Hello. I did some debugging with valgrind and gdb for the error with this
stack trace top:

 g_type_check_instance_is_a    glib2.0-2.43.92/./gobject/gtype.c:4016
 gtk_widget_get_toplevel       gtk+3.0-3.14.9/./gtk/gtkwidget.c:11382
 window_group_cleanup_grabs    gtk+3.0-3.14.9/./gtk/gtkwindowgroup.c:110
 gtk_window_group_add_window   gtk+3.0-3.14.9/./gtk/gtkwindowgroup.c:169
 gtk_window_set_transient_for  gtk+3.0-3.14.9/./gtk/gtkwindow.c:3134

This is a use-after-free due to incorrect grab deregistration (gtk_grab_remove
tries to remove the grab from a different window_group than the one it was
added to by gtk_grab_add).
Results were posted to Bug #1667227 and Bug #1667232:
https://bugs.launchpad.net/ubuntu/+source/mate-terminal/+bug/1667227 and
https://bugs.launchpad.net/ubuntu/+source/gnome-terminal/+bug/1667232

I think that the gnome-terminal grab use-after-free after editing keyboard
shortcuts may not be related to the patch
"debian/patches/016_no_offscreen_widgets_grabbing.patch" (it only helps
to report a Critical to the log).

Both gtk_grab_add and gtk_grab_remove call the gtk_main_get_window_group
function, but it returns different results for these two calls (more
details at
https://bugs.launchpad.net/ubuntu/+source/mate-terminal/+bug/1667227/comments/8)

static GtkWindowGroup *
gtk_main_get_window_group (GtkWidget *widget)
...
  if (GTK_IS_WINDOW (toplevel))
    return gtk_window_get_group (GTK_WINDOW (toplevel));
  else
    return gtk_window_get_group (NULL);

At the time of gtk_grab_add (called from gtk_cell_renderer_accel_start_editing,
which is called from gtk_cell_renderer_start_editing) this widget had window =
0x0 and parent = 0x0.
And at the time of gtk_grab_remove (called from
gtk_cell_editable_event_box_key_press_event) the same widget had window =
0x555555e507e0 (parent = 0x555555e183f0), which leads to incorrect
deregistration of the grab.

The parent of the widget was changed by
gtk_tree_view_multipress_gesture_pressed -> .. ->
gtk_cell_area_activate_cell -> gtk_cell_area_add_editable -> ..signal..
-> gtk_tree_view_column_add_editable_callback ->
_gtk_tree_view_add_editable -> gtk_tree_view_put ->
gtk_widget_set_parent

So gtk_cell_area_activate_cell in gtk+3 (3.22.7) has some kind of incorrect
ordering of actions which breaks the gtk_grab_add / gtk_grab_remove pair:
https://github.com/GNOME/gtk/blob/6cc08d60efeb02afc0d67982c3dc205dfd16d7cd/gtk/gtkcellarea.c#L3388

3428 gtk_cell_renderer_start_editing (renderer,
...
3444 gtk_cell_area_add_editable (area, priv->focus_cell, editable_widget, cell_area);

(There was also a quick and probably incorrect fix in Bug #1667227 for
this use-after-free with additional removal of the grab from
gtk_window_get_group (NULL):
https://launchpadlibrarian.net/308873213/lp1667227_quick_fix_gtk_grab_remove.gtk+3.22.8.patch
)

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to gtk+3.0 in Ubuntu.
https://bugs.launchpad.net/bugs/1438014
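The grab mismatch analysed in the comment above, replayed as a stand-alone C model. This is an added example for this page, not GTK's code and not the commenter's: it keeps a tiny window-group/grab-list structure, resolves the group from the widget's current toplevel on both add and remove the way gtk_main_get_window_group does, reparents the widget in between (the gtk_tree_view_put -> gtk_widget_set_parent step), and then counts how many grab entries a later window_group_cleanup_grabs walk would find pointing at a finalized widget. The real code dereferences those entries in gtk_widget_get_toplevel, which is where g_type_check_instance_is_a faults in the stack trace; the model only counts them. The "recorded" pairing, which stores the group at grab-add time and removes from that same group, is an illustration of one way to keep the pair symmetric and is an assumption of this example, not the upstream fix. All names and structures here are simplified stand-ins.

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Added example: a simplified model of GTK3's grab bookkeeping, not GTK code. */
#define MAX_GRABS 8

typedef struct Widget Widget;
typedef struct WindowGroup { Widget *grabs[MAX_GRABS]; int n_grabs; } WindowGroup;

struct Widget {
    Widget *parent;             /* NULL while the cell editable is unparented */
    WindowGroup *group;         /* set only on toplevel windows */
    WindowGroup *grab_group;    /* recorded variant: group the grab was added to */
    int alive;                  /* 0 once finalized (memory is not actually freed) */
};

static WindowGroup default_group;   /* what gtk_window_get_group(NULL) would return */

/* Stand-in for gtk_main_get_window_group(): walk to the toplevel; a window
 * yields its own group, anything else yields the default group. */
static WindowGroup *window_group_for(Widget *w)
{
    while (w->parent) w = w->parent;
    return w->group ? w->group : &default_group;
}

static void group_add_grab(WindowGroup *g, Widget *w)
{
    if (g->n_grabs == MAX_GRABS) abort();
    g->grabs[g->n_grabs++] = w;
}

/* Returns 1 if the widget was registered in this group and got removed, else 0. */
static int group_remove_grab(WindowGroup *g, const Widget *w)
{
    for (int i = 0; i < g->n_grabs; i++) {
        if (g->grabs[i] != w)
            continue;
        memmove(&g->grabs[i], &g->grabs[i + 1], (size_t)(g->n_grabs - i - 1) * sizeof g->grabs[0]);
        g->n_grabs--;
        return 1;
    }
    return 0;
}

/* Stand-in for window_group_cleanup_grabs(), which calls gtk_widget_get_toplevel() on
 * every grabbed widget. Instead of dereferencing, count entries that point at a
 * finalized widget: each one is the use-after-free seen in the stack trace. */
static int group_dangling_grabs(const WindowGroup *g)
{
    int dangling = 0;
    for (int i = 0; i < g->n_grabs; i++) dangling += !g->grabs[i]->alive;
    return dangling;
}

/* Current pairing: the group is looked up independently on add and on remove. */
static void grab_add_lookup(Widget *w)    { group_add_grab(window_group_for(w), w); }
static int  grab_remove_lookup(Widget *w) { return group_remove_grab(window_group_for(w), w); }

/* Illustrative symmetric pairing (assumption, not the upstream fix): remove from
 * the group the grab was actually added to. */
static void grab_add_recorded(Widget *w)
{
    w->grab_group = window_group_for(w);
    group_add_grab(w->grab_group, w);
}
static int grab_remove_recorded(Widget *w)
{
    WindowGroup *g = w->grab_group;
    w->grab_group = NULL;
    return g ? group_remove_grab(g, w) : 0;
}

/* Replays the sequence from the report: grab added while the accel editable has no
 * parent, gtk_tree_view_put() parents it under the preferences window, grab removed
 * on key press, editable finalized. Returns the number of dangling grab entries. */
static int replay(int use_recorded_group)
{
    WindowGroup prefs_group = { {0}, 0 };
    Widget prefs_window = { NULL, &prefs_group, NULL, 1 };
    Widget editable = { NULL, NULL, NULL, 1 };

    if (use_recorded_group) grab_add_recorded(&editable);
    else                    grab_add_lookup(&editable);
    editable.parent = &prefs_window;       /* reparented between add and remove */
    if (use_recorded_group) grab_remove_recorded(&editable);
    else                    grab_remove_lookup(&editable);
    editable.alive = 0;                    /* widget finalized */

    int dangling = group_dangling_grabs(&default_group) + group_dangling_grabs(&prefs_group);
    group_remove_grab(&default_group, &editable);   /* reset shared state for the next replay */
    return dangling;
}

int main(void)
{
    printf("group looked up on remove: %d dangling grab(s)\n", replay(0));   /* 1 */
    printf("group recorded on add:     %d dangling grab(s)\n", replay(1));   /* 0 */
    return 0;
}
```

With the lookup pairing the removal silently fails (it searches the preferences window's group while the entry lives in the default group), and the default group keeps a pointer to a finalized widget until the next window joins a group and the cleanup walk touches it. Pairing removal with the group recorded at add time removes the entry regardless of how the widget was reparented in between.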

Title:
  gnome-terminal-server and mate-terminal crash when setting keyboard
  shortcuts

Status in gtk+3.0 package in Ubuntu:
  Confirmed

Bug description:
  I put my laptop to sleep for an hour or so; when I restored it,
  gnome-terminal had crashed. It did not do this the previous time I suspended
  my laptop today, so I doubt that's immediately related.

  This crash can be reproduced by setting a shortcut in preferences.

  ProblemType: Crash
  DistroRelease: Ubuntu 15.04
  Package: gnome-terminal 3.14.2-0ubuntu2
  ProcVersionSignature: Ubuntu 3.19.0-10.10-generic 3.19.2
  Uname: Linux 3.19.0-10-generic x86_64
  NonfreeKernelModules: openafs
  ApportVersion: 2.16.2-0ubuntu5
  Architecture: amd64
  CurrentDesktop: Unity
  Date: Mon Mar 30 00:19:43 2015
  ExecutablePath: /usr/lib/gnome-terminal/gnome-terminal-server
  InstallationDate: Installed on 2014-02-03 (419 days ago)
  InstallationMedia: Ubuntu 13.10 "Saucy Salamander" - Release amd64 (20131016.1)
  ProcCmdline: /usr/lib/gnome-terminal/gnome-terminal-server
  ProcEnviron:
   XDG_RUNTIME_DIR=<set>
   SHELL=/bin/bash
   LANGUAGE=en_US
   PATH=(custom, user)
   LANG=en_US.UTF-8
  SegvAnalysis:
   Segfault happened at: 0x7f98e2afbf1f <g_type_check_instance_is_a+63>:        testb  $0x4,0x16(%rax)
   PC (0x7f98e2afbf1f) ok
   source "$0x4" ok
   destination "0x16(%rax)" (0x0000bcae) not located in a known VMA region (needed writable region)!
  SegvReason: writing NULL VMA
  Signal: 11
  SourcePackage: gnome-terminal
  StacktraceTop:
   g_type_check_instance_is_a () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
   gtk_widget_get_toplevel (widget=0x2580c30) at /build/buildd/gtk+3.0-3.14.9/./gtk/gtkwidget.c:11382
   window_group_cleanup_grabs (group=<optimized out>, window=window@entry=0x252a230) at /build/buildd/gtk+3.0-3.14.9/./gtk/gtkwindowgroup.c:110
   gtk_window_group_add_window (window_group=0x27e5c40, window=0x252a230) at /build/buildd/gtk+3.0-3.14.9/./gtk/gtkwindowgroup.c:169
   gtk_window_set_transient_for (window=0x252a230, parent=0x23ac7d0) at /build/buildd/gtk+3.0-3.14.9/./gtk/gtkwindow.c:3134
  Title: gnome-terminal-server crashed with SIGSEGV in g_type_check_instance_is_a()
  UpgradeStatus: Upgraded to vivid on 2015-03-29 (0 days ago)
  UserGroups: adm cdrom dialout dip kvm libvirtd lpadmin plugdev sambashare sbuild sudo
