GNOME Bugzilla – Bug 750211
second search in the font chooser yields a large stack depth and crash
Last modified: 2015-06-20 20:46:02 UTC
After selecting a font from the font chooser, if I do another search, the application crashes. For instance, with GNOME Terminal, I can reproduce the bug with the following steps:

1. Start gnome-terminal.
2. Menu "Edit" → "Profile Preferences".
3. Click on the font box to make the font selector appear.
4. Search for "droid".
5. Choose "Droid Sans Mono Regular".
6. Click on "Select".
7. Click on the font box to make the font selector appear.
8. Double-click on "droid".
9. Type "de" (this replaces "droid").

When "e" is typed, GNOME Terminal crashes. This is not specific to GNOME Terminal: same problem with gedit.

Debugging shows a large stack depth: 671 frames for the crashed thread. Potentially infinite recursion? For instance, gtk_font_chooser_widget_cell_data_func is recursively called 20 times.

The full backtrace is available in my Debian bug report:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=748469#55

If need be, the font list (fc-list output) is available here:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=748469#41

Note: this is with gtk+ 3.14.5, but 3.16.3 from Debian/experimental crashes too.
I don't reproduce this. Please attach the stacktrace here.
Created attachment 304562: The stacktrace
Here's what I get with valgrind:

$ valgrind /usr/lib/gnome-terminal/gnome-terminal-server --app-id my.foo.Terminal
==4917== Memcheck, a memory error detector
==4917== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==4917== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info
==4917== Command: /usr/lib/gnome-terminal/gnome-terminal-server --app-id my.foo.Terminal
==4917==

(gnome-terminal-server:4917): GLib-GObject-WARNING **: The property GtkButton:use-stock is deprecated and shouldn't be used anymore. It will be removed in a future version.

(gnome-terminal-server:4917): GLib-GObject-WARNING **: The property GtkSettings:gtk-button-images is deprecated and shouldn't be used anymore. It will be removed in a future version.

(gnome-terminal-server:4917): GLib-GObject-WARNING **: The property GtkWidget:margin-left is deprecated and shouldn't be used anymore. It will be removed in a future version.

(gnome-terminal-server:4917): GLib-GObject-WARNING **: The property GtkAlignment:left-padding is deprecated and shouldn't be used anymore. It will be removed in a future version.
Gtk-Message: GtkDialog mapped without a transient parent. This is discouraged.

(gnome-terminal-server:4917): Gtk-CRITICAL **: gtk_tree_model_filter_get_value: assertion 'GTK_TREE_MODEL_FILTER (model)->priv->stamp == iter->stamp' failed

(gnome-terminal-server:4917): GLib-GObject-WARNING **: /build/glib2.0-NiYzoW/glib2.0-2.44.1/./gobject/gtype.c:4268: type id '0' is invalid

(gnome-terminal-server:4917): GLib-GObject-WARNING **: can't peek value table for type '<invalid>' which is not currently referenced
==4917== Invalid read of size 8
==4917==    at 0x5388BC7: gtk_tree_model_get_valist (gtktreemodel.c:1797)
==4917==    by 0x5388EE8: gtk_tree_model_get (gtktreemodel.c:1759)
==4917==    by 0x523D950: gtk_font_chooser_widget_cell_data_func (gtkfontchooserwidget.c:838)
==4917==    by 0x51A58CA: apply_cell_attributes (gtkcellarea.c:1258)
==4917==    by 0x68C61DF: g_hash_table_foreach (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4400.1)
==4917==    by 0x51A575A: gtk_cell_area_real_apply_attributes (gtkcellarea.c:1287)
==4917==    by 0x51AADEE: gtk_cell_area_box_apply_attributes (gtkcellareabox.c:1311)
==4917==    by 0x5290D6E: _gtk_marshal_VOID__OBJECT_BOXED_BOOLEAN_BOOLEANv (gtkmarshalers.c:5040)
==4917==    by 0x664A451: _g_closure_invoke_va (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4400.1)
==4917==    by 0x6663FA6: g_signal_emit_valist (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4400.1)
==4917==    by 0x66648FE: g_signal_emit (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4400.1)
==4917==    by 0x51A72E5: gtk_cell_area_apply_attributes (gtkcellarea.c:2376)
==4917==  Address 0x30 is not stack'd, malloc'd or (recently) free'd
==4917==
==4917==
==4917== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==4917==  Access not within mapped region at address 0x30
==4917==    at 0x5388BC7: gtk_tree_model_get_valist (gtktreemodel.c:1797)
==4917==    by 0x5388EE8: gtk_tree_model_get (gtktreemodel.c:1759)
==4917==    by 0x523D950: gtk_font_chooser_widget_cell_data_func (gtkfontchooserwidget.c:838)
==4917==    by 0x51A58CA: apply_cell_attributes (gtkcellarea.c:1258)
==4917==    by 0x68C61DF: g_hash_table_foreach (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4400.1)
==4917==    by 0x51A575A: gtk_cell_area_real_apply_attributes (gtkcellarea.c:1287)
==4917==    by 0x51AADEE: gtk_cell_area_box_apply_attributes (gtkcellareabox.c:1311)
==4917==    by 0x5290D6E: _gtk_marshal_VOID__OBJECT_BOXED_BOOLEAN_BOOLEANv (gtkmarshalers.c:5040)
==4917==    by 0x664A451: _g_closure_invoke_va (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4400.1)
==4917==    by 0x6663FA6: g_signal_emit_valist (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4400.1)
==4917==    by 0x66648FE: g_signal_emit (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.4400.1)
==4917==    by 0x51A72E5: gtk_cell_area_apply_attributes (gtkcellarea.c:2376)
==4917==  If you believe this happened as a result of a stack
==4917==  overflow in your program's main thread (unlikely but
==4917==  possible), you can try to increase the size of the
==4917==  main thread stack using the --main-stacksize= flag.
==4917==  The main thread stack size used in this run was 8388608.
==4917==
==4917== HEAP SUMMARY:
==4917==     in use at exit: 9,363,089 bytes in 103,209 blocks
==4917==   total heap usage: 1,066,206 allocs, 962,997 frees, 83,559,594 bytes allocated
==4917==
==4917== LEAK SUMMARY:
==4917==    definitely lost: 57,088 bytes in 83 blocks
==4917==    indirectly lost: 174,401 bytes in 7,084 blocks
==4917==      possibly lost: 443,155 bytes in 6,176 blocks
==4917==    still reachable: 7,956,597 bytes in 86,773 blocks
==4917==         suppressed: 0 bytes in 0 blocks
==4917== Rerun with --leak-check=full to see details of leaked memory
==4917==
==4917== For counts of detected and suppressed errors, rerun with: -v
==4917== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
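To illustrate the stale-iterator pattern behind the 'stamp == iter->stamp' assertion in the valgrind log above, here is an added, self-contained C analogue; it is not GTK's code and not from the report. A toy filter model bumps a stamp on every refilter and refuses iterators taken before it; the font names and the "Droid" then "De" searches are constructed sample data mirroring the reproduction steps.

```c
#include <string.h>
/* Simplified stand-in for a GtkTreeModelFilter (not GTK's code): a backing
 * array is filtered by a search string, and every refilter bumps a stamp so
 * that iterators taken before the refilter are recognised as stale. */
typedef struct {
    const char *rows[8];   /* backing "font list" (constructed sample) */
    int nrows;
    int visible[8];        /* backing indices that match the filter */
    int nvisible;
    unsigned stamp;        /* changes whenever the visible set changes */
} FilterModel;

typedef struct { unsigned stamp; int index; } Iter;   /* like GtkTreeIter */

static void refilter(FilterModel *m, const char *needle) {
    m->nvisible = 0;
    for (int i = 0; i < m->nrows; i++)
        if (strstr(m->rows[i], needle))
            m->visible[m->nvisible++] = i;
    m->stamp++;            /* invalidates every outstanding Iter */
}

static int get_iter(const FilterModel *m, int pos, Iter *it) {
    if (pos < 0 || pos >= m->nvisible) return 0;
    it->stamp = m->stamp;
    it->index = m->visible[pos];
    return 1;
}

/* Returns the row text, or NULL when the iter predates the last refilter:
 * the stamp check whose failure the Gtk-CRITICAL above reports. */
static const char *get_value(const FilterModel *m, const Iter *it) {
    if (it->stamp != m->stamp) return NULL;
    return m->rows[it->index];
}
/* Search "Droid", keep the first iter, then search "De" (the report's steps).
 * refetch == 0 uses the kept iter as-is (rejected); refetch == 1 re-obtains
 * it after the model changed (valid).  Returns 1 when behaviour matches. */
static int second_search(int refetch) {
    FilterModel m = { .rows = { "Droid Sans Mono", "DejaVu Sans", "Droid Serif" },
                      .nrows = 3, .stamp = 1 };
    Iter it;
    refilter(&m, "Droid");
    get_iter(&m, 0, &it);
    refilter(&m, "De");
    if (refetch) get_iter(&m, 0, &it);
    const char *v = get_value(&m, &it);
    return refetch ? (v != NULL && strcmp(v, "DejaVu Sans") == 0) : (v == NULL);
}
```

The point for a reviewer of the backtrace: a cell data function that caches an Iter across a refilter must treat a NULL (or, in GTK, the failed stamp assertion) as "re-fetch the iter", not continue reading through it.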
Should have been fixed by 8c6130e68a6e62980251cb19a0fbcd50505700f1