Bug 242867 - crash using period ('.') to move through unread mail
Status: RESOLVED FIXED
Product: GtkHtml
Classification: Other
Component: Rendering
unspecified
Other All
: Normal blocker
: 1.5
Assigned To: yuedong du
Evolution QA team
: 242874 243694 245327 247369 247370 250574 251032 251076 251121 251257 251269 251272 251342 251379 251390 251475 251481 251631 251744 252133 252175 252201 252335 252412 252414 252559 253611 253778 254781 255271 255275 255291 255383 255641 255865 256742 257314 257499 257789 258883 259298 260566 261123 261124 261460 261497 261499 261658 261829 261863 261908 263700 263933 264320 264539 265848 265880 266084 266208 274222 306969 307592 307593 308201 (view as bug list)
Depends on:
Blocks: 244862
 
 
Reported: 2003-05-13 03:40 UTC by Rodd Clarkson
Modified: 2005-06-21 18:30 UTC
See Also:
GNOME target: ---
GNOME version: ---



Description Rodd Clarkson 2003-05-13 03:40:35 UTC
Package: Evolution
Priority: Normal
Version: GNOME2.3.1 1.3.3
Synopsis: crash using period ('.') to move through unread mail
Bugzilla-Product: Evolution
Bugzilla-Component: Mailer
BugBuddy-GnomeVersion: 2.0 (2.3.0)
Description:
Description of Problem:

evolution crashed while using period ('.') to move through unread mail
in folder.

I do this all the time and this is the only time it's happened.


Debugging Information:

Backtrace was generated from '/home/rodd/gnome-2.3.1/bin/evolution-1.3'

[New Thread 1091732000 (LWP 10381)]
[New Thread 1142127920 (LWP 10389)]
[New Thread 1133735216 (LWP 10387)]
[New Thread 1125342512 (LWP 10386)]
[New Thread 1116949808 (LWP 10385)]
[New Thread 1106287920 (LWP 10384)]
0xffffe002 in ?? ()

Thread 1 (Thread 1091732000 (LWP 10381))

  • #0 ??
  • #1 libgnomeui_segv_handle
    at gnome-ui-init.c line 646
  • #2 segv_redirect
    at main.c line 486
  • #3 segv_redirect
    at component-factory.c line 1626
  • #4 <signal handler called>
  • #5 gtk_widget_get_accessible
    at gtkwidget.c line 6793
  • #6 create_accessible
    at utils.c line 70
  • #7 html_utils_get_accessible
    at utils.c line 95
  • #8 gtk_html_a11y_ref_child
    at object.c line 118
  • #9 atk_object_ref_accessible_child
    at atkobject.c line 519
  • #10 spi_atk_bridge_signal_listener
    at bridge.c line 856
  • #11 signal_emit_unlocked_R
    at gsignal.c line 2788
  • #12 g_signal_emit_valist
    at gsignal.c line 2554
  • #13 g_signal_emit_by_name
    at gsignal.c line 2649
  • #14 gail_container_real_remove_gtk
    at gailcontainer.c line 239
  • #15 gail_container_remove_gtk
    at gailcontainer.c line 192
  • #16 g_cclosure_marshal_VOID__OBJECT
    at gmarshal.c line 636
  • #17 g_closure_invoke
    at gclosure.c line 437
  • #18 signal_emit_unlocked_R
    at gsignal.c line 2822
  • #20 g_signal_emit
    at gsignal.c line 2612
  • #21 gtk_container_remove
    at gtkcontainer.c line 983
  • #22 destroy
    at htmlembedded.c line 113
  • #23 html_object_destroy
    at htmlobject.c line 834
  • #24 destroy
    at htmlclue.c line 50
  • #25 destroy
    at htmlclueflow.c line 108
  • #26 html_object_destroy
    at htmlobject.c line 834
  • #27 destroy
    at htmlclue.c line 50
  • #28 html_object_destroy
    at htmlobject.c line 834
  • #29 destroy
    at htmltable.c line 93
  • #30 html_object_destroy
    at htmlobject.c line 834
  • #31 destroy
    at htmlclue.c line 50
  • #32 destroy
    at htmlclueflow.c line 108
  • #33 html_object_destroy
    at htmlobject.c line 834
  • #34 destroy
    at htmlclue.c line 50
  • #35 html_object_destroy
    at htmlobject.c line 834
  • #36 html_engine_parse
    at htmlengine.c line 4431
  • #37 gtk_html_begin_content
    at gtkhtml.c line 3073
  • #38 gtk_html_begin
    at gtkhtml.c line 3049
  • #39 mail_display_render
    at mail-display.c line 1817
  • #40 mail_display_redisplay
    at mail-display.c line 1941
  • #41 mail_display_set_message
    at mail-display.c line 1993
  • #42 done_message_selected
    at folder-browser.c line 2424
  • #43 get_message_got
    at mail-ops.c line 1658
  • #44 mail_msgport_replied
    at mail-mt.c line 394
  • #45 g_io_unix_dispatch
    at giounix.c line 159
  • #46 g_main_dispatch
    at gmain.c line 1653
  • #47 g_main_context_dispatch
    at gmain.c line 2197
  • #48 g_main_context_iterate
    at gmain.c line 2278
  • #49 g_main_loop_run
    at gmain.c line 2498
  • #50 bonobo_main
    at bonobo-main.c line 292
  • #51 main
    at main.c line 627
  • #52 __libc_start_main
    from /lib/tls/libc.so.6
  • #0 ??



Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.

Comment 1 Gerardo Marin 2003-05-13 23:19:39 UTC
*** bug 242874 has been marked as a duplicate of this bug. ***
Comment 2 Radek Doulik 2003-05-15 19:35:05 UTC
do you use gnome accessibility tools?
Comment 3 Rodd Clarkson 2003-05-16 00:26:33 UTC
This is an interesting question.  Here's what I can tell you.


I'm running garnome-0.24.2. I've compiled metaballs gnome-desktop and
gnome-accessibility, along with a few other applications.

I've only recently turned on accessibility in gnome using
gconf-editor.  I'm not sure if this action predates this bug report or
not.  I'm guessing that I flicked the switch about three days ago, but
I didn't restart gnome straight away, so it may or may not have taken
effect the same day.  (I don't need the a11y stuff, I'm just interested.)

Hope this helps ;-]
Comment 4 Radek Doulik 2003-05-19 17:23:19 UTC
accessibility is not yet fully supported => rescheduling
Comment 5 Gerardo Marin 2003-05-27 16:24:09 UTC
*** bug 243694 has been marked as a duplicate of this bug. ***
Comment 6 Rodd Clarkson 2003-05-27 23:39:52 UTC
Radek, with gnome-2.4 looking like it will have accessibility included
will this be addressed before it's released?

Comment 7 Radek Doulik 2003-05-28 08:53:12 UTC
I cannot say anything yet for sure, it has to be decided for next
major version of evolution.
Comment 8 Gerardo Marin 2003-06-25 16:01:21 UTC
*** bug 245327 has been marked as a duplicate of this bug. ***
Comment 9 Gerardo Marin 2003-08-05 15:34:18 UTC
*** bug 247369 has been marked as a duplicate of this bug. ***
Comment 10 Gerardo Marin 2003-08-05 15:35:37 UTC
*** bug 247370 has been marked as a duplicate of this bug. ***
Comment 11 Rodd Clarkson 2003-08-06 00:05:17 UTC
I should let you know that this bug (or what I presume was this bug)
is causing evolution to crash 20 or 30 times a day.  While I can just
restart and move on it's very, very annoying.

I recently posted bug reports 47369, and 47370 to see if the problem
was the same as the report I had initially filed as I had changed
enough that I thought it worth being sure.

Since filing the report I've upgraded my version of garnome to 0.25.1
and I've used both the version of evolution that came with garnome
(1.4.3) and the current version (1.4.4).

Given the frequency of the crashes I would propose that the priority
of this bug be elevated.  Or I could just start filing a bug report
for each crash to make you realize how annoying this is. ;-]
Comment 12 Larry Ewing 2003-08-06 15:08:04 UTC
perhaps we should have one of the people looking into a11y look into this
problem.  I don't know anything about this part of the code.
Comment 13 Gerardo Marin 2003-11-05 21:28:14 UTC
*** bug 250574 has been marked as a duplicate of this bug. ***
Comment 14 Gerardo Marin 2003-11-17 18:58:44 UTC
*** bug 251032 has been marked as a duplicate of this bug. ***
Comment 15 Gerardo Marin 2003-11-17 19:00:30 UTC
*** bug 251076 has been marked as a duplicate of this bug. ***
Comment 16 Gerardo Marin 2003-11-18 20:51:47 UTC
*** bug 251121 has been marked as a duplicate of this bug. ***
Comment 17 Gerardo Marin 2003-11-27 20:09:03 UTC
*** bug 251257 has been marked as a duplicate of this bug. ***
Comment 18 Gerardo Marin 2003-11-27 20:13:09 UTC
*** bug 251269 has been marked as a duplicate of this bug. ***
Comment 19 Gerardo Marin 2003-11-27 20:13:24 UTC
*** bug 251272 has been marked as a duplicate of this bug. ***
Comment 20 Gerardo Marin 2003-11-27 20:14:42 UTC
*** bug 251342 has been marked as a duplicate of this bug. ***
Comment 21 Gerardo Marin 2003-11-27 20:15:25 UTC
*** bug 251379 has been marked as a duplicate of this bug. ***
Comment 22 Gerardo Marin 2003-11-27 20:15:53 UTC
*** bug 251390 has been marked as a duplicate of this bug. ***
Comment 23 Gerardo Marin 2003-11-28 21:40:06 UTC
*** bug 251475 has been marked as a duplicate of this bug. ***
Comment 24 Gerardo Marin 2003-11-28 21:40:24 UTC
*** bug 251481 has been marked as a duplicate of this bug. ***
Comment 25 Gerardo Marin 2003-12-03 18:22:04 UTC
*** bug 251631 has been marked as a duplicate of this bug. ***
Comment 26 Gerardo Marin 2003-12-06 00:46:17 UTC
*** bug 251744 has been marked as a duplicate of this bug. ***
Comment 27 Gerardo Marin 2003-12-06 00:47:51 UTC
Marking as 1.5.1 since a11y is part of 1.5
Comment 28 Larry Ewing 2003-12-07 00:01:47 UTC
this definitely looks like an a11y bug adding york to the CC.

York do you have any idea what might be going wrong here?
Comment 29 yuedong du 2003-12-10 09:06:58 UTC
The bug is already fixed in trunk. In a11y/utils.c, some sanity check
code is added to avoid the crash. According to our previous agreement, the
a11y code is not merged into 1.4.

Some bugs in the duplication list may not be duplicates. For the other
ones that are surely duplicates, they are all in 1.4. You can find
this by looking at the stack trace, and will find "..1.4/components/..".

Actually I cannot reproduce it in my trunk build.
I think the bug can be closed.


-York
Comment 30 Gerardo Marin 2003-12-10 22:11:44 UTC
Closing as per last comment.
Thanks a lot!
Comment 31 Gerardo Marin 2003-12-15 22:55:14 UTC
*** bug 252133 has been marked as a duplicate of this bug. ***
Comment 32 Gerardo Marin 2003-12-15 22:55:45 UTC
*** bug 252175 has been marked as a duplicate of this bug. ***
Comment 33 Gerardo Marin 2003-12-15 22:55:55 UTC
*** bug 252201 has been marked as a duplicate of this bug. ***
Comment 34 Gerardo Marin 2003-12-18 21:00:21 UTC
*** bug 252335 has been marked as a duplicate of this bug. ***
Comment 35 Gerardo Marin 2003-12-23 19:52:18 UTC
*** bug 252412 has been marked as a duplicate of this bug. ***
Comment 36 Gerardo Marin 2003-12-23 19:55:59 UTC
*** bug 252414 has been marked as a duplicate of this bug. ***
Comment 37 Gerardo Marin 2004-02-02 04:54:02 UTC
*** bug 253611 has been marked as a duplicate of this bug. ***
Comment 38 Gerardo Marin 2004-02-04 03:55:37 UTC
*** bug 253778 has been marked as a duplicate of this bug. ***
Comment 39 Gerardo Marin 2004-02-04 03:56:29 UTC
*** bug 252559 has been marked as a duplicate of this bug. ***
Comment 40 Gerardo Marin 2004-02-24 00:35:55 UTC
*** bug 254781 has been marked as a duplicate of this bug. ***
Comment 41 Gerardo Marin 2004-03-08 22:39:03 UTC
*** bug 255271 has been marked as a duplicate of this bug. ***
Comment 42 Gerardo Marin 2004-03-08 22:40:04 UTC
*** bug 255275 has been marked as a duplicate of this bug. ***
Comment 43 Gerardo Marin 2004-03-08 22:40:17 UTC
*** bug 255291 has been marked as a duplicate of this bug. ***
Comment 44 Gerardo Marin 2004-03-10 20:00:15 UTC
*** bug 255383 has been marked as a duplicate of this bug. ***
Comment 45 Gerardo Marin 2004-03-16 20:42:02 UTC
*** bug 255641 has been marked as a duplicate of this bug. ***
Comment 46 Gerardo Marin 2004-03-22 23:10:30 UTC
*** bug 255865 has been marked as a duplicate of this bug. ***
Comment 47 Andrew Sobala 2004-03-22 23:46:12 UTC
So considering I got this with 1.5.5, we are not very happy bunnies.
Am I correct?
Comment 48 Gerardo Marin 2004-03-30 21:42:24 UTC
Crashes still happen.
Comment 49 Gerardo Marin 2004-04-11 20:59:30 UTC
*** bug 256742 has been marked as a duplicate of this bug. ***
Comment 50 Gerardo Marin 2004-04-22 03:51:17 UTC
*** bug 257314 has been marked as a duplicate of this bug. ***
Comment 51 Gerardo Marin 2004-04-24 19:49:56 UTC
*** bug 257499 has been marked as a duplicate of this bug. ***
Comment 52 Gerardo Marin 2004-04-28 22:18:23 UTC
*** bug 257789 has been marked as a duplicate of this bug. ***
Comment 53 Radek Doulik 2004-05-11 08:50:10 UTC
looks like there's still something wrong.

today's valgrind output:

==3245==
==3245== Invalid read of size 4
==3245==    at 0x3D4B601F: g_datalist_id_get_data (gdataset.c:461)
==3245==    by 0x3C40AA74: html_object_get_data_nocp (htmlobject.c:1596)
==3245==    by 0x3C436920: html_utils_get_accessible (utils.c:102)
==3245==    by 0x3C432FF3: gtk_html_a11y_ref_child (object.c:119)
==3245==    by 0x3D3D61EA: atk_object_ref_accessible_child (atkobject.c:607)
==3245==    by 0x3DCDAA80: spi_atk_bridge_signal_listener (bridge.c:908)
==3245==    by 0x3D47A752: signal_emit_unlocked_R (gsignal.c:2402)
==3245==    by 0x3D47BAC1: g_signal_emit_valist (gsignal.c:2195)
==3245==    by 0x3D47BCC2: g_signal_emit_by_name (gsignal.c:2263)
==3245==    by 0x3DD1F3D7: gail_container_real_remove_gtk (gailcontainer.c:248)
==3245==    by 0x3DD1F18B: gail_container_remove_gtk (gailcontainer.c:192)
==3245==    by 0x3D4777BA: g_cclosure_marshal_VOID__OBJECT (gmarshal.c:636)
==3245==  Address 0x3F159AF8 is 64 bytes inside a block of size 116 free'd
==3245==    at 0x3C01C851: free (vg_replace_malloc.c:127)
==3245==    by 0x3D4CB2A1: g_free (gmem.c:186)
==3245==    by 0x3C407D0A: destroy (htmlobject.c:74)
==3245==    by 0x3C3CC55B: destroy (htmlclue.c:56)
==3245==    by 0x3C3CE617: destroy (htmlclueflow.c:107)
==3245==    by 0x3C40924A: html_object_destroy (htmlobject.c:834)
==3245==    by 0x3C3CC52B: destroy (htmlclue.c:51)
==3245==    by 0x3C40924A: html_object_destroy (htmlobject.c:834)
==3245==    by 0x3C3F8BBD: html_engine_parse (htmlengine.c:4879)
==3245==    by 0x3C3C2C30: gtk_html_begin_full (gtkhtml.c:3332)
==3245==    by 0x3E10DDC6: emhs_sync_write (em-html-stream.c:112)
==3245==    by 0x3E10C246: emcs_gui_received (em-sync-stream.c:142)
==3245==
==3245== Invalid read of size 4
==3245==    at 0x3C436759: create_accessible (utils.c:40)
==3245==    by 0x3C43693A: html_utils_get_accessible (utils.c:105)
==3245==    by 0x3C432FF3: gtk_html_a11y_ref_child (object.c:119)
==3245==    by 0x3D3D61EA: atk_object_ref_accessible_child (atkobject.c:607)
==3245==    by 0x3DCDAA80: spi_atk_bridge_signal_listener (bridge.c:908)
==3245==    by 0x3D47A752: signal_emit_unlocked_R (gsignal.c:2402)
==3245==    by 0x3D47BAC1: g_signal_emit_valist (gsignal.c:2195)
==3245==    by 0x3D47BCC2: g_signal_emit_by_name (gsignal.c:2263)
==3245==    by 0x3DD1F3D7: gail_container_real_remove_gtk (gailcontainer.c:248)
==3245==    by 0x3DD1F18B: gail_container_remove_gtk (gailcontainer.c:192)
==3245==    by 0x3D4777BA: g_cclosure_marshal_VOID__OBJECT (gmarshal.c:636)
==3245==    by 0x3D46BA9B: g_closure_invoke (gclosure.c:437)
==3245==  Address 0x3F159AB8 is 0 bytes inside a block of size 116 free'd
==3245==    at 0x3C01C851: free (vg_replace_malloc.c:127)
==3245==    by 0x3D4CB2A1: g_free (gmem.c:186)
==3245==    by 0x3C407D0A: destroy (htmlobject.c:74)
==3245==    by 0x3C3CC55B: destroy (htmlclue.c:56)
==3245==    by 0x3C3CE617: destroy (htmlclueflow.c:107)
==3245==    by 0x3C40924A: html_object_destroy (htmlobject.c:834)
==3245==    by 0x3C3CC52B: destroy (htmlclue.c:51)
==3245==    by 0x3C40924A: html_object_destroy (htmlobject.c:834)
==3245==    by 0x3C3F8BBD: html_engine_parse (htmlengine.c:4879)
==3245==    by 0x3C3C2C30: gtk_html_begin_full (gtkhtml.c:3332)
==3245==    by 0x3E10DDC6: emhs_sync_write (em-html-stream.c:112)
==3245==    by 0x3E10C246: emcs_gui_received (em-sync-stream.c:142)
==3245==
==3245== Invalid read of size 4
==3245==    at 0x3C4335C2: html_a11y_paragraph_new (paragraph.c:94)
==3245==    by 0x3C436788: create_accessible (utils.c:42)
==3245==    by 0x3C43693A: html_utils_get_accessible (utils.c:105)
==3245==    by 0x3C432FF3: gtk_html_a11y_ref_child (object.c:119)
==3245==    by 0x3D3D61EA: atk_object_ref_accessible_child (atkobject.c:607)
==3245==    by 0x3DCDAA80: spi_atk_bridge_signal_listener (bridge.c:908)
==3245==    by 0x3D47A752: signal_emit_unlocked_R (gsignal.c:2402)
==3245==    by 0x3D47BAC1: g_signal_emit_valist (gsignal.c:2195)
==3245==    by 0x3D47BCC2: g_signal_emit_by_name (gsignal.c:2263)
==3245==    by 0x3DD1F3D7: gail_container_real_remove_gtk (gailcontainer.c:248)
==3245==    by 0x3DD1F18B: gail_container_remove_gtk (gailcontainer.c:192)
==3245==    by 0x3D4777BA: g_cclosure_marshal_VOID__OBJECT (gmarshal.c:636)
==3245==  Address 0x3F159AB8 is 0 bytes inside a block of size 116 free'd
==3245==    at 0x3C01C851: free (vg_replace_malloc.c:127)
==3245==    by 0x3D4CB2A1: g_free (gmem.c:186)
==3245==    by 0x3C407D0A: destroy (htmlobject.c:74)
==3245==    by 0x3C3CC55B: destroy (htmlclue.c:56)
==3245==    by 0x3C3CE617: destroy (htmlclueflow.c:107)
==3245==    by 0x3C40924A: html_object_destroy (htmlobject.c:834)
==3245==    by 0x3C3CC52B: destroy (htmlclue.c:51)
==3245==    by 0x3C40924A: html_object_destroy (htmlobject.c:834)
==3245==    by 0x3C3F8BBD: html_engine_parse (htmlengine.c:4879)
==3245==    by 0x3C3C2C30: gtk_html_begin_full (gtkhtml.c:3332)
==3245==    by 0x3E10DDC6: emhs_sync_write (em-html-stream.c:112)
==3245==    by 0x3E10C246: emcs_gui_received (em-sync-stream.c:142)
==3245==
==3245== Invalid read of size 4
==3245==    at 0x3C4335CA: html_a11y_paragraph_new (paragraph.c:94)
==3245==    by 0x3C436788: create_accessible (utils.c:42)
==3245==    by 0x3C43693A: html_utils_get_accessible (utils.c:105)
==3245==    by 0x3C432FF3: gtk_html_a11y_ref_child (object.c:119)
==3245==    by 0x3D3D61EA: atk_object_ref_accessible_child (atkobject.c:607)
==3245==    by 0x3DCDAA80: spi_atk_bridge_signal_listener (bridge.c:908)
==3245==    by 0x3D47A752: signal_emit_unlocked_R (gsignal.c:2402)
==3245==    by 0x3D47BAC1: g_signal_emit_valist (gsignal.c:2195)
==3245==    by 0x3D47BCC2: g_signal_emit_by_name (gsignal.c:2263)
==3245==    by 0x3DD1F3D7: gail_container_real_remove_gtk (gailcontainer.c:248)
==3245==    by 0x3DD1F18B: gail_container_remove_gtk (gailcontainer.c:192)
==3245==    by 0x3D4777BA: g_cclosure_marshal_VOID__OBJECT (gmarshal.c:636)
==3245==  Address 0x3F159AB8 is 0 bytes inside a block of size 116 free'd
==3245==    at 0x3C01C851: free (vg_replace_malloc.c:127)
==3245==    by 0x3D4CB2A1: g_free (gmem.c:186)
==3245==    by 0x3C407D0A: destroy (htmlobject.c:74)
==3245==    by 0x3C3CC55B: destroy (htmlclue.c:56)
==3245==    by 0x3C3CE617: destroy (htmlclueflow.c:107)
==3245==    by 0x3C40924A: html_object_destroy (htmlobject.c:834)
==3245==    by 0x3C3CC52B: destroy (htmlclue.c:51)
==3245==    by 0x3C40924A: html_object_destroy (htmlobject.c:834)
==3245==    by 0x3C3F8BBD: html_engine_parse (htmlengine.c:4879)
==3245==    by 0x3C3C2C30: gtk_html_begin_full (gtkhtml.c:3332)
==3245==    by 0x3E10DDC6: emhs_sync_write (em-html-stream.c:112)
==3245==    by 0x3E10C246: emcs_gui_received (em-sync-stream.c:142)
==3245==
==3245== Invalid read of size 4
==3245==    at 0x3D4B6A7D: g_data_set_internal (gdataset.c:212)
==3245==    by 0x3D4B7278: g_datalist_id_set_data_full (gdataset.c:380)
==3245==    by 0x3C40AA3B: html_object_set_data_full_nocp (htmlobject.c:1590)
==3245==    by 0x3C43696D: html_utils_get_accessible (utils.c:108)
==3245==    by 0x3C432FF3: gtk_html_a11y_ref_child (object.c:119)
==3245==    by 0x3D3D61EA: atk_object_ref_accessible_child (atkobject.c:607)
==3245==    by 0x3DCDAA80: spi_atk_bridge_signal_listener (bridge.c:908)
==3245==    by 0x3D47A752: signal_emit_unlocked_R (gsignal.c:2402)
==3245==    by 0x3D47BAC1: g_signal_emit_valist (gsignal.c:2195)
==3245==    by 0x3D47BCC2: g_signal_emit_by_name (gsignal.c:2263)
==3245==    by 0x3DD1F3D7: gail_container_real_remove_gtk (gailcontainer.c:248)
==3245==    by 0x3DD1F18B: gail_container_remove_gtk (gailcontainer.c:192)
==3245==  Address 0x3F159AF8 is 64 bytes inside a block of size 116 free'd
==3245==    at 0x3C01C851: free (vg_replace_malloc.c:127)
==3245==    by 0x3D4CB2A1: g_free (gmem.c:186)
==3245==    by 0x3C407D0A: destroy (htmlobject.c:74)
==3245==    by 0x3C3CC55B: destroy (htmlclue.c:56)
==3245==    by 0x3C3CE617: destroy (htmlclueflow.c:107)
==3245==    by 0x3C40924A: html_object_destroy (htmlobject.c:834)
==3245==    by 0x3C3CC52B: destroy (htmlclue.c:51)
==3245==    by 0x3C40924A: html_object_destroy (htmlobject.c:834)
==3245==    by 0x3C3F8BBD: html_engine_parse (htmlengine.c:4879)
==3245==    by 0x3C3C2C30: gtk_html_begin_full (gtkhtml.c:3332)
==3245==    by 0x3E10DDC6: emhs_sync_write (em-html-stream.c:112)
==3245==    by 0x3E10C246: emcs_gui_received (em-sync-stream.c:142)
==3245==
==3245== Invalid read of size 4
==3245==    at 0x3D4B6ABD: g_data_set_internal (gdataset.c:311)
==3245==    by 0x3D4B7278: g_datalist_id_set_data_full (gdataset.c:380)
==3245==    by 0x3C40AA3B: html_object_set_data_full_nocp (htmlobject.c:1590)
==3245==    by 0x3C43696D: html_utils_get_accessible (utils.c:108)
==3245==    by 0x3C432FF3: gtk_html_a11y_ref_child (object.c:119)
==3245==    by 0x3D3D61EA: atk_object_ref_accessible_child (atkobject.c:607)
==3245==    by 0x3DCDAA80: spi_atk_bridge_signal_listener (bridge.c:908)
==3245==    by 0x3D47A752: signal_emit_unlocked_R (gsignal.c:2402)
==3245==    by 0x3D47BAC1: g_signal_emit_valist (gsignal.c:2195)
==3245==    by 0x3D47BCC2: g_signal_emit_by_name (gsignal.c:2263)
==3245==    by 0x3DD1F3D7: gail_container_real_remove_gtk (gailcontainer.c:248)
==3245==    by 0x3DD1F18B: gail_container_remove_gtk (gailcontainer.c:192)
==3245==  Address 0x3F159AF8 is 64 bytes inside a block of size 116 free'd
==3245==    at 0x3C01C851: free (vg_replace_malloc.c:127)
==3245==    by 0x3D4CB2A1: g_free (gmem.c:186)
==3245==    by 0x3C407D0A: destroy (htmlobject.c:74)
==3245==    by 0x3C3CC55B: destroy (htmlclue.c:56)
==3245==    by 0x3C3CE617: destroy (htmlclueflow.c:107)
==3245==    by 0x3C40924A: html_object_destroy (htmlobject.c:834)
==3245==    by 0x3C3CC52B: destroy (htmlclue.c:51)
==3245==    by 0x3C40924A: html_object_destroy (htmlobject.c:834)
==3245==    by 0x3C3F8BBD: html_engine_parse (htmlengine.c:4879)
==3245==    by 0x3C3C2C30: gtk_html_begin_full (gtkhtml.c:3332)
==3245==    by 0x3E10DDC6: emhs_sync_write (em-html-stream.c:112)
==3245==    by 0x3E10C246: emcs_gui_received (em-sync-stream.c:142)
==3245==
==3245== Invalid write of size 4
==3245==    at 0x3D4B6AD0: g_data_set_internal (gdataset.c:315)
==3245==    by 0x3D4B7278: g_datalist_id_set_data_full (gdataset.c:380)
==3245==    by 0x3C40AA3B: html_object_set_data_full_nocp (htmlobject.c:1590)
==3245==    by 0x3C43696D: html_utils_get_accessible (utils.c:108)
==3245==    by 0x3C432FF3: gtk_html_a11y_ref_child (object.c:119)
==3245==    by 0x3D3D61EA: atk_object_ref_accessible_child (atkobject.c:607)
==3245==    by 0x3DCDAA80: spi_atk_bridge_signal_listener (bridge.c:908)
==3245==    by 0x3D47A752: signal_emit_unlocked_R (gsignal.c:2402)
==3245==    by 0x3D47BAC1: g_signal_emit_valist (gsignal.c:2195)
==3245==    by 0x3D47BCC2: g_signal_emit_by_name (gsignal.c:2263)
==3245==    by 0x3DD1F3D7: gail_container_real_remove_gtk (gailcontainer.c:248)
==3245==    by 0x3DD1F18B: gail_container_remove_gtk (gailcontainer.c:192)
==3245==  Address 0x3F159AF8 is 64 bytes inside a block of size 116 free'd
==3245==    at 0x3C01C851: free (vg_replace_malloc.c:127)
==3245==    by 0x3D4CB2A1: g_free (gmem.c:186)
==3245==    by 0x3C407D0A: destroy (htmlobject.c:74)
==3245==    by 0x3C3CC55B: destroy (htmlclue.c:56)
==3245==    by 0x3C3CE617: destroy (htmlclueflow.c:107)
==3245==    by 0x3C40924A: html_object_destroy (htmlobject.c:834)
==3245==    by 0x3C3CC52B: destroy (htmlclue.c:51)
==3245==    by 0x3C40924A: html_object_destroy (htmlobject.c:834)
==3245==    by 0x3C3F8BBD: html_engine_parse (htmlengine.c:4879)
==3245==    by 0x3C3C2C30: gtk_html_begin_full (gtkhtml.c:3332)
==3245==    by 0x3E10DDC6: emhs_sync_write (em-html-stream.c:112)
==3245==    by 0x3E10C246: emcs_gui_received (em-sync-stream.c:142)
Comment 54 yuedong du 2004-05-21 06:13:40 UTC
The bug happens when there is an embedded widget in the gtkhtml layout.

The problem is that the a11y object for gtkhtml (object.c) does not inherit
from gailcontainer. But when destroying such an embedded widget,
gtk_container_remove() is called. When a11y is enabled,
gail_container** will be invoked, so things will go wrong.
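
The failure mode shown in comments 53 and 54, as an added C model that is neither GtkHTML code nor the fix in the patch that follows: a listener re-enters a half-destroyed tree during widget removal and reads a node that is already freed but still linked. Every name here (node, listener_walk, destroy_unsafe, destroy_safe, run_teardown) is constructed for illustration, and the unlink-before-destroy ordering is a general defensive pattern, not what the project changed.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model, not GtkHTML code. Nodes live in a static pool and
 * "freeing" only sets a flag, so a stale access is counted, not real UB. */
#define MAX_NODES 8
#define MAX_KIDS  2

struct node {
    int freed;                    /* stands in for g_free() of the object */
    int has_widget;               /* embedded widget: removal emits a signal */
    struct node *child[MAX_KIDS];
};

static struct node pool[MAX_NODES];
static int pool_used;
static struct node *root;         /* entry point the listener walks from */
static int stale_accesses;        /* listener reads of already-freed nodes */

static struct node *node_new(struct node *parent, int slot, int has_widget)
{
    struct node *n = &pool[pool_used++];
    n->has_widget = has_widget;
    if (parent)
        parent->child[slot] = n;
    return n;
}

/* Stand-in for the accessibility listener that runs on the container's
 * "remove" signal and asks the document accessible for its children. */
static void listener_walk(const struct node *n)
{
    if (n->freed) { stale_accesses++; return; }  /* the "Invalid read" case */
    for (int i = 0; i < MAX_KIDS; i++)
        if (n->child[i])
            listener_walk(n->child[i]);
}

/* Teardown as in the traces: children are freed while still linked, and
 * removing the embedded widget re-enters the listener half way through. */
static void destroy_unsafe(struct node *n)
{
    for (int i = 0; i < MAX_KIDS; i++)
        if (n->child[i])
            destroy_unsafe(n->child[i]);
    if (n->has_widget)
        listener_walk(root);      /* models gtk_container_remove() -> signal */
    n->freed = 1;
}

/* Defensive ordering: unlink each child before destroying it, so nothing
 * reachable from root is ever in the freed state. */
static void destroy_safe(struct node *n)
{
    for (int i = 0; i < MAX_KIDS; i++) {
        struct node *c = n->child[i];
        if (!c)
            continue;
        n->child[i] = NULL;
        destroy_safe(c);
    }
    if (n->has_widget)
        listener_walk(root);
    n->freed = 1;
}

/* Builds root -> { paragraph, flow -> { embedded widget } }, tears it down,
 * and returns how many freed nodes the listener touched. */
int run_teardown(int safe)
{
    memset(pool, 0, sizeof pool);
    pool_used = 0;
    stale_accesses = 0;
    root = node_new(NULL, 0, 0);
    node_new(root, 0, 0);                     /* paragraph, destroyed first */
    node_new(node_new(root, 1, 0), 0, 1);     /* flow with embedded widget */
    if (safe) destroy_safe(root); else destroy_unsafe(root);
    return stale_accesses;
}

int main(void)
{
    printf("unsafe: %d stale, safe: %d stale\n", run_teardown(0), run_teardown(1));
    return 0;
}
```
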

Comment 55 yuedong du 2004-05-21 10:20:44 UTC

Index: object.c
===================================================================
RCS file: /cvs/gnome/gtkhtml/a11y/object.c,v
retrieving revision 1.4
diff -u -r1.4 object.c
--- object.c    6 Aug 2003 10:47:16 -0000    1.4
+++ object.c    21 May 2004 09:42:16 -0000
@@ -59,12 +59,10 @@
         * we are deriving from
         */
        AtkObjectFactory *factory;
-        GType derived_type;
        GTypeQuery query;
        GType derived_atk_type;

-        derived_type = g_type_parent (GTK_TYPE_HTML);
-        factory = atk_registry_get_factory (atk_get_default_registry
(), derived_type);
+        factory = atk_registry_get_factory (atk_get_default_registry
(), GTK_TYPE_WIDGET);
        derived_atk_type = atk_object_factory_get_accessible_type
(factory);
        g_type_query (derived_atk_type, &query);
        tinfo.class_size = query.class_size;
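Review bot: the block comment ending "we are deriving from" above the declarations was written for the g_type_parent (GTK_TYPE_HTML) lookup, but after this change the factory is requested for GTK_TYPE_WIDGET regardless of the widget's parent type, so the comment should state that the parent's accessible type is skipped on purpose and why (comment 54: the gail_container handlers run on gtk_container_remove()). The return value of atk_registry_get_factory () is also passed straight to atk_object_factory_get_accessible_type () without a check; if it can never be NULL here, a one-line comment saying so would help the next reader.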
Comment 56 yuedong du 2004-05-21 10:21:05 UTC
proposed fix
Comment 57 Gerardo Marin 2004-05-25 01:14:02 UTC
*** bug 258883 has been marked as a duplicate of this bug. ***
Comment 58 yuedong du 2004-05-26 02:50:10 UTC
fixed in cvs.
Comment 59 Gerardo Marin 2004-06-01 04:08:07 UTC
*** bug 259298 has been marked as a duplicate of this bug. ***
Comment 60 Gerardo Marin 2004-07-05 19:32:26 UTC
*** bug 261123 has been marked as a duplicate of this bug. ***
Comment 61 Gerardo Marin 2004-07-05 19:32:48 UTC
*** bug 261124 has been marked as a duplicate of this bug. ***
Comment 62 Gerardo Marin 2004-07-06 20:05:52 UTC
*** bug 260566 has been marked as a duplicate of this bug. ***
Comment 63 yuedong du 2004-07-12 05:49:47 UTC
Hi Gerardo,

The stack trace of newer duplicate shows that it is not quite the same
bug,  so we may not duplicate them on this bug.
Comment 64 yuedong du 2004-07-12 05:54:12 UTC
Oh sorry, I just realized this bug mentioned 2 problems, including the
newer duplicated ones. So you are right.
Comment 65 Gerardo Marin 2004-07-13 19:40:36 UTC
*** bug 261460 has been marked as a duplicate of this bug. ***
Comment 66 Gerardo Marin 2004-07-16 17:09:10 UTC
*** bug 261658 has been marked as a duplicate of this bug. ***
Comment 67 Gerardo Marin 2004-07-16 20:12:43 UTC
*** bug 261497 has been marked as a duplicate of this bug. ***
Comment 68 Gerardo Marin 2004-07-16 20:16:22 UTC
*** bug 261499 has been marked as a duplicate of this bug. ***
Comment 69 Gerardo Marin 2004-07-22 22:03:07 UTC
*** bug 261829 has been marked as a duplicate of this bug. ***
Comment 70 Gerardo Marin 2004-07-23 21:33:01 UTC
*** bug 261863 has been marked as a duplicate of this bug. ***
Comment 71 Gerardo Marin 2004-07-26 22:38:13 UTC
*** bug 261908 has been marked as a duplicate of this bug. ***
Comment 72 Gerardo Marin 2004-08-24 18:13:49 UTC
*** bug 263700 has been marked as a duplicate of this bug. ***
Comment 73 Gerardo Marin 2004-08-27 01:44:25 UTC
*** bug 263933 has been marked as a duplicate of this bug. ***
Comment 74 Gerardo Marin 2004-08-27 21:21:52 UTC
*** bug 264320 has been marked as a duplicate of this bug. ***
Comment 75 Gerardo Marin 2004-08-31 18:20:56 UTC
*** bug 264539 has been marked as a duplicate of this bug. ***
Comment 76 Gerardo Marin 2004-09-14 00:19:19 UTC
*** bug 265848 has been marked as a duplicate of this bug. ***
Comment 77 Gerardo Marin 2004-09-14 00:20:02 UTC
*** bug 265880 has been marked as a duplicate of this bug. ***
Comment 78 Gerardo Marin 2004-09-20 15:37:15 UTC
*** bug 266084 has been marked as a duplicate of this bug. ***
Comment 79 Gerardo Marin 2004-09-20 20:26:28 UTC
*** bug 266208 has been marked as a duplicate of this bug. ***
Comment 80 Elijah Newren 2005-04-10 02:39:19 UTC
*** Bug 274222 has been marked as a duplicate of this bug. ***
Comment 81 Vincent Noel 2005-06-21 18:29:21 UTC
*** Bug 306969 has been marked as a duplicate of this bug. ***
Comment 82 Vincent Noel 2005-06-21 18:29:44 UTC
*** Bug 307592 has been marked as a duplicate of this bug. ***
Comment 83 Vincent Noel 2005-06-21 18:30:01 UTC
*** Bug 307593 has been marked as a duplicate of this bug. ***
Comment 84 Vincent Noel 2005-06-21 18:30:14 UTC
*** Bug 308201 has been marked as a duplicate of this bug. ***