Bug 163648

This bug affects RHEL 4 as well, need to pick up this fix for RHEL 4.

+++ This bug was initially created as a clone of Bug #153020 +++

fedora core 3

Here is the situation, the application wants its dialogs close (cancel) when the
Esc key is hit anywhere in the dialog. When the dialog closes all its children
are destroyed. Let say there is a entry in this dialog, this entry has japanese
input method on (ready to enter kana). The Esc key is hit, first the entry
process its key down handler (call im_filter_key, etc), then the application
process the key and destroy the dialog and all its children along with it. This
cause the application to crash.
I notice that if the application processes the esc key before the gtkentry
nothing bad happens.
The crash seems to happen in the function im_context_iiim_new(), in the module
im-iiim.so, when it attempts to free some memory.
Here is the stack:
#25 	0x08048cd4 	in main () at pr89720.c:38
#24 	0x00bd707e 	in gtk_main () from libgtk-x11-2.0.so.0
#23 	0x007084ef 	in g_main_loop_run () from libglib-2.0.so.0
#22 	0x00708242 	in g_main_context_acquire () from libglib-2.0.so.0
#21 	0x007067bb 	in g_main_context_dispatch () from libglib-2.0.so.0
#20 	0x00a670a2 	in gdk_event_get_graphics_expose () from libgdk-x11-2.0.so.0
#19 	0x00bd7d20 	in gtk_main_do_event () from libgtk-x11-2.0.so.0
#18 	0x00bd7b6a 	in gtk_propagate_event () from libgtk-x11-2.0.so.0
#17 	0x00ccd545 	in gtk_widget_activate () from libgtk-x11-2.0.so.0
#16 	0x007a5f5a 	in g_signal_emit () from libgobject-2.0.so.0
#15 	0x007a5913 	in g_signal_emit_valist () from libgobject-2.0.so.0
#14 	0x007a4646 	in g_signal_has_handler_pending () from libgobject-2.0.so.0	
#13 	0x0078e347 	in g_closure_invoke () from libgobject-2.0.so.0
#12 	0x0078e6b2 	in g_cclosure_new_swap () from libgobject-2.0.so.0
#11 	0x00bd9757 	in gtk_marshal_VOID__UINT_STRING () from libgtk-x11-2.0.so.0
#10 	0x00ce27cb 	in gtk_window_activate_key () from libgtk-x11-2.0.so.0
#9  	0x00cddbc7 	in gtk_window_propagate_key_event () from libgtk-x11-2.0.so.0
#8  	0x007908dc 	in g_object_unref () from libgobject-2.0.so.0
#7  	0x00b7bdb3 	in gtk_entry_set_completion () from libgtk-x11-2.0.so.0
#6  	0x007908dc 	in g_object_unref () from libgobject-2.0.so.0
#5  	0x00bbbf63 	in gtk_im_multicontext_new () from libgtk-x11-2.0.so.0
#4  	0x00bbbd3a 	in gtk_im_multicontext_new () from libgtk-x11-2.0.so.0
#3  	0x007908dc 	in g_object_unref () from libgobject-2.0.so.0
#2  	0x00137326 	in im_context_iiim_new () from im-iiim.so
#1  	0x00a411ef 	in gdk_event_free () from libgdk-x11-2.0.so.0
#0  	0x0070def1 	in g_mem_chunk_free () from libglib-2.0.so.0


Here is the console warnings:
-sh-3.00$ ./t

(t:10190): Gdk-CRITICAL **: file gdkevents.c: line 446 (gdk_event_free):
assertion `event != NULL' failed

(t:10190): Gdk-CRITICAL **: file gdkevents.c: line 446 (gdk_event_free):
assertion `event != NULL' failed

(t:10190): GLib-GObject-CRITICAL **: file gobject.c: line 1579 (g_object_unref):
assertion `G_IS_OBJECT (object)' failed
Segmentation fault

Here is the code to reproduce the bug:

----------------<---------------<-----------------<-------------
#include <gtk/gtk.h>
#include <gdk/gdkkeysyms.h>

int keydown (GtkWidget *widget, GdkEventKey *event, gpointer data) {
	GTK_WIDGET_CLASS (G_OBJECT_GET_CLASS(widget))->key_press_event (widget, event);
	if (event->keyval == GDK_Escape) {
		gtk_widget_destroy (GTK_WIDGET(data));
	}
	return 1;
}

int eventafter (GtkWidget *widget, GdkEvent *event, gpointer data) {
	if (event->type == GDK_KEY_PRESS && event->key.keyval == GDK_Escape) {
		gtk_widget_destroy (GTK_WIDGET(data));
	}
	return 0;
}

int main (int argc, char** argv) {
	GtkWidget *shellHandle, *vboxHandle, *entryHandle, *entryHandle2;
	
	gtk_init_check (&argc, &argv);
	shellHandle = gtk_window_new (GTK_WINDOW_TOPLEVEL);
	vboxHandle = gtk_vbox_new (FALSE, 8);
	entryHandle = gtk_entry_new ();
	entryHandle2 = gtk_entry_new ();
	gtk_container_add (GTK_CONTAINER (shellHandle), vboxHandle);
	gtk_container_add (GTK_CONTAINER (vboxHandle), entryHandle);
	gtk_container_add (GTK_CONTAINER (vboxHandle), entryHandle2);
	
	g_signal_connect (G_OBJECT (entryHandle), "event-after", G_CALLBACK
(eventafter), shellHandle);	
//	g_signal_connect (G_OBJECT (entryHandle), "key-press-event", G_CALLBACK
(keydown), shellHandle);
	g_signal_connect (G_OBJECT (shellHandle), "destroy", G_CALLBACK
(gtk_main_quit), NULL);
	g_signal_connect (G_OBJECT (shellHandle), "delete_event",G_CALLBACK
(gtk_main_quit), NULL);
	gtk_window_set_default_size (GTK_WINDOW (shellHandle), 280, 40);

	gtk_widget_show_all (shellHandle);
	gtk_main();
}

---------<------------------<---------------- 
just compile and run the code above, you can use event-afer or keydown, both
will cause the same segfaults, you just to have the gtkentry keypress handlers
to run first.
Put the focus in the fist entry and change the IM to japanese, make sure its on
(ctrl+space), hit esc, ka-booom.