GNOME Bugzilla – Bug 480281
Segfault when gtkspell.Spell() is called with a temporary object
Last modified: 2007-09-25 18:10:08 UTC
Steps to reproduce:

    $ python
    >>> import gtk, gtkspell
    >>> gtkspell.Spell(gtk.TextView()).set_language('en_GB')
    Segmentation fault (core dumped)

Stack trace:

    (gdb) bt
+ Trace 165404
Other information:

Happens on Ubuntu gutsy. python-gnome2-extras is 2.19.1-0ubuntu2. See http://launchpad.net/bugs/120569 for the origin of the bug.

It doesn't crash if one uses:

    $ python
    >>> import gtk, gtkspell
    >>> tv = gtk.TextView()
    >>> gtkspell.Spell(tv).set_language('en_GB')

Even if the original usage of the gtkspell.Spell() is wrong, it shouldn't crash.
The bug is in the libgtkspell C library; nothing I can do. Thanks for taking the time to report this bug. However, this application does not track its bugs in the GNOME Bugzilla. We kindly ask you to report the bug to the application authors. For a selective list of other bug tracking systems please consult http://live.gnome.org/Bugsquad/TriageGuide/NonGnome. If the affected third party application has a bug tracking system you should investigate whether a bug for the reported issue is already filed in this system. If it has not been filed yet please do so. Also ensure that both bug reports contain a link to each other. Thanks in advance!
I don't believe this is a bug in libgtkspell itself (see http://paste.debian.net/37967 for some C code to test libgtkspell itself from someone who assisted in debugging this crash). Please also read his analysis of the problem (https://bugs.edge.launchpad.net/ubuntu/+source/gtkspell/+bug/120569/comments/21):

"The problem is how this function is called. The GtkTextView is instantiated temporarily and is destroyed after the construction of the GtkSpell object, which triggers a destruction of the relevant parts needed by set_language. I personally would consider the call method wrong, but well. A solution is to bump the refcnt of the textview in the GtkExtra python module (found in gnome-python-extras) by adding it to the type struct, and bumping the count in new_attach and get_from_textview. Also I think that one needs to introduce a destructor to decrease the refcnt of the textview. I tried this and the relevant part worked fine, but there was a crash in Python's GC instead."

If his analysis is correct, how can libgtkspell prevent the python gtkspell module from corrupting its pointers? The wrong pointer is passed from the gtkspell python module to libgtkspell (and libaspell) where it causes the crash in the end. Also changing the python code makes the crash go away. So this matches his analysis.
Maybe it is _possible_ to work around the problem from gnome-python-extras side, but it does not change the fact that the real problem is in the C library. To fix the problem for real, libgtkspell should be using a weak reference to the TextView object so that when the TextView is destroyed GtkSpell is notified and removes the reference.
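Added example (not part of the original thread, and not gtkspell or gnome-python-extras code): a pure-Python model of the two fixes discussed above, the weak reference with a destroy notification and the binding-side strong reference. TextView, WeakSpell, OwningSpell and call_on_temporary are hypothetical names constructed for this illustration; the weakref callback stands in for the notification the C library would receive.

```python
import gc
import weakref


class TextView:
    """Constructed stand-in for gtk.TextView; not the real widget."""


class WeakSpell:
    """Checker that watches its view through a weak reference."""

    def __init__(self, view):
        self.detached = False
        self.language = None
        # The callback plays the role of the destroy notification:
        # it fires when the view is finalized, so no stale pointer is kept.
        self._view = weakref.ref(view, self._on_view_destroyed)

    def _on_view_destroyed(self, _ref):
        self.detached = True

    def set_language(self, lang):
        if self._view() is None:
            raise RuntimeError("text view destroyed; spell checker detached")
        self.language = lang
        return lang


class OwningSpell(WeakSpell):
    """Binding-side workaround: also hold a strong reference to the view."""

    def __init__(self, view):
        super().__init__(view)
        self._owner = view  # keeps the view alive as long as the checker


def call_on_temporary(spell_cls):
    """Repeat the crashing call shape: Spell(TextView()).set_language(...)."""
    spell = spell_cls(TextView())
    gc.collect()  # CPython already freed the temporary; this covers other VMs
    try:
        return spell.set_language("en_GB"), spell.detached
    except RuntimeError as exc:
        return str(exc), spell.detached


if __name__ == "__main__":
    print(call_on_temporary(WeakSpell))
    print(call_on_temporary(OwningSpell))
```

With the weak reference the call on a temporary view ends in a controlled error instead of a use of freed memory; with the strong reference the view simply outlives the call.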
I've forwarded this bug report to the current gtkspell maintainer (Nathan Fredrickson). Before the pastebin link from comment #2 expires, I'm copying its content for reference:

    pkern@asterix:/tmp$ cat test.c
    #include <gtk/gtktextview.h>
    #include <gtkspell/gtkspell.h>
    #include <gtk/gtk.h>
    #include <stdio.h>

    int main(int argc, char** argv)
    {
        gtk_init(&argc, &argv);
        GtkTextView* tv = GTK_TEXT_VIEW(gtk_text_view_new());
        GError* err = NULL;
        GtkSpell* spell = gtkspell_new_attach(tv, NULL, &err);
        if(err != NULL)
            printf("failure!\n");
        gtkspell_set_language(spell, "en_US", &err);
        if(err != NULL)
            printf("failure!\n");
    }
    pkern@asterix:/tmp$ gcc -o test test.c `pkg-config --libs gtk+-2.0 gtkspell-2.0` `pkg-config --cflags gtk+-2.0 gtkspell-2.0`
    pkern@asterix:/tmp$ ./test
    new_attach: 0x65eab0, (null)
    internal: 0x65eab0, (null), (nil)
    err: 0x664140
    created: 0x664140
    set_language: 0x65eab0, en_US, 0x664140
    internal: 0x65eab0, en_US, 0x664140
    err: 0x69c050
    deleting: 0x664140
    created: 0x69c050