[Bug 1667227] Re: mate-terminal crashed with SIGSEGV in g_type_check_instance_is_a() - while editing Keyboard Shortcuts

2018-04-14 Thread yzp15
*** This bug is a duplicate of bug 1438014 ***
https://bugs.launchpad.net/bugs/1438014

Reposted to gnome's gitlab:
https://gitlab.gnome.org/GNOME/gtk/issues/180

** Bug watch removed: GNOME Bug Tracker #607668
   https://bugzilla.gnome.org/show_bug.cgi?id=607668

-- 
You received this bug notification because you are a member of Ubuntu
Desktop Bugs, which is subscribed to gnome-terminal in Ubuntu.
https://bugs.launchpad.net/bugs/1667227

Title:
  mate-terminal crashed with SIGSEGV in g_type_check_instance_is_a() -
  while editing Keyboard Shortcuts

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnome-terminal/+bug/1667227/+subscriptions

-- 
desktop-bugs mailing list
desktop-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/desktop-bugs

[Bug 1667232] Re: gnome-terminal-server crashed with SIGSEGV in g_type_check_instance_is_a() while editing shortcuts

2017-02-25 Thread yzp15
*** This bug is a duplicate of bug 1438014 ***
https://bugs.launchpad.net/bugs/1438014


** Patch added: "lp1667227_quick_fix_gtk_grab_remove.gtk+3.22.8.patch"
   https://bugs.launchpad.net/ubuntu/+source/gnome-terminal/+bug/1667232/+attachment/4826657/+files/lp1667227_quick_fix_gtk_grab_remove.gtk+3.22.8.patch

-- 
You received this bug notification because you are a member of Ubuntu
Desktop Bugs, which is subscribed to gnome-terminal in Ubuntu.
https://bugs.launchpad.net/bugs/1667232

Title:
  gnome-terminal-server crashed with SIGSEGV in
  g_type_check_instance_is_a() while editing shortcuts

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnome-terminal/+bug/1667232/+subscriptions

-- 
desktop-bugs mailing list
desktop-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/desktop-bugs


[Bug 1667227] Re: mate-terminal crashed with SIGSEGV in g_type_check_instance_is_a() - while editing Keyboard Shortcuts

2017-02-25 Thread yzp15
** Patch added: "lp1667227_quick_fix_gtk_grab_remove.gtk+3.22.8.patch"
   https://bugs.launchpad.net/ubuntu/+source/gtk+3.0/+bug/1667227/+attachment/4826656/+files/lp1667227_quick_fix_gtk_grab_remove.gtk+3.22.8.patch



[Bug 1667232] Re: gnome-terminal-server crashed with SIGSEGV in g_type_check_instance_is_a() while editing shortcuts

2017-02-25 Thread yzp15
*** This bug is a duplicate of bug 1438014 ***
https://bugs.launchpad.net/bugs/1438014

Seems to be an error in gtk_cell_area_activate_cell: it has an incorrect order of
actions, which broke the gtk_grab_add / gtk_grab_remove pair
https://github.com/GNOME/gtk/blob/6cc08d60efeb02afc0d67982c3dc205dfd16d7cd/gtk/gtkcellarea.c#L3388

3428 gtk_cell_renderer_start_editing (renderer,
This will call gtk_grab_add to register the widget in the default window group
"gtk_window_get_group (NULL);"

Later,
3444 gtk_cell_area_add_editable (area, priv->focus_cell, editable_widget, cell_area);

will change the widget to another window group (by setting the parent:
gtk_cell_area_activate_cell -> gtk_cell_area_add_editable -> ..signal..
-> gtk_tree_view_column_add_editable_callback ->
_gtk_tree_view_add_editable -> gtk_tree_view_put ->
gtk_widget_set_parent)

And gtk_grab_remove will be unable to remove the link to the widget from the wrong
window group, creating a stale pointer, which will be used after free.
More details at Bug #1667227.

The bug can be detected by "Gtk-CRITICAL **: gtk_widget_get_toplevel: assertion
'GTK_IS_WIDGET (widget)' failed" messages, when mate-terminal (bug #1667227) or
gnome-terminal are started from another console (with option --disable-factory)
and keyboard shortcuts are edited.
I have such messages with gtk+3 (upstream) versions 3.16.7, 3.18.9, 3.20.9,
3.22.8; valgrind can detect invalid reads (use after free) from
window_group_cleanup_grabs -> gtk_widget_get_toplevel.

A simple, but potentially incorrect, patch corrects this bug (both Gtk-CRITICAL
messages and valgrind detections/SIGSEGVs) in gnome-terminal and mate-terminal
(bug #1667227). It is tested with gtk+3 3.16.7, 3.18.9, 3.20.9, 3.22.8.
Just call _gtk_window_group_remove_grab from gtkmain.c:gtk_grab_remove twice,
with an additional call for the default window group, to clear all possible
references to the widget from the grabs list:

diff --git a/gtk/gtkmain.c b/gtk/gtkmain.c
index 3152971256..681cb2bec9 100644
--- a/gtk/gtkmain.c
+++ b/gtk/gtkmain.c
@@ -2274,6 +2274,9 @@ gtk_grab_remove (GtkWidget *widget)
 
   group = gtk_main_get_window_group (widget);
   _gtk_window_group_remove_grab (group, widget);
+  // quick workaround for lp #1667227, lp #1667232
+  _gtk_window_group_remove_grab (gtk_window_get_group (NULL), widget);
+
   new_grab_widget = gtk_window_group_get_current_grab (group);
 
   gtk_grab_notify (group, NULL, widget, new_grab_widget, FALSE);
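
Review bot: the added `_gtk_window_group_remove_grab (gtk_window_get_group (NULL), widget);` clears the default group's grab list, but the two context lines after it still work only on `group`: `new_grab_widget` is read from `group` and `gtk_grab_notify` is sent for `group`. When the entry that actually gets removed lived in the default group, that group's current grab changes with no notification. Either compute and notify for the default group as well, or record at gtk_grab_add time which group received the grab and remove from that one only. The new comment also uses `//`, while a `/* ... */` comment that names the add/remove group mismatch would say more than the two bug numbers.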



[Bug 1667227] Re: mate-terminal crashed with SIGSEGV in g_type_check_instance_is_a() - while editing Keyboard Shortcuts

2017-02-25 Thread yzp15
The bug can be detected by "Gtk-CRITICAL **: gtk_widget_get_toplevel: assertion
'GTK_IS_WIDGET (widget)' failed" messages, when mate-terminal or gnome-terminal
are started from another console (with option --disable-factory) and keyboard
shortcuts are edited.
I have such messages with gtk+3 (upstream) versions 3.16.7, 3.18.9, 3.20.9,
3.22.8; valgrind can detect invalid reads (use after free) from
window_group_cleanup_grabs -> gtk_widget_get_toplevel.

A simple, but potentially incorrect, patch corrects this bug (both Gtk-CRITICAL
messages and valgrind detections/SIGSEGVs) in mate-terminal and gnome-terminal
(bug #1667232). It is tested with gtk+3 3.16.7, 3.18.9, 3.20.9, 3.22.8.
Just call _gtk_window_group_remove_grab from gtkmain.c:gtk_grab_remove twice,
with an additional call for the default window group, to clear all possible
references to the widget from the grabs list:

diff --git a/gtk/gtkmain.c b/gtk/gtkmain.c
index 3152971256..681cb2bec9 100644
--- a/gtk/gtkmain.c
+++ b/gtk/gtkmain.c
@@ -2274,6 +2274,9 @@ gtk_grab_remove (GtkWidget *widget)
 
   group = gtk_main_get_window_group (widget);
   _gtk_window_group_remove_grab (group, widget);
+  // quick workaround for lp #1667227, lp #1667232
+  _gtk_window_group_remove_grab (gtk_window_get_group (NULL), widget);
+
   new_grab_widget = gtk_window_group_get_current_grab (group);
 
   gtk_grab_notify (group, NULL, widget, new_grab_widget, FALSE);
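
Review bot: the second `_gtk_window_group_remove_grab` call in this hunk runs unconditionally on every gtk_grab_remove, including the case where `group` already is the group returned by `gtk_window_get_group (NULL)`, where it repeats the call on the line above it. Fetch the default group once into a local and make the extra call only when it differs from `group`. Since the hunk leaves the lookup in gtk_grab_remove unchanged, it would also help to state in the comment that this is a workaround for the widget changing window group between grab add and grab remove, so it can be dropped once that is fixed.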



[Bug 1667227] Re: mate-terminal crashed with SIGSEGV in g_type_check_instance_is_a() - while editing Keyboard Shortcuts

2017-02-25 Thread yzp15
The gtk_main_get_window_group function returns different results for
gtk_grab_add and gtk_grab_remove, but the widget address was the same in both
functions:

  if (GTK_IS_WINDOW (toplevel))
    return gtk_window_get_group (GTK_WINDOW (toplevel));
  else
    return gtk_window_get_group (NULL);

On gtk_grab_add, the window group is 0x55b0b160 for widget 0x55e50780:
Thread 1 "mate-terminal" hit Breakpoint 3, gtk_main_get_window_group (widget=0x55e50780) at ././gtk/gtkmain.c:2025
2025  if (GTK_IS_WINDOW (toplevel))
$2044 (widget) = 0x55e50780
$2045 (toplevel) = 0x55e50780
$2046 (*widget) = {parent_instance = {g_type_instance = {g_class = 0x55e5e800}, ref_count = 1, qdata = 0x2}, priv = 0x555555e50690}
$2047 (*widget.priv) = {..., window = 0x0, registered_windows = 0x0, parent = 0x0, event_controllers = 0x0, accessible = 0x0}
#0  gtk_main_get_window_group (widget=0x55e50780) at ././gtk/gtkmain.c:2025
#1  0x771f3bb3 in gtk_grab_add (widget=0x55e50780) at ././gtk/gtkmain.c:2231
#2  0x770ac1d1 in gtk_cell_renderer_accel_start_editing (cell=0x55845270, event=0x55d416f0, widget=0x55e183f0, path=0x55e57720 "2:0", background_area=0x7fffc2e0, cell_area=0x7fffc2e0, flags=(unknown: 0)) at ././gtk/gtkcellrendereraccel.c:497
#3  0x770a92dd in gtk_cell_renderer_start_editing (cell=0x55845270, event=0x55d416f0, widget=0x55e183f0, path=0x55e57720 "2:0", background_area=0x7fffc2e0, cell_area=0x7fffc2e0, flags=(unknown: 0)) at ././gtk/gtkcellrenderer.c:921
#4  0x7709d47e in gtk_cell_area_activate_cell (area=0x55e0d140, widget=0x55e183f0, renderer=0x55845270, event=0x55d416f0, cell_area=0x7fffc380, flags=(unknown: 0)) at ././gtk/gtkcellarea.c:3432
#5  0x77096407 in gtk_cell_area_real_event (area=0x55e0d140, context=0x55e26850, widget=0x55e183f0, event=0x55d416f0, cell_area=0x7fffc570, flags=(unknown: 0)) at ././gtk/gtkcellarea.c:1101


At the time of gtk_grab_remove, when the event is delivered to widget 0x55e50780
from gtk_main_do_event, its toplevel was 0x55ddb0d0:
Thread 1 "mate-terminal" hit Breakpoint 3, gtk_main_get_window_group (widget=0x55e50780) at ././gtk/gtkmain.c:2025
2025  if (GTK_IS_WINDOW (toplevel))
$2092 (widget) = 0x55e50780
$2093 (toplevel) = 0x55ddb0d0
$2094 (*widget) = {parent_instance = {g_type_instance = {g_class = 0x55e5e800}, ref_count = 7, qdata = 0x55ecf180}, priv = 0x55e50690}
$2095 (*widget.priv) = {, window = 0x55e507e0, registered_windows = 0x55957d00, parent = 0x55e183f0, event_controllers = 0x0, accessible = 0x55e1d320}
#0  gtk_main_get_window_group (widget=0x55e50780) at ././gtk/gtkmain.c:2025
#1  0x771f3d8c in gtk_grab_remove (widget=0x55e50780) at ././gtk/gtkmain.c:2286
#2  0x770ac56b in gtk_cell_editable_event_box_key_press_event (widget=0x55e50780, event=0x55e473c0) at ././gtk/gtkcellrendereraccel.c:645


The parent of the widget was changed by gtk_tree_view_multipress_gesture_pressed ->
.. -> gtk_cell_area_activate_cell -> gtk_cell_area_add_editable -> ..signal..
-> gtk_tree_view_column_add_editable_callback -> _gtk_tree_view_add_editable ->
gtk_tree_view_put -> gtk_widget_set_parent

So, gtk_cell_area_activate_cell of gtk+3 (3.22.7) has an incorrect order of
actions, which broke the gtk_grab_add / gtk_grab_remove pair
https://github.com/GNOME/gtk/blob/6cc08d60efeb02afc0d67982c3dc205dfd16d7cd/gtk/gtkcellarea.c#L3388

3428   gtk_cell_renderer_start_editing (renderer,
...
3444   gtk_cell_area_add_editable (area, priv->focus_cell, editable_widget, cell_area);



[Bug 1667227] Re: mate-terminal crashed with SIGSEGV in g_type_check_instance_is_a() - while editing Keyboard Shortcuts

2017-02-25 Thread yzp15
** Also affects: gtk+3.0 (Ubuntu)
   Importance: Undecided
   Status: New



[Bug 1667227] Re: mate-terminal crashed with SIGSEGV in g_type_check_instance_is_a() - while editing Keyboard Shortcuts

2017-02-25 Thread yzp15
When a shortcut is being changed, the keypress handler
gtk_cell_editable_event_box_key_press_event calls gtk_grab_remove, but
_gtk_window_group_remove_grab tries to remove the grab from the wrong
window_group (not the group used to add the grab in gtk_grab_add ->
_gtk_window_group_add_grab).
The grab removal fails and a stale pointer is kept in the grab list of the
original group. With valgrind I see errors on access with this stale pointer:

==21822== Invalid read of size 8
==21822==    at 0x578DEFF: window_group_cleanup_grabs (gtkwindowgroup.c:111)
==21822==    by 0x578E38C: gtk_window_group_add_window (gtkwindowgroup.c:176)
==21822==    by 0x577AD36: gtk_window_set_transient_for (gtkwindow.c:3332)
==21822==    by 0x56FCD22: gtk_tooltip_set_last_window (gtktooltip.c:808)
==21822==    by 0x56FE9C9: gtk_tooltip_handle_event_internal (gtktooltip.c:1432)
==21822==    by 0x56FE934: _gtk_tooltip_handle_event (gtktooltip.c:1413)
==21822==    by 0x55811E2: gtk_main_do_event (gtkmain.c:1938)
==21822==    by 0x5D34548: _gdk_event_emit (gdkevents.c:73)
==21822==    by 0x5D7ABD1: gdk_event_source_dispatch (gdkeventsource.c:367)
==21822==    by 0x6F65177: g_main_dispatch (gmain.c:3203)
==21822==    by 0x6F660BA: g_main_context_dispatch (gmain.c:3856)
==21822==    by 0x6F662AE: g_main_context_iterate (gmain.c:3929)
==21822==  Address 0x16279328 is 344 bytes inside a block of size 416 free'd
==21822==    at 0x4C2DD5B: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==21822==    by 0x6F6D990: g_free (gmem.c:189)
==21822==    by 0x6F88997: g_slice_free1 (gslice.c:1136)
==21822==    by 0x6CEAE5D: g_type_free_instance (gtype.c:1937)
==21822==    by 0x6CD4F15: g_object_unref (gobject.c:3196)
==21822==    by 0x5784A47: gtk_window_propagate_key_event (gtkwindow.c:8141)
==21822==    by 0x5784AA0: gtk_window_key_press_event (gtkwindow.c:8159)
==21822==    by 0x5583B9C: _gtk_marshal_BOOLEAN__BOXEDv (gtkmarshalers.c:131)
==21822==    by 0x6CC8CC7: g_type_class_meta_marshalv (gclosure.c:1024)
==21822==    by 0x6CC8849: _g_closure_invoke_va (gclosure.c:867)
==21822==    by 0x6CE40E2: g_signal_emit_valist (gsignal.c:3300)
==21822==    by 0x6CE52FE: g_signal_emit (gsignal.c:3447)
==21822==  Block was alloc'd at
==21822==    at 0x4C2CB2F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==21822==    by 0x6F6D827: g_malloc (gmem.c:94)
==21822==    by 0x6F8875B: g_slice_alloc (gslice.c:1025)
==21822==    by 0x6F8879B: g_slice_alloc0 (gslice.c:1051)
==21822==    by 0x6CEA95E: g_type_create_instance (gtype.c:1839)
==21822==    by 0x6CD135B: g_object_new_internal (gobject.c:1783)
==21822==    by 0x6CD20D1: g_object_new_valist (gobject.c:2042)
==21822==    by 0x6CD0F44: g_object_new (gobject.c:1626)
==21822==    by 0x543ABB9: gtk_cell_editable_event_box_new (gtkcellrendereraccel.c:803)


The wrong gtk_grab_remove was called from gtk_window_propagate_key_event:
==21822==    by 0x578EE1B: _gtk_window_group_remove_grab (gtkwindowgroup.c:291)
==21822==    by 0x5581ABE: gtk_grab_remove (gtkmain.c:2285)
==21822==    by 0x543A56A: gtk_cell_editable_event_box_key_press_event (gtkcellrendereraccel.c:645)
==21822==    by 0x5583B9C: _gtk_marshal_BOOLEAN__BOXEDv (gtkmarshalers.c:131)
==21822==    by 0x6CC8CC7: g_type_class_meta_marshalv (gclosure.c:1024)
==21822==    by 0x6CC8849: _g_closure_invoke_va (gclosure.c:867)
==21822==    by 0x6CE40E2: g_signal_emit_valist (gsignal.c:3300)
==21822==    by 0x6CE52FE: g_signal_emit (gsignal.c:3447)
==21822==    by 0x575F9BD: gtk_widget_event_internal (gtkwidget.c:7723)
==21822==    by 0x575ED7F: gtk_widget_event (gtkwidget.c:7293)
==21822==    by 0x57849C4: gtk_window_propagate_key_event (gtkwindow.c:8126)


** Attachment removed: "ProcMaps.txt"
   https://bugs.launchpad.net/ubuntu/+source/mate-terminal/+bug/1667227/+attachment/4825038/+files/ProcMaps.txt

** Information type changed from Private to Public

** Also affects: gnome-terminal (Ubuntu)
   Importance: Undecided
   Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Desktop Bugs, which is subscribed to gnome-terminal in Ubuntu.
https://bugs.launchpad.net/bugs/1667227

Title:
  mate-terminal crashed with SIGSEGV in g_type_check_instance_is_a() -
  while editing Keyboard Shortcuts

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnome-terminal/+bug/1667227/+subscriptions

-- 
desktop-bugs mailing list
desktop-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/desktop-bugs
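
Added example (not code from GTK or from the messages above): a minimal C model of the grab bookkeeping this thread describes, showing why the entry added by gtk_grab_add is left behind when the widget is reparented before gtk_grab_remove, and what the extra removal from the default group changes. The Group and Widget structs and every function name here are hypothetical simplifications, not GTK's types or API.

```c
#include <stddef.h>
#include <stdio.h>

#define MAX_GRABS 8

/* Hypothetical, simplified stand-ins for GtkWindowGroup and GtkWidget. */
typedef struct { const void *grabs[MAX_GRABS]; size_t n; } Group;
typedef struct Widget { struct Widget *parent; Group *window_group; } Widget;

static Group default_group;   /* plays the role of gtk_window_get_group (NULL) */

/* Like the lookup quoted in the thread: the group comes from the widget's
 * current toplevel, so the answer changes once the widget gets a parent. */
static Group *group_for(const Widget *w) {
    while (w->parent) w = w->parent;
    return w->window_group ? w->window_group : &default_group;
}

static void group_add(Group *g, const void *w) {
    if (g->n < MAX_GRABS) g->grabs[g->n++] = w;
}

static void group_remove(Group *g, const void *w) {
    for (size_t i = 0; i < g->n; i++)
        if (g->grabs[i] == w) { g->grabs[i] = g->grabs[--g->n]; return; }
}

static size_t group_count(const Group *g, const void *w) {
    size_t c = 0;
    for (size_t i = 0; i < g->n; i++) c += (g->grabs[i] == w);
    return c;
}

/* Grab, reparent, ungrab, in the order the thread reports. Returns the number
 * of entries for the editable still held by the default group; in GTK each
 * one becomes a dangling pointer when the widget is freed. */
size_t stale_grabs_after_edit(int workaround) {
    Group dialog_group = { {0}, 0 };
    Widget toplevel = { NULL, &dialog_group }, tree_view = { &toplevel, NULL };
    Widget editable = { NULL, NULL };
    default_group.n = 0;
    group_add(group_for(&editable), &editable);      /* grab: default group */
    editable.parent = &tree_view;                    /* add_editable step   */
    group_remove(group_for(&editable), &editable);   /* ungrab: wrong group */
    if (workaround) group_remove(&default_group, &editable);
    return group_count(&default_group, &editable);
}

int main(void) {
    printf("stale without workaround: %zu\n", stale_grabs_after_edit(0));
    printf("stale with workaround:    %zu\n", stale_grabs_after_edit(1));
    return 0;
}
```

The model never frees or dereferences the leftover entry; it only counts it, which is the state valgrind later reports as an invalid read in window_group_cleanup_grabs.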