Bug#708559: Seeing the same issue with chrome

2015-05-31 Thread Tobias Diedrich
On Sun, 31 May 2015 01:33:17 +0200 Tobias Diedrich tobiasdiedr...@gmail.com
wrote:
> I'm seeing the same issue triggered by using dwm and chrome:
> [...]
> I suspect that this is a null-pointer dereference of icon->priv?
> [...]

More likely a use-after-free, since priv seems to be allocated together with
the main object according to the gtk docs (though priv is 0 in the crash trace;
I presume that dispose nulls it out):

(gdb) bt full
#0  0x7282d616 in gtk_tray_icon_manager_filter
(xevent=0x7fffd9b0, event=<optimized out>, user_data=0x1fc1e1487ea0) at
/build/gtk+2.0-czQfyJ/gtk+2.0-2.24.25/gtk/gtktrayicon-x11.c:400
icon = 0x1fc1e1487ea0
xev = 0x7fffd9b0
[...]
(gdb) print icon
$1 = 0x1fc1e1487ea0
(gdb) print *icon
$2 = {parent_instance = {window = {bin = {container = {widget = {object =
{parent_instance = {g_type_instance = {g_class = 0xf}, ref_count = 0, qdata
= 0x0}, flags = 0}, private_flags = 0, state = 0 '\000', saved_state = 0
'\000', name = 0x error: Cannot access memory at address
0x,
style = 0x, requisition = {width = 2010019790, height =
30670}, allocation = {x = 0, y = -353703190, width = 60138, height = 0},
window = 0xd36cd36cd36c, parent = 0x-e090e0a}, focus_child =
0xf1f6, border_width = 29298, need_resize = 1, resize_mode = 3,
reallocate_redraws = 1,
  has_focus_chain = 1}, child = 0x-20d420d5}, title =
0xdf2b error: Cannot access memory at address 0xdf2b, wmclass_name = 0x0,
wmclass_class = 0x0, wm_role = 0x0, focus_widget = 0x0, default_widget =
0x-1, transient_parent = 0x, geometry_info = 0x7fff7fff7fff,
frame = 0x-1,
  group = 0x, configure_request_count = 24541, allow_shrink = 1,
allow_grow = 0, configure_notify_received = 1, need_default_position = 1,
need_default_size = 0, position = 3, type = 15, has_user_ref_count = 0,
has_focus = 0, modal = 0, destroy_with_parent = 1, has_frame = 1,
iconify_initially = 0,
  stick_initially = 0, maximize_initially = 1, decorated = 0, type_hint
= 1, gravity = 2, is_active = 0, has_toplevel_focus = 1, frame_left = 0,
frame_top = 3941264106, frame_right = 60138, frame_bottom = 0,
keys_changed_handler = 2678026866, mnemonic_modifier = 53199, screen =
0x-ccd0cce},
socket_window = 0x1f332, modality_window = 0x1, modality_group =
0x1fc1e9a8b410, grabbed_keys = 0x0, same_app = 0}, priv = 0x0}
(gdb)


Looking at the code, it is supposed to remove the gtk_tray_icon_manager_filter
before disposing the object; however, it seems possible that:
1) either gdk_window_remove_filter is called on the wrong window, as the window
argument is looked up anew using gdk_window_lookup_for_display /
gdk_screen_get_root_window and I don't know if gdk guarantees that to be the
same result, or
2) it's a threading issue and the filter is invoked on a different thread than
the dispose call and they race (since there doesn't seem to be locking).
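Hypothesis 1) above as an added toy model, not GTK's or the poster's code: a filter registered on one window is removed from a different, freshly looked-up window, so it survives dispose and later runs on the disposed icon; the fix records the registration window on the icon at add time. The window/icon structures, dispose functions and the NULL-priv-after-dispose modelling are constructed for illustration.

```c
/* Added example (not GTK code): toy per-window event filters, showing how removing a
 * filter from a different window than it was added to leaves a stale registration. */
#include <stddef.h>
typedef int (*filter_fn)(void *xevent, void *user_data);
enum { MAX_FILTERS = 8 };
typedef struct { filter_fn fn[MAX_FILTERS]; void *ud[MAX_FILTERS]; int n; } window_t;
typedef struct {
    int *priv;               /* like icon->priv; modelled as NULL once disposed */
    window_t *filter_window; /* fix: remember the window the filter was added to */
} icon_t;
static void add_filter(window_t *w, filter_fn fn, void *ud) {
    if (w->n < MAX_FILTERS) { w->fn[w->n] = fn; w->ud[w->n] = ud; w->n++; }
}
static void remove_filter(window_t *w, filter_fn fn, void *ud) {
    for (int i = 0; i < w->n; i++)
        if (w->fn[i] == fn && w->ud[i] == ud) {      /* swap-remove the match */
            w->n--; w->fn[i] = w->fn[w->n]; w->ud[i] = w->ud[w->n]; return;
        }
}
static void dispatch(window_t *w, void *xevent) {
    for (int i = 0; i < w->n; i++) w->fn[i](xevent, w->ud[i]);
}

static int stale_hits; /* filter invocations that observed a disposed icon */
static int tray_filter(void *xevent, void *ud) {
    icon_t *icon = ud; (void)xevent;
    if (icon->priv == NULL) { stale_hits++; return 0; } /* real code dereferences here */
    return *icon->priv;
}
/* Buggy dispose: the window is looked up anew and may not be the original one. */
static void dispose_buggy(icon_t *icon, window_t *looked_up) {
    remove_filter(looked_up, tray_filter, icon); icon->priv = NULL;
}
/* Fixed dispose: remove from the window recorded at registration time. */
static void dispose_fixed(icon_t *icon) {
    remove_filter(icon->filter_window, tray_filter, icon); icon->priv = NULL;
}

/* Registers on root_a, disposes the icon, then delivers an event on root_a.
 * Returns the number of stale filter hits; 0 means the filter was really removed. */
int run_scenario(int use_fix) {
    window_t root_a = {0}, root_b = {0};
    int storage = 1, event = 0;
    icon_t icon = { &storage, &root_a };
    add_filter(&root_a, tray_filter, &icon);
    stale_hits = 0;
    if (use_fix) dispose_fixed(&icon); else dispose_buggy(&icon, &root_b);
    dispatch(&root_a, &event);
    return stale_hits;
}
```

With the buggy dispose the filter stays on root_a and fires once on the disposed icon; with the fix it is gone before the event arrives.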


Bug#708559: Seeing the same issue with chrome

2015-05-30 Thread Tobias Diedrich
I'm seeing the same issue triggered by using dwm and chrome:

Program received signal SIGSEGV, Segmentation fault.
0x7282d616 in gtk_tray_icon_manager_filter (xevent=0x7fffd9c0,
event=<optimized out>, user_data=0x2b036eb7f9d0)
at /build/gtk+2.0-czQfyJ/gtk+2.0-2.24.25/gtk/gtktrayicon-x11.c:400
400 /build/gtk+2.0-czQfyJ/gtk+2.0-2.24.25/gtk/gtktrayicon-x11.c: No
such file or directory.
(gdb)  bt
#0  0x7282d616 in gtk_tray_icon_manager_filter
(xevent=0x7fffd9c0, event=<optimized out>, user_data=0x2b036eb7f9d0)
at /build/gtk+2.0-czQfyJ/gtk+2.0-2.24.25/gtk/gtktrayicon-x11.c:400
#1  0x7230ed71 in gdk_event_apply_filters (xevent=0x7fffd9c0,
event=0x2b036f9ee500, window=0x0)
at /build/gtk+2.0-czQfyJ/gtk+2.0-2.24.25/gdk/x11/gdkevents-x11.c:371
#2  0x72310074 in gdk_event_translate (display=0x2b0364a4d020
[GdkDisplayX11], event=0x2b036f9ee500, xevent=0x7fffd9c0,
return_exposes=return_exposes@entry=0) at
/build/gtk+2.0-czQfyJ/gtk+2.0-2.24.25/gdk/x11/gdkevents-x11.c:969
#3  0x72311a86 in _gdk_events_queue
(display=display@entry=0x2b0364a4d020
[GdkDisplayX11])
at /build/gtk+2.0-czQfyJ/gtk+2.0-2.24.25/gdk/x11/gdkevents-x11.c:2358
#4  0x72311b2e in gdk_event_dispatch (source=<optimized out>,
callback=<optimized out>, user_data=<optimized out>)
at /build/gtk+2.0-czQfyJ/gtk+2.0-2.24.25/gdk/x11/gdkevents-x11.c:2419
#5  0x772b3c3d in g_main_context_dispatch (context=0x2b03649df790)
at /build/glib2.0-NiYzoW/glib2.0-2.44.1/./glib/gmain.c:3122
#6  0x772b3c3d in g_main_context_dispatch (context=context@entry
=0x2b03649df790)
at /build/glib2.0-NiYzoW/glib2.0-2.44.1/./glib/gmain.c:3737
#7  0x772b3f20 in g_main_context_iterate
(context=context@entry=0x2b03649df790,
block=block@entry=0, dispatch=dispatch@entry=1, self=<optimized out>) at
/build/glib2.0-NiYzoW/glib2.0-2.44.1/./glib/gmain.c:3808
#8  0x772b3fcc in g_main_context_iteration (context=0x2b03649df790,
may_block=0)
at /build/glib2.0-NiYzoW/glib2.0-2.44.1/./glib/gmain.c:3869
#9  0x565b1e12 in  ()
#10 0x2b03649e4480 in  ()
#11 0x0001565b9500 in  ()
#12 0x0001 in  ()
#13 0x7fffdca8 in  ()
#14 0x55fdc028 in  ()
#15 0x7fffdf50 in  ()
#16 0x7fffdc38 in  ()
#17 0x2b0364a15ea0 in  ()
#18 0x5b3927d0 in  ()
#19 0x56579540 in  ()
#20 0x5b3927d0 in  ()
#21 0x012e444f in  ()
#22 0x2b0364a14c80 in  ()
#23 0x2b0300052a20 in  ()
#24 0x in  ()
(gdb)


The gtktrayicon-x11.c code is this (line 400 is the frame #0 location in the
backtrace above):
383: static GdkFilterReturn
384: gtk_tray_icon_manager_filter (GdkXEvent *xevent,
385:                               GdkEvent  *event,
386:                               gpointer   user_data)
387: {
388:   GtkTrayIcon *icon = user_data;
389:   XEvent *xev = (XEvent *)xevent;
390:
391:   if (xev->xany.type == ClientMessage &&
392:       xev->xclient.message_type == icon->priv->manager_atom &&
393:       xev->xclient.data.l[1] == icon->priv->selection_atom)
394:     {
395:       GTK_NOTE (PLUGSOCKET,
396:                 g_print ("GtkStatusIcon %p: tray manager appeared\n", icon));
397:
398:       gtk_tray_icon_update_manager_window (icon);
399:     }
400:   else if (xev->xany.window == icon->priv->manager_window) /* crash site */
401:     {
402:       if (xev->xany.type == PropertyNotify &&
403:           xev->xproperty.atom == icon->priv->orientation_atom)
404:         {
405:           GTK_NOTE (PLUGSOCKET,
406:                     g_print ("GtkStatusIcon %p: got PropertyNotify on manager window for orientation atom\n", icon));
407:
408:           gtk_tray_icon_get_orientation_property (icon);
409:         }
410:       else if (xev->xany.type == DestroyNotify)
411:         {
412:           GTK_NOTE (PLUGSOCKET,
413:                     g_print ("GtkStatusIcon %p: got DestroyNotify for manager window\n", icon));
414:
415:           gtk_tray_icon_manager_window_destroyed (icon);
416:         }
417:       else
418:         GTK_NOTE (PLUGSOCKET,
419:                   g_print ("GtkStatusIcon %p: got other message on manager window\n", icon));
420:     }
421:
422:   return GDK_FILTER_CONTINUE;
423: }


I suspect that this is a null-pointer dereference of icon->priv?
If there is an upstream fix in GTK+3, it would be nice to backport it to the
gtk2 lib, as I'm getting ~daily crashes from this bug.