wrapper-2.0 crashed with SIGSEGV in strrchr()

StacktraceTop:
 strrchr () at ../sysdeps/x86_64/strrchr.S:32
 _gtk_menu_tracker_item_new (observable=0x7f6d6955dc80, model=0x7f6d6955df40, item_index=0, action_namespace=0x7f6d6958c5e0 "indicator.thunderbird", is_separator=0) at /build/buildd/gtk+3.0-3.12.2/./gtk/gtkmenutrackeritem.c:524
 gtk_menu_tracker_add_items (tracker=tracker@entry=0x7f6d5400e290, change_point=change_point@entry=0x7f6d5400d698, offset=offset@entry=11, model=model@entry=0x7f6d6955df40, position=position@entry=0, n_items=0, section=0x7f6d5400d690) at /build/buildd/gtk+3.0-3.12.2/./gtk/gtkmenutracker.c:342
 gtk_menu_tracker_model_changed (model=0x7f6d6955df40, position=0, removed=0, added=1, user_data=0x7f6d5400e290) at /build/buildd/gtk+3.0-3.12.2/./gtk/gtkmenutracker.c:445
 ffi_call_unix64 () at ../src/x86/unix64.S:76

Status changed to 'Confirmed' because the bug affects multiple users.

I think somebody with Gtk+ knowledge should examine this as well. I will post my analysis shortly.

This bit of code is from _gtk_menu_tracker_item_new():

513 self->action_and_target = gtk_print_action_and_target (action_namespace, action_name, target);
514
515 if (target)
516 g_variant_unref (target);
517
518 action_name = strrchr (self->action_and_target, '|') + 1;

If we examine gtk_print_action_and_target(), we can see this:

890 g_return_val_if_fail (strchr (action_name, '|') == NULL, NULL);
891 g_return_val_if_fail (action_namespace == NULL || strchr (action_namespace, '|') == NULL, NULL);

On line 891 is where our problems start. This is from my GDB session:

(gdb) p action_name
$2 = (const gchar *) 0x7f0a1e18a9e8 "src.mailbox:///home/wilx/.thunderbird/2de4mlx2.default/Mail/Feeds/Standard%20C++%20|%20Articles%20&%20Books"
(gdb) p action_namespace
$3 = (const gchar *) 0x7f0a1e17e970 "indicator.thunderbird"

Notice that action_namespace does not contain a '|' character. The function fails and returns NULL, which is stored into self->action_and_target without checking for failure which subsequently dies on line 518 in _gtk_menu_tracker_item_new().

Conclusion:

1. _gtk_menu_tracker_item_new() should check for failure of gtk_print_action_and_target().
2. Somebody somewhere should send action namespace in the expected format.

Did you attempt to add the indicator-menu (global menu indicator)? Because that does not work, will crash like this, and is unsupported.

First of all, to me this looks like a bug in Gtk+. Whatever triggers this, the crash is ultimately caused by the failure to check return values in _gtk_menu_tracker_item_new().

Second, if the indicator-menu is unsupported, what replaces it? I believe it just worked fine a release or two back.

This crashes because indicator-messages sends and action name with a '|' in it, which is invalid. I fixed this in r433 by escaping all ids[1], which was released in 13.10.1+15.04.20150112-0ubuntu1.

Gtk currently assumes that those inputs are trusted and thus doesn't verify them. There's been some discussion about changing that at some point, but I think that's beyond the scope of this bug.

[1] http://bazaar.launchpad.net/~indicator-applet-developers/indicator-messages/trunk.15.04/revision/433

So, is this particular crash fixed in 15.04?

It is still there. It was "featured" even in the promotional video for Xubuntu: http://www.youtube.com/watch?v=RbC0hcqZTrU&t=0m46s

[Expired for xfce4-panel (Ubuntu) because there has been no activity for 60 days.]

[Expired for xfce4-indicator-plugin (Ubuntu) because there has been no activity for 60 days.]