1444405 – [abrt] Crash under atk_gobject_accessible_dispose()

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1444405 - [abrt] Crash under atk_gobject_accessible_dispose()

Summary: [abrt] Crash under atk_gobject_accessible_dispose()

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	atk
Sub Component:
Version:	7.4
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Florian Müllner
QA Contact:	Desktop QE
Docs Contact:
URL:	http://faf.lab.eng.brq.redhat.com/faf...
Whiteboard:
Duplicates (1):	1270015 (view as bug list)
Depends On:	1444490
Blocks:
TreeView+	depends on / blocked

Reported:	2017-04-21 09:47 UTC by Vladimir Benes
Modified:	2017-08-01 12:30 UTC (History)
CC List:	6 users (show)
Fixed In Version:	atk-2.22.0-2.el7
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2017-08-01 12:30:39 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
atk patch (1.35 KB, patch) 2017-04-25 10:41 UTC, Milan Crha	no flags	Details \| Diff
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
GNOME Bugzilla	781715	0	Normal	RESOLVED	Crash under atk_gobject_accessible_dispose()	2020-10-21 17:29:03 UTC
Red Hat Product Errata	RHBA-2017:2100	0	normal	SHIPPED_LIVE	GTK+ bug fix update	2017-08-01 16:06:50 UTC

Description Vladimir Benes 2017-04-21 09:47:42 UTC

This bug has been created based on an anonymous crash report requested by the package maintainer.

Report URL: http://faf.lab.eng.brq.redhat.com/faf/reports/bthash/cecb51eaaf238e8f1cb66dd4549e24b3ddeec11d/

Comment 1 Milan Crha 2017-04-21 10:02:22 UTC

Unfortunately no debug symbols there, neither line numbers, which is a pita, but anyway. Below is the crashing thread. There is also eti_dispose(), like in bug #1270015, but this one is different object, this is in gal-a11y-e-table-item.c, according to the call of free_columns(), which is done there, not in e-table-item.c. The two use the same eti_dispose(), which makes the confusion, especially when there are no debug symbols.

I am not able to reproduce this myself, but we try to find the cause.

Thread 1 (Thread 0x7f2c8ea6ea80 (LWP 26455)):
#0  0x00007f2c84b56e8b in atk_gobject_accessible_dispose () from /lib64/libatk-1.0.so.0
#1  0x00007f2c839c878f in weak_refs_notify () from /lib64/libgobject-2.0.so.0
#2  0x00007f2c839c9602 in g_object_unref () from /lib64/libgobject-2.0.so.0
#3  0x00007f2c8e3e3e39 in free_columns () from /usr/lib64/evolution/libevolution-util.so
#4  0x00007f2c8e3e5fc2 in eti_dispose () from /usr/lib64/evolution/libevolution-util.so
#5  0x00007f2c839c9602 in g_object_unref () from /lib64/libgobject-2.0.so.0
#6  0x00007f2c84b58c11 in atk_object_finalize () from /lib64/libatk-1.0.so.0
#7  0x00007f2c839c96f4 in g_object_unref () from /lib64/libgobject-2.0.so.0
#8  0x00007f2c7a512afd in expiry_func () from /lib64/libatk-bridge-2.0.so.0
#9  0x00007f2c836edeed in g_timeout_dispatch () from /lib64/libglib-2.0.so.0
#10 0x00007f2c836ed4c9 in g_main_context_dispatch () from /lib64/libglib-2.0.so.0
#11 0x00007f2c836ed818 in g_main_context_iterate.isra.21 () from /lib64/libglib-2.0.so.0
#12 0x00007f2c836edaea in g_main_loop_run () from /lib64/libglib-2.0.so.0
#13 0x00007f2c8525a4b5 in gtk_main () from /lib64/libgtk-3.so.0
#14 0x0000000000403de1 in main ()

Comment 2 Milan Crha 2017-04-21 12:47:15 UTC

I want to wait for resolution of bug #1444490, because it's likely it's the cause.

Comment 3 Milan Crha 2017-04-24 18:16:50 UTC

Detailed backtrace of the crash. Line numbers do not match, due to added debug prints, but it shows some other useful things.

It looks like atkgobjectaccesible expects the accessible being alive longer than the object to which it belongs. The crash happens due to atk_gobject_accessible_dispose() is being called with 'data' of already finalized object. From my debug prints:

The object is allocated here:
   etch_init: 0x54b76c0:
	   at g_type_create_instance() at gtype.c:1875
	   by g_object_new_internal() at gobject.c:1785
	   by g_object_newv() at gobject.c:1932
	   by g_object_new() at gobject.c:1623
	   by gal_a11y_e_table_column_header_new() at gal-a11y-e-table-column-header.c:305
	   by eti_ref_child() at gal-a11y-e-table-item.c:331
	   by impl_GetChildAtIndex() at accessible-adaptor.c:184
	   by handle_message() at droute.c:553
	   by _dbus_object_tree_dispatch_and_unlock()
	   by dbus_connection_dispatch()
	   by message_queue_dispatch()
	   by g_main_context_dispatch() at gmain.c:3201
	   by g_main_context_iterate.isra.21() at gmain.c:3927
	   by g_main_loop_run() at gmain.c:4122
	   by gtk_main() at gtkmain.c:1313
	   by main() at main.c:682
	   by __libc_start_main()
	   by _start()

shortly after its scheduled for unref, while it has only one reference:

      spi_leasing_take: obj:0x54b76c0 refs:1 (GalA11yETableColumnHeader)

after a little timeout (taken by spi_leasing) the object is finally freed:

   gal_a11y_e_table_column_header_dispose: 0x54b76c0:
	   at g_object_unref() at gobject.c:3149
	   by expiry_func() at accessible-leasing.c:123
	   by g_timeout_dispatch() at gmain.c:4672
	   by g_main_context_dispatch() at gmain.c:3201
	   by g_main_context_iterate.isra.21() at gmain.c:3927
	   by g_main_loop_run() at gmain.c:4122
	   by gtk_main() at gtkmain.c:1313
	   by main() at main.c:682
	   by __libc_start_main()
	   by _start()

  atk_gobject_accessible_real_dispose: atk-obj:0x54b76c0
     gal_a11y_e_table_column_header_finalize: 0x54b76c0:
  atk_gobject_accessible_real_finalize: atk-obj:0x54b76c0

and then there is called:

free_columns: unreffing 0x498c880
   atk_gobject_accessible_dispose: atk-obj:0x54b76c0

For this already freed object (0x54b76c0).

Program received signal SIGSEGV, Segmentation fault.
0x00007f3e4792bf74 in g_type_check_instance_is_a (type_instance=type_instance@entry=0x54b76c0, iface_type=<optimized out>) at gtype.c:4012
4012	  check = node && node->is_instantiatable && iface && type_node_conforms_to_U (node, iface, TRUE, FALSE);
Missing separate debuginfos, use: debuginfo-install evolution-3.22.6-8.el7.x86_64
#0  0x00007f3e4792bf74 in g_type_check_instance_is_a (type_instance=type_instance@entry=0x54b76c0, iface_type=<optimized out>) at gtype.c:4012
#1  0x00007f3e48a9c087 in atk_gobject_accessible_dispose (data=0x54b76c0) at atkgobjectaccessible.c:162
#2  0x00007f3e4790d78f in weak_refs_notify (data=0x674f7e0) at gobject.c:2638
#3  0x00007f3e523173f6 in etc_dispose (object=0x498c880 [ETableCol]) at e-table-col.c:75
#4  0x00007f3e4790e602 in g_object_unref (_object=0x498c880) at gobject.c:3148
#5  0x00007f3e523938ae in free_columns (columns=0x4d30f50) at gal-a11y-e-table-item.c:85
#6  0x00007f3e52394199 in eti_dispose (object=0x4d2f8b0 [GalA11yETableItem]) at gal-a11y-e-table-item.c:289
#7  0x00007f3e4790e602 in g_object_unref (_object=0x4d2f8b0) at gobject.c:3148
#8  0x00007f3e48a9de01 in atk_object_finalize (object=0x4cb8110 [GalA11yETableColumnHeader]) at atkobject.c:1408
#9  0x00007f3e52392c07 in gal_a11y_e_table_column_header_finalize (object=0x4cb8110 [GalA11yETableColumnHeader]) at gal-a11y-e-table-column-header.c:108
#10 0x00007f3e4790e6f4 in g_object_unref (_object=0x4cb8110) at gobject.c:3185
#11 0x00007f3e3e210c1d in expiry_func (data=data@entry=0x1a3e290) at accessible-leasing.c:122
#12 0x00007f3e47632eed in g_timeout_dispatch (source=0x58c3e80, callback=0x7f3e3e210bc0 <expiry_func>, user_data=0x1a3e290) at gmain.c:4672
#13 0x00007f3e476324c9 in g_main_context_dispatch (context=0x1a19630) at gmain.c:3201
#14 0x00007f3e476324c9 in g_main_context_dispatch (context=context@entry=0x1a19630) at gmain.c:3854
#15 0x00007f3e47632818 in g_main_context_iterate (context=0x1a19630, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at gmain.c:3927
#16 0x00007f3e47632aea in g_main_loop_run (loop=0x4750680) at gmain.c:4123
#17 0x00007f3e4919f4b5 in gtk_main () at gtkmain.c:1312
#18 0x00000000004042a5 in main (argc=1, argv=0x7fff090c22b8) at main.c:679

Comment 4 Milan Crha 2017-04-25 10:39:10 UTC

I'm moving this to atk, because it's the place where the crash happens and which is responsible for the crash. The thing is that atk_gobject_accessible_dispose() is a weak-ref callback, not a real GObjectClass::dispose() implementation and as shown in comment #3, the callback can be called after the underlying object is freed, causing this use-after-free crash.

Comment 5 Milan Crha 2017-04-25 10:41:13 UTC

Created attachment 1273871 [details]
atk patch

This change fixed the issue for me.

Using this, and both changes from bug #1444490, make the dnd_picture test pass successfully.

Comment 6 Milan Crha 2017-04-25 13:29:17 UTC

Filled upstream as:
https://bugzilla.gnome.org/show_bug.cgi?id=781715

Comment 7 Rui Matos 2017-04-25 15:55:16 UTC

Added a patch comment upstream.

Comment 8 Michal Odehnal 2017-05-22 10:31:14 UTC

Hi Milan,
can you please make a devel_ack for this? Scratch build you provided to me fixes this issue but was still not officially released in brew.
Thanks

Comment 9 Milan Crha 2017-05-23 13:42:10 UTC

Upstream patch had been accepted, I'm building atk with it included now.

Comment 11 Milan Crha 2017-05-29 21:23:18 UTC

*** Bug 1270015 has been marked as a duplicate of this bug. ***

Comment 13 Michal Odehnal 2017-05-31 11:44:14 UTC

No longer reproducible.

Comment 14 errata-xmlrpc 2017-08-01 12:30:39 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2100

Note You need to log in before you can comment on or make changes to this bug.