Bug 1398234 - [Regression] Exiting mate-terminal terminates all instances
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: mate-terminal
Version: 25
Assignee: Wolfgang Ulbrich
QA Contact: Fedora Extras Quality Assurance
Depends On: 1392132
Reported: 2016-11-24 10:27 UTC by Milan Crha
Modified: 2017-02-09 04:22 UTC (History)

Fixed In Version: mate-terminal-1.16.1-4.fc25
Last Closed: 2017-02-09 04:22:01 UTC



Description Milan Crha 2016-11-24 10:27:10 UTC
When I run multiple mate-terminals and close one of them then all currently running instances are closed too. That's a regression and a bad behaviour, the terminal windows are independent.

Steps:
a) run mate-terminal
b) in there run: mate-terminal &
c) in either of the two press either Ctrl+D or execute: exit

Both windows are closed, but only the one where the c) had been done should be closed. Note, I run the terminals from a custom .desktop file.

This is with mate-terminal-1.16.1-2.fc25.x86_64

Downgrading to mate-terminal-1.16.1-1.fc25.x86_64 fixes the issue.

Comment 1 Wolfgang Ulbrich 2016-11-24 16:53:53 UTC
Hmm, I can't reproduce this with mate-terminal-1.16.1-2.fc25.x86_64.
I used your steps to reproduce.
Here only the terminal window which has focus will close with ctrl-d or exit.
Same if I fire up a lot of terminal windows with ctrl+t (setup in keybindings), I can only close one window.

Comment 2 Wolfgang Ulbrich 2016-11-24 17:41:03 UTC
> custom .desktop file

Why ?
Looks like this causes the issue.

Comment 3 Milan Crha 2016-11-25 10:44:49 UTC
Looking more closely into this, the other instances didn't close, they had been terminated due to a crash. Below is the backtrace. I use a custom .desktop file to have opened a terminal at the position and with the size I want it, without a need to always reposition and resize it. Though the custom launcher is not needed to reproduce it here. Better steps:

a) run a gnome-terminal or any other
b) execute: gdb mate-terminal --ex r
   a new mate terminal window opens
c) in that new window execute: mate-terminal &
   a new mate terminal window opens
d) in that new window press Ctrl+D

Right now the terminal from step a) shows a gdb prompt with the below backtrace. This is with:

mate-terminal-1.16.1-2.fc25.x86_64
vte291-0.46.1-1.fc25.x86_64
gtk3-3.22.2-2.fc25.x86_64

Interestingly, using exactly the same packages as above in a virtual machine does not trigger the crash. Only my real machine reproduces it. It might be about my environment variables, but I'm lazy to find out which one it is exactly, also because when I run the mate-terminal under valgrind [2], then I see a use-after-free on both machines. That's not there with downgraded mate-terminal. It's possible you uncovered a bug in gtk_notebook_detach_tab(), though more likely the detach of the only tab also freed the notebook, which caused the use-after-free. Like in a handler of a "page-removed" signal of the GtkNotebook.

By the way, from the added patch in the 1.16.1-2, using gtk_notebook_detach_tab() on a place whose name suggests that it's going to fully remove the tab, and possibly doesn't have it referenced, really feels like a misuse of the gtk_notebook_detach_tab() function. But it's only my feeling, I'm not familiar with the mate-terminal code at all.

Thread 1 "mate-terminal" received signal SIGSEGV, Segmentation fault.
0x00007ffff68cb6f8 in gtk_notebook_detach_tab (notebook=0x555555bc6480, child=<optimized out>) at gtknotebook.c:3929
3929	  notebook->priv->remove_in_detach = FALSE;
(gdb) bt
#0  0x00007ffff68cb6f8 in gtk_notebook_detach_tab (notebook=0x555555bc6480, child=<optimized out>) at gtknotebook.c:3929
#4  0x00007ffff4ddb43f in <emit signal ??? on instance 0x555555e64da0 [TerminalScreen]> (instance=<optimized out>, signal_id=<optimized out>, detail=<optimized out>) at gsignal.c:3447
    #1  0x00007ffff4dc03e5 in g_closure_invoke (closure=0x555555ed3870, return_value=return_value@entry=0x0, n_param_values=1, param_values=param_values@entry=0x7fffffffd2d0, invocation_hint=invocation_hint@entry=0x7fffffffd250) at gclosure.c:804
    #2  0x00007ffff4dd2432 in signal_emit_unlocked_R (node=node@entry=0x555555a1e730, detail=detail@entry=0, instance=instance@entry=0x555555e64da0, emission_return=emission_return@entry=0x0, instance_and_params=instance_and_params@entry=0x7fffffffd2d0) at gsignal.c:3635
    #3  0x00007ffff4ddb05f in g_signal_emit_valist (instance=<optimized out>, signal_id=<optimized out>, detail=<optimized out>, var_args=var_args@entry=0x7fffffffd490) at gsignal.c:3391
#8  0x00007ffff4ddb43f in <emit signal ??? on instance 0x555555e64da0 [TerminalScreen]> (instance=instance@entry=0x555555e64da0, signal_id=<optimized out>, detail=detail@entry=0) at gsignal.c:3447
    #5  0x00007ffff4dc03e5 in g_closure_invoke (closure=closure@entry=0x555555aa4720, return_value=return_value@entry=0x0, n_param_values=2, param_values=param_values@entry=0x7fffffffd720, invocation_hint=invocation_hint@entry=0x7fffffffd6a0) at gclosure.c:804
    #6  0x00007ffff4dd282d in signal_emit_unlocked_R (node=node@entry=0x555555aa4770, detail=detail@entry=0, instance=instance@entry=0x555555e64da0, emission_return=emission_return@entry=0x0, instance_and_params=instance_and_params@entry=0x7fffffffd720) at gsignal.c:3673
    #7  0x00007ffff4ddb05f in g_signal_emit_valist (instance=<optimized out>, signal_id=<optimized out>, detail=<optimized out>, var_args=var_args@entry=0x7fffffffd8f0) at gsignal.c:3391
#9  0x00007ffff798a6d3 in VteTerminalPrivate::child_watch_done(int, int) (this=0x555555e62d70, status=0, pid=<optimized out>) at vte.cc:3158
#10 0x00007ffff798a753 in VteTerminalPrivate::child_watch_done(int, int) (status=0, pid=2593, this=0x555555e62d70) at vte.cc:3121
#11 0x00007ffff798a753 in child_watch_cb(GPid, int, VteTerminalPrivate*) (pid=2593, pid@entry=<error reading variable: value has been optimized out>, status=0, 
    status@entry=<error reading variable: value has been optimized out>, that=0x555555e62d70, that@entry=<error reading variable: value has been optimized out>) at vte.cc:3120
#12 0x00007ffff4ae48a4 in g_child_watch_dispatch (source=<optimized out>, callback=<optimized out>, user_data=<optimized out>) at gmain.c:5323
#13 0x00007ffff4ae7e42 in g_main_dispatch (context=0x55555580edc0) at gmain.c:3203
#14 0x00007ffff4ae7e42 in g_main_context_dispatch (context=context@entry=0x55555580edc0) at gmain.c:3856
#15 0x00007ffff4ae81c0 in g_main_context_iterate (context=0x55555580edc0, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at gmain.c:3929
#16 0x00007ffff4ae84e2 in g_main_loop_run (loop=0x555555858f80) at gmain.c:4125
#17 0x00007ffff6897395 in gtk_main () at gtkmain.c:1301
#18 0x0000555555567971 in main (argc=<optimized out>, argv=<optimized out>) at terminal.c:633


[2] The valgrind output with debug symbols from command:
    $ G_SLICE=always-malloc valgrind --num-callers=50 mate-terminal
and repeating the steps above from point c):

 Warning: noted but unhandled ioctl 0x5420 with no size/direction hints.
    This could cause spurious value errors to appear.
    See README_MISSING_SYSCALL_OR_IOCTL for guidance on writing a proper wrapper.

 Invalid read of size 8
    at 0x5EFA6F4: gtk_notebook_detach_tab (gtknotebook.c:3929)
    by 0x7C1D3E4: g_closure_invoke (gclosure.c:804)
    by 0x7C2F431: signal_emit_unlocked_R (gsignal.c:3635)
    by 0x7C3805E: g_signal_emit_valist (gsignal.c:3391)
    by 0x7C3843E: g_signal_emit (gsignal.c:3447)
    by 0x7C1D3E4: g_closure_invoke (gclosure.c:804)
    by 0x7C2F82C: signal_emit_unlocked_R (gsignal.c:3673)
    by 0x7C3805E: g_signal_emit_valist (gsignal.c:3391)
    by 0x7C3843E: g_signal_emit (gsignal.c:3447)
    by 0x507A6D2: VteTerminalPrivate::child_watch_done(int, int) [clone .part.64] (vte.cc:3158)
    by 0x507A752: child_watch_done (vte.cc:3121)
    by 0x507A752: child_watch_cb(int, int, VteTerminalPrivate*) (vte.cc:3120)
    by 0x7EA68A3: g_child_watch_dispatch (gmain.c:5323)
    by 0x7EA9E41: g_main_dispatch (gmain.c:3203)
    by 0x7EA9E41: g_main_context_dispatch (gmain.c:3856)
    by 0x7EAA1BF: g_main_context_iterate.isra.24 (gmain.c:3929)
    by 0x7EAA4E1: g_main_loop_run (gmain.c:4125)
    by 0x5EC6394: gtk_main (gtkmain.c:1301)
    by 0x11B970: main (terminal.c:633)
  Address 0x199cc318 is 568 bytes inside a block of size 584 free'd
    at 0x4C2ED4A: free (vg_replace_malloc.c:530)
    by 0x7EAF6BD: g_free (gmem.c:189)
    by 0x7EC820F: g_slice_free1 (gslice.c:1136)
    by 0x7C40B01: g_type_free_instance (gtype.c:1937)
    by 0x5EFA6F3: gtk_notebook_detach_tab (gtknotebook.c:3928)
    by 0x7C1D3E4: g_closure_invoke (gclosure.c:804)
    by 0x7C2F431: signal_emit_unlocked_R (gsignal.c:3635)
    by 0x7C3805E: g_signal_emit_valist (gsignal.c:3391)
    by 0x7C3843E: g_signal_emit (gsignal.c:3447)
    by 0x7C1D3E4: g_closure_invoke (gclosure.c:804)
    by 0x7C2F82C: signal_emit_unlocked_R (gsignal.c:3673)
    by 0x7C3805E: g_signal_emit_valist (gsignal.c:3391)
    by 0x7C3843E: g_signal_emit (gsignal.c:3447)
    by 0x507A6D2: VteTerminalPrivate::child_watch_done(int, int) [clone .part.64] (vte.cc:3158)
    by 0x507A752: child_watch_done (vte.cc:3121)
    by 0x507A752: child_watch_cb(int, int, VteTerminalPrivate*) (vte.cc:3120)
    by 0x7EA68A3: g_child_watch_dispatch (gmain.c:5323)
    by 0x7EA9E41: g_main_dispatch (gmain.c:3203)
    by 0x7EA9E41: g_main_context_dispatch (gmain.c:3856)
    by 0x7EAA1BF: g_main_context_iterate.isra.24 (gmain.c:3929)
    by 0x7EAA4E1: g_main_loop_run (gmain.c:4125)
    by 0x5EC6394: gtk_main (gtkmain.c:1301)
    by 0x11B970: main (terminal.c:633)
  Block was alloc'd at
    at 0x4C2DB9D: malloc (vg_replace_malloc.c:299)
    by 0x7EAF5A8: g_malloc (gmem.c:94)
    by 0x7EC7B02: g_slice_alloc (gslice.c:1025)
    by 0x7EC812D: g_slice_alloc0 (gslice.c:1051)
    by 0x7C40839: g_type_create_instance (gtype.c:1839)
    by 0x7C2269A: g_object_new_internal (gobject.c:1783)
    by 0x7C240AC: g_object_newv (gobject.c:1930)
    by 0x7C24863: g_object_new (gobject.c:1623)
    by 0x13A260: terminal_window_init (terminal-window.c:2194)
    by 0x7C407FA: g_type_create_instance (gtype.c:1866)
    by 0x7C2269A: g_object_new_internal (gobject.c:1783)
    by 0x7C240AC: g_object_newv (gobject.c:1930)
    by 0x7C24863: g_object_new (gobject.c:1623)
    by 0x1217DE: terminal_app_new_window (terminal-app.c:1871)
    by 0x123C12: terminal_app_handle_options (terminal-app.c:1779)
    by 0x11EF30: method_call_cb (terminal.c:192)
    by 0x793529B: call_in_idle_cb (gdbusconnection.c:4836)
    by 0x7EA68E6: g_idle_dispatch (gmain.c:5545)
    by 0x7EA9E41: g_main_dispatch (gmain.c:3203)
    by 0x7EA9E41: g_main_context_dispatch (gmain.c:3856)
    by 0x7EAA1BF: g_main_context_iterate.isra.24 (gmain.c:3929)
    by 0x7EAA4E1: g_main_loop_run (gmain.c:4125)
    by 0x5EC6394: gtk_main (gtkmain.c:1301)
    by 0x11B970: main (terminal.c:633)
 
 Invalid read of size 1
    at 0x5EFA6F8: gtk_notebook_detach_tab (gtknotebook.c:3929)
    by 0x7C1D3E4: g_closure_invoke (gclosure.c:804)
    by 0x7C2F431: signal_emit_unlocked_R (gsignal.c:3635)
    by 0x7C3805E: g_signal_emit_valist (gsignal.c:3391)
    by 0x7C3843E: g_signal_emit (gsignal.c:3447)
    by 0x7C1D3E4: g_closure_invoke (gclosure.c:804)
    by 0x7C2F82C: signal_emit_unlocked_R (gsignal.c:3673)
    by 0x7C3805E: g_signal_emit_valist (gsignal.c:3391)
    by 0x7C3843E: g_signal_emit (gsignal.c:3447)
    by 0x507A6D2: VteTerminalPrivate::child_watch_done(int, int) [clone .part.64] (vte.cc:3158)
    by 0x507A752: child_watch_done (vte.cc:3121)
    by 0x507A752: child_watch_cb(int, int, VteTerminalPrivate*) (vte.cc:3120)
    by 0x7EA68A3: g_child_watch_dispatch (gmain.c:5323)
    by 0x7EA9E41: g_main_dispatch (gmain.c:3203)
    by 0x7EA9E41: g_main_context_dispatch (gmain.c:3856)
    by 0x7EAA1BF: g_main_context_iterate.isra.24 (gmain.c:3929)
    by 0x7EAA4E1: g_main_loop_run (gmain.c:4125)
    by 0x5EC6394: gtk_main (gtkmain.c:1301)
    by 0x11B970: main (terminal.c:633)
  Address 0xec is not stack'd, malloc'd or (recently) free'd
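
The pattern suggested in comment 3 (the only tab is detached, a "page-removed" handler drops the last reference to the notebook, and the detach function then touches the object freed one line earlier), as an added example that is not part of the bug report and is not GTK or mate-terminal code. The `Notebook` type, its functions and the `hold_ref` switch are hypothetical; the model marks the object finalized instead of freeing it, so the stale access can be observed without undefined behaviour.

```c
#include <stdio.h>
#include <stdlib.h>

/* Toy refcounted container (hypothetical stand-in, not GTK code). */
typedef struct Notebook Notebook;
struct Notebook {
    int refcount;
    int finalized;         /* set where real code would free the object */
    int n_pages;
    int remove_in_detach;
    void (*page_removed)(Notebook *nb);   /* single signal-handler slot */
};

typedef struct { int stale_write; int finalized_after; } Outcome;

static Notebook *notebook_new(int n_pages, void (*handler)(Notebook *)) {
    Notebook *nb = calloc(1, sizeof *nb);
    if (!nb) abort();
    nb->refcount = 1;      /* the owning window's reference */
    nb->n_pages = n_pages;
    nb->page_removed = handler;
    return nb;
}

static void notebook_ref(Notebook *nb) { nb->refcount++; }

static void notebook_unref(Notebook *nb) {
    if (--nb->refcount == 0)
        nb->finalized = 1; /* real code frees here; the model only marks it */
}

/* Handler: removing the last page closes the window, which drops its
 * reference to the notebook while the detach call is still running. */
static void close_window_when_empty(Notebook *nb) {
    if (nb->n_pages == 0)
        notebook_unref(nb);
}

/* Set flag, remove page (emits the signal), clear flag. Returns 1 when the
 * final write would land in a finalized object, i.e. a use-after-free. */
static int detach_tab(Notebook *nb, int hold_ref) {
    int stale = 0;
    if (hold_ref)
        notebook_ref(nb);          /* keep the object alive across the emission */
    nb->remove_in_detach = 1;
    nb->n_pages--;
    if (nb->page_removed)
        nb->page_removed(nb);
    if (nb->finalized)
        stale = 1;                 /* real code would write to freed memory here */
    else
        nb->remove_in_detach = 0;
    if (hold_ref)
        notebook_unref(nb);        /* object may be finalized only now */
    return stale;
}

Outcome run_case(int n_pages, int hold_ref) {
    Outcome out;
    Notebook *nb = notebook_new(n_pages, close_window_when_empty);
    out.stale_write = detach_tab(nb, hold_ref);
    out.finalized_after = nb->finalized;
    free(nb);                      /* release the model's backing memory */
    return out;
}

int main(void) {
    Outcome a = run_case(1, 0), b = run_case(1, 1), c = run_case(2, 0);
    printf("only tab, no ref held: stale=%d finalized=%d\n", a.stale_write, a.finalized_after);
    printf("only tab, ref held:    stale=%d finalized=%d\n", b.stale_write, b.finalized_after);
    printf("two tabs, no ref held: stale=%d finalized=%d\n", c.stale_write, c.finalized_after);
    return 0;
}
```

Holding a reference for the duration of the call defers finalization until after the last access, and the object is still released once the call returns.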

Comment 4 Wolfgang Ulbrich 2017-01-27 09:24:35 UTC
Well, if you think it's a regression caused by an upstream commit which fixed another issue, can you please open an upstream report for it?
https://github.com/mate-desktop/mate-terminal

Comment 5 Milan Crha 2017-01-27 11:49:36 UTC
Going one version back in Fedora fixes the crash and the valgrind output as well. And that version only added one patch.

I do not have a github account, I'm sorry.

Comment 6 Wolfgang Ulbrich 2017-01-27 19:58:30 UTC
(In reply to Milan Crha from comment #5)
> Going one version back in Fedora fixes the crash and the valgrind output as
> well. And that version only added one patch.
> 
> I do not have a github account, I'm sorry.

...lol, it's not forbidden to create one.
....and sorry I've a complete work overload.

Comment 7 Wolfgang Ulbrich 2017-01-27 21:35:13 UTC
(In reply to Milan Crha from comment #3)
> Looking more closely into this, the other instances didn't close, they had
> been terminated due to a crash. Below is the backtrace. I use a custom
> .desktop file to have opened a terminal at the position and with the size I
> want it, without a need to always reposition and resize it. Though the
> custom launcher is not needed to reproduce it here. Better steps:
> 
> a) run a gnome-terminal or any other
> b) execute: gdb mate-terminal --ex r
>    a new mate terminal window opens
> c) in that new window execute: mate-terminal &
>    a new mate terminal window opens
> d) in that new window press Ctrl+D
> 
> Right now the terminal from step a) shows a gdb prompt with the below
> backtrace. This is with:
> 
> mate-terminal-1.16.1-2.fc25.x86_64
> vte291-0.46.1-1.fc25.x86_64
> gtk3-3.22.2-2.fc25.x86_64

Again, I can't reproduce the issue with those steps.
On an origin f25 or with a developer version on f24, I don't get any backtrace with gdb.

Comment 8 Milan Crha 2017-01-30 09:01:45 UTC
Okay, step a1): in the gnome-terminal from step a) execute this first:
   $ export G_DEBUG=gc-friendly

Then follow the steps and it crashes. If you try with valgrind, then you'll see the output too, with or without G_DEBUG.

Comment 9 Wolfgang Ulbrich 2017-01-30 10:33:06 UTC
Possible fix from upstream in scratch build
Patch11:       mate-terminal_fix-for-1398234.patch
https://koji.fedoraproject.org/koji/taskinfo?taskID=17497794
If this doesn't help I strongly recommend to talk with them directly at IRC freenode channel mate-dev, ZenWalker is his nickname.

Comment 10 Milan Crha 2017-01-30 11:24:45 UTC
(In reply to Wolfgang Ulbrich from comment #9)
> Possible fix from upstream in scratch build
> Patch11:       mate-terminal_fix-for-1398234.patch

That fixed it, it neither crashes nor valgrind claims anything. Thanks.

Comment 11 Fedora Update System 2017-01-31 09:34:23 UTC
mate-terminal-1.16.1-4.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-2dba9fe0a4

Comment 12 Fedora Update System 2017-01-31 23:49:42 UTC
mate-terminal-1.16.1-4.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-2dba9fe0a4

Comment 13 Fedora Update System 2017-02-09 04:22:01 UTC
mate-terminal-1.16.1-4.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

