GNOME Bugzilla – Bug 664137
Crash in Audacious audio player when browsing the add file dialog
Last modified: 2011-12-15 20:56:26 UTC
Created attachment 201475
Backtrace

Audacious 3.1 started to seg fault after the update from gtk3 3.2.1 to 3.2.2. The crash occurs randomly when browsing the file dialog for adding files to a playlist.

gtk version: 3.2.2
Audacious: 3.1
System: Arch Linux 3.1.0-4-ARCH #1 SMP PREEMPT Mon Nov 7 22:47:18 CET 2011 x86_64 Intel(R) Core(TM) i7-2600K CPU @ 3.40GHz GenuineIntel GNU/Linux

Steps:
1 - Open the dialog to add files to the playlist. (Hit 'F' on the keyboard, or use the Plus button at the lower left corner of the playlist -- with Winamp skin)
2 - Go into random directories and possibly add files. Adding files is not necessary, just going into a folder, then going back to the parent, and repeating this is enough. The dialog is set to stay open after adding a file.
3 - Crash comes randomly. Sometimes when I descend into the very first folder. Other times I need to go back and forth 5-10 times.

I could reproduce the crash on two different Arch Linux boxes. Going back to gtk3 3.2.1 fixes the problem.

Created attachment 201476
Backtrace No 2

I actually get 3 different backtrace variations. Here is another one. I could not reproduce the third one.

This affects gedit as well. Here is how to replicate it: http://www.youtube.com/watch?v=RfhFkFpGg30

Bisected to this commit.

25621173734ad1c9cee83802f7ac32ab7df20e7 is the first bad commit
commit b25621173734ad1c9cee83802f7ac32ab7df20e7
Author: Guillaume Desmottes <guillaume.desmottes@collabora.co.uk>
Date: Wed Nov 9 14:32:32 2011 +0100

    gtktreeviewaccessible: use a value_destroy_func with the cell_info_by_index hash

    This ensures that we don't leak any GtkTreeViewAccessibleCellInfo when
    re-inserting a new one with the same key.

    https://bugzilla.gnome.org/show_bug.cgi?id=663694

:040000 040000 e0e8eba680839065d0846f43fbb075d67366f731 0f0e0ecb0000967d56bafec650016a69c02de07c M gtk

Not an accessibility issue, the accessibility stuff makes it just more visible. It's a filechooser refcounting bug:

==30271== Invalid read of size 8
==30271==    at 0x3227843DAC: g_file_equal (gfile.c:585)
==30271==    by 0x4DF7C23: gtk_path_bar_check_parent_path (gtkpathbar.c:1681)
==30271==    by 0x4DF81CC: _gtk_path_bar_set_file (gtkpathbar.c:1857)
==30271==    by 0x4D3D36C: update_current_folder_get_info_cb (gtkfilechooserdefault.c:7306)
==30271==    by 0x4D4A2F5: query_info_callback (gtkfilesystem.c:882)
==30271==    by 0x322787C1D9: g_simple_async_result_complete (gsimpleasyncresult.c:744)
==30271==    by 0x322787C3A1: complete_in_idle_cb_for_thread (gsimpleasyncresult.c:812)
==30271==    by 0x32264524DB: g_idle_dispatch (gmain.c:4632)
==30271==    by 0x322644FDB1: g_main_dispatch (gmain.c:2513)
==30271==    by 0x3226450A72: g_main_context_dispatch (gmain.c:3050)
==30271==    by 0x3226450C55: g_main_context_iterate (gmain.c:3121)
==30271==    by 0x322645107E: g_main_loop_run (gmain.c:3315)
==30271==  Address 0x15c34f70 is 0 bytes inside a block of size 32 free'd
==30271==    at 0x4A0662E: free (vg_replace_malloc.c:366)
==30271==    by 0x322645800A: standard_free (gmem.c:98)
==30271==    by 0x32264581CD: g_free (gmem.c:252)
==30271==    by 0x322646FB6F: g_slice_free1 (gslice.c:1111)
==30271==    by 0x3226C2E4E0: g_type_free_instance (gtype.c:1937)
==30271==    by 0x3226C196B7: g_object_unref (gobject.c:2759)
==30271==    by 0x3226471BC4: g_slist_foreach (gslist.c:840)
==30271==    by 0x4D30B91: pending_select_files_free (gtkfilechooserdefault.c:823)
==30271==    by 0x4D3BCC6: pending_select_files_process (gtkfilechooserdefault.c:6564)
==30271==    by 0x4D3BEBE: browse_files_model_finished_loading_cb (gtkfilechooserdefault.c:6640)
==30271==    by 0x3226C1285A: g_cclosure_marshal_VOID__POINTER (gmarshal.c:609)
==30271==    by 0x3226C0FEE5: g_closure_invoke (gclosure.c:774)
==30271==

I have segfaults with audacious (git) and gtk+3.2.2 (with and w/o 512ac214c68d7806bfab05f5311007169892d914). I can provide gdb's backtrace and valgrind log for crash, if you need it.
Fixed in gtk-3-2 and master:

commit aca43f43be3886f1a0befda0178ebb94ea2cf7b1
Author: Benjamin Otte <otte@redhat.com>
Date: Tue Nov 29 20:39:21 2011 +0100

    filechooserdefault: Don't unref value twice gtk-3-2

    Double unref was introduced in eb02dacb370e8b4e6ef62328d0c09673b1234b32

fwiw, here's the lifetime of the object that was unreffed once too often. If you want to, you can go find where:

1 --> gtk_file_system_model_got_files
2 --> add_file
1 <-- gtk_file_system_model_got_files
2 --> g_simple_async_result_new
1 <-- g_simple_async_result_finalize
2 --> g_value_set_object
3 --> g_value_object_copy_value
4 --> g_value_object_lcopy_value
3 <-- g_value_object_free_value
4 --> gtk_file_chooser_default_get_preview_file
3 <-- gtk_file_chooser_get_preview_filename
4 --> g_value_object_copy_value
5 --> g_value_object_lcopy_value
4 <-- g_value_object_free_value
3 <-- selection_check_foreach_cb
4 --> g_value_object_copy_value
5 --> g_value_object_lcopy_value
4 <-- g_value_object_free_value
3 <-- bookmarks_check_add_sensitivity
4 --> g_value_object_copy_value
5 --> g_value_object_lcopy_value
4 <-- g_value_object_free_value
5 --> gtk_file_chooser_default_update_current_folder
4 <-- gtk_file_system_model_finalize
3 <-- g_value_object_free_value
2 <-- check_preview_change
3 --> gtk_file_chooser_default_update_current_folder
4 --> _gtk_file_system_get_info
5 --> g_simple_async_result_new
4 <-- gtk_file_chooser_default_update_current_folder
3 <-- list_row_activated
2 <-- list_row_activated
3 --> _gtk_path_bar_set_file
4 --> _gtk_file_system_get_info
5 --> g_simple_async_result_new
6 --> update_current_folder_get_info_cb
7 --> shortcuts_insert_file
8 --> _gtk_file_system_get_info
9 --> g_simple_async_result_new
10 --> shortcuts_insert_file
11 --> _gtk_file_chooser_entry_set_base_folder
12 --> gtk_file_system_model_set_directory
13 --> g_simple_async_result_new
14 --> g_value_object_collect_value
15 --> g_value_object_copy_value
16 --> g_file_enumerator_set_property
15 <-- g_value_object_free_value
14 <-- g_value_object_free_value
15 --> gtk_file_chooser_default_get_current_folder
14 <-- gtk_file_chooser_get_current_folder_uri
13 <-- update_current_folder_get_info_cb
12 <-- free_async_data
11 <-- g_simple_async_result_finalize
12 --> make_directory_button
11 <-- gtk_path_bar_get_info_callback
10 <-- free_async_data
9 <-- g_simple_async_result_finalize
8 <-- get_file_info_finished
7 <-- free_async_data
6 <-- g_simple_async_result_finalize
5 <-- g_simple_async_result_finalize
4 <-- g_file_enumerator_dispose
3 <-- gtk_file_system_model_finalize
2 <-- gtk_file_chooser_entry_finalize
3 --> _gtk_file_chooser_entry_set_base_folder
2 <-- gtk_file_chooser_entry_finalize
3 --> _gtk_file_chooser_entry_set_base_folder
2 <-- gtk_file_chooser_entry_finalize
3 --> _gtk_file_chooser_entry_set_base_folder
2 <-- update_current_folder_get_info_cb
1 <-- shortcuts_free_row_data
0 <-- _gtk_file_chooser_entry_set_base_folder

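A lifetime trace in the layout of the comment above can be checked mechanically. The following is an added example, not part of the original comment or of GTK: it replays such a trace, assuming `-->` is a ref, `<--` an unref and the number is the count after that operation, and reports count jumps, entries logged after the count reached 0, and functions that drop more refs than they take. The sample trace and its function names are constructed.

```python
import re
from collections import Counter

# Constructed sample in the "<count> <arrow> <function>" layout of the
# trace above; the function names are hypothetical.
SAMPLE = """
1 --> model_got_files
2 --> add_file
1 <-- model_got_files
2 --> async_result_new
3 --> path_bar_set_file
2 <-- async_result_finalize
1 <-- pending_files_free
0 <-- pending_files_free
1 --> path_bar_check_parent
"""

ENTRY = re.compile(r"(\d+)\s+(-->|<--)\s+(\S+)")

def replay(trace):
    """Replay a ref/unref log and return (peak, balance, anomalies).

    Assumption: "-->" is a ref, "<--" an unref, and the number is the
    reference count after that operation.
    """
    count = peak = 0
    freed = False
    balance = Counter()   # net refs taken (+) or dropped (-) per function
    anomalies = []        # (entry number, function, reason)
    for idx, (n, arrow, func) in enumerate(ENTRY.findall(trace), 1):
        if freed:  # the object is gone: any further entry is a stale user
            anomalies.append((idx, func, "logged after count reached 0"))
            continue
        delta = 1 if arrow == "-->" else -1
        if int(n) != count + delta:
            anomalies.append((idx, func, f"count {n}, expected {count + delta}"))
        balance[func] += delta
        count = int(n)
        peak = max(peak, count)
        freed = count == 0
    return peak, dict(balance), anomalies

def net_releasers(balance):
    """Functions that dropped more refs than they took, largest deficit first."""
    return sorted((f for f, b in balance.items() if b < 0), key=balance.get)

if __name__ == "__main__":
    peak, balance, anomalies = replay(SAMPLE)
    print("peak:", peak, "net releasers:", net_releasers(balance))
    print("anomalies:", anomalies)
```

A net-negative function is only a lead for review: handing a reference from one function to another is normal, so each deficit still has to be matched against the ownership rules of the code.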
*** Bug 664605 has been marked as a duplicate of this bug. ***
*** Bug 664481 has been marked as a duplicate of this bug. ***
*** Bug 654200 has been marked as a duplicate of this bug. ***
*** Bug 655442 has been marked as a duplicate of this bug. ***
*** Bug 655506 has been marked as a duplicate of this bug. ***
*** Bug 653606 has been marked as a duplicate of this bug. ***