Ubuntu
gnome-terminal package

gnome-terminal-server crashed with SIGSEGV in g_type_check_instance_is_a() while editing shortcuts

Bug #1667232 reported by yzp15 on 2017-02-23

This bug report is a duplicate of: Bug #1438014: gnome-terminal-server and mate-terminal crash when setting keyboard shortcuts. Edit Remove

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	gnome-terminal (Ubuntu)	New	Undecided	Unassigned

Bug Description

1)
Description: Ubuntu Zesty Zapus (development branch)
Release: 17.04
2)
gnome-terminal:
Installed: 3.20.2-1ubuntu5
3)
Open gnome-terminal, open menu Edit->Preferences, open Shortcuts tab, scroll to the end, change key for Help-Contents
Change the shortcut several times, using various combinations of Ctrl, Alt, Shift, "Win" (Super_L" keys with letters W/E/Q... or Function keys like F1,F2
3)
Expected: changed shortcut and working gnome-terminal
4)
After several changes gnome-terminal closes with SIGSEGV and apport.

ProblemType: Crash
DistroRelease: Ubuntu 17.04
Package: gnome-terminal 3.20.2-1ubuntu5
ProcVersionSignature: Ubuntu 4.10.0-8.10-generic 4.10.0-rc8
Uname: Linux 4.10.0-8-generic x86_64
ApportVersion: 2.20.4-0ubuntu2
Architecture: amd64
CurrentDesktop: MATE
Date: Thu Feb 23 09:49:49 2017
ExecutablePath: /usr/lib/gnome-terminal/gnome-terminal-server
ExecutableTimestamp: 1475202625
InstallationDate: Installed on 2017-02-22 (1 days ago)
InstallationMedia: Ubuntu-MATE 17.04 "Zesty Zapus" - Alpha amd64 (20170125)
ProcCmdline: /usr/lib/gnome-terminal/gnome-terminal-server
ProcCwd: /home/user
RetraceOutdatedPackages:
no debug symbol package found for libepoxy0
no debug symbol package found for libwayland-cursor0
no debug symbol package found for libharfbuzz0b
Signal: 11
SourcePackage: gnome-terminal
StacktraceTop:
g_type_check_instance_is_a (type_instance=type_instance@entry=0x5561990ab920, iface_type=<optimized out>) at ././gobject/gtype.c:4013
gtk_widget_get_toplevel (widget=0x5561990ab920) at ././gtk/gtkwidget.c:11521
window_group_cleanup_grabs (group=<optimized out>, window=window@entry=0x556198dfa330) at ././gtk/gtkwindowgroup.c:110
gtk_window_group_add_window (window_group=0x556198fad4d0, window=0x556198dfa330) at ././gtk/gtkwindowgroup.c:169
gtk_window_set_transient_for (window=0x556198dfa330, parent=0x556198f8cd00) at ././gtk/gtkwindow.c:3332
Title: gnome-terminal-server crashed with SIGSEGV in g_type_check_instance_is_a()
UpgradeStatus: No upgrade log present (probably fresh install)
UserGroups: adm cdrom dip lpadmin plugdev sambashare sudo

Tags:

Revision history for this message

yzp15 (yzp15) wrote on 2017-02-23:

Dependencies.txt Edit (9.8 KiB, text/plain; charset="utf-8")
JournalErrors.txt Edit (8.7 KiB, text/plain; charset="utf-8")
ProcEnviron.txt Edit (302 bytes, text/plain; charset="utf-8")
SegvAnalysis.txt Edit (209 bytes, text/plain; charset="utf-8")
StacktraceSource.txt Edit (3.1 KiB, text/plain; charset="utf-8")
XsessionErrors.txt Edit (22.7 KiB, text/plain; charset="utf-8")

Revision history for this message

Apport retracing service (apport) wrote on 2017-02-23: This bug is a duplicate

Thank you for taking the time to report this crash and helping to make this software better. This particular crash has already been reported and is a duplicate of bug #1438014, so is being marked as such. Please look at the other bug report to see if there is any missing information that you can provide, or to see if there is a workaround for the bug. Additionally, any further discussion regarding the bug should occur in the other report. Please continue to report any other bugs you may find.

information type:	Private → Public
tags:	removed: need-amd64-retrace

Revision history for this message

yzp15 (yzp15) wrote on 2017-02-25:

Seems to be error in gtk_cell_area_activate_cell: it has incorrect order of actions which broke gtk_grab_add / gtk_grab_remove pair
https://github.com/GNOME/gtk/blob/6cc08d60efeb02afc0d67982c3dc205dfd16d7cd/gtk/gtkcellarea.c#L3388

3428 gtk_cell_renderer_start_editing (renderer,
This will call gtk_grab_add to register widget in default window group "gtk_window_get_group (NULL);"

Later,
3444 gtk_cell_area_add_editable (area, priv->focus_cell, editable_widget, cell_area);

will change widget to other window group (by setting parent gtk_cell_area_activate_cell -> gtk_cell_area_add_editable -> ..signal.. -> gtk_tree_view_column_add_editable_callback -> _gtk_tree_view_add_editable -> gtk_tree_view_put -> gtk_widget_set_parent)

And gtk_grab_remove will be unable to remove link to the widget from the wrong window group, creating stale pointer, which will be used after free.
More details at Bug #1667227.

Bug can be detected by "Gtk-CRITICAL **: gtk_widget_get_toplevel: assertion 'GTK_IS_WIDGET (widget)' failed" messages, when mate-terminal (bug #1667227) or gnome-terminal are started from another console (with option --disable-factory) and keyboard shortcuts are edited.
I have such messages with gtk+3 (upstream) versions 3.16.7, 3.18.9, 3.20.9, 3.22.8; valgrind can detect invalid reads (use after free) from window_group_cleanup_grabs -> gtk_widget_get_toplevel.

Simple, but potentially incorrect patch corrects this bug (both Gtk-CRITICAL messages and valgrind detections/SIGSEGVs) in gnome-terminal and mate-terminal (bug #1667227). It is tested with gtk+3 3.16.7, 3.18.9, 3.20.9, 3.22.8.
Just call _gtk_window_group_remove_grab from gtkmain.c:gtk_grab_remove twice, additional call with default window group, to clear all possible references to the widget from the grabs list:

diff --git a/gtk/gtkmain.c b/gtk/gtkmain.c
index 3152971256..681cb2bec9 100644
--- a/gtk/gtkmain.c
+++ b/gtk/gtkmain.c
@@ -2274,6 +2274,9 @@ gtk_grab_remove (GtkWidget *widget)

       group = gtk_main_get_window_group (widget);
       _gtk_window_group_remove_grab (group, widget);
+ // quick workaround for lp #1667227, lp #1667232
+ _gtk_window_group_remove_grab (gtk_window_get_group (NULL), widget);
+
       new_grab_widget = gtk_window_group_get_current_grab (group);

gtk_grab_notify (group, NULL, widget, new_grab_widget, FALSE);

Seems to be error in  gtk_cell_area_activate_cell: it has incorrect order of actions which broke gtk_grab_add / gtk_grab_remove pair
https://github.com/GNOME/gtk/blob/6cc08d60efeb02afc0d67982c3dc205dfd16d7cd/gtk/gtkcellarea.c#L3388

3428 gtk_cell_renderer_start_editing (renderer,
This will call gtk_grab_add to register widget in default window group "gtk_window_get_group (NULL);"

Later,
3444 gtk_cell_area_add_editable (area, priv->focus_cell, editable_widget, cell_area);

will change widget to other window group (by setting parent  gtk_cell_area_activate_cell -> gtk_cell_area_add_editable -> ..signal.. ->  gtk_tree_view_column_add_editable_callback -> _gtk_tree_view_add_editable -> gtk_tree_view_put -> gtk_widget_set_parent)

And gtk_grab_remove will be unable to remove link to the widget from the wrong window group, creating stale pointer, which will be used after free.
More details at Bug #1667227.

diff --git a/gtk/gtkmain.c b/gtk/gtkmain.c
index 3152971256..681cb2bec9 100644
--- a/gtk/gtkmain.c
+++ b/gtk/gtkmain.c
@@ -2274,6 +2274,9 @@ gtk_grab_remove (GtkWidget *widget)
 
       group = gtk_main_get_window_group (widget);
       _gtk_window_group_remove_grab (group, widget);
+      // quick workaround for lp #1667227, lp #1667232
+      _gtk_window_group_remove_grab (gtk_window_get_group (NULL), widget);
+
       new_grab_widget = gtk_window_group_get_current_grab (group);
 
       gtk_grab_notify (group, NULL, widget, new_grab_widget, FALSE);

Revision history for this message

yzp15 (yzp15) wrote on 2017-02-25: