Bug 763893 – Shortcuts window crash after dispose

After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.

Bug 763893 - Shortcuts window crash after dispose


Summary:	Shortcuts window crash after dispose


Status:	RESOLVED OBSOLETE

Product:	gtk+
Classification:	Platform
Component:	Widget: Other
Version:	3.22.x
Hardware:	Other Linux

Importance:	Normal normal
Target Milestone:	---
Assigned To:	gtk-bugs
QA Contact:	gtk-bugs

URL:
Whiteboard:

Depends on:
Blocks:

Reported:	2016-03-18 19:14 UTC by Carlos Garnacho
Modified:	2018-05-02 16:59 UTC

See Also:
GNOME target:	---
GNOME version:	---

Attachments
GtkShortcutsWindow: ensure the main box is destroyed (1.40 KB, patch) 2016-03-18 19:14 UTC, Carlos Garnacho	none	Details \| Review

Description Carlos Garnacho 2016-03-18 19:14:04 UTC

Seemingly unrelated steps to reproduce:
1) Launch gtk3-demo
2) Open "Shortcuts Window" demo
3) Select one with several pages, "Gedit" for example
4) Swipe with the touchscreen to the next page
5) Close the window, hitting esc or alt-f4
6) Crash

The backtrace is:

(gdb) bt

+ Trace 236094

#0 gtk_widget_accessible_get_parent
at a11y/gtkwidgetaccessible.c line 185
#1 append_cache_item
at cache-adaptor.c line 137
#2 g_hash_table_foreach
at ghash.c line 1608
#3 spi_cache_foreach
at accessible-cache.c line 417
#4 impl_GetItems
at cache-adaptor.c line 326
#5 handle_message
at droute.c line 553
#6 handle_message
at droute.c line 600
#7 _dbus_object_tree_dispatch_and_unlock
at ../../dbus/dbus-object-tree.c line 1020
#8 dbus_connection_dispatch
at ../../dbus/dbus-connection.c line 4744
#9 message_queue_dispatch
#10 g_main_context_dispatch
at gmain.c line 3154
#11 g_main_context_dispatch
at gmain.c line 3769
#12 g_main_context_iterate
at gmain.c line 3840
#13 g_main_context_iteration
at gmain.c line 3901
#14 g_application_run
at gapplication.c line 2381
#15 main
at main.c line 1180


Further checks on valgrind show the following errors:

==15779== Invalid read of size 8
==15779==    at 0x4EE46C4: gtk_widget_accessible_get_parent (gtkwidgetaccessible.c:185)
==15779==    by 0x5E79254: ??? (in /usr/lib64/libatk-bridge-2.0.so.0.0.0)
==15779==    by 0x98BDDCF: g_hash_table_foreach (in /usr/lib64/libglib-2.0.so.0.4706.0)
==15779==    by 0x5E797EF: ??? (in /usr/lib64/libatk-bridge-2.0.so.0.0.0)
==15779==    by 0x5E769E7: ??? (in /usr/lib64/libatk-bridge-2.0.so.0.0.0)
==15779==    by 0xAD3B723: ??? (in /usr/lib64/libdbus-1.so.3.15.0)
==15779==    by 0xAD2CCB3: dbus_connection_dispatch (in /usr/lib64/libdbus-1.so.3.15.0)
==15779==    by 0xAAF5644: ??? (in /usr/lib64/libatspi.so.0.0.1)
==15779==    by 0x98CE8C2: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.4706.0)
==15779==    by 0x98CEC6F: ??? (in /usr/lib64/libglib-2.0.so.0.4706.0)
==15779==    by 0x98CED1B: g_main_context_iteration (in /usr/lib64/libglib-2.0.so.0.4706.0)
==15779==    by 0x6782D6C: g_application_run (in /usr/lib64/libgio-2.0.so.0.4706.0)
==15779==    by 0x416C27: main (main.c:1180)
==15779==  Address 0x19246630 is 752 bytes inside a block of size 816 free'd
==15779==    at 0x4C2CD5A: free (vg_replace_malloc.c:530)
==15779==    by 0x98D40FD: g_free (in /usr/lib64/libglib-2.0.so.0.4706.0)
==15779==    by 0x98EB66F: g_slice_free1 (in /usr/lib64/libglib-2.0.so.0.4706.0)
==15779==    by 0x9665AE6: g_type_free_instance (in /usr/lib64/libgobject-2.0.so.0.4706.0)
==15779==    by 0x507C1A3: gtk_main_do_event (gtkmain.c:1772)
==15779==    by 0x51EC5E0: send_delete_event (gtkwindow.c:1320)
==15779==    by 0x578AA9A: gdk_threads_dispatch (gdk.c:720)
==15779==    by 0x98CE8C2: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.4706.0)
==15779==    by 0x98CEC6F: ??? (in /usr/lib64/libglib-2.0.so.0.4706.0)
==15779==    by 0x98CED1B: g_main_context_iteration (in /usr/lib64/libglib-2.0.so.0.4706.0)
==15779==    by 0x6782D6C: g_application_run (in /usr/lib64/libgio-2.0.so.0.4706.0)
==15779==    by 0x416C27: main (main.c:1180)
==15779==  Block was alloc'd at
==15779==    at 0x4C2BBAD: malloc (vg_replace_malloc.c:299)
==15779==    by 0x98D3FE8: g_malloc (in /usr/lib64/libglib-2.0.so.0.4706.0)
==15779==    by 0x98EAF62: g_slice_alloc (in /usr/lib64/libglib-2.0.so.0.4706.0)
==15779==    by 0x98EB58D: g_slice_alloc0 (in /usr/lib64/libglib-2.0.so.0.4706.0)
==15779==    by 0x96657CC: g_type_create_instance (in /usr/lib64/libgobject-2.0.so.0.4706.0)
==15779==    by 0x96469EA: ??? (in /usr/lib64/libgobject-2.0.so.0.4706.0)
==15779==    by 0x964843C: g_object_newv (in /usr/lib64/libgobject-2.0.so.0.4706.0)
==15779==    by 0x4F693C1: _gtk_builder_construct (gtkbuilder.c:716)
==15779==    by 0x4F6A6B4: builder_construct.isra.5 (gtkbuilderparser.c:139)
==15779==    by 0x4F6B050: parse_child (gtkbuilderparser.c:522)
==15779==    by 0x4F6B050: start_element (gtkbuilderparser.c:970)
==15779==    by 0x98D1E85: ??? (in /usr/lib64/libglib-2.0.so.0.4706.0)
==15779==    by 0x98D2F6A: g_markup_parse_context_parse (in /usr/lib64/libglib-2.0.so.0.4706.0)
==15779==    by 0x4F6C43C: _gtk_builder_parser_parse_buffer (gtkbuilderparser.c:1261)
==15779==    by 0x4F66A23: gtk_builder_add_from_resource (gtkbuilder.c:1235)
==15779==    by 0x4F69DE9: gtk_builder_new_from_resource (gtkbuilder.c:2608)
==15779==    by 0x42CBA7: show_shortcuts (shortcuts.c:19)
==15779==    by 0x96417A6: ??? (in /usr/lib64/libgobject-2.0.so.0.4706.0)
==15779==    by 0x965CD27: g_signal_emit_valist (in /usr/lib64/libgobject-2.0.so.0.4706.0)
==15779==    by 0x965D37E: g_signal_emit (in /usr/lib64/libgobject-2.0.so.0.4706.0)
==15779==    by 0x4F6FEBC: gtk_button_do_release (gtkbutton.c:1843)
==15779==    by 0x4F6FF27: gtk_real_button_released (gtkbutton.c:1961)
==15779==    by 0x96417A6: ??? (in /usr/lib64/libgobject-2.0.so.0.4706.0)
==15779==    by 0x965CD27: g_signal_emit_valist (in /usr/lib64/libgobject-2.0.so.0.4706.0)
==15779==    by 0x965D37E: g_signal_emit (in /usr/lib64/libgobject-2.0.so.0.4706.0)
==15779==    by 0x4F6F2A2: multipress_released_cb (gtkbutton.c:666)
==15779==    by 0xC946C57: ffi_call_unix64 (in /usr/lib64/libffi.so.6.0.2)
==15779==    by 0xC9466B9: ffi_call (in /usr/lib64/libffi.so.6.0.2)
==15779==    by 0x9642289: g_cclosure_marshal_generic_va (in /usr/lib64/libgobject-2.0.so.0.4706.0)
==15779==    by 0x96417A6: ??? (in /usr/lib64/libgobject-2.0.so.0.4706.0)
==15779==    by 0x965CD27: g_signal_emit_valist (in /usr/lib64/libgobject-2.0.so.0.4706.0)
==15779== 
==15779== Invalid read of size 8
==15779==    at 0x4EE46CD: gtk_widget_accessible_get_parent (gtkwidgetaccessible.c:185)
==15779==    by 0x5E79254: ??? (in /usr/lib64/libatk-bridge-2.0.so.0.0.0)
==15779==    by 0x98BDDCF: g_hash_table_foreach (in /usr/lib64/libglib-2.0.so.0.4706.0)
==15779==    by 0x5E797EF: ??? (in /usr/lib64/libatk-bridge-2.0.so.0.0.0)
==15779==    by 0x5E769E7: ??? (in /usr/lib64/libatk-bridge-2.0.so.0.0.0)
==15779==    by 0xAD3B723: ??? (in /usr/lib64/libdbus-1.so.3.15.0)
==15779==    by 0xAD2CCB3: dbus_connection_dispatch (in /usr/lib64/libdbus-1.so.3.15.0)
==15779==    by 0xAAF5644: ??? (in /usr/lib64/libatspi.so.0.0.1)
==15779==    by 0x98CE8C2: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.4706.0)
==15779==    by 0x98CEC6F: ??? (in /usr/lib64/libglib-2.0.so.0.4706.0)
==15779==    by 0x98CED1B: g_main_context_iteration (in /usr/lib64/libglib-2.0.so.0.4706.0)
==15779==    by 0x6782D6C: g_application_run (in /usr/lib64/libgio-2.0.so.0.4706.0)
==15779==    by 0x416C27: main (main.c:1180)
==15779==  Address 0xaaaaaaaaaaaaaaaa is not stack'd, malloc'd or (recently) free'd
==15779== 
==15779== 
==15779== Process terminating with default action of signal 11 (SIGSEGV)
==15779==  General Protection Fault
==15779==    at 0x4EE46CD: gtk_widget_accessible_get_parent (gtkwidgetaccessible.c:185)
...

Investigating further, it seems it's GtkShortcutsWindowPrivate->main_box the widget that a11y code is failing to get a parent from. I see the window being destroyed before this happens, and gtk_container_remove() not being actually called on it.

I'm attaching a patch that seems to fix this for me, no further crash nor valgrind complains.

Comment 1 Carlos Garnacho 2016-03-18 19:14:38 UTC

Created attachment 324299 [details] [review]
GtkShortcutsWindow: ensure the main box is destroyed

Otherwise it's left behind with a dangling pointer to its parent
widget, and may cause crashes afterwards when a11y processes pending
events.

Comment 2 Daniel Boles 2017-09-13 16:12:46 UTC

Review of attachment 324299 [details] [review]:

::: gtk/gtkshortcutswindow.c
@@ +592,3 @@
+      gtk_widget_destroy (GTK_WIDGET (priv->stack));
+      priv->stack = NULL;
+    }

seems obvious

@@ +605,1 @@
   if (priv->main_box)

Do we know why this was (A) commented-out and (B) after the chain-up?

Comment 3 GNOME Infrastructure Team 2018-05-02 16:59:48 UTC

-- GitLab Migration Automatic Message --

This bug has been migrated to GNOME's GitLab instance and has been closed from further activity.

You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.gnome.org/GNOME/gtk/issues/603.