[1.15.5] regression: core dump when closing liferea with multiple tabs open (in Debian)

[paulgevers]

Since a while I have an autopkgtest 1 added to the Debian build of liferea. Most likely due to commit 5bf126b the test broke and due to the time_t transition that's currently ongoing I ignored the failure for some days. Today I debugged a bit, got the test to start up again and was surprised it causes a segmentation fault. As I was happily using 1.15.5 for daily use, it had to be something non-default. I figured out I could crash my normal instance too, if I opened multiple tabs (in my case, FAQ, Help Contents and Quick Reference) and then quit liferea. See the stack trace below.

I hope this report is useful, should be easy to reproduce.

Thread 1 "liferea" received signal SIGSEGV, Segmentation fault.
0x000055555559e1af in ?? ()
(gdb) bt full
#0  0x000055555559e1af in ?? ()
No symbol table info available.
#1  0x00007ffff0d48a8c in g_object_unref (_object=0x5555558d3500) at ../../../gobject/gobject.c:3941
        weak_locations = <optimized out>
        nqueue = 0x555556258ed0
        object = <optimized out>
        old_ref = <optimized out>
        retry_atomic_decrement1 = <optimized out>
        object = <optimized out>
        old_ref = <optimized out>
        __func__ = "g_object_unref"
        retry_atomic_decrement1 = <optimized out>
        _g_boolean_var_133 = <optimized out>
        gaig_temp = <optimized out>
        weak_locations = <optimized out>
        nqueue = <optimized out>
        gaig_temp = <optimized out>
        _pp = <optimized out>
        _ptr = <optimized out>
        gaig_temp = <optimized out>
        gaig_temp = <optimized out>
        _g_boolean_var_144 = <optimized out>
        _g_boolean_var_145 = <optimized out>
#2  g_object_unref (_object=0x5555558d3500) at ../../../gobject/gobject.c:3805
        object = 0x5555558d3500
        old_ref = <optimized out>
        __func__ = "g_object_unref"
        retry_atomic_decrement1 = <optimized out>
        gaig_temp = <optimized out>
        weak_locations = <optimized out>
        nqueue = <optimized out>
        gaig_temp = <optimized out>
        _pp = <optimized out>
--Type <RET> for more, q to quit, c to continue without paging--c
        _ptr = <optimized out>
        gaig_temp = <optimized out>
        gaig_temp = <optimized out>
        _g_boolean_var_144 = <optimized out>
        _g_boolean_var_145 = <optimized out>
#3  0x00005555555a64f3 in liferea_shell_destroy ()
No symbol table info available.
#4  0x00005555555830af in ?? ()
No symbol table info available.
#5  0x00007ffff0d43540 in g_closure_invoke (closure=0x55555560e390, return_value=0x0, n_param_values=1, param_values=0x7fffffffd700, 
    invocation_hint=0x7fffffffd650) at ../../../gobject/gclosure.c:832
        marshal = 0x7ffff0d458e0 <g_cclosure_marshal_VOID__VOID>
        marshal_data = 0x0
        in_marshal = 0
        real_closure = 0x55555560e370
        __func__ = "g_closure_invoke"
#6  0x00007ffff0d56afc in signal_emit_unlocked_R (node=node@entry=0x7fffffffd7b0, detail=detail@entry=0, instance=instance@entry=0x55555560c120, 
    emission_return=emission_return@entry=0x0, instance_and_params=instance_and_params@entry=0x7fffffffd700) at ../../../gobject/gsignal.c:3980
        tmp = <optimized out>
        handler = 0x55555560e330
        accumulator = <optimized out>
        emission = {next = 0x0, instance = 0x55555560c120, ihint = {signal_id = 7, detail = 0, 
            run_type = (G_SIGNAL_RUN_FIRST | G_SIGNAL_ACCUMULATOR_FIRST_RUN)}, state = EMISSION_RUN, chain_type = 4}
        class_closure = <optimized out>
        hlist = <optimized out>
        handler_list = 0x55555560e330
        return_accu = <optimized out>
        accu = {g_type = 0, data = {{v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, 
              v_pointer = 0x0}, {v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, 
              v_pointer = 0x0}}}
        signal_id = <optimized out>
        max_sequential_handler_number = <optimized out>
        return_value_altered = <optimized out>
        n_params = <optimized out>
        EMIT_RESTART = <optimized out>
        __func__ = "signal_emit_unlocked_R"
#7  0x00007ffff0d58501 in signal_emit_valist_unlocked (instance=instance@entry=0x55555560c120, signal_id=signal_id@entry=7, detail=detail@entry=0, 
    var_args=var_args@entry=0x7fffffffd910) at ../../../gobject/gsignal.c:3612
        instance_and_params = 0x7fffffffd700
        param_values = 0x7fffffffd718
        node = <optimized out>
        i = <optimized out>
        __func__ = "signal_emit_valist_unlocked"
        node_copy = {signal_id = 7, itype = 93824992962400, name = 0x7ffff0f3a8f7 "shutdown", destroyed = 0, flags = 2, n_params = 0, 
          single_va_closure_is_valid = 1, single_va_closure_is_after = 1, param_types = 0x0, return_type = 4, class_closure_bsa = 0x5555556080e0, 
          accumulator = 0x0, c_marshaller = 0x7ffff0d458e0 <g_cclosure_marshal_VOID__VOID>, 
          va_marshaller = 0x7ffff0d45970 <g_cclosure_marshal_VOID__VOIDv>, emission_hooks = 0x0, single_va_closure = 0x5555556087c0}
#8  0x00007ffff0d5e186 in g_signal_emit_valist (instance=0x55555560c120, signal_id=7, detail=0, var_args=0x7fffffffd910)
    at ../../../gobject/gsignal.c:3355
No locals.
#9  0x00007ffff0d5e243 in g_signal_emit (instance=instance@entry=0x55555560c120, signal_id=<optimized out>, detail=detail@entry=0)
    at ../../../gobject/gsignal.c:3675
        var_args = {{gp_offset = 24, fp_offset = 48, overflow_arg_area = 0x7fffffffd9f0, reg_save_area = 0x7fffffffd930}}
#10 0x00007ffff0ecad92 in g_application_run (application=0x55555560c120, argc=<optimized out>, argv=<optimized out>)
    at ../../../gio/gapplication.c:2583
        arguments = 0x55555560e7d0
        status = 0
        context = 0x55555560e850
        acquired_context = <optimized out>
        __func__ = "g_application_run"
#11 0x00005555555836f6 in liferea_application_new ()
No symbol table info available.
#12 0x00007ffff094d6ca in __libc_start_call_main (main=main@entry=0x555555574530 <main>, argc=argc@entry=1, argv=argv@entry=0x7fffffffdb78)
    at ../sysdeps/nptl/libc_start_call_main.h:58
        self = <optimized out>
        result = <optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {140737488345976, -4568258250732863009, 0, 140737488345992, 93824992802928, 140737354125312, 
                4568258249810248159, 4568242642060837343}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x7fffffffdb78, 0x7fffffffdb78}, data = {
              prev = 0x0, cleanup = 0x0, canceltype = -9352}}}
        not_first_call = <optimized out>
#13 0x00007ffff094d785 in __libc_start_main_impl (main=0x555555574530 <main>, argc=1, argv=0x7fffffffdb78, init=<optimized out>, 
    fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffdb68) at ../csu/libc-start.c:360
No locals.
#14 0x00005555555745d1 in _start ()
No symbol table info available.
(gdb)

[lwindolf]

I'm trying to reproduce it with the interact script, but I run into the following issue:

  [...]
  sleeping for 0.500000
  sleeping for 0.500000
  sleeping for 0.500000
  sleeping for 0.500000
  sleeping for 0.500000
  sleeping for 0.500000
  sleeping for 0.500000
  Translation not found for "View"
  Warning: /home/lars/git/liferea/./interact:147: The requested widget could not be focused: child with name="View":
        main()
  
  Traceback (most recent call last):
    File "/home/lars/git/liferea/./interact", line 147, in <module>
      main()
    File "/home/lars/git/liferea/./interact", line 102, in main
      click('View')
    File "/usr/lib/python3/dist-packages/dogtail/procedural.py", line 364, in __call__
      Click.node.click(button)
      ^^^^^^^^^^^^^^^^
  AttributeError: 'NoneType' object has no attribute 'click'

Is this some locale effect?

Also I cannot reproduce it manually.

[paulgevers]

Sorry, yes, I had to work around some changes. Can you try with the latest version if you didn't use that already: https://salsa.debian.org/debian/liferea/-/blob/master/debian/tests/interact?ref_type=heads

Wait, in that script I work around the crash with the <Control>w lines so comment those out. (line 158, 159 and 160)

[lwindolf]

Thanks, that helped me overcome it. Now I'm running into negative coordinates on "Fullscreen" and after "Contents". Do you know why those happen?

Clicking on [menu | Help]
raw click on Help [menu | Help] at (593.5,229.5)
Mouse button 1 click at (593.5,229.5)
searching for descendent of [menu | Help]: child with name="Contents" (attempt 0)
Clicking on [menu item | Contents]
raw click on Contents [menu item | Contents] at (-2147483647.5,-2147483647.5)
Traceback (most recent call last):
  File "/home/lars/git/liferea/./interact", line 170, in <module>
    main()
  File "/home/lars/git/liferea/./interact", line 115, in main
    click('Contents')
  File "/usr/lib/python3/dist-packages/dogtail/procedural.py", line 364, in __call__
    Click.node.click(button)
  File "/usr/lib/python3/dist-packages/dogtail/tree.py", line 466, in click
    rawinput.click(clickX, clickY, button)
  File "/usr/lib/python3/dist-packages/dogtail/rawinput.py", line 38, in click
    checkCoordinates(x, y)
  File "/usr/lib/python3/dist-packages/dogtail/rawinput.py", line 30, in checkCoordinates
    raise ValueError("Attempting to generate a mouse event at negative coordinates: (%s,%s)" % (x, y))
ValueError: Attempting to generate a mouse event at negative coordinates: (-2147483647.5,-2147483647.5)

[paulgevers]

Do you know why those happen?

No. What I noticed (but I assume you too) is that while the test is running you have to stop your work, as it's dogtail is really interacting with your environment and if you move focus and/or mouse position, things go wrong.