Package: libgtk-3-0
Version: 3.2.2-3
Severity: normal

Dear Maintainer,

One iteration of this segfault is a button press event (mouse click) on an Evolution account item in the mail sidebar (right or left click). A crash, or corruption which leads to a crash, ensues; valgrind gives:

==8654== Invalid read of size 4
==8654==    at 0x9AD2865: model_row_changed (gtktreeviewaccessible.c:2001)
==8654==    by 0xD1F6803: g_closure_invoke (gclosure.c:774)
==8654==    by 0xD208789: signal_emit_unlocked_R (gsignal.c:3272)
==8654==    by 0xD211E10: g_signal_emit_valist (gsignal.c:3003)
==8654==    by 0xD211FB1: g_signal_emit (gsignal.c:3060)
==8654==    by 0x9A4D1A2: gtk_tree_store_set_valist (gtktreestore.c:1164)
==8654==    by 0x9A4D236: gtk_tree_store_set (gtktreestore.c:1193)
==8654==    by 0x1E0DFED2: folder_tree_model_set_unread_count (em-folder-tree-model.c:456)
==8654==    by 0xD1F6803: g_closure_invoke (gclosure.c:774)
==8654==    by 0xD208789: signal_emit_unlocked_R (gsignal.c:3272)
==8654==    by 0xD211E10: g_signal_emit_valist (gsignal.c:3003)
==8654==    by 0xD211FB1: g_signal_emit (gsignal.c:3060)
==8654==    by 0x1E0FFF37: flush_updates_idle_cb (mail-folder-cache.c:263)
==8654==    by 0xDA8E0CE: g_main_context_dispatch (gmain.c:2442)
==8654==    by 0xDA8E8C7: g_main_context_iterate.isra.19 (gmain.c:3076)
==8654==    by 0xDA8EE01: g_main_loop_run (gmain.c:3284)
==8654==    by 0x994BEEC: gtk_main (gtkmain.c:1362)
==8654==    by 0x403079: main (main.c:688)
==8654==  Address 0x42207770 is 32 bytes inside a block of size 40 free'd
==8654==    at 0x4C26BCE: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==8654==    by 0xDA7C239: g_hash_table_insert_internal (ghash.c:1108)
==8654==    by 0x9AD3BAC: refresh_cell_index (gtktreeviewaccessible.c:3279)
==8654==    by 0x9ABE6B3: gtk_cell_accessible_get_index_in_parent (gtkcellaccessible.c:99)
==8654==    by 0x18539C37: ??? (in /usr/lib/gtk-3.0/modules/libatk-bridge.so)
==8654==    by 0xD2080D8: signal_emit_unlocked_R (gsignal.c:3238)
==8654==    by 0xD211E10: g_signal_emit_valist (gsignal.c:3003)
==8654==    by 0xD21219C: g_signal_emit_by_name (gsignal.c:3097)
==8654==    by 0x9AD3048: focus_in (gtktreeviewaccessible.c:1957)
==8654==    by 0x994CF67: _gtk_marshal_BOOLEAN__BOXED (gtkmarshalers.c:85)
==8654==    by 0xD1F6803: g_closure_invoke (gclosure.c:774)
==8654==    by 0xD208789: signal_emit_unlocked_R (gsignal.c:3272)
==8654==    by 0xD211BE2: g_signal_emit_valist (gsignal.c:3013)
==8654==    by 0xD211FB1: g_signal_emit (gsignal.c:3060)
==8654==    by 0x9A79A98: gtk_widget_event_internal (gtkwidget.c:6132)
==8654==    by 0x9A85F41: gtk_widget_send_focus_change (gtkwidget.c:14218)
==8654==    by 0x9A8B36F: do_focus_change (gtkwindow.c:5978)
==8654==    by 0x9A8C699: gtk_window_real_set_focus (gtkwindow.c:6217)
==8654==    by 0xD1F6803: g_closure_invoke (gclosure.c:774)
==8654==    by 0xD2085BE: signal_emit_unlocked_R (gsignal.c:3310)
==8654==    by 0xD211E10: g_signal_emit_valist (gsignal.c:3003)
==8654==    by 0xD211FB1: g_signal_emit (gsignal.c:3060)
==8654==    by 0x9A60C95: gtk_tree_view_grab_focus (gtktreeview.c:8432)
==8654==    by 0xD1F6803: g_closure_invoke (gclosure.c:774)
==8654==    by 0xD2085BE: signal_emit_unlocked_R (gsignal.c:3310)
==8654==    by 0xD211E10: g_signal_emit_valist (gsignal.c:3003)
==8654==    by 0xD211FB1: g_signal_emit (gsignal.c:3060)
==8654==    by 0x9A7ABC9: gtk_widget_grab_focus (gtkwidget.c:6415)
==8654==    by 0x9A503C3: grab_focus_and_unset_draw_keyfocus (gtktreeview.c:2811)
==8654==    by 0x9A61870: gtk_tree_view_button_press (gtktreeview.c:3171)
==8654==    by 0x1E0E30F0: folder_tree_button_press_event (em-folder-tree.c:1292)
==8654==    by 0x994CF67: _gtk_marshal_BOOLEAN__BOXED (gtkmarshalers.c:85)
==8654==    by 0xD1F6803: g_closure_invoke (gclosure.c:774)
==8654==    by 0xD2085BE: signal_emit_unlocked_R (gsignal.c:3310)
==8654==    by 0xD211BE2: g_signal_emit_valist (gsignal.c:3013)
==8654==    by 0xD211FB1: g_signal_emit (gsignal.c:3060)
==8654==    by 0x9A79A98: gtk_widget_event_internal (gtkwidget.c:6132)
==8654==    by 0x994C709: gtk_propagate_event (gtkmain.c:2624)
==8654==    by 0x994CB0A: gtk_main_do_event (gtkmain.c:1889)
==8654==    by 0x9E8F6A1: gdk_event_source_dispatch (gdkeventsource.c:360)
==8654==
^Z
(evolution:8654): GLib-WARNING **: Failed to read from child watch wake up pipe: Appel système interrompu
==8654== Invalid read of size 8
==8654==    at 0x9AD3199: gtk_tree_view_accessible_ref_child (gtktreeviewaccessible.c:3252)
==8654==    by 0x9AD3084: idle_cursor_changed (gtktreeviewaccessible.c:1889)
==8654==    by 0x9E624DE: gdk_threads_dispatch (gdk.c:754)
==8654==    by 0xDA8E0CE: g_main_context_dispatch (gmain.c:2442)
==8654==    by 0xDA8E8C7: g_main_context_iterate.isra.19 (gmain.c:3076)
==8654==    by 0xDA8EE01: g_main_loop_run (gmain.c:3284)
==8654==    by 0x994BEEC: gtk_main (gtkmain.c:1362)
==8654==    by 0x403079: main (main.c:688)
==8654==  Address 0x42207750 is 0 bytes inside a block of size 40 free'd
==8654==    at 0x4C26BCE: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==8654==    by 0xDA7C239: g_hash_table_insert_internal (ghash.c:1108)
==8654==    by 0x9AD3BAC: refresh_cell_index (gtktreeviewaccessible.c:3279)
==8654==    by 0x9ABE6B3: gtk_cell_accessible_get_index_in_parent (gtkcellaccessible.c:99)
==8654==    by 0x18539C37: ??? (in /usr/lib/gtk-3.0/modules/libatk-bridge.so)
==8654==    by 0xD2080D8: signal_emit_unlocked_R (gsignal.c:3238)
==8654==    by 0xD211E10: g_signal_emit_valist (gsignal.c:3003)
==8654==    by 0xD21219C: g_signal_emit_by_name (gsignal.c:3097)
==8654==    by 0x9AD3048: focus_in (gtktreeviewaccessible.c:1957)
==8654==    by 0x994CF67: _gtk_marshal_BOOLEAN__BOXED (gtkmarshalers.c:85)
==8654==    by 0xD1F6803: g_closure_invoke (gclosure.c:774)
==8654==    by 0xD208789: signal_emit_unlocked_R (gsignal.c:3272)
==8654==    by 0xD211BE2: g_signal_emit_valist (gsignal.c:3013)
==8654==    by 0xD211FB1: g_signal_emit (gsignal.c:3060)
==8654==    by 0x9A79A98: gtk_widget_event_internal (gtkwidget.c:6132)
==8654==    by 0x9A85F41: gtk_widget_send_focus_change (gtkwidget.c:14218)
==8654==    by 0x9A8B36F: do_focus_change (gtkwindow.c:5978)
==8654==    by 0x9A8C699: gtk_window_real_set_focus (gtkwindow.c:6217)
==8654==    by 0xD1F6803: g_closure_invoke (gclosure.c:774)
==8654==    by 0xD2085BE: signal_emit_unlocked_R (gsignal.c:3310)
==8654==    by 0xD211E10: g_signal_emit_valist (gsignal.c:3003)
==8654==    by 0xD211FB1: g_signal_emit (gsignal.c:3060)
==8654==    by 0x9A60C95: gtk_tree_view_grab_focus (gtktreeview.c:8432)
==8654==    by 0xD1F6803: g_closure_invoke (gclosure.c:774)
==8654==    by 0xD2085BE: signal_emit_unlocked_R (gsignal.c:3310)
==8654==    by 0xD211E10: g_signal_emit_valist (gsignal.c:3003)
==8654==    by 0xD211FB1: g_signal_emit (gsignal.c:3060)
==8654==    by 0x9A7ABC9: gtk_widget_grab_focus (gtkwidget.c:6415)
==8654==    by 0x9A503C3: grab_focus_and_unset_draw_keyfocus (gtktreeview.c:2811)
==8654==    by 0x9A61870: gtk_tree_view_button_press (gtktreeview.c:3171)
==8654==    by 0x1E0E30F0: folder_tree_button_press_event (em-folder-tree.c:1292)
==8654==    by 0x994CF67: _gtk_marshal_BOOLEAN__BOXED (gtkmarshalers.c:85)
==8654==    by 0xD1F6803: g_closure_invoke (gclosure.c:774)
==8654==    by 0xD2085BE: signal_emit_unlocked_R (gsignal.c:3310)
==8654==    by 0xD211BE2: g_signal_emit_valist (gsignal.c:3013)
==8654==    by 0xD211FB1: g_signal_emit (gsignal.c:3060)
==8654==    by 0x9A79A98: gtk_widget_event_internal (gtkwidget.c:6132)
==8654==    by 0x994C709: gtk_propagate_event (gtkmain.c:2624)
==8654==    by 0x994CB0A: gtk_main_do_event (gtkmain.c:1889)
==8654==    by 0x9E8F6A1: gdk_event_source_dispatch (gdkeventsource.c:360)
==8654==
==8654== Invalid read of size 8
==8654==    at 0x9AD0AD4: cell_info_free (gtktreeviewaccessible.c:213)
==8654==    by 0xDA7C239: g_hash_table_insert_internal (ghash.c:1108)
==8654==    by 0x9ACF834: cell_info_new (gtktreeviewaccessible.c:3236)
==8654==    by 0x9AD32F8: gtk_tree_view_accessible_ref_child (gtktreeviewaccessible.c:573)
==8654==    by 0x9AD3084: idle_cursor_changed (gtktreeviewaccessible.c:1889)
==8654==    by 0x9E624DE: gdk_threads_dispatch (gdk.c:754)
==8654==    by 0xDA8E0CE: g_main_context_dispatch (gmain.c:2442)
==8654==    by 0xDA8E8C7: g_main_context_iterate.isra.19 (gmain.c:3076)
==8654==    by 0xDA8EE01: g_main_loop_run (gmain.c:3284)
==8654==    by 0x994BEEC: gtk_main (gtkmain.c:1362)
==8654==    by 0x403079: main (main.c:688)
==8654==  Address 0x42207758 is 8 bytes inside a block of size 40 free'd
==8654==    at 0x4C26BCE: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==8654==    by 0xDA7C239: g_hash_table_insert_internal (ghash.c:1108)
==8654==    by 0x9AD3BAC: refresh_cell_index (gtktreeviewaccessible.c:3279)
==8654==    by 0x9ABE6B3: gtk_cell_accessible_get_index_in_parent (gtkcellaccessible.c:99)
==8654==    by 0x18539C37: ??? (in /usr/lib/gtk-3.0/modules/libatk-bridge.so)
==8654==    by 0xD2080D8: signal_emit_unlocked_R (gsignal.c:3238)
==8654==    by 0xD211E10: g_signal_emit_valist (gsignal.c:3003)
==8654==    by 0xD21219C: g_signal_emit_by_name (gsignal.c:3097)
==8654==    by 0x9AD3048: focus_in (gtktreeviewaccessible.c:1957)
==8654==    by 0x994CF67: _gtk_marshal_BOOLEAN__BOXED (gtkmarshalers.c:85)
==8654==    by 0xD1F6803: g_closure_invoke (gclosure.c:774)
==8654==    by 0xD208789: signal_emit_unlocked_R (gsignal.c:3272)
==8654==    by 0xD211BE2: g_signal_emit_valist (gsignal.c:3013)
==8654==    by 0xD211FB1: g_signal_emit (gsignal.c:3060)
==8654==    by 0x9A79A98: gtk_widget_event_internal (gtkwidget.c:6132)
==8654==    by 0x9A85F41: gtk_widget_send_focus_change (gtkwidget.c:14218)
==8654==    by 0x9A8B36F: do_focus_change (gtkwindow.c:5978)
==8654==    by 0x9A8C699: gtk_window_real_set_focus (gtkwindow.c:6217)
==8654==    by 0xD1F6803: g_closure_invoke (gclosure.c:774)
==8654==    by 0xD2085BE: signal_emit_unlocked_R (gsignal.c:3310)
==8654==    by 0xD211E10: g_signal_emit_valist (gsignal.c:3003)
==8654==    by 0xD211FB1: g_signal_emit (gsignal.c:3060)
==8654==    by 0x9A60C95: gtk_tree_view_grab_focus (gtktreeview.c:8432)
==8654==    by 0xD1F6803: g_closure_invoke (gclosure.c:774)
==8654==    by 0xD2085BE: signal_emit_unlocked_R (gsignal.c:3310)
==8654==    by 0xD211E10: g_signal_emit_valist (gsignal.c:3003)
==8654==    by 0xD211FB1: g_signal_emit (gsignal.c:3060)
==8654==    by 0x9A7ABC9: gtk_widget_grab_focus (gtkwidget.c:6415)
==8654==    by 0x9A503C3: grab_focus_and_unset_draw_keyfocus (gtktreeview.c:2811)
==8654==    by 0x9A61870: gtk_tree_view_button_press (gtktreeview.c:3171)
==8654==    by 0x1E0E30F0: folder_tree_button_press_event (em-folder-tree.c:1292)
==8654==    by 0x994CF67: _gtk_marshal_BOOLEAN__BOXED (gtkmarshalers.c:85)
==8654==    by 0xD1F6803: g_closure_invoke (gclosure.c:774)
==8654==    by 0xD2085BE: signal_emit_unlocked_R (gsignal.c:3310)
==8654==    by 0xD211BE2: g_signal_emit_valist (gsignal.c:3013)
==8654==    by 0xD211FB1: g_signal_emit (gsignal.c:3060)
==8654==    by 0x9A79A98: gtk_widget_event_internal (gtkwidget.c:6132)
==8654==    by 0x994C709: gtk_propagate_event (gtkmain.c:2624)
==8654==    by 0x994CB0A: gtk_main_do_event (gtkmain.c:1889)
==8654==    by 0x9E8F6A1: gdk_event_source_dispatch (gdkeventsource.c:360)
==8654==
==8654== Invalid free() / delete / delete[] / realloc()
==8654==    at 0x4C26BCE: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==8654==    by 0xDA7C239: g_hash_table_insert_internal (ghash.c:1108)
==8654==    by 0x9ACF834: cell_info_new (gtktreeviewaccessible.c:3236)
==8654==    by 0x9AD32F8: gtk_tree_view_accessible_ref_child (gtktreeviewaccessible.c:573)
==8654==    by 0x9AD3084: idle_cursor_changed (gtktreeviewaccessible.c:1889)
==8654==    by 0x9E624DE: gdk_threads_dispatch (gdk.c:754)
==8654==    by 0xDA8E0CE: g_main_context_dispatch (gmain.c:2442)
==8654==    by 0xDA8E8C7: g_main_context_iterate.isra.19 (gmain.c:3076)
==8654==    by 0xDA8EE01: g_main_loop_run (gmain.c:3284)
==8654==    by 0x994BEEC: gtk_main (gtkmain.c:1362)
==8654==    by 0x403079: main (main.c:688)
==8654==  Address 0x42207750 is 0 bytes inside a block of size 40 free'd
==8654==    at 0x4C26BCE: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==8654==    by 0xDA7C239: g_hash_table_insert_internal (ghash.c:1108)
==8654==    by 0x9AD3BAC: refresh_cell_index (gtktreeviewaccessible.c:3279)
==8654==    by 0x9ABE6B3: gtk_cell_accessible_get_index_in_parent (gtkcellaccessible.c:99)
==8654==    by 0x18539C37: ??? (in /usr/lib/gtk-3.0/modules/libatk-bridge.so)
==8654==    by 0xD2080D8: signal_emit_unlocked_R (gsignal.c:3238)
==8654==    by 0xD211E10: g_signal_emit_valist (gsignal.c:3003)
==8654==    by 0xD21219C: g_signal_emit_by_name (gsignal.c:3097)
==8654==    by 0x9AD3048: focus_in (gtktreeviewaccessible.c:1957)
==8654==    by 0x994CF67: _gtk_marshal_BOOLEAN__BOXED (gtkmarshalers.c:85)
==8654==    by 0xD1F6803: g_closure_invoke (gclosure.c:774)
==8654==    by 0xD208789: signal_emit_unlocked_R (gsignal.c:3272)
==8654==    by 0xD211BE2: g_signal_emit_valist (gsignal.c:3013)
==8654==    by 0xD211FB1: g_signal_emit (gsignal.c:3060)
==8654==    by 0x9A79A98: gtk_widget_event_internal (gtkwidget.c:6132)
==8654==    by 0x9A85F41: gtk_widget_send_focus_change (gtkwidget.c:14218)
==8654==    by 0x9A8B36F: do_focus_change (gtkwindow.c:5978)
==8654==    by 0x9A8C699: gtk_window_real_set_focus (gtkwindow.c:6217)
==8654==    by 0xD1F6803: g_closure_invoke (gclosure.c:774)
==8654==    by 0xD2085BE: signal_emit_unlocked_R (gsignal.c:3310)
==8654==    by 0xD211E10: g_signal_emit_valist (gsignal.c:3003)
==8654==    by 0xD211FB1: g_signal_emit (gsignal.c:3060)
==8654==    by 0x9A60C95: gtk_tree_view_grab_focus (gtktreeview.c:8432)
==8654==    by 0xD1F6803: g_closure_invoke (gclosure.c:774)
==8654==    by 0xD2085BE: signal_emit_unlocked_R (gsignal.c:3310)
==8654==    by 0xD211E10: g_signal_emit_valist (gsignal.c:3003)
==8654==    by 0xD211FB1: g_signal_emit (gsignal.c:3060)
==8654==    by 0x9A7ABC9: gtk_widget_grab_focus (gtkwidget.c:6415)
==8654==    by 0x9A503C3: grab_focus_and_unset_draw_keyfocus (gtktreeview.c:2811)
==8654==    by 0x9A61870: gtk_tree_view_button_press (gtktreeview.c:3171)
==8654==    by 0x1E0E30F0: folder_tree_button_press_event (em-folder-tree.c:1292)
==8654==    by 0x994CF67: _gtk_marshal_BOOLEAN__BOXED (gtkmarshalers.c:85)
==8654==    by 0xD1F6803: g_closure_invoke (gclosure.c:774)
==8654==    by 0xD2085BE: signal_emit_unlocked_R (gsignal.c:3310)
==8654==    by 0xD211BE2: g_signal_emit_valist (gsignal.c:3013)
==8654==    by 0xD211FB1: g_signal_emit (gsignal.c:3060)
==8654==    by 0x9A79A98: gtk_widget_event_internal (gtkwidget.c:6132)
==8654==    by 0x994C709: gtk_propagate_event (gtkmain.c:2624)
==8654==    by 0x994CB0A: gtk_main_do_event (gtkmain.c:1889)
==8654==    by 0x9E8F6A1: gdk_event_source_dispatch (gdkeventsource.c:360)
==8654==

Attached patch from upstream gtk-3-2 branch fixes it. I tested it, thus the 3.2.2-3.1 versioning of my packages.

Cheers,
Alban

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-rc5test0-00038-g373da0a (SMP w/2 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libgtk-3-0 depends on:
ii  libatk1.0-0         2.2.0-2
ii  libc6               2.13-23
ii  libcairo-gobject2   1.10.2-6.1
ii  libcairo2           1.10.2-6.1
ii  libcolord1          0.1.13-1
ii  libcomerr2          1.42-1
ii  libcups2            1.5.0-13
ii  libfontconfig1      2.8.0-3
ii  libfreetype6        2.4.8-1
ii  libgcrypt11         1.5.0-3
ii  libgdk-pixbuf2.0-0  2.24.0-1
ii  libglib2.0-0        2.30.2-4
ii  libgnutls26         2.12.14-4
ii  libgssapi-krb5-2    1.10+dfsg~alpha1-6
ii  libgtk-3-common     3.2.2-3.1
ii  libk5crypto3        1.10+dfsg~alpha1-6
ii  libkrb5-3           1.10+dfsg~alpha1-6
ii  libpango1.0-0       1.29.4-2
ii  libx11-6            2:1.4.4-4
ii  libxcomposite1      1:0.4.3-2
ii  libxcursor1         1:1.1.12-1
ii  libxdamage1         1:1.1.3-2
ii  libxext6            2:1.3.0-3
ii  libxfixes3          1:5.0-4
ii  libxi6              2:1.4.3-3
ii  libxinerama1        2:1.1.1-3
ii  libxrandr2          2:1.3.2-2
ii  multiarch-support   2.13-23
ii  shared-mime-info    0.90-1
ii  zlib1g              1:1.2.5.dfsg-1

Versions of packages libgtk-3-0 recommends:
ii  hicolor-icon-theme  0.12-1
ii  libgtk-3-bin        3.2.2-3.1

Versions of packages libgtk-3-0 suggests:
ii  gvfs             1.10.1-2
ii  librsvg2-common  2.34.2-1

-- no debconf information

Index: debian/patches/081_a11y-Fix-crash-in-treeview.patch =================================================================== --- debian/patches/081_a11y-Fix-crash-in-treeview.patch (révision 0) +++ debian/patches/081_a11y-Fix-crash-in-treeview.patch (révision 0) @@ -0,0 +1,30 @@ +From 512ac214c68d7806bfab05f5311007169892d914 Mon Sep 17 00:00:00 2001 +From: Benjamin Otte <o...@redhat.com> +Date: Sat, 26 Nov 2011 16:50:53 +0000 +Subject: a11y: Fix crash in treeview + +This is a band-aid fix. The master branch has a complete rework of the +treeview a11y code. Let's hope this will cause most crashes to magically +disappear. This code has been indexing by random memory on the stack for +a long while and things didn't crash, so let's hope for the best. + +https://bugzilla.gnome.org/show_bug.cgi?id=663322 +https://bugzilla.gnome.org/show_bug.cgi?id=664137 +--- +diff --git a/gtk/a11y/gtktreeviewaccessible.c b/gtk/a11y/gtktreeviewaccessible.c +index b2ca9ba..a8e4014 100644 +--- a/gtk/a11y/gtktreeviewaccessible.c ++++ b/gtk/a11y/gtktreeviewaccessible.c +@@ -3275,8 +3275,9 @@ refresh_cell_index (GtkCellAccessible *cell) + return; + + cell_info_get_index (tree_view, info, &index); ++ g_hash_table_steal (accessible->cell_info_by_index, &cell->index); + cell->index = index; +- g_hash_table_insert (accessible->cell_info_by_index, &index, info); ++ g_hash_table_insert (accessible->cell_info_by_index, &cell->index, info); + } + + static void +-- +cgit v0.9.0.2 Index: debian/patches/series =================================================================== --- debian/patches/series (révision 32058) +++ debian/patches/series (copie de travail) @@ -14,3 +14,4 @@ 061_multiarch_module_fallback.patch 70-Fix-document-generation-in-out-of-tree-builds.patch 080_filechooserdefault-Don-t-unref-value-twice.patch +081_a11y-Fix-crash-in-treeview.patch
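
Review bot: in the refresh_cell_index hunk, the return value of g_hash_table_steal() is dropped, so nothing records whether an entry was actually found under the old cell->index; if none was, the g_hash_table_insert() that follows can leave a second key referring to the same info. Checking the gboolean result, or at least adding a comment that the steal has to stay ahead of `cell->index = index;` because the key storage is the very field being overwritten, would make that ordering dependency explicit. The valgrind trace in the report also reaches cell_info_free from an insert in cell_info_new (gtktreeviewaccessible.c:3236), which this hunk does not touch, so it is worth confirming that insert keys on storage that outlives the call as well. On the packaging side, the new patch file keeps the cgit footer and carries no reference to this bug report; a short header naming the upstream commit and the Debian bug would help whoever has to drop the patch once the reworked a11y code lands.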