Opened 7 weeks ago

Closed 7 weeks ago

Last modified 7 weeks ago

#18533 closed defect (fixed)

'dataview' example crashes when deleting items from wxDataViewTreeCtrl

Reported by: ettl.martin Owned by: Vadim Zeitlin <vadim@…>
Priority: high Milestone: 3.1.3
Component: wxGTK Version: dev-latest
Keywords: wxDataViewTreeCtrl crash regression Cc: ettl.martin78@…
Blocked By: Blocking:
Patch: no

Description

Steps to reproduce:
1) Compile latest git-head (https://github.com/wxWidgets/wxWidgets/commit/a3212b35f6a92f75de64f58fb1ae01d254910055) on Ubuntu Linux 19.04 (64-bit) with default configuration.

$ mkdir builgtk && cd buildgtk && ./configure && make


2) Compile the 'dataview' sample with

   $ cd samples/dataview && make -f makefile.unx


3) Execute the sample

   $ ./dataview

4) Change to wxDataViewTreeCtrl tab and push the "Delete All" button, leading to a segmentation fault.

Our application heavily relies on wxDataViewTreeCtrl and we stuck on the previous version at the moment.

Here is a full backtrace:

backtrace:
#0  0x00005555558f2940 in  ()
#1  0x00007ffff7adffb2 in wxDataViewCtrlInternal::iter_children(_GtkTreeIter*, _GtkTreeIter*) () at /usr/local/lib/libwx_gtk2u_core-3.1.so.3
#2  0x00007ffff6de44e5 in  () at /lib/x86_64-linux-gnu/libgtk-x11-2.0.so.0
#3  0x00007ffff6de91f5 in  () at /lib/x86_64-linux-gnu/libgtk-x11-2.0.so.0
#4  0x00007ffff6df462c in gtk_tree_view_set_model () at /lib/x86_64-linux-gnu/libgtk-x11-2.0.so.0
#5  0x00007ffff7adad62 in wxDataViewCtrlInternal::UseModel(bool) () at /usr/local/lib/libwx_gtk2u_core-3.1.so.3
#6  0x00007ffff7adad8f in wxGtkDataViewModelNotifier::BeforeReset() () at /usr/local/lib/libwx_gtk2u_core-3.1.so.3
#7  0x00007ffff7ad62fa in wxGtkDataViewModelNotifier::Cleared() () at /usr/local/lib/libwx_gtk2u_core-3.1.so.3
#8  0x00007ffff7d22c01 in wxDataViewModel::Cleared() () at /usr/local/lib/libwx_gtk2u_core-3.1.so.3
#9  0x0000555555579abd in MyFrame::OnDeleteAllTreeItems(wxCommandEvent&) ()
#10 0x00007ffff7603bfe in wxEvtHandler::ProcessEventIfMatchesId(wxEventTableEntryBase const&, wxEvtHandler*, wxEvent&) () at /usr/local/lib/libwx_baseu-3.1.so.3
#11 0x00007ffff7603dcb in wxEventHashTable::HandleEvent(wxEvent&, wxEvtHandler*) () at /usr/local/lib/libwx_baseu-3.1.so.3
#12 0x00007ffff7604409 in wxEvtHandler::TryHereOnly(wxEvent&) () at /usr/local/lib/libwx_baseu-3.1.so.3
#13 0x00007ffff760448a in wxEvtHandler::ProcessEventLocally(wxEvent&) () at /usr/local/lib/libwx_baseu-3.1.so.3
#14 0x00007ffff7604591 in wxEvtHandler::ProcessEvent(wxEvent&) () at /usr/local/lib/libwx_baseu-3.1.so.3
#15 0x00007ffff7c29cbb in wxWindowBase::TryAfter(wxEvent&) () at /usr/local/lib/libwx_gtk2u_core-3.1.so.3
#16 0x00007ffff7c29cbb in wxWindowBase::TryAfter(wxEvent&) () at /usr/local/lib/libwx_gtk2u_core-3.1.so.3
#17 0x00007ffff7c29cbb in wxWindowBase::TryAfter(wxEvent&) () at /usr/local/lib/libwx_gtk2u_core-3.1.so.3
#18 0x00007ffff7605d97 in wxEvtHandler::SafelyProcessEvent(wxEvent&) () at /usr/local/lib/libwx_baseu-3.1.so.3
#19 0x00007ffff7a78112 in wxgtk_button_clicked_callback () at /usr/local/lib/libwx_gtk2u_core-3.1.so.3
#20 0x00007ffff673de8d in g_closure_invoke () at /lib/x86_64-linux-gnu/libgobject-2.0.so.0
#21 0x00007ffff6751054 in  () at /lib/x86_64-linux-gnu/libgobject-2.0.so.0
#22 0x00007ffff675a4ae in g_signal_emit_valist () at /lib/x86_64-linux-gnu/libgobject-2.0.so.0
#23 0x00007ffff675ab6f in g_signal_emit () at /lib/x86_64-linux-gnu/libgobject-2.0.so.0
#24 0x00007ffff6c51fb5 in  () at /lib/x86_64-linux-gnu/libgtk-x11-2.0.so.0
#25 0x00007ffff673de8d in g_closure_invoke () at /lib/x86_64-linux-gnu/libgobject-2.0.so.0
#26 0x00007ffff67516a4 in  () at /lib/x86_64-linux-gnu/libgobject-2.0.so.0
#27 0x00007ffff675a4ae in g_signal_emit_valist () at /lib/x86_64-linux-gnu/libgobject-2.0.so.0
#28 0x00007ffff675ab6f in g_signal_emit () at /lib/x86_64-linux-gnu/libgobject-2.0.so.0
#29 0x00007ffff6c50ef9 in  () at /lib/x86_64-linux-gnu/libgtk-x11-2.0.so.0
#30 0x00007ffff6cf7cfb in  () at /lib/x86_64-linux-gnu/libgtk-x11-2.0.so.0
#31 0x00007ffff673de8d in g_closure_invoke () at /lib/x86_64-linux-gnu/libgobject-2.0.so.0
#32 0x00007ffff6750dad in  () at /lib/x86_64-linux-gnu/libgobject-2.0.so.0
#33 0x00007ffff6759b9b in g_signal_emit_valist () at /lib/x86_64-linux-gnu/libgobject-2.0.so.0
#34 0x00007ffff675ab6f in g_signal_emit () at /lib/x86_64-linux-gnu/libgobject-2.0.so.0
#35 0x00007ffff6e0f00c in  () at /lib/x86_64-linux-gnu/libgtk-x11-2.0.so.0
#36 0x00007ffff6cf5f9c in gtk_propagate_event () at /lib/x86_64-linux-gnu/libgtk-x11-2.0.so.0
#37 0x00007ffff6cf638b in gtk_main_do_event () at /lib/x86_64-linux-gnu/libgtk-x11-2.0.so.0
#38 0x00007ffff6b66ccc in  () at /lib/x86_64-linux-gnu/libgdk-x11-2.0.so.0
#39 0x00007ffff66119ee in g_main_context_dispatch () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
#40 0x00007ffff6611c88 in  () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
#41 0x00007ffff6611f82 in g_main_loop_run () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
#42 0x00007ffff6cf53e7 in gtk_main () at /lib/x86_64-linux-gnu/libgtk-x11-2.0.so.0
#43 0x00007ffff7a0cb55 in wxGUIEventLoop::DoRun() () at /usr/local/lib/libwx_gtk2u_core-3.1.so.3
#44 0x00007ffff74d38ad in wxEventLoopBase::Run() () at /usr/local/lib/libwx_baseu-3.1.so.3
#45 0x00007ffff749e1a6 in wxAppConsoleBase::MainLoop() () at /usr/local/lib/libwx_baseu-3.1.so.3
#46 0x00007ffff751ff05 in wxEntry(int&, wchar_t**) () at /usr/local/lib/libwx_baseu-3.1.so.3
#47 0x000055555556d008 in main ()


registers:
rax            0x5555558b6e70      93824995782256
rbx            0x5555558b2d40      93824995765568
rcx            0x0                 0
rdx            0x5555558f2940      93824996026688
rsi            0x7fffffffc960      140737488341344
rdi            0x5555558b6e70      93824995782256
rbp            0x7fffffffca10      0x7fffffffca10
rsp            0x7fffffffc958      0x7fffffffc958
r8             0x55555580df38      93824995090232
r9             0x55555580df40      93824995090240
r10            0x55555580d6d8      93824995088088
r11            0xaaaaaaaaaaaaaaab  -6148914691236517205
r12            0x7fffffffc9a0      140737488341408
r13            0x7fffffffca10      140737488341520
r14            0x5555558b2cc0      93824995765440
r15            0x0                 0
rip            0x5555558f2940      0x5555558f2940
eflags         0x10202             [ IF RF ]
cs             0x33                51
ss             0x2b                43
ds             0x0                 0
es             0x0                 0
fs             0x0                 0
gs             0x0                 0


current instructions:
=> 0x5555558f2940:	add    %al,(%rax)
   0x5555558f2942:	add    %al,(%rax)
   0x5555558f2944:	add    %al,(%rax)
   0x5555558f2946:	add    %al,(%rax)
   0x5555558f2948:	xchg   %eax,%ecx
   0x5555558f2949:	add    %al,(%rax)
   0x5555558f294b:	add    %al,(%rax)
   0x5555558f294d:	add    %al,(%rax)
   0x5555558f294f:	add    %dl,0x1d(%rax)
   0x5555558f2952:	test   %dl,0x55(%rbp)
   0x5555558f2955:	push   %rbp
   0x5555558f2956:	add    %al,(%rax)
   0x5555558f2958:	lock movabs %al,0xc02000005555558b
   0x5555558f2962:	mov    0x55(%rbp),%dl
   0x5555558f2965:	push   %rbp
   0x5555558f2966:	add    %al,(%rax)


threads backtrace:

Thread 5 (Thread 0x7ffff2195700 (LWP 32517)):
#0  0x00007ffff71252e9 in syscall () at ../sysdeps/unix/sysv/linux/x86_64/syscall.S:38
#1  0x00007ffff665ca5a in g_cond_wait_until () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
#2  0x00007ffff65e30c1 in  () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
#3  0x00007ffff65e3681 in g_async_queue_timeout_pop () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
#4  0x00007ffff663b2e1 in  () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
#5  0x00007ffff663a87d in  () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
#6  0x00007ffff60bd182 in start_thread (arg=<optimized out>) at pthread_create.c:486
#7  0x00007ffff712bb1f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Thread 3 (Thread 0x7ffff3197700 (LWP 32514)):
#0  0x00007ffff711f729 in __GI___poll (fds=0x5555557ee630, nfds=3, timeout=-1) at ../sysdeps/unix/sysv/linux/poll.c:29
#1  0x00007ffff6611bf6 in  () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
#2  0x00007ffff6611f82 in g_main_loop_run () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
#3  0x00007ffff68f9e26 in  () at /lib/x86_64-linux-gnu/libgio-2.0.so.0
#4  0x00007ffff663a87d in  () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
#5  0x00007ffff60bd182 in start_thread (arg=<optimized out>) at pthread_create.c:486
#6  0x00007ffff712bb1f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Thread 2 (Thread 0x7ffff3998700 (LWP 32512)):
#0  0x00007ffff711f729 in __GI___poll (fds=0x5555557df590, nfds=2, timeout=-1) at ../sysdeps/unix/sysv/linux/poll.c:29
#1  0x00007ffff6611bf6 in  () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
#2  0x00007ffff6611d1c in g_main_context_iteration () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
#3  0x00007ffff6611d61 in  () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
#4  0x00007ffff663a87d in  () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
#5  0x00007ffff60bd182 in start_thread (arg=<optimized out>) at pthread_create.c:486
#6  0x00007ffff712bb1f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Thread 1 (Thread 0x7ffff471ea00 (LWP 31664)):
#0  0x00005555558f2940 in  ()
#1  0x00007ffff7adffb2 in wxDataViewCtrlInternal::iter_children(_GtkTreeIter*, _GtkTreeIter*) () at /usr/local/lib/libwx_gtk2u_core-3.1.so.3
#2  0x00007ffff6de44e5 in  () at /lib/x86_64-linux-gnu/libgtk-x11-2.0.so.0
#3  0x00007ffff6de91f5 in  () at /lib/x86_64-linux-gnu/libgtk-x11-2.0.so.0
#4  0x00007ffff6df462c in gtk_tree_view_set_model () at /lib/x86_64-linux-gnu/libgtk-x11-2.0.so.0
#5  0x00007ffff7adad62 in wxDataViewCtrlInternal::UseModel(bool) () at /usr/local/lib/libwx_gtk2u_core-3.1.so.3
#6  0x00007ffff7adad8f in wxGtkDataViewModelNotifier::BeforeReset() () at /usr/local/lib/libwx_gtk2u_core-3.1.so.3
#7  0x00007ffff7ad62fa in wxGtkDataViewModelNotifier::Cleared() () at /usr/local/lib/libwx_gtk2u_core-3.1.so.3
#8  0x00007ffff7d22c01 in wxDataViewModel::Cleared() () at /usr/local/lib/libwx_gtk2u_core-3.1.so.3
#9  0x0000555555579abd in MyFrame::OnDeleteAllTreeItems(wxCommandEvent&) ()
#10 0x00007ffff7603bfe in wxEvtHandler::ProcessEventIfMatchesId(wxEventTableEntryBase const&, wxEvtHandler*, wxEvent&) () at /usr/local/lib/libwx_baseu-3.1.so.3
#11 0x00007ffff7603dcb in wxEventHashTable::HandleEvent(wxEvent&, wxEvtHandler*) () at /usr/local/lib/libwx_baseu-3.1.so.3
#12 0x00007ffff7604409 in wxEvtHandler::TryHereOnly(wxEvent&) () at /usr/local/lib/libwx_baseu-3.1.so.3
#13 0x00007ffff760448a in wxEvtHandler::ProcessEventLocally(wxEvent&) () at /usr/local/lib/libwx_baseu-3.1.so.3
#14 0x00007ffff7604591 in wxEvtHandler::ProcessEvent(wxEvent&) () at /usr/local/lib/libwx_baseu-3.1.so.3
#15 0x00007ffff7c29cbb in wxWindowBase::TryAfter(wxEvent&) () at /usr/local/lib/libwx_gtk2u_core-3.1.so.3
#16 0x00007ffff7c29cbb in wxWindowBase::TryAfter(wxEvent&) () at /usr/local/lib/libwx_gtk2u_core-3.1.so.3
#17 0x00007ffff7c29cbb in wxWindowBase::TryAfter(wxEvent&) () at /usr/local/lib/libwx_gtk2u_core-3.1.so.3
#18 0x00007ffff7605d97 in wxEvtHandler::SafelyProcessEvent(wxEvent&) () at /usr/local/lib/libwx_baseu-3.1.so.3
#19 0x00007ffff7a78112 in wxgtk_button_clicked_callback () at /usr/local/lib/libwx_gtk2u_core-3.1.so.3
#20 0x00007ffff673de8d in g_closure_invoke () at /lib/x86_64-linux-gnu/libgobject-2.0.so.0
#21 0x00007ffff6751054 in  () at /lib/x86_64-linux-gnu/libgobject-2.0.so.0
#22 0x00007ffff675a4ae in g_signal_emit_valist () at /lib/x86_64-linux-gnu/libgobject-2.0.so.0
#23 0x00007ffff675ab6f in g_signal_emit () at /lib/x86_64-linux-gnu/libgobject-2.0.so.0
#24 0x00007ffff6c51fb5 in  () at /lib/x86_64-linux-gnu/libgtk-x11-2.0.so.0
#25 0x00007ffff673de8d in g_closure_invoke () at /lib/x86_64-linux-gnu/libgobject-2.0.so.0
#26 0x00007ffff67516a4 in  () at /lib/x86_64-linux-gnu/libgobject-2.0.so.0
#27 0x00007ffff675a4ae in g_signal_emit_valist () at /lib/x86_64-linux-gnu/libgobject-2.0.so.0
#28 0x00007ffff675ab6f in g_signal_emit () at /lib/x86_64-linux-gnu/libgobject-2.0.so.0
#29 0x00007ffff6c50ef9 in  () at /lib/x86_64-linux-gnu/libgtk-x11-2.0.so.0
#30 0x00007ffff6cf7cfb in  () at /lib/x86_64-linux-gnu/libgtk-x11-2.0.so.0
#31 0x00007ffff673de8d in g_closure_invoke () at /lib/x86_64-linux-gnu/libgobject-2.0.so.0
#32 0x00007ffff6750dad in  () at /lib/x86_64-linux-gnu/libgobject-2.0.so.0
#33 0x00007ffff6759b9b in g_signal_emit_valist () at /lib/x86_64-linux-gnu/libgobject-2.0.so.0
#34 0x00007ffff675ab6f in g_signal_emit () at /lib/x86_64-linux-gnu/libgobject-2.0.so.0
#35 0x00007ffff6e0f00c in  () at /lib/x86_64-linux-gnu/libgtk-x11-2.0.so.0
#36 0x00007ffff6cf5f9c in gtk_propagate_event () at /lib/x86_64-linux-gnu/libgtk-x11-2.0.so.0
#37 0x00007ffff6cf638b in gtk_main_do_event () at /lib/x86_64-linux-gnu/libgtk-x11-2.0.so.0
#38 0x00007ffff6b66ccc in  () at /lib/x86_64-linux-gnu/libgdk-x11-2.0.so.0
#39 0x00007ffff66119ee in g_main_context_dispatch () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
#40 0x00007ffff6611c88 in  () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
#41 0x00007ffff6611f82 in g_main_loop_run () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
#42 0x00007ffff6cf53e7 in gtk_main () at /lib/x86_64-linux-gnu/libgtk-x11-2.0.so.0
#43 0x00007ffff7a0cb55 in wxGUIEventLoop::DoRun() () at /usr/local/lib/libwx_gtk2u_core-3.1.so.3
#44 0x00007ffff74d38ad in wxEventLoopBase::Run() () at /usr/local/lib/libwx_baseu-3.1.so.3
#45 0x00007ffff749e1a6 in wxAppConsoleBase::MainLoop() () at /usr/local/lib/libwx_baseu-3.1.so.3
#46 0x00007ffff751ff05 in wxEntry(int&, wchar_t**) () at /usr/local/lib/libwx_baseu-3.1.so.3
#47 0x000055555556d008 in main ()

Change History (4)

comment:1 Changed 7 weeks ago by vadz

  • Component changed from GUI-all to wxGTK
  • Keywords regression added
  • Milestone set to 3.1.3
  • Status changed from new to confirmed

Thanks for reporting, this is almost certainly due to 5403ec4e086c4fbc3d9ee9bf4b38964a48357826 so I'll check how did I break it.

comment:2 Changed 7 weeks ago by Vadim Zeitlin <vadim@…>

  • Owner set to Vadim Zeitlin <vadim@…>
  • Resolution set to fixed
  • Status changed from confirmed to closed

In 7a980c455/git-wxWidgets:

Fix crash in wxDataViewTreeCtrl::DeleteAllItems() in wxGTK

Restore the checks for the model stamp, reverting the changes of
18594afe76efdadd1dd5d8a84fa7cafc9004ce62: we still need to ignore the
calls to at least iter_children() and iter_nth_child() model methods
that can be called from inside gtk_tree_view_set_model() when we reset
the model, as running these methods crashes when trying to use the
pointers to already deleted items.

For consistency and robustness, add checks for the model stamp to all
the methods and not just those two, just in case other ones end up being
called later in some way.

Also add a unit test checking that DeleteAllItems() doesn't crash and
does delete all items.

Closes #18533.

comment:3 Changed 7 weeks ago by ettl.martin

  • Cc ettl.martin78@… added

Thanks!

comment:4 Changed 7 weeks ago by Vadim Zeitlin <vadim@…>

In 7a980c455/git-wxWidgets:

Fix crash in wxDataViewTreeCtrl::DeleteAllItems() in wxGTK

Restore the checks for the model stamp, reverting the changes of
18594afe76efdadd1dd5d8a84fa7cafc9004ce62: we still need to ignore the
calls to at least iter_children() and iter_nth_child() model methods
that can be called from inside gtk_tree_view_set_model() when we reset
the model, as running these methods crashes when trying to use the
pointers to already deleted items.

For consistency and robustness, add checks for the model stamp to all
the methods and not just those two, just in case other ones end up being
called later in some way.

Also add a unit test checking that DeleteAllItems() doesn't crash and
does delete all items.

Closes #18533.

Note: See TracTickets for help on using tickets.