SEGV in _gtk_widget_get_toplevel()
Steps to reproduce
- This crash can be reproduced in our ERP application CASYMIR (OPG Bug-ID 228735). It occurs after destroying and creating a whole bunch of GtkWidgets. It cannot be reproduced with the supplied demos or test programs.
Analysis
We found out that the blink_cb() in gtkentry.c is being called on a GtkEntry which is not yet fully realized (widget->priv->realized == 0).
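The lifecycle behind that observation, as an added C model that is neither GTK's code nor the reporter's: a blink-style timeout must be removed when the widget is unrealized, and the callback must re-check the realized flag before it walks toward screen/settings. Widget, timeout_add, dispatch_once and run_scenario are invented stand-ins for the GTK/GLib pieces named in the backtrace.

```c
#include <stdbool.h>
typedef struct {
    bool realized;           /* stand-in for widget->priv->realized */
    unsigned blink_timeout;  /* pending source id, 0 = none (GTK convention) */
    int blinks;
} Widget;
/* Constructed stand-in for the GLib timeout source table and main loop. */
typedef bool (*SourceFunc)(void *data);
typedef struct { SourceFunc func; void *data; bool alive; } Source;
static Source sources[64];
static unsigned next_id = 1;
static unsigned timeout_add(SourceFunc func, void *data) {
    if (next_id >= 64) return 0;
    sources[next_id] = (Source){ func, data, true };
    return next_id++;
}
static void source_remove(unsigned id) { if (id) sources[id].alive = false; }
/* One loop iteration: a callback returning false removes its own source. */
static void dispatch_once(void) {
    for (unsigned i = 1; i < next_id; i++)
        if (sources[i].alive && !sources[i].func(sources[i].data))
            sources[i].alive = false;
}
/* Guarded blink callback: on an unrealized widget drop the source instead of
 * walking toward screen/settings the way the reported frames do. */
static bool blink_cb(void *data) {
    Widget *w = data;
    if (!w->realized) { w->blink_timeout = 0; return false; }
    w->blinks++;
    return true;
}
static void widget_realize(Widget *w) {
    w->realized = true;
    if (!w->blink_timeout) w->blink_timeout = timeout_add(blink_cb, w);
}
/* remove_source=false models the bug: the timeout outlives the realized state. */
static void widget_unrealize(Widget *w, bool remove_source) {
    if (remove_source) { source_remove(w->blink_timeout); w->blink_timeout = 0; }
    w->realized = false;
}
/* Realize, pump, unrealize, pump again. Returns the blink count: 1 either way,
 * because the guard catches the stale callback when removal is skipped. */
int run_scenario(bool remove_source) {
    Widget w = {0};
    widget_realize(&w);
    dispatch_once();
    widget_unrealize(&w, remove_source);
    dispatch_once();
    return w.blinks;
}
```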
Version information
- gtk+-3.24.4
- glib-2.54.3
- pango-1.41.0
- cairo-1.16.0
- tested operating systems: CentOS 7.6, Win10/32Bit, Win10/64Bit
Compilation options on CentOS 7.6: ./configure --enable-debug=yes --disable-largefile --disable-tests --enable-broadway-backend --enable-x11-backend --prefix=/opt/casy/gtk3/.Linux.3.x86_64 AWK=/usr/bin/gawk
Cross-compilation options on Win10/32Bit: ./configure --host=i686-w64-mingw32 --build=x86_64-pc-linux-gnu --enable-debug=yes --disable-largefile --disable-cups --disable-introspection --prefix=/home/fredy/.wine/drive_c/Casymir3_32
Cross-compilation options on Win10/64Bit: ./configure --host=x86_64-w64-mingw32 --build=x86_64-pc-linux-gnu --enable-debug=yes --disable-largefile --disable-cups --disable-introspection --prefix=/home/fredy/.wine/drive_c/Casymir3_64
Warnings
No warnings, just SEGV
Backtrace
(gdb) bt
#0 0x00007ffff6edefff in _gtk_widget_get_toplevel (widget=widget@entry=0x2057710)
at gtkwidgetprivate.h:382
#1 gtk_widget_get_screen_unchecked (widget=widget@entry=0x2b44590) at gtkwidget.c:10794
#2 0x00007ffff6ee5f88 in gtk_widget_get_screen (widget=0x2b44590) at gtkwidget.c:10831
#3 0x00007ffff6ee6f78 in gtk_widget_get_settings (widget=0x2b44590) at gtkwidget.c:11681
#4 0x00007ffff6cef033 in get_cursor_blink_timeout (entry=0x2b44590) at gtkentry.c:10221
#5 blink_cb (data=<optimized out>) at gtkentry.c:10287
#6 0x00007ffff687ff18 in gdk_threads_dispatch (data=0x21940e0,
data@entry=<error reading variable: value has been optimized out>) at gdk.c:768
#7 0x00007ffff51f6fa3 in g_timeout_dispatch (source=0x24c46a0, callback=<optimized out>,
user_data=<optimized out>) at gmain.c:4638
#8 0x00007ffff51f6575 in g_main_dispatch (context=0x7c6b00) at gmain.c:3165
#9 g_main_context_dispatch (context=context@entry=0x7c6b00) at gmain.c:3818
#10 0x00007ffff51f68e8 in g_main_context_iterate (context=0x7c6b00, block=block@entry=1,
dispatch=dispatch@entry=1, self=<optimized out>) at gmain.c:3891
#11 0x00007ffff51f6baa in g_main_loop_run (loop=0x1365500) at gmain.c:4087
#12 0x00007ffff6d8a725 in gtk_main () at gtkmain.c:1323
#13 0x000000000041a345 in opg_run_ui ()
#14 0x000000000041a464 in main ()
Valgrind output
==19594== Invalid read of size 8
==19594== at 0x5B18FFB: _gtk_widget_get_toplevel (gtkwidgetprivate.h:382)
==19594== by 0x5B18FFB: gtk_widget_get_screen_unchecked (gtkwidget.c:10794)
==19594== by 0x5B1FF87: gtk_widget_get_screen (gtkwidget.c:10831)
==19594== by 0x5B20F77: gtk_widget_get_settings (gtkwidget.c:11681)
==19594== by 0x5929032: get_cursor_blink_timeout (gtkentry.c:10221)
==19594== by 0x5929032: blink_cb (gtkentry.c:10287)
==19594== by 0x610BF17: gdk_threads_dispatch (gdk.c:768)
==19594== by 0x779CFA2: g_timeout_dispatch (gmain.c:4638)
==19594== by 0x779C574: g_main_dispatch (gmain.c:3165)
==19594== by 0x779C574: g_main_context_dispatch (gmain.c:3818)
==19594== by 0x779C8E7: g_main_context_iterate.isra.25 (gmain.c:3891)
==19594== by 0x779CBA9: g_main_loop_run (gmain.c:4087)
==19594== by 0x59C4724: gtk_main (gtkmain.c:1323)
==19594== by 0x41A344: opg_run_ui (in /home/contrib/opg/opg3/.Linux.3.x86_64/opg)
==19594== by 0x41A463: main (in /home/contrib/opg/opg3/.Linux.3.x86_64/opg)