Shortcuts window crash after dispose
@carlosg
Submitted by Carlos Garnacho. Original bug: #763893
Description
Seemingly unrelated steps to reproduce:
- Launch gtk3-demo
- Open "Shortcuts Window" demo
- Select one with several pages, "Gedit" for example
- Swipe with the touchscreen to the next page
- Close the window, hitting Esc or Alt+F4
- Crash
The backtrace is:
(gdb) bt
#0 0x00007ffff755970d in gtk_widget_accessible_get_parent (accessible=<optimized out>) at a11y/gtkwidgetaccessible.c:185
#1 0x00007ffff6b91255 in append_cache_item (obj=0xc63c90 [GtkContainerAccessible], data=0x7fffffffda30) at cache-adaptor.c:137
#2 0x00007ffff30b5dd0 in g_hash_table_foreach (hash_table=0xc22700 = {...}, func=func@entry=0x7ffff6b918b0 <append_accessible_hf>, user_data=user_data@entry=0x7fffffffda30)
at ghash.c:1608
#3 0x00007ffff6b87239 in spi_cache_foreach (cache=<optimized out>, func=func@entry=0x7ffff6b918b0 <append_accessible_hf>, data=data@entry=0x7fffffffda30)
at accessible-cache.c:417
#4 0x00007ffff6b917f0 in impl_GetItems (bus=<optimized out>, message=<optimized out>, user_data=<optimized out>) at cache-adaptor.c:326
#5 0x00007ffff6b8e9e8 in handle_message (pathstr=0x8714c8 "/org/a11y/atspi/cache", member=<optimized out>, iface=0x8714f8 "org.a11y.atspi.Cache", path=0xdfbf60, message=0x8a0430, bus=0xdfded0) at droute.c:553
#6 0x00007ffff6b8e9e8 in handle_message (bus=0xdfded0, message=message@entry=0x8a0430, user_data=user_data@entry=0xdfbf60) at droute.c:600
#7 0x00007ffff1ccf724 in _dbus_object_tree_dispatch_and_unlock (tree=0xd7e1e0, message=message@entry=0x8a0430, found_object=found_object@entry=0x7fffffffdc18)
at ../../dbus/dbus-object-tree.c:1020
#8 0x00007ffff1cc0cb4 in dbus_connection_dispatch (connection=0xdfded0) at ../../dbus/dbus-connection.c:4744
#9 0x00007ffff1f09645 in message_queue_dispatch () at /lib64/libatspi.so.0
#10 0x00007ffff30c68c3 in g_main_context_dispatch (context=0x772d30) at gmain.c:3154
#11 0x00007ffff30c68c3 in g_main_context_dispatch (context=context@entry=0x772d30) at gmain.c:3769
#12 0x00007ffff30c6c70 in g_main_context_iterate (context=context@entry=0x772d30, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at gmain.c:3840
#13 0x00007ffff30c6d1c in g_main_context_iteration (context=context@entry=0x772d30, may_block=may_block@entry=1) at gmain.c:3901
#14 0x00007ffff6261d6d in g_application_run (application=0x76f1a0 [GtkApplication], argc=argc@entry=1, argv=argv@entry=0x7fffffffdf48) at gapplication.c:2381
#15 0x0000000000416c28 in main (argc=1, argv=0x7fffffffdf48) at main.c:1180
Further checks on valgrind show the following errors:
==15779== Invalid read of size 8
==15779== at 0x4EE46C4: gtk_widget_accessible_get_parent (gtkwidgetaccessible.c:185)
==15779== by 0x5E79254: ??? (in /usr/lib64/libatk-bridge-2.0.so.0.0.0)
==15779== by 0x98BDDCF: g_hash_table_foreach (in /usr/lib64/libglib-2.0.so.0.4706.0)
==15779== by 0x5E797EF: ??? (in /usr/lib64/libatk-bridge-2.0.so.0.0.0)
==15779== by 0x5E769E7: ??? (in /usr/lib64/libatk-bridge-2.0.so.0.0.0)
==15779== by 0xAD3B723: ??? (in /usr/lib64/libdbus-1.so.3.15.0)
==15779== by 0xAD2CCB3: dbus_connection_dispatch (in /usr/lib64/libdbus-1.so.3.15.0)
==15779== by 0xAAF5644: ??? (in /usr/lib64/libatspi.so.0.0.1)
==15779== by 0x98CE8C2: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.4706.0)
==15779== by 0x98CEC6F: ??? (in /usr/lib64/libglib-2.0.so.0.4706.0)
==15779== by 0x98CED1B: g_main_context_iteration (in /usr/lib64/libglib-2.0.so.0.4706.0)
==15779== by 0x6782D6C: g_application_run (in /usr/lib64/libgio-2.0.so.0.4706.0)
==15779== by 0x416C27: main (main.c:1180)
==15779== Address 0x19246630 is 752 bytes inside a block of size 816 free'd
==15779== at 0x4C2CD5A: free (vg_replace_malloc.c:530)
==15779== by 0x98D40FD: g_free (in /usr/lib64/libglib-2.0.so.0.4706.0)
==15779== by 0x98EB66F: g_slice_free1 (in /usr/lib64/libglib-2.0.so.0.4706.0)
==15779== by 0x9665AE6: g_type_free_instance (in /usr/lib64/libgobject-2.0.so.0.4706.0)
==15779== by 0x507C1A3: gtk_main_do_event (gtkmain.c:1772)
==15779== by 0x51EC5E0: send_delete_event (gtkwindow.c:1320)
==15779== by 0x578AA9A: gdk_threads_dispatch (gdk.c:720)
==15779== by 0x98CE8C2: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.4706.0)
==15779== by 0x98CEC6F: ??? (in /usr/lib64/libglib-2.0.so.0.4706.0)
==15779== by 0x98CED1B: g_main_context_iteration (in /usr/lib64/libglib-2.0.so.0.4706.0)
==15779== by 0x6782D6C: g_application_run (in /usr/lib64/libgio-2.0.so.0.4706.0)
==15779== by 0x416C27: main (main.c:1180)
==15779== Block was alloc'd at
==15779== at 0x4C2BBAD: malloc (vg_replace_malloc.c:299)
==15779== by 0x98D3FE8: g_malloc (in /usr/lib64/libglib-2.0.so.0.4706.0)
==15779== by 0x98EAF62: g_slice_alloc (in /usr/lib64/libglib-2.0.so.0.4706.0)
==15779== by 0x98EB58D: g_slice_alloc0 (in /usr/lib64/libglib-2.0.so.0.4706.0)
==15779== by 0x96657CC: g_type_create_instance (in /usr/lib64/libgobject-2.0.so.0.4706.0)
==15779== by 0x96469EA: ??? (in /usr/lib64/libgobject-2.0.so.0.4706.0)
==15779== by 0x964843C: g_object_newv (in /usr/lib64/libgobject-2.0.so.0.4706.0)
==15779== by 0x4F693C1: _gtk_builder_construct (gtkbuilder.c:716)
==15779== by 0x4F6A6B4: builder_construct.isra.5 (gtkbuilderparser.c:139)
==15779== by 0x4F6B050: parse_child (gtkbuilderparser.c:522)
==15779== by 0x4F6B050: start_element (gtkbuilderparser.c:970)
==15779== by 0x98D1E85: ??? (in /usr/lib64/libglib-2.0.so.0.4706.0)
==15779== by 0x98D2F6A: g_markup_parse_context_parse (in /usr/lib64/libglib-2.0.so.0.4706.0)
==15779== by 0x4F6C43C: _gtk_builder_parser_parse_buffer (gtkbuilderparser.c:1261)
==15779== by 0x4F66A23: gtk_builder_add_from_resource (gtkbuilder.c:1235)
==15779== by 0x4F69DE9: gtk_builder_new_from_resource (gtkbuilder.c:2608)
==15779== by 0x42CBA7: show_shortcuts (shortcuts.c:19)
==15779== by 0x96417A6: ??? (in /usr/lib64/libgobject-2.0.so.0.4706.0)
==15779== by 0x965CD27: g_signal_emit_valist (in /usr/lib64/libgobject-2.0.so.0.4706.0)
==15779== by 0x965D37E: g_signal_emit (in /usr/lib64/libgobject-2.0.so.0.4706.0)
==15779== by 0x4F6FEBC: gtk_button_do_release (gtkbutton.c:1843)
==15779== by 0x4F6FF27: gtk_real_button_released (gtkbutton.c:1961)
==15779== by 0x96417A6: ??? (in /usr/lib64/libgobject-2.0.so.0.4706.0)
==15779== by 0x965CD27: g_signal_emit_valist (in /usr/lib64/libgobject-2.0.so.0.4706.0)
==15779== by 0x965D37E: g_signal_emit (in /usr/lib64/libgobject-2.0.so.0.4706.0)
==15779== by 0x4F6F2A2: multipress_released_cb (gtkbutton.c:666)
==15779== by 0xC946C57: ffi_call_unix64 (in /usr/lib64/libffi.so.6.0.2)
==15779== by 0xC9466B9: ffi_call (in /usr/lib64/libffi.so.6.0.2)
==15779== by 0x9642289: g_cclosure_marshal_generic_va (in /usr/lib64/libgobject-2.0.so.0.4706.0)
==15779== by 0x96417A6: ??? (in /usr/lib64/libgobject-2.0.so.0.4706.0)
==15779== by 0x965CD27: g_signal_emit_valist (in /usr/lib64/libgobject-2.0.so.0.4706.0)
==15779==
==15779== Invalid read of size 8
==15779== at 0x4EE46CD: gtk_widget_accessible_get_parent (gtkwidgetaccessible.c:185)
==15779== by 0x5E79254: ??? (in /usr/lib64/libatk-bridge-2.0.so.0.0.0)
==15779== by 0x98BDDCF: g_hash_table_foreach (in /usr/lib64/libglib-2.0.so.0.4706.0)
==15779== by 0x5E797EF: ??? (in /usr/lib64/libatk-bridge-2.0.so.0.0.0)
==15779== by 0x5E769E7: ??? (in /usr/lib64/libatk-bridge-2.0.so.0.0.0)
==15779== by 0xAD3B723: ??? (in /usr/lib64/libdbus-1.so.3.15.0)
==15779== by 0xAD2CCB3: dbus_connection_dispatch (in /usr/lib64/libdbus-1.so.3.15.0)
==15779== by 0xAAF5644: ??? (in /usr/lib64/libatspi.so.0.0.1)
==15779== by 0x98CE8C2: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.4706.0)
==15779== by 0x98CEC6F: ??? (in /usr/lib64/libglib-2.0.so.0.4706.0)
==15779== by 0x98CED1B: g_main_context_iteration (in /usr/lib64/libglib-2.0.so.0.4706.0)
==15779== by 0x6782D6C: g_application_run (in /usr/lib64/libgio-2.0.so.0.4706.0)
==15779== by 0x416C27: main (main.c:1180)
==15779== Address 0xaaaaaaaaaaaaaaaa is not stack'd, malloc'd or (recently) free'd
==15779==
==15779==
==15779== Process terminating with default action of signal 11 (SIGSEGV)
==15779== General Protection Fault
==15779== at 0x4EE46CD: gtk_widget_accessible_get_parent (gtkwidgetaccessible.c:185)
Investigating further, it seems that GtkShortcutsWindowPrivate->main_box is the widget that the a11y code is failing to get a parent from. I see the window being destroyed before this happens, and gtk_container_remove() not actually being called on it.
I'm attaching a patch that seems to fix this for me, with no further crashes or valgrind complaints.
Version: 3.22.x
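
The lifetime problem described in this report (a cached accessible that still points at a widget freed without being removed from its container), as a constructed model in plain C. This is an added example, not GTK code and not the attached patch; every name in it is hypothetical, and the static pool with 0xAA poisoning is an assumption used so that the stale read stays defined.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model, not GTK code: every name below is hypothetical. */
typedef struct Widget { struct Widget *parent; } Widget;
typedef struct { Widget *widget; } Accessible;  /* back-pointer to its widget */

static Widget pool[4];       /* stand-in heap, so reading a "freed" slot stays defined */
static Accessible cache[4];  /* stand-in for the bridge's cache of accessibles */
static int n;

static Widget *widget_new(Widget *parent) {
    Widget *w = &pool[n];
    w->parent = parent;
    cache[n++].widget = w;   /* each widget's accessible is cached on creation */
    return w;
}

/* Assumption: freed slots are poisoned with 0xAA, as a debugging allocator might do. */
static void pool_free(Widget *w) { memset(w, 0xAA, sizeof *w); }

/* Teardown that detaches first: the cached accessible becomes defunct. */
static void destroy_with_remove(Widget *w) {
    for (int i = 0; i < n; i++)
        if (cache[i].widget == w) cache[i].widget = NULL;
    pool_free(w);
}

/* The parent pointer a cache walk would load for entry i; 0 means defunct or no parent. */
static uintptr_t parent_seen_by_cache(int i) {
    uintptr_t p = 0;
    if (cache[i].widget) memcpy(&p, &cache[i].widget->parent, sizeof p);
    return p;
}

/* Build window -> main_box, tear main_box down, then walk the cache entry for it. */
static uintptr_t run(int detach) {
    n = 0;
    Widget *window = widget_new(NULL);
    Widget *main_box = widget_new(window);
    if (detach) destroy_with_remove(main_box);
    else pool_free(main_box);   /* freed but still referenced by cache[1] */
    return parent_seen_by_cache(1);
}

int main(void) {
    printf("without remove: parent = %#llx\n", (unsigned long long)run(0));
    printf("with remove:    parent = %#llx\n", (unsigned long long)run(1));
    return 0;
}
```

Without the detach step the cache entry yields the poison pattern as a "parent" pointer, which a walker would then dereference; with it, the lookup returns 0 and the entry is treated as defunct.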