GNOME Bugzilla – Bug 135489
gtkhtml2 2.4.0 crashes when using gnochm
Last modified: 2004-12-22 21:47:04 UTC
Package: gtkhtml2
Severity: normal
Version: 2.4.0
Synopsis: gtkhtml2 2.4.0 crashes when using gnochm
Bugzilla-Product: gtkhtml2
Bugzilla-Component: General
BugBuddy-GnomeVersion: 2.0 (2.0.3)

Description:
Hi, I *think* this problem is not in gnochm (a CHM file viewer using gnome-python2-gtkhtml2), because it has been working properly in RedHat 8.0 (gtkhtml2 2.0.1).

Steps to reproduce the problem:
1. Open pretty much any file in gnochm
2. Follow two or more links
3. Crash :) (it's pretty consistent)

I tried to debug libgtkhtml2, and all I could find is that if I remove "xmlFreeDoc()" from html_parser_finalize(), the problem goes away. Please let me know if you want me to do some more testing - I wasn't sure what to try.

Thanks!
Rubens

Debugging Information:
Backtrace was generated from 'gnochm'
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...[New Thread 8192 (LWP 30195)]
(no debugging symbols found)... (no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...0x420ae169 in wait4 () from /lib/i686/libc.so.6
A similar bug, bug #130789, has been fixed. Could you try with a later release? Release 2.5.6 is the latest.
Same problem happens in 2.5.6 and 2.6.0. Here is the backtrace for 2.6.0:

Backtrace was generated from '/usr/bin/gnochm'
(no debugging symbols found)...Using host libthread_db library "/lib/tls/libthread_db.so.1".
(no debugging symbols found)... (no debugging symbols found)...[Thread debugging using libthread_db enabled]
[New Thread -1084422848 (LWP 7118)]
(no debugging symbols found)... (no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)... (no debugging symbols found)...
0x0054cc32 in _dl_sysinfo_int80 () from /lib/ld-linux.so.2

Thread 1 (Thread -1084422848 (LWP 7118))
I assume that html_document_clear is called before this crash happens. Can you confirm this and check the value of document->dom_document when html_document_clear is called?
No, it's not being called at all... (By the way, not sure whether it makes any difference or not, but cancel_func is not being set at all either.)
I am not sure either whether not calling cancel_func makes any difference. Your original comment said that changing html_parser_finalize changed the behavior. Can you send me a stack trace of when html_parser_finalize is called?
Sure - from what I can see, it is being called when I am displaying a new page (using html_document_open_stream). If I remove the xmlFreeDoc() line from the code, it doesn't crash anymore (but may be leaking tons of memory :). Here it is:

#0  html_parser_finalize (object=0x8480ef8) at htmlparser.c:187
#1  0x4014c59d in g_object_last_unref () from /usr/lib/libgobject-2.0.so.0
#2  0x4020af0d in html_document_open_stream (document=0x8480ef8, mime_type=0x831729c "text/html") at htmldocument.c:669
#3  0x400b2f69 in _wrap_html_document_open_stream (self=0x0, args=0x844c9d4, kwargs=0x0) at gtkhtml2.c:260
#4  0x080cebae in PyCFunction_Call ()
#5  0x080b1557 in PyObject_Call ()
#6  0x0807b975 in do_call ()
#7  0x08079671 in eval_frame ()
#8  0x0807a10e in PyEval_EvalCodeEx ()
#9  0x080c21bc in function_call ()
#10 0x080b1557 in PyObject_Call ()
#11 0x080b827b in instancemethod_call ()
#12 0x080b1557 in PyObject_Call ()
#13 0x0807b339 in PyEval_CallObjectWithKeywords ()
#14 0x080b150e in PyObject_CallObject ()
#15 0x400a7989 in pyg_closure_marshal (closure=0x8434378, return_value=0x0, n_param_values=2, param_values=0xbfffec30, invocation_hint=0xbfffeb38, marshal_data=0x0) at pygtype.c:669
#16 0x4014a0c0 in g_closure_invoke () from /usr/lib/libgobject-2.0.so.0
#17 0x4015e8b4 in signal_emit_unlocked_R () from /usr/lib/libgobject-2.0.so.0
#18 0x4015d888 in g_signal_emit_valist () from /usr/lib/libgobject-2.0.so.0
#19 0x4015dbd3 in g_signal_emit_by_name () from /usr/lib/libgobject-2.0.so.0
#20 0x4022e1ee in html_event_button_release (view=0x8445ce0, event=0x8585168) at htmlevent.c:242
#21 0x4022faa2 in html_view_button_release (widget=0x8445ce0, event=0x8445ce0) at htmlview.c:761
#22 0x4032a0e4 in _gtk_marshal_BOOLEAN__BOXED () from /usr/lib/libgtk-x11-2.0.so.0
#23 0x4014a467 in g_type_class_meta_marshal () from /usr/lib/libgobject-2.0.so.0
#24 0x4014a0c0 in g_closure_invoke () from /usr/lib/libgobject-2.0.so.0
#25 0x4015e369 in signal_emit_unlocked_R () from /usr/lib/libgobject-2.0.so.0
#26 0x4015d689 in g_signal_emit_valist () from /usr/lib/libgobject-2.0.so.0
#27 0x4036cfdf in gtk_signal_emit () from /usr/lib/libgtk-x11-2.0.so.0
#28 0x40410413 in gtk_widget_event_internal () from /usr/lib/libgtk-x11-2.0.so.0
#29 0x40329e67 in gtk_propagate_event () from /usr/lib/libgtk-x11-2.0.so.0
#30 0x40328b45 in gtk_main_do_event () from /usr/lib/libgtk-x11-2.0.so.0
#31 0x4058ff21 in gdk_event_dispatch () from /usr/lib/libgdk-x11-2.0.so.0
#32 0x401a1f65 in g_main_dispatch () from /usr/lib/libglib-2.0.so.0
#33 0x401a2f98 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#34 0x401a32ad in g_main_context_iterate () from /usr/lib/libglib-2.0.so.0
#35 0x401a3a1f in g_main_loop_run () from /usr/lib/libglib-2.0.so.0
#36 0x4032839f in gtk_main () from /usr/lib/libgtk-x11-2.0.so.0
#37 0x40848285 in _wrap_gtk_main (self=0x0) at gtk.override:2928
#38 0x0807b5ae in fast_cfunction ()
#39 0x08079692 in eval_frame ()
#40 0x0807a10e in PyEval_EvalCodeEx ()
#41 0x08077025 in PyEval_EvalCode ()
#42 0x08096a49 in run_node ()
#43 0x080959c3 in PyRun_SimpleFileExFlags ()
#44 0x0809530a in PyRun_AnyFileExFlags ()
#45 0x0805381c in Py_Main ()
#46 0x08053269 in main ()
#47 0x420158d4 in __libc_start_main () from /lib/i686/libc.so.6
Created attachment 26087 [details]
Trace for html_document_finalize

Trace just requested (my web browser is not happy with cut/paste).
Created attachment 26088 [details]
And another one...

And now the interesting bit: the previous stack traces were obtained using bug-buddy. This time, as I am running gdb manually, I got this different trace. I also get the following message on stderr:

(gnochm:3190): GLib-GObject-WARNING **: invalid uninstantiatable type `(null)' in cast to `DomNode'
The crash is happening because we are leaking some data structures but not all.
Created attachment 26090 [details] [review]
Proposed patch

Can you check if the attached patch helps? Where is the file gtkhtml2.c referred to in the stack trace you sent me?
gtkhtml2.c is part of the gnome-python package - it's in the GNOME CVS as well. With your patch, the crash does not occur in the same place anymore (things are better), and I get lots of the g_warnings you added:

[rubensr@hal9000 gnochm]$ ./gnochm
(gnochm:9338): HtmlDocument-WARNING **: DomDocument being leaked in html_startDocument
(gnochm:9338): HtmlDocument-WARNING **: DomDocument being leaked in html_startDocument
(gnochm:9338): HtmlDocument-WARNING **: DomDocument being leaked in html_startDocument
(gnochm:9338): HtmlView-WARNING **: Focus element set when inserting toplevel node
(gnochm:9338): HtmlDocument-WARNING **: DomDocument being leaked in html_startDocument
(gnochm:9338): HtmlView-WARNING **: Focus element set when inserting toplevel node
(gnochm:9338): HtmlDocument-WARNING **: DomDocument being leaked in html_startDocument
(gnochm:9338): HtmlView-WARNING **: Focus element set when inserting toplevel node
Created attachment 26096 [details]
Crash after patch

After your patch, a strange crash occurs when the cursor leaves/enters the gtkhtml widget (apparently). This trace was obtained using bug-buddy. The "old" crash does not seem to happen anymore.
Created attachment 26097 [details]
Crash after patch

After your patch, a strange crash occurs when the cursor leaves/enters the gtkhtml widget (apparently). This trace was obtained using bug-buddy. The "old" crash does not seem to happen anymore.
Created attachment 26098 [details]
Second trace for "crash after patch", using gdb

Same crash, now trace generated using gdb.
Created attachment 26111 [details] [review]
Updated patch

I hope that the updated patch fixes the latest crash and also fixes the leaking.
Created attachment 26113 [details] [review]
Corrected updated patch
Created attachment 26141 [details]
Crash occurs in a different place now

It has moved :) Now all I have to do to crash it is open any document... It will die before anything is displayed.
Does adding a call to "document->dom_document = NULL;" in html_document_init() help?
No sorry - same problem.
Try changing line 755 (or is it line 766?) of htmldocument.c from "while (node) {" to "while (DOM_IS_NODE (node)) {".
Created attachment 26196 [details]
Different position, same problem

I also had to add a check to prevent xmlFreeNode(top_node) from crashing, but after that, I think we're back to the original problem, just in a different place, I suspect.
I think that I am going to have to get to the state where I reproduce this problem myself. This may take me a few days as I have some urgent items I need to work on.
I have attempted to build gnochm and its dependencies. When I run it I get the error below. Can you help me resolve this problem?

Traceback (most recent call last):
    import gnome.ui
No problem - when you compile gnome-python, you need to make sure that it is compiling the gnome.ui module. You can check if it is installed by looking at (usually) /usr/lib/python2.2/site-packages/gnome/ui<something>.so. If I remember correctly (not using my Linux box now), after "configure", gnome-python prints a summary of the modules it will compile.
I have got gnochm starting up now. Can you give me exact instructions on reproducing the problem, i.e. what file do you open and what links do you follow?
I am now reproducing a crash with a .chm file supplied by the submitter.
Created attachment 26646 [details] [review]
New patch

Can you check whether this new patch solves the problem?
Ok, I tested this in the following environments:

libgtkhtml2 2.4.0, Redhat 8.0 -> Works fine
libgtkhtml2 2.5.6, Fedora Core 1 -> Works fine
libgtkhtml2 2.6.0, Fedora Core 1 -> Works fine

It looks like it's fixed! Thanks a lot!
Patch committed to CVS HEAD.
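The ownership problem this thread circles around, as an added illustration that is not code from gtkhtml2, libxml2 or the committed patch: a parser builds a tree, a document keeps using that tree after parsing, and both hold a raw pointer to it, so the parser's finalize (the reporter's xmlFreeDoc() call) frees something the document still needs. The structures, the tracking allocator, the field names and the functions html_parser_take_doc, html_parser_finalize and html_document_clear are assumptions made for this example; the only fact taken from the thread is that removing xmlFreeDoc() from html_parser_finalize() made the crash disappear while leaking memory.

```c
#include <stdint.h>
#include <stdlib.h>

/* Toy tracking allocator (assumption for this example, stands in for a
 * debug malloc): remembers every block it hands out so a second free of
 * the same block is reported instead of corrupting the heap. */
#define MAX_BLOCKS 64
static uintptr_t blocks[MAX_BLOCKS];
static int       block_freed[MAX_BLOCKS];
static int       n_blocks;

static void tracked_reset(void) { n_blocks = 0; }

static void *tracked_alloc(size_t n)
{
    void *p = calloc(1, n);
    if (p && n_blocks < MAX_BLOCKS) {
        blocks[n_blocks] = (uintptr_t)p;
        block_freed[n_blocks] = 0;
        n_blocks++;
    }
    return p;
}

/* 0 on a valid free, -1 on a double free or an unknown pointer.  The
 * lookup compares integer values, so a stale pointer is never
 * dereferenced. */
static int tracked_free(void *p)
{
    uintptr_t key = (uintptr_t)p;
    for (int i = 0; i < n_blocks; i++) {
        if (blocks[i] == key) {
            if (block_freed[i]) return -1;
            block_freed[i] = 1;
            free(p);
            return 0;
        }
    }
    return -1;
}

/* Blocks still outstanding; non-zero means a leak. */
static int tracked_live(void)
{
    int live = 0;
    for (int i = 0; i < n_blocks; i++) live += !block_freed[i];
    return live;
}

/* Minimal stand-ins (assumed layouts) for libxml2's xmlDoc and for the
 * parser and document objects named in the thread. */
typedef struct { char root_name[16]; } XmlDoc;
typedef struct { XmlDoc *doc; } HtmlParser;
typedef struct { XmlDoc *dom_document; } HtmlDocument;

/* Pattern A, the failure mode: the tree is aliased.  The document copies
 * the parser's pointer, the parser still believes it owns the tree, and
 * both free it.  Returns -1 when the second free is caught. */
static int run_aliased_ownership(void)
{
    HtmlParser parser = { 0 };
    HtmlDocument document = { 0 };
    tracked_reset();
    parser.doc = tracked_alloc(sizeof(XmlDoc));
    if (!parser.doc) return -1;
    document.dom_document = parser.doc;                 /* no transfer */
    int parser_free = tracked_free(parser.doc);         /* finalize: xmlFreeDoc() */
    int document_free = tracked_free(document.dom_document); /* clear: xmlFreeDoc() again */
    return (parser_free == 0 && document_free == 0) ? 0 : -1;
}

/* Pattern B, explicit transfer: taking the tree clears the parser's
 * pointer, so finalize frees only what the parser still owns and the
 * document frees its tree exactly once, on clear or on reopen. */
static XmlDoc *html_parser_take_doc(HtmlParser *p)
{
    XmlDoc *d = p->doc;
    p->doc = NULL;
    return d;
}

static int html_parser_finalize(HtmlParser *p)
{
    int r = p->doc ? tracked_free(p->doc) : 0;
    p->doc = NULL;
    return r;
}

static int html_document_clear(HtmlDocument *d)
{
    int r = d->dom_document ? tracked_free(d->dom_document) : 0;
    d->dom_document = NULL;
    return r;
}

/* Returns 0 when every free succeeded and nothing is left live. */
static int run_transferred_ownership(void)
{
    HtmlParser parser = { 0 };
    HtmlDocument document = { 0 };
    tracked_reset();
    parser.doc = tracked_alloc(sizeof(XmlDoc));
    if (!parser.doc) return -1;
    document.dom_document = html_parser_take_doc(&parser);
    if (html_parser_finalize(&parser) != 0) return -1;   /* nothing left to free */
    if (html_document_clear(&document) != 0) return -1;  /* the one real free */
    if (html_document_clear(&document) != 0) return -1;  /* repeat clear is a no-op */
    return tracked_live();
}
```

The two runs show why the reporter's workaround (dropping xmlFreeDoc() from the parser) traded a crash for a leak: with aliased ownership, either the parser or the document must stop freeing, and whichever stops leaks the tree unless the other is guaranteed to run. Clearing the pointer at the moment ownership moves is what makes both finalizers safe to call in any order. When chasing the real thing under gdb, GLib's G_DEBUG=fatal-warnings turns a warning such as the "invalid uninstantiatable type" message seen above into an abort at the point of the dangling cast rather than at the later crash.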