[Pidgin] #6229: Crash (tooltips race)

Wed Jul 2 07:31:47 EDT 2008

#6229: Crash (tooltips race)
---------------------------+------------------------------------------------
 Reporter:  jankratochvil  |       Type:  defect
   Status:  new            |   Priority:  minor 
Component:  pidgin (gtk)   |    Version:  2.4.2 
 Keywords:                 |    Pending:  0     
---------------------------+------------------------------------------------
 I got a random crash
 {{{
 System: Linux 2.6.25.6-55.fc9.x86_64 #1 SMP Tue Jun 10 16:05:21 EDT 2008
 x86_64
 X Vendor: The X.Org Foundation
 X Vendor Release: 10499902
 Selinux: No
 Accessibility: Disabled
 GTK+ Theme: Nodoka
 Icon Theme: Fedora

 Memory status: size: 545456128 vsize: 545456128 resident: 50597888 share:
 16953344 rss: 50597888 rss_rlim: 18446744073709551615
 CPU usage: start_time: 1214749964 rtime: 42351 utime: 40335 stime: 2016
 cutime:217 cstime: 640 timeout: 0 it_real_value: 0 frequency: 100

 Backtrace was generated from '/usr/bin/pidgin'

 [Thread debugging using libthread_db enabled]
 [New Thread 0x7f0860064780 (LWP 11471)]
 0x0000003f2dc0e835 in __libc_waitpid (pid=<value optimized out>,
     stat_loc=<value optimized out>, options=<value optimized out>)
     at ../sysdeps/unix/sysv/linux/waitpid.c:32
 32            return INLINE_SYSCALL (wait4, 4, pid, stat_loc, options,
 NULL);
 #0  0x0000003f2dc0e835 in __libc_waitpid (pid=<value optimized out>,
     stat_loc=<value optimized out>, options=<value optimized out>)
     at ../sysdeps/unix/sysv/linux/waitpid.c:32
 #1  0x0000003f2e86e849 in IA__g_spawn_sync (
     working_directory=<value optimized out>, argv=<value optimized out>,
     envp=<value optimized out>, flags=<value optimized out>,
     child_setup=<value optimized out>, user_data=<value optimized out>,
     standard_output=) at gspawn.c:374
 #2  0x0000003f2e86eb58 in IA__g_spawn_command_line_sync (
     command_line=<value optimized out>,
     standard_output=<value optimized out>,
     standard_error=<value optimized out>, exit_status=<value optimized
 out>,
     error=<value optimized out>) at gspawn.c:682
 #3  0x00000000006ee606 in check_if_gdb (
     callback_context=<value optimized out>) at gnome-breakpad.cc:213
 #4  0x00000000006ee6bd in bugbuddy_segv_handle (signum=<value optimized
 out>)
     at gnome-breakpad.cc:87
 #5  <signal handler called>
 #6  0x0000003f2d032215 in raise (sig=<value optimized out>)
     at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
 #7  0x0000003f2d033d83 in abort () at abort.c:88
 #8  0x00000000004817b8 in sighandler (sig=<value optimized out>)
     at gtkmain.c:193
 #9  <signal handler called>
 #10 0x0000003f2ec24e23 in IA__g_type_check_instance_is_a (
     type_instance=<value optimized out>, iface_type=<value optimized out>)
     at gtype.c:3144
 #11 0x00000000004b6797 in pidgin_tooltip_timeout (data=0x7f0850c09c60)
     at pidgintooltip.c:271
 #12 0x0000003f2e837c5b in g_timeout_dispatch (source=<value optimized
 out>,
     callback=<value optimized out>, user_data=<value optimized out>)
     at gmain.c:3443
 #13 0x0000003f2e83749b in IA__g_main_context_dispatch (
     context=<value optimized out>) at gmain.c:2009
 #14 0x0000003f2e83ac7d in g_main_context_iterate (
     context=<value optimized out>, block=<value optimized out>,
     dispatch=<value optimized out>, self=<value optimized out>)
     at gmain.c:2642
 #15 0x0000003f2e83b1ad in IA__g_main_loop_run (loop=<value optimized out>)
     at gmain.c:2850
 #16 0x0000003f34183a98 in IA__gtk_main () at gtkmain.c:1163
 #17 0x0000000000481f5b in main (argc=1, argv=0x7fff68091a38) at
 gtkmain.c:890

 Thread 1 (Thread 0x7f0860064780 (LWP 11471)):
 #0  0x0000003f2dc0e835 in __libc_waitpid (pid=<value optimized out>,
     stat_loc=<value optimized out>, options=<value optimized out>)
     at ../sysdeps/unix/sysv/linux/waitpid.c:32
         oldtype = <value optimized out>
         result = <value optimized out>
 #1  0x0000003f2e86e849 in IA__g_spawn_sync (
     working_directory=<value optimized out>, argv=<value optimized out>,
     envp=<value optimized out>, flags=<value optimized out>,
     child_setup=<value optimized out>, user_data=<value optimized out>,
     standard_output=) at gspawn.c:374
         outpipe =
 The program is running.  Quit anyway (and detach it)? (y or n) [answered
 Y; input not from terminal]

 ----------- .xsession-errors ---------------------
 Please make sure to specify what you were doing at the time
 and post the backtrace from the core file.  If you do not know
 how to get the backtrace, please read the instructions at
 http://developer.pidgin.im/wiki/GetABacktrace
 If you need further assistance, please IM either SeanEgn or
 LSchiere (via AIM).  Contact information for Sean and Luke
 on other protocols is at
 http://developer.pidgin.im/wiki/DeveloperPages
 warning:
 "/usr/lib/debug/lib/modules/2.6.25.6-55.fc9.x86_64/vdso/vdso.so.debug":
 The separate debug info file has no debug info
 Could not find the frame base for "IA__g_spawn_sync".
 Could not find the frame base for "IA__g_spawn_sync".
 Could not find the frame base for "IA__g_spawn_sync".
 --------------------------------------------------
 }}}

 It is clear there that row_motion_cb() adds a timeout with its `userdata'
 parameter but the time the timeout gets invoked the `userdata' parameter
 content may get already deleted.  The handler `row_motion_cb' gets
 automatically discarded when the TREE object gets `destroy'ed but the
 already scheduled timeout is not removed and it later crashes on the
 already freed TREE object.

-- 
Ticket URL: <http://developer.pidgin.im/ticket/6229>
Pidgin <http://pidgin.im>
Pidgin