Bug 2178615

Summary: [abrt] Possible use-after-free under gtk_widget_get_settings()
Product: [Fedora] Fedora Reporter: Saravanan <saravanan.2407>
Component: gtk4Assignee: Kalev Lember <klember>
Status: CLOSED UPSTREAM QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 38CC: gnome-sig, klember, mclasen, mcrha, rhughes, schuyler.cavender, thatsfwright
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Unspecified   
URL: https://retrace.fedoraproject.org/faf/reports/bthash/c45dd25e2c48885359511b88148d7dbb4bbf42a
Whiteboard: abrt_hash:cd8187258bc80254b4b0e22c443b1d4cc8a925a1;VARIANT_ID=workstation;
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2023-03-21 06:32:03 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
File: proc_pid_status
none
File: maps
none
File: limits
none
File: environ
none
File: open_fds
none
File: mountinfo
none
File: os_info
none
File: cpuinfo
none
File: core_backtrace
none
File: exploitable
none
File: dso_list
none
File: var_log_messages
none
File: backtrace none

Description Saravanan 2023-03-15 12:35:08 UTC 
Version-Release number of selected component:
gnome-software-44~rc-1.fc38

Additional info:
reporter:       libreport-2.17.8
type:           CCpp
reason:         gnome-software killed by SIGSEGV
journald_cursor: s=dd572682c8fc4df2b628c5890775384c;i=7768;b=609eeb71469c4e0b987c14491ae0f43a;m=13057925;t=5f6ef6e03a37a;x=f6f3b1ecb8ea5edb
executable:     /usr/bin/gnome-software
cmdline:        /usr/bin/gnome-software --gapplication-service
cgroup:         0::/user.slice/user-1000.slice/user/app.slice/app-gnome-org.gnome.Software-2418.scope
rootdir:        /
uid:            1000
kernel:         6.2.6-300.fc38.x86_64
package:        gnome-software-44~rc-1.fc38
runlevel:       N 5
backtrace_rating: 4
crash_function: gtk_widget_get_settings

Truncated backtrace:
Thread no. 1 (17 frames)
 #0 gtk_widget_get_settings at ../gtk/gtkwidget.c:7160
 #1 gtk_scrolled_window_update_use_indicators at ../gtk/gtkscrolledwindow.c:3796
 #3 signal_emit_unlocked_R.isra.0 at ../gobject/gsignal.c:3802
 #7 g_object_notify_by_spec_internal at ../gobject/gobject.c:1552
 #8 g_object_notify_by_pspec at ../gobject/gobject.c:1658
 #9 g_cclosure_marshal_VOID__STRINGv at ../gobject/gmarshal.c:1462
 #10 _g_closure_invoke_va at ../gobject/gclosure.c:895
 #13 g_cclosure_marshal_VOID__STRINGv at ../gobject/gmarshal.c:1462
 #14 _g_closure_invoke_va at ../gobject/gclosure.c:895
 #17 g_settings_real_change_event at ../gio/gsettings.c:392
 #18 _g_cclosure_marshal_BOOLEAN__POINTER_INTv at ../gio/gmarshal-internal.c:428
 #19 _g_closure_invoke_va at ../gobject/gclosure.c:895
 #22 settings_backend_path_changed at ../gio/gsettings.c:467
 #24 g_settings_backend_invoke_closure at ../gio/gsettingsbackend.c:275
 #28 g_main_context_iterate.isra.0 at ../glib/gmain.c:4276
 #29 g_main_context_iteration at ../glib/gmain.c:4343
 #30 g_application_run at ../gio/gapplication.c:2573
Comment 1 Saravanan 2023-03-15 12:35:13 UTC 
Created attachment 1950967 [details]
File: proc_pid_status
Comment 2 Saravanan 2023-03-15 12:35:15 UTC 
Created attachment 1950968 [details]
File: maps
Comment 3 Saravanan 2023-03-15 12:35:17 UTC 
Created attachment 1950969 [details]
File: limits
Comment 4 Saravanan 2023-03-15 12:35:19 UTC 
Created attachment 1950970 [details]
File: environ
Comment 5 Saravanan 2023-03-15 12:35:21 UTC 
Created attachment 1950971 [details]
File: open_fds
Comment 6 Saravanan 2023-03-15 12:35:23 UTC 
Created attachment 1950972 [details]
File: mountinfo
Comment 7 Saravanan 2023-03-15 12:35:25 UTC 
Created attachment 1950973 [details]
File: os_info
Comment 8 Saravanan 2023-03-15 12:35:27 UTC 
Created attachment 1950974 [details]
File: cpuinfo
Comment 9 Saravanan 2023-03-15 12:35:30 UTC 
Created attachment 1950975 [details]
File: core_backtrace
Comment 10 Saravanan 2023-03-15 12:35:32 UTC 
Created attachment 1950976 [details]
File: exploitable
Comment 11 Saravanan 2023-03-15 12:35:34 UTC 
Created attachment 1950977 [details]
File: dso_list
Comment 12 Saravanan 2023-03-15 12:35:37 UTC 
Created attachment 1950978 [details]
File: var_log_messages
Comment 13 Saravanan 2023-03-15 12:35:39 UTC 
Created attachment 1950979 [details]
File: backtrace
Comment 14 Milan Crha 2023-03-15 13:00:53 UTC 
Thanks for a bug report. I see this is crashing in a gtk4 code, but I'm not sure from the backtrace whether it's a gtk4 bug or not. Can you reproduce it anyhow, please? It seems there had been a change in the GSettings (key `overlay-scrolling` of a path not shown in the backtrace), which gtk+ tried to propagate further. I guess some preceding action in the gnome-software left things in a bad state, which had been discovered only after this code had been executed, but it's only a wild guess.
Comment 15 Milan Crha 2023-03-15 13:55:44 UTC 
I tried to reproduce this under rawhide with

   gnome-software-44~rc-1.fc39.x86_64
   gtk4-4.10.0-4.fc39.x86_64
   libadwaita-1.3~rc-1.fc39.x86_64

and when I open Menu->About and then closing the about dialog and runnign from a second terminal:

   gsettings set org.gnome.desktop.interface overlay-scrolling false
   gsettings set org.gnome.desktop.interface overlay-scrolling true

then the gnome-software terminal shows:

   13:51:07:260 Gtk gtk_widget_get_settings: assertion 'GTK_IS_WIDGET (widget)' failed
   13:51:07:260 GLib-GObject g_object_get: assertion 'G_IS_OBJECT (object)' failed

When I open Menu->Software Repositories and close them, then immediately after closing the window I see on the terminal:

   13:53:28:844 Gtk gtk_widget_dispose_template: assertion 'template != NULL' failed
   13:53:28:845 Gtk Finalizing GsReposSection 0x55c44c49d940, but it still has children left:
   13:53:28:845 Gtk    - GtkBox 0x55c44ddd28c0
   13:53:28:845 Gtk gtk_widget_dispose_template: assertion 'template != NULL' failed
   13:53:28:845 Gtk Finalizing GsReposSection 0x55c44d8453a0, but it still has children left:
   13:53:28:845 Gtk    - GtkBox 0x55c44dbad8e0
   13:53:28:845 Gtk gtk_widget_dispose_template: assertion 'template != NULL' failed
   13:53:28:845 Gtk Finalizing GsReposSection 0x55c44b603160, but it still has children left:
   13:53:28:845 Gtk    - GtkBox 0x55c44dca6300
   13:53:28:845 Gtk gtk_widget_dispose_template: assertion 'template != NULL' failed
   13:53:28:845 Gtk Finalizing GsReposSection 0x55c44d809140, but it still has children left:
   13:53:28:845 Gtk    - GtkBox 0x55c44d809ae0

which is something I do not see with gtk4-4.8.2-2.fc37.x86_64. I move this to the gtk4 for further investigation.
Comment 16 Milan Crha 2023-03-21 06:25:35 UTC 
*** Bug 2180240 has been marked as a duplicate of this bug. ***
Comment 17 Milan Crha 2023-03-21 06:32:03 UTC 
I moved this upstream for better visibility:
https://gitlab.gnome.org/GNOME/gtk/-/issues/5684

Please see it for any further updates.
Comment 18 Schuyler Cavender 2023-03-22 07:28:00 UTC 
Appologies for not responding. I can try to reproduce if it's still needed. It will have to waiting until later in the evening CST.
Comment 19 Milan Crha 2023-03-27 06:20:57 UTC 
*** Bug 2181669 has been marked as a duplicate of this bug. ***
Comment 20 Milan Crha 2023-03-27 06:21:37 UTC 
*** Bug 2181760 has been marked as a duplicate of this bug. ***
Comment 21 André 2023-04-02 15:12:56 UTC 
I installed Wineglass rpm app.


reporter:       libreport-2.17.9
type:           CCpp
reason:         gnome-software killed by SIGSEGV
journald_cursor: s=9e72d5632b574a7384472e6604e0d57c;i=f358b;b=8bb5dc15625448b4b65a30852b5190ed;m=36f3b6083;t=5f85bd7deabe0;x=b20eb147c92644ef
executable:     /usr/bin/gnome-software
cmdline:        /usr/bin/gnome-software --gapplication-service
cgroup:         0::/user.slice/user-1000.slice/user/app.slice/app-gnome-org.gnome.Software-2397.scope
rootdir:        /
uid:            1000
kernel:         6.2.9-300.fc38.x86_64
package:        gnome-software-44.0-3.fc38
runlevel:       N 5
dso_list:       /usr/bin/gnome-software gnome-software-44.0-3.fc38.x86_64 (Fedora Project) 1680010285
backtrace_rating: 4
crash_function: gtk_widget_get_settings
comment:        I installed Wineglass rpm app.