Ubuntu

gnome-terminal-server and mate-terminal crash when setting keyboard shortcuts

Bug #1438014 reported by Anna Glasgall on 2015-03-30

274

This bug affects 45 people

Affects		Status	Importance	Assigned to	Milestone
	Ubuntu	Confirmed	High	Unassigned

Bug Description

I put my laptop to sleep for an hour or so; when I restored it, gnome-terminal had crashed. It did not do this the previous time I suspended my laptop today, so I doubt that's immediately related.

This crash can be reproduced by setting a shortcut in preferences.

ProblemType: Crash
DistroRelease: Ubuntu 15.04
Package: gnome-terminal 3.14.2-0ubuntu2
ProcVersionSignature: Ubuntu 3.19.0-10.10-generic 3.19.2
Uname: Linux 3.19.0-10-generic x86_64
NonfreeKernelModules: openafs
ApportVersion: 2.16.2-0ubuntu5
Architecture: amd64
CurrentDesktop: Unity
Date: Mon Mar 30 00:19:43 2015
ExecutablePath: /usr/lib/gnome-terminal/gnome-terminal-server
InstallationDate: Installed on 2014-02-03 (419 days ago)
InstallationMedia: Ubuntu 13.10 "Saucy Salamander" - Release amd64 (20131016.1)
ProcCmdline: /usr/lib/gnome-terminal/gnome-terminal-server
ProcEnviron:
XDG_RUNTIME_DIR=<set>
SHELL=/bin/bash
LANGUAGE=en_US
PATH=(custom, user)
LANG=en_US.UTF-8
SegvAnalysis:
Segfault happened at: 0x7f98e2afbf1f <g_type_check_instance_is_a+63>: testb $0x4,0x16(%rax)
PC (0x7f98e2afbf1f) ok
source "$0x4" ok
destination "0x16(%rax)" (0x0000bcae) not located in a known VMA region (needed writable region)!
SegvReason: writing NULL VMA
Signal: 11
SourcePackage: gnome-terminal
StacktraceTop:
g_type_check_instance_is_a () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
gtk_widget_get_toplevel (widget=0x2580c30) at /build/buildd/gtk+3.0-3.14.9/./gtk/gtkwidget.c:11382
window_group_cleanup_grabs (group=<optimized out>, window=window@entry=0x252a230) at /build/buildd/gtk+3.0-3.14.9/./gtk/gtkwindowgroup.c:110
gtk_window_group_add_window (window_group=0x27e5c40, window=0x252a230) at /build/buildd/gtk+3.0-3.14.9/./gtk/gtkwindowgroup.c:169
gtk_window_set_transient_for (window=0x252a230, parent=0x23ac7d0) at /build/buildd/gtk+3.0-3.14.9/./gtk/gtkwindow.c:3134
Title: gnome-terminal-server crashed with SIGSEGV in g_type_check_instance_is_a()
UpgradeStatus: Upgraded to vivid on 2015-03-29 (0 days ago)
UserGroups: adm cdrom dialout dip kvm libvirtd lpadmin plugdev sambashare sbuild sudo

See original description

Tags:

Revision history for this message

Anna Glasgall (aglasgall) wrote on 2015-03-30:

Dependencies.txt Edit (9.7 KiB, text/plain; charset="utf-8")
Disassembly.txt Edit (1.3 KiB, text/plain; charset="utf-8")
ProcMaps.txt Edit (53.4 KiB, text/plain; charset="utf-8")
ProcStatus.txt Edit (858 bytes, text/plain; charset="utf-8")
Registers.txt Edit (728 bytes, text/plain; charset="utf-8")
Stacktrace.txt Edit (3.4 KiB, text/plain; charset="utf-8")
ThreadStacktrace.txt Edit (7.3 KiB, text/plain; charset="utf-8")

Revision history for this message

Apport retracing service (apport) wrote on 2015-03-30:

StacktraceTop:
g_type_check_instance_is_a (type_instance=type_instance@entry=0x2580c30, iface_type=<optimized out>) at /build/buildd/glib2.0-2.43.92/./gobject/gtype.c:4016
gtk_widget_get_toplevel (widget=0x2580c30) at /build/buildd/gtk+3.0-3.14.9/./gtk/gtkwidget.c:11382
window_group_cleanup_grabs (group=<optimized out>, window=window@entry=0x252a230) at /build/buildd/gtk+3.0-3.14.9/./gtk/gtkwindowgroup.c:110
gtk_window_group_add_window (window_group=0x27e5c40, window=0x252a230) at /build/buildd/gtk+3.0-3.14.9/./gtk/gtkwindowgroup.c:169
gtk_window_set_transient_for (window=0x252a230, parent=0x23ac7d0) at /build/buildd/gtk+3.0-3.14.9/./gtk/gtkwindow.c:3134

Revision history for this message

Apport retracing service (apport) wrote on 2015-03-30: Stacktrace.txt

Stacktrace.txt Edit (3.9 KiB, text/plain)

Revision history for this message

Apport retracing service (apport) wrote on 2015-03-30: StacktraceSource.txt

StacktraceSource.txt Edit (3.7 KiB, text/plain)

Revision history for this message

Apport retracing service (apport) wrote on 2015-03-30: ThreadStacktrace.txt

ThreadStacktrace.txt Edit (9.4 KiB, text/plain)

Changed in gnome-terminal (Ubuntu):
importance:	Undecided → Medium
tags:	removed: need-amd64-retrace

Apport retracing service (apport) on 2017-02-23

tags:

added: zesty

Revision history for this message

Launchpad Janitor (janitor) wrote on 2017-02-23: Re: gnome-terminal-server crashed with SIGSEGV in g_type_check_instance_is_a()

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in gnome-terminal (Ubuntu):
status:	New → Confirmed

Apport retracing service (apport) on 2017-06-26

tags:

added: artful

Jean-Baptiste Lallement (jibel) on 2017-10-05

information type:	Private → Public
Changed in gnome-terminal (Ubuntu):
importance:	Medium → High
description:	updated

Apport retracing service (apport) on 2017-10-21

tags:

added: bugpattern-needed

Revision history for this message

jean-marc (jean-marc-colagrossi) wrote on 2017-10-27:

On a terminal, choosing preferences... and modifying some shortcut keys on "Artful Aardwark" distro

Revision history for this message

Chrescht (sekateur) wrote on 2017-12-02:

Same here, shortcut keys editing in the preferences.
gnome terminal 3.24.2
Ubuntu 18.04

Vlad Orlov (monsta) on 2017-12-13

affects:	gnome-terminal (Ubuntu) → gtk+3.0 (Ubuntu)
summary:	- gnome-terminal-server crashed with SIGSEGV in - g_type_check_instance_is_a() + gnome-terminal-server and mate-terminal crash when setting keyboard + shortcuts
tags:	added: bionic xenial removed: vivid

Revision history for this message

Mikhail Kashkin (mkashkin) wrote on 2018-01-05:

I'm also using "Artful Aardwark" got many crashes with different circumstances. After some work in the background. When I'm opening and try to interact:

- Trying to open Preferences
- Trying to right-click on highlighted link to select "Open Link" (crash just after right click)
- Trying to switch tab

Revision history for this message

Cameron Cooks (cameronc56) wrote on 2018-03-28:

#10

Experienced this today, had a couple terminals open and was using chrome.

gnome-terminal-server crashed with SIGSEGV in g_cclosure_marshal_VOID__OBJECTv()

im on 16.04

Revision history for this message

Cameron Cooks (cameronc56) wrote on 2018-03-28:

#11

^ gnome-terminal version 3.18.3-1ubuntu1

Revision history for this message

André Cruz (andrefcruz) wrote on 2018-04-06:

#12

Altered keyboard shortcuts for opening new terminals and copy/paste.

[11742.029806] gnome-terminal-[4755]: segfault at 70000001e ip 00007f82140be77e sp 00007ffce1ff6fe8 error 4 in libgobject-2.0.so.0.5400.1[7f8214089000+52000]
[11785.274354] gnome-terminal-[27857]: segfault at 70000001e ip 00007fdbbe5da77e sp 00007ffee0b8a418 error 4 in libgobject-2.0.so.0.5400.1[7fdbbe5a5000+52000]
[12226.667034] gnome-terminal-[27916]: segfault at 70000001e ip 00007fe13759c77e sp 00007ffd2f2b76b8 error 4 in libgobject-2.0.so.0.5400.1[7fe137567000+52000]

17.10 (Artful Aardvark)

Revision history for this message

yzp15 (yzp15) wrote on 2018-04-14:

#13

Hello. I had some debugging with valgrind and gdb for the error with stacktrace top

g_type_check_instance_is_a glib2.0-2.43.92/./gobject/gtype.c:4016
gtk_widget_get_toplevel gtk+3.0-3.14.9/./gtk/gtkwidget.c:11382
window_group_cleanup_grabs gtk+3.0-3.14.9/./gtk/gtkwindowgroup.c:110
gtk_window_group_add_window gtk+3.0-3.14.9/./gtk/gtkwindowgroup.c:169
gtk_window_set_transient_for gtk+3.0-3.14.9/./gtk/gtkwindow.c:3134

This is use-after-free due to incorrect grab deregistration (gtk_grab_remove tries to remove the grab not from the same window_group where it was added by gtk_grab_add)
Results were posted to Bug #1667227 and Bug #1667232
https://bugs.launchpad.net/ubuntu/+source/mate-terminal/+bug/1667227 and https://bugs.launchpad.net/ubuntu/+source/gnome-terminal/+bug/1667232

I think that gnome-terminal grab use-after-free after editing keyboard shortcuts may be not related to the patch "debian/patches/016_no_offscreen_widgets_grabbing.patch" (it only helps to report Critical to the log).

Both gtk_grab_add and gtk_grab_remove calls gtk_main_get_window_group function, but it returns different results for these two calls (more details at https://bugs.launchpad.net/ubuntu/+source/mate-terminal/+bug/1667227/comments/8)

static GtkWindowGroup *
gtk_main_get_window_group (GtkWidget *widget)
...
  if (GTK_IS_WINDOW (toplevel))
    return gtk_window_get_group (GTK_WINDOW (toplevel));
  else
    return gtk_window_get_group (NULL);

At the time of gtk_grab_add (called from gtk_cell_renderer_accel_start_editing which is called from gtk_cell_renderer_start_editing) this widget had window = 0x0 and parent = 0x0
And at time of gtk_grab_remove (called from gtk_cell_editable_event_box_key_press_event) same widget had window = 0x555555e507e0 (parent = 0x555555e183f0) which leads to incorrect deregistration of the grab.

Parent of the widget was changed by gtk_tree_view_multipress_gesture_pressed -> .. -> gtk_cell_area_activate_cell -> gtk_cell_area_add_editable -> ..signal.. -> gtk_tree_view_column_add_editable_callback -> _gtk_tree_view_add_editable -> gtk_tree_view_put -> gtk_widget_set_parent

So, gtk_cell_area_activate_cell of gtk+3 (3.22.7) has some kind of incorrect ordering of actions which broke gtk_grab_add / gtk_grab_remove pair
https://github.com/GNOME/gtk/blob/6cc08d60efeb02afc0d67982c3dc205dfd16d7cd/gtk/gtkcellarea.c#L3388

3428 gtk_cell_renderer_start_editing (renderer,
...
3444 gtk_cell_area_add_editable (area, priv->focus_cell, editable_widget, cell_area);

(There was also quick and probably incorrect fix in Bug #1667227 for this use-after-free with additional removing of grab from gtk_window_get_group (NULL) https://launchpadlibrarian.net/308873213/lp1667227_quick_fix_gtk_grab_remove.gtk+3.22.8.patch )

Hello. I had some debugging with valgrind and gdb for the error with stacktrace top

g_type_check_instance_is_a   glib2.0-2.43.92/./gobject/gtype.c:4016
 gtk_widget_get_toplevel   gtk+3.0-3.14.9/./gtk/gtkwidget.c:11382
 window_group_cleanup_grabs  gtk+3.0-3.14.9/./gtk/gtkwindowgroup.c:110
 gtk_window_group_add_window  gtk+3.0-3.14.9/./gtk/gtkwindowgroup.c:169
 gtk_window_set_transient_for gtk+3.0-3.14.9/./gtk/gtkwindow.c:3134

This is use-after-free due to incorrect grab deregistration (gtk_grab_remove tries to remove the grab not from the same window_group where it was added by gtk_grab_add)
Results were posted to   Bug #1667227 and  Bug #1667232
https://bugs.launchpad.net/ubuntu/+source/mate-terminal/+bug/1667227 and https://bugs.launchpad.net/ubuntu/+source/gnome-terminal/+bug/1667232

3428 gtk_cell_renderer_start_editing (renderer,
...
3444 gtk_cell_area_add_editable (area, priv->focus_cell, editable_widget, cell_area);

(There was also quick and probably incorrect fix in Bug #1667227 for this use-after-free with additional removing of grab from gtk_window_get_group (NULL)  https://launchpadlibrarian.net/308873213/lp1667227_quick_fix_gtk_grab_remove.gtk+3.22.8.patch )

Revision history for this message

yzp15 (yzp15) wrote on 2018-05-20:

#14

Reported to gnome's gitlab: https://gitlab.gnome.org/GNOME/gtk/issues/180
Reference: GNOME/gtk#180

cortsenc (cortsenc) on 2019-10-16

affects:

gtk+3.0 (Ubuntu) → ubuntu

Norbert (nrbrtx) on 2021-07-31

tags:

removed: artful zesty

Report a bug

This report contains Public information

Everyone can see this information.

Duplicates of this bug

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.

Ubuntu

gnome-terminal-server and mate-terminal crash when setting keyboard shortcuts

Bug Description

Duplicates of this bug

Other bug subscribers

Bug attachments

Remote bug watches