GNOME Bugzilla – Bug 671419
Crash when Printing gtk3-demo
Last modified: 2012-03-13 07:31:19 UTC
Moving this from a downstream bug report which was initially reported under evolution: https://bugzilla.redhat.com/show_bug.cgi?id=799970

I'm able to reproduce this under the gtk3-demo Printing demo too, if I:
a) make sure gtk+ is configured and compiled with --enable-colord=yes (config.h should have defined HAVE_COLORD 1)
b) run gtk3-demo under valgrind, like this:
   $ valgrind $PREFIX/bin/gtk3-demo
c) choose the "Printing" demo, but as soon as the dialog opens click on Print preview, thus the dialog will be closed.

Valgrind makes the dialog slow enough for me that the issue with accessing already freed memory is reproducible here. Without valgrind I'm not able to reproduce this.

I have compiled gtk+ git master at commit e9944eb, which crashes under valgrind as:

==2361== Invalid read of size 8
==2361==    at 0xEB2878E: cd_client_get_connected (in /usr/lib64/libcolord.so.1.0.7)
==2361==    by 0xE8EC102: colord_update_device (gtkprintercups.c:442)
==2361==    by 0xE8EC288: colord_client_connect_cb (gtkprintercups.c:497)
==2361==    by 0x5893219: g_simple_async_result_complete (gsimpleasyncresult.c:744)
==2361==    by 0x5893265: complete_in_idle_cb (gsimpleasyncresult.c:756)
==2361==    by 0x62548D0: g_idle_dispatch (gmain.c:4629)
==2361==    by 0x62521A6: g_main_dispatch (gmain.c:2510)
==2361==    by 0x6252E67: g_main_context_dispatch (gmain.c:3047)
==2361==    by 0x625304A: g_main_context_iterate (gmain.c:3118)
==2361==    by 0x6253473: g_main_loop_run (gmain.c:3312)
==2361==    by 0x4DFEB67: print_pages (gtkprintoperation.c:3071)
==2361==    by 0x4DFEF0F: gtk_print_operation_run (gtkprintoperation.c:3245)
==2361==  Address 0xaaaaaaaaaaaaaaaa is not stack'd, malloc'd or (recently) free'd
==2361==
==2361==
==2361== Process terminating with default action of signal 11 (SIGSEGV)
==2361==  General Protection Fault
==2361==    at 0xEB2878E: cd_client_get_connected (in /usr/lib64/libcolord.so.1.0.7)
==2361==    by 0xE8EC102: colord_update_device (gtkprintercups.c:442)
==2361==    by 0xE8EC288: colord_client_connect_cb (gtkprintercups.c:497)
==2361==    by 0x5893219: g_simple_async_result_complete (gsimpleasyncresult.c:744)
==2361==    by 0x5893265: complete_in_idle_cb (gsimpleasyncresult.c:756)
==2361==    by 0x62548D0: g_idle_dispatch (gmain.c:4629)
==2361==    by 0x62521A6: g_main_dispatch (gmain.c:2510)
==2361==    by 0x6252E67: g_main_context_dispatch (gmain.c:3047)
==2361==    by 0x625304A: g_main_context_iterate (gmain.c:3118)
==2361==    by 0x6253473: g_main_loop_run (gmain.c:3312)
==2361==    by 0x4DFEB67: print_pages (gtkprintoperation.c:3071)
==2361==    by 0x4DFEF0F: gtk_print_operation_run (gtkprintoperation.c:3245)

And the downstream reporter has this backtrace:
+ Trace 229815
Thread 1 (Thread 0xb77a98c0 (LWP 3267))
Hi, the problem here is that the callback given to the function colord_client_connect() is called even if the GCancellable passed to the same function is set to cancel. The data passed to the callback is already finalized and this is the reason for the crash.

I see 3 possible scenarios:
1) Since the cancellable was triggered the callback should not be called and therefore there has to be a bug in colord.
or
2) We have to g_object_ref() the data passed to all colord's callbacks and g_object_unref() them in those callbacks because they are always called.
or
3) Check the result of cd_*_finish() before any use of the given data.

Richard, could you decide what is the right approach here? (I vote for ref/unref, because some of those cd_*_finish() functions need access to the passed data and I believe that 1) is not true)

Thank you
Marek
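The race described above, written out as a small C program that is an added illustration and not code from GTK+, colord, or the attached patch. Real GLib types are replaced by test doubles: FakeDevice stands in for the GObject handed to the callback (finalizing sets a flag instead of freeing, so a use-after-finalize is reported rather than crashing), FakeCancellable stands in for GCancellable, and fake_client_connect()/fake_main_loop_dispatch() stand in for the colord async call whose completion is dispatched from the main loop even after cancellation, with the cancellation only visible through the result the finish step reports. The two callbacks show the borrowed-pointer pattern and the ref/unref-plus-check-result pattern (scenarios 2 and 3 combined); all names are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Test double for a GObject. Finalizing only sets a flag (a real finalizer
 * would free() here), so touching a finalized object is detectable. */
typedef struct {
    int refcount;
    bool finalized;
} FakeDevice;

static FakeDevice *fake_device_new(void)
{
    FakeDevice *d = calloc(1, sizeof *d);
    if (!d)
        abort();
    d->refcount = 1;
    return d;
}

static FakeDevice *fake_device_ref(FakeDevice *d) { d->refcount++; return d; }

static void fake_device_unref(FakeDevice *d)
{
    if (--d->refcount == 0)
        d->finalized = true;
}

/* Test double for GCancellable. */
typedef struct { bool cancelled; } FakeCancellable;

/* Test double for the colord async API as the bug describes it: the callback
 * is always dispatched; cancellation shows up only as ok == false. */
typedef void (*ConnectCallback)(bool ok, void *user_data);

typedef struct {
    FakeCancellable *cancellable;
    ConnectCallback callback;
    void *user_data;
    bool pending;
} FakeAsyncOp;

static void fake_client_connect(FakeAsyncOp *op, FakeCancellable *c,
                                ConnectCallback cb, void *user_data)
{
    op->cancellable = c;
    op->callback = cb;
    op->user_data = user_data;
    op->pending = true;
}

/* The main loop delivering the completion from an idle source. */
static void fake_main_loop_dispatch(FakeAsyncOp *op)
{
    if (!op->pending)
        return;
    op->pending = false;
    op->callback(!op->cancellable->cancelled, op->user_data);
}

typedef enum {
    CB_NOT_RUN,
    CB_USED_LIVE_OBJECT,
    CB_USED_FINALIZED_OBJECT,   /* the colord_update_device() crash */
    CB_SKIPPED_ON_ERROR
} CallbackOutcome;

static CallbackOutcome outcome;
static bool last_object_released;   /* true if the fix leaked no reference */

/* Before: user_data is a borrowed pointer, used without checking the result. */
static void borrowed_connect_cb(bool ok, void *user_data)
{
    FakeDevice *d = user_data;
    (void)ok;
    outcome = d->finalized ? CB_USED_FINALIZED_OBJECT : CB_USED_LIVE_OBJECT;
}

/* After: the caller passed an owned reference; check the result first and
 * drop that reference on every path out of the callback. */
static void owned_connect_cb(bool ok, void *user_data)
{
    FakeDevice *d = user_data;
    if (!ok)
        outcome = CB_SKIPPED_ON_ERROR;
    else
        outcome = d->finalized ? CB_USED_FINALIZED_OBJECT : CB_USED_LIVE_OBJECT;
    fake_device_unref(d);
}

/* Start the connect, close the dialog (cancel + drop the dialog's reference),
 * then let the main loop deliver the completion anyway. */
static CallbackOutcome run_scenario(bool take_ref_for_callback)
{
    FakeDevice *d = fake_device_new();
    FakeCancellable cancellable = { false };
    FakeAsyncOp op;

    outcome = CB_NOT_RUN;
    if (take_ref_for_callback)
        fake_client_connect(&op, &cancellable, owned_connect_cb, fake_device_ref(d));
    else
        fake_client_connect(&op, &cancellable, borrowed_connect_cb, d);

    cancellable.cancelled = true;   /* dialog closed before connect finished */
    fake_device_unref(d);           /* dialog drops its own reference */
    fake_main_loop_dispatch(&op);   /* colord still completes the call */

    last_object_released = d->finalized;
    free(d);                        /* storage released only now, see above */
    return outcome;
}

int main(void)
{
    printf("borrowed pointer: outcome=%d\n", run_scenario(false));
    printf("owned reference:  outcome=%d released=%d\n",
           run_scenario(true), last_object_released);
    return 0;
}
```

The borrowed-pointer path reaches CB_USED_FINALIZED_OBJECT, which is the valgrind "Invalid read" above; the owned-reference path reports CB_SKIPPED_ON_ERROR and still ends with the object finalized, so the extra reference does not leak when the operation is cancelled.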
Created attachment 209265 [details] [review] ref passed data
The patch works for me, the gtk3-demo doesn't crash under valgrind. I think part of the issue on my machine is that I have installed a printer which is missing drivers, and thus colord is left stuck till I close the printing dialog, which makes the call cancelled. I think so, because I waited for a longer time and a new runtime warning was shown on the console:

> ** WARNING **: failed to get find a colord device: Failed to FindDeviceById:
> Timeout was reached

after which I can close the printing dialog without a crash even without the patch being applied. But I'm not that patient usually :)
(In reply to comment #3)
> failed to get find a colord device: Failed to FindDeviceById: Timeout was reached

Hmm, this looks odd indeed. This method should return straight away as it's trivial from a colord point of view. Could you please try running (as root):

killall colord
/usr/libexec/colord --verbose
systemctl restart cups.service

Then try again to reproduce the bug with the print dialog. Then please attach *all* of the colord output; something fishy is going on.

Thanks,

Richard.
(In reply to comment #4)
> killall colord
> /usr/libexec/colord --verbose
> systemctl restart cups.service

If I do the above then I do not get the timeout issue, but I still can crash gtk3-demo Printing, if I cancel the dialog soon enough (without the patch).
(In reply to comment #5)
> If I do the above then I do not get the timeout issue, but I still can crash
> gtk3-demo Printing, if I cancel the dialog soon enough (without the patch).

Yes, I can reproduce this too, if I do "enter,escape,enter,escape,enter,escape" in quick succession for a few seconds. Your patch makes sense, please push to git master.

Thanks,

Richard.
Pushed to master.
*** Bug 671959 has been marked as a duplicate of this bug. ***