Bug 287687 - [gnome overlay] x11-libs/gtk+-2.18.1 makes firefox crash in gmail
Summary: [gnome overlay] x11-libs/gtk+-2.18.1 makes firefox crash in gmail
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] GNOME (show other bugs)
Hardware: All Linux
Importance: High critical
Assignee: Gentoo Linux Gnome Desktop Team
URL: https://bugzilla.gnome.org/show_bug.c...
Whiteboard:
Keywords:
Depends on:
Blocks: gnome2.28
Reported: 2009-10-05 00:56 UTC by Alexandre Rostovtsev (RETIRED)
Modified: 2009-11-20 22:48 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments
backtrace (backtrace2.log,4.89 KB, text/plain)
2009-10-05 02:45 UTC, Alexandre Rostovtsev (RETIRED)
better backtrace (backtrace3.log,38.15 KB, text/plain)
2009-10-05 02:56 UTC, Alexandre Rostovtsev (RETIRED)
revert commit 6b7fef09ca588ce6e24bb76284adf3fee576f6a5 (gtk+-2.18-revert-dont-forget-to-set-client-window.patch,509 bytes, patch)
2009-11-01 23:43 UTC, Alexandre Rostovtsev (RETIRED)
uim-1.5.6-toplevel-delete-event.patch (uim-1.5.6-toplevel-delete-event.patch,870 bytes, patch)
2009-11-20 08:30 UTC, Alexandre Rostovtsev (RETIRED)

Description Alexandre Rostovtsev (RETIRED) gentoo-dev 2009-10-05 00:56:52 UTC
x11-libs/gtk+-2.18.1 (and 2.18 also, before the ebuild was renamed) from the Gnome overlay makes www-client/mozilla-firefox-3.5.3 crash after logging in to gmail.

To reproduce:
1. Create a new firefox profile
2. Install a few extensions - for example https://addons.mozilla.org/en-US/firefox/addon/139 and https://addons.mozilla.org/en-US/firefox/addon/433
3. Log in to gmail.com in one tab, open bugzilla.gnome.org in another tab
With probability >50%, firefox will crash within one minute.

When using gtk-2.16.6 (both with glib-2.20.5 and glib-2.22.1), Firefox is stable.

I have observed these symptoms on two separate machines (both ~amd64).

# emerge --info
Portage 2.2_rc43 (default/linux/amd64/2008.0/desktop, gcc-4.4.1, glibc-2.10.1-r0, 2.6.31-gentoo-r1 x86_64)
=================================================================
System uname: Linux-2.6.31-gentoo-r1-x86_64-Intel-R-_Core-TM-2_Duo_CPU_P7370_@_2.00GHz-with-gentoo-2.0.1
Timestamp of tree: Sun, 04 Oct 2009 19:30:21 +0000
distcc 3.1 x86_64-pc-linux-gnu [disabled]
ccache version 2.4 [enabled]
app-shells/bash:     4.0_p33
dev-java/java-config: 1.3.7-r1, 2.1.9-r1
dev-lang/python:     2.4.6, 2.5.4-r3, 2.6.3, 3.1.1-r1
dev-python/pycrypto: 2.0.1-r8
dev-util/ccache:     2.4-r8
dev-util/cmake:      2.6.4-r3
sys-apps/baselayout: 2.0.1
sys-apps/openrc:     0.4.3-r3
sys-apps/sandbox:    2.1
sys-devel/autoconf:  2.13, 2.63-r1
sys-devel/automake:  1.4_p6, 1.5, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10.2, 1.11
sys-devel/binutils:  2.18-r4, 2.19.1-r1
sys-devel/gcc-config: 1.4.1
sys-devel/libtool:   2.2.6a
virtual/os-headers:  2.6.30-r1
ACCEPT_KEYWORDS="amd64 ~amd64"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=native -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/config /var/lib/hsqldb"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/eselect/postgresql /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c /etc/udev/rules.d"
CXXFLAGS="-march=native -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="assume-digests ccache distlocks fixpackages parallel-fetch parllel-fetch preserve-libs protect-owned sandbox sfperms strict unmerge-logs unmerge-orphans userfetch userpriv"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://www.ibiblio.org/pub/Linux/distributions/gentoo"
LANG="en_US.utf8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
LINGUAS="en ru"
Comment 1 Alexandre Rostovtsev (RETIRED) gentoo-dev 2009-10-05 01:40:07 UTC
I have not been able to produce a core dump (Firefox doesn't seem to leave a core dump even when run from a terminal where I have "ulimit -c unlimited") or a backtrace (for some reason, even when I put -ggdb in CFLAGS, the /usr/lib64/mozilla-firefox/firefox executable is built without debug information).

Messages printed in terminal immediately before crash:

(firefox:8401): GLib-GObject-WARNING **: invalid unclassed pointer in cast to `GtkObject'

(firefox:8401): GLib-GObject-WARNING **: instance with invalid (NULL) class pointer

(firefox:8401): GLib-GObject-CRITICAL **: g_signal_handler_disconnect: assertion `G_TYPE_CHECK_INSTANCE (instance)' failed

(firefox:8401): GLib-GObject-WARNING **: instance with invalid (NULL) class pointer

(firefox:8401): GLib-GObject-CRITICAL **: g_signal_handler_disconnect: assertion `G_TYPE_CHECK_INSTANCE (instance)' failed

(firefox:8401): GLib-GObject-WARNING **: invalid unclassed pointer in cast to `GtkObject'

(firefox:8401): GLib-GObject-WARNING **: instance with invalid (NULL) class pointer

(firefox:8401): GLib-GObject-CRITICAL **: g_signal_handler_disconnect: assertion `G_TYPE_CHECK_INSTANCE (instance)' failed

(firefox:8401): GLib-GObject-WARNING **: instance with invalid (NULL) class pointer

(firefox:8401): GLib-GObject-CRITICAL **: g_signal_handler_disconnect: assertion `G_TYPE_CHECK_INSTANCE (instance)' failed
Comment 2 Alexandre Rostovtsev (RETIRED) gentoo-dev 2009-10-05 02:45:27 UTC
Created attachment 206049 [details]
backtrace

Managed to get a backtrace.

$ gdb /usr/lib64/mozilla-firefox/firefox
[...]
[Thread 0x7fffc90ff910 (LWP 26622) exited]
[Thread 0x7fffce1ff910 (LWP 26623) exited]
[New Thread 0x7fffce1ff910 (LWP 26624)]
[New Thread 0x7fffc90ff910 (LWP 26625)]

(firefox:26586): GLib-GObject-WARNING **: invalid unclassed pointer in cast to `GtkObject'

(firefox:26586): GLib-GObject-WARNING **: instance with invalid (NULL) class pointer

(firefox:26586): GLib-GObject-CRITICAL **: g_signal_handler_disconnect: assertion `G_TYPE_CHECK_INSTANCE (instance)' failed

(firefox:26586): GLib-GObject-WARNING **: instance with invalid (NULL) class pointer

(firefox:26586): GLib-GObject-CRITICAL **: g_signal_handler_disconnect: assertion `G_TYPE_CHECK_INSTANCE (instance)' failed
[Thread 0x7fffce1ff910 (LWP 26624) exited]
[Thread 0x7fffc90ff910 (LWP 26625) exited]

(firefox:26586): GLib-GObject-WARNING **: invalid unclassed pointer in cast to `GtkObject'

(firefox:26586): GLib-GObject-WARNING **: instance with invalid (NULL) class pointer

(firefox:26586): GLib-GObject-CRITICAL **: g_signal_handler_disconnect: assertion `G_TYPE_CHECK_INSTANCE (instance)' failed

(firefox:26586): GLib-GObject-WARNING **: instance with invalid (NULL) class pointer

(firefox:26586): GLib-GObject-CRITICAL **: g_signal_handler_disconnect: assertion `G_TYPE_CHECK_INSTANCE (instance)' failed

Program received signal SIGBUS, Bus error.
0x00007ffff28ff0ff in IA__g_type_check_instance_cast (type_instance=0x7fffcc06c040, iface_type=140737333860672) at gtype.c:3729
3729	gtype.c: No such file or directory.
	in gtype.c
Current language:  auto; currently c
Comment 3 Alexandre Rostovtsev (RETIRED) gentoo-dev 2009-10-05 02:56:59 UTC
Created attachment 206053 [details]
better backtrace

Better backtrace (thread apply all bt full)
Comment 4 Alexandre Rostovtsev (RETIRED) gentoo-dev 2009-10-05 04:03:17 UTC
I also reported the bug upstream: https://bugzilla.gnome.org/show_bug.cgi?id=597372
Comment 5 Gilles Dartiguelongue gentoo-dev 2009-10-21 19:46:54 UTC
Looks like thread 1 is the interesting block:

Thread 1 (Thread 0x7ffff7fb2710 (LWP 26671)):
#0  0x00007ffff28ff0ff in IA__g_type_check_instance_cast (type_instance=0x7fffdf47db80, iface_type=140737333860672) at gtype.c:3729
        node = 0x3ac200003b40
        iface = <value optimized out>
        is_instantiatable = 1
#1  0x00007fffdfbe65dd in ?? () from /usr/lib64/gtk-2.0/2.10.0/immodules/im-uim.so
No symbol table info available.
#2  0x00007fffdfbe66bc in ?? () from /usr/lib64/gtk-2.0/2.10.0/immodules/im-uim.so
No symbol table info available.
#3  0x00007ffff59c87bd in nsWindow::OnContainerFocusOutEvent (this=0x7fffe3c6fc00, aWidget=<value optimized out>, 
    aEvent=<value optimized out>) at nsWindow.cpp:3062
        tmpWindow = 0x7fffc8fb3bd0 [GdkWindow]
        tmpnsWindow = <value optimized out>
        kungFuDeathGrip = {mRawPtr = 0x7fffcc268600}

it refers to im-uim, could you try disabling scim and see if it fixes the problem ?
Comment 6 Alexandre Rostovtsev (RETIRED) gentoo-dev 2009-10-21 20:50:51 UTC
(In reply to comment #5)
> it refers to im-uim, could you try disabling scim and see if it fixes the
> problem ?

I am using uim, not scim. If I disable it (export GTK_IM_MODULE=gtk-im-context-simple), the crashes seem to go away.

Here is a snippet from a backtrace where uim is compiled with debug enabled:

Thread 1 (Thread 0x7ffff7fb2710 (LWP 30078)):
#0  0x00007ffff28ff0ff in IA__g_type_check_instance_cast (type_instance=0x7fffc637d300, iface_type=140737333860672) at gtype.c:3729
        node = 0x3ac200003b40
        iface = <value optimized out>
        is_instantiatable = 1
#1  0x00007fffdfbe65ed in remove_cur_toplevel () at gtk-im-uim.c:322
No locals.
#2  0x00007fffdfbe66cc in im_uim_focus_out (ic=<value optimized out>) at gtk-im-uim.c:1278
        uic = 0x7fffe28b2980 [GtkIMContextUIM]
#3  0x00007ffff59c87bd in nsWindow::OnContainerFocusOutEvent (this=0x7fffe3c6ec00, aWidget=<value optimized out>, 
    aEvent=<value optimized out>) at nsWindow.cpp:3062
        tmpWindow = 0x7fffc85369c0 [GdkWindow]
        tmpnsWindow = <value optimized out>
        kungFuDeathGrip = {mRawPtr = 0x7fffca117880}
#4  0x00007ffff59c8856 in focus_out_event_cb (widget=0x7fffe3c75100 [MozContainer], event=0x7fffc75b3c10) at nsWindow.cpp:5581
        window = {mRawPtr = 0x7fffe3c6ec00}

The actual behavior seems to be the following:
In the process of loading gmail, firefox creates several new (presumably invisible) toplevel windows, focuses in on them (assigning uim as the input manager), and then focuses out (resetting uim back to the main firefox window). But with gtk+-2.18.*, sometimes, when it focuses out and calls im_uim_focus_out, the invisible top-level window is already overwritten with random data (i.e. is deleted).

Uim uses the GTK_WIDGET_TOPLEVEL macro to check that the toplevel pointer it is using is actually a toplevel window; that macro makes uim (or rather, glib) follow several pointers to neverland, eventually causing a segmentation fault.

(By the way, debugging this is quite frustrating: to prevent input focus switches, you have to use gdb-remote, and that entails horrible pain.)
Comment 7 Alexandre Rostovtsev (RETIRED) gentoo-dev 2009-10-21 20:52:32 UTC
(In reply to comment #6)
> gdb-remote

Typo, I meant gdbserver.
Comment 8 Gilles Dartiguelongue gentoo-dev 2009-10-21 21:10:31 UTC
That explanation sounds reasonable; firefox and all mozilla derivatives indeed do crazy magic with X to support things like single instance (iirc).
Comment 9 Gilles Dartiguelongue gentoo-dev 2009-10-31 23:48:49 UTC
btw to get a better backtrace you'll need to rebuild uim stuff with debugging symbols
Comment 10 Alexandre Rostovtsev (RETIRED) gentoo-dev 2009-11-01 23:43:40 UTC
Created attachment 208996 [details, diff]
revert commit 6b7fef09ca588ce6e24bb76284adf3fee576f6a5

Using git bisect, found the bad commit:

6b7fef09ca588ce6e24bb76284adf3fee576f6a5 is the first bad commit
commit 6b7fef09ca588ce6e24bb76284adf3fee576f6a5
Author: Matthias Clasen <mclasen@redhat.com>
Date:   Fri Sep 4 20:34:09 2009 -0400

    Don't forget to set the client window on the slave

:040000 040000 670736654da7970d79784649a60a34708319979a a411a3c6bc4d038f8c33c0056116ba7b78fc303f M      gtk


Reverting that commit (using the attached patch) makes firefox function correctly - verified with the gtk+-2.18.3 ebuild in the tree.
Comment 11 Gilles Dartiguelongue gentoo-dev 2009-11-02 00:36:33 UTC
I don't believe this is the right approach to the problem. uim must be fixed to not crash everything down since obviously this commit was made to fix some input method problem. Could you paste this info on the upstream bug ?
Comment 12 Alexandre Rostovtsev (RETIRED) gentoo-dev 2009-11-02 01:19:27 UTC
(In reply to comment #11)
> I don't believe this is the right approach to the problem. uim must be fixed to
> not crash everything down since obviously this commit was made to fix some
> input method problem. Could you paste this info on the upstream bug ?

I also submitted the git bisect information upstream.

It is completely non-obvious to me that this commit fixed an existing input method problem. If it's obvious to you, can you please explain it?

I do not see a good way to patch uim to prevent this crash. How can you detect that a GtkWidget pointer does not point to deleted data? After all, running a GTK_WIDGET_TOPLEVEL() macro to verify the pointer is what causes the segfault, and any other GTK_WIDGET_* macro would cause the same crash.
Comment 13 Jeremy Murphy 2009-11-10 06:48:48 UTC
Hi there.  I'm experiencing this bug on x86 since mozilla-firefox-3.5.4 just went stable, but I have gtk+-2.16.6 installed.  :\  Strangely enough (or not), I don't get the bug on my amd64 system that has a very similar configuration.

I'm also having trouble generating a backtrace with firefox to verify that it is the same bug.  What trickery is required?  I have used the portage env hack successfully in the past, but it just isn't working here.  The firefox ebuild seems to override some of the debugging flags to start with.
Comment 14 Alexandre Rostovtsev (RETIRED) gentoo-dev 2009-11-20 08:30:51 UTC
Created attachment 210683 [details, diff]
uim-1.5.6-toplevel-delete-event.patch

Etsushi Kato (uim developer) has found the cause of this bug: uim-1.5.6 did not have a handler to delete the pointer to the toplevel window when the toplevel window is destroyed, and that caused races and crashes in firefox with some versions of gtk+ under certain usage scenarios. His patch to fix the error is attached.

See http://bugs.freedesktop.org/show_bug.cgi?id=25139 for details.

If I use the attached patch with uim-1.5.6-r3, and use plain gtk+-2.18.3 from the portage tree, firefox is stable and does not crash in gmail.

This bug report should probably be reassigned to the CJK team.
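The pattern behind the fix, as an added example that is neither uim's nor GTK's code: an input method caches a pointer to the toplevel that currently has focus, and the only reliable way to know that pointer is still live (comment 12's question) is to be told when the object dies, which is what a "destroy" handler gives you. The example models a GtkWidget with a plain C struct and GTK's destroy signal with a small callback list; all names (Widget, InputMethod, im_set_toplevel, im_focus_out, replay_gmail_sequence) are hypothetical. It replays the ordering from comment 6, where the hidden toplevel is destroyed before focus-out arrives, and shows that the cached pointer is cleared instead of being dereferenced.

```c
/* Added example (not uim's or GTK's code): a cached "current toplevel"
 * pointer that is cleared by a destroy handler, as in the uim-1.5.6 fix.
 * Widget stands in for GtkWidget; the destroy callback list stands in for
 * GTK's "destroy" signal.  All identifiers here are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_DESTROY_HANDLERS 4

typedef struct Widget Widget;
typedef void (*DestroyFn)(Widget *w, void *user_data);

struct Widget {
    int is_toplevel;
    DestroyFn destroy_fn[MAX_DESTROY_HANDLERS];
    void *destroy_data[MAX_DESTROY_HANDLERS];
    int n_destroy;
};

static int live_widgets = 0;   /* leak check for the replay functions */

Widget *widget_new(int is_toplevel) {
    Widget *w = calloc(1, sizeof *w);
    if (!w) abort();
    w->is_toplevel = is_toplevel;
    live_widgets++;
    return w;
}

/* Analogue of g_signal_connect(w, "destroy", fn, data); returns handler id. */
int widget_connect_destroy(Widget *w, DestroyFn fn, void *data) {
    if (w->n_destroy >= MAX_DESTROY_HANDLERS) return -1;
    w->destroy_fn[w->n_destroy] = fn;
    w->destroy_data[w->n_destroy] = data;
    return w->n_destroy++;
}

/* Analogue of gtk_widget_destroy: run destroy handlers, then free.  The
 * memory is poisoned first so that a stale dereference would not look sane. */
void widget_destroy(Widget *w) {
    for (int i = 0; i < w->n_destroy; i++)
        w->destroy_fn[i](w, w->destroy_data[i]);
    memset(w, 0xA5, sizeof *w);
    free(w);
    live_widgets--;
}

/* Input-method state: the cached toplevel that uim-1.5.6 never cleared. */
typedef struct {
    Widget *cur_toplevel;
} InputMethod;

static void toplevel_destroyed_cb(Widget *w, void *user_data) {
    InputMethod *im = user_data;
    if (im->cur_toplevel == w)      /* forget it only if it is still ours */
        im->cur_toplevel = NULL;
}

/* Focus-in: remember the toplevel and watch for its destruction.  Hooking
 * the destroy handler here is the essence of the fix. */
void im_set_toplevel(InputMethod *im, Widget *toplevel) {
    im->cur_toplevel = toplevel;
    widget_connect_destroy(toplevel, toplevel_destroyed_cb, im);
}

/* Focus-out (cf. im_uim_focus_out -> remove_cur_toplevel).  Returns 1 if a
 * live toplevel was detached, 0 if there was none to detach. */
int im_focus_out(InputMethod *im) {
    if (im->cur_toplevel == NULL)
        return 0;
    /* Safe to dereference: the destroy handler keeps this pointer live. */
    if (!im->cur_toplevel->is_toplevel)
        return 0;
    im->cur_toplevel = NULL;
    return 1;
}

/* Comment 6's ordering: focus-in on a hidden toplevel, toplevel destroyed,
 * then focus-out.  Returns 1 when focus-out finds nothing and nothing leaks. */
int replay_gmail_sequence(void) {
    InputMethod im = { NULL };
    Widget *hidden = widget_new(1);
    im_set_toplevel(&im, hidden);
    widget_destroy(hidden);         /* arrives before focus-out with gtk+-2.18 */
    int found = im_focus_out(&im);
    return found == 0 && im.cur_toplevel == NULL && live_widgets == 0;
}

/* Normal ordering: focus-out detaches a live toplevel, then it is destroyed. */
int replay_normal_sequence(void) {
    InputMethod im = { NULL };
    Widget *top = widget_new(1);
    im_set_toplevel(&im, top);
    int found = im_focus_out(&im);
    widget_destroy(top);
    return found == 1 && im.cur_toplevel == NULL && live_widgets == 0;
}

int main(void) {
    printf("destroy before focus-out handled: %s\n", replay_gmail_sequence() ? "yes" : "no");
    printf("focus-out before destroy detaches: %s\n", replay_normal_sequence() ? "yes" : "no");
    return 0;
}
```

In real GTK code the handler id returned by g_signal_connect would also be kept so the handler can be disconnected on focus-out; the `im->cur_toplevel == w` check in the callback is what keeps a leftover handler harmless here. The poisoning in widget_destroy is the same idea as the GLib "invalid unclassed pointer" warnings in comment 1: a freed object should fail loudly rather than look like a valid widget.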
Comment 15 MATSUU Takuto (RETIRED) gentoo-dev 2009-11-20 17:09:38 UTC
uim-1.5.6-r4 in cvs with the patch.
Comment 16 Alexandre Rostovtsev (RETIRED) gentoo-dev 2009-11-20 22:48:56 UTC
(In reply to comment #13)
> I'm also having trouble generating a backtrace with firefox to verify that it
> is the same bug.  What trickery is required?

You can run firefox using the xulrunner-stub executable from net-libs/xulrunner.

cp /usr/lib/xulrunner-1.9.1/xulrunner-stub /usr/lib/mozilla-firefox
mkdir /usr/lib/debug/usr/lib64/mozilla-firefox/
cp /usr/lib/debug/usr/lib64/xulrunner-1.9.1/xulrunner-stub.debug /usr/lib/debug/usr/lib64/mozilla-firefox/

(In reply to comment #15)
> uim-1.5.6-r4 in cvs with the patch.

Thank you, it solves the crash. Closing the bug as fixed.