After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.
Bug 755951 - Crash in cache_process_children_changed
Crash in cache_process_children_changed
Status: RESOLVED FIXED
Product: at-spi
Classification: Platform
Component: at-spi2-core
unspecified
Other Linux
: Normal normal
: ---
Assigned To: At-spi maintainer(s)
At-spi maintainer(s)
Depends on:
Blocks:
 
 
Reported: 2015-10-01 16:46 UTC by Owen Taylor
Modified: 2015-10-24 23:45 UTC
See Also:
GNOME target: ---
GNOME version: ---

Attachments
Don't crash if we get a object:children-changed event with a non-existent child (977 bytes, patch)
2015-10-01 16:47 UTC, Owen Taylor 		committed Details | Review
Fix reversed check for NULL child (878 bytes, patch)
2015-10-23 07:44 UTC, Owen Taylor 		committed Details | Review

Description Owen Taylor 2015-10-01 16:46:07 UTC 
With at-spi2-core-2.18.0 we're seeing frequent crashes in  cache_process_children_changed, for example:

https://retrace.fedoraproject.org/faf/problems/bthash/?bth=98f2f3c4cd4fc1808a7f0058c7b05f25c0ff846c

I don't have any information on how to reproduce the crash.

If I look at: https://git.gnome.org/browse/at-spi2-core/commit/?id=b2c8c4c7230742b683db3d69a608950fede76b6c 

   -    event->source->children = g_list_remove (event->source->children, child);
   +    g_ptr_array_remove (event->source->children, child);
>>>     if (child == child->parent.app->root)
          g_object_run_dispose (G_OBJECT (child->parent.app));
   -    g_object_unref (child);

With the crash occurring on the line marked >>>, so my first thought that this was a change in the unref ordering, since g_object_unref() is now *implicit* in the g_ptr_array_remove call.

*BUT* another references to child should be held by event->any_data, so I actually don't think that this is the problem.

My better guess is that if we get a object:children-changed:remove signal where the path for the child doesn't match any child for the application, then child will be NULL, and we'll also crash on this line. I don't immediately see how this would have regressed in 2.18, however. I'll attach a patch fixing that case, which hopefully is at least safe.
Comment 1 Owen Taylor 2015-10-01 16:47:10 UTC 
Created attachment 312512 [details] [review]
Don't crash if we get a object:children-changed event with a non-existent child

If we get a :children-changed event with the path for the child not matching
any accessible in the application, event->any_data would end up with a NULL
child, triggering a crash.
Comment 2 Mike Gorse 2015-10-13 00:58:54 UTC 
Comment on attachment 312512 [details] [review]
Don't crash if we get a object:children-changed event with a non-existent child

Thanks for the patch. I'm not really sure of the underlying reason for this to happen, but your patch shouldn't do any harm and looks like it'll improve things.

master: a614d4
gnome-3-18: d8ba98
Comment 3 Owen Taylor 2015-10-23 07:39:33 UTC 
Ugh, I got the test backwards :-( - leaving the crash and presumably also breaking functionality.
Comment 4 Owen Taylor 2015-10-23 07:44:27 UTC 
Created attachment 313912 [details] [review]
Fix reversed check for NULL child

The check for an unknown child path resulting in a NULL child
added in a614d447f was backwards.
Comment 5 Mike Gorse 2015-10-24 23:44:40 UTC 
Comment on attachment 313912 [details] [review]
Fix reversed check for NULL child

Thanks. Good cache. I should have noticed the lack of an !...

master: 09a604
gnome-3-18: 9851e0