Bug 659217 – Crash when disposing GtkHTML when it's still filled

After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.

Bug 659217 - Crash when disposing GtkHTML when it's still filled


Summary:	Crash when disposing GtkHTML when it's still filled


Status:	RESOLVED WONTFIX

Product:	GtkHtml
Classification:	Other
Component:	Rendering
Version:	4.0.x
Hardware:	Other Linux

Importance:	Normal critical
Target Milestone:	---
Assigned To:	gtkhtml-maintainers
QA Contact:	gtkhtml-maintainers

URL:
Whiteboard:	gnome[unmaintained]

Depends on:
Blocks:

Reported:	2011-09-16 06:45 UTC by Milan Crha
Modified:	2014-12-02 01:06 UTC

See Also:
GNOME target:	---
GNOME version:	---

Attachments
gtkhtml patch (690 bytes, patch) 2011-09-16 10:07 UTC, Milan Crha	committed	Details \| Review

Description Milan Crha 2011-09-16 06:45:56 UTC

Moving this from a downstream bug report:
https://bugzilla.redhat.com/show_bug.cgi?id=738666

abrt version: 2.0.5
backtrace_rating: 4
cmdline:        evolution
comment:        Closing an email window that had been reported as being too
large for evolution to format, and so I'd viewed the unformatted message.
crash_function: html_tokenizer_end
executable:     /usr/bin/evolution
kernel:         3.1.0-0.rc6.git0.0.fc16.x86_64
reason:         Process /usr/bin/evolution was killed by signal 11 (SIGSEGV)
time:           Thu Sep 15 14:46:23 2011

xsession_errors:
:(evolution-alarm-notify:2270): GLib-GIO-WARNING **: Your application does not
implement g_application_activate() and has no handlers connected to the
'activate' signal.  It should do one of these.
:(evolution:3196): evolution-shell-CRITICAL **: shell_settings_pspec_for_key:
assertion `schema_name != NULL' failed
:(evolution:3196): gtkhtml-CRITICAL **: html_engine_finalize: assertion
`opened_streams == 0' failed
:(evolution:3196): GLib-GObject-WARNING **: invalid uninstantiatable type
`<invalid>' in cast to `HTMLEngine'

Core was generated by `evolution'.
Program terminated with signal 11, Segmentation fault.

+ Trace 228467

Thread 2 (Thread 0x7f475fe5d700 (LWP 3198))

#0 read
at ../sysdeps/unix/syscall-template.S line 82
#1 read
at /usr/include/bits/unistd.h line 45
#2 unix_signal_helper_thread
at gmain.c line 4567
#3 g_thread_create_proxy
at gthread.c line 1962
#4 start_thread
at pthread_create.c line 305
#5 clone
at ../sysdeps/unix/sysv/linux/x86_64/clone.S line 115

Thread 1 (Thread 0x7f47662819c0 (LWP 3196))

#0 html_tokenizer_end
at htmltokenizer.c line 1522
#1 html_engine_stream_end
at htmlengine.c line 5222
#2 gtk_html_stream_close
at gtkhtml-stream.c line 137
#3 html_stream_cleanup
at em-html-stream.c line 42
#4 g_closure_invoke
at gclosure.c line 774
#5 signal_emit_unlocked_R
at gsignal.c line 3272
#6 g_signal_emit_valist
at gsignal.c line 3003
#7 g_signal_emit
at gsignal.c line 3060
#8 gtk_widget_dispose
at gtkwidget.c line 10665
#9 g_object_run_dispose
at gobject.c line 945
#10 gtk_scrolled_window_forall
at gtkscrolledwindow.c line 1265
#11 gtk_container_destroy
at gtkcontainer.c line 1368
#12 g_closure_invoke
at gclosure.c line 774
#13 signal_emit_unlocked_R
at gsignal.c line 3388
#14 g_signal_emit_valist
at gsignal.c line 3003
#15 g_signal_emit
at gsignal.c line 3060
#16 gtk_widget_dispose
at gtkwidget.c line 10665
#17 g_object_run_dispose
at gobject.c line 945
#18 gtk_box_forall
at gtkbox.c line 1844
#19 gtk_container_destroy
at gtkcontainer.c line 1368
#20 g_closure_invoke
at gclosure.c line 774
#21 signal_emit_unlocked_R
at gsignal.c line 3388
#22 g_signal_emit_valist
at gsignal.c line 3003
#23 g_signal_emit
at gsignal.c line 3060
#24 gtk_widget_dispose
at gtkwidget.c line 10665
#25 g_object_run_dispose
at gobject.c line 945
#26 gtk_box_forall
at gtkbox.c line 1844
#27 gtk_container_destroy
at gtkcontainer.c line 1368
#28 g_closure_invoke
at gclosure.c line 774
#29 signal_emit_unlocked_R
at gsignal.c line 3388
#30 g_signal_emit_valist
at gsignal.c line 3003
#31 g_signal_emit
at gsignal.c line 3060
#32 gtk_widget_dispose
at gtkwidget.c line 10665
#33 g_object_run_dispose
at gobject.c line 945
#34 gtk_container_destroy
at gtkcontainer.c line 1368
#35 g_closure_invoke
at gclosure.c line 774
#36 signal_emit_unlocked_R
at gsignal.c line 3388
#37 g_signal_emit_valist
at gsignal.c line 3003
#38 g_signal_emit
at gsignal.c line 3060
#39 gtk_widget_dispose
at gtkwidget.c line 10665
#40 g_object_run_dispose
at gobject.c line 945
#41 gtk_main_do_event
at gtkmain.c line 1792
#42 gdk_event_source_dispatch
at gdkeventsource.c line 360
#43 g_main_dispatch
at gmain.c line 2441
#44 g_main_context_dispatch
at gmain.c line 3011
#45 g_main_context_iterate
at gmain.c line 3089
#46 g_main_loop_run
at gmain.c line 3297
#47 gtk_main
at gtkmain.c line 1362
#48 main
at main.c line 696

Comment 1 Milan Crha 2011-09-16 10:07:57 UTC

Created attachment 196704 [details] [review]
gtkhtml patch 

for gtkhtml;

This fixes it for me. I was thinking of moving HTMLEngine unref into GtkHTML's finalize, but it had other issues, so this ref/unref makes things live much better. With respect of a reproducer, it's easier to reproduce when the "formatting message" takes longer, like when running under valgrind for me.

Comment 2 Milan Crha 2011-09-16 10:10:24 UTC

Created commit e6b49c0 in gtkhtml master (4.1.92+)

Comment 3 Milan Crha 2011-10-10 06:50:37 UTC

Reopening, the patch doesn't fix all cases, because gtkhtml 4.2.0 still crashes under similar circumstances, as reported downstream in:
https://bugzilla.redhat.com/show_bug.cgi?id=744190

Comment 4 Milan Crha 2011-10-10 06:51:06 UTC

+ Trace 228733

Thread 1 (Thread 0x7f9174c2c9c0 (LWP 2694))

#0 ??
#1 get_lmargin
at htmlcluev.c line 100
#2 html_cluev_do_layout
at htmlcluev.c line 164
#3 html_object_calc_size
at htmlobject.c line 1189
#4 html_engine_calc_size
at htmlengine.c line 5517
#5 html_engine_update_event
at htmlengine.c line 5016
#6 html_engine_timer_event
at htmlengine.c line 5178
#7 html_engine_stream_end
at htmlengine.c line 5229
#8 gtk_html_stream_close
at gtkhtml-stream.c line 137
#9 html_stream_cleanup
at em-html-stream.c line 42
#10 g_closure_invoke
at gclosure.c line 774
#11 signal_emit_unlocked_R
at gsignal.c line 3272
#12 g_signal_emit_valist
at gsignal.c line 3003
#13 g_signal_emit
at gsignal.c line 3060
#14 gtk_widget_dispose
at gtkwidget.c line 10666
#15 g_object_run_dispose
at gobject.c line 945
#16 gtk_scrolled_window_forall
at gtkscrolledwindow.c line 1265
#17 gtk_container_destroy
at gtkcontainer.c line 1370
#18 g_closure_invoke
at gclosure.c line 774
#19 signal_emit_unlocked_R
at gsignal.c line 3388
#20 g_signal_emit_valist
at gsignal.c line 3003
#21 g_signal_emit
at gsignal.c line 3060
#22 gtk_widget_dispose
at gtkwidget.c line 10666
#23 g_object_run_dispose
at gobject.c line 945
#24 gtk_box_forall
at gtkbox.c line 1856
#25 gtk_container_destroy
at gtkcontainer.c line 1370
#26 g_closure_invoke
at gclosure.c line 774
#27 signal_emit_unlocked_R
at gsignal.c line 3388
#28 g_signal_emit_valist
at gsignal.c line 3003
#29 g_signal_emit
at gsignal.c line 3060
#30 gtk_widget_dispose
at gtkwidget.c line 10666
#31 g_object_run_dispose
at gobject.c line 945
#32 gtk_box_forall
at gtkbox.c line 1856
#33 gtk_container_destroy
at gtkcontainer.c line 1370
#34 g_closure_invoke
at gclosure.c line 774
#35 signal_emit_unlocked_R
at gsignal.c line 3388
#36 g_signal_emit_valist
at gsignal.c line 3003
#37 g_signal_emit
at gsignal.c line 3060
#38 gtk_widget_dispose
at gtkwidget.c line 10666
#39 g_object_run_dispose
at gobject.c line 945
#40 gtk_container_destroy
at gtkcontainer.c line 1370
#41 g_closure_invoke
at gclosure.c line 774
#42 signal_emit_unlocked_R
at gsignal.c line 3388
#43 g_signal_emit_valist
at gsignal.c line 3003
#44 g_signal_emit
at gsignal.c line 3060
#45 gtk_widget_dispose
at gtkwidget.c line 10666
#46 g_object_run_dispose
at gobject.c line 945
#47 gtk_main_do_event
at gtkmain.c line 1792
#48 gdk_event_source_dispatch
at gdkeventsource.c line 360
#49 g_main_dispatch
at gmain.c line 2441
#50 g_main_context_dispatch
at gmain.c line 3011
#51 g_main_context_iterate
at gmain.c line 3089
#52 g_main_loop_run
at gmain.c line 3297
#53 gtk_main
at gtkmain.c line 1362
#54 main
at main.c line 696

Comment 5 Milan Bouchet-Valat 2012-08-28 09:04:02 UTC

Any news on that crash? I'm getting this crash with Evo 3.4.4 on Fedora 17, and Abrt tells me this is a duplicate of the downstream bug.

Comment 6 Matthew Barnes 2012-08-28 11:12:40 UTC

Well the 3.4.x releases are done, Evolution 3.6 will use WebKit, and GtkHtml is basically unmaintained at this point.

Comment 7 Milan Bouchet-Valat 2012-08-28 11:38:16 UTC

OK, good to know, thanks.

Comment 8 André Klapper 2014-12-02 01:06:57 UTC

Since version 3.6, Evolution uses WebKit instead of GtkHtml for displaying messages. (And for completeness, Evolution 3.14 is planned to use WebKit also for composing and editing messages so GtkHtml will not receive any fixes anymore.)

Hence I am closing this GtkHtml rendering bug report.
We are sorry that your request was not handled in time when it was reported but unfortunately manpower is very limited (and does not allow testing every single reported issue separately again either).

Please feel free to reopen this report (and move it to the "Evolution" product and the "Mail" component) if the problem described in this bug report still happens in a recent supported Evolution version which uses WebKit (the current stable Evolution version is 3.12).