gnome-terminal-server and mate-terminal crash when setting keyboard shortcuts

Bug #1438014 reported by Adam Glasgall on 2015-03-30
This bug affects 45 people
Affects: gtk+3.0 (Ubuntu)
Importance: High
Assigned to: Unassigned

Bug Description

I put my laptop to sleep for an hour or so; when I restored it, gnome-terminal had crashed. It did not do this the previous time I suspended my laptop today, so I doubt that's immediately related.

This crash can be reproduced by setting a shortcut in preferences.

ProblemType: Crash
DistroRelease: Ubuntu 15.04
Package: gnome-terminal 3.14.2-0ubuntu2
ProcVersionSignature: Ubuntu 3.19.0-10.10-generic 3.19.2
Uname: Linux 3.19.0-10-generic x86_64
NonfreeKernelModules: openafs
ApportVersion: 2.16.2-0ubuntu5
Architecture: amd64
CurrentDesktop: Unity
Date: Mon Mar 30 00:19:43 2015
ExecutablePath: /usr/lib/gnome-terminal/gnome-terminal-server
InstallationDate: Installed on 2014-02-03 (419 days ago)
InstallationMedia: Ubuntu 13.10 "Saucy Salamander" - Release amd64 (20131016.1)
ProcCmdline: /usr/lib/gnome-terminal/gnome-terminal-server
ProcEnviron:
 XDG_RUNTIME_DIR=<set>
 SHELL=/bin/bash
 LANGUAGE=en_US
 PATH=(custom, user)
 LANG=en_US.UTF-8
SegvAnalysis:
 Segfault happened at: 0x7f98e2afbf1f <g_type_check_instance_is_a+63>: testb $0x4,0x16(%rax)
 PC (0x7f98e2afbf1f) ok
 source "$0x4" ok
 destination "0x16(%rax)" (0x0000bcae) not located in a known VMA region (needed writable region)!
SegvReason: writing NULL VMA
Signal: 11
SourcePackage: gnome-terminal
StacktraceTop:
 g_type_check_instance_is_a () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
 gtk_widget_get_toplevel (widget=0x2580c30) at /build/buildd/gtk+3.0-3.14.9/./gtk/gtkwidget.c:11382
 window_group_cleanup_grabs (group=<optimized out>, window=window@entry=0x252a230) at /build/buildd/gtk+3.0-3.14.9/./gtk/gtkwindowgroup.c:110
 gtk_window_group_add_window (window_group=0x27e5c40, window=0x252a230) at /build/buildd/gtk+3.0-3.14.9/./gtk/gtkwindowgroup.c:169
 gtk_window_set_transient_for (window=0x252a230, parent=0x23ac7d0) at /build/buildd/gtk+3.0-3.14.9/./gtk/gtkwindow.c:3134
Title: gnome-terminal-server crashed with SIGSEGV in g_type_check_instance_is_a()
UpgradeStatus: Upgraded to vivid on 2015-03-29 (0 days ago)
UserGroups: adm cdrom dialout dip kvm libvirtd lpadmin plugdev sambashare sbuild sudo

Adam Glasgall (aglasgall) wrote :

StacktraceTop:
 g_type_check_instance_is_a (type_instance=type_instance@entry=0x2580c30, iface_type=<optimized out>) at /build/buildd/glib2.0-2.43.92/./gobject/gtype.c:4016
 gtk_widget_get_toplevel (widget=0x2580c30) at /build/buildd/gtk+3.0-3.14.9/./gtk/gtkwidget.c:11382
 window_group_cleanup_grabs (group=<optimized out>, window=window@entry=0x252a230) at /build/buildd/gtk+3.0-3.14.9/./gtk/gtkwindowgroup.c:110
 gtk_window_group_add_window (window_group=0x27e5c40, window=0x252a230) at /build/buildd/gtk+3.0-3.14.9/./gtk/gtkwindowgroup.c:169
 gtk_window_set_transient_for (window=0x252a230, parent=0x23ac7d0) at /build/buildd/gtk+3.0-3.14.9/./gtk/gtkwindow.c:3134

Changed in gnome-terminal (Ubuntu):
importance: Undecided → Medium
tags: removed: need-amd64-retrace
tags: added: zesty

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in gnome-terminal (Ubuntu):
status: New → Confirmed
tags: added: artful
information type: Private → Public

Changed in gnome-terminal (Ubuntu):
importance: Medium → High
description: updated
tags: added: bugpattern-needed

On a terminal, choosing preferences... and modifying some shortcut keys on "Artful Aardvark" distro

Chrescht (sekateur) wrote :

Same here, shortcut keys editing in the preferences.
gnome terminal 3.24.2
Ubuntu 18.04

Vlad Orlov (monsta) on 2017-12-13
affects: gnome-terminal (Ubuntu) → gtk+3.0 (Ubuntu)
summary: - gnome-terminal-server crashed with SIGSEGV in
- g_type_check_instance_is_a()
+ gnome-terminal-server and mate-terminal crash when setting keyboard
+ shortcuts
tags: added: bionic xenial
removed: vivid

Mikhail Kashkin (mkashkin) wrote :

I'm also using "Artful Aardvark" and got many crashes under different circumstances, after some work in the background, when I open it and try to interact:

- Trying to open Preferences
- Trying to right-click on highlighted link to select "Open Link" (crash just after right click)
- Trying to switch tab

Cameron Cooks (cameronc56) wrote :

Experienced this today, had a couple terminals open and was using chrome.

gnome-terminal-server crashed with SIGSEGV in g_cclosure_marshal_VOID__OBJECTv()

I'm on 16.04

Cameron Cooks (cameronc56) wrote :

^ gnome-terminal version 3.18.3-1ubuntu1

André Cruz (andrefcruz) wrote :

Altered keyboard shortcuts for opening new terminals and copy/paste.

[11742.029806] gnome-terminal-[4755]: segfault at 70000001e ip 00007f82140be77e sp 00007ffce1ff6fe8 error 4 in libgobject-2.0.so.0.5400.1[7f8214089000+52000]
[11785.274354] gnome-terminal-[27857]: segfault at 70000001e ip 00007fdbbe5da77e sp 00007ffee0b8a418 error 4 in libgobject-2.0.so.0.5400.1[7fdbbe5a5000+52000]
[12226.667034] gnome-terminal-[27916]: segfault at 70000001e ip 00007fe13759c77e sp 00007ffd2f2b76b8 error 4 in libgobject-2.0.so.0.5400.1[7fe137567000+52000]

17.10 (Artful Aardvark)

yzp15 (yzp15) wrote :

Hello. I did some debugging with valgrind and gdb for the error with this stacktrace top:

 g_type_check_instance_is_a glib2.0-2.43.92/./gobject/gtype.c:4016
 gtk_widget_get_toplevel gtk+3.0-3.14.9/./gtk/gtkwidget.c:11382
 window_group_cleanup_grabs gtk+3.0-3.14.9/./gtk/gtkwindowgroup.c:110
 gtk_window_group_add_window gtk+3.0-3.14.9/./gtk/gtkwindowgroup.c:169
 gtk_window_set_transient_for gtk+3.0-3.14.9/./gtk/gtkwindow.c:3134

This is a use-after-free due to incorrect grab deregistration (gtk_grab_remove tries to remove the grab from a different window_group than the one where it was added by gtk_grab_add).
Results were posted to Bug #1667227 and Bug #1667232
https://bugs.launchpad.net/ubuntu/+source/mate-terminal/+bug/1667227 and https://bugs.launchpad.net/ubuntu/+source/gnome-terminal/+bug/1667232

I think that the gnome-terminal grab use-after-free after editing keyboard shortcuts may not be related to the patch "debian/patches/016_no_offscreen_widgets_grabbing.patch" (it only helps to report Critical to the log).

Both gtk_grab_add and gtk_grab_remove call the gtk_main_get_window_group function, but it returns different results for these two calls (more details at https://bugs.launchpad.net/ubuntu/+source/mate-terminal/+bug/1667227/comments/8):

static GtkWindowGroup *
gtk_main_get_window_group (GtkWidget *widget)
...
  if (GTK_IS_WINDOW (toplevel))
    return gtk_window_get_group (GTK_WINDOW (toplevel));
  else
    return gtk_window_get_group (NULL);

At the time of gtk_grab_add (called from gtk_cell_renderer_accel_start_editing, which is called from gtk_cell_renderer_start_editing) this widget had window = 0x0 and parent = 0x0.
And at the time of gtk_grab_remove (called from gtk_cell_editable_event_box_key_press_event) the same widget had window = 0x555555e507e0 (parent = 0x555555e183f0), which leads to incorrect deregistration of the grab.

Parent of the widget was changed by gtk_tree_view_multipress_gesture_pressed -> .. -> gtk_cell_area_activate_cell -> gtk_cell_area_add_editable -> ..signal.. -> gtk_tree_view_column_add_editable_callback -> _gtk_tree_view_add_editable -> gtk_tree_view_put -> gtk_widget_set_parent

So, gtk_cell_area_activate_cell of gtk+3 (3.22.7) has some kind of incorrect ordering of actions which broke the gtk_grab_add / gtk_grab_remove pair:
https://github.com/GNOME/gtk/blob/6cc08d60efeb02afc0d67982c3dc205dfd16d7cd/gtk/gtkcellarea.c#L3388

3428 gtk_cell_renderer_start_editing (renderer,
...
3444 gtk_cell_area_add_editable (area, priv->focus_cell, editable_widget, cell_area);

(There was also a quick and probably incorrect fix in Bug #1667227 for this use-after-free, with additional removal of the grab from gtk_window_get_group (NULL): https://launchpadlibrarian.net/308873213/lp1667227_quick_fix_gtk_grab_remove.gtk+3.22.8.patch )
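
The add/remove mismatch described in the comment above, reduced to a stand-alone C model. This is an added example, not GTK code and not the commenter's; the `Group`, `Window` and `Widget` types and every function name are simplified stand-ins, and `also_default` models the quick fix the comment mentions.

```c
#include <stdio.h>

#define MAX_GRABS 8

typedef struct { const void *grabs[MAX_GRABS]; int n; } Group;
typedef struct { Group group; } Window;
typedef struct { Window *toplevel; } Widget;  /* toplevel is NULL until parented */

static Group default_group;  /* models gtk_window_get_group (NULL) */

/* Same branch as the gtk_main_get_window_group excerpt in the comment. */
static Group *group_for(const Widget *w) {
    return w->toplevel ? &w->toplevel->group : &default_group;
}

static void group_remove(Group *g, const Widget *w) {
    for (int i = 0; i < g->n; i++)
        if (g->grabs[i] == w) { g->grabs[i] = g->grabs[--g->n]; return; }
}

static int group_holds(const Group *g, const Widget *w) {
    int hits = 0;
    for (int i = 0; i < g->n; i++) hits += (g->grabs[i] == w);
    return hits;
}

static void grab_add(Widget *w) { Group *g = group_for(w); g->grabs[g->n++] = w; }

/* also_default=1 additionally clears the default group (the quick fix). */
static void grab_remove(Widget *w, int also_default) {
    group_remove(group_for(w), w);
    if (also_default) group_remove(&default_group, w);
}

/* Returns how many grab entries for the editor widget survive grab_remove. */
int stale_grabs_after_reparent(int also_default) {
    Window win = { { {0}, 0 } };
    Widget editor = { NULL };
    default_group.n = 0;
    grab_add(&editor);                   /* start_editing: no parent, default group */
    editor.toplevel = &win;              /* add_editable -> gtk_widget_set_parent */
    grab_remove(&editor, also_default);  /* key press: now resolves win's group */
    return group_holds(&default_group, &editor) + group_holds(&win.group, &editor);
}

int main(void) {
    printf("plain remove: %d stale grab(s)\n", stale_grabs_after_reparent(0));
    printf("with quick fix: %d stale grab(s)\n", stale_grabs_after_reparent(1));
    return 0;
}
```

The surviving entry is the pointer that later code such as window_group_cleanup_grabs would walk after the editor widget has been destroyed; the model only counts it and never dereferences freed memory.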

yzp15 (yzp15) wrote :

Reported to gnome's gitlab: https://gitlab.gnome.org/GNOME/gtk/issues/180
Reference: GNOME/gtk#180
