
IconGroupContainer/force_reposition: Fix crash (use after free)

Open leolost2605 opened this issue 1 year ago • 8 comments

Tries to fix #1984

@bobby285271 unfortunately I can't really reproduce your crash but according to your bisect I tried a fix, although I'm not at all sure it does actually work :sweat_smile: Does it for you?

leolost2605 avatar Jul 18 '24 10:07 leolost2605

Ugh, now crashes with a different backtrace:

#0  0x00007fabf5484442 in gala_drag_drop_action_release_actor (self=0x19c2460, actor=0x19c1d90) at ../lib/DragDropAction.vala:150
        _tmp0_ = <optimized out>
        _tmp5_ = <optimized out>
        __func__ = "gala_drag_drop_action_release_actor"
#1  0x00007fabf52c0faf in weak_refs_notify (data=0x19c2590) at ../gobject/gobject.c:3646
        wstack = 0x19c2590
        i = 0
#2  0x00007fabf5347a01 in g_data_set_internal (datalist=<optimized out>, key_id=<optimized out>, new_data=<optimized out>, new_destroy_func=<optimized out>, dataset=0x0) at ../glib/gdataset.c:468
        d_to_free = 0x19c2314
        d = 0x19c2310
        new_d = 0x0
        old = {key = <optimized out>, data = 0x19c2590, destroy = 0x7fabf52c0f80 <weak_refs_notify>}
        data = <optimized out>
        idx = <optimized out>
#3  0x00007fabf52c13cf in g_object_real_dispose (object=0x19c1d90) at ../gobject/gobject.c:1755
No locals.
#4  0x00007fabf52c2de7 in g_object_unref (_object=_object@entry=0x19c1d90) at ../gobject/gobject.c:4413
        object = 0x19c1d90
        old_ref = 1
        toggle_notify = <optimized out>
        toggle_data = <optimized out>
        nqueue = 0x184a140
        obj_gtype = <optimized out>
        __func__ = "g_object_unref"
        retry_beginning = <optimized out>
        retry_decrement = <optimized out>
#5  0x000000000046de2c in gala_icon_group_container_remove_group (self=self@entry=0x1a56ea0, group=0x19bf550) at ../src/Widgets/IconGroupContainer.vala:72
        thumb = 0x19c1d90
        _tmp0_ = <optimized out>
        _tmp1_ = 0x19c1d90
        _tmp2_ = 1
        _tmp3_ = 2325
        __func__ = "gala_icon_group_container_remove_group"
#6  0x00000000004710ab in gala_multitasking_view_remove_workspace (num=<optimized out>, self=0x1a58500) at ../src/Widgets/MultitaskingView.vala:561
        _tmp26_ = 0x1a56ea0
        _tmp27_ = 0x1c7e770
        _tmp28_ = <optimized out>
        _tmp29_ = <optimized out>
        workspace = 0x1c7e770
        manager = <optimized out>
        _tmp17_ = 0x1c7e770
        _tmp20_ = 0x1c7e770
        _tmp24_ = <optimized out>
        existing_workspaces = <optimized out>
        _tmp23_ = 0x1c7e770
        _tmp30_ = <optimized out>
        _tmp1_ = <optimized out>
        _tmp9_ = <optimized out>
        _tmp19_ = 432
        _tmp22_ = <optimized out>
        _tmp0_ = <optimized out>
        _tmp8_ = <optimized out>
        _tmp18_ = 0x1c7e770
        _tmp21_ = 433
        _tmp25_ = <optimized out>
        workspace = <optimized out>
        manager = <optimized out>
        _tmp0_ = <optimized out>
        _tmp1_ = <optimized out>
        existing_workspaces = <optimized out>
        _tmp8_ = <optimized out>
        _tmp9_ = <optimized out>
        _tmp17_ = <optimized out>
        _tmp18_ = <optimized out>
        _tmp19_ = <optimized out>
        _tmp20_ = <optimized out>
        _tmp21_ = <optimized out>
        _tmp22_ = <optimized out>
        _tmp23_ = <optimized out>
        _tmp24_ = <optimized out>
        _tmp25_ = <optimized out>
        _tmp30_ = <optimized out>
        __func__ = "gala_multitasking_view_remove_workspace"
        _g_boolean_var_24 = <optimized out>
        i = <optimized out>
        _tmp2_ = <optimized out>
        _tmp4_ = <optimized out>
        _tmp5_ = <optimized out>
        _tmp6_ = <optimized out>
        _tmp7_ = <optimized out>
        _tmp3_ = <optimized out>
        child_collection = <optimized out>
        child_it = <optimized out>
        child = <optimized out>
        clone = <optimized out>
        _tmp10_ = <optimized out>
        _tmp11_ = <optimized out>
        _tmp12_ = <optimized out>
        _tmp13_ = <optimized out>
        _tmp14_ = <optimized out>
        _tmp15_ = <optimized out>
        _tmp16_ = <optimized out>
        _tmp26_ = <optimized out>
        _tmp27_ = <optimized out>
        _tmp28_ = <optimized out>
        _tmp29_ = <optimized out>
#7  _gala_multitasking_view_remove_workspace_meta_workspace_manager_workspace_removed (_sender=<optimized out>, object=<optimized out>, self=0x1a58500) at ../src/Widgets/MultitaskingView.vala:106
No locals.
#8  0x00007fabf52bcd38 in g_closure_invoke (closure=0x1a88700, return_value=0x0, n_param_values=2, param_values=0x7ffc479ed780, invocation_hint=0x7ffc479ed6d0) at ../gobject/gclosure.c:834
        marshal = 0x7fabf52bf2d0 <g_cclosure_marshal_VOID__INT>
        marshal_data = 0x0
        in_marshal = 0
        real_closure = 0x1a886e0
        __func__ = "g_closure_invoke"
#9  0x00007fabf52d1fcc in signal_emit_unlocked_R (node=node@entry=0x7ffc479ed850, detail=detail@entry=0, instance=instance@entry=0x17b6a20, emission_return=emission_return@entry=0x0, 
    instance_and_params=instance_and_params@entry=0x7ffc479ed780) at ../gobject/gsignal.c:3888
        tmp = <optimized out>
        handler = 0x19fd110
        accumulator = 0x0
        emission = {next = 0x7ffc479edc20, instance = 0x17b6a20, ihint = {signal_id = 181, detail = 0, run_type = (G_SIGNAL_RUN_FIRST | G_SIGNAL_ACCUMULATOR_FIRST_RUN)}, state = EMISSION_RUN, chain_type = 4}
        class_closure = 0x0
        hlist = <optimized out>
        handler_list = 0x19fd110
        return_accu = <optimized out>
        accu = {g_type = 0, data = {{v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, v_pointer = 0x0}, {v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, 
              v_float = 0, v_double = 0, v_pointer = 0x0}}}
        signal_id = 181
        max_sequential_handler_number = 1259
        return_value_altered = <optimized out>
        n_params = <optimized out>
        EMIT_RESTART = <optimized out>
        __func__ = "signal_emit_unlocked_R"
#10 0x00007fabf52d3981 in signal_emit_valist_unlocked (instance=instance@entry=0x17b6a20, signal_id=signal_id@entry=181, detail=detail@entry=0, var_args=var_args@entry=0x7ffc479ed9b0) at ../gobject/gsignal.c:3520
        instance_and_params = <optimized out>
        param_values = <optimized out>
        node = <optimized out>
        i = <optimized out>
        __func__ = "signal_emit_valist_unlocked"
        node_copy = {signal_id = 181, itype = 25421120, name = 0x17e29aa "workspace-removed", destroyed = 0, flags = 2, n_params = 1, single_va_closure_is_valid = 1, single_va_closure_is_after = 0, param_types = 0x17b5500, 
          return_type = 4, class_closure_bsa = 0x0, accumulator = 0x0, c_marshaller = 0x7fabf52bf2d0 <g_cclosure_marshal_VOID__INT>, va_marshaller = 0x7fabf52bf360 <g_cclosure_marshal_VOID__INTv>, emission_hooks = 0x0, 
          single_va_closure = 0x1}
#11 0x00007fabf52d97f2 in g_signal_emit_valist (instance=0x17b6a20, signal_id=181, detail=0, var_args=0x7ffc479ed9b0) at ../gobject/gsignal.c:3263
No locals.
#12 0x00007fabf52d98af in g_signal_emit (instance=<optimized out>, signal_id=<optimized out>, detail=<optimized out>) at ../gobject/gsignal.c:3583
        var_args = {{gp_offset = 32, fp_offset = 48, overflow_arg_area = 0x7ffc479eda90, reg_save_area = 0x7ffc479ed9d0}}
#13 0x00007fabf42fd9cf in meta_workspace_manager_remove_workspace () from /nix/store/8j25hx5ayawkwgc7qb455hb805s9mvs1-mutter-46.3.1/lib/libmutter-14.so.0
No symbol table info available.
#14 0x000000000044fffb in gala_workspace_manager_remove_workspace (self=0x19b7730, workspace=0x1857cc0) at ../src/WorkspaceManager.vala:235
        display = <optimized out>
        _tmp0_ = <optimized out>
        manager = 0x17b6a20
        _tmp1_ = <optimized out>
        _tmp2_ = 0x17b6a20
        time = 0
        _tmp3_ = <optimized out>
        active_workspace = <optimized out>
        _tmp4_ = 0x17b6a20
        _tmp5_ = <optimized out>
        _tmp6_ = <optimized out>
        _tmp16_ = <optimized out>
        _tmp17_ = 186
        _tmp18_ = 187
        _tmp19_ = <optimized out>
        _tmp20_ = 0x17b6a20
        __func__ = "gala_workspace_manager_remove_workspace"
#15 0x00007fabf52bcd38 in g_closure_invoke (closure=0x19b7b80, return_value=0x0, n_param_values=2, param_values=0x7ffc479edce0, invocation_hint=0x7ffc479edc30) at ../gobject/gclosure.c:834
        marshal = 0x7fabf52c0130 <g_cclosure_marshal_VOID__OBJECT>
        marshal_data = 0x0
        in_marshal = 0
        real_closure = 0x19b7b60
        __func__ = "g_closure_invoke"
#16 0x00007fabf52d1fcc in signal_emit_unlocked_R (node=node@entry=0x7ffc479eddb0, detail=detail@entry=0, instance=instance@entry=0x17b5b10, emission_return=emission_return@entry=0x0, 
    instance_and_params=instance_and_params@entry=0x7ffc479edce0) at ../gobject/gsignal.c:3888
        tmp = <optimized out>
        handler = 0x19b7a90
        accumulator = 0x0
        emission = {next = 0x0, instance = 0x17b5b10, ihint = {signal_id = 187, detail = 0, run_type = (G_SIGNAL_RUN_FIRST | G_SIGNAL_ACCUMULATOR_FIRST_RUN)}, state = EMISSION_RUN, chain_type = 4}
        class_closure = 0x0
        hlist = <optimized out>
        handler_list = 0x1aac490
        return_accu = <optimized out>
        accu = {g_type = 0, data = {{v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, v_pointer = 0x0}, {v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, 
              v_float = 0, v_double = 0, v_pointer = 0x0}}}
        signal_id = 187
        max_sequential_handler_number = 1259
        return_value_altered = <optimized out>
        n_params = <optimized out>
        EMIT_RESTART = <optimized out>
        __func__ = "signal_emit_unlocked_R"
#17 0x00007fabf52d3981 in signal_emit_valist_unlocked (instance=instance@entry=0x17b5b10, signal_id=signal_id@entry=187, detail=detail@entry=0, var_args=var_args@entry=0x7ffc479edf10) at ../gobject/gsignal.c:3520
        instance_and_params = <optimized out>
        param_values = <optimized out>
        node = <optimized out>
        i = <optimized out>
        __func__ = "signal_emit_valist_unlocked"
        node_copy = {signal_id = 187, itype = 24865392, name = 0x17e298b "window-removed", destroyed = 0, flags = 2, n_params = 1, single_va_closure_is_valid = 1, single_va_closure_is_after = 0, param_types = 0x17b5900, 
          return_type = 4, class_closure_bsa = 0x0, accumulator = 0x0, c_marshaller = 0x7fabf52c0130 <g_cclosure_marshal_VOID__OBJECT>, va_marshaller = 0x7fabf52c01c0 <g_cclosure_marshal_VOID__OBJECTv>, emission_hooks = 0x0, 
          single_va_closure = 0x1}
#18 0x00007fabf52d97f2 in g_signal_emit_valist (instance=0x17b5b10, signal_id=187, detail=0, var_args=0x7ffc479edf10) at ../gobject/gsignal.c:3263
No locals.
#19 0x00007fabf52d98af in g_signal_emit (instance=<optimized out>, signal_id=<optimized out>, detail=<optimized out>) at ../gobject/gsignal.c:3583
        var_args = {{gp_offset = 32, fp_offset = 48, overflow_arg_area = 0x7ffc479edff0, reg_save_area = 0x7ffc479edf30}}
#20 0x00007fabf4314b59 in meta_workspace_remove_window () from /nix/store/8j25hx5ayawkwgc7qb455hb805s9mvs1-mutter-46.3.1/lib/libmutter-14.so.0
No symbol table info available.
#21 0x00007fabf430c02e in set_workspace_state () from /nix/store/8j25hx5ayawkwgc7qb455hb805s9mvs1-mutter-46.3.1/lib/libmutter-14.so.0
No symbol table info available.
#22 0x00007fabf430ee29 in meta_window_unmanage () from /nix/store/8j25hx5ayawkwgc7qb455hb805s9mvs1-mutter-46.3.1/lib/libmutter-14.so.0
No symbol table info available.
#23 0x00007fabf42eae03 in meta_display_close () from /nix/store/8j25hx5ayawkwgc7qb455hb805s9mvs1-mutter-46.3.1/lib/libmutter-14.so.0
No symbol table info available.
#24 0x00007fabf42f5946 in meta_context_dispose () from /nix/store/8j25hx5ayawkwgc7qb455hb805s9mvs1-mutter-46.3.1/lib/libmutter-14.so.0
No symbol table info available.
#25 0x00007fabf52c2de7 in g_object_unref (_object=0x140b8c0) at ../gobject/gobject.c:4413
        object = 0x140b8c0
        old_ref = 1
        toggle_notify = <optimized out>
        toggle_data = <optimized out>
        nqueue = 0x18cbac0
        obj_gtype = <optimized out>
        __func__ = "g_object_unref"
        retry_beginning = <optimized out>
        retry_decrement = <optimized out>
#26 0x00000000004329c8 in block2_data_unref (_userdata_=0x14085c0) at ../src/Main.vala:29
        _data2_ = <optimized out>
        _data2_ = <optimized out>
#27 block2_data_unref (_userdata_=0x14085c0) at /build/source/build/Main.c:115
        _data2_ = 0x14085c0
#28 0x0000000000432e16 in gala_main (args=<optimized out>, args_length1=<optimized out>) at ../src/Main.vala:94
        _data2_ = 0x14085c0
        _tmp0_ = <optimized out>
        _tmp1_ = <optimized out>
        _tmp7_ = <optimized out>
        empty_mask = <optimized out>
        _tmp8_ = {__val = {0 <repeats 16 times>}}
        act = {__sigaction_handler = {sa_handler = 0x1, sa_sigaction = 0x1}, sa_mask = {__val = {<optimized out> <repeats 16 times>}}, sa_flags = <optimized out>, sa_restorer = <optimized out>}
        _tmp9_ = {__sigaction_handler = {sa_handler = 0x0, sa_sigaction = 0x0}, sa_mask = {__val = {0 <repeats 16 times>}}, sa_flags = 0, sa_restorer = 0x0}
        _tmp10_ = 0x1
        _tmp11_ = <optimized out>
        _tmp12_ = {__sigaction_handler = {sa_handler = 0x1, sa_sigaction = 0x1}, sa_mask = {__val = {0 <repeats 16 times>}}, sa_flags = 0, sa_restorer = 0x0}
        _tmp14_ = {__sigaction_handler = {sa_handler = 0x1, sa_sigaction = 0x1}, sa_mask = {__val = {0 <repeats 16 times>}}, sa_flags = 0, sa_restorer = 0x0}
        _tmp21_ = <optimized out>
        _tmp22_ = <optimized out>
        _inner_error0_ = 0x0
        result = 0
        _g_boolean_var_11 = <optimized out>
        _tmp6_ = <optimized out>
        _g_boolean_var_13 = <optimized out>
        _tmp20_ = <optimized out>
        _g_boolean_var_17 = <optimized out>
        _tmp34_ = <optimized out>
#29 0x00007fabf3ae414e in __libc_start_call_main (main=main@entry=0x423b50 <main>, argc=argc@entry=1, argv=argv@entry=0x7ffc479ee5b8) at ../sysdeps/nptl/libc_start_call_main.h:58
        self = <optimized out>
        result = <optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {140721510081976, 5513257607532905453, 0, 140721510081992, 140376531677184, 4963416, -5513661961229171731, -5488513788590291987}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 
              0x7ffc479ee5b8, 0x1}, data = {prev = 0x0, cleanup = 0x0, canceltype = 1201595832}}}
        not_first_call = <optimized out>
#30 0x00007fabf3ae4209 in __libc_start_main_impl (main=0x423b50 <main>, argc=1, argv=0x7ffc479ee5b8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffc479ee5a8) at ../csu/libc-start.c:360
No locals.
#31 0x0000000000423b85 in _start ()
No symbol table info available.

bobby285271 avatar Jul 18 '24 15:07 bobby285271

@bobby285271 I probably should have looked more at your backtrace :sweat_smile: The list used in the crashing function only has weak references, which would cause the actors to be freed (because they aren't kept alive anymore since the commit you bisected to, which was leaking memory), but they were used again after that. So the current version of this PR should hopefully fix it.

leolost2605 avatar Jul 28 '24 10:07 leolost2605
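The failure mode described in the comment above (a list that holds only weak references, whose targets get finalized and are then touched again) is easy to model in isolation. The following is an added, self-contained C example, not gala or GLib code: `Actor`, `Container`, `actor_weak_ref` and `on_actor_gone` are stand-ins for the ClutterActor/GObject machinery (the weak-notification step corresponds to the `weak_refs_notify` frame in the backtrace), and the "reposition" walk stands in for `force_reposition`. It shows the two safe shapes for a non-owning list: either the container takes a strong reference per entry, or a weak notification clears the entry before the object's memory goes away, so the later walk never dereferences a dangling pointer.

```c
#include <stdio.h>
#include <stdlib.h>

/* Added illustration (not gala/GLib code): a tiny refcounted "actor" with
 * GObject-style weak notifications, plus a container that lists actors. */

#define MAX_WEAK 4
#define MAX_SLOTS 4

typedef struct Actor Actor;
typedef void (*WeakNotify)(void *data, Actor *where_the_object_was);

struct Actor {
    int refcount;
    int id;
    int n_weak;
    WeakNotify weak_cb[MAX_WEAK];
    void *weak_data[MAX_WEAK];
};

static Actor *actor_new(int id) {
    Actor *a = calloc(1, sizeof *a);
    a->refcount = 1;
    a->id = id;
    return a;
}

static Actor *actor_ref(Actor *a) { a->refcount++; return a; }

/* Like g_object_unref: on the last reference, fire the weak notifications
 * (cf. weak_refs_notify in the backtrace) and only then free the memory. */
static void actor_unref(Actor *a) {
    if (--a->refcount > 0) return;
    for (int i = 0; i < a->n_weak; i++)
        a->weak_cb[i](a->weak_data[i], a);
    free(a);
}

static void actor_weak_ref(Actor *a, WeakNotify cb, void *data) {
    if (a->n_weak >= MAX_WEAK) return;
    a->weak_cb[a->n_weak] = cb;
    a->weak_data[a->n_weak] = data;
    a->n_weak++;
}

typedef struct {
    Actor *slots[MAX_SLOTS];
    int n;
    int owns_refs;   /* 1: the container holds a strong reference per slot */
} Container;

/* Weak-notify callback: clear the slot so no dangling pointer survives finalization. */
static void on_actor_gone(void *data, Actor *where) {
    Container *c = data;
    for (int i = 0; i < c->n; i++)
        if (c->slots[i] == where) c->slots[i] = NULL;
}

static void container_add(Container *c, Actor *a) {
    if (c->n >= MAX_SLOTS) return;
    if (c->owns_refs) actor_ref(a);
    else actor_weak_ref(a, on_actor_gone, c);
    c->slots[c->n++] = a;
}

/* The force_reposition analogue: walk the list and read each live actor.
 * Returns how many actors were actually repositioned. */
static int container_reposition(Container *c) {
    int touched = 0;
    for (int i = 0; i < c->n; i++) {
        if (c->slots[i] == NULL) continue;   /* cleared by weak notify: skip */
        touched += c->slots[i]->id > 0;      /* this read would be a UAF on a dangling entry */
    }
    return touched;
}

static void container_clear(Container *c) {
    for (int i = 0; i < c->n; i++)
        if (c->slots[i] && c->owns_refs) actor_unref(c->slots[i]);
    c->n = 0;
}

/* Scenario: the creator drops its reference while the container still lists the actor.
 * owns_refs = 0 -> weak list, entry cleared, one actor repositioned.
 * owns_refs = 1 -> strong list keeps the actor alive, both repositioned. */
int scenario(int owns_refs) {
    Container c = { .owns_refs = owns_refs };
    Actor *a = actor_new(1), *b = actor_new(2);
    container_add(&c, a);
    container_add(&c, b);
    actor_unref(a);                          /* creator's reference goes away */
    int touched = container_reposition(&c);  /* safe in both modes */
    actor_unref(b);
    container_clear(&c);
    return touched;
}

int main(void) {
    printf("weak list: %d repositioned\n", scenario(0));
    printf("strong list: %d repositioned\n", scenario(1));
    return 0;
}
```

Which of the two shapes is right depends on ownership: a strong reference makes the container a co-owner and brings back the lifetime it has to manage on removal, while the weak-notify variant keeps the container non-owning but requires every walk to tolerate cleared entries.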

Hmmm, on 72ee7e1d751370779675a86258b5a764b363142a it crashes at the original place.

bobby285271 avatar Jul 28 '24 12:07 bobby285271

Hmmm, ok, now I'm really confused :( Since I'm not too familiar with nix, may I ask which mutter, glib and maybe even vala versions you are using? And no idea if it's going to be helpful, but just to be sure, could you provide the generated C code for gala_icon_group_container_force_reposition?

leolost2605 avatar Jul 28 '24 13:07 leolost2605

It's Vala 0.56.17, GLib 2.80.3, Mutter 46.3.1

bobby285271 avatar Jul 28 '24 13:07 bobby285271

And no idea if it's going to be helpful, but just to be sure, could you provide the generated C code for gala_icon_group_container_force_reposition? (I edited above, probably after you saw it, sry)

leolost2605 avatar Jul 28 '24 13:07 leolost2605

I pushed my build dir here: https://github.com/bobby285271/gala-pr-1990/blob/e7dc0f83bea3e1442f1d23d5ad8b7f1c7c7c1a0f/build/src/gala.p/Widgets/IconGroupContainer.c#L617

bobby285271 avatar Jul 28 '24 13:07 bobby285271

Hmm, unfortunately I still can't reproduce this, and I've completely run out of ideas about what's happening here. If you want, you can add some debug messages after every line, and some with like info about values of variables at certain points, because I've got no fucking clue what's going on (and probably too little experience 😐)

leolost2605 avatar Aug 09 '24 14:08 leolost2605