Bug 99462

Summary: Easy to crash any application with a gtk2 file open dialog
Product: [Retired] Red Hat Raw Hide
Reporter: Nathan G. Grennan <redhat-bugzilla>
Component: glibc
Assignee: Jakub Jelinek <jakub>
Status: CLOSED RAWHIDE
QA Contact: Brian Brock <bbrock>
Severity: high
Priority: medium
Version: 1.0
CC: anvil, fweimer, ken, michael, otaylor, rh-bugzilla, wtogami
Hardware: All
OS: Linux
Fixed In Version: 2.3.2-68
Doc Type: Bug Fix
Last Closed: 2003-08-05 14:31:39 UTC
Bug Blocks: 100643

Description Nathan G. Grennan 2003-07-20 14:55:59 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686) Gecko/20030703 Galeon/1.3.5

Description of problem:
Using a gtk2 file open dialog in any application that has one, and clicking ..
repeatedly, will result in the application hanging and the library seg faulting.

It doesn't seem to be nptl related.

strace info:

ioctl(3, FIONREAD, [0])                 = 0
poll([{fd=4, events=POLLIN}, {fd=3, events=POLLIN}, {fd=8, events=POLLIN},
{fd=11, events=POLLIN|POLLPRI}, {fd=12, events=POLLIN|POLLPRI}, {fd=13,
events=POLLIN|POLLPRI}, {fd=15, events=POLLIN|POLLPRI}, {fd=14,
events=POLLIN|POLLPRI}, {fd=17, events=POLLIN}, {fd=10, events=POLLIN|POLLPRI}],
10, 0) = 0
write(3, "\f\30\4\0-\1 \2@\0 \2\0\0\0\0\10\0\2\0-\1 \0025\30\4\0"..., 2040) = 2040
write(3, ">\30\7\0C\2 \2j\2 \2\6\0 \2\0\0\0\0\17\0*\0\v\0:\0008\2"..., 1728) = 1728
read(3, 0xbff84aa0, 32)                 = -1 EAGAIN (Resource temporarily unavailable)
select(4, [3], NULL, NULL, NULL)        = 1 (in [3])
read(3, "\1\2Q\24\0\0\0\0$\1 \2\0\0\0\0\0\0\0\0\30\0\0\0P\271\35"..., 32) = 32
ioctl(3, FIONREAD, [0])                 = 0
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
write(3, "5\30\4\0w\2 \2/\1 \2\264\0\234\0007\0\6\0x\2 \2w\2 \2\4"..., 152) = 152
write(3, " \30\2\0\0\0\0\0", 8)         = 8
write(3, "+\30\1\0", 4)                 = 4
read(3, 0xbff83c2c, 32)                 = -1 EAGAIN (Resource temporarily unavailable)
select(4, [3], NULL, NULL, NULL)        = 1 (in [3])
read(3, "\1\2\\\24\0\0\0\0$\1 \2\0\0\0\0\0\0\0\0\30\0\0\0P\271\35"..., 32) = 32
futex(0x4c2bc0, FUTEX_WAIT, -1, NULL

Version-Release number of selected component (if applicable):
gtk2-2.2.2-2.1

How reproducible:
Always

Steps to Reproduce:
1. Open gedit
2. Select the File menu
3. Select Open
4. Click on .. repeatedly

Actual Results:  Application hangs and library seg faults

Expected Results:  Application to always take me to the next directory up in the
tree

Additional info:

I have seen a very similar issue with gtk1 before.

Comment 1 Nathan G. Grennan 2003-07-20 14:56:17 UTC
gdb info:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1084347840 (LWP 1901)]
0x0040186d in malloc_consolidate () from /lib/tls/libc.so.6
(gdb) backtrace
#0  0x0040186d in malloc_consolidate () from /lib/tls/libc.so.6
#1  0x00400eaa in _int_malloc () from /lib/tls/libc.so.6
#2  0x0040026b in malloc () from /lib/tls/libc.so.6
#3  0x00a18897 in g_malloc () from /usr/lib/libglib-2.0.so.0
#4  0x00813430 in pango_get_mirror_char () from /usr/lib/libpango-1.0.so.0
#5  0x00813d44 in pango_log2vis_get_embedding_levels ()
   from /usr/lib/libpango-1.0.so.0
#6  0x00804b09 in pango_itemize () from /usr/lib/libpango-1.0.so.0
#7  0x0080be6f in no_shape_filter_func () from /usr/lib/libpango-1.0.so.0
#8  0x0080a394 in pango_layout_get_cursor_pos ()
   from /usr/lib/libpango-1.0.so.0
#9  0x0080a689 in pango_layout_get_extents () from /usr/lib/libpango-1.0.so.0
#10 0x0080a734 in pango_layout_get_pixel_extents ()
   from /usr/lib/libpango-1.0.so.0
#11 0x00155c1b in gtk_cell_renderer_text_new ()
   from /usr/lib/libgtk-x11-2.0.so.0
#12 0x00155ddf in gtk_cell_renderer_text_new ()
   from /usr/lib/libgtk-x11-2.0.so.0
#13 0x00152bcf in gtk_cell_renderer_render () from /usr/lib/libgtk-x11-2.0.so.0
#14 0x002a47af in gtk_tree_view_column_cell_get_size ()
   from /usr/lib/libgtk-x11-2.0.so.0
#15 0x002a48eb in _gtk_tree_view_column_cell_render ()
   from /usr/lib/libgtk-x11-2.0.so.0
#16 0x0029063c in gtk_tree_view_get_type () from /usr/lib/libgtk-x11-2.0.so.0
#17 0x001d2682 in _gtk_marshal_BOOLEAN__BOXED ()
   from /usr/lib/libgtk-x11-2.0.so.0
#18 0x00a65007 in g_cclosure_new_swap () from /usr/lib/libgobject-2.0.so.0
#19 0x00a64cb0 in g_closure_invoke () from /usr/lib/libgobject-2.0.so.0
#20 0x00a7667c in g_signal_emit_by_name () from /usr/lib/libgobject-2.0.so.0
#21 0x00a75a0d in g_signal_emit_valist () from /usr/lib/libgobject-2.0.so.0
#22 0x00a75e74 in g_signal_emit () from /usr/lib/libgobject-2.0.so.0
#23 0x002b1119 in gtk_widget_send_expose () from /usr/lib/libgtk-x11-2.0.so.0
#24 0x001d118d in gtk_main_do_event () from /usr/lib/libgtk-x11-2.0.so.0
#25 0x00c98a53 in gdk_window_clear_area_e () from /usr/lib/libgdk-x11-2.0.so.0
#26 0x00c98b5a in gdk_window_process_all_updates ()
   from /usr/lib/libgdk-x11-2.0.so.0
#27 0x00c98bc1 in gdk_window_process_all_updates ()
   from /usr/lib/libgdk-x11-2.0.so.0
#28 0x00a15b03 in g_timeout_add () from /usr/lib/libglib-2.0.so.0
#29 0x00a12fad in unblock_source () from /usr/lib/libglib-2.0.so.0
#30 0x00a13fa8 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#31 0x00a142bf in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#32 0x00a1499f in g_main_loop_run () from /usr/lib/libglib-2.0.so.0
#33 0x001d09ef in gtk_main () from /usr/lib/libgtk-x11-2.0.so.0
#34 0x0657db47 in bonobo_control_life_get_count ()
   from /usr/lib/libbonoboui-2.so.0
#35 0x0657dd5f in bonobo_file_selector_open_multi ()
   from /usr/lib/libbonoboui-2.so.0
#36 0x080716e0 in gedit_file_open ()
#37 0x06581f98 in bonobo_socket_add_id () from /usr/lib/libbonoboui-2.so.0
#38 0x00a64cb0 in g_closure_invoke () from /usr/lib/libgobject-2.0.so.0
#39 0x0649e25a in bonobo_closure_invoke_va_list ()
   from /usr/lib/libbonobo-2.so.0
#40 0x0649e4f7 in bonobo_closure_invoke () from /usr/lib/libbonobo-2.so.0
#41 0x06581e32 in bonobo_socket_add_id () from /usr/lib/libbonoboui-2.so.0
#42 0x064a2ce0 in Bonobo_UIComponent_execVerb () from /usr/lib/libbonobo-2.so.0
#43 0x065890ab in bonobo_ui_engine_get_ui_container ()
   from /usr/lib/libbonoboui-2.so.0
#44 0x065892ab in bonobo_ui_engine_get_ui_container ()
   from /usr/lib/libbonoboui-2.so.0
#45 0x00a77c7e in g_cclosure_marshal_VOID__POINTER ()
   from /usr/lib/libgobject-2.0.so.0
#46 0x00a65007 in g_cclosure_new_swap () from /usr/lib/libgobject-2.0.so.0
#47 0x00a64cb0 in g_closure_invoke () from /usr/lib/libgobject-2.0.so.0
#48 0x00a7667c in g_signal_emit_by_name () from /usr/lib/libgobject-2.0.so.0
#49 0x00a75c36 in g_signal_emit_valist () from /usr/lib/libgobject-2.0.so.0
#50 0x00a75e74 in g_signal_emit () from /usr/lib/libgobject-2.0.so.0
#51 0x0658bb25 in bonobo_ui_engine_emit_verb_on_w ()
   from /usr/lib/libbonoboui-2.so.0
#52 0x06591197 in bonobo_ui_sync_menu_add_popup ()
   from /usr/lib/libbonoboui-2.so.0
#53 0x00a77051 in g_cclosure_marshal_VOID__VOID ()
   from /usr/lib/libgobject-2.0.so.0
#54 0x00a64cb0 in g_closure_invoke () from /usr/lib/libgobject-2.0.so.0
#55 0x00a76bbf in g_signal_emit_by_name () from /usr/lib/libgobject-2.0.so.0
#56 0x00a75c36 in g_signal_emit_valist () from /usr/lib/libgobject-2.0.so.0
#57 0x00a75e74 in g_signal_emit () from /usr/lib/libgobject-2.0.so.0
#58 0x002b12e9 in gtk_widget_activate () from /usr/lib/libgtk-x11-2.0.so.0
#59 0x001e1a62 in gtk_menu_shell_activate_item ()
   from /usr/lib/libgtk-x11-2.0.so.0
#60 0x001e0e06 in _gtk_menu_shell_activate () from /usr/lib/libgtk-x11-2.0.so.0
#61 0x001da5f6 in gtk_menu_reorder_child () from /usr/lib/libgtk-x11-2.0.so.0
#62 0x001d2682 in _gtk_marshal_BOOLEAN__BOXED ()
   from /usr/lib/libgtk-x11-2.0.so.0
#63 0x00a65007 in g_cclosure_new_swap () from /usr/lib/libgobject-2.0.so.0
#64 0x00a64cb0 in g_closure_invoke () from /usr/lib/libgobject-2.0.so.0
#65 0x00a7667c in g_signal_emit_by_name () from /usr/lib/libgobject-2.0.so.0
#66 0x00a75a0d in g_signal_emit_valist () from /usr/lib/libgobject-2.0.so.0
#67 0x00a75e74 in g_signal_emit () from /usr/lib/libgobject-2.0.so.0
#68 0x002b1119 in gtk_widget_send_expose () from /usr/lib/libgtk-x11-2.0.so.0
#69 0x001d2457 in gtk_propagate_event () from /usr/lib/libgtk-x11-2.0.so.0
#70 0x001d11b6 in gtk_main_do_event () from /usr/lib/libgtk-x11-2.0.so.0
#71 0x00ca8e35 in _gdk_events_queue () from /usr/lib/libgdk-x11-2.0.so.0
#72 0x00a12fad in unblock_source () from /usr/lib/libglib-2.0.so.0
#73 0x00a13fa8 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#74 0x00a142bf in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#75 0x00a1499f in g_main_loop_run () from /usr/lib/libglib-2.0.so.0
#76 0x001d09ef in gtk_main () from /usr/lib/libgtk-x11-2.0.so.0
#77 0x0805e4d9 in main ()
#78 0x003a5678 in __libc_start_main () from /lib/tls/libc.so.6

Comment 2 Dams 2003-07-21 00:25:36 UTC
I also have this behaviour with the gnome-background-properties utility. Launch it,
try to select a new picture and see how it freezes.
Package version: gtk2-2.2.2-2.1.

Comment 3 Michael Lee Yohe 2003-07-22 18:43:54 UTC
I am unable to reproduce this problem whilst clicking '..' about a hundred times.

Comment 4 Enrico Scholz 2003-07-22 21:09:17 UTC
Reproducible; valgrind tells a NULL-pointer immediately after startup:

| $ valgrind --num-callers=10 gedit
| ...
| ==25773== Using valgrind-1.9.6, a program instrumentation system for x86-linux.
| ...
| ==25773== Invalid read of size 4
| ==25773==    at 0x408C4B6B: gconf_engine_all_dirs (in /usr/lib/libgconf-2.so.4.1.0)
| ==25773==    by 0x408C9AC6: gconf_client_preload (in /usr/lib/libgconf-2.so.4.1.0)
| ==25773==    by 0x408C8D8C: gconf_client_add_dir (in /usr/lib/libgconf-2.so.4.1.0)
| ==25773==    by 0x40765F91: (within /usr/lib/libgnomeui-2.so.0.200.0)
| ==25773==    by 0x408476F9: gnome_program_postinit (in /usr/lib/libgnome-2.so.0.200.2)
| ==25773==    by 0x4084794C: gnome_program_initv (in /usr/lib/libgnome-2.so.0.200.2)
| ==25773==    by 0x408477B9: gnome_program_init (in /usr/lib/libgnome-2.so.0.200.2)
| ==25773==    by 0x805E45E: main (in /usr/bin/gedit)
| ==25773==    by 0x40F28A76: __libc_start_main (in /lib/i686/libc-2.3.2.so)


Currently, I do not have the -debuginfo packages and can not provide
further details therefore.


Comment 5 Owen Taylor 2003-07-23 13:52:39 UTC
Enrico - your problem looks entirely unrelated, and should be filed
separately (I'd file it against gconf ... I'd guess it's something
to do with your system's configuration causing a segfault in libgconf)

For the other bugs, this looks very much like a bug recently tracked
down on the libc-alpha mailing list with wcpncpy, which caused
memory corruption with the GTK+ file selector.

I checked the current GLibc package, and it indeed seems to have the
broken version of wcpncpy; it needs the fix that Ulrich Drepper checked
into CVS in the last day or so.

(http://sources.redhat.com/cgi-bin/cvsweb.cgi/libc/wcsmbs/wcpncpy.c.diff?r1=1.4&r2=1.5&cvsroot=glibc)

Reassigning.

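Comment 5 attributes the corruption to a broken wcpncpy in glibc, but the diff itself is not on this page. The C harness below is added here and is not part of the bug report or of glibc: it checks a wcpncpy implementation against the POSIX contract the fix restores (copy at most n wide characters into dest, pad the rest of the n slots with nulls, touch nothing outside them, and return a pointer to the copied null or to dest + n) by surrounding the destination with canary words, then runs that check over boundary cases against both a reference implementation written for the example and the system's wcpncpy. The names ref_wcpncpy, check_wcpncpy, stress_wcpncpy, CANARY and GUARD are chosen for the example, and the sample source strings are constructed.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <wchar.h>

/* Constructed guard value; any write outside the n-slot window changes it. */
#define CANARY ((wchar_t)0x5A5A5A5A)
#define GUARD 4

typedef wchar_t *(*wcpncpy_fn)(wchar_t *, const wchar_t *, size_t);

/* Reference implementation of the POSIX wcpncpy contract, written for this
 * example: copy at most n wide characters, pad the remaining slots with
 * L'\0', and return a pointer to the terminating null inside dest (or
 * dest + n when the source did not fit). */
wchar_t *ref_wcpncpy(wchar_t *dest, const wchar_t *src, size_t n)
{
    size_t i = 0;
    for (; i < n && src[i] != L'\0'; i++)
        dest[i] = src[i];
    wchar_t *end = dest + i;
    for (; i < n; i++)
        dest[i] = L'\0';
    return end;
}

/* Runs fn on a canary-guarded buffer and checks that nothing before dest[0]
 * or at/after dest[n] was written, that the n slots hold the copied prefix
 * plus null padding, and that the returned pointer matches the contract.
 * Returns 0 on success or a small positive code naming the first failure. */
int check_wcpncpy(wcpncpy_fn fn, const wchar_t *src, size_t n)
{
    size_t len = wcslen(src);
    size_t total = GUARD + n + GUARD;
    wchar_t *buf = malloc(total * sizeof *buf);
    if (!buf)
        return 99;
    for (size_t i = 0; i < total; i++)
        buf[i] = CANARY;

    wchar_t *dest = buf + GUARD;
    wchar_t *ret = fn(dest, src, n);
    int rc = 0;

    for (size_t i = 0; i < GUARD; i++)
        if (buf[i] != CANARY) rc = 1;              /* write before dest */
    for (size_t i = GUARD + n; i < total; i++)
        if (buf[i] != CANARY) rc = 2;              /* write past dest + n */
    size_t copied = len < n ? len : n;
    if (rc == 0 && wmemcmp(dest, src, copied) != 0) rc = 3;   /* wrong prefix */
    for (size_t i = copied; rc == 0 && i < n; i++)
        if (dest[i] != L'\0') rc = 4;              /* missing null padding */
    if (rc == 0 && ret != dest + copied) rc = 5;   /* wrong return pointer */

    free(buf);
    return rc;
}

/* Exercises an implementation over the cases that matter for a bounds-
 * respecting copy: empty source, source shorter than n, exactly n, longer
 * than n, and sizes on either side of a 4-element unrolling step.
 * Returns the number of failing (src, n) combinations. */
int stress_wcpncpy(wcpncpy_fn fn)
{
    /* Constructed sample inputs, including a path like the one the dialog shows. */
    static const wchar_t *srcs[] = { L"", L"a", L"abc", L"abcd", L"abcde",
                                     L"/home/user/Documents/.." };
    int failures = 0;
    for (size_t s = 0; s < sizeof srcs / sizeof *srcs; s++)
        for (size_t n = 0; n <= 12; n++)
            if (check_wcpncpy(fn, srcs[s], n) != 0)
                failures++;
    return failures;
}

int main(void)
{
    printf("reference wcpncpy: %d failing cases\n", stress_wcpncpy(ref_wcpncpy));
    printf("system wcpncpy:    %d failing cases\n", stress_wcpncpy(wcpncpy));
    return 0;
}
```

On a current glibc both counts are 0. A non-zero count for the system function with a zero count for the reference is the kind of evidence that points the finger at libc rather than at GTK+, which is the diagnosis comment 5 arrives at from the backtrace alone.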

Comment 6 Owen Taylor 2003-07-28 19:47:05 UTC
*** Bug 100412 has been marked as a duplicate of this bug. ***

Comment 7 Jakub Jelinek 2003-08-04 07:47:00 UTC
Please try ftp://people.redhat.com/jakub/glibc/2.3.2-68/

Comment 8 Nathan G. Grennan 2003-08-04 15:58:58 UTC
I just upgraded to glibc-2.3.2-68, and gtk2 open file dialogs work as they should.

Note, you left the tzdata rpm out of your glibc directory. I had to fetch it
from rawhide.

Also what is up with glibc-debuginfo-common not being glibc-common-debuginfo, or
I am not understanding exactly what it is?

Comment 9 Jakub Jelinek 2003-08-05 14:31:39 UTC
glibc-debuginfo-common is not debuginfo for glibc-common package, but
common files between glibc-debuginfo*.i386.rpm and glibc-debuginfo*.i686.rpm.
Both these rpms depend on glibc-debuginfo-common.