Bug 322344 – crash when saving a file with accessibility enabled

After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.

Bug 322344 - crash when saving a file with accessibility enabled


Summary:	crash when saving a file with accessibility enabled


Status:	RESOLVED DUPLICATE of bug 322299

Product:	libgnomeui
Classification:	Deprecated
Component:	file-chooser
Version:	2.12.x
Hardware:	Other Linux

Importance:	Normal normal
Target Milestone:	future
Assigned To:	Federico Mena Quintero
QA Contact:	gedit QA volunteers

URL:
Whiteboard:

Depends on:
Blocks:

Reported:	2005-11-24 16:14 UTC by Frederic Crozat
Modified:	2005-11-28 14:36 UTC

See Also:
GNOME target:	---
GNOME version:	2.11/2.12

Description Frederic Crozat 2005-11-24 16:14:14 UTC

Distribution/Version: Mandriva Linux cooker

While testing dogtail with gedit, I encountered a reproducible crash which
occurs just after Dogtail activate the Save button on the file-selector dialog.
This only happens when using gnome-vfs file chooser backend (and with
accessibility enabled).

It might be a bug in gnome-vfs file chooser backend, I'm not 100% sure.

Stacktrace :
Program received signal SIGSEGV, Segmentation fault.

+ Trace 64234

Thread NaN (LWP 7681)

#0 IA__gtk_file_filter_get_needed
at ../../gtk/gtkfilefilter.c line 373
#1 get_is_file_filtered
at ../../gtk/gtkfilechooserdefault.c line 4731
#2 list_model_filter_func
at ../../gtk/gtkfilechooserdefault.c line 4834
#3 file_model_node_is_visible
at ../../gtk/gtkfilesystemmodel.c line 1310
#4 do_files_added
at ../../gtk/gtkfilesystemmodel.c line 1597
#5 IA__g_cclosure_marshal_VOID__POINTER
at gmarshal.c line 601
#6 IA__g_closure_invoke
at gclosure.c line 492
#7 signal_emit_unlocked_R
at gsignal.c line 2485
#8 IA__g_signal_emit_valist
at gsignal.c line 2244
#9 IA__g_signal_emit_by_name
at gsignal.c line 2312
#10 monitor_callback
at gtkfilesystemgnomevfs.c line 2994
#11 actually_dispatch_callback
at gnome-vfs-monitor.c line 270
#12 g_idle_dispatch
at gmain.c line 3817
#13 IA__g_main_context_dispatch
at gmain.c line 1934
#14 g_main_context_iterate
at gmain.c line 2565
#15 IA__g_main_loop_run
at gmain.c line 2769
#16 IA__gtk_main
at ../../gtk/gtkmain.c line 985
#17 main
at gedit2.c line 435


It seems gnome-vfs monitor is activated after file has been saved (UTF8Demo.txt)
and is trying to update file chooser model (also the file chooser has already
been destroyed).

I'm seeing this problem with gail 1.8.6 or 1.8.7 and all the stack being GNOME
2.12 branch.

Comment 1 Federico Mena Quintero 2005-11-24 16:21:52 UTC

Uh oh.  Are we not disconnecting that notification properly?

Can you print the reference counts of the objects involved in the first few
frames of the stack trace?  That is, those for "filter", "impl", "model"?

Comment 2 Frederic Crozat 2005-11-24 16:26:48 UTC

print *model :
{parent_instance = {g_type_instance = {g_class = 0x810e848},
    ref_count = 2, qdata = 0x0}, priv = 0x80e9258}

(gdb) print *impl
$3 = {parent_instance = {box = {container = {widget = {object = {
            parent_instance = {g_type_instance = {g_class = 0x3c746964},
              ref_count = 1869760303, qdata = 0xa3e7075}, flags = 538976288},
          private_flags = 12092, state = 71 'G', saved_state = 114 'r',
          name = 0x7370756f <Address 0x7370756f out of bounds>,
          style = 0x20200a3e, requisition = {width = 1699884860,
            height = 1953391971}, allocation = {x = 1835365449, y = 538970686,
            width = 1667584572, height = 1232367205}, window = 0x3e6d6574,
          parent = 0x2020200a}, focus_child = 0x52553c20,
        border_width = 15945, need_resize = 0, resize_mode = 3,
        reallocate_redraws = 0, has_focus_chain = 0}, children = 0x2f3a656c,
      spacing = 12079, homogeneous = 0}}, action = 1630496109,
  file_system = 0x7365442f, save_widgets = 0x706f746b,
  save_file_name_entry = 0x4654552f, save_folder_label = 0x6d656438,
  save_folder_combo = 0x78742e6f, save_expander = 0x2f3c3574,
  browse_widgets = 0x3e495255, browse_shortcuts_tree_view = 0x2020200a,
  browse_shortcuts_add_button = 0x694d3c20,
  browse_shortcuts_remove_button = 0x542d656d,
  browse_shortcuts_popup_menu = 0x3e657079,
  browse_shortcuts_popup_menu_remove_item = 0x74786574,
  browse_shortcuts_popup_menu_rename_item = 0x616c702f,
  browse_files_tree_view = 0x2f3c6e69, browse_files_popup_menu = 0x656d694d,
  browse_files_popup_menu_add_shortcut_item = 0x7079542d,
  browse_files_popup_menu_hidden_files_item = 0x200a3e65,
  browse_new_folder_button = 0x3c202020, browse_path_bar = 0x656d6954,
  browse_files_model = 0x6d617473, filter_combo_hbox = 0x31313e70,
  filter_combo = 0x33383233, preview_box = 0x32373837,
  preview_label = 0x69542f3c, preview_widget = 0x7473656d,
  extra_align = 0x3e706d61, extra_widget = 0x2020200a,
  shortcuts_model = 0x72473c20, shortcuts_filter_model = 0x7370756f,
  sort_model = 0x20200a3e, load_state = 538976288, reload_state = 1869760316,
  load_timeout_id = 1732145269, pending_select_paths = 0x74696465,
  current_filter = 0x72472f3c, filters = 0x3e70756f, tooltips = 0x2020200a,
  has_home = 1194277920, has_desktop = 1886744434, num_volumes = 537542259,
  num_shortcuts = 1378827296, num_bookmarks = 1852138341,
  volumes_changed_id = 1702119796, bookmarks_changed_id = 537542253,
  current_volume_path = 0x65523c20, current_folder = 0x746e6563,
  preview_path = 0x6d657449,
  preview_display_name = 0xa3e <Address 0xa3e out of bounds>,
  list_name_column = 0x89fb888, list_name_renderer = 0x89fb9f0,
  edited_idle = 0x0, edited_new_text = 0x0, settings_signal_id = 0,
  icon_size = 17, toplevel_set_focus_id = 3068852408,
  toplevel_last_focus_widget = 0x0, local_only = 0, preview_widget_active = 0,
  use_preview_label = 0, select_multiple = 0, show_hidden = 1,
  do_overwrite_confirmation = 0, list_sort_ascending = 0, changing_folder = 0,
  shortcuts_current_folder_active = 0}

(gdb) print * (impl->current_filter)
Cannot access memory at address 0x72472f3c

Reassigning to libgnomeui file chooser backend, based on paolo feedback

Comment 3 Federico Mena Quintero 2005-11-24 16:40:47 UTC

impl->ref_count is totally fubared.  This almost certainly indicates that the
impl was freed already.

Why is the model->ref_count = 2?  Is that just garbage because that memory got
reused, or is it something else?

Could you hunt down who holds references to the GtkFileSystemModel when the impl
is already destroyed?

Are we leaking the model, or are we just spinning the main loop in the middle of
getting destroyed - which would cause the notification from GnomeVFS to come in?

Comment 4 Frederic Crozat 2005-11-24 19:10:02 UTC

Confirmed, gtkfilechooserdefault is finalized first and idle handler for
gnome-vfs backend is called after that.

It seems the problematic GtkFileSystemModel reference is hold by the
GtkTreeModelSort sort_model in gtkfilechooserdefault : after
gtk_file_chooser_default_finalize, sort_model refcount is still up to 158 (it
was decremented correctly by one during gtk_file_chooser_default_finalize).

Comment 5 Frederic Crozat 2005-11-28 14:36:23 UTC

ok, this bug was caused by latest version of gail and it fixed in CVS.

marking as duplicate.

*** This bug has been marked as a duplicate of 322299 ***