apport-gtk crashed with SIGSEGV in _gtk_icon_helper_get_storage_type()

Bug #938090 reported by Paul Ortyl on 2012-02-21
This bug affects 118 people
Affects Status Importance Assigned to Milestone
Fix Released
apport (Ubuntu)
Martin Pitt
Martin Pitt
gtk+3.0 (Ubuntu)

Bug Description

just crashed

ProblemType: Crash
DistroRelease: Ubuntu 12.04
Package: apport-gtk 1.92-0ubuntu1
ProcVersionSignature: Ubuntu 3.2.0-17.26-generic 3.2.6
Uname: Linux 3.2.0-17-generic x86_64
ApportVersion: 1.92-0ubuntu1
Architecture: amd64
Date: Tue Feb 21 20:34:36 2012
EcryptfsInUse: Yes
ExecutablePath: /usr/share/apport/apport-gtk
InstallationMedia: Ubuntu 12.04 LTS "Precise Pangolin" - Alpha amd64 (20120213)
InterpreterPath: /usr/bin/python2.7
PackageArchitecture: all
ProcCmdline: /usr/bin/python /usr/share/apport/apport-gtk
 Segfault happened at: 0x7f9c20afda60: mov 0x18(%rdi),%rax
 PC (0x7f9c20afda60) ok
 source "0x18(%rdi)" (0x00000018) not located in a known VMA region (needed readable region)!
 destination "%rax" ok
SegvReason: reading NULL VMA
Signal: 11
SourcePackage: apport
 ?? () from /usr/lib/x86_64-linux-gnu/
 gtk_image_clear () from /usr/lib/x86_64-linux-gnu/
 gtk_image_set_from_pixbuf () from /usr/lib/x86_64-linux-gnu/
 ffi_call_unix64 () from /usr/lib/x86_64-linux-gnu/
 ffi_call () from /usr/lib/x86_64-linux-gnu/
Title: apport-gtk crashed with SIGSEGV in gtk_image_clear()
UpgradeStatus: No upgrade log present (probably fresh install)
UserGroups: adm cdrom dip lpadmin plugdev sambashare sudo

Paul Ortyl (ortylp) wrote :

 _gtk_icon_helper_get_storage_type (self=0x0) at /build/buildd/gtk+3.0-3.3.14/./gtk/gtkiconhelper.c:482
 gtk_image_reset (image=0x2c54b00) at /build/buildd/gtk+3.0-3.3.14/./gtk/gtkimage.c:1430
 gtk_image_clear (image=0x2c54b00) at /build/buildd/gtk+3.0-3.3.14/./gtk/gtkimage.c:1486
 gtk_image_set_from_pixbuf (image=0x2c54b00, pixbuf=0x35f1a30) at /build/buildd/gtk+3.0-3.3.14/./gtk/gtkimage.c:851
 ffi_call_unix64 () at ../src/x86/unix64.S:75

Changed in apport (Ubuntu):
importance: Undecided → Medium
summary: - apport-gtk crashed with SIGSEGV in gtk_image_clear()
+ apport-gtk crashed with SIGSEGV in _gtk_icon_helper_get_storage_type()
tags: removed: need-amd64-retrace
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in apport (Ubuntu):
status: New → Confirmed
visibility: private → public
tags: added: bugpattern-needed
Yen (yen26lidd) on 2012-04-05
Changed in apport (Ubuntu):
status: Confirmed → Fix Released
Martin Pitt (pitti) on 2012-04-10
Changed in apport (Ubuntu):
status: Fix Released → Confirmed
Michael Vogt (mvo) wrote :

I can reproduce this crash in software-center too, via:
$ software-center /path/to/downloaded.deb
wait until the spinner is gone but the deb is not yet displayed and close at exactly this moment.
-> crash

Michael Vogt (mvo) wrote :

This diff will probably fix the crash but maybe not the root cause that causes the icon_helper to be NULL - maybe a refcount problem?

diff --git a/gtk/gtkimage.c b/gtk/gtkimage.c
index fa87ea7..0c728af 100644
--- a/gtk/gtkimage.c
+++ b/gtk/gtkimage.c
@@ -1065,6 +1065,7 @@ GtkImageType
 gtk_image_get_storage_type (GtkImage *image)
   g_return_val_if_fail (GTK_IS_IMAGE (image), GTK_IMAGE_EMPTY);
+ g_return_val_if_fail (image->priv->icon_helper != NULL, GTK_IMAGE_EMPTY);

   return _gtk_icon_helper_get_storage_type (image->priv->icon_helper);
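Review bot: the guard lands in gtk_image_get_storage_type(), but the retraced stack above does not go through that function; it crashes via gtk_image_clear() -> gtk_image_reset() (gtkimage.c:1430) -> _gtk_icon_helper_get_storage_type(self=0x0), which this hunk leaves unchanged, so the reported segfault would still occur. Put the NULL check where the trace dereferences the helper, for example an early return in gtk_image_reset() when image->priv->icon_helper == NULL, and keep in mind that g_return_val_if_fail() only downgrades the use-after-destroy to a g_critical. Also, as pasted the hunk is missing the function's opening brace line between `gtk_image_get_storage_type (GtkImage *image)` and the first `g_return_val_if_fail`, so it will not apply cleanly.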

Michael Vogt (mvo) wrote :

Looking at this in s-c I get the "destroy" signal when the app is closed and then some event processing still happens
that causes self.icon.set_from_pixbuf(), which will cause gtk_image_clear() to run on the already destroyed image
so that priv->icon_helper is NULL. This is equivalent to running:

/* run as:
 * gcc lala.c $(pkg-config --cflags --libs gtk+-x11-3.0) && ./a.out
 */
#include <gtk/gtk.h>

int main(int argc, char **argv)
{
   gtk_init(&argc, &argv);

   GtkWidget *img = gtk_image_new();
   /* the sequence described above: destroy the widget first, then a late
    * call that reaches gtk_image_clear() on the already destroyed image */
   gtk_widget_destroy(img);
   gtk_image_clear(GTK_IMAGE(img));   // SEGV
   return 0;
}

Martin Pitt (pitti) wrote :

Ah, incidentally I was just working on the Python equivalent of this.. :)

Michael Vogt (mvo) wrote :

So the attached patch against gtk+ outlines what we *may* need to do. The problem seems to be that
when python calls destroy() on an object it may not actually be destroyed yet because the pygi part still
has references. So we need to move the actual cleanup into the finalize functions instead of into destroy.

This is in line with what other widgets are doing, e.g.:
   GtkWidget *button = gtk_image_new();
   gtk_button_set_label(button, "foo");

causes a warning but not a crash.
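
The destroy-versus-finalize lifecycle from the two comments above (the late set_from_pixbuf() after "destroy", and the point that a pygi-held reference keeps the object alive past destroy()), as an added example in plain C that is not part of this bug's patches or of GTK's own code. A small refcounted struct stands in for GtkImage, its IconHelper for priv->icon_helper, and an explicit extra reference for the one the Python wrapper keeps. With free_in_dispose=1 (the old GtkImage behaviour) the helper is freed when destroy() runs, so a method called afterwards sees a NULL helper; with free_in_dispose=0 (the cherry-picked fix) the helper survives until the last reference is dropped. All names here, and the -1 sentinel that replaces the real crash, are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for the helper GtkImage keeps in priv->icon_helper (example type, not GTK's). */
typedef struct {
    int storage_type;          /* nonzero in this example; GTK uses GtkImageType */
} IconHelper;

/* Stand-in for a GObject: a reference count plus a "dispose has run" flag.
 * In GObject, dispose runs when gtk_widget_destroy() is called even if other
 * holders (such as a Python wrapper) still own references; finalize runs only
 * when the last reference is dropped. */
typedef struct {
    int refcount;
    int disposed;
    int free_in_dispose;       /* 1: free helper in dispose (old GTK); 0: in finalize (the fix) */
    IconHelper *icon_helper;
} Image;

static Image *image_new(int free_in_dispose)
{
    Image *img = calloc(1, sizeof *img);
    if (!img)
        abort();
    img->refcount = 1;
    img->free_in_dispose = free_in_dispose;
    img->icon_helper = calloc(1, sizeof *img->icon_helper);
    if (!img->icon_helper)
        abort();
    img->icon_helper->storage_type = 1;
    return img;
}

/* What widget.destroy() triggers: dispose, possibly more than once, while references remain. */
static void image_dispose(Image *img)
{
    img->disposed = 1;
    if (img->free_in_dispose) {
        free(img->icon_helper);
        img->icon_helper = NULL;   /* the NULL that _gtk_icon_helper_get_storage_type() then hits */
    }
}

/* Runs exactly once, when the last reference goes away. */
static void image_finalize(Image *img)
{
    free(img->icon_helper);
    free(img);
}

static void image_ref(Image *img)
{
    img->refcount++;
}

static void image_unref(Image *img)
{
    if (--img->refcount == 0) {
        if (!img->disposed)
            image_dispose(img);
        image_finalize(img);
    }
}

/* Stand-in for gtk_image_clear() -> gtk_image_reset() -> _gtk_icon_helper_get_storage_type().
 * Real GTK dereferences the helper unconditionally (SIGSEGV when NULL); this example
 * returns -1 instead so the outcome can be observed without crashing. */
static int image_get_storage_type(const Image *img)
{
    if (img->icon_helper == NULL)
        return -1;
    return img->icon_helper->storage_type;
}

/* The sequence from the bug: the wrapper holds a reference, destroy() runs dispose,
 * and a signal handler that was already queued then calls back into the widget. */
static int storage_type_seen_by_late_handler(int free_in_dispose)
{
    Image *img = image_new(free_in_dispose);
    image_ref(img);                         /* the pygi wrapper's own reference */
    image_dispose(img);                     /* widget.destroy() */
    int seen = image_get_storage_type(img); /* late set_from_pixbuf() -> clear() -> reset() */
    image_unref(img);                       /* GTK-side reference dropped */
    image_unref(img);                       /* wrapper goes away: finalize runs here */
    return seen;
}

int main(void)
{
    printf("helper freed in dispose (old GTK): %d\n", storage_type_seen_by_late_handler(1));
    printf("helper freed in finalize (fix):    %d\n", storage_type_seen_by_late_handler(0));
    return 0;
}
```

Moving the free into finalize makes the late call harmless, but the handler is still operating on a disposed widget, which is why a toolkit-independent guard on the caller's side (checking for "destroy" before touching the image again, as apport did for precise) is also reasonable; the same dispose-before-finalize window exists for any refcounted object whose methods may be invoked from queued callbacks.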

Michael Vogt (mvo) wrote :
Michael Vogt (mvo) wrote :

Eh, nevermind my code example in #10, I attach a better one. FWIW, with the patch in comment #11 the code does
not segfault anymore (neither in the C demo, nor in the python demo, nor in SC).

tags: added: patch
Martin Pitt (pitti) on 2012-04-13
Changed in apport (Ubuntu):
assignee: nobody → Martin Pitt (pitti)
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Martin Pitt (pitti) wrote :

I don't think that we can land the real fix in GTK in time for precise, so I'll work on a fix on the Apport side.

affects: gtk+3.0 (Ubuntu) → ubuntu
Changed in ubuntu:
status: New → Triaged
Changed in ubuntu:
status: New → Confirmed
Martin Pitt (pitti) on 2012-04-13
affects: Ubuntu Precise → gtk+3.0 (Ubuntu Precise)
Changed in apport (Ubuntu Precise):
status: Confirmed → In Progress
Changed in gtk+3.0 (Ubuntu Precise):
status: Triaged → Won't Fix
no longer affects: gtk+3.0 (Ubuntu Precise)
Martin Pitt (pitti) wrote :

Fixed in trunk r2280.

Changed in apport (Ubuntu Precise):
status: In Progress → Fix Committed
Changed in gtk:
importance: Unknown → Medium
status: Unknown → New
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apport - 2.0.1-0ubuntu3

apport (2.0.1-0ubuntu3) precise; urgency=low

  * Cherry-pick from trunk:
    - GTK UI tests: Ensure that there are no GLib/GTK warnings or criticals.
    - apport-gtk: Work around GTK crash when trying to set pixmap on an
      already destroyed parent window. (LP: #938090)
 -- Martin Pitt <email address hidden> Fri, 13 Apr 2012 19:42:02 +0200

Changed in apport (Ubuntu Precise):
status: Fix Committed → Fix Released
Martin Pitt (pitti) on 2012-04-16
Changed in gtk+3.0 (Ubuntu):
status: Triaged → Fix Committed
importance: Undecided → High
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gtk+3.0 - 3.4.1-0ubuntu1

gtk+3.0 (3.4.1-0ubuntu1) precise-proposed; urgency=low

  * New upstream bug fix release:
    - Custom theme can crash apps with GtkEntryCompletion
    - Window expands horizontally rather than the text entry growing
    - conflict between srcdir != builddir and generated enum types
    - Wayland and X11 backends simultaneously enabled is broken
    - Anchored widgets inside GtkTextView are drawn out of place
    - gtk file-chooser: Autocompletion - Dropdown-list: selection fails
    - windows draw as unfocused/backdrop on window managers
    - URL to mailing lists in README incorrect
    - gactionmuxer: Fix list_actions
    - After clicking empty parts of a toolbar/menubar the next mouse click
      (button release) does not work
    - shouldn't set GDK_SOURCE_TOUCHSCREEN based on the name
    - GtkTreeView should not handle extra mouse buttons
    - GdkEventButton contains wrong buttons in modifier mask for button
    - entrycompletion: set_property() should use property setter functions
    - application-window: try to use the desktop name in the fallback menu
    - Deal more gracefully with a flood of scroll events
    - Translation updates.
  * Drop patches which are upstream now:
    - upstream_treeview_rendering.patch
    - git_filechooser_selection.patch
    - no_touchscreen_name_hack.patch
    - git_dont_ignore_button_release_event.patch
    - git_shrinkable_widget.patch
    - git_scrolling_performances.patch
  * debian/ Bump Build dependencies as per upstream
  * Add 00git_gtkimage_cleanup_crash.patch: GtkImage: Move the freeing of the
    icon_helper from the destroy to the finalize function to avoid segfaults
    when trying to access a destroyed object before it is disposed. This often
    happens in signal handlers which get called asynchronously after destroy.
    Patch cherrypicked from upstream git head. (LP: #938090, same in
 -- Martin Pitt <email address hidden> Mon, 16 Apr 2012 10:28:54 +0200

Changed in gtk+3.0 (Ubuntu):
status: Fix Committed → Fix Released
Changed in gtk:
status: New → Fix Released