Opened 11 years ago

Closed 11 years ago

Last modified 11 years ago

#6229 closed defect (fixed)

Crash (tooltips race)

Reported by: jankratochvil
Owned by:
Milestone: 2.5.0
Component: pidgin (gtk)
Version: 2.4.2
Keywords:
Cc:

Description

I got a random crash

System: Linux 2.6.25.6-55.fc9.x86_64 #1 SMP Tue Jun 10 16:05:21 EDT 2008 x86_64
X Vendor: The X.Org Foundation
X Vendor Release: 10499902
Selinux: No
Accessibility: Disabled
GTK+ Theme: Nodoka
Icon Theme: Fedora

Memory status: size: 545456128 vsize: 545456128 resident: 50597888 share: 16953344 rss: 50597888 rss_rlim: 18446744073709551615
CPU usage: start_time: 1214749964 rtime: 42351 utime: 40335 stime: 2016 cutime:217 cstime: 640 timeout: 0 it_real_value: 0 frequency: 100

Backtrace was generated from '/usr/bin/pidgin'

[Thread debugging using libthread_db enabled]
[New Thread 0x7f0860064780 (LWP 11471)]
0x0000003f2dc0e835 in __libc_waitpid (pid=<value optimized out>, 
    stat_loc=<value optimized out>, options=<value optimized out>)
    at ../sysdeps/unix/sysv/linux/waitpid.c:32
32            return INLINE_SYSCALL (wait4, 4, pid, stat_loc, options, NULL);
#0  0x0000003f2dc0e835 in __libc_waitpid (pid=<value optimized out>, 
    stat_loc=<value optimized out>, options=<value optimized out>)
    at ../sysdeps/unix/sysv/linux/waitpid.c:32
#1  0x0000003f2e86e849 in IA__g_spawn_sync (
    working_directory=<value optimized out>, argv=<value optimized out>, 
    envp=<value optimized out>, flags=<value optimized out>, 
    child_setup=<value optimized out>, user_data=<value optimized out>, 
    standard_output=) at gspawn.c:374
#2  0x0000003f2e86eb58 in IA__g_spawn_command_line_sync (
    command_line=<value optimized out>, 
    standard_output=<value optimized out>, 
    standard_error=<value optimized out>, exit_status=<value optimized out>, 
    error=<value optimized out>) at gspawn.c:682
#3  0x00000000006ee606 in check_if_gdb (
    callback_context=<value optimized out>) at gnome-breakpad.cc:213
#4  0x00000000006ee6bd in bugbuddy_segv_handle (signum=<value optimized out>)
    at gnome-breakpad.cc:87
#5  <signal handler called>
#6  0x0000003f2d032215 in raise (sig=<value optimized out>)
    at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#7  0x0000003f2d033d83 in abort () at abort.c:88
#8  0x00000000004817b8 in sighandler (sig=<value optimized out>)
    at gtkmain.c:193
#9  <signal handler called>
#10 0x0000003f2ec24e23 in IA__g_type_check_instance_is_a (
    type_instance=<value optimized out>, iface_type=<value optimized out>)
    at gtype.c:3144
#11 0x00000000004b6797 in pidgin_tooltip_timeout (data=0x7f0850c09c60)
    at pidgintooltip.c:271
#12 0x0000003f2e837c5b in g_timeout_dispatch (source=<value optimized out>, 
    callback=<value optimized out>, user_data=<value optimized out>)
    at gmain.c:3443
#13 0x0000003f2e83749b in IA__g_main_context_dispatch (
    context=<value optimized out>) at gmain.c:2009
#14 0x0000003f2e83ac7d in g_main_context_iterate (
    context=<value optimized out>, block=<value optimized out>, 
    dispatch=<value optimized out>, self=<value optimized out>)
    at gmain.c:2642
#15 0x0000003f2e83b1ad in IA__g_main_loop_run (loop=<value optimized out>)
    at gmain.c:2850
#16 0x0000003f34183a98 in IA__gtk_main () at gtkmain.c:1163
#17 0x0000000000481f5b in main (argc=1, argv=0x7fff68091a38) at gtkmain.c:890

Thread 1 (Thread 0x7f0860064780 (LWP 11471)):
#0  0x0000003f2dc0e835 in __libc_waitpid (pid=<value optimized out>, 
    stat_loc=<value optimized out>, options=<value optimized out>)
    at ../sysdeps/unix/sysv/linux/waitpid.c:32
	oldtype = <value optimized out>
	result = <value optimized out>
#1  0x0000003f2e86e849 in IA__g_spawn_sync (
    working_directory=<value optimized out>, argv=<value optimized out>, 
    envp=<value optimized out>, flags=<value optimized out>, 
    child_setup=<value optimized out>, user_data=<value optimized out>, 
    standard_output=) at gspawn.c:374
	outpipe = 
The program is running.  Quit anyway (and detach it)? (y or n) [answered Y; input not from terminal]


----------- .xsession-errors ---------------------
Please make sure to specify what you were doing at the time
and post the backtrace from the core file.  If you do not know
how to get the backtrace, please read the instructions at
http://developer.pidgin.im/wiki/GetABacktrace
If you need further assistance, please IM either SeanEgn or 
LSchiere (via AIM).  Contact information for Sean and Luke 
on other protocols is at
http://developer.pidgin.im/wiki/DeveloperPages
warning: "/usr/lib/debug/lib/modules/2.6.25.6-55.fc9.x86_64/vdso/vdso.so.debug": The separate debug info file has no debug info
Could not find the frame base for "IA__g_spawn_sync".
Could not find the frame base for "IA__g_spawn_sync".
Could not find the frame base for "IA__g_spawn_sync".
--------------------------------------------------

It is clear there that row_motion_cb() adds a timeout with its 'userdata' parameter, but by the time the timeout gets invoked the 'userdata' parameter content may already have been deleted. The handler 'row_motion_cb' gets automatically discarded when the TREE object gets destroyed, but the already scheduled timeout is not removed and it later crashes on the already freed TREE object.
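The lifetime problem described above, as an added example that is not part of the ticket and is not Pidgin's code: a plain-C model in which a motion handler schedules a timeout with the tree as user data, and the destroy path either leaves that timeout pending (the bug) or cancels it first (one common fix pattern). The names `timeout_add`, `timeout_remove`, `Tree`, `row_motion` and `tree_destroy` are hypothetical stand-ins that mimic the semantics of GLib's `g_timeout_add` and `g_source_remove`; the ticket does not show the actual one-line change.

```c
/* Plain-C model (no GLib): timeout_add/timeout_remove mimic g_timeout_add/g_source_remove. */
#include <stdio.h>
#include <stdlib.h>

#define MAX_SRC 8
typedef int (*timeout_fn)(void *data);
static struct { timeout_fn fn; void *data; } sources[MAX_SRC]; /* slot i = id i+1 */
static unsigned timeout_add(timeout_fn fn, void *data) {
    for (unsigned i = 0; i < MAX_SRC; i++)
        if (!sources[i].fn) { sources[i].fn = fn; sources[i].data = data; return i + 1; }
    return 0;
}
static void timeout_remove(unsigned id) { if (id) sources[id - 1].fn = NULL; }
static int pending(void) {
    int n = 0;
    for (unsigned i = 0; i < MAX_SRC; i++) n += sources[i].fn != NULL;
    return n;
}
typedef struct { unsigned tooltip_timeout; int rows; } Tree;  /* stand-in widget */
static int tooltip_timeout_cb(void *data) {
    Tree *tree = data;            /* dangling if the tree was freed first */
    tree->tooltip_timeout = 0;    /* one-shot: source is gone after this */
    return tree->rows;
}
/* Motion handler: (re)schedules the tooltip with the tree as user data. */
static void row_motion(Tree *tree) {
    timeout_remove(tree->tooltip_timeout);
    tree->tooltip_timeout = timeout_add(tooltip_timeout_cb, tree);
}
/* Destroy handler. cancel=0 reproduces the bug; cancel=1 is the fix pattern. */
static void tree_destroy(Tree *tree, int cancel) {
    if (cancel) timeout_remove(tree->tooltip_timeout);
    free(tree);
}
/* Returns how many timeouts still point at the tree after it is destroyed. */
static int stale_after_destroy(int cancel) {
    for (unsigned i = 0; i < MAX_SRC; i++) sources[i].fn = NULL;
    Tree *tree = calloc(1, sizeof *tree);
    if (!tree) return -1;
    row_motion(tree);
    row_motion(tree);             /* second motion replaces the first timer */
    tree_destroy(tree, cancel);
    return pending();             /* never dispatched here: that would be the UAF */
}
int main(void) {
    printf("no cancel: %d stale, cancel on destroy: %d stale\n",
           stale_after_destroy(0), stale_after_destroy(1));
    return 0;
}
```

A stale entry is exactly the state in frame #11 of the backtrace: the main loop dispatches a timeout whose user data has already been freed.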

Change History (3)

comment:1 Changed 11 years ago by datallah

Good catch (and the analysis is exactly right). Thanks!

comment:2 Changed 11 years ago by datallah@…

  • Milestone set to 2.5.0
  • Resolution set to fixed
  • Status changed from new to closed

(In 5b3cd3600d9a992cc943d490b68c1174e0346b8b):
Jan Kratochvil noticed there was a race condition in the treeview tooltip code, this fixes it. Fixes #6229.

comment:3 Changed 11 years ago by jankratochvil

Wow, that was only a oneliner. Thanks.
