Closed
Bug 1212139
Opened 9 years ago
Closed 8 years ago
crash in libgio-2.0.so.0.4600.0@0xcfd96 the second time I click "Browse" button on file-picker, with GTK3 and Ubuntu 15.10 beta (after "g_dbus_connection_is_closed: assertion 'G_IS_DBUS_CONNECTION (connection)")
Categories: Core :: Widget: Gtk, defect
Status: VERIFIED WORKSFORME
Tracking: firefox44 affected
People: Reporter: dholbert, Unassigned
Keywords: crash, dogfood
Attachments: 1 file (17.41 KB, text/plain)
This bug was filed from the Socorro interface and is
report bp-43a6470f-d9cb-48a3-bfc0-69d492151006.
=============================================================
STR:
0. Be using Ubuntu 15.10 beta [not sure if necessary]
1. Visit this data URL (or any site, with a file-upload widget, e.g. bugzilla)
data:text/html,<input type=file>
2. Click "Browse" button.
3. Double-click some file in the file-picker dialog (or select a file and hit the "open" button to accept the choice).
4. Click "Browse" again.
ACTUAL RESULTS: Crash in libgio-2.0.so.0.4600.0@0xcfd96
bp-fa0236a9-6053-4bff-b24b-436f02151006
bp-43a6470f-d9cb-48a3-bfc0-69d492151006
...or in libgobject-2.0.so.0.4600.0@0x3500c:
bp-e821690a-58fd-495b-b912-d85c12151006
bp-7cc35939-3f96-4210-bde1-e79ae2151006
EXPECTED RESULTS: No crash.
This is 100% reproducible for me right now. Regression range goes back to when we enabled gtk3 by default:
https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=1ee54e043b9b05d69e6a9f981aa6c4ef0dd65be3&tochange=939320b957c588ad809e9b4a64b7f232dd4d9b72
I suspect this is a bug in some system gtk3 library on Ubuntu 15.10. Filing this mozilla bug for it anyway, since we're exposing the bug to the web and it's preventing me from e.g. using Firefox to upload patches to bugzilla without crashing.
Comment 1 (Reporter, 9 years ago)
My libgtk-3-0 package is at version: 3.16.7-0ubuntu2
Comment 2 (Reporter, 9 years ago)
I can't reproduce the crash with epiphany-browser (which uses the same kind of gtk3 file-picker dialog that we do). But epiphany does spam this error output to my terminal, instead of crashing:
{
(epiphany:29318): GLib-GIO-CRITICAL **: g_dbus_connection_is_closed: assertion 'G_IS_DBUS_CONNECTION (connection)' failed
(epiphany:29318): GLib-GObject-CRITICAL **: g_value_type_compatible: assertion 'G_TYPE_IS_VALUE (src_type)' failed
(epiphany:29318): GLib-GObject-CRITICAL **: g_object_new_valist: invalid object type '
(epiphany:29318): GLib-GIO-CRITICAL **: g_dbus_connection_call_sync_internal: assertion 'G_IS_DBUS_CONNECTION (connection)' failed
(epiphany:29318): GLib-CRITICAL **: g_propagate_error: assertion 'src != NULL' failed
}
Updated (Reporter, 9 years ago)
Comment 3 (Reporter, 9 years ago)
I do also see this just before the crash in Firefox, too:
(firefox:29844): GLib-GIO-CRITICAL **: g_dbus_connection_is_closed: assertion 'G_IS_DBUS_CONNECTION (connection)' failed
Here's a backtrace captured in a debug build. I installed libglib2.0-0-dbg to get debug symbols; that package & libglib2.0-0 are at version: 2.46.0-2
Comment 4 (Reporter, 9 years ago)
I'm crashing at the last line here in gtype.c (libglib2.0-0) -- this is line 4167 referenced in my backtrace:
> static inline gboolean
> type_check_is_value_type_U (GType type)
> {
> GTypeFlags tflags = G_TYPE_FLAG_VALUE_ABSTRACT;
> TypeNode *node;
>
> /* common path speed up */
> node = lookup_type_node_I (type);
> if (node && node->mutatable_check_cache)
> return TRUE;
>
> G_READ_LOCK (&type_rw_lock);
> restart_check:
> if (node)
> {
> if (node->data && NODE_REFCOUNT (node) > 0 &&
> node->data->common.value_table->value_init)
node->data is bogus here.
(gdb) p *node
$9 = {
ref_count = 3850979413,
plugin = 0xf0758948f87d8948,
n_children = 3897919816,
n_supers = 72,
n_prerequisites = 395,
is_classed = 0,
is_instantiatable = 1,
mutatable_check_cache = 0,
children = 0xe87d8348d0558948,
data = 0xbf0000002a850f00,
qname = 1,
global_gdata = 0x5dc158d48062305,
_prot = {
iface_entries = {
data = 0x25de510d8d480623
},
offsets = {
data = 0x25de510d8d480623
}
},
prerequisites = 0xe8000003bdb84106,
supers = {14786566523078656772}
}
(gdb) p *node->data
Cannot access memory at address 0xbf0000002a850f00
Comment 5 (Reporter, 9 years ago)
I'm going to hold off on investigating this further, and hope that a libglib or libgtk update ships in the next couple of days that fixes this.
Summary: crash in libgio-2.0.so.0.4600.0@0xcfd96 the second time I click "Browse" button on file-picker, with GTK3 and Ubuntu 15.10 beta → crash in libgio-2.0.so.0.4600.0@0xcfd96 the second time I click "Browse" button on file-picker, with GTK3 and Ubuntu 15.10 beta (after "g_dbus_connection_is_closed: assertion 'G_IS_DBUS_CONNECTION (connection)")
Comment 6 (Reporter, 9 years ago)
Investigating upstream a bit, actually.
The changelog for my most recent glib2.0 update was:
====
(2.46.0-2) unstable; urgency=medium
* debian/patches/0001-Revert-list-store-Fix-a-parameter-check.patch:
Cherry-pick from upstream to fix GSequence (this at least makes
GStreamer's testsuite fail).
-- Iain Lane <laney@debian.org> Mon, 28 Sep 2015 13:07:06 +0100
====
The patch mentioned here ("Revert-list-store-Fix-a-parameter-check") does involve "node management" (e.g. it changes a call to node_find_closest and the implementation of that function as well). So it's conceivable that it's responsible for me ending up with a bogus node->data pointer as shown in comment 4.
Comment 7 (Reporter, 9 years ago)
Filed upstream bug on glib: https://bugzilla.gnome.org/show_bug.cgi?id=756153
Comment 8 (Reporter, 9 years ago)
As noted on the upstream bug, this seems to be a regression in the "gvfs" package (which received an update on Monday, right before I started noticing this).
Last good version is https://launchpad.net/ubuntu/wily/amd64/gvfs/1.24.2-0ubuntu1
First bad version is https://launchpad.net/ubuntu/wily/amd64/gvfs/1.24.2-0ubuntu2
Comment 9 (9 years ago)
In case it's helpful, GLib critical warnings are usually from bad pointers or UaF.
G_DEBUG=fatal-criticals may be useful to kill the process a little earlier.
If it is UaF, then debug (with jemalloc) or asan builds may catch the bug a little earlier than opt builds.
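As an added illustration of the workflow suggested in comment 9 (not part of the bug report): a small bash wrapper that runs a GLib program with G_DEBUG=fatal-criticals, so that a critical such as the g_dbus_connection_is_closed assertion aborts the process at the point it is emitted, and then classifies the exit status. The gdb helper assumes gdb is installed; the binary name is a placeholder.

```shell
# Run "$@" with GLib criticals turned into abort() and echo its exit status.
# G_DEBUG=fatal-criticals is GLib's own switch; everything else here is added.
run_with_fatal_criticals() {
    rc=0
    G_DEBUG=fatal-criticals "$@" || rc=$?
    echo "$rc"
}

# Map a shell exit status to a short verdict (128 + signal number convention).
classify_exit() {
    case "$1" in
        0)   echo "clean" ;;
        134) echo "aborted-on-critical" ;;   # 128 + SIGABRT(6): a critical was hit
        139) echo "segfault" ;;               # 128 + SIGSEGV(11): the crash in this bug
        *)   echo "exit-$1" ;;
    esac
}

# Debugging run under gdb: stop at the abort raised by the critical and
# print the backtrace, which points at the first bad pointer rather than
# the later crash. Replace ./firefox with the real binary (placeholder).
backtrace_on_critical() {
    G_DEBUG=fatal-criticals gdb -q -batch -ex run -ex bt --args "$@"
}

# Example invocation (placeholder binary):
# backtrace_on_critical ./firefox
```

Because the abort happens where the critical is logged, the backtrace shows the caller holding the bogus object, which is more useful than the later crash inside type_check_is_value_type_U.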
Comment 10 (9 years ago)
https://bugzilla.gnome.org/show_bug.cgi?id=756153#c20 says fixed in 1.26.1.1
Comment 11 (8 years ago)
No current crashes of this being reported.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WORKSFORME
Comment 12 (Reporter, 8 years ago)
Yeah, I haven't hit this for a while (and can't reproduce right now, with Ubuntu 16.10 prerelease).
I think Karl's comment 10 correctly indicated that this was fixed in a system library. Hooray!
Updated (Reporter, 8 years ago)
Status: RESOLVED → VERIFIED