GNOME Bugzilla – Bug 655625
Crash in atk_state_set_contains_state
Last modified: 2013-09-13 01:05:17 UTC
Entered a search term in the search box, pressed return and received four tasks in the list. Then changed the term, deleting 4 characters at the beginning of the term and evolution would crash. I am running evolution 3.1.4 on ubuntu oneiric, a vm (vmware player). Just upgraded all relevant packages. Here is part of the gdb output plus the stack trace: (gdb) f 1
+ Trace 227953
Thread 1 (Thread 0xb62bd8a0 (LWP 5101))
This was reproducible!!
Can you please also install debug packages for glib?
(In reply to comment #2)
> Can you please also install debug packages for glib?

Hmm. Just installed libglib2.0-0-dbg, ran evolution under gdb again, and the bug did not occur again? By the way, evolution crashes when started from the terminal or from the gui, but runs under gdb.
(In reply to comment #3)
> (In reply to comment #2)
> > Can you please also install debug packages for glib?
>
> Hmm. Just installed libglib2.0-0-dbg, ran evolution under gdb again, and the
> bug did not occur again? By the way, evolution crashes when started from
> the terminal or from the gui, but runs under gdb.

Here is the stack trace from apport-unpack when run from the terminal.
+ Trace 227954
(In reply to comment #3)
> (In reply to comment #2)
> > Can you please also install debug packages for glib?
>
> Hmm. Just installed libglib2.0-0-dbg, ran evolution under gdb again, and the
> bug did not occur again? By the way, evolution crashes when started from
> the terminal or from the gui, but runs under gdb.

Just did a git pull and rebuilt evolution and eds master, started the app in tasks, changed the search field, which already contained a term from my previous session, and the app crashes. Here are some snippets from my gdb session and the stack trace: (gdb) do
+ Trace 228022
Created attachment 193247 [details] [review] Put the check GAL_A11Y_IS_E_TABLE_ITEM (a11y) earlier
Thanks for the bug report and patch, but I'm rejecting it. It's just a workaround, and even that can lead to a crash. The function was called with non-NULL a11y, and your backtrace shows that the a11y was already freed (ref_count is 0), thus already freed memory is accessed here. As the GET_PRIVATE() macro accesses internal members of something that is already freed, it's just a matter of luck that it didn't crash (it might crash even with your patch if you run evolution with G_SLICE=always-malloc). The type-check macro also accesses internal structures, which shouldn't be done on an already freed object. The only workaround is to disable accessibility, at least for now. I'll try to enable it and see whether I'll be able to reproduce it on my machine with your steps. Comment #4 is a different bug, fixed in 3.1.5.
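As an added illustration of the point made in comment #15 (this is not code from the bug, the patch or Evolution): a constructed C stand-in for a refcounted object whose "is-a" check and private data live in the instance, exactly the fields a type-check macro or GET_PRIVATE() would read after the object is gone. It shows the weak-pointer pattern (the same idea as GLib's g_object_add_weak_pointer()) that clears the holder's pointer on finalization, so the accessor rejects NULL instead of dereferencing freed memory. The struct, function names and values are assumptions for the example.

```c
#include <stdlib.h>

/* Constructed stand-in for a GObject-like refcounted a11y item. The magic
 * word plays the role of the type-check data and priv_state the role of
 * what GET_PRIVATE() would return; both sit inside the allocation, so
 * reading them after free is undefined behaviour, not "safe when lucky". */
#define ITEM_MAGIC 0x4554424Cu
typedef struct {
    unsigned magic;
    int ref_count;
    int priv_state;
    void **weak_slot;   /* the holder's pointer, cleared on finalize */
} Item;

Item *item_new(void **weak_slot) {
    Item *it = calloc(1, sizeof *it);
    it->magic = ITEM_MAGIC;
    it->ref_count = 1;
    it->priv_state = 1;
    it->weak_slot = weak_slot;
    if (weak_slot) *weak_slot = it;   /* register the weak pointer */
    return it;
}

void item_ref(Item *it) { it->ref_count++; }

void item_unref(Item *it) {
    if (--it->ref_count > 0) return;
    /* Finalize: clear the holder's pointer and poison the magic before the
     * memory is released, so a later lookup fails on NULL, not on a read of
     * freed memory. */
    if (it->weak_slot) *it->weak_slot = NULL;
    it->magic = 0;
    free(it);
}

/* What an accessor like the a11y state query should do: refuse NULL (and
 * anything that is not a live item) before touching private members. */
int item_state_contains(const Item *it) {
    if (it == NULL || it->magic != ITEM_MAGIC) return -1;
    return it->priv_state;
}

/* The bug's shape: a table keeps a pointer to its a11y item, the last ref
 * is dropped elsewhere, then an accessibility callback fires on the holder.
 * Returns 1 when the live query succeeds and the post-free query bails out. */
int run_scenario(void) {
    void *held = NULL;
    Item *it = item_new(&held);
    int before = item_state_contains(held);   /* live object: 1 */
    item_unref(it);                           /* ref_count reaches 0 */
    int after = item_state_contains(held);    /* slot is now NULL: -1 */
    return before == 1 && after == -1;
}
```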
Hrm, so I tried to reproduce this, but no luck. I see the method being called, but apart from that nothing, no crash. Neither does valgrind claim anything; it's using correct memory pointers when I'm trying your steps.
*** Bug 656780 has been marked as a duplicate of this bug. ***
Just in case, to disable accessibility just run this command:
$ gsettings set org.gnome.desktop.interface toolkit-accessibility false
and log out and log back in for it to take effect.
Just had another one of those. Used evolution 3.1.5, a version just updated via apt-get upgrade on ubuntu oneiric: (gdb) bt
+ Trace 228152
(In reply to comment #11)
> Just had another one of those. Used evolution 3.1.5, a version just updated via
> apt-get upgrade on ubuntu oneiric:
>
> (gdb) bt
>

Now I do have a scenario to repeat it, and it is not connected to searching. Just open the tasks, click on the first line in the summary list: "Click here to add a task", click on a different item in the summary list, click again into the first line to add a task, and the crash occurs.
Created attachment 196398 [details] [review] proposed evo patch for evolution

This seems to "fix" this for me. My steps are similar to yours:
a) click in "Click to add"
b) click again under the Summary header, to get a blinking cursor
c) press Enter - the cursor is gone, but the field under Summary is still visible
d) repeat b) & c)

There are critical warnings on the console now. I wrote fix in quotes above, because the whole concept of a11y in ETable is kinda strange. For example, it uses g_object_run_dispose, which might not be used (I think I added it when I was replacing some other deprecated function), but when g_object_unref is used, Evolution crashes almost instantly. Thus this change. Please give it a try and let me know whether it helped you too. Thanks in advance.
This patch fixes the crash for me in master.
Thanks for testing this. I'm marking the patch accordingly.
*** Bug 659892 has been marked as a duplicate of this bug. ***
Created commit 23f5359 in evo master (3.3.1+)
Created commit 743a04d in evo gnome-3-2 (3.2.1+)