Ubuntu gtk leaks references in GtkTreeView / GtkTreeModelSort which causes a segfault in bluefish
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
GTK+ | Fix Released | Critical | |
gtk+3.0 (Ubuntu) | | High | Unassigned |
Oneiric | | High | Unassigned |
Bug Description
[Impact]
<fill me in with explanation of severity and frequency of bug on users and justification for backporting the fix to the stable release>
[Development Fix]
<fill me in with an explanation of how the bug has been addressed in the development branch, including the relevant version numbers of packages modified in order to implement the fix. >
[Stable Fix]
<fill me in by pointing out a minimal patch applicable to the stable version of the package.>
[Test Case]
<fill me in with detailed *instructions* on how to reproduce the bug. This will be used by people later on to verify the updated package fixes the problem.>
1.
2.
3.
Broken Behavior:
Fixed Behavior:
[Regression Potential]
<fill me in with a discussion of likelihood and potential severity of regressions and how users could get inadvertently affected.>
[Original Report]
In Bluefish we get a lot of bug reports from users on Ubuntu 11.10 that have a segfault, and all backtraces have something weird: a GtkTreeModelSort is calling its sort function after the model has been unreffed by bluefish already.
This behaviour cannot be reproduced on Fedora 16 which also has Gtk-3.2.
Checking with libgobject-list (from http://
After a gdb breakpoint on g_object_ref and g_object_unref with a condition object == 0x123123123 (the pointer of the GtkTreeModelSort) and doing a backtrace for each break, I found which function does not clean its reference count:
```
Breakpoint 2, g_object_ref (object=0xaebbb0) at gobject-list.c:642
642 GObject *obj = G_OBJECT (object);
#0 g_object_ref (object=0xaebbb0) at gobject-list.c:642
#1 0x00007ffff7548abd in gtk_tree_
model=0xaebbb0, path=0x1942660)
at /build/
#2 0x00007ffff75dae49 in cell_info_new (accessible=
path=0x1942660, tv_col=0x746bc0, cell=0x1908dc0)
at /build/
#3 0x00007ffff75de929 in gtk_tree_
at /build/
#4 0x00007ffff75de608 in focus_in (widget=0xaba3c0)
at /build/
#5 0x00007ffff7456f08 in _gtk_marshal_
return_
invocation_
at /build/
#6 0x00007ffff61d00a4 in g_closure_invoke (closure=0x1930ca0,
return_
invocation_
at /build/
#7 0x00007ffff61e202a in signal_
instance=
at /build/
#8 0x00007ffff61eb483 in g_signal_
signal_
at /build/
#9 0x00007ffff61eb852 in g_signal_emit (instance=
signal_
at /build/
#10 0x00007ffff7584fe9 in gtk_widget_
at /build/
#11 0x00007ffff7591492 in gtk_widget_
at /build/
#12 0x00007ffff75968d0 in do_focus_change (widget=0xaba3c0, in=1)
at /build/
#13 0x00007ffff75a2149 in _gtk_window_
at /build/
#14 0x00007ffff75a25ea in gtk_window_
event=
#15 gtk_window_
at /build/
#16 0x00007ffff7456f08 in _gtk_marshal_
return_
invocation_
at /build/
#17 0x00007ffff61d00a4 in g_closure_invoke (closure=0x6d5a90,
return_
invocation_
at /build/
#18 0x00007ffff61e1e5f in signal_
instance=
at /build/
#19 0x00007ffff61eb483 in g_signal_
signal_
at /build/
#20 0x00007ffff61eb852 in g_signal_emit (instance=
signal_
at /build/
#21 0x00007ffff7584fe9 in gtk_widget_
at /build/
#22 0x00007ffff7456da3 in gtk_main_do_event (event=0x1912bb0)
at /build/
#23 0x00007ffff70cf102 in gdk_event_
callback=
at /build/
#24 0x00007ffff55a0a5d in g_main_dispatch (context=0x709090)
at /build/
#25 g_main_
at /build/
#26 0x00007ffff55a1258 in g_main_
block=
at /build/
#27 0x00007ffff55a1792 in g_main_loop_run (loop=0x7fde50)
at /build/
#28 0x00007ffff7455ecd in gtk_main () at /build/
#29 0x0000000000422aff in main (argc=1, argv=0x7fffffff
```
I don't know what causes this leak. It might be Ubuntu-specific patches on gtk, the gtk theme that Ubuntu is using, or accessibility settings that default to a different value on Ubuntu (both on Ubuntu and Fedora I did not change any accessibility option from the default setting).
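The method used above (conditional gdb breakpoints on g_object_ref and g_object_unref for one object address, with a backtrace at every hit) produces a trace that still has to be paired up by hand to find the site whose ref is never released. As an added example that is not part of the report, here is a small Python helper that does that pairing; it assumes each breakpoint's `commands` block prints an `EVENT ref|unref <address>` line before `bt`, and the sample trace, `model_ref_node` and the `app_*` frame names are constructed for this example (only `cell_info_new` comes from the report).

```python
import re
from collections import Counter

# One "EVENT ref|unref <addr>" line per breakpoint hit, followed by its backtrace.
EVENT_RE = re.compile(r"^EVENT (ref|unref) (0x[0-9a-f]+)$")
FRAME_RE = re.compile(r"^#(\d+)\s+(?:0x[0-9a-f]+ in )?(\w+) \(")

# Constructed sample trace: cell_info_new appears in the report's backtrace,
# model_ref_node and the app_* frames are placeholder names.  Two refs, one unref.
SAMPLE_TRACE = """\
EVENT ref 0xaebbb0
#0  g_object_ref (object=0xaebbb0) at gobject.c:100
#1  0x00007ffff7548abd in model_ref_node (model=0xaebbb0) at treemodel.c:10
#2  0x00007ffff75dae49 in cell_info_new (accessible=0x1, path=0x2) at a11y.c:20
EVENT ref 0xaebbb0
#0  g_object_ref (object=0xaebbb0) at gobject.c:100
#1  0x0000000000401000 in app_attach_model (view=0x10) at app.c:40
#2  0x0000000000401100 in main (argc=1) at app.c:50
EVENT unref 0xaebbb0
#0  g_object_unref (object=0xaebbb0) at gobject.c:200
#1  0x0000000000401200 in app_detach_model (view=0x10) at app.c:60
#2  0x0000000000401100 in main (argc=1) at app.c:70
"""

def parse_events(trace):
    """Return [(kind, address, [frame function names, #0 first]), ...]."""
    events = []
    for line in trace.splitlines():
        m = EVENT_RE.match(line)
        if m:
            events.append((m.group(1), m.group(2), []))
        elif events and (f := FRAME_RE.match(line)):
            events[-1][2].append(f.group(2))
    return events

def ref_balance(trace, address, depth=2):
    """Net outstanding refs on `address`, plus the sites that took/released them.
    A site is the chain of `depth` callers above g_object_ref/unref; a site
    that only ever shows up on the ref side is the one that never cleans up."""
    refs, unrefs = Counter(), Counter()
    for kind, ptr, frames in parse_events(trace):
        if ptr == address:
            (refs if kind == "ref" else unrefs)[tuple(frames[1:1 + depth])] += 1
    net = sum(refs.values()) - sum(unrefs.values())
    return net, refs, unrefs

if __name__ == "__main__":
    net, refs, unrefs = ref_balance(SAMPLE_TRACE, "0xaebbb0")
    print(net, "leaked; ref-only sites:", refs.keys() - unrefs.keys())
```

On the sample the net balance is 1 and the only ref-only site is `model_ref_node <- cell_info_new`, which is the shape of the leak the backtrace above points at.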
OlivierS (olivier-olivier) wrote (#1):
Dmitry Shachnev (mitya57) wrote (#2):
This was fixed upstream in http://
Can somebody please add a task for Oneiric?
affects: gtk+3.0 (Ubuntu) → ubuntu
Changed in ubuntu: assignee: nobody → Dmitry Shachnev (mitya57)
Dmitry Shachnev (mitya57) wrote (#3):
Attached a debdiff.
affects: ubuntu → gtk+3.0 (Ubuntu)
Changed in gtk+3.0 (Ubuntu): status: New → In Progress
Changed in gtk+3.0 (Ubuntu): status: In Progress → Fix Released; importance: Undecided → High
Changed in gtk+3.0 (Ubuntu Oneiric): status: New → Triaged; importance: Undecided → High
affects: gtk+3.0 (Ubuntu) → ubuntu
Changed in ubuntu: assignee: Dmitry Shachnev (mitya57) → nobody
Changed in gtk: importance: Unknown → Critical; status: Unknown → Fix Released
OlivierS (olivier-olivier) wrote (#4):
Wouldn't it be better to upgrade to Gtk+-3.2.3 instead of applying just this patch? This patch has been included in gtk+-3.2.3 already.
I know of at least one other critical bug (that causes segfaults) that has been fixed in gtk+-3.2.3.
affects: ubuntu → gtk+3.0 (Ubuntu)
Chris Halse Rogers (raof) wrote (#5):
That commit message does not exactly inspire confidence ☺.
Can we please get a SRU request roughly following https:/
OlivierS (olivier-olivier) wrote (#6):
That commit is part of gtk-3.2.3 which is distributed in other releases (for example Fedora) already. In Fedora there are no stability issues found any more. Also on the bluefish side we do not receive any segfault messages from Fedora users, only from Ubuntu users. So from my point of view there seems to be no regression.
The issue is relevant to any application that uses a GtkTreeModel with a GtkTreeView widget, and the GtkTreeView widget is destroyed but the GtkTreeModel is not (for example because multiple GtkTreeView widgets use the same GtkTreeModel).
description: updated
Evan Broder (broder) wrote (#7):
The commit message certainly leaves a lot to be desired. On the one hand, the commit is definitely fixing a bug in the reference tracking of the info struct, and it avoids storing pointers to the stack which are almost immediately invalidated. On the other hand, while I would expect either of those bugs to cause crashes, I don't see how either of those bugs could affect whether or not there's an extra reference to the GtkTreeModelSort - causing the crash that Olivier describes - but that may just be because of my weak understanding of the whole GtkTree* set of classes.
I'm personally not willing to sponsor this into the archive proper without a better sense of whether or not it will fix the bug at hand.
Olivier: Do you have a concise set of instructions on how to reproduce the bug using Bluefish?
For the time being, I'm going to upload the patch to my PPA (https:/
Sebastien Bacher (seb128) wrote (#8):
Dropping from the queue; Evan seems to be on it.
OlivierS (olivier-olivier) wrote (#9):
With valgrind it is easy to spot with a bluefish binary compiled with gtk-3 (bluefish-2.2.1 compiled with gtk+-3.0-dev available).
You will get an invalid memory access if you just open the preferences and close it with 'OK'.
Without valgrind it is harder to spot because it corrupts memory which may or may not result in crashes.
Dmitry Shachnev (mitya57) wrote (#10):
Unassigning from myself as there's nothing else I can do here. A debdiff, ready for sponsoring, is attached.
Changed in gtk+3.0 (Ubuntu Oneiric): assignee: Dmitry Shachnev (mitya57) → nobody
Sebastien Bacher (seb128) wrote (#11):
> Unassigning from myself as there's nothing else I can do here. A debdiff, ready for sponsoring, is attached.
Thanks for the work, I've sponsored the update.
Changed in gtk+3.0 (Ubuntu Oneiric): status: Triaged → In Progress
Rolf Leggewie (r0lf) wrote (#12):
Oneiric has seen the end of its life and is no longer receiving any updates. Marking the oneiric task for this ticket as "Won't Fix".
Changed in gtk+3.0 (Ubuntu Oneiric): status: In Progress → Won't Fix
I filed this bug in gnome bugzilla at https://bugzilla.gnome.org/show_bug.cgi?id=669376