*** This bug is a duplicate of bug 1438014 ***
https://bugs.launchpad.net/bugs/1438014
Seems to be error in gtk_cell_area_activate_cell: it has incorrect order of
actions which broke gtk_grab_add / gtk_grab_remove pair
https://github.com/GNOME/gtk/blob/6cc08d60efeb02afc0d67982c3dc205dfd16d7cd/gtk/gtkcellarea.c#L3388
3428 gtk_cell_renderer_start_editing (renderer,
This will call gtk_grab_add to register widget in default window group
"gtk_window_get_group (NULL);"
Later,
3444 gtk_cell_area_add_editable (area, priv->focus_cell, editable_widget,
cell_area);
will change widget to other window group (by setting parent
gtk_cell_area_activate_cell -> gtk_cell_area_add_editable -> ..signal..
-> gtk_tree_view_column_add_editable_callback ->
_gtk_tree_view_add_editable -> gtk_tree_view_put ->
gtk_widget_set_parent)
And gtk_grab_remove will be unable to remove link to the widget from the wrong
window group, creating stale pointer, which will be used after free.
More details at Bug #1667227.
Bug can be detected by "Gtk-CRITICAL **: gtk_widget_get_toplevel: assertion
'GTK_IS_WIDGET (widget)' failed" messages, when mate-terminal (bug #1667227) or
gnome-terminal are started from another console (with option --disable-factory)
and keyboard shortcuts are edited.
I have such messages with gtk+3 (upstream) versions 3.16.7, 3.18.9, 3.20.9,
3.22.8; valgrind can detect invalid reads (use after free) from
window_group_cleanup_grabs -> gtk_widget_get_toplevel.
Simple, but potentially incorrect patch corrects this bug (both Gtk-CRITICAL
messages and valgrind detections/SIGSEGVs) in gnome-terminal and mate-terminal
(bug #1667227). It is tested with gtk+3 3.16.7, 3.18.9, 3.20.9, 3.22.8.
Just call _gtk_window_group_remove_grab from gtkmain.c:gtk_grab_remove twice,
additional call with default window group, to clear all possible references to
the widget from the grabs list:
diff --git a/gtk/gtkmain.c b/gtk/gtkmain.c
index 3152971256..681cb2bec9 100644
--- a/gtk/gtkmain.c
+++ b/gtk/gtkmain.c
@@ -2274,6 +2274,9 @@ gtk_grab_remove (GtkWidget *widget)
group = gtk_main_get_window_group (widget);
_gtk_window_group_remove_grab (group, widget);
+ // quick workaround for lp #1667227, lp #1667232
+ _gtk_window_group_remove_grab (gtk_window_get_group (NULL), widget);
+
new_grab_widget = gtk_window_group_get_current_grab (group);
gtk_grab_notify (group, NULL, widget, new_grab_widget, FALSE);
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1667232
Title:
gnome-terminal-server crashed with SIGSEGV in
g_type_check_instance_is_a() while editing shortcuts
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnome-terminal/+bug/1667232/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
