Bug 752208 - gnome-terminal may crash when I right-click on a selection
Status: RESOLVED FIXED
Product: gnome-terminal
Classification: Core
Component: general
Version: git master
Hardware: Other FreeBSD
Importance: Normal normal
Target Milestone: ---
Assigned To: GNOME Terminal Maintainers
QA Contact: GNOME Terminal Maintainers
Depends on: 752761
Blocks:
 
 
Reported: 2015-07-10 07:59 UTC by Ting-Wei Lan
Modified: 2015-07-31 13:18 UTC
See Also:
GNOME target: ---
GNOME version: ---



Description Ting-Wei Lan 2015-07-10 07:59:25 UTC
This problem started happening recently, but I still cannot find a reliable way to reproduce it. The crash usually happens when I select some text and right-click on it. When this problem happens, I can't see the popup menu and a new message is found in dmesg because gnome-terminal-server crashes with SIGBUS.

Here is the backtrace generated from a core dump:
  • #0 g_type_check_instance
    at gtype.c line 4134
  • #1 g_signal_handlers_disconnect_matched
  • #2 gtk_menu_detach
    at gtkmenu.c line 1311
  • #3 popup_clipboard_targets_received_cb
    at terminal-window.c line 2051
  • #4 request_targets_received_func
    at gtkclipboard.c line 1325
  • #5 selection_received
    at gtkclipboard.c line 960
  • #6 _gtk_marshal_VOID__BOXED_UINT
    at gtkmarshalers.c line 3348
  • #7 g_closure_invoke
    at gclosure.c line 801
  • #8 signal_emit_unlocked_R
    at gsignal.c line 3581
  • #9 g_signal_emit_valist
    at gsignal.c line 3337
  • #10 g_signal_emit_by_name
    at gsignal.c line 3433
  • #11 gtk_selection_retrieval_report
    at gtkselection.c line 3023
  • #12 _gtk_selection_notify
    at gtkselection.c line 2827
  • #13 _gtk_marshal_BOOLEAN__BOXEDv
    at gtkmarshalers.c line 130
  • #14 g_type_class_meta_marshalv
    at gclosure.c line 1021
  • #15 _g_closure_invoke_va
    at gclosure.c line 864
  • #16 g_signal_emit_valist
    at gsignal.c line 3246
  • #17 g_signal_emit
    at gsignal.c line 3393
  • #18 gtk_widget_event_internal
    at gtkwidget.c line 7815
  • #19 gtk_widget_event
    at gtkwidget.c line 7408
  • #20 gtk_main_do_event
    at gtkmain.c line 1754
  • #21 _gdk_event_emit
    at gdkevents.c line 69
  • #22 gdk_event_source_dispatch
    at gdkeventsource.c line 364
  • #23 g_main_dispatch
    at gmain.c line 3122
  • #24 g_main_context_dispatch
    at gmain.c line 3737
  • #25 g_main_context_iterate
    at gmain.c line 3808
  • #26 g_main_context_iteration
    at gmain.c line 3869
  • #27 g_application_run
    at gapplication.c line 2311
  • #28 main
    at server.c line 177

Some older backtraces:
http://fpaste.org/239699/43599102/
http://fpaste.org/239708/14359942/
Comment 1 Ting-Wei Lan 2015-07-10 08:04:24 UTC
In frame #2, the object that data->attach_widget points to is invalid.

(gdb) print *(data->attach_widget)
$1 = {parent_instance = {g_type_instance = {g_class = 0xaaaaaaaaaaaaaaaa}, ref_count = 2863311530, qdata = 0xaaaaaaaaaaaaaaaa}, priv = 0xaaaaaaaaaaaaaaaa}
Comment 2 Christian Persch 2015-07-10 11:25:25 UTC
Does reverting commit 67afb95efd64f29d62ebd32853276a76a5d0760f fix this?
Comment 3 Ting-Wei Lan 2015-07-11 08:13:13 UTC
After using gnome-terminal for several hours, I hope it is fixed. I don't see any crash caused by right-clicks after reverting the commit.
Comment 4 Jonas Ådahl 2015-07-12 07:00:35 UTC
I found a reliable way to reproduce:

1. Open gnome-terminal
2. Open a new tab
3. Select some text
4. Right click
5. Dismiss the popup menu
6. Close the tab
7. Select text in the initial tab
8. Right click

This seems to crash every time for me. The reason is that after you have attached a menu to a widget, there are two references to the popup menu; one from the GtkUiManager, and one from the widget the menu is attached to.

When the widget the menu is attached to is destroyed, it removes its references and assumes it was the sole owner of the menu, assuming it was destroyed.

When we then refetch the menu from GtkUiManager, we see that it is still attached to something, and then we try to detach it; which is why it fails: it tries to detach from something that was destroyed, and as a result tries to dereference the freed instance.

I see two possible solutions:

1. Move this bug to GTK+, making GTK menu attachment able to deal with not being the sole owner of a menu.
2. Do a reference dance in terminal-window for example: menu = get(); ref(menu); if (attached(menu)) detach(menu); attach(menu); unref(menu);

CC:ing mclasen. Is this something the GTK+ API is expected to handle, i.e. should we move this bug over there?
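The ownership problem analysed in comment 4, as an added example that is not part of the original report and is not GTK+ or gnome-terminal code. It is a simplified reference-count model in plain C: every type and function name is hypothetical, an `alive` flag stands in for freed memory so the stale back-pointer can be observed safely, and the "fixed" destroy path is an assumption in the spirit of option 1, not the actual patch from bug 752761.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
/* Simplified ownership model, not GTK code; every name here is hypothetical. */
typedef struct Widget { bool alive; struct Menu *menu; } Widget;
typedef struct Menu { int refs; Widget *attach_widget; } Menu;

static void menu_attach(Menu *m, Widget *w) {
    m->refs++;                       /* the widget takes its own reference */
    m->attach_widget = w;
    w->menu = m;
}
/* Returns false at the point where real code would dereference freed memory. */
static bool menu_detach(Menu *m) {
    Widget *w = m->attach_widget;
    if (w == NULL) return true;      /* nothing attached */
    if (!w->alive) return false;     /* stale back-pointer: the crash in frame #2 */
    w->menu = NULL;
    m->attach_widget = NULL;
    m->refs--;
    return true;
}
/* Buggy destroy: drops the widget's reference and assumes the menu died with it. */
static void widget_destroy_buggy(Widget *w) {
    if (w->menu) w->menu->refs--;    /* menu survives: the UI manager still holds a ref */
    w->alive = false;                /* stands in for freeing the widget */
}
/* Destroy that tolerates a shared menu: detach first, clearing the back-pointer. */
static void widget_destroy_fixed(Widget *w) {
    if (w->menu) menu_detach(w->menu);
    w->alive = false;
}
/* Steps 2-8 from comment 4: popup in a new tab, close it, popup in the first tab. */
static bool reproduce(void (*destroy)(Widget *)) {
    Menu menu = { 1, NULL };         /* one reference held by the UI manager */
    Widget tab1 = { true, NULL }, tab2 = { true, NULL };
    menu_attach(&menu, &tab2);       /* steps 3-5: menu attached to the new tab */
    destroy(&tab2);                  /* step 6: close the tab */
    if (menu.attach_widget != NULL && !menu_detach(&menu))
        return false;                /* steps 7-8: detach from a destroyed widget */
    menu_attach(&menu, &tab1);
    return menu.refs == 2 && menu.attach_widget == &tab1;
}

int main(void) {
    printf("buggy destroy ok: %d, fixed destroy ok: %d\n",
           reproduce(widget_destroy_buggy), reproduce(widget_destroy_fixed));
    return 0;
}
```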
Comment 5 Ting-Wei Lan 2015-07-20 18:38:07 UTC
(In reply to Jonas Ådahl from comment #4)
> I found a reliable way to reproduce:
> 
> 1. Open gnome-terminal
> 2. Open a new tab
> 3. Select some text
> 4. Right click
> 5. Dismiss the popup menu
> 6. Close the tab
> 7. Select text in the initial tab
> 8. Right click
> 

I can reproduce the problem using the above steps.
Comment 6 Jonas Ådahl 2015-07-23 06:54:37 UTC
Ting-Wei, could you test the GTK+ patch in bug 752761? It fixes the issue you reported when I reproduce using the above steps.
Comment 7 Ting-Wei Lan 2015-07-25 19:42:33 UTC
Yes, it fixes the problem.
Comment 8 Debarshi Ray 2015-07-31 12:33:52 UTC
Can we close this now?
Comment 9 Ting-Wei Lan 2015-07-31 13:18:15 UTC
Yes, the gtk+ fix is already pushed, so I close it now.