1412958 – gtk3-demo (on Wayland, with GDK_BACKEND=x11) segfaults when invoking Pickers - Folder combo box

Bug 1412958 - gtk3-demo (on Wayland, with GDK_BACKEND=x11) segfaults when invoking Pickers - Folder combo box

Summary: gtk3-demo (on Wayland, with GDK_BACKEND=x11) segfaults when invoking Pickers ...

Keywords:
Status:	CLOSED EOL
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	gtk3
Sub Component:
Version:	26
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Matthias Clasen
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2017-01-13 09:20 UTC by Jan Pokorný [poki]
Modified:	2018-05-29 11:25 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2018-05-29 11:25:02 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Jan Pokorný [poki] 2017-01-13 09:20:40 UTC

coredumpctl info:

Stack trace of thread 2126:
#0  0x00007f3dd357fd52 gtk_menu_shell_select_item (libgtk-3.so.0)
#1  0x00007f3dd348f923 gtk_combo_box_menu_popup (libgtk-3.so.0)
#2  0x00007f3dd348fb96 gtk_combo_box_menu_button_press (libgtk-3.so.0)
#3  0x00007f3dd35634cc _gtk_marshal_BOOLEAN__BOXED (libgtk-3.so.0)
#4  0x00007f3dcefc4535 g_closure_invoke (libgobject-2.0.so.0)
#5  0x00007f3dcefd7042 signal_emit_unlocked_R (libgobject-2.0.so.0)
#6  0x00007f3dcefdfa6f g_signal_emit_valist (libgobject-2.0.so.0)
#7  0x00007f3dcefe031f g_signal_emit (libgobject-2.0.so.0)
#8  0x00007f3dd36afffc gtk_widget_event_internal (libgtk-3.so.0)
#9  0x00007f3dd35605ce propagate_event (libgtk-3.so.0)
#10 0x00007f3dd356260e gtk_main_do_event (libgtk-3.so.0) 
#11 0x00007f3dd3079535 _gdk_event_emit (libgdk-3.so.0) 
#12 0x00007f3dd30aa552 gdk_event_source_dispatch (libgdk-3.so.0) 
#13 0x00007f3dceceaf22 g_main_context_dispatch (libglib-2.0.so.0)
#14 0x00007f3dceceb2a0 g_main_context_iterate.isra.24 (libglib-2.0.so.0)
#15 0x00007f3dceceb34c g_main_context_iteration (libglib-2.0.so.0)
#16 0x00007f3dd1ea95dd g_application_run (libgio-2.0.so.0)
#17 0x0000562c6cb91c00 main (gtk3-demo)
#18 0x00007f3dce1e1601 __libc_start_main (libc.so.6)
#19 0x0000562c6cb91c3a _start (gtk3-demo)

Stack trace of thread 2130: 
#0  0x00007f3dce2c7f99 syscall (libc.so.6)
#1  0x00007f3dced30d3a g_cond_wait_until (libglib-2.0.so.0)
#2  0x00007f3dcecbf919 g_async_queue_pop_intern_unlocked (libglib-2.0.so.0)
#3  0x00007f3dcecbff3c g_async_queue_timeout_pop (libglib-2.0.so.0)
#4  0x00007f3dced1388d g_thread_pool_thread_proxy (libglib-2.0.so.0)
#5  0x00007f3dced12dc3 g_thread_proxy (libglib-2.0.so.0)
#6  0x00007f3dce5957cd start_thread (libpthread.so.0)
#7  0x00007f3dce2cd9af __clone (libc.so.6)

Stack trace of thread 2132: 
#0  0x00007f3dce2c1bbd poll (libc.so.6)
#1  0x00007f3dceceb236 g_main_context_iterate.isra.24 (libglib-2.0.so.0)
#2  0x00007f3dceceb34c g_main_context_iteration (libglib-2.0.so.0)
#3  0x00007f3dc5404fad dconf_gdbus_worker_thread (libdconfsettings.so)
#4  0x00007f3dced12dc3 g_thread_proxy (libglib-2.0.so.0)
#5  0x00007f3dce5957cd start_thread (libpthread.so.0)
#6  0x00007f3dce2cd9af __clone (libc.so.6)

Stack trace of thread 2128: 
#0  0x00007f3dce2c1bbd poll (libc.so.6)
#1  0x00007f3dceceb236 g_main_context_iterate.isra.24 (libglib-2.0.so.0)
#2  0x00007f3dceceb5c2 g_main_loop_run (libglib-2.0.so.0)
#3  0x00007f3dd1ed6786 gdbus_shared_thread_func (libgio-2.0.so.0)
#4  0x00007f3dced12dc3 g_thread_proxy (libglib-2.0.so.0)
#5  0x00007f3dce5957cd start_thread (libpthread.so.0)
#6  0x00007f3dce2cd9af __clone (libc.so.6)

Stack trace of thread 2127:
#0  0x00007f3dce2c1bbd poll (libc.so.6)
#1  0x00007f3dceceb236 g_main_context_iterate.isra.24 (libglib-2.0.so.0)
#2  0x00007f3dceceb34c g_main_context_iteration (libglib-2.0.so.0)
#3  0x00007f3dceceb391 glib_worker_main (libglib-2.0.so.0)
#4  0x00007f3dced12dc3 g_thread_proxy (libglib-2.0.so.0)
#5  0x00007f3dce5957cd start_thread (libpthread.so.0)
#6  0x00007f3dce2cd9af __clone (libc.so.6)

Details on the segfaulting thread:

1243	{
1244	  GtkMenuShellPrivate *priv = menu_shell->priv;
1245	  GtkMenuShellClass *class;
1246	
1247	  g_return_if_fail (GTK_IS_MENU_SHELL (menu_shell));
1248	  g_return_if_fail (GTK_IS_MENU_ITEM (menu_item));    <---
1249	
1250	  class = GTK_MENU_SHELL_GET_CLASS (menu_shell);
1251	
1252	  if (class->select_item &&

#0  0x00007f3dd357fd52 in gtk_menu_shell_select_item (menu_shell=0x562c6f314a20 [GtkTreeMenu], menu_item=0x562c6f418db0) at gtkmenushell.c:1248
        __inst = 0x562c6f418db0
        __t = 94748839607392
        __r = <optimized out>
        priv = <optimized out>
        class = <optimized out>
        __func__ = "gtk_menu_shell_select_item"
#1  0x00007f3dd348f923 in gtk_combo_box_menu_popup (combo_box=combo_box@entry=0x562c6ef0e9a0 [GtkComboBox], trigger_event=trigger_event@entry=0x562c6f4cc3e0) at gtkcombobox.c:2229
        priv = 0x562c6ef0e790
        path = <optimized out>
        active_item = <optimized out>
        width = <optimized out>
        min_width = 0
        nat_width = 0
        border_allocation = {
          x = 27, 
          y = 22060, 
          width = 0, 
          height = 0
        }
        content_allocation = {
          x = 74, 
          y = 131, 
          width = 163, 
          height = 34
        }
        rect_anchor_dy = <optimized out>
        child_height = 27
        active = 0x562c6f418db0
        select = 0x562c6f418db0
        child = <optimized out>
        i = 0x562c6f033340 = {0x562c6f02bda0}
#2  0x00007f3dd348fb96 in gtk_combo_box_menu_button_press (widget=widget@entry=0x562c6f312590 [GtkToggleButton], event=0x562c6f4cc3e0, user_data=0x562c6ef0e9a0) at gtkcombobox.c:2816
        combo_box = 0x562c6ef0e9a0 [GtkComboBox]
        priv = 0x562c6ef0e790
#7  0x00007f3dcefe031f in <emit signal ??? on instance 0x562c6f312590 [GtkToggleButton]> (instance=instance@entry=0x562c6f312590, signal_id=<optimized out>, detail=detail@entry=0) at gsignal.c:3447
        var_args = {{
            gp_offset = 32, 
            fp_offset = 48, 
            overflow_arg_area = 0x7ffe8ff76710, 
            reg_save_area = 0x7ffe8ff76650
          }}
    #3  0x00007f3dd35634cc in _gtk_marshal_BOOLEAN__BOXED (closure=0x562c6f421b90, return_value=0x7ffe8ff76400, n_param_values=<optimized out>, param_values=0x7ffe8ff76460, invocation_hint=<optimized out>, marshal_data=<optimized out>) at gtkmarshalers.c:86
                callback = 0x7f3dd348fb20 <gtk_combo_box_menu_button_press>
                cc = 0x562c6f421b90
                data1 = 0x562c6f312590
                data2 = <optimized out>
                v_return = <optimized out>
                __func__ = "_gtk_marshal_BOOLEAN__BOXED"
    #4  0x00007f3dcefc4535 in g_closure_invoke (closure=0x562c6f421b90, return_value=return_value@entry=0x7ffe8ff76400, n_param_values=2, param_values=param_values@entry=0x7ffe8ff76460, invocation_hint=invocation_hint@entry=0x7ffe8ff763e0) at gclosure.c:804
                marshal = <optimized out>
                marshal_data = <optimized out>
                in_marshal = 0
                real_closure = 0x562c6f421b70
                __func__ = "g_closure_invoke"
    #5  0x00007f3dcefd7042 in signal_emit_unlocked_R (node=node@entry=0x562c6eecfd70, detail=detail@entry=0, instance=instance@entry=0x562c6f312590, emission_return=emission_return@entry=0x7ffe8ff76580, instance_and_params=instance_and_params@entry=0x7ffe8ff76460) at gsignal.c:3635
                tmp = <optimized out>
                handler = 0x562c6f41b640
                accumulator = 0x562c6eecfde0
                emission = {
                  next = 0x0, 
                  instance = 0x562c6f312590, 
                  ihint = {
                    signal_id = 78, 
                    detail = 0, 
                    run_type = G_SIGNAL_RUN_FIRST
                  }, 
                  state = EMISSION_RUN, 
                  chain_type = 4
                }
                class_closure = 0x562c6eecfd20
                handler_list = 0x562c6f41b640
                return_accu = 0x7ffe8ff76400
                accu = {
                  g_type = 20, 
                  data = {{
                      v_int = 0, 
                      v_uint = 0, 
                      v_long = 0, 
                      v_ulong = 0, 
                      v_int64 = 0, 
                      v_uint64 = 0, 
                      v_float = 0, 
                      v_double = 0, 
                      v_pointer = 0x0
                    }, {
                      v_int = 0, 
                      v_uint = 0, 
                      v_long = 0, 
                      v_ulong = 0, 
                      v_int64 = 0, 
                      v_uint64 = 0, 
                      v_float = 0, 
                      v_double = 0, 
                      v_pointer = 0x0
                    }}
                }
                signal_id = 78
                max_sequential_handler_number = 6787
                return_value_altered = 0
    #6  0x00007f3dcefdfa6f in g_signal_emit_valist (instance=<optimized out>, signal_id=<optimized out>, detail=<optimized out>, var_args=var_args@entry=0x7ffe8ff76630) at gsignal.c:3401
                return_value = {
                  g_type = 20, 
                  data = {{
                      v_int = 0, 
                      v_uint = 0, 
                      v_long = 0, 
                      v_ulong = 0, 
                      v_int64 = 0, 
                      v_uint64 = 0, 
                      v_float = 0, 
                      v_double = 0, 
                      v_pointer = 0x0
                    }, {
                      v_int = 0, 
                      v_uint = 0, 
                      v_long = 0, 
                      v_ulong = 0, 
                      v_int64 = 0, 
                      v_uint64 = 0, 
                      v_float = 0, 
                      v_double = 0, 
                      v_pointer = 0x0
                    }}
                }
                error = 0x0
                rtype = 20
                static_scope = 0
                instance_and_params = 0x7ffe8ff76460
                signal_return_type = <optimized out>
                param_values = 0x7ffe8ff76478
                node = <optimized out>
                i = <optimized out>
                n_params = <optimized out>
                __func__ = "g_signal_emit_valist"
#8  0x00007f3dd36afffc in gtk_widget_event_internal (widget=0x562c6f312590 [GtkToggleButton], event=0x562c6f4cc3e0) at gtkwidget.c:7723
        signal_num = <optimized out>
        handled = 0
        event = 0x562c6f4cc3e0
        widget = 0x562c6f312590 [GtkToggleButton]
#9  0x00007f3dd35605ce in propagate_event_up (topmost=<optimized out>, event=<optimized out>, widget=0x562c6f312590 [GtkToggleButton]) at gtkmain.c:2557
        tmp = <optimized out>
        handled_event = <optimized out>
        handled_event = 0
#10 0x00007f3dd35605ce in propagate_event (widget=<optimized out>, event=0x562c6f4cc3e0, captured=<optimized out>, topmost=0x0) at gtkmain.c:2659
        handled_event = 0
#11 0x00007f3dd356260e in gtk_main_do_event (event=0x562c6f4cc3e0) at gtkmain.c:1890
        event_widget = <optimized out>
        grab_widget = 0x562c6f312590 [GtkToggleButton]
        topmost_widget = <optimized out>
        window_group = 0x562c6efdb080 [GtkWindowGroup]
        rewritten_event = <optimized out>
        device = 0x562c6eec7020 [GdkX11DeviceXI2]
        tmp_list = <optimized out>
        __func__ = "gtk_main_do_event"
#12 0x00007f3dd3079535 in _gdk_event_emit (event=event@entry=0x562c6f4cc3e0) at gdkevents.c:73
#13 0x00007f3dd30aa552 in gdk_event_source_dispatch (source=<optimized out>, callback=<optimized out>, user_data=<optimized out>) at gdkeventsource.c:367
        display = <optimized out>
        event = 0x562c6f4cc3e0
#14 0x00007f3dceceaf22 in g_main_dispatch (context=0x562c6ee72c00) at gmain.c:3203
        dispatch = 0x7f3dd30aa530 <gdk_event_source_dispatch>
        prev_source = 0x0
        was_in_call = 0
        user_data = 0x0
        callback = 0x0
        cb_funcs = 0x0
        cb_data = 0x0
        need_destroy = <optimized out>
        source = 0x562c6eec3950
        current = 0x562c6ee80210
        i = 0
[...]

gtk3-3.22.6-2.fc26.x86_64
xorg-x11-server-common-1.19.0-4.fc26.x86_64

Comment 1 Jan Pokorný [poki] 2017-01-16 16:33:36 UTC

(gdb) p *menu_item
> $1 = {
>   parent_instance = {
>     g_type_instance = {
>       g_class =	0xaaaaaaaaaaaaaaaa
>     },                            
>     ref_count = 2863311530,
>     qdata = 0xaaaaaaaaaaaaaaaa
>   },
>   priv = 0xaaaaaaaaaaaaaaaa
> }
(gdb) p *menu_item->priv
> Cannot access memory at address 0xaaaaaaaaaaaaaaaa

This doesn't seem inflicted by using sway/wlc/wayland I use.

Comment 2 Jan Pokorný [poki] 2017-01-17 13:41:17 UTC

Verified this is not specific for Wayland with GDK_BACKEND=x11 in environment.

Comment 3 Jan Pokorný [poki] 2017-01-18 09:32:13 UTC

Updated to these packages without any difference in behavior:
gtk3-3.22.7-1.fc26.x86_64
gdk-pixbuf2-2.36.4-1.fc26.x86_64
xorg-x11-server-*-1.19.1-1.fc26.x86_64

Comment 4 Fedora End Of Life 2017-02-28 10:57:15 UTC

This bug appears to have been reported against 'rawhide' during the Fedora 26 development cycle.
Changing version to '26'.

Comment 5 Fedora End Of Life 2018-05-03 08:11:02 UTC

This message is a reminder that Fedora 26 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 26. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora  'version'
of '26'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version'
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not
able to fix it before Fedora 26 is end of life. If you would still like
to see this bug fixed and are able to reproduce it against a later version
of Fedora, you are encouraged  change the 'version' to a later Fedora
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.

Comment 6 Fedora End Of Life 2018-05-29 11:25:02 UTC

Fedora 26 changed to end-of-life (EOL) status on 2018-05-29. Fedora 26
is no longer maintained, which means that it will not receive any
further security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.

Note You need to log in before you can comment on or make changes to this bug.