Bug 458544

Summary: libvte segfaulting durring mouse selection
Product: [Fedora] Fedora Reporter: Adam Huffman <bloch>
Component: vteAssignee: Behdad Esfahbod <behdad>
Status: CLOSED RAWHIDE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: medium    
Version: rawhideCC: che_guevara_3, jan.kratochvil, mclasen, nalin, zkabelac
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-08-23 20:23:18 EDT Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On:    
Bug Blocks: 457945    
Attachments:
Description Flags
core.bz2 none

Description Adam Huffman 2008-08-09 12:02:13 EDT
Description of problem:

On my Rawhide system libvte has been segfaulting, causing gnome-terminal to crash.  It seems to be triggered by mouse selection, though the problem is intermittent.

The error in /var/log/messages:

segfault at 80260d5fe ip 0
00000312f629240 sp 00007fffa02bc050 error 4 in libvte.so.9.3.0[312f600000+128000
]

Version-Release number of selected component (if applicable):
vte-0.17.1-1.fc10.x86_64

How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:
Comment 1 Jan Kratochvil 2008-08-10 10:08:13 EDT
Created attachment 313891 [details]
core.bz2

Reproducible by a mouse copy-clicking.

gnome-terminal-2.23.6-1.fc10.x86_64
vte-0.17.1-1.fc10.x86_64
GConf2-2.23.1-1.fc10.x86_64 ORBit2-2.14.13-1.fc10.x86_64 alsa-lib-1.0.17-2.fc10.x86_64 atk-1.23.5-1.fc10.x86_64 audiofile-0.2.6-9.fc10.x86_64 avahi-0.6.22-11.fc10.x86_64 avahi-glib-0.6.22-11.fc10.x86_64 bzip2-libs-1.0.5-2.fc9.x86_64 cairo-1.6.4-1.fc9.x86_64 dbus-glib-0.76-2.fc10.x86_64 dbus-libs-1.2.3-1.fc10.x86_64 e2fsprogs-libs-1.41.0-1.fc10.x86_64 esound-libs-0.2.39-2.fc10.x86_64 expat-2.0.1-5.x86_64 fontconfig-2.6.0-2.fc10.x86_64 freetype-2.3.6-1.fc10.x86_64 glib2-2.17.6-1.fc10.x86_64 glibc-2.8.90-11.x86_64 gnome-keyring-2.23.6-1.fc10.x86_64 gnome-vfs2-2.23.0-1.fc10.x86_64 gtk-nodoka-engine-0.7.1-1.fc10.x86_64 gtk2-2.13.6-1.fc10.x86_64 gvfs-0.99.4-1.fc10.x86_64 keyutils-libs-1.2-3.fc9.x86_64 krb5-libs-1.6.3-16.fc10.x86_64 libICE-1.0.4-4.fc10.x86_64 libSM-1.1.0-2.fc10.x86_64 libX11-1.1.4-2.fc10.x86_64 libXau-1.0.3-6.fc10.x86_64 libXcomposite-0.4.0-5.fc10.x86_64 libXcursor-1.1.9-3.fc10.x86_64 libXdmcp-1.0.2-6.fc10.x86_64 libXext-1.0.4-1.fc9.x86_64 libXfixes-4.0.3-4.fc10.x86_64 libXft-2.1.12-5.fc9.x86_64 libXi-1.1.3-4.fc9.x86_64 libXinerama-1.0.3-2.fc10.x86_64 libXrandr-1.2.2-3.fc9.x86_64 libXrender-0.9.4-3.fc9.x86_64 libart_lgpl-2.3.20-1.fc9.x86_64 libbonobo-2.23.0-1.fc10.x86_64 libbonoboui-2.23.5-1.fc10.x86_64 libcanberra-0.6-1.fc10.x86_64 libcanberra-gtk2-0.6-1.fc10.x86_64 libcap-2.10-2.fc10.x86_64 libcroco-0.6.1-5.fc9.x86_64 libgnome-2.23.4-2.fc10.x86_64 libgnomecanvas-2.20.1.1-2.fc9.x86_64 libgnomeui-2.23.4-1.fc10.x86_64 libgsf-1.14.8-2.fc10.x86_64 libogg-1.1.3-9.fc9.x86_64 libpng-1.2.29-1.fc10.x86_64 librsvg2-2.22.2-1.fc9.x86_64 libselinux-2.0.71-1.fc10.x86_64 libtool-ltdl-1.5.26-3.fc10.x86_64 libvorbis-1.2.0-4.fc10.x86_64 libxcb-1.1-4.fc9.x86_64 libxml2-2.6.32-3.fc10.x86_64 ncurses-libs-5.6-19.20080628.fc10.x86_64 openssl-0.9.8g-10.fc10.x86_64 pango-1.21.3-1.fc10.x86_64 pixman-0.11.8-1.fc10.x86_64 popt-1.13-4.fc10.x86_64 startup-notification-0.9-4.fc9.x86_64 zlib-1.2.3-18.fc9.x86_64

(gdb) bt
#0  vte_terminal_extend_selection (terminal=<value optimized out>, x=<value optimized out>, y=<value optimized out>, 
    always_grow=<value optimized out>, force=<value optimized out>) at vte.c:6178
#1  0x0000003df382b04f in vte_terminal_motion_notify (widget=<value optimized out>, event=<value optimized out>) at vte.c:6632
#2  0x0000003df016ca90 in _gtk_marshal_BOOLEAN__BOXED (closure=Could not find the frame base for "_gtk_marshal_BOOLEAN__BOXED".
) at gtkmarshalers.c:84
#3  0x0000003dee00b7fd in IA__g_closure_invoke (closure=<value optimized out>, return_value=<value optimized out>, 
    n_param_values=<value optimized out>, param_values=<value optimized out>, invocation_hint=<value optimized out>)
    at gclosure.c:767
#4  0x0000003dee022264 in signal_emit_unlocked_R (node=<value optimized out>, detail=<value optimized out>, 
    instance=<value optimized out>, emission_return=<value optimized out>, instance_and_params=<value optimized out>)
    at gsignal.c:3282
#5  0x0000003dee023b58 in IA__g_signal_emit_valist (instance=<value optimized out>, signal_id=<value optimized out>, 
    detail=<value optimized out>, var_args=<value optimized out>) at gsignal.c:2987
#6  0x0000003dee024213 in IA__g_signal_emit (instance=<value optimized out>, signal_id=<value optimized out>, 
    detail=<value optimized out>) at gsignal.c:3034
#7  0x0000003df02d7d95 in gtk_widget_event_internal (widget=Could not find the frame base for "gtk_widget_event_internal".
) at gtkwidget.c:4745
#8  0x0000003df02d78b7 in IA__gtk_widget_event (widget=Could not find the frame base for "IA__gtk_widget_event".
) at gtkwidget.c:4542
#9  0x0000003df016ad22 in IA__gtk_propagate_event (widget=Could not find the frame base for "IA__gtk_propagate_event".
) at gtkmain.c:2363
#10 0x0000003df01696f0 in IA__gtk_main_do_event (event=Could not find the frame base for "IA__gtk_main_do_event".
) at gtkmain.c:1568
#11 0x0000003df0861e93 in gdk_event_dispatch (source=Could not find the frame base for "gdk_event_dispatch".
) at gdkevents-x11.c:2365
#12 0x0000003dedc378c2 in g_main_dispatch () at gmain.c:2072
#13 IA__g_main_context_dispatch (context=<value optimized out>) at gmain.c:2624
#14 0x0000003dedc3b05d in g_main_context_iterate (context=<value optimized out>, block=<value optimized out>, 
    dispatch=<value optimized out>, self=<value optimized out>) at gmain.c:2705
#15 0x0000003dedc3b58d in IA__g_main_loop_run (loop=<value optimized out>) at gmain.c:2928
#16 0x0000003df0168e41 in IA__gtk_main () at gtkmain.c:1172
#17 0x0000000000415d75 in main (argc=2, argv=0x7ffff1f64868) at terminal.c:1253
(gdb) l vte.c:6178
6173			if (rowdata != NULL) {
6174				/* Find the last non-empty character on the last line. */
6175				for (i = rowdata->cells->len - 1; i >= 0; i--) {
6176					cell = &g_array_index(rowdata->cells,
6177							struct vte_charcell, i);
6178					if (cell->attr.fragment || cell->c != 0)
6179						break;
6180				}
6181				/* If the end point is to its right, then extend the
6182				 * endpoint as far right as we can expect. */
(gdb) info line *$rip
Line 6178 of "vte.c" starts at address 0x3df3829240 <vte_terminal_extend_selection+3024>
   and ends at 0x3df382924c <vte_terminal_extend_selection+3036>.
(gdb) x/10i $rip
0x3df3829240 <vte_terminal_extend_selection+3024>:	testb  $0x40,0x6(%rcx)
0x3df3829244 <vte_terminal_extend_selection+3028>:	jne    0x3df3829264 <vte_terminal_extend_selection+3060>
0x3df3829246 <vte_terminal_extend_selection+3030>:	mov    (%rcx),%ebx
0x3df3829248 <vte_terminal_extend_selection+3032>:	test   %ebx,%ebx
0x3df382924a <vte_terminal_extend_selection+3034>:	jne    0x3df3829264 <vte_terminal_extend_selection+3060>
(gdb) p/x $rcx
$3 = 0x801a5e708
(gdb) p *(struct vte_charcell *)$rcx
Cannot access memory at address 0x801a5e708
Comment 2 Matthias Clasen 2008-08-13 16:51:17 EDT
Upstream bug: http://bugzilla.gnome.org/show_bug.cgi?id=546940
Comment 3 Matthias Clasen 2008-08-13 16:56:24 EDT
I haven't been able to reproduce this yet.
Comment 4 Nalin Dahyabhai 2008-08-13 17:04:00 EDT
(In reply to comment #3)
> I haven't been able to reproduce this yet.

The first comment in the upstream report reproduced it for me.
Comment 5 Ilya Eremin 2008-08-13 21:35:25 EDT
Fixed upstream now
Comment 6 Behdad Esfahbod 2008-08-14 11:37:52 EDT
*** Bug 458940 has been marked as a duplicate of this bug. ***
Comment 7 Behdad Esfahbod 2008-08-14 14:55:26 EDT
I'll roll a package as soon as koji is back.
Comment 8 Matthias Clasen 2008-08-23 20:23:18 EDT
Built in rawhide now