Bug 782487

Summary: [abrt] gimp-2.6.11-23.fc16: __strncmp_sse4_2: Process /usr/bin/gimp-2.6 was killed by signal 11 (SIGSEGV)
Product: [Fedora] Fedora Reporter: Miguel <montiel_martinez>
Component: gtk2Assignee: Matthias Clasen <mclasen>
Status: CLOSED DUPLICATE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 16CC: kennethjamesmiller, mclasen, nphilipp
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Unspecified   
Whiteboard: abrt_hash:e56c0d783df45cadf24550763bf91bc1767fd602
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-03-30 13:41:53 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Attachments:
Description Flags
File: dso_list
none
File: build_ids
none
File: event_log
none
File: maps
none
File: backtrace none

Description Miguel 2012-01-17 15:30:20 UTC 
libreport version: 2.0.8
abrt_version:   2.0.7
backtrace_rating: 4
cmdline:        gimp-2.6
comment:        I converted a png image in jpeg image with default options
crash_function: __strncmp_sse4_2
executable:     /usr/bin/gimp-2.6
kernel:         3.1.8-2.fc16.i686
pid:            2249
pwd:            /home/mike
reason:         Process /usr/bin/gimp-2.6 was killed by signal 11 (SIGSEGV)
time:           mar 17 ene 2012 07:33:20 CST
uid:            1000
username:       mike

backtrace:      Text file, 67083 bytes
build_ids:      Text file, 4141 bytes
dso_list:       Text file, 10547 bytes
event_log:      Text file, 20460 bytes
maps:           Text file, 29343 bytes

environ:
:XDG_VTNR=1
:XDG_SESSION_ID=2
:HOSTNAME=TuzaLabs3
:IMSETTINGS_INTEGRATE_DESKTOP=yes
:SHELL=/bin/bash
:TERM=dumb
:HISTSIZE=1000
:XDG_SESSION_COOKIE=da7798741be674f13e98727900000016-1326806435.695570-1432447468
:QTDIR=/usr/lib/qt-3.3
:GNOME_KEYRING_CONTROL=/tmp/keyring-NQliHP
:QTINC=/usr/lib/qt-3.3/include
:IMSETTINGS_MODULE=none
:USER=mike
:USERNAME=mike
:MAIL=/var/spool/mail/mike
:PATH=/usr/lib/qt-3.3/bin:/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin:/usr/libexec/sdcc:/home/mike/.local/bin:/home/mike/bin
:DESKTOP_SESSION=gnome
:QT_IM_MODULE=xim
:PWD=/home/mike
:XMODIFIERS=@im=none
:KDE_IS_PRELINKED=1
:GNOME_KEYRING_PID=1422
:LANG=es_ES.utf8
:GDM_LANG=es_ES.utf8
:KDEDIRS=/usr
:GDMSESSION=gnome
:HISTCONTROL=ignoredups
:HOME=/home/mike
:XDG_SEAT=seat0
:SHLVL=1
:LOGNAME=mike
:QTLIB=/usr/lib/qt-3.3/lib
:DBUS_SESSION_BUS_ADDRESS=unix:abstract=/tmp/dbus-FQGW1dNkAE,guid=7556597bfbd6c04d94b2955e000000af
:'LESSOPEN=||/usr/bin/lesspipe.sh %s'
:WINDOWPATH=1
:XDG_RUNTIME_DIR=/run/user/mike
:DISPLAY=:0
:XAUTHORITY=/var/run/gdm/auth-for-mike-PMCBGJ/database
:_=/usr/bin/gnome-session
:GNOME_DESKTOP_SESSION_ID=this-is-deprecated
:SESSION_MANAGER=local/unix:@/tmp/.ICE-unix/1430,unix/unix:/tmp/.ICE-unix/1430
:SSH_AUTH_SOCK=/tmp/keyring-NQliHP/ssh
:GPG_AGENT_INFO=/tmp/keyring-NQliHP/gpg:0:1
:GJS_DEBUG_OUTPUT=stderr
:'GJS_DEBUG_TOPICS=JS ERROR;JS LOG'
:DESKTOP_STARTUP_ID=gnome-shell-1652-TuzaLabs3-gimp-2.6-4_TIME904697
:GIO_LAUNCHED_DESKTOP_FILE=/usr/share/applications/gimp.desktop
:GIO_LAUNCHED_DESKTOP_FILE_PID=2249

var_log_messages:
:Jan 17 07:33:20 TuzaLabs3 kernel: [  939.233751] gimp-2.6[2249]: segfault at 0 ip 0e0cdedc sp bfa02378 error 4 in libc-2.14.90.so[df93000+1a6000]
:Jan 17 07:33:21 TuzaLabs3 abrt[2276]: Saved core dump of pid 2249 (/usr/bin/gimp-2.6) to /var/spool/abrt/ccpp-2012-01-17-07:33:20-2249 (111239168 bytes)
Comment 1 Miguel 2012-01-17 15:30:25 UTC 
Created attachment 555813 [details]
File: dso_list
Comment 2 Miguel 2012-01-17 15:30:27 UTC 
Created attachment 555814 [details]
File: build_ids
Comment 3 Miguel 2012-01-17 15:30:31 UTC 
Created attachment 555815 [details]
File: event_log
Comment 4 Miguel 2012-01-17 15:30:37 UTC 
Created attachment 555816 [details]
File: maps
Comment 5 Miguel 2012-01-17 15:30:45 UTC 
Created attachment 555817 [details]
File: backtrace
Comment 6 Nils Philippsen 2012-01-18 10:47:34 UTC 
(In reply to comment #0)
> libreport version: 2.0.8
> abrt_version:   2.0.7
> backtrace_rating: 4
> cmdline:        gimp-2.6
> comment:        I converted a png image in jpeg image with default options

I'm not exactly sure when exactly this bug happens to you, but I guess it's at the time you attempt to save the converted image. Miguel, is this correct?

Anyway, this bug is very similar, if not the same, as bug #716325 for Fedora 15: The backtrace shows that you click a button (presumably "Ok" in the file dialog), and in response to it the file dialog window and its child widgets/components get destroyed:

... GimpFileDialog
==> GtkVBox
==> GtkFileChooserWidget
==> GtkFileChooserDefault
==> GtkVBox
==> GtkTable
==> GtkFileChooserEntry: sets its completion to NULL, original completion unref()ed
==> GtkEntryCompletion
==> GtkTreeView: removes a column
==> GAIL/accessibility: columns_changed() -> get_row_count() -> count_rows()
 => gtk_tree_model_iter_n_children()
 => gtk_tree_model_filter_iter_n_children()
 => gtk_tree_model_filter_build_level()
 => gtk_tree_model_filter_visible()
 => gtk_entry_completion_visible_func()
 => completion_match_func():

    # Tries to pull what I presume should be a file name from the
    # chooser_entry->completion_store tree model which at this point
    # contains garbage:

    ... gtkfilechooserentry.c, line 387 ...
    gtk_tree_model_get (GTK_TREE_MODEL (chooser_entry->completion_store), iter, DISPLAY_NAME_COLUMN, &name, -1);
    ...

    # --> name = 0x156d94 "\215d$\030[\303\215\266"

    # UTF8-normalize the file part of the entry and the name from above
    ... line 410 ...
    norm_file_part = g_utf8_normalize (chooser_entry->file_part, -1, G_NORMALIZE_ALL);
    norm_name = g_utf8_normalize (name, -1, G_NORMALIZE_ALL);
    ...

    # At this point, norm_name is NULL because name is not valid UTF8
    # (norm_file_part is, but I guess that's simply luck -- the ASCII
    # "start of heading" character doesn't look like a valid file name
    # to me) and g_utf8_normalize returns NULL on input which is not
    # valid UTF-8.

    ... line 427 ...
    result = (strncmp (norm_file_part, norm_name, strlen (norm_file_part)) == 0);
    ...
    # This ^^ calls __strncmp_sse4_2("\001", NULL, 1) which crashes
    # because one of the compared strings cannot be dereferenced.

My knowledge about gtk is limited, but I think that one of these ways or a combination of them would avoid crashing:

- don't call the whole accessibility stuff when widgets are destroyed
- catch NULL values that stem from garbage being UTF8-normalized (not sure if this is 100% effective -- the garbage could still be valid UTF8 and I have no idea what happens when the normalized garbage is compared subsequently)
- catch garbage before UTF8-normalization is attempted (how? perhaps rather:)
- explicitly set certain struct members to NULL so functions can check for this value before operating on garbage

Changing component to gtk2 -- Matthias, what do you think?
Comment 7 Nils Philippsen 2012-03-19 14:21:28 UTC 
*** Bug 804338 has been marked as a duplicate of this bug. ***
Comment 8 abrt-bot 2012-03-30 13:41:53 UTC 
Backtrace analysis found this bug to be similar to bug #716325, closing as duplicate.

Bugs which were found to be similar to this bug: 
  gimp: bug #804338
  gtk2: bug #716325
  inkscape: bug #806973, bug #807188

This comment is automatically generated.

*** This bug has been marked as a duplicate of bug 716325 ***