Bug#708559: Seeing the same issue with chrome
On Sun, 31 May 2015 01:33:17 +0200 Tobias Diedrich wrote:
> I'm seeing the same issue triggered by using dwm and chrome:
[...]
> I suspect that this is a null pointer dereference of icon->priv?
[...]

More likely use-after-free, since priv seems to be allocated together with the main object according to the gtk docs (though priv is 0 in the crash trace; I presume that dispose nulls it out):

(gdb) bt full
#0  0x7282d616 in gtk_tray_icon_manager_filter (xevent=0x7fffd9b0, event=, user_data=0x1fc1e1487ea0) at /build/gtk+2.0-czQfyJ/gtk+2.0-2.24.25/gtk/gtktrayicon-x11.c:400
        icon = 0x1fc1e1487ea0
        xev = 0x7fffd9b0
[...]
(gdb) print icon
$1 = 0x1fc1e1487ea0
(gdb) print *icon
$2 = {parent_instance = {window = {bin = {container = {widget = {object = {parent_instance = {g_type_instance = {g_class = 0xf}, ref_count = 0, qdata = 0x0}, flags = 0}, private_flags = 0, state = 0 '\000', saved_state = 0 '\000', name = 0x , style = 0x, requisition = {width = 2010019790, height = 30670}, allocation = {x = 0, y = -353703190, width = 60138, height = 0}, window = 0xd36cd36cd36c, parent = 0x-e090e0a}, focus_child = 0xf1f6, border_width = 29298, need_resize = 1, resize_mode = 3, reallocate_redraws = 1, has_focus_chain = 1}, child = 0x-20d420d5}, title = 0xdf2b , wmclass_name = 0x0, wmclass_class = 0x0, wm_role = 0x0, focus_widget = 0x0, default_widget = 0x-1, transient_parent = 0x, geometry_info = 0x7fff7fff7fff, frame = 0x-1, group = 0x, configure_request_count = 24541, allow_shrink = 1, allow_grow = 0, configure_notify_received = 1, need_default_position = 1, need_default_size = 0, position = 3, type = 15, has_user_ref_count = 0, has_focus = 0, modal = 0, destroy_with_parent = 1, has_frame = 1, iconify_initially = 0, stick_initially = 0, maximize_initially = 1, decorated = 0, type_hint = 1, gravity = 2, is_active = 0, has_toplevel_focus = 1, frame_left = 0, frame_top = 3941264106, frame_right = 60138, frame_bottom = 0, keys_changed_handler = 2678026866, mnemonic_modifier = 53199, screen = 0x-ccd0cce}, socket_window = 0x1f332, modality_window = 0x1, modality_group = 0x1fc1e9a8b410, grabbed_keys = 0x0, same_app = 0}, priv = 0x0}
(gdb)

Looking at the code, it is supposed to remove the gtk_tray_icon_manager_filter before disposing the object; however, it seems possible that:

1) Either gdk_window_remove_filter is called on the wrong window, as the window argument is looked up anew using gdk_window_lookup_for_display/gdk_screen_get_root_window and I don't know if gdk guarantees that to be the same result,

2) Or it's a threading issue and the filter is invoked on a different thread than the dispose call and they race (since there doesn't seem to be locking).
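A small model of the scenario in point 1, added here as an example (this is not GTK/GDK code; the registry, lookup_root_window and TrayIconPriv are hypothetical stand-ins for the real filter list, window lookup and private struct). It shows the defect pattern a reviewer would look for: a filter added on one window handle and removed via a second lookup that yields a different handle, so the removal silently matches nothing and the entry keeps pointing at an object that is about to be freed. The hardened variant records the handle at registration time and removes on exactly that handle.

```c
/* Added example (hypothetical model, not GTK/GDK code): a tiny event-filter
 * registry showing how a filter can outlive the object it points at when
 * removal uses a freshly looked-up window instead of the one it was added on. */
#include <stdio.h>
#include <stdlib.h>

typedef int (*FilterFunc)(void *xevent, void *user_data);

/* Registry entry keyed by (window, func, user_data); removal must match all
 * three, as a gdk_window_remove_filter-style call does for the given window. */
typedef struct Filter {
    void *window;
    FilterFunc func;
    void *user_data;
    struct Filter *next;
} Filter;

static Filter *registry = NULL;

static void registry_add(void *window, FilterFunc f, void *data)
{
    Filter *e = malloc(sizeof *e);
    e->window = window; e->func = f; e->user_data = data;
    e->next = registry;
    registry = e;
}

/* Returns 1 if an entry matched and was removed, 0 if nothing matched. */
static int registry_remove(void *window, FilterFunc f, void *data)
{
    for (Filter **pp = &registry; *pp; pp = &(*pp)->next) {
        Filter *e = *pp;
        if (e->window == window && e->func == f && e->user_data == data) {
            *pp = e->next;
            free(e);
            return 1;
        }
    }
    return 0;
}

/* Entries still referencing `data` after its owner is disposed are dangling:
 * the next matching event would call the filter with a freed user_data. */
static int registry_count_dangling(void *data)
{
    int n = 0;
    for (Filter *e = registry; e; e = e->next)
        if (e->user_data == data) n++;
    return n;
}

static void registry_clear(void)
{
    while (registry) { Filter *e = registry; registry = e->next; free(e); }
}

/* Models a lookup that does not hand back the same handle twice (the
 * possibility raised in point 1). Two static objects stand in for root windows. */
static char root_first, root_second;
static int lookups;
static void *lookup_root_window(void)
{
    return (lookups++ == 0) ? &root_first : &root_second;
}

static int tray_filter(void *xevent, void *user_data)
{
    (void)xevent; (void)user_data;
    return 0;
}

typedef struct { void *registered_on; } TrayIconPriv;  /* hypothetical */

/* Buggy pattern: add on lookup(), later remove on a second lookup(). */
int dangling_after_dispose_buggy(void)
{
    registry_clear(); lookups = 0;
    TrayIconPriv *priv = calloc(1, sizeof *priv);
    registry_add(lookup_root_window(), tray_filter, priv);
    registry_remove(lookup_root_window(), tray_filter, priv); /* wrong window: no match */
    int dangling = registry_count_dangling(priv);
    free(priv);          /* dispose; the leftover entry now references freed memory */
    registry_clear();
    return dangling;
}

/* Hardened pattern: remember the handle the filter was added on and remove on
 * exactly that handle, independent of what a later lookup returns. */
int dangling_after_dispose_fixed(void)
{
    registry_clear(); lookups = 0;
    TrayIconPriv *priv = calloc(1, sizeof *priv);
    priv->registered_on = lookup_root_window();
    registry_add(priv->registered_on, tray_filter, priv);
    registry_remove(priv->registered_on, tray_filter, priv);
    int dangling = registry_count_dangling(priv);
    free(priv);
    registry_clear();
    return dangling;
}

int main(void)
{
    printf("buggy: %d dangling, fixed: %d dangling\n",
           dangling_after_dispose_buggy(), dangling_after_dispose_fixed());
    return 0;
}
```

The model only covers the handle-mismatch hypothesis; the threading race in point 2 would not be caught by it, since there the removal does match but runs concurrently with a dispatch already in progress.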
Bug#708559: Seeing the same issue with chrome
I'm seeing the same issue triggered by using dwm and chrome:

Program received signal SIGSEGV, Segmentation fault.
0x7282d616 in gtk_tray_icon_manager_filter (xevent=0x7fffd9c0, event=, user_data=0x2b036eb7f9d0) at /build/gtk+2.0-czQfyJ/gtk+2.0-2.24.25/gtk/gtktrayicon-x11.c:400
400     /build/gtk+2.0-czQfyJ/gtk+2.0-2.24.25/gtk/gtktrayicon-x11.c: No such file or directory.
(gdb) bt
#0  0x7282d616 in gtk_tray_icon_manager_filter (xevent=0x7fffd9c0, event=, user_data=0x2b036eb7f9d0) at /build/gtk+2.0-czQfyJ/gtk+2.0-2.24.25/gtk/gtktrayicon-x11.c:400
#1  0x7230ed71 in gdk_event_apply_filters (xevent=0x7fffd9c0, event=0x2b036f9ee500, window=0x0) at /build/gtk+2.0-czQfyJ/gtk+2.0-2.24.25/gdk/x11/gdkevents-x11.c:371
#2  0x72310074 in gdk_event_translate (display=0x2b0364a4d020 [GdkDisplayX11], event=0x2b036f9ee500, xevent=0x7fffd9c0, return_exposes=return_exposes@entry=0) at /build/gtk+2.0-czQfyJ/gtk+2.0-2.24.25/gdk/x11/gdkevents-x11.c:969
#3  0x72311a86 in _gdk_events_queue (display=display@entry=0x2b0364a4d020 [GdkDisplayX11]) at /build/gtk+2.0-czQfyJ/gtk+2.0-2.24.25/gdk/x11/gdkevents-x11.c:2358
#4  0x72311b2e in gdk_event_dispatch (source=, callback=, user_data=) at /build/gtk+2.0-czQfyJ/gtk+2.0-2.24.25/gdk/x11/gdkevents-x11.c:2419
#5  0x772b3c3d in g_main_context_dispatch (context=0x2b03649df790) at /build/glib2.0-NiYzoW/glib2.0-2.44.1/./glib/gmain.c:3122
#6  0x772b3c3d in g_main_context_dispatch (context=context@entry=0x2b03649df790) at /build/glib2.0-NiYzoW/glib2.0-2.44.1/./glib/gmain.c:3737
#7  0x772b3f20 in g_main_context_iterate (context=context@entry=0x2b03649df790, block=block@entry=0, dispatch=dispatch@entry=1, self=) at /build/glib2.0-NiYzoW/glib2.0-2.44.1/./glib/gmain.c:3808
#8  0x772b3fcc in g_main_context_iteration (context=0x2b03649df790, may_block=0) at /build/glib2.0-NiYzoW/glib2.0-2.44.1/./glib/gmain.c:3869
#9  0x565b1e12 in  ()
#10 0x2b03649e4480 in  ()
#11 0x0001565b9500 in  ()
#12 0x0001 in  ()
#13 0x7fffdca8 in  ()
#14 0x55fdc028 in  ()
#15 0x7fffdf50 in  ()
#16 0x7fffdc38 in  ()
#17 0x2b0364a15ea0 in  ()
#18 0x5b3927d0 in  ()
#19 0x56579540 in  ()
#20 0x5b3927d0 in  ()
#21 0x012e444f in  ()
#22 0x2b0364a14c80 in  ()
#23 0x2b0300052a20 in  ()
#24 0x in  ()
(gdb)

The gtktrayicon-x11.c code is this:

383: static GdkFilterReturn
384: gtk_tray_icon_manager_filter (GdkXEvent *xevent,
385:                               GdkEvent  *event,
386:                               gpointer   user_data)
387: {
388:   GtkTrayIcon *icon = user_data;
389:   XEvent *xev = (XEvent *)xevent;
390:
391:   if (xev->xany.type == ClientMessage &&
392:       xev->xclient.message_type == icon->priv->manager_atom &&
393:       xev->xclient.data.l[1] == icon->priv->selection_atom)
394:     {
395:       GTK_NOTE (PLUGSOCKET,
396:                 g_print ("GtkStatusIcon %p: tray manager appeared\n", icon));
397:
398:       gtk_tray_icon_update_manager_window (icon);
399:     }
400:   else if (xev->xany.window == icon->priv->manager_window)
        {
          if (xev->xany.type == PropertyNotify &&
              xev->xproperty.atom == icon->priv->orientation_atom)
            {
              GTK_NOTE (PLUGSOCKET,
                        g_print ("GtkStatusIcon %p: got PropertyNotify on manager window for orientation atom\n", icon));

              gtk_tray_icon_get_orientation_property (icon);
            }
          else if (xev->xany.type == DestroyNotify)
            {
              GTK_NOTE (PLUGSOCKET,
                        g_print ("GtkStatusIcon %p: got DestroyNotify for manager window\n", icon));

              gtk_tray_icon_manager_window_destroyed (icon);
            }
          else
            GTK_NOTE (PLUGSOCKET,
                      g_print ("GtkStatusIcon %p: got other message on manager window\n", icon));
        }

      return GDK_FILTER_CONTINUE;
    }

I suspect that this is a null pointer dereference of icon->priv?

If there is an upstream fix in GTK+3, it would be nice to backport this to the gtk2 lib, as I'm getting ~daily crashes from this bug.