Bug 1472819 - FF crashes when open/save dialog is opened
Summary: FF crashes when open/save dialog is opened
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: gvfs
Version: rawhide
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Ondrej Holy
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
: 1470102 1475549 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-07-19 13:01 UTC by Vít Ondruch
Modified: 2017-07-27 09:51 UTC (History)
10 users (show)

Fixed In Version: gvfs-1.33.3-3.fc27
Clone Of:
Environment:
Last Closed: 2017-07-24 12:38:54 UTC
Type: Bug
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
GNOME Bugzilla 784953 0 None None None 2017-07-24 09:38:02 UTC

Description Vít Ondruch 2017-07-19 13:01:44 UTC 
Description of problem:
Once I try to open/save some file for download/upload, FF immediately crashes. 



Version-Release number of selected component (if applicable):
$ rpm -q firefox
firefox-54.0-2.fc27.x86_64

$ rpm -q gtk2
gtk2-2.24.31-4.fc27.x86_64

$ rpm -q gtk3
gtk3-3.22.16-1.fc27.x86_64



How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:
FF crashes once file open/save dialog is opened.


Expected results:
FF can open/save file.


Additional info:
BTW the same apply for Thunderbird :/

$ rpm -q thunderbird
thunderbird-52.2.0-1.fc27.x86_64
Comment 1 Jan Pokorný [poki] 2017-07-21 11:25:44 UTC 
Observing this too, with sway/wayland.
Comment 2 Jan Horak 2017-07-21 12:35:55 UTC 
I can reproduce in virtual machine too:
...
#5  0x00007f1a5a2fc3f1 in WasmFaultHandler<(Signal)0> (signum=11, info=0x7ffc426463f0, context=0x7ffc426462c0) at /home/jhorak/gecko-dev/js/src/wasm/WasmSigna
lHandlers.cpp:1402
#6  <signal handler called>
#7  0x00007f1a63d5398e in g_type_check_instance_is_fundamentally_a (type_instance=0x7f1a42b4c900, fundamental_type=80) at gtype.c:4025
#8  0x00007f1a63d38b83 in g_object_unref (_object=0x7f1a42b4c900) at gobject.c:3211
#9  0x00007f1a63a3d34a in g_source_callback_unref (cb_data=0x7f1a42a02500) at gmain.c:1566
#10 0x00007f1a63a3cae8 in g_source_destroy_internal (source=0x7f1a3621d100, context=0x7f1a68e70ea0, have_lock=1) at gmain.c:1255
#11 0x00007f1a63a3ede5 in g_main_dispatch (context=0x7f1a68e70ea0) at gmain.c:3172
#12 0x00007f1a63a3fc4f in g_main_context_dispatch (context=0x7f1a68e70ea0) at gmain.c:3813
#13 0x00007f1a63a3fe43 in g_main_context_iterate (context=0x7f1a68e70ea0, block=0, dispatch=1, self=0x7f1a4ac4aa00) at gmain.c:3886
#14 0x00007f1a63a3ff1b in g_main_context_iteration (context=0x7f1a68e70ea0, may_block=0) at gmain.c:3947
#15 0x00007f1a571facd1 in nsAppShell::ProcessNextNativeEvent (this=0x7f1a4244de80, mayWait=false) at /home/jhorak/gecko-dev/widget/gtk/nsAppShell.cpp:280
#16 0x00007f1a571aa85d in nsBaseAppShell::DoProcessNextNativeEvent (this=0x7f1a4244de80, mayWait=false) at /home/jhorak/gecko-dev/widget/nsBaseAppShell.cpp:13
8
...
Looks like free of already freed memory.
Comment 3 Jan Horak 2017-07-21 12:39:02 UTC 
Upstream build crashes too. Looks like problem with gtk3 or glib2 in rawhide.
Comment 4 Jan Horak 2017-07-21 14:49:32 UTC 
Actually downgrading gvfs to 1.33.1 helps to me. Can you acknowledge or deny it?
https://koji.fedoraproject.org/koji/buildinfo?buildID=889019
Comment 5 Jan Horak 2017-07-21 15:12:52 UTC 
*** Bug 1470102 has been marked as a duplicate of this bug. ***
Comment 6 Jan Horak 2017-07-21 15:19:47 UTC 
This seems to be regression in gvfs 1.33.3, most likely introduced by this changeset [1].

The handle_done used to return bool which determine if the object has to be freed in g_main_dispatch [2].

[1] https://github.com/GNOME/gvfs/commit/2eae1086656ebfa1b8eb20019636043a5e151c97#diff-807c42ad4e1b904c0dc56688083e6af9L184
[2] https://github.com/GNOME/glib/blob/c4b5702e08d97b1b1163c2022ad4c7d92bee140c/glib/gmain.c#L3148
Comment 7 Jan Pokorný [poki] 2017-07-21 15:50:47 UTC 
Confirming the workaround from [comment 4].
Looking at "dnf history gvfs", 2017-06-27 indeed vaguely matches
the point I started to observe these problems.

Actually I've once tried searching through upstream bugzilla,
but found no exact hit.

Note that only dialogs spawned by Firefox are affected, despite
looking pretty generic as used by other software.
Does Firefox apply some further tweaks?
Comment 8 Jan Horak 2017-07-24 06:54:06 UTC 
Not tweaks, but it is using gtkfilepicker widget instead of dialog.
Comment 9 Vít Ondruch 2017-07-24 09:17:03 UTC 
(In reply to Jan Horak from comment #4)
> Actually downgrading gvfs to 1.33.1 helps to me. Can you acknowledge or deny
> it?
> https://koji.fedoraproject.org/koji/buildinfo?buildID=889019

This seems to help

(In reply to Jan Pokorný from comment #7)
> Note that only dialogs spawned by Firefox are affected

Also TB is affected ... but the codebase is probably quite similar to TB.
Comment 10 Ondrej Holy 2017-07-24 09:38:02 UTC 
(In reply to Jan Horak from comment #6)
> This seems to be regression in gvfs 1.33.3, most likely introduced by this
> changeset [1].
> 
> The handle_done used to return bool which determine if the object has to be
> freed in g_main_dispatch [2].
> 
> [1]
> https://github.com/GNOME/gvfs/commit/
> 2eae1086656ebfa1b8eb20019636043a5e151c97#diff-
> 807c42ad4e1b904c0dc56688083e6af9L184

Thanks for debugging, yes, this seems to be the culprit, working on fix...
Comment 11 Ondrej Holy 2017-07-24 12:38:54 UTC 
I've just submitted the following build which should fix this issue:
https://koji.fedoraproject.org/koji/taskinfo?taskID=20712601

Thanks all for your help!
Comment 12 Jan Pokorný [poki] 2017-07-24 17:59:02 UTC 
Thanks, confirming gvfs-1.33.3-3 fixes the issue for me.

Btw. FF as flatpak was working well all the time, I've realized.
So while flatpak is a whole new problem surface on its own, it can
help overcome/prove some new regressions thanks to a separate runtime,
or serve as a fallback when available.
Comment 13 George R. Goffe 2017-07-25 15:13:39 UTC 
Hi,

I'm at gvfs-1.33.3-1.fc27.x86_64 and am still seeing this problem. I reported this bug in the Mozilla bugzilla web site at https://bugzilla.mozilla.org/show_bug.cgi?id=1383895. They pointed me to this bug (thank you very much).

Here's the gdb output from that bug below, it seems that gdb doesn't understand the firefox libxul debuginfo? Is this right?

George...

(gdb) where
#0  0x00007fe5174641cf in g_type_check_instance_is_fundamentally_a (type_instance=type_instance@entry=0x7fe4dcaff3c0, fundamental_type=fundamental_type@entry=80) at gtype.c:4025
#1  0x00007fe5174423d5 in g_object_unref (_object=0x7fe4dcaff3c0) at gobject.c:3211
#2  0x00007fe51715ffb8 in g_source_callback_unref (cb_data=0x7fe4f049eb80) at gmain.c:1566
#3  0x00007fe517161804 in g_source_destroy_internal (source=0x7fe4cb919100, context=0x7fe51c0cd480, have_lock=1) at gmain.c:1255
#4  0x00007fe517163640 in g_main_dispatch (context=0x7fe51c0cd480) at gmain.c:3172
#5  0x00007fe517163640 in g_main_context_dispatch (context=context@entry=0x7fe51c0cd480) at gmain.c:3813
#6  0x00007fe517163938 in g_main_context_iterate (context=0x7fe51c0cd480, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at gmain.c:3886
#7  0x00007fe517163c52 in g_main_loop_run (loop=0x7fe4d09f1b00) at gmain.c:4082
#8  0x00007fe519f42543 in gtk_dialog_run (dialog=0x7fe4cf335cf0 [GtkPrintUnixDialog]) at gtkdialog.c:1397
#9  0x00007fe50e171d6e in  () at /opt/firefox-vers1/libxul.so
#10 0x00007fe50e173b43 in  () at /opt/firefox-vers1/libxul.so
#11 0x00007fe50eae492c in  () at /opt/firefox-vers1/libxul.so
#12 0x00007fe50eae30ba in  () at /opt/firefox-vers1/libxul.so
#13 0x00007fe50eae312d in  () at /opt/firefox-vers1/libxul.so
#14 0x00007fe50d3b7f4c in  () at /opt/firefox-vers1/libxul.so
#15 0x00007fe50d484b51 in  () at /opt/firefox-vers1/libxul.so
#16 0x00007fe50eefad65 in  () at /opt/firefox-vers1/libxul.so
#17 0x00007fe50d307891 in  () at /opt/firefox-vers1/libxul.so
#18 0x00007fe50eefa584 in  () at /opt/firefox-vers1/libxul.so
#19 0x00007fe50eea67d6 in  () at /opt/firefox-vers1/libxul.so
#20 0x00007fe50eea65d9 in  () at /opt/firefox-vers1/libxul.so
#21 0x00007fe50eef95a1 in  () at /opt/firefox-vers1/libxul.so
#22 0x00007fe50f778792 in  () at /opt/firefox-vers1/libxul.so
#23 0x00007fe50f91d70a in  () at /opt/firefox-vers1/libxul.so
#24 0x00007fe50fa1895e in  () at /opt/firefox-vers1/libxul.so
#25 0x00007fe50fa321d1 in  () at /opt/firefox-vers1/libxul.so
#26 0x00007fe50fa2f770 in  () at /opt/firefox-vers1/libxul.so
#27 0x00007fe50fa2f3c2 in  () at /opt/firefox-vers1/libxul.so
#28 0x00000000004187ee in _start ()
(gdb) continue
Continuing.
ExceptionHandler::GenerateDump cloned child ExceptionHandler::WaitForContinueSignal waiting for continue signal...
23472
ExceptionHandler::SendContinueSignalToChild sent continue signal to child
Detaching after fork from child process 23473.
Comment 14 George R. Goffe 2017-07-25 15:28:00 UTC 
Hi,

Here's the latest gdb output. I have posted this to the mozilla bug as well. How can I get gdb to "see" the debuginfo that the file command says is present in the FF distributed (latest) libxuŀso?

George...

[Thread 0x7fb2522ff700 (LWP 4329) exited]

Thread 1 "firefox" received signal SIGSEGV, Segmentation fault.
g_type_check_instance_is_fundamentally_a (type_instance=type_instance@entry=0x7fb26ef64120, fundamental_type=fundamental_type@entry=80)
    at gtype.c:4025
4025      node = lookup_type_node_I (type_instance->g_class->g_type);
(gdb) where
#0  0x00007fb2a87641cf in g_type_check_instance_is_fundamentally_a (type_instance=type_instance@entry=0x7fb26ef64120, fundamental_type=fundamental_type@entry=80) at gtype.c:4025
#1  0x00007fb2a87423d5 in g_object_unref (_object=0x7fb26ef64120) at gobject.c:3211
#2  0x00007fb2a845ffb8 in g_source_callback_unref (cb_data=0x7fb26f120520) at gmain.c:1566
#3  0x00007fb2a8461804 in g_source_destroy_internal (source=0x7fb2748e9520, context=0x7fb2ad3cd480, have_lock=1) at gmain.c:1255
#4  0x00007fb2a8463640 in g_main_dispatch (context=0x7fb2ad3cd480) at gmain.c:3172
#5  0x00007fb2a8463640 in g_main_context_dispatch (context=context@entry=0x7fb2ad3cd480) at gmain.c:3813
#6  0x00007fb2a8463938 in g_main_context_iterate (context=0x7fb2ad3cd480, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at gmain.c:3886
#7  0x00007fb2a8463c52 in g_main_loop_run (loop=0x7fb267a57730) at gmain.c:4082
#8  0x00007fb2ab242543 in gtk_dialog_run (dialog=0x7fb25cb294f0 [GtkPrintUnixDialog]) at gtkdialog.c:1397
#9  0x00007fb29f471d6e in  () at /opt/firefox-vers1/libxul.so
#10 0x00007fb29f473b43 in  () at /opt/firefox-vers1/libxul.so
#11 0x00007fb29fde492c in  () at /opt/firefox-vers1/libxul.so
#12 0x00007fb29fde30ba in  () at /opt/firefox-vers1/libxul.so
#13 0x00007fb29fde312d in  () at /opt/firefox-vers1/libxul.so
#14 0x00007fb29e6b7f4c in  () at /opt/firefox-vers1/libxul.so
#15 0x00007fb29e784b51 in  () at /opt/firefox-vers1/libxul.so
#16 0x00007fb2a01fad65 in  () at /opt/firefox-vers1/libxul.so
#17 0x00007fb29e607891 in  () at /opt/firefox-vers1/libxul.so
#18 0x00007fb2a01fa584 in  () at /opt/firefox-vers1/libxul.so
#19 0x00007fb2a01a67d6 in  () at /opt/firefox-vers1/libxul.so
#20 0x00007fb2a01a65d9 in  () at /opt/firefox-vers1/libxul.so
#21 0x00007fb2a01f95a1 in  () at /opt/firefox-vers1/libxul.so
#22 0x00007fb2a0a78792 in  () at /opt/firefox-vers1/libxul.so
#23 0x00007fb2a0c1d70a in  () at /opt/firefox-vers1/libxul.so
#24 0x00007fb2a0d1895e in  () at /opt/firefox-vers1/libxul.so
#25 0x00007fb2a0d321d1 in  () at /opt/firefox-vers1/libxul.so
#26 0x00007fb2a0d2f770 in  () at /opt/firefox-vers1/libxul.so
#27 0x00007fb2a0d2f3c2 in  () at /opt/firefox-vers1/libxul.so
#28 0x00000000004187ee in _start ()
(gdb) continue
Continuing.
ExceptionHandler::GenerateDump cloned child 4379
ExceptionHandler::WaitForContinueSignal waiting for continue signal...
ExceptionHandler::SendContinueSignalToChild sent continue signal to child
Detaching after fork from child process 4380.
[Thread 0x7fb2617ff700 (LWP 4265) exited]
[Thread 0x7fb2647ef700 (LWP 4263) exited]
[Thread 0x7fb2667f1700 (LWP 4261) exited]
[Thread 0x7fb26b0ff700 (LWP 4240) exited]
[Thread 0x7fb27dcff700 (LWP 4237) exited]
[Thread 0x7fb2677f2700 (LWP 4260) exited]
[Thread 0x7fb2712fe700 (LWP 4235) exited]
[Thread 0x7fb2600ff700 (LWP 4266) exited]
[Thread 0x7fb283445700 (LWP 4268) exited]
[Thread 0x7fb25aafd700 (LWP 4272) exited]
[Thread 0x7fb2588ff700 (LWP 4289) exited]
[Thread 0x7fb2512fe700 (LWP 4330) exited]
[Thread 0x7fb2550ff700 (LWP 4293) exited]
[Thread 0x7fb25caff700 (LWP 4342) exited]
[Thread 0x7fb2540fe700 (LWP 4294) exited]
[Thread 0x7fb2562fe700 (LWP 4291) exited]
[Thread 0x7fb2572ff700 (LWP 4290) exited]
[Thread 0x7fb2690fd700 (LWP 4288) exited]
[Thread 0x7fb25dcff700 (LWP 4269) exited]
[Thread 0x7fb25f0fe700 (LWP 4267) exited]
[Thread 0x7fb2657f0700 (LWP 4262) exited]
[Thread 0x7fb26c2ff700 (LWP 4238) exited]
[Thread 0x7fb2722ff700 (LWP 4236) exited]
[Thread 0x7fb26e3ff700 (LWP 4231) exited]
[Thread 0x7fb26fdff700 (LWP 4228) exited]
[Thread 0x7fb2735fe700 (LWP 4225) exited]
[Thread 0x7fb2745ff700 (LWP 4224) exited]
[Thread 0x7fb2765fa700 (LWP 4223) exited]
[Thread 0x7fb2775fb700 (LWP 4222) exited]
[Thread 0x7fb2785fc700 (LWP 4221) exited]
[Thread 0x7fb2795fd700 (LWP 4220) exited]
[Thread 0x7fb27a5fe700 (LWP 4219) exited]
[Thread 0x7fb27b5ff700 (LWP 4218) exited]
[Thread 0x7fb27c8ff700 (LWP 4217) exited]
[Thread 0x7fb27eeff700 (LWP 4215) exited]
[Thread 0x7fb2805ff700 (LWP 4214) exited]
[Thread 0x7fb2844ff700 (LWP 4213) exited]
[Thread 0x7fb289c88700 (LWP 4177) exited]
[Thread 0x7fb28ac89700 (LWP 4176) exited]
[Thread 0x7fb28c2ff700 (LWP 4175) exited]
[Thread 0x7fb28c9f3700 (LWP 4174) exited]
[Thread 0x7fb28cbf4700 (LWP 4173) exited]
[Thread 0x7fb28cdf5700 (LWP 4172) exited]
[Thread 0x7fb28cff6700 (LWP 4171) exited]
[Thread 0x7fb28d1f7700 (LWP 4170) exited]
[Thread 0x7fb28d3f8700 (LWP 4169) exited]
[Thread 0x7fb28d5f9700 (LWP 4168) exited]
[Thread 0x7fb28d7fa700 (LWP 4167) exited]
[Thread 0x7fb28d9fb700 (LWP 4166) exited]
[Thread 0x7fb28dbfc700 (LWP 4165) exited]
[Thread 0x7fb28ddfd700 (LWP 4164) exited]
[Thread 0x7fb28dffe700 (LWP 4163) exited]
[Thread 0x7fb28efff700 (LWP 4162) exited]
[Thread 0x7fb2901fd700 (LWP 4161) exited]
[Thread 0x7fb2911fe700 (LWP 4160) exited]
[Thread 0x7fb2921ff700 (LWP 4159) exited]
[Thread 0x7fb29cf7f700 (LWP 4158) exited]
[Thread 0x7fb2aeac9f00 (LWP 4143) exited]
[Inferior 1 (process 4143) exited with code 013]
(gdb) 2017-07-25 08:22:53: minidump.cc:4808: ERROR: ReadBytes: read 0/32
2017-07-25 08:22:53: minidump.cc:4453: ERROR: Minidump cannot read header
OK
The program is not being run.
(gdb) q
fc27-bash 4.4 ~# rpm -q gvfs
gvfs-1.33.3-1.fc27.x86_64
fc27-bash 4.4 ~# Failed to open curl lib from binary, use libcurl.so instead
Sandbox: Unexpected EOF, op 0 flags 01101 path /tmp/GeckoChildCrash4292.extra
Comment 15 Ondrej Holy 2017-07-26 06:53:13 UTC 
(In reply to George R. Goffe from comment #13)
> Hi,
> 
> I'm at gvfs-1.33.3-1.fc27.x86_64 and am still seeing this problem. I

Please update to gvfs-1.33.3-3.fc27 and try again. If it is still not distributed in all mirrors, you can download the rpm files manually from:
https://koji.fedoraproject.org/koji/taskinfo?taskID=20712601
Comment 16 George R. Goffe 2017-07-26 12:27:27 UTC 
Ondrej,

I just tested these fixes and can verify that they work GREAT!

Thanks to everyone for all the hard work.

George...
Comment 17 Jan Horak 2017-07-27 09:51:56 UTC 
*** Bug 1475549 has been marked as a duplicate of this bug. ***
Note You need to log in before you can comment on or make changes to this bug.