x11-libs/gtk+-2.18.1 (and 2.18 also, before the ebuild was renamed) from the Gnome overlay makes www-client/mozilla-firefox-3.5.3 crash after logging in to gmail.

To reproduce:
1. Create a new firefox profile
2. Install a few extensions - for example https://addons.mozilla.org/en-US/firefox/addon/139 and https://addons.mozilla.org/en-US/firefox/addon/433
3. Log in to gmail.com in one tab, open bugzilla.gnome.org in another tab

With probability >50%, firefox will crash within one minute.

When using gtk-2.16.6 (both with glib-2.20.5 and glib-2.22.1), Firefox is stable. I have observed these symptoms on two separate machines (both ~amd64).

# emerge --info
Portage 2.2_rc43 (default/linux/amd64/2008.0/desktop, gcc-4.4.1, glibc-2.10.1-r0, 2.6.31-gentoo-r1 x86_64)
=================================================================
System uname: Linux-2.6.31-gentoo-r1-x86_64-Intel-R-_Core-TM-2_Duo_CPU_P7370_@_2.00GHz-with-gentoo-2.0.1
Timestamp of tree: Sun, 04 Oct 2009 19:30:21 +0000
distcc 3.1 x86_64-pc-linux-gnu [disabled]
ccache version 2.4 [enabled]
app-shells/bash: 4.0_p33
dev-java/java-config: 1.3.7-r1, 2.1.9-r1
dev-lang/python: 2.4.6, 2.5.4-r3, 2.6.3, 3.1.1-r1
dev-python/pycrypto: 2.0.1-r8
dev-util/ccache: 2.4-r8
dev-util/cmake: 2.6.4-r3
sys-apps/baselayout: 2.0.1
sys-apps/openrc: 0.4.3-r3
sys-apps/sandbox: 2.1
sys-devel/autoconf: 2.13, 2.63-r1
sys-devel/automake: 1.4_p6, 1.5, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10.2, 1.11
sys-devel/binutils: 2.18-r4, 2.19.1-r1
sys-devel/gcc-config: 1.4.1
sys-devel/libtool: 2.2.6a
virtual/os-headers: 2.6.30-r1
ACCEPT_KEYWORDS="amd64 ~amd64"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=native -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/config /var/lib/hsqldb"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/eselect/postgresql /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c /etc/udev/rules.d"
CXXFLAGS="-march=native -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="assume-digests ccache distlocks fixpackages parallel-fetch parllel-fetch preserve-libs protect-owned sandbox sfperms strict unmerge-logs unmerge-orphans userfetch userpriv"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://www.ibiblio.org/pub/Linux/distributions/gentoo"
LANG="en_US.utf8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
LINGUAS="en ru"
I have not been able to produce a core dump (Firefox doesn't seem to leave a core dump even when run from a terminal where I have "ulimit -c unlimited") or a backtrace (for some reason, even when I put -ggdb in CFLAGS, the /usr/lib64/mozilla-firefox/firefox executable is built without debug information).

Messages printed in the terminal immediately before the crash:

(firefox:8401): GLib-GObject-WARNING **: invalid unclassed pointer in cast to `GtkObject'
(firefox:8401): GLib-GObject-WARNING **: instance with invalid (NULL) class pointer
(firefox:8401): GLib-GObject-CRITICAL **: g_signal_handler_disconnect: assertion `G_TYPE_CHECK_INSTANCE (instance)' failed
(firefox:8401): GLib-GObject-WARNING **: instance with invalid (NULL) class pointer
(firefox:8401): GLib-GObject-CRITICAL **: g_signal_handler_disconnect: assertion `G_TYPE_CHECK_INSTANCE (instance)' failed
(firefox:8401): GLib-GObject-WARNING **: invalid unclassed pointer in cast to `GtkObject'
(firefox:8401): GLib-GObject-WARNING **: instance with invalid (NULL) class pointer
(firefox:8401): GLib-GObject-CRITICAL **: g_signal_handler_disconnect: assertion `G_TYPE_CHECK_INSTANCE (instance)' failed
(firefox:8401): GLib-GObject-WARNING **: instance with invalid (NULL) class pointer
(firefox:8401): GLib-GObject-CRITICAL **: g_signal_handler_disconnect: assertion `G_TYPE_CHECK_INSTANCE (instance)' failed
Created attachment 206049 [details]
backtrace

Managed to get a backtrace.

$ gdb /usr/lib64/mozilla-firefox/firefox
[...]
[Thread 0x7fffc90ff910 (LWP 26622) exited]
[Thread 0x7fffce1ff910 (LWP 26623) exited]
[New Thread 0x7fffce1ff910 (LWP 26624)]
[New Thread 0x7fffc90ff910 (LWP 26625)]
(firefox:26586): GLib-GObject-WARNING **: invalid unclassed pointer in cast to `GtkObject'
(firefox:26586): GLib-GObject-WARNING **: instance with invalid (NULL) class pointer
(firefox:26586): GLib-GObject-CRITICAL **: g_signal_handler_disconnect: assertion `G_TYPE_CHECK_INSTANCE (instance)' failed
(firefox:26586): GLib-GObject-WARNING **: instance with invalid (NULL) class pointer
(firefox:26586): GLib-GObject-CRITICAL **: g_signal_handler_disconnect: assertion `G_TYPE_CHECK_INSTANCE (instance)' failed
[Thread 0x7fffce1ff910 (LWP 26624) exited]
[Thread 0x7fffc90ff910 (LWP 26625) exited]
(firefox:26586): GLib-GObject-WARNING **: invalid unclassed pointer in cast to `GtkObject'
(firefox:26586): GLib-GObject-WARNING **: instance with invalid (NULL) class pointer
(firefox:26586): GLib-GObject-CRITICAL **: g_signal_handler_disconnect: assertion `G_TYPE_CHECK_INSTANCE (instance)' failed
(firefox:26586): GLib-GObject-WARNING **: instance with invalid (NULL) class pointer
(firefox:26586): GLib-GObject-CRITICAL **: g_signal_handler_disconnect: assertion `G_TYPE_CHECK_INSTANCE (instance)' failed

Program received signal SIGBUS, Bus error.
0x00007ffff28ff0ff in IA__g_type_check_instance_cast (type_instance=0x7fffcc06c040, iface_type=140737333860672) at gtype.c:3729
3729    gtype.c: No such file or directory.
        in gtype.c
Current language:  auto; currently c
Created attachment 206053 [details]
better backtrace

Better backtrace (thread apply all bt full)
I also reported the bug upstream: https://bugzilla.gnome.org/show_bug.cgi?id=597372
Looks like thread 1 is the interesting block:

Thread 1 (Thread 0x7ffff7fb2710 (LWP 26671)):
#0  0x00007ffff28ff0ff in IA__g_type_check_instance_cast (type_instance=0x7fffdf47db80, iface_type=140737333860672) at gtype.c:3729
        node = 0x3ac200003b40
        iface = <value optimized out>
        is_instantiatable = 1
#1  0x00007fffdfbe65dd in ?? () from /usr/lib64/gtk-2.0/2.10.0/immodules/im-uim.so
No symbol table info available.
#2  0x00007fffdfbe66bc in ?? () from /usr/lib64/gtk-2.0/2.10.0/immodules/im-uim.so
No symbol table info available.
#3  0x00007ffff59c87bd in nsWindow::OnContainerFocusOutEvent (this=0x7fffe3c6fc00, aWidget=<value optimized out>, aEvent=<value optimized out>) at nsWindow.cpp:3062
        tmpWindow = 0x7fffc8fb3bd0 [GdkWindow]
        tmpnsWindow = <value optimized out>
        kungFuDeathGrip = {mRawPtr = 0x7fffcc268600}

It refers to im-uim; could you try disabling scim and see if it fixes the problem?
(In reply to comment #5)
> it refers to im-uim, could you try disabling scim and see if it fixes the
> problem ?

I am using uim, not scim. If I disable it (export GTK_IM_MODULE=gtk-im-context-simple), the crashes seem to go away.

Here is a snippet from a backtrace where uim is compiled with debug enabled:

Thread 1 (Thread 0x7ffff7fb2710 (LWP 30078)):
#0  0x00007ffff28ff0ff in IA__g_type_check_instance_cast (type_instance=0x7fffc637d300, iface_type=140737333860672) at gtype.c:3729
        node = 0x3ac200003b40
        iface = <value optimized out>
        is_instantiatable = 1
#1  0x00007fffdfbe65ed in remove_cur_toplevel () at gtk-im-uim.c:322
No locals.
#2  0x00007fffdfbe66cc in im_uim_focus_out (ic=<value optimized out>) at gtk-im-uim.c:1278
        uic = 0x7fffe28b2980 [GtkIMContextUIM]
#3  0x00007ffff59c87bd in nsWindow::OnContainerFocusOutEvent (this=0x7fffe3c6ec00, aWidget=<value optimized out>, aEvent=<value optimized out>) at nsWindow.cpp:3062
        tmpWindow = 0x7fffc85369c0 [GdkWindow]
        tmpnsWindow = <value optimized out>
        kungFuDeathGrip = {mRawPtr = 0x7fffca117880}
#4  0x00007ffff59c8856 in focus_out_event_cb (widget=0x7fffe3c75100 [MozContainer], event=0x7fffc75b3c10) at nsWindow.cpp:5581
        window = {mRawPtr = 0x7fffe3c6ec00}

The actual behavior seems to be the following: in the process of loading gmail, firefox creates several new (presumably invisible) toplevel windows, focuses in on them (assigning uim as the input manager), and then focuses out (resetting uim back to the main firefox window). But with gtk+-2.18.*, sometimes, when it focuses out and calls im_uim_focus_out, the invisible top-level window is already overwritten with random data (i.e. is deleted). Uim uses the GTK_WIDGET_TOPLEVEL macro to check that the toplevel pointer it is using is actually a toplevel window; that macro makes uim (or rather, glib) follow several pointers to neverland, eventually causing a segmentation fault.
(By the way, debugging this is quite frustrating: to prevent input focus switches, you have to use gdb-remote, and that entails horrible pain.)
(In reply to comment #6)
> gdb-remote

Typo, I meant gdbserver.
That explanation sounds reasonable; firefox and all mozilla derivatives indeed do crazy magic with X to support things like single instance (iirc).
btw, to get a better backtrace you'll need to rebuild the uim stuff with debugging symbols.
Created attachment 208996 [details, diff]
revert commit 6b7fef09ca588ce6e24bb76284adf3fee576f6a5

Using git bisect, found the bad commit:

6b7fef09ca588ce6e24bb76284adf3fee576f6a5 is the first bad commit
commit 6b7fef09ca588ce6e24bb76284adf3fee576f6a5
Author: Matthias Clasen <mclasen@redhat.com>
Date:   Fri Sep 4 20:34:09 2009 -0400

    Don't forget to set the client window on the slave

:040000 040000 670736654da7970d79784649a60a34708319979a a411a3c6bc4d038f8c33c0056116ba7b78fc303f M      gtk

Reverting that commit (using the attached patch) makes firefox function correctly - verified with the gtk+-2.18.3 ebuild in the tree.
I don't believe this is the right approach to the problem. uim must be fixed to not crash everything down, since obviously this commit was made to fix some input method problem. Could you paste this info on the upstream bug?
(In reply to comment #11)
> I don't believe this is the right approach to the problem. uim must be fixed to
> not crash everything down since obviously this commit was made to fix some
> input method problem. Could you paste this info on the upstream bug ?

I also submitted the git bisect information upstream.

It is completely non-obvious to me that this commit fixed an existing input method problem. If it's obvious to you, can you please explain it?

I do not see a good way to patch uim to prevent this crash. How can you detect that a GtkWidget pointer does not point to deleted data? After all, running a GTK_WIDGET_TOPLEVEL() macro to verify the pointer is what causes the segfault, and any other GTK_WIDGET_* macro would cause the same crash.
Hi there. I'm experiencing this bug on x86 since mozilla-firefox-3.5.4 just went stable, but I have gtk+-2.16.6 installed. :\ Strangely enough (or not), I don't get the bug on my amd64 system that has a very similar configuration. I'm also having trouble generating a backtrace with firefox to verify that it is the same bug. What trickery is required? I have used the portage env hack successfully in the past, but it just isn't working here. The firefox ebuild seems to override some of the debugging flags to start with.
Created attachment 210683 [details, diff] uim-1.5.6-toplevel-delete-event.patch Etsushi Kato (uim developer) has found the cause of this bug: uim-1.5.6 did not have a handler to delete the pointer to the toplevel window when the toplevel window is destroyed, and that caused races and crashes in firefox with some versions of gtk+ under certain usage scenarios. His patch to fix the error is attached. See http://bugs.freedesktop.org/show_bug.cgi?id=25139 for details. If I use the attached patch with uim-1.5.6-r3, and use plain gtk+-2.18.3 from the portage tree, firefox is stable and does not crash in gmail. This bug report should probably be reassigned to the CJK team.
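The question in comment #12 (how to tell that a cached GtkWidget pointer is dangling) and the fix described above (clear the pointer from a destroy handler, so it is never dereferenced after the window dies) can be shown in plain C. This is an added illustration, not uim's or GTK's code: the Widget/IMContext types and the destroy-handler list are hypothetical stand-ins for GtkWidget's "destroy" signal, so the program runs without GTK.

```c
#include <assert.h>
#include <stdlib.h>

/* Hypothetical stand-in for a GtkWidget (real GTK is not linked). A widget
 * keeps a list of "destroy" handlers, like GtkObject's destroy signal. */
#define MAX_HANDLERS 4
typedef struct Widget Widget;
typedef void (*destroy_cb)(Widget *w, void *user);
struct Widget {
    int is_toplevel;
    destroy_cb handlers[MAX_HANDLERS];
    void *user_data[MAX_HANDLERS];
    int n_handlers;
};

/* Input-method context caching a toplevel pointer (the field uim kept). */
typedef struct { Widget *toplevel; } IMContext;

static Widget *widget_new_toplevel(void) {
    Widget *w = calloc(1, sizeof *w);
    w->is_toplevel = 1;
    return w;
}

static void widget_connect_destroy(Widget *w, destroy_cb cb, void *user) {
    assert(w->n_handlers < MAX_HANDLERS);
    w->handlers[w->n_handlers] = cb;
    w->user_data[w->n_handlers] = user;
    w->n_handlers++;
}

/* Run destroy handlers, then free: after this any cached pointer dangles. */
static void widget_destroy(Widget *w) {
    for (int i = 0; i < w->n_handlers; i++) w->handlers[i](w, w->user_data[i]);
    free(w);
}

/* The fix: when the toplevel dies, drop the cached pointer. */
static void on_toplevel_destroy(Widget *w, void *user) {
    IMContext *ic = user;
    if (ic->toplevel == w) ic->toplevel = NULL;
}

static void im_set_toplevel(IMContext *ic, Widget *toplevel) {
    ic->toplevel = toplevel;
    widget_connect_destroy(toplevel, on_toplevel_destroy, ic);
}

/* Returns 1 if a live toplevel was handled, 0 if it was already destroyed.
 * Without the destroy handler this would read freed memory (the crash). */
static int im_focus_out(IMContext *ic) {
    if (ic->toplevel == NULL) return 0;
    return ic->toplevel->is_toplevel == 1;
}

/* Firefox's pattern from comment #6: focus in, window destroyed, focus out. */
static int scenario_destroy_then_focus_out(void) {
    IMContext ic = { NULL };
    Widget *top = widget_new_toplevel();
    im_set_toplevel(&ic, top);
    int before = im_focus_out(&ic);   /* 1: toplevel alive */
    widget_destroy(top);
    int after = im_focus_out(&ic);    /* 0: pointer cleared, no use-after-free */
    return before == 1 && after == 0 && ic.toplevel == NULL;
}
```

Checking a pointer with GTK_WIDGET_TOPLEVEL() after the fact cannot work, because the check itself dereferences freed memory; the only reliable approach is to be told at destruction time, as the handler does here.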
uim-1.5.6-r4 in cvs with the patch.
(In reply to comment #13)
> I'm also having trouble generating a backtrace with firefox to verify that it
> is the same bug. What trickery is required?

You can run firefox using the xulrunner-stub executable from net-libs/xulrunner.

cp /usr/lib/xulrunner-1.9.1/xulrunner-stub /usr/lib/mozilla-firefox
mkdir /usr/lib/debug/usr/lib64/mozilla-firefox/
cp /usr/lib/debug/usr/lib64/xulrunner-1.9.1/xulrunner-stub.debug /usr/lib/debug/usr/lib64/mozilla-firefox/

(In reply to comment #15)
> uim-1.5.6-r4 in cvs with the patch.

Thank you, it solves the crash. Closing the bug as fixed.