Bug 671419 - Crash when Printing gtk3-demo
Status: RESOLVED FIXED
Product: gtk+
Classification: Platform
Component: Printing
Version: 3.3.x
OS: Other Linux
Importance: Normal critical
Target Milestone: ---
Assigned To: gtk-bugs
QA Contact: gtk-bugs
Duplicates: 671959
Depends on:
Blocks:
Reported: 2012-03-05 22:13 UTC by Milan Crha
Modified: 2012-03-13 07:31 UTC
See Also:
GNOME target: ---
GNOME version: ---

Attachments
ref passed data (2.81 KB, patch) - 2012-03-08 17:07 UTC, Marek Kašík - committed

Description Milan Crha 2012-03-05 22:13:46 UTC
Moving this from a downstream bug report which was initially reported under evolution:
https://bugzilla.redhat.com/show_bug.cgi?id=799970

I'm able to reproduce this under the gtk3-demo Printing demo too, if I:
a) make sure you have gtk+ configured and compiled with --enable-colord=yes
   (config.h should have defined HAVE_COLORD 1)
b) run gtk3-demo under valgrind, like this:
   $ valgrind $PREFIX/bin/gtk3-demo
c) choose the "Printing" demo, but as soon as the dialog opens click
   on Print preview, thus the dialog will be closed. Valgrind makes
   the dialog slow enough for me that the issue with accessing already
   freed memory is reproducible here. Without valgrind I'm not able
   to reproduce this.

I have compiled gtk+ git master at commit e9944eb, which crashes under valgrind as:

==2361== Invalid read of size 8
==2361==    at 0xEB2878E: cd_client_get_connected (in /usr/lib64/libcolord.so.1.0.7)
==2361==    by 0xE8EC102: colord_update_device (gtkprintercups.c:442)
==2361==    by 0xE8EC288: colord_client_connect_cb (gtkprintercups.c:497)
==2361==    by 0x5893219: g_simple_async_result_complete (gsimpleasyncresult.c:744)
==2361==    by 0x5893265: complete_in_idle_cb (gsimpleasyncresult.c:756)
==2361==    by 0x62548D0: g_idle_dispatch (gmain.c:4629)
==2361==    by 0x62521A6: g_main_dispatch (gmain.c:2510)
==2361==    by 0x6252E67: g_main_context_dispatch (gmain.c:3047)
==2361==    by 0x625304A: g_main_context_iterate (gmain.c:3118)
==2361==    by 0x6253473: g_main_loop_run (gmain.c:3312)
==2361==    by 0x4DFEB67: print_pages (gtkprintoperation.c:3071)
==2361==    by 0x4DFEF0F: gtk_print_operation_run (gtkprintoperation.c:3245)
==2361==  Address 0xaaaaaaaaaaaaaaaa is not stack'd, malloc'd or (recently) free'd
==2361== 
==2361== 
==2361== Process terminating with default action of signal 11 (SIGSEGV)
==2361==  General Protection Fault
==2361==    at 0xEB2878E: cd_client_get_connected (in /usr/lib64/libcolord.so.1.0.7)
==2361==    by 0xE8EC102: colord_update_device (gtkprintercups.c:442)
==2361==    by 0xE8EC288: colord_client_connect_cb (gtkprintercups.c:497)
==2361==    by 0x5893219: g_simple_async_result_complete (gsimpleasyncresult.c:744)
==2361==    by 0x5893265: complete_in_idle_cb (gsimpleasyncresult.c:756)
==2361==    by 0x62548D0: g_idle_dispatch (gmain.c:4629)
==2361==    by 0x62521A6: g_main_dispatch (gmain.c:2510)
==2361==    by 0x6252E67: g_main_context_dispatch (gmain.c:3047)
==2361==    by 0x625304A: g_main_context_iterate (gmain.c:3118)
==2361==    by 0x6253473: g_main_loop_run (gmain.c:3312)
==2361==    by 0x4DFEB67: print_pages (gtkprintoperation.c:3071)
==2361==    by 0x4DFEF0F: gtk_print_operation_run (gtkprintoperation.c:3245)

And the downstream reporter has this backtrace:

Thread 1 (Thread 0xb77a98c0 (LWP 3267))

  • #0 __kernel_vsyscall
  • #1 __GI_raise
    at ../nptl/sysdeps/unix/sysv/linux/raise.c line 64
  • #2 __GI_abort
    at abort.c line 91
  • #3 __libc_message
    at ../sysdeps/unix/sysv/linux/libc_fatal.c line 198
  • #4 malloc_printerr
  • #5 _int_free
    at malloc.c line 3948
  • #6 standard_free
    at gmem.c line 98
  • #7 g_free
    at gmem.c line 252
  • #8 colord_update_ui_from_settings
    at gtkprintercups.c line 253
  • #9 colord_update_device
    at gtkprintercups.c line 476
  • #10 colord_client_connect_cb
    at gtkprintercups.c line 497
  • #11 g_simple_async_result_complete
    at gsimpleasyncresult.c line 744
  • #12 complete_in_idle_cb
    at gsimpleasyncresult.c line 756
  • #13 g_idle_dispatch
    at gmain.c line 4629
  • #14 g_main_dispatch
    at gmain.c line 2510
  • #15 g_main_context_dispatch
    at gmain.c line 3047
  • #16 g_main_context_iterate
    at gmain.c line 3118
  • #17 g_main_loop_run
    at gmain.c line 3312
  • #18 print_pages
    at gtkprintoperation.c line 3070
  • #19 gtk_print_operation_run
    at gtkprintoperation.c line 3244

Comment 1 Marek Kašík 2012-03-08 17:06:32 UTC
Hi,

the problem here is that the callback given to function colord_client_connect() is called even if the GCancellable passed to the same function is set to cancel. The data passed to the callback is already finalized and this is the reason for the crash.
I see 3 possible scenarios:

1) Since the cancellable was triggered the callback should not be called and therefore there has to be a bug in colord.

or

2) We have to g_object_ref() the data passed to all colord's callbacks and g_object_unref() them in those callbacks because they are always called.

or

3) Check result of cd_*_finish() before any use of given data.


Richard, could you decide what is the right approach here?
(I vote for ref/unref, because some of those cd_*_finish() functions need access to the passed data and I believe that 1) is not true)


Thank you

Marek
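Added example, not code from the bug report or from GTK: a self-contained C model of the lifetime problem described in comment 1 (completion callback delivered after the GCancellable fired, user data already finalized) next to the ref/unref fix of the attached patch. Printer, Cancellable, PendingOp, client_connect, connect_cb and run_scenario are stand-ins for the GObject/colord pieces named in the thread, not their real APIs.

```c
#include <string.h>

/* Stand-in for a GObject: a refcount plus a flag set when the last ref drops. Memory
 * is never released so a late access can be observed safely; real finalization frees
 * the instance, which is why valgrind reported an invalid read. */
typedef struct { int ref_count; int finalized; int connected; } Printer;
typedef struct { int cancelled; } Cancellable;

/* A queued completion, modelling the idle that GSimpleAsyncResult schedules for
 * colord_client_connect(). It runs the callback even after the cancellable fires. */
typedef struct {
    Cancellable *cancellable;
    Printer *user_data;
    int owns_ref;   /* 1 = patched variant: the callback holds its own reference */
} PendingOp;

static void printer_init(Printer *p) { memset(p, 0, sizeof *p); p->ref_count = 1; }
static Printer *printer_ref(Printer *p) { p->ref_count++; return p; }
static void printer_unref(Printer *p) { if (--p->ref_count == 0) p->finalized = 1; }

/* Model of colord_client_connect(): remember the user data and queue the completion.
 * The patched variant takes a reference here so the data outlives the dialog. */
static void client_connect(PendingOp *op, Cancellable *c, Printer *data, int own)
{
    op->cancellable = c; op->owns_ref = own;
    op->user_data = own ? printer_ref(data) : data;
}

/* Model of colord_client_connect_cb(): returns 1 if it read finalized data. */
static int connect_cb(PendingOp *op, Printer *printer)
{
    int late = printer->finalized;             /* the use-after-free in the report */
    if (!op->cancellable->cancelled) printer->connected = 1;
    if (op->owns_ref) printer_unref(printer);  /* patched: drop our reference */
    return late;
}

/* Plays the reporter's sequence: open the dialog, close it before colord answers
 * (cancel, then drop the dialog's reference), then let the main loop dispatch the
 * completion, which happens regardless of cancellation. Returns 1 on late access. */
int run_scenario(int hold_ref, Printer *printer)
{
    PendingOp op; Cancellable cancel = {0};
    printer_init(printer);
    client_connect(&op, &cancel, printer, hold_ref);
    cancel.cancelled = 1;
    printer_unref(printer);
    return connect_cb(&op, op.user_data);
}
```

With hold_ref=1 the object is still finalized, but only after the callback drops the reference it owns, so the fix neither leaks nor changes when the cancelled completion is delivered.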
Comment 2 Marek Kašík 2012-03-08 17:07:24 UTC
Created attachment 209265: ref passed data
Comment 3 Milan Crha 2012-03-09 09:22:09 UTC
The patch works for me; the gtk3-demo doesn't crash under valgrind. I think part of the issue on my machine is that I have installed a printer which is missing drivers, and thus colord is left stuck until I close the printing dialog, which makes the call cancelled. I think so because I waited for a longer time and a new runtime warning was shown on the console:
> ** WARNING **: failed to get find a colord device: Failed to FindDeviceById:
> Timeout was reached
after which I can close the printing dialog without a crash even without the patch being applied. But I'm not that patient usually :)
Comment 4 Richard Hughes 2012-03-09 10:32:43 UTC
(In reply to comment #3)
> failed to get find a colord device: Failed to FindDeviceById: Timeout was reached

Hmm, this looks odd indeed. This method should return straight away as it's trivial from a colord point of view.

Could you please try running (as root):

killall colord
/usr/libexec/colord --verbose
systemctl restart cups.service

Then try again to reproduce the bug with the print dialog. Then please attach *all* of the colord output; something fishy is going on.

Thanks,

Richard.
Comment 5 Milan Crha 2012-03-09 12:36:59 UTC
(In reply to comment #4)
> killall colord
> /usr/libexec/colord --verbose
> systemctl restart cups.service

If I do the above then I do not get the timeout issue, but I can still crash gtk3-demo Printing if I cancel the dialog soon enough (without the patch).
Comment 6 Richard Hughes 2012-03-10 09:51:16 UTC
(In reply to comment #5)
> If I do the above then I do not get the timeout issue, but I still can crash
> gtk3-demo Printing, if I cancel the dialog soon enough (without the patch).

Yes, I can reproduce this too, if I do "enter,escape,enter,escape,enter,escape" in quick succession for a few seconds.

Your patch makes sense, please push to git master.

Thanks,

Richard.
Comment 7 Marek Kašík 2012-03-12 11:37:44 UTC
Pushed to master.
Comment 8 Milan Crha 2012-03-13 07:31:19 UTC
*** Bug 671959 has been marked as a duplicate of this bug. ***