https://bugzilla.redhat.com/show_bug.cgi?id=1637856
Bug ID: 1637856
Summary: ibus-extension-gtk3 killed by SIGSEGV in Wayland
Product: Red Hat Enterprise Linux 8
Version: 8.0
Component: ibus
Keywords: i18n
Assignee: tfujiwar(a)redhat.com
Reporter: tfujiwar(a)redhat.com
QA Contact: qe-i18n-bugs(a)redhat.com
CC: bbarve(a)redhat.com, eng-i18n-bugs(a)redhat.com,
extras-qa(a)fedoraproject.org,
i18n-bugs(a)lists.fedoraproject.org,
shawn.p.huang(a)gmail.com, tfujiwar(a)redhat.com
Depends On: 1618682
Group: redhat
+++ This bug was initially created as a clone of Bug #1618682 +++
Description of problem: Installed rawhide at -
https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Worksta...
dated 13-03-2018.
Installation locale - ja_JP
In gedit, opened the emoji selector by pressing ctrl+shift+e. Tried to enter some
random keyboard input and ibus crashed. The following was the core backtrace
excerpt from gnome-abrt -
--- Additional comment from Bhushan Barve on 2018-08-27 08:37:53 EDT ---
Installed the required debuginfos and the following was generated -
---------------------------------------------
[test@localhost ~]$ gdb /usr/libexec/ibus-ui-emojier --ex r --ex bt --ex q
GNU gdb (GDB) Fedora 8.1.90.20180727-45.fc30
Thread 1 "ibus-ui-emojier" received signal SIGSEGV, Segmentation fault.
0x0000555555565961 in ibus_emojier_get_current_candidate (self=<optimized out>)
at emojier.c:7875
7875 _tmp7_ = g_strdup (_tmp6_);
#0 0x0000555555565961 in ibus_emojier_get_current_candidate (self=<optimized
out>) at emojier.c:7875
#1 0x0000555555566eb0 in ibus_emojier_real_key_press_event
(base=0x555555ab2440 [IBusEmojier], event=<optimized out>) at
emojier.c:8096
#2 0x00007ffff7c34d48 in _gtk_marshal_BOOLEAN__BOXEDv
(closure=0x5555555fdcd0, return_value=0x7fffffffd270, instance=<optimized
out>, args=<optimized out>, marshal_data=<optimized out>,
n_params=<optimized
out>, param_types=0x5555555b15f0) at gtkmarshalers.c:129
#3 0x00007ffff73e2066 in _g_closure_invoke_va
(closure=0x5555555fdcd0, return_value=0x7fffffffd270,
instance=0x555555ab2440, args=0x7fffffffd340, n_params=1,
param_types=0x5555555b15f0) at gclosure.c:873
#4 0x00007ffff73feda4 in g_signal_emit_valist
(instance=0x555555ab2440, signal_id=<optimized out>, detail=0,
var_args=var_args@entry=0x7fffffffd340)
at gsignal.c:3300
#5 0x00007ffff73ff923 in g_signal_emit
(instance=instance@entry=0x555555ab2440, signal_id=<optimized out>,
detail=detail@entry=0)
--Type <RET> for more, q to quit, c to continue without paging--
at gsignal.c:3447
#6 0x00007ffff7bda9b4 in gtk_widget_event_internal (widget=0x555555ab2440
[IBusEmojier], event=0x5555555c08e0)
at gtkwidget.c:7744
#7 0x00007ffff7a7b081 in propagate_event
(widget=0x555555ab2440 [IBusEmojier], event=0x5555555c08e0,
captured=<optimized out>, topmost=0x0)
at gtkmain.c:2675
#8 0x00007ffff7a7d17b in gtk_main_do_event (event=<optimized out>) at
gtkmain.c:1915
#9 0x00007ffff7734fd9 in _gdk_event_emit (event=event@entry=0x5555555c08e0) at
gdkevents.c:73
#10 0x00007ffff7799da6 in gdk_event_source_dispatch
(base=<optimized out>, callback=<optimized out>, data=<optimized
out>) at
gdkeventsource.c:124
#11 0x00007ffff73002ad in g_main_dispatch (context=0x5555555a8020) at
gmain.c:3182
#12 0x00007ffff73002ad in g_main_context_dispatch
(context=context@entry=0x5555555a8020) at gmain.c:3847
#13 0x00007ffff7300678 in g_main_context_iterate
(context=context@entry=0x5555555a8020, block=block@entry=1,
dispatch=dispatch@entry=1, self=<optimized out>) at gmain.c:3920
#14 0x00007ffff7300710 in g_main_context_iteration
(context=context@entry=0x5555555a8020, may_block=may_block@entry=1) at
gmain.c:3981
#15 0x00007ffff74d20b5 in g_application_run
(application=0x5555556cf240 [EmojiApplication], argc=<optimized out>,
argv=0x7fffffffd7c8)
at gapplication.c:2470
#16 0x000055555555e547 in emoji_application_main (args=<optimized out>,
args_length1=<optimized out>)
at emojierapp.c:756
#17 0x00007ffff70ef413 in __libc_start_main (main=
0x55555555d790 <main>, argc=1, argv=0x7fffffffd7c8, init=<optimized out>,
fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffd7b8) at
../csu/libc-start.c:308
#18 0x000055555555d7ce in _start () at emojierapp.c:767
A debugging session is active.
Inferior 1 [process 2527] will be killed.
Quit anyway? (y or n) n
Not confirmed.
(gdb) quit
A debugging session is active.
Inferior 1 [process 2527] will be killed.
Quit anyway? (y or n) y
------------------------------------------
Please check and see if this helps.
--- Additional comment from fujiwara on 2018-08-29 00:29:48 EDT ---
(In reply to Bhushan Barve from comment #2)
> Thread 1 "ibus-ui-emojier" received signal SIGSEGV,
> Segmentation fault.
> 0x0000555555565961 in ibus_emojier_get_current_candidate (self=<optimized
> out>) at emojier.c:7875
> 7875 _tmp7_ = g_strdup (_tmp6_);
I understand your problem happens when you type the Enter key from your backtrace.
But strdup() should work even if _tmp6_ is 0 and the backtrace might not help
to get the root cause.
I guess a buffer overflow might happen in your ibus and cause the SEGV.
Are you able to get more reproducing steps?
E.g. When I repeat to type Ctrl-Shift-e, "red", Space x 2, Enter, I don't
see any problems.
I guess you use GNOME Xorg?
Also I'd ask you to get values when you get SEGV with gdb:
(gdb) print _tmp0_
(gdb) print _tmp2_
(gdb) print _tmp3_
(gdb) print _tmp4_
(gdb) print _tmp5_
(gdb) print _tmp6_
(gdb) print ibus_lookup_table_get_number_of_candidates(_tmp3_)
(gdb) print self->priv->m_annotation
--- Additional comment from Bhushan Barve on 2018-08-29 03:22:48 EDT ---
(In reply to fujiwara from comment #3)
> Are you able to get more reproducing steps?
> E.g. When I repeat to type Ctrl-Shift-e, "red", Space x 2, Enter, I don't
> see any problems.
Yes, no issue here. However for the reproducer, please follow the steps as
below-
1. Launch gedit
2. Press ctrl + shift + e
3. press space
4. Select a category in the emoji window like 'flags'
5. Without selecting any flag, just press any text keys and hit enter.
The issue will reproduce.
> I guess you use GNOME Xorg?
Mine is Wayland session -
[test@localhost ~]$ loginctl
SESSION UID USER SEAT TTY
2 1000 test seat0 tty2
1 sessions listed.
[test@localhost ~]$ loginctl show-session 2
Id=2
User=1000
Name=test
Timestamp=Wed 2018-08-29 12:20:08 IST
TimestampMonotonic=107148947
VTNr=2
Seat=seat0
TTY=tty2
Remote=no
Service=gdm-password
Scope=session-2.scope
Leader=1451
Audit=2
Type=wayland
Class=user
Active=yes
State=active
IdleHint=no
IdleSinceHint=1535525814649649
IdleSinceHintMonotonic=513288522
LockedHint=no
--- Additional comment from Bhushan Barve on 2018-08-29 05:01:05 EDT ---
(In reply to fujiwara from comment #3)
> Also I'd ask you to get values when you get SEGV with gdb:
> (gdb) print _tmp0_
> (gdb) print _tmp2_
> (gdb) print _tmp3_
> (gdb) print _tmp4_
> (gdb) print _tmp5_
> (gdb) print _tmp6_
> (gdb) print ibus_lookup_table_get_number_of_candidates(_tmp3_)
> (gdb) print self->priv->m_annotation
here is the output -
(gdb) print _tmp0_
$1 = <optimized out>
(gdb) print _tmp2_
$2 = <optimized out>
(gdb) print _tmp3_
$3 = <optimized out>
(gdb) print _tmp4_
$4 = <optimized out>
(gdb) print _tmp5_
$5 = 0x0
(gdb) print _tmp6_
Cannot access memory at address 0x38
(gdb) print ibus_lookup_table_get_number_of_candidates(_tmp3_)
value has been optimized out
(gdb) print self->priv->m_annotation
value has been optimized out
(gdb)
--- Additional comment from Bhushan Barve on 2018-08-29 05:15:04 EDT ---
Thread 1 "ibus-ui-emojier" received signal SIGSEGV, Segmentation fault.
0x0000555555565961 in ibus_emojier_get_current_candidate (self=<optimized out>)
at emojier.c:7875
7875 _tmp7_ = g_strdup (_tmp6_);
#0 0x0000555555565961 in ibus_emojier_get_current_candidate (self=<optimized
out>) at emojier.c:7875
_tmp0_ = <optimized out>
cursor = <optimized out>
_tmp2_ = <optimized out>
_tmp3_ = <optimized out>
_tmp4_ = <optimized out>
_tmp5_ = 0x0
_tmp6_ = Python Exception <class 'gdb.MemoryError'> Cannot access memory at address 0x38:
--- Additional comment from fujiwara on 2018-08-29 05:41:38 EDT ---
(In reply to Bhushan Barve from comment #4)
> 1. Launch gedit
> 2. Press ctrl + shift + e
> 3. press space
> 4. Select a category in the emoji window like 'flags'
> 5. Without selecting any flag, just press any text keys and hit enter.
Thank you. I could reproduce the bug.
GtkEntry still exists internally in the previous ibus emojier and it cleans up
the emoji candidates with char key press and causes the bug.
Probably it's good to delete GtkEntry completely now.
(In reply to Bhushan Barve from comment #5)
> (gdb) print _tmp5_
> $5 = 0x0
Thank you. I got it.
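
Added example, not part of the bug thread and not ibus code: a constructed C model of the pattern the gdb values are consistent with (_tmp5_ = 0x0, then an access at address 0x38), where a cleared candidate table yields a NULL candidate and a field of it is read before the string copy. Candidate, LookupTable, the struct layout and all function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a candidate object, not the real ibus layout:
 * the padding puts `text` 0x38 bytes in, so reading it through a NULL
 * pointer touches address 0x38, as in the gdb output. */
typedef struct { char header[0x38]; char *text; } Candidate;
typedef struct { Candidate **items; size_t n_items, cursor; } LookupTable;

/* Returns NULL when the index is outside the table, e.g. once the
 * candidates have been cleared. */
static Candidate *table_get_candidate(const LookupTable *t, size_t i)
{
    return (t != NULL && i < t->n_items) ? t->items[i] : NULL;
}

/* Same contract as g_strdup(): NULL in, NULL out. */
static char *dup_or_null(const char *s)
{
    char *copy = s ? malloc(strlen(s) + 1) : NULL;
    return copy ? strcpy(copy, s) : NULL;
}

/* Address an unchecked `candidate->text` reads when candidate is NULL. */
size_t null_candidate_fault_address(void)
{
    return offsetof(Candidate, text);
}

/* Checked getter. Without the NULL test, `c->text` is evaluated first and
 * faults before the copy function is ever called. */
char *get_current_candidate(const LookupTable *t)
{
    Candidate *c = t ? table_get_candidate(t, t->cursor) : NULL;
    return c ? dup_or_null(c->text) : NULL;
}

int main(void)
{
    LookupTable cleared = { NULL, 0, 0 };   /* constructed: empty table */
    char *s = get_current_candidate(&cleared);
    printf("fault address 0x%zx, candidate %s\n",
           null_candidate_fault_address(), s ? s : "(none)");
    free(s);
    return 0;
}
```

Callers of the checked getter have to treat a NULL return as "no current candidate" instead of passing it on as a string.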
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1618682
[Bug 1618682] ibus-extension-gtk3 killed by SIGSEGV in Wayland