Bug 4025 - Segmentation fault in libgobject's g_type_check_instance_cast
Summary: Segmentation fault in libgobject's g_type_check_instance_cast
Status: RESOLVED FIXED
Alias: None
Product: Claws Mail (GTK 2)
Classification: Unclassified
Component: UI/Message List
Version: 3.17.0
Hardware: PC Linux
Importance: P3 normal
Assignee: users
Reported: 2018-05-08 11:43 UTC by Ricardo Mones
Modified: 2018-05-09 07:31 UTC


Attachments
Crash backtrace (6.81 KB, text/plain), 2018-05-08 11:43 UTC, Ricardo Mones

Description Ricardo Mones 2018-05-08 11:43:25 UTC
Created attachment 1872
Crash backtrace

This one is not directly reproducible (at least I had not found the way to do it), but it has been happening here lately several times already; filtered output from dmesg:

[887818.749509] claws-mail[26266]: segfault at 1 ip 00007f70012be95a sp 00007ffd8d230fb0 error 4 in libgobject-2.0.so.0.5000.3[7f700128a000+52000]
[1816326.205629] claws-mail[9140]: segfault at 1 ip 00007f5dcf20395a sp 00007ffc9c2a52b0 error 4 in libgobject-2.0.so.0.5000.3[7f5dcf1cf000+52000]
[2432025.284487] claws-mail[11241]: segfault at 1 ip 00007f9bc314995a sp 00007fff278f1920 error 4 in libgobject-2.0.so.0.5000.3[7f9bc3115000+52000]

After that I decided to run it under gdb for a while and just caught it again today. I think it happened while trying to toggle the message view with the 'v' key, but it surely requires some other condition (I use the 'v' key much more often than it crashes ;). Attached is the gdb backtrace.

Thanks in advance,
Comment 1 wwp 2018-05-08 11:54:32 UTC
I've been struggling with this exact bug since yesterday. To reproduce it here, it is necessary to perform a quicksearch first (then press Hide message view).
The stack trace I get:
#0  0x00007ffff3c0f5b4 in g_type_check_instance_cast () at /lib64/libgobject-2.0.so.0
#1  0x00000000004d8e69 in main_window_toggle_message_view (mainwin=0x1357940) at mainwindow.c:2764
        summaryview = 0x1555420
        ppaned = 0x15e3e70
        container = 0x1
#2  0x000000000059293b in summary_toggle_pressed (summaryview=<optimized out>) at summaryview.c:3854
#3  0x000000000059293b in summary_toggle_pressed (eventbox=<optimized out>, event=<optimized out>, summaryview=0x1555420) at summaryview.c:6838
#4  0x00007ffff7056bdc in _gtk_marshal_BOOLEAN__BOXED () at /lib64/libgtk-x11-2.0.so.0
#5  0x00007ffff3bec968 in g_closure_invoke () at /lib64/libgobject-2.0.so.0
#6  0x00007ffff3bfea7d in signal_emit_unlocked_R () at /lib64/libgobject-2.0.so.0
#7  0x00007ffff3c067dc in g_signal_emit_valist () at /lib64/libgobject-2.0.so.0
#8  0x00007ffff3c06ddf in g_signal_emit () at /lib64/libgobject-2.0.so.0
#9  0x00007ffff7186dc4 in gtk_widget_event_internal () at /lib64/libgtk-x11-2.0.so.0
#10 0x00007ffff7054e04 in gtk_propagate_event () at /lib64/libgtk-x11-2.0.so.0
#11 0x00007ffff70551fb in gtk_main_do_event () at /lib64/libgtk-x11-2.0.so.0
#12 0x00007ffff6cafa0c in gdk_event_dispatch () at /lib64/libgdk-x11-2.0.so.0
#13 0x00007ffff39154c9 in g_main_context_dispatch () at /lib64/libglib-2.0.so.0
#14 0x00007ffff3915818 in g_main_context_iterate.isra.21 () at /lib64/libglib-2.0.so.0
#15 0x00007ffff3915aea in g_main_loop_run () at /lib64/libglib-2.0.so.0
#16 0x00007ffff7054247 in gtk_main () at /lib64/libgtk-x11-2.0.so.0
#17 0x000000000044bfe5 in main (argc=1, argv=0x7fffffffe098) at main.c:1633
Comment 2 wwp 2018-05-08 11:57:54 UTC
Could not find yet why container (mainwin->hpaned) is 0x1. This could look like a mistyped assignment or a wrong memory write (data corruption). Running valgrind didn't show anything specific yet, except what I committed yesterday.
Do you think this crash has been recently introduced?
Comment 3 Michael Rasmussen 2018-05-08 12:29:17 UTC
(In reply to comment #2)
> Could not find yet why container (mainwin->hpaned) is 0x1. This could look
> like a mistyped assignment or a wrong memory write (data corruption).
> Running valgrind didn't show anything specific yet, except what I committed
> yesterday.
> Do you think this crash has been recently introduced?

Could it be a bad cast from a pointer to a struct?
Comment 4 wwp 2018-05-08 12:42:47 UTC
FYI I cannot reproduce the crash with 3.16.0 (built from the same conditions).
Comment 5 Andrej Kacian 2018-05-08 13:11:18 UTC
Something in quicksearch_show() overwrites the beginning of the MainWindow object in memory (hpaned is the first member in the struct). I tried changing the member order, and whichever member is first gets overwritten.

Possibly an off-by-one error somewhere.
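The mechanism described in comment 5, as an added illustration that is not code from Claws Mail or from anyone in this thread: a copy that runs one byte past the object stored just before the window struct lands on whichever member comes first (hpaned here), and a cheap debug-time check catches the clobbered pointer before it reaches the GTK cast. The struct names, the adjacent text buffer and the stub widget are constructed; the actual mistake in quicksearch_show() is not reproduced.

```c
#include <stddef.h>
#include <string.h>

/* Stand-in for Claws Mail's MainWindow (constructed for this example): as in
 * the real struct, the widget pointer the crashing cast uses comes first. */
typedef struct {
    void *hpaned;
    long  other_state;
} FakeMainWindow;

/* Constructed layout: a 16-byte text buffer sits directly before the window
 * object, so its neighbour is fixed instead of being chosen by the allocator. */
typedef struct {
    char           text[16];
    FakeMainWindow win;
} Arena;

/* 16-byte aligned, so its address ends in a zero nibble: the stray byte
 * written below ('x', 0x78) can never coincide with the genuine low byte. */
static _Alignas(16) char widget_stub[16];

/* Copies `count` bytes of src into the arena through a byte pointer over the
 * whole object (well-defined, hence deterministic). A caller passing
 * sizeof text + 1 has the off-by-one: byte 16 is the first byte of hpaned. */
static void copy_text(Arena *a, const char *src, size_t count) {
    unsigned char *bytes = (unsigned char *)a;
    size_t len = strlen(src);
    for (size_t i = 0; i < count && i < sizeof *a; i++)
        bytes[i] = i < len ? (unsigned char)src[i] : 0;
}

/* The check a debug build could run before casting hpaned to a GtkWidget:
 * 1 if the pointer is still what was stored, 0 if it has been clobbered. */
static int hpaned_intact(const Arena *a) {
    return a->win.hpaned == (void *)widget_stub;
}

/* buggy != 0 reproduces the overrun; returns whether hpaned survived. */
int run_scenario(int buggy) {
    Arena a;
    a.win.hpaned = widget_stub;
    a.win.other_state = 42;
    const char *s = "0123456789abcdefx";   /* 17 chars: one more than fits */
    copy_text(&a, s, buggy ? sizeof a.text + 1 : sizeof a.text);
    return hpaned_intact(&a);
}
```

Swapping the order of hpaned and other_state moves the damage to the new first member, which is the reordering experiment comment 5 describes.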
Comment 6 Andrej Kacian 2018-05-08 13:19:16 UTC
(In reply to comment #4)
> FYI I cannot reproduce the crash with 3.16.0 (built from the same
> conditions).

Git bisect is your friend, then. :)
Comment 7 Paul 2018-05-08 13:49:24 UTC
(In reply to comment #4)
> FYI I cannot reproduce the crash with 3.16.0 (built from the same
> conditions).

Revert this commit and you should find that there is no crash:

http://git.claws-mail.org/?p=claws.git;a=commitdiff;h=7fafe08ddd93145b93b9f95a423ed2af8d9f9369
Comment 8 Andrej Kacian 2018-05-08 15:06:24 UTC
Oops, I found my mistake from that commit. Should be fixed now, sorry about that. :)
Comment 9 Ricardo Mones 2018-05-09 07:31:37 UTC
(In reply to comment #8)
> Oops, I found my mistake from that commit. Should be fixed now, sorry about
> that. :)

Indeed, commit 2059b3ae¹ fixes it, many thanks to all! ;-)

¹ http://git.claws-mail.org/?p=claws.git;a=commitdiff;h=2059b3ae33cb6e557a54a0cb2a9f8e7c36608808
