Bug 1444405

Unfortunately no debug symbols there, neither line numbers, which is a pita, but anyway. Below is the crashing thread. There is also eti_dispose(), like in bug #1270015, but this one is different object, this is in gal-a11y-e-table-item.c, according to the call of free_columns(), which is done there, not in e-table-item.c. The two use the same eti_dispose(), which makes the confusion, especially when there are no debug symbols.

I am not able to reproduce this myself, but we try to find the cause.

Thread 1 (Thread 0x7f2c8ea6ea80 (LWP 26455)):
#0  0x00007f2c84b56e8b in atk_gobject_accessible_dispose () from /lib64/libatk-1.0.so.0
#1  0x00007f2c839c878f in weak_refs_notify () from /lib64/libgobject-2.0.so.0
#2  0x00007f2c839c9602 in g_object_unref () from /lib64/libgobject-2.0.so.0
#3  0x00007f2c8e3e3e39 in free_columns () from /usr/lib64/evolution/libevolution-util.so
#4  0x00007f2c8e3e5fc2 in eti_dispose () from /usr/lib64/evolution/libevolution-util.so
#5  0x00007f2c839c9602 in g_object_unref () from /lib64/libgobject-2.0.so.0
#6  0x00007f2c84b58c11 in atk_object_finalize () from /lib64/libatk-1.0.so.0
#7  0x00007f2c839c96f4 in g_object_unref () from /lib64/libgobject-2.0.so.0
#8  0x00007f2c7a512afd in expiry_func () from /lib64/libatk-bridge-2.0.so.0
#9  0x00007f2c836edeed in g_timeout_dispatch () from /lib64/libglib-2.0.so.0
#10 0x00007f2c836ed4c9 in g_main_context_dispatch () from /lib64/libglib-2.0.so.0
#11 0x00007f2c836ed818 in g_main_context_iterate.isra.21 () from /lib64/libglib-2.0.so.0
#12 0x00007f2c836edaea in g_main_loop_run () from /lib64/libglib-2.0.so.0
#13 0x00007f2c8525a4b5 in gtk_main () from /lib64/libgtk-3.so.0
#14 0x0000000000403de1 in main ()

I want to wait for resolution of bug #1444490, because it's likely it's the cause.

Detailed backtrace of the crash. Line numbers do not match, due to added debug prints, but it shows some other useful things.

It looks like atkgobjectaccesible expects the accessible being alive longer than the object to which it belongs. The crash happens due to atk_gobject_accessible_dispose() is being called with 'data' of already finalized object. From my debug prints:

The object is allocated here:
   etch_init: 0x54b76c0:
	   at g_type_create_instance() at gtype.c:1875
	   by g_object_new_internal() at gobject.c:1785
	   by g_object_newv() at gobject.c:1932
	   by g_object_new() at gobject.c:1623
	   by gal_a11y_e_table_column_header_new() at gal-a11y-e-table-column-header.c:305
	   by eti_ref_child() at gal-a11y-e-table-item.c:331
	   by impl_GetChildAtIndex() at accessible-adaptor.c:184
	   by handle_message() at droute.c:553
	   by _dbus_object_tree_dispatch_and_unlock()
	   by dbus_connection_dispatch()
	   by message_queue_dispatch()
	   by g_main_context_dispatch() at gmain.c:3201
	   by g_main_context_iterate.isra.21() at gmain.c:3927
	   by g_main_loop_run() at gmain.c:4122
	   by gtk_main() at gtkmain.c:1313
	   by main() at main.c:682
	   by __libc_start_main()
	   by _start()

shortly after its scheduled for unref, while it has only one reference:

      spi_leasing_take: obj:0x54b76c0 refs:1 (GalA11yETableColumnHeader)

after a little timeout (taken by spi_leasing) the object is finally freed:

   gal_a11y_e_table_column_header_dispose: 0x54b76c0:
	   at g_object_unref() at gobject.c:3149
	   by expiry_func() at accessible-leasing.c:123
	   by g_timeout_dispatch() at gmain.c:4672
	   by g_main_context_dispatch() at gmain.c:3201
	   by g_main_context_iterate.isra.21() at gmain.c:3927
	   by g_main_loop_run() at gmain.c:4122
	   by gtk_main() at gtkmain.c:1313
	   by main() at main.c:682
	   by __libc_start_main()
	   by _start()

  atk_gobject_accessible_real_dispose: atk-obj:0x54b76c0
     gal_a11y_e_table_column_header_finalize: 0x54b76c0:
  atk_gobject_accessible_real_finalize: atk-obj:0x54b76c0

and then there is called:

free_columns: unreffing 0x498c880
   atk_gobject_accessible_dispose: atk-obj:0x54b76c0

For this already freed object (0x54b76c0).

Program received signal SIGSEGV, Segmentation fault.
0x00007f3e4792bf74 in g_type_check_instance_is_a (type_instance=type_instance@entry=0x54b76c0, iface_type=<optimized out>) at gtype.c:4012
4012	  check = node && node->is_instantiatable && iface && type_node_conforms_to_U (node, iface, TRUE, FALSE);
Missing separate debuginfos, use: debuginfo-install evolution-3.22.6-8.el7.x86_64
#0  0x00007f3e4792bf74 in g_type_check_instance_is_a (type_instance=type_instance@entry=0x54b76c0, iface_type=<optimized out>) at gtype.c:4012
#1  0x00007f3e48a9c087 in atk_gobject_accessible_dispose (data=0x54b76c0) at atkgobjectaccessible.c:162
#2  0x00007f3e4790d78f in weak_refs_notify (data=0x674f7e0) at gobject.c:2638
#3  0x00007f3e523173f6 in etc_dispose (object=0x498c880 [ETableCol]) at e-table-col.c:75
#4  0x00007f3e4790e602 in g_object_unref (_object=0x498c880) at gobject.c:3148
#5  0x00007f3e523938ae in free_columns (columns=0x4d30f50) at gal-a11y-e-table-item.c:85
#6  0x00007f3e52394199 in eti_dispose (object=0x4d2f8b0 [GalA11yETableItem]) at gal-a11y-e-table-item.c:289
#7  0x00007f3e4790e602 in g_object_unref (_object=0x4d2f8b0) at gobject.c:3148
#8  0x00007f3e48a9de01 in atk_object_finalize (object=0x4cb8110 [GalA11yETableColumnHeader]) at atkobject.c:1408
#9  0x00007f3e52392c07 in gal_a11y_e_table_column_header_finalize (object=0x4cb8110 [GalA11yETableColumnHeader]) at gal-a11y-e-table-column-header.c:108
#10 0x00007f3e4790e6f4 in g_object_unref (_object=0x4cb8110) at gobject.c:3185
#11 0x00007f3e3e210c1d in expiry_func (data=data@entry=0x1a3e290) at accessible-leasing.c:122
#12 0x00007f3e47632eed in g_timeout_dispatch (source=0x58c3e80, callback=0x7f3e3e210bc0 <expiry_func>, user_data=0x1a3e290) at gmain.c:4672
#13 0x00007f3e476324c9 in g_main_context_dispatch (context=0x1a19630) at gmain.c:3201
#14 0x00007f3e476324c9 in g_main_context_dispatch (context=context@entry=0x1a19630) at gmain.c:3854
#15 0x00007f3e47632818 in g_main_context_iterate (context=0x1a19630, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at gmain.c:3927
#16 0x00007f3e47632aea in g_main_loop_run (loop=0x4750680) at gmain.c:4123
#17 0x00007f3e4919f4b5 in gtk_main () at gtkmain.c:1312
#18 0x00000000004042a5 in main (argc=1, argv=0x7fff090c22b8) at main.c:679

I'm moving this to atk, because it's the place where the crash happens and which is responsible for the crash. The thing is that atk_gobject_accessible_dispose() is a weak-ref callback, not a real GObjectClass::dispose() implementation and as shown in comment #3, the callback can be called after the underlying object is freed, causing this use-after-free crash.

Created attachment 1273871 [details]
atk patch

This change fixed the issue for me.

Using this, and both changes from bug #1444490, make the dnd_picture test pass successfully.

Filled upstream as:
https://bugzilla.gnome.org/show_bug.cgi?id=781715

Added a patch comment upstream.

Hi Milan,
can you please make a devel_ack for this? Scratch build you provided to me fixes this issue but was still not officially released in brew.
Thanks

Upstream patch had been accepted, I'm building atk with it included now.

*** Bug 1270015 has been marked as a duplicate of this bug. ***

No longer reproducible.

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2100