. This fixes a
    crash in GTK+3.14 where grab_notify is no longer used, Thanks Marius
    Gedminas for the fix! (LP: #1386255)
 -- Ubuntu daily release <email address hidden> Wed, 26 Nov 2014 15:18:56 +0000

Changed in overlay-scrollbar (Ubuntu):
status: In Progress → Fix Released
Tim Lunn (darkxst) on 2014-12-26
Changed in ubuntu-gnome:
status: New → Fix Released