GVim crashes when opening new tab

Bug #1650666 reported by Nicholas Guriev
This bug affects 6 people
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| vim (Ubuntu) | | Undecided | Unassigned | |
| Xenial | | Undecided | Unassigned | |

Bug Description

[Impact]

A severe regression has been found in the GTK 3 variant of Gvim.
Upon start-up, it crashes immediately with multiple failed
assertions.

A second related, but less severe problem may occur when opening
new tabs within the GTK 3 variant of Gvim.

[Test Case]

Please note that in the following test cases, a given machine may
experience either of the test cases, while being unable to
experience the other test case. Please do /not/ discount
the merits of this SRU on being able to only confirm a single
test case, but not both.

This patch equally corrects both test cases listed below, to
produce a working GTK 3 Gvim variant.

IMPORTANT: Both test cases below require the package "vim-gtk3"
to be installed, prior to testing for either test case's
impact to one's machine.

[[TEST CASE #1]]

1. From a terminal window, launch the GTK 3 variant of Gvim:

  $ vim.gtk3

2. Immediately upon launch (whereby the window may or may
   not briefly display), the terminal window will show error
   messages relating to `unity_gtk_menu_*` critical
   assertions.

   A full example of the experienced error output shown is:

```
(gvim:13519): GLib-CRITICAL **: g_ptr_array_insert: assertion 'index_ <= (gint)rarray->len' failed
** (gvim:13519): CRITICAL **: unity_gtk_menu_shell_get_item: assertion '0 <= index && index < items->len' failed
** (gvim:13519): CRITICAL **: unity_gtk_menu_item_get_child_shell: assertion 'UNITY_GTK_IS_MENU_ITEM (item)' failed
** (gvim:13519): CRITICAL **: unity_gtk_menu_shell_get_item: assertion '0 <= index && index < items->len' failed
** (gvim:13519): CRITICAL **: unity_gtk_menu_item_get_label: assertion 'UNITY_GTK_IS_MENU_ITEM (item)' failed
** (gvim:13519): CRITICAL **: unity_gtk_menu_item_get_icon: assertion 'UNITY_GTK_IS_MENU_ITEM (item)' failed
```

[[TEST CASE #2]]

1. From a terminal window, launch the GTK 3 variant of Gvim:

  $ vim.gtk3

2. Upon the window opening, attempt to open a new tab by entering
   the key sequences "<ESC>:tabnew" and pressing <ENTER>. The
   program should now SEGV and abort.

[Regression Potential]

* The bug is possibly applicable to all later Ubuntu releases,
  which combine Unity and GTK 3.

* The upstream Vim project has not incorporated the fix, and
  most likely will not. The specifics behind the fix might
  be construed as too specific to the combination of Ubuntu,
  Unity, and GTK 3; and not general enough to patch for all
  downstream distributions.

[Other Info]

* Further information about this bug is available at the URLs:
  https://github.com/vim/vim/issues/851
  https://bugs.launchpad.net/ubuntu/+source/vim/+bug/1650666

---

When I open a new tab using the :tabnew command, GVim crashes in the unity_gtk_menu_section_get_item_attributes function of the libunity-gtk3-parser0 package.

Steps to reproduce:
1. Run gvim from vim-gtk3 package
2. Type `:tabnew`
3. GVim exits, the window closes

Stack trace obtained via gdb:

mymedia@comp2:~$ gdb -silent --args gvim -f -u /dev/null -U /dev/null --noplugin
Reading symbols from gvim...(no debugging symbols found)...done.
gdb$ run
Starting program: /usr/bin/gvim -f -u /dev/null -U /dev/null --noplugin
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7fffe986d700 (LWP 11042)]
[New Thread 0x7fffe906c700 (LWP 11043)]
[New Thread 0x7fffe886b700 (LWP 11044)]

(gvim:11038): GLib-CRITICAL **: g_ptr_array_insert: assertion 'index_ <= (gint)rarray->len' failed

** (gvim:11038): CRITICAL **: unity_gtk_menu_shell_get_item: assertion '0 <= index && index < items->len' failed

** (gvim:11038): CRITICAL **: unity_gtk_menu_item_get_child_shell: assertion 'UNITY_GTK_IS_MENU_ITEM (item)' failed

** (gvim:11038): CRITICAL **: unity_gtk_menu_shell_get_item: assertion '0 <= index && index < items->len' failed

** (gvim:11038): CRITICAL **: unity_gtk_menu_item_get_label: assertion 'UNITY_GTK_IS_MENU_ITEM (item)' failed

** (gvim:11038): CRITICAL **: unity_gtk_menu_item_get_icon: assertion 'UNITY_GTK_IS_MENU_ITEM (item)' failed

Thread 1 "gvim" received signal SIGSEGV, Segmentation fault.
unity_gtk_menu_section_get_item_attributes (model=<optimized out>, item_index=<optimized out>,
    attributes=0x7fffffff8b90) at ../../../lib/unity-gtk-menu-section.c:130
130 ../../../lib/unity-gtk-menu-section.c: Нет такого файла или каталога.
gdb$ backtrace
#0 0x00007fffe9a82083 in unity_gtk_menu_section_get_item_attributes (model=<optimized out>, item_index=<optimized out>, attributes=0x7fffffff8b90) at ../../../lib/unity-gtk-menu-section.c:130
#1 0x00007ffff653f23c in g_menu_model_real_iterate_item_attributes (model=0x555556016160 [UnityGtkMenuSection], item_index=<optimized out>) at ././gio/gmenumodel.c:299
#2 0x00007ffff6541070 in g_menu_exporter_menu_describe_item (position=position@entry=1, menu=<optimized out>, menu=<optimized out>) at ././gio/gmenuexporter.c:212
#3 0x00007ffff65414be in g_menu_exporter_menu_items_changed (model=<optimized out>, position=1, removed=0, added=<optimized out>, user_data=0x555555ffd4c0) at ././gio/gmenuexporter.c:276
#4 0x00007fffee607e18 in ffi_call_unix64 () at /usr/lib/x86_64-linux-gnu/libffi.so.6
#5 0x00007fffee60787a in ffi_call () at /usr/lib/x86_64-linux-gnu/libffi.so.6
#10 0x00007ffff626efaf in <emit signal ??? on instance 0x555556016160 [UnityGtkMenuSection]> (instance=<optimized out>, signal_id=<optimized out>, detail=<optimized out>)
    at ././gobject/gsignal.c:3447
    #6 0x00007ffff62547ae in g_cclosure_marshal_generic (closure=0x55555607fd10, return_gvalue=0x0, n_param_values=<optimized out>, param_values=<optimized out>, invocation_hint=<optimized out>, marshal_data=<optimized out>) at ././gobject/gclosure.c:1490
    #7 0x00007ffff6253f75 in g_closure_invoke (closure=0x55555607fd10, return_value=return_value@entry=0x0, n_param_values=4, param_values=param_values@entry=0x7fffffff9250, invocation_hint=invocation_hint@entry=0x7fffffff91d0) at ././gobject/gclosure.c:804
    #8 0x00007ffff6265f82 in signal_emit_unlocked_R (node=node@entry=0x555555f38af0, detail=detail@entry=0, instance=instance@entry=0x555556016160, emission_return=emission_return@entry=0x0, instance_and_params=instance_and_params@entry=0x7fffffff9250) at ././gobject/gsignal.c:3635
    #9 0x00007ffff626ebcc in g_signal_emit_valist (instance=<optimized out>, signal_id=<optimized out>, detail=<optimized out>, var_args=var_args@entry=0x7fffffff9440)
    at ././gobject/gsignal.c:3391
#14 0x00007ffff626efaf in <emit signal ??? on instance 0x555555e7b9c0 [GtkMenu]> (instance=<optimized out>, signal_id=<optimized out>, detail=<optimized out>) at ././gobject/gsignal.c:3447
    #11 0x00007ffff6253f75 in g_closure_invoke (closure=0x555556054e20, return_value=return_value@entry=0x0, n_param_values=3, param_values=param_values@entry=0x7fffffff96d0, invocation_hint=invocation_hint@entry=0x7fffffff9650) at ././gobject/gclosure.c:804
    #12 0x00007ffff6265f82 in signal_emit_unlocked_R (node=node@entry=0x555555aee490, detail=detail@entry=0, instance=instance@entry=0x555555e7b9c0, emission_return=emission_return@entry=0x0, instance_and_params=instance_and_params@entry=0x7fffffff96d0) at ././gobject/gsignal.c:3635
    #13 0x00007ffff626ebcc in g_signal_emit_valist (instance=<optimized out>, signal_id=<optimized out>, detail=<optimized out>, var_args=var_args@entry=0x7fffffff98b0)
    at ././gobject/gsignal.c:3391
#15 0x000055555575edef in gui_mch_add_menu_item ()
#16 0x000055555566c0e0 in ()
#17 0x000055555566c976 in ex_menu ()
#18 0x000055555561e4cf in do_cmdline ()
#19 0x00005555555e7afe in ex_execute ()
#20 0x000055555561e4cf in do_cmdline ()
#21 0x0000555555746879 in call_func ()
#22 0x00005555557472d5 in get_func_tv ()
#23 0x0000555555749d0f in ex_call ()
#24 0x000055555561e4cf in do_cmdline ()
#25 0x0000555555746879 in call_func ()
#26 0x00005555557472d5 in get_func_tv ()
#27 0x0000555555749d0f in ex_call ()
#28 0x000055555561e4cf in do_cmdline ()
#29 0x0000555555639d76 in ()
#30 0x000055555563a5e4 in apply_autocmds ()
#31 0x00005555555c2965 in buflist_new ()
#32 0x000055555560323b in do_ecmd ()
#33 0x00005555556228c4 in do_exedit ()
#34 0x000055555562300b in ex_splitview ()
#35 0x000055555561e4cf in do_cmdline ()
#36 0x0000555555690135 in ()
#37 0x0000555555699b85 in normal_cmd ()
#38 0x0000555555793435 in main_loop ()
#39 0x00005555557945b0 in vim_main2 ()
#40 0x00005555555b7421 in main ()
gdb$ continue
Continuing.
Vim: Caught deadly signal SEGV
Vim: Finished.

Thread 1 "gvim" received signal SIGSEGV, Segmentation fault.
0x00007ffff2d78b17 in kill () at ../sysdeps/unix/syscall-template.S:84
84 ../sysdeps/unix/syscall-template.S: Нет такого файла или каталога.
gdb$ quit
A debugging session is active.

 Inferior 1 [process 11038] will be killed.

Quit anyway? (y or n) y
mymedia@comp2:~$

Versions:

mymedia@comp2:~$ LANG=C gvim --version
VIM - Vi IMproved 8.0 (2016 Sep 12, compiled Dec 06 2016 10:03:48)
Included patches: 1-95
Modified by <email address hidden>
Compiled by <email address hidden>
Huge version with GTK3 GUI. Features included (+) or not (-):
+acl +file_in_path +mouse_sgr +tag_old_static
+arabic +find_in_path -mouse_sysmouse -tag_any_white
+autocmd +float +mouse_urxvt +tcl
+balloon_eval +folding +mouse_xterm +termguicolors
+browse -footer +multi_byte +terminfo
++builtin_terms +fork() +multi_lang +termresponse
+byte_offset +gettext -mzscheme +textobjects
+channel -hangul_input +netbeans_intg +timers
+cindent +iconv +num64 +title
+clientserver +insert_expand +packages +toolbar
+clipboard +job +path_extra +user_commands
+cmdline_compl +jumplist +perl +vertsplit
+cmdline_hist +keymap +persistent_undo +virtualedit
+cmdline_info +lambda +postscript +visual
+comments +langmap +printer +visualextra
+conceal +libcall +profile +viminfo
+cryptv +linebreak -python +vreplace
+cscope +lispindent +python3 +wildignore
+cursorbind +listcmds +quickfix +wildmenu
+cursorshape +localmap +reltime +windows
+dialog_con_gui +lua +rightleft +writebackup
+diff +menu +ruby +X11
+digraphs +mksession +scrollbind -xfontset
+dnd +modify_fname +signs +xim
-ebcdic +mouse +smartindent +xpm
+emacs_tags +mouseshape +startuptime +xsmp_interact
+eval +mouse_dec +statusline +xterm_clipboard
+ex_extra +mouse_gpm -sun_workshop -xterm_save
+extra_search -mouse_jsbterm +syntax
+farsi +mouse_netterm +tag_binary
   system vimrc file: "$VIM/vimrc"
     user vimrc file: "$HOME/.vimrc"
 2nd user vimrc file: "~/.vim/vimrc"
      user exrc file: "$HOME/.exrc"
  system gvimrc file: "$VIM/gvimrc"
    user gvimrc file: "$HOME/.gvimrc"
2nd user gvimrc file: "~/.vim/gvimrc"
       defaults file: "$VIMRUNTIME/defaults.vim"
    system menu file: "$VIMRUNTIME/menu.vim"
  fall-back for $VIM: "/usr/share/vim"
Compilation: gcc -c -I. -Iproto -DHAVE_CONFIG_H -DFEAT_GUI_GTK -pthread -I/usr/include/gtk-3.0 -I/usr/include/at-spi2-atk/2.0 -I/usr/include/at-spi-2.0 -I/usr/include/dbus-1.0 -I/usr/lib/x86_64-linux-gnu/dbus-1.0/include -I/usr/include/gtk-3.0 -I/usr/include/gio-unix-2.0/ -I/usr/include/mirclient -I/usr/include/mircommon -I/usr/include/mircookie -I/usr/include/cairo -I/usr/include/pango-1.0 -I/usr/include/harfbuzz -I/usr/include/pango-1.0 -I/usr/include/atk-1.0 -I/usr/include/cairo -I/usr/include/pixman-1 -I/usr/include/freetype2 -I/usr/include/libpng16 -I/usr/include/gdk-pixbuf-2.0 -I/usr/include/libpng16 -I/usr/include/glib-2.0 -I/usr/lib/x86_64-linux-gnu/glib-2.0/include -Wdate-time -g -O2 -fdebug-prefix-map=/build/vim-3w9TQv/vim-8.0.0095=. -fPIE -fstack-protector-strong -Wformat -Werror=format-security -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=1
Linking: gcc -L. -Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -fstack-protector -rdynamic -Wl,-export-dynamic -Wl,-E -Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -o vim -lgtk-3 -lgdk-3 -lpangocairo-1.0 -lpango-1.0 -latk-1.0 -lcairo-gobject -lcairo -lgdk_pixbuf-2.0 -lgio-2.0 -lgobject-2.0 -lglib-2.0 -lSM -lICE -lXpm -lXt -lX11 -lXdmcp -lSM -lICE -lm -ltinfo -lnsl -lselinux -lacl -lattr -lgpm -ldl -L/usr/lib -llua5.2 -Wl,-E -fstack-protector-strong -L/usr/local/lib -L/usr/lib/x86_64-linux-gnu/perl/5.24/CORE -lperl -ldl -lm -lpthread -lcrypt -L/usr/lib/python3.5/config-3.5m-x86_64-linux-gnu -lpython3.5m -lpthread -ldl -lutil -lm -L/usr/lib/x86_64-linux-gnu -ltcl8.6 -ldl -lz -lpthread -lieee -lm -lruby-2.3 -lpthread -lgmp -ldl -lcrypt -lm
mymedia@comp2:~$ LANG=C apt policy libunity-gtk3-parser0 vim-gtk3
libunity-gtk3-parser0:
  Installed: 0.0.0+16.10.20160913-0ubuntu1
  Candidate: 0.0.0+16.10.20160913-0ubuntu1
  Version table:
 *** 0.0.0+16.10.20160913-0ubuntu1 500
        500 http://mirror.yandex.ru/ubuntu devel/main amd64 Packages
        100 /var/lib/dpkg/status
vim-gtk3:
  Installed: 2:8.0.0095-1ubuntu2
  Candidate: 2:8.0.0095-1ubuntu2
  Version table:
     2:8.0.0134-1 200
        200 http://mirror.yandex.ru/debian unstable/main amd64 Packages
 *** 2:8.0.0095-1ubuntu2 500
        500 http://mirror.yandex.ru/ubuntu devel/universe amd64 Packages
        100 /var/lib/dpkg/status
N: Ignoring file '50unattended-upgrades.ucf-dist' in directory '/etc/apt/apt.conf.d/' as it has an invalid filename extension
mymedia@comp2:~$ lsb_release -rd
Description: Ubuntu Zesty Zapus (development branch)
Release: 17.04
mymedia@comp2:~$

Sorry for my bad English, this is not my native language, but what else should I provide?

ProblemType: Bug
DistroRelease: Ubuntu 17.04
Package: vim-gtk3 2:8.0.0095-1ubuntu2
ProcVersionSignature: Ubuntu 4.8.0-30.32-generic 4.8.6
Uname: Linux 4.8.0-30-generic x86_64
ApportVersion: 2.20.4-0ubuntu1
Architecture: amd64
CurrentDesktop: Unity
Date: Fri Dec 16 22:05:07 2016
ExecutablePath: /usr/bin/vim.gtk3
SourcePackage: vim
UpgradeStatus: No upgrade log present (probably fresh install)
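
The CRITICAL lines in the trace above are GLib precondition checks: a failed check logs and returns (NULL for getters) instead of aborting, so a caller that does not test the result can go on to dereference NULL. The C model below is an added example, not code from Vim, GLib or unity-gtk-module; `Shell`, `Item` and every function name are hypothetical, and it illustrates the pattern only, not the confirmed root cause.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model of the pattern; all names are hypothetical. */
#define CAP 8
typedef struct { const char *label; } Item;
typedef struct { Item *slot[CAP]; int len; } Shell;

/* Like g_ptr_array_insert in the log: rejects index > len, logs, and
 * returns void, so the caller is not told that nothing was inserted. */
void shell_insert(Shell *s, int index, Item *it) {
    if (index < 0 || index > s->len || s->len == CAP) {
        fprintf(stderr, "CRITICAL: insert: assertion 'index <= len' failed\n");
        return;
    }
    for (int i = s->len; i > index; i--) s->slot[i] = s->slot[i - 1];
    s->slot[index] = it;
    s->len++;
}

/* Like the get_item assertion in the log: bounds check, NULL on failure. */
Item *shell_get_item(const Shell *s, int index) {
    if (index < 0 || index >= s->len) {
        fprintf(stderr, "CRITICAL: get_item: assertion '0 <= index && index < len' failed\n");
        return NULL;
    }
    return s->slot[index];
}

/* Unchecked consumer: dereferences NULL when the index is stale. */
const char *label_unchecked(const Shell *s, int index) {
    return shell_get_item(s, index)->label;
}

/* Checked consumer: a missing item is reported, not dereferenced. */
const char *label_checked(const Shell *s, int index) {
    Item *it = shell_get_item(s, index);
    return it ? it->label : NULL;
}

/* Returns 1 only if the item really landed at `index`. */
int add_and_verify(Shell *s, int index, Item *it) {
    int before = s->len;
    shell_insert(s, index, it);
    return s->len == before + 1 && shell_get_item(s, index) == it;
}

int main(void) {
    Shell s = {0};
    Item file = {"File"}, tab = {"Tab"};
    printf("insert at 0: %d\n", add_and_verify(&s, 0, &file));
    printf("insert at 2: %d\n", add_and_verify(&s, 2, &tab));
    printf("label at 2: %s\n", label_checked(&s, 2) ? "found" : "missing");
    return 0;
}
```

`label_unchecked` is left uncalled on purpose: with index 2 it would fault in the same way the trace does after the failed assertions.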

Nicholas Guriev (mymedia) wrote :
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in vim (Ubuntu):
status: New → Confirmed
Ivo Wever (ivo-wever) wrote :

Just upgraded to Zesty. Experiencing what seems to be this exact problem.

$ gdb -silent --args gvim -f -u /dev/null -U /dev/null --noplugin
Reading symbols from gvim...(no debugging symbols found)...done.
(gdb) run
Starting program: /usr/bin/gvim -f -u /dev/null -U /dev/null --noplugin
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7fffe94cd700 (LWP 22840)]
[New Thread 0x7fffe8ccc700 (LWP 22841)]
[New Thread 0x7fffe3fff700 (LWP 22842)]
[New Thread 0x7fffe0f29700 (LWP 22843)]
[New Thread 0x7fffd6582700 (LWP 22844)]
[New Thread 0x7fffd5d81700 (LWP 22845)]
[New Thread 0x7fffd5580700 (LWP 22847)]
[Thread 0x7fffd5580700 (LWP 22847) exited]
[Thread 0x7fffe0f29700 (LWP 22843) exited]
[Thread 0x7fffd6582700 (LWP 22844) exited]
[Thread 0x7fffd5d81700 (LWP 22845) exited]

(gvim:22836): GLib-CRITICAL **: g_ptr_array_insert: assertion 'index_ <= (gint)rarray->len' failed

** (gvim:22836): CRITICAL **: unity_gtk_menu_shell_get_item: assertion '0 <= index && index < items->len' failed

** (gvim:22836): CRITICAL **: unity_gtk_menu_item_get_child_shell: assertion 'UNITY_GTK_IS_MENU_ITEM (item)' failed

** (gvim:22836): CRITICAL **: unity_gtk_menu_shell_get_item: assertion '0 <= index && index < items->len' failed

** (gvim:22836): CRITICAL **: unity_gtk_menu_item_get_label: assertion 'UNITY_GTK_IS_MENU_ITEM (item)' failed

** (gvim:22836): CRITICAL **: unity_gtk_menu_item_get_icon: assertion 'UNITY_GTK_IS_MENU_ITEM (item)' failed

Thread 1 "gvim" received signal SIGSEGV, Segmentation fault.
0x00007fffe96e2083 in ?? () from /usr/lib/x86_64-linux-gnu/libunity-gtk3-parser.so.0

Ivo Wever (ivo-wever) wrote :

Workaround: remove vim-gnome and vim-gtk3, install vim-gtk (which uses gtk). Perhaps vim-gtk3 should specify a dependency on some specific gtk library, which Nicholas Guriev and I are missing?

David Venz (david-venz) wrote :

Unfortunately while vim-gtk doesn't crash, it does perform poorly during redraws - see https://bugs.launchpad.net/ubuntu/+source/vim/+bug/320700
I haven't yet found a solution on 16.04 under VMware that both performs well and doesn't crash.

oymyisme (oymyisme07) wrote :

On my computer, after "unset GTK_MODULES", vim-gtk3 wouldn't crash.
Another piece of software based on Qt also crashed with GTK_MODULES set, and works well after "unset GTK_MODULES".
So I think vim-gtk3 is a victim too.

oymyisme (oymyisme07) wrote :

After study, I think the problem is in vim-gtk3.
"unset GTK_MODULES" works because vim-gtk3 doesn't use the menu bar in this way.
Check my post at https://github.com/vim/vim/issues/851.

Nish Aravamudan (nacc)
description: updated
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in vim (Ubuntu Xenial):
status: New → Confirmed
Alex Chiang (achiang) wrote :

Using vim8 from a ppa has worked for me. The latest vim has the patch mentioned in github#851.

Perhaps it could be SRU'ed into 16.04's vim7, but that would require someone to put the effort in.

The PPA I used was:

ppa:jonathonf/vim

Thanks to @oymyisme for figuring out the root cause.
