Wayland: The Accessibility function queryComponent().grabFocus() crashes gtk+ (#1507) · Issues · GNOME / gtk

Wayland: The Accessibility function queryComponent().grabFocus() crashes gtk+

Steps to reproduce

Run gedit beware that will kill it!) in Wayland
Install dogtail (https://gitlab.com/dogtail/dogtail)
Save and run the attached reproducer test-atspi-grab-focus.py

Current behavior

gedit crashes

Expected outcome

No crash

Version information

This is on gtk3, not tried in gtk4.

Additional information

Backtrace (with Gedit):

#0  0x0000000000000000 in  ()
#1  0x00007ffff4678db8 in g_hash_table_lookup_node (hash_return=<synthetic pointer>, key=0x56, hash_table=0x5555557c11b0)
    at ghash.c:379
#2  0x00007ffff4678db8 in g_hash_table_lookup (hash_table=0x5555557c11b0, key=key@entry=0x56) at ghash.c:1153
#3  0x00007ffff6723288 in lookup_cached_xatom (atom=0x56, display=0x5555557ad080 [GdkWaylandDisplay]) at gdkproperty-x11.c:76
#4  0x00007ffff6723288 in gdk_x11_atom_to_xatom_for_display (display=0x5555557ad080 [GdkWaylandDisplay], atom=0x56)
    at gdkproperty-x11.c:109
#5  0x00007ffff6732431 in gdk_x11_get_server_time (window=0x555555d33660 [GdkWaylandWindow]) at gdkwindow-x11.c:5540
#6  0x00007ffff6a5bfa4 in gtk_widget_accessible_grab_focus (component=<optimized out>) at a11y/gtkwidgetaccessible.c:645
#7  0x00007ffff3067a6e in impl_GrabFocus (bus=<optimized out>, message=0x555556286a40, user_data=0x5555558f6040)
    at component-adaptor.c:245
#8  0x00007ffff3061d45 in handle_other
    (pathstr=0x5555562878b8 "/org/a11y/atspi/accessible/164", member=<optimized out>, iface=0x5555562878f0 "org.a11y.atspi.Component", path=0x55555581bdb0, message=0x555556286a40, bus=0x5555562fd5c0) at droute.c:553
#9  0x00007ffff3061d45 in handle_message
    (bus=0x5555562fd5c0, message=message@entry=0x555556286a40, user_data=user_data@entry=0x55555581bdb0) at droute.c:600
#10 0x00007fffeec9cbe8 in _dbus_object_tree_dispatch_and_unlock
    (tree=0x5555557fc900, message=message@entry=0x555556286a40, found_object=found_object@entry=0x7fffffffdbf8)
    at ../../dbus/dbus-object-tree.c:1020
#11 0x00007fffeec8d384 in dbus_connection_dispatch (connection=connection@entry=0x5555562fd5c0)
    at ../../dbus/dbus-connection.c:4745
#12 0x00007fffeeee0289 in message_queue_dispatch (source=<optimized out>, callback=<optimized out>, user_data=<optimized out>)
    at ../atspi/atspi-gmain.c:89
#13 0x00007ffff468a81d in g_main_dispatch (context=0x55555577c4e0) at gmain.c:3177
#14 0x00007ffff468a81d in g_main_context_dispatch (context=context@entry=0x55555577c4e0) at gmain.c:3830
#15 0x00007ffff468abe8 in g_main_context_iterate
    (context=context@entry=0x55555577c4e0, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>)
    at gmain.c:3903
#16 0x00007ffff468ac80 in g_main_context_iteration (context=context@entry=0x55555577c4e0, may_block=may_block@entry=1)
    at gmain.c:3964
#17 0x00007ffff51c6625 in g_application_run
    (application=0x5555557751e0 [GeditAppX11], argc=<optimized out>, argv=0x7fffffffdf18) at gapplication.c:2470
#18 0x0000555555554f9e in main (argc=1, argv=0x7fffffffdf18) at gedit/gedit.c:146
(gdb) 
#0  0x0000000000000000 in  ()
#1  0x00007ffff4678db8 in g_hash_table_lookup_node (hash_return=<synthetic pointer>, key=0x56, hash_table=0x5555557c11b0)
    at ghash.c:379
#2  0x00007ffff4678db8 in g_hash_table_lookup (hash_table=0x5555557c11b0, key=key@entry=0x56) at ghash.c:1153
#3  0x00007ffff6723288 in lookup_cached_xatom (atom=0x56, display=0x5555557ad080 [GdkWaylandDisplay]) at gdkproperty-x11.c:76
#4  0x00007ffff6723288 in gdk_x11_atom_to_xatom_for_display (display=0x5555557ad080 [GdkWaylandDisplay], atom=0x56)
    at gdkproperty-x11.c:109
#5  0x00007ffff6732431 in gdk_x11_get_server_time (window=0x555555d33660 [GdkWaylandWindow]) at gdkwindow-x11.c:5540
#6  0x00007ffff6a5bfa4 in gtk_widget_accessible_grab_focus (component=<optimized out>) at a11y/gtkwidgetaccessible.c:645
#7  0x00007ffff3067a6e in impl_GrabFocus (bus=<optimized out>, message=0x555556286a40, user_data=0x5555558f6040)
    at component-adaptor.c:245
#8  0x00007ffff3061d45 in handle_other
    (pathstr=0x5555562878b8 "/org/a11y/atspi/accessible/164", member=<optimized out>, iface=0x5555562878f0 "org.a11y.atspi.Component", path=0x55555581bdb0, message=0x555556286a40, bus=0x5555562fd5c0) at droute.c:553
#9  0x00007ffff3061d45 in handle_message
    (bus=0x5555562fd5c0, message=message@entry=0x555556286a40, user_data=user_data@entry=0x55555581bdb0) at droute.c:600
#10 0x00007fffeec9cbe8 in _dbus_object_tree_dispatch_and_unlock
    (tree=0x5555557fc900, message=message@entry=0x555556286a40, found_object=found_object@entry=0x7fffffffdbf8)
    at ../../dbus/dbus-object-tree.c:1020
#11 0x00007fffeec8d384 in dbus_connection_dispatch (connection=connection@entry=0x5555562fd5c0)
    at ../../dbus/dbus-connection.c:4745
#12 0x00007fffeeee0289 in message_queue_dispatch (source=<optimized out>, callback=<optimized out>, user_data=<optimized out>)
    at ../atspi/atspi-gmain.c:89
#13 0x00007ffff468a81d in g_main_dispatch (context=0x55555577c4e0) at gmain.c:3177
#14 0x00007ffff468a81d in g_main_context_dispatch (context=context@entry=0x55555577c4e0) at gmain.c:3830
#15 0x00007ffff468abe8 in g_main_context_iterate
    (context=context@entry=0x55555577c4e0, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>)
    at gmain.c:3903
#16 0x00007ffff468ac80 in g_main_context_iteration (context=context@entry=0x55555577c4e0, may_block=may_block@entry=1)
    at gmain.c:3964
#17 0x00007ffff51c6625 in g_application_run
    (application=0x5555557751e0 [GeditAppX11], argc=<optimized out>, argv=0x7fffffffdf18) at gapplication.c:2470
#18 0x0000555555554f9e in main (argc=1, argv=0x7fffffffdf18) at gedit/gedit.c:146
(gdb) 
#0  0x0000000000000000 in  ()
#1  0x00007ffff4678db8 in g_hash_table_lookup_node (hash_return=<synthetic pointer>, key=0x56, hash_table=0x5555557c11b0)
    at ghash.c:379
#2  0x00007ffff4678db8 in g_hash_table_lookup (hash_table=0x5555557c11b0, key=key@entry=0x56) at ghash.c:1153
#3  0x00007ffff6723288 in lookup_cached_xatom (atom=0x56, display=0x5555557ad080 [GdkWaylandDisplay]) at gdkproperty-x11.c:76
#4  0x00007ffff6723288 in gdk_x11_atom_to_xatom_for_display (display=0x5555557ad080 [GdkWaylandDisplay], atom=0x56)
    at gdkproperty-x11.c:109
#5  0x00007ffff6732431 in gdk_x11_get_server_time (window=0x555555d33660 [GdkWaylandWindow]) at gdkwindow-x11.c:5540
#6  0x00007ffff6a5bfa4 in gtk_widget_accessible_grab_focus (component=<optimized out>) at a11y/gtkwidgetaccessible.c:645
#7  0x00007ffff3067a6e in impl_GrabFocus (bus=<optimized out>, message=0x555556286a40, user_data=0x5555558f6040)
    at component-adaptor.c:245
#8  0x00007ffff3061d45 in handle_other
    (pathstr=0x5555562878b8 "/org/a11y/atspi/accessible/164", member=<optimized out>, iface=0x5555562878f0 "org.a11y.atspi.Component", path=0x55555581bdb0, message=0x555556286a40, bus=0x5555562fd5c0) at droute.c:553
#9  0x00007ffff3061d45 in handle_message
    (bus=0x5555562fd5c0, message=message@entry=0x555556286a40, user_data=user_data@entry=0x55555581bdb0) at droute.c:600
#10 0x00007fffeec9cbe8 in _dbus_object_tree_dispatch_and_unlock
    (tree=0x5555557fc900, message=message@entry=0x555556286a40, found_object=found_object@entry=0x7fffffffdbf8)
    at ../../dbus/dbus-object-tree.c:1020
#11 0x00007fffeec8d384 in dbus_connection_dispatch (connection=connection@entry=0x5555562fd5c0)
    at ../../dbus/dbus-connection.c:4745
#12 0x00007fffeeee0289 in message_queue_dispatch (source=<optimized out>, callback=<optimized out>, user_data=<optimized out>)
    at ../atspi/atspi-gmain.c:89
#13 0x00007ffff468a81d in g_main_dispatch (context=0x55555577c4e0) at gmain.c:3177
#14 0x00007ffff468a81d in g_main_context_dispatch (context=context@entry=0x55555577c4e0) at gmain.c:3830
#15 0x00007ffff468abe8 in g_main_context_iterate
    (context=context@entry=0x55555577c4e0, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>)
    at gmain.c:3903
#16 0x00007ffff468ac80 in g_main_context_iteration (context=context@entry=0x55555577c4e0, may_block=may_block@entry=1)
    at gmain.c:3964
#17 0x00007ffff51c6625 in g_application_run
    (application=0x5555557751e0 [GeditAppX11], argc=<optimized out>, argv=0x7fffffffdf18) at gapplication.c:2470
#18 0x0000555555554f9e in main (argc=1, argv=0x7fffffffdf18) at gedit/gedit.c:146

This is because

## Steps to reproduce

1. Run gedit beware that will kill it!) in Wayland
 2. Install dogtail (https://gitlab.com/dogtail/dogtail)
 3. Save and run the attached reproducer [test-atspi-grab-focus.py](/uploads/b3c5d5f1e32e795e4dcc8972ffe46955/test-atspi-grab-focus.py)

## Current behavior

gedit crashes

## Expected outcome

No crash

## Version information

This is on gtk3, not tried in gtk4.

## Additional information

Backtrace (with Gedit):
```
#0  0x0000000000000000 in  ()
#1  0x00007ffff4678db8 in g_hash_table_lookup_node (hash_return=<synthetic pointer>, key=0x56, hash_table=0x5555557c11b0)
    at ghash.c:379
#2  0x00007ffff4678db8 in g_hash_table_lookup (hash_table=0x5555557c11b0, key=key@entry=0x56) at ghash.c:1153
#3  0x00007ffff6723288 in lookup_cached_xatom (atom=0x56, display=0x5555557ad080 [GdkWaylandDisplay]) at gdkproperty-x11.c:76
#4  0x00007ffff6723288 in gdk_x11_atom_to_xatom_for_display (display=0x5555557ad080 [GdkWaylandDisplay], atom=0x56)
    at gdkproperty-x11.c:109
#5  0x00007ffff6732431 in gdk_x11_get_server_time (window=0x555555d33660 [GdkWaylandWindow]) at gdkwindow-x11.c:5540
#6  0x00007ffff6a5bfa4 in gtk_widget_accessible_grab_focus (component=<optimized out>) at a11y/gtkwidgetaccessible.c:645
#7  0x00007ffff3067a6e in impl_GrabFocus (bus=<optimized out>, message=0x555556286a40, user_data=0x5555558f6040)
    at component-adaptor.c:245
#8  0x00007ffff3061d45 in handle_other
    (pathstr=0x5555562878b8 "/org/a11y/atspi/accessible/164", member=<optimized out>, iface=0x5555562878f0 "org.a11y.atspi.Component", path=0x55555581bdb0, message=0x555556286a40, bus=0x5555562fd5c0) at droute.c:553
#9  0x00007ffff3061d45 in handle_message
    (bus=0x5555562fd5c0, message=message@entry=0x555556286a40, user_data=user_data@entry=0x55555581bdb0) at droute.c:600
#10 0x00007fffeec9cbe8 in _dbus_object_tree_dispatch_and_unlock
    (tree=0x5555557fc900, message=message@entry=0x555556286a40, found_object=found_object@entry=0x7fffffffdbf8)
    at ../../dbus/dbus-object-tree.c:1020
#11 0x00007fffeec8d384 in dbus_connection_dispatch (connection=connection@entry=0x5555562fd5c0)
    at ../../dbus/dbus-connection.c:4745
#12 0x00007fffeeee0289 in message_queue_dispatch (source=<optimized out>, callback=<optimized out>, user_data=<optimized out>)
    at ../atspi/atspi-gmain.c:89
#13 0x00007ffff468a81d in g_main_dispatch (context=0x55555577c4e0) at gmain.c:3177
#14 0x00007ffff468a81d in g_main_context_dispatch (context=context@entry=0x55555577c4e0) at gmain.c:3830
#15 0x00007ffff468abe8 in g_main_context_iterate
    (context=context@entry=0x55555577c4e0, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>)
    at gmain.c:3903
#16 0x00007ffff468ac80 in g_main_context_iteration (context=context@entry=0x55555577c4e0, may_block=may_block@entry=1)
    at gmain.c:3964
#17 0x00007ffff51c6625 in g_application_run
    (application=0x5555557751e0 [GeditAppX11], argc=<optimized out>, argv=0x7fffffffdf18) at gapplication.c:2470
#18 0x0000555555554f9e in main (argc=1, argv=0x7fffffffdf18) at gedit/gedit.c:146
(gdb) 
#0  0x0000000000000000 in  ()
#1  0x00007ffff4678db8 in g_hash_table_lookup_node (hash_return=<synthetic pointer>, key=0x56, hash_table=0x5555557c11b0)
    at ghash.c:379
#2  0x00007ffff4678db8 in g_hash_table_lookup (hash_table=0x5555557c11b0, key=key@entry=0x56) at ghash.c:1153
#3  0x00007ffff6723288 in lookup_cached_xatom (atom=0x56, display=0x5555557ad080 [GdkWaylandDisplay]) at gdkproperty-x11.c:76
#4  0x00007ffff6723288 in gdk_x11_atom_to_xatom_for_display (display=0x5555557ad080 [GdkWaylandDisplay], atom=0x56)
    at gdkproperty-x11.c:109
#5  0x00007ffff6732431 in gdk_x11_get_server_time (window=0x555555d33660 [GdkWaylandWindow]) at gdkwindow-x11.c:5540
#6  0x00007ffff6a5bfa4 in gtk_widget_accessible_grab_focus (component=<optimized out>) at a11y/gtkwidgetaccessible.c:645
#7  0x00007ffff3067a6e in impl_GrabFocus (bus=<optimized out>, message=0x555556286a40, user_data=0x5555558f6040)
    at component-adaptor.c:245
#8  0x00007ffff3061d45 in handle_other
    (pathstr=0x5555562878b8 "/org/a11y/atspi/accessible/164", member=<optimized out>, iface=0x5555562878f0 "org.a11y.atspi.Component", path=0x55555581bdb0, message=0x555556286a40, bus=0x5555562fd5c0) at droute.c:553
#9  0x00007ffff3061d45 in handle_message
    (bus=0x5555562fd5c0, message=message@entry=0x555556286a40, user_data=user_data@entry=0x55555581bdb0) at droute.c:600
#10 0x00007fffeec9cbe8 in _dbus_object_tree_dispatch_and_unlock
    (tree=0x5555557fc900, message=message@entry=0x555556286a40, found_object=found_object@entry=0x7fffffffdbf8)
    at ../../dbus/dbus-object-tree.c:1020
#11 0x00007fffeec8d384 in dbus_connection_dispatch (connection=connection@entry=0x5555562fd5c0)
    at ../../dbus/dbus-connection.c:4745
#12 0x00007fffeeee0289 in message_queue_dispatch (source=<optimized out>, callback=<optimized out>, user_data=<optimized out>)
    at ../atspi/atspi-gmain.c:89
#13 0x00007ffff468a81d in g_main_dispatch (context=0x55555577c4e0) at gmain.c:3177
#14 0x00007ffff468a81d in g_main_context_dispatch (context=context@entry=0x55555577c4e0) at gmain.c:3830
#15 0x00007ffff468abe8 in g_main_context_iterate
    (context=context@entry=0x55555577c4e0, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>)
    at gmain.c:3903
#16 0x00007ffff468ac80 in g_main_context_iteration (context=context@entry=0x55555577c4e0, may_block=may_block@entry=1)
    at gmain.c:3964
#17 0x00007ffff51c6625 in g_application_run
    (application=0x5555557751e0 [GeditAppX11], argc=<optimized out>, argv=0x7fffffffdf18) at gapplication.c:2470
#18 0x0000555555554f9e in main (argc=1, argv=0x7fffffffdf18) at gedit/gedit.c:146
(gdb) 
#0  0x0000000000000000 in  ()
#1  0x00007ffff4678db8 in g_hash_table_lookup_node (hash_return=<synthetic pointer>, key=0x56, hash_table=0x5555557c11b0)
    at ghash.c:379
#2  0x00007ffff4678db8 in g_hash_table_lookup (hash_table=0x5555557c11b0, key=key@entry=0x56) at ghash.c:1153
#3  0x00007ffff6723288 in lookup_cached_xatom (atom=0x56, display=0x5555557ad080 [GdkWaylandDisplay]) at gdkproperty-x11.c:76
#4  0x00007ffff6723288 in gdk_x11_atom_to_xatom_for_display (display=0x5555557ad080 [GdkWaylandDisplay], atom=0x56)
    at gdkproperty-x11.c:109
#5  0x00007ffff6732431 in gdk_x11_get_server_time (window=0x555555d33660 [GdkWaylandWindow]) at gdkwindow-x11.c:5540
#6  0x00007ffff6a5bfa4 in gtk_widget_accessible_grab_focus (component=<optimized out>) at a11y/gtkwidgetaccessible.c:645
#7  0x00007ffff3067a6e in impl_GrabFocus (bus=<optimized out>, message=0x555556286a40, user_data=0x5555558f6040)
    at component-adaptor.c:245
#8  0x00007ffff3061d45 in handle_other
    (pathstr=0x5555562878b8 "/org/a11y/atspi/accessible/164", member=<optimized out>, iface=0x5555562878f0 "org.a11y.atspi.Component", path=0x55555581bdb0, message=0x555556286a40, bus=0x5555562fd5c0) at droute.c:553
#9  0x00007ffff3061d45 in handle_message
    (bus=0x5555562fd5c0, message=message@entry=0x555556286a40, user_data=user_data@entry=0x55555581bdb0) at droute.c:600
#10 0x00007fffeec9cbe8 in _dbus_object_tree_dispatch_and_unlock
    (tree=0x5555557fc900, message=message@entry=0x555556286a40, found_object=found_object@entry=0x7fffffffdbf8)
    at ../../dbus/dbus-object-tree.c:1020
#11 0x00007fffeec8d384 in dbus_connection_dispatch (connection=connection@entry=0x5555562fd5c0)
    at ../../dbus/dbus-connection.c:4745
#12 0x00007fffeeee0289 in message_queue_dispatch (source=<optimized out>, callback=<optimized out>, user_data=<optimized out>)
    at ../atspi/atspi-gmain.c:89
#13 0x00007ffff468a81d in g_main_dispatch (context=0x55555577c4e0) at gmain.c:3177
#14 0x00007ffff468a81d in g_main_context_dispatch (context=context@entry=0x55555577c4e0) at gmain.c:3830
#15 0x00007ffff468abe8 in g_main_context_iterate
    (context=context@entry=0x55555577c4e0, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>)
    at gmain.c:3903
#16 0x00007ffff468ac80 in g_main_context_iteration (context=context@entry=0x55555577c4e0, may_block=may_block@entry=1)
    at gmain.c:3964
#17 0x00007ffff51c6625 in g_application_run
    (application=0x5555557751e0 [GeditAppX11], argc=<optimized out>, argv=0x7fffffffdf18) at gapplication.c:2470
#18 0x0000555555554f9e in main (argc=1, argv=0x7fffffffdf18) at gedit/gedit.c:146
```

This is because