Bug 798256 - Crash in recnFinishCB
Summary: Crash in recnFinishCB
Status: RESOLVED FIXED
Alias: None
Product: GnuCash
Classification: Unclassified
Component: User Interface General
Version: 4.6
Hardware: PC Mac OS
Importance: Normal normal
Target Milestone: ---
Assignee: ui
QA Contact: ui
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-07-19 16:53 EDT by John Ralls
Modified: 2021-09-09 21:08 EDT

Description John Ralls 2021-07-19 16:53:59 EDT
After an accidental click somewhere in the post-reconcile transfer window when switching back to GnuCash.

Crashed Thread:        0  Dispatch queue: com.apple.main-thread

Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       EXC_I386_GPFLT
Exception Note:        EXC_CORPSE_NOTIFY

Termination Signal:    Segmentation fault: 11
Termination Reason:    Namespace SIGNAL, Code 0xb
Terminating Process:   exc handler [435]

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   libgobject-2.0.0.dylib        	0x0000000103c658d5 g_type_check_instance_cast + 37 (gtype.c:4114)
1   libgnc-gnome.dylib            	0x0000000102900cdb recnFinishCB + 155
2   libgobject-2.0.0.dylib        	0x0000000103c477e4 g_closure_invoke + 196 (gclosure.c:810)
3   libgobject-2.0.0.dylib        	0x0000000103c5e193 signal_emit_unlocked_R + 2195 (gsignal.c:3741)
4   libgobject-2.0.0.dylib        	0x0000000103c5efed g_signal_emit_valist + 2765 (gsignal.c:3497)
5   libgobject-2.0.0.dylib        	0x0000000103c5f4c2 g_signal_emit + 130 (gsignal.c:3553)
6   libgtk-3.0.dylib              	0x0000000102f4d044 _gtk_action_emit_activate + 68 (gtkaction.c:909)
7   libgtk-3.0.dylib              	0x0000000102ead26e button_clicked + 46 (gtktoolbutton.c:952)
8   libgobject-2.0.0.dylib        	0x0000000103c479cd _g_closure_invoke_va + 205 (gclosure.c:873)
9   libgobject-2.0.0.dylib        	0x0000000103c5e9fa g_signal_emit_valist + 1242 (gsignal.c:3406)
10  libgobject-2.0.0.dylib        	0x0000000103c5f4c2 g_signal_emit + 130 (gsignal.c:3553)
11  libgtk-3.0.dylib              	0x0000000102c43ed2 gtk_button_do_release + 42 (gtkbutton.c:1845) [inlined]
12  libgtk-3.0.dylib              	0x0000000102c43ed2 gtk_real_button_released + 274 (gtkbutton.c:1963)
13  libgobject-2.0.0.dylib        	0x0000000103c479cd _g_closure_invoke_va + 205 (gclosure.c:873)
14  libgobject-2.0.0.dylib        	0x0000000103c5e9fa g_signal_emit_valist + 1242 (gsignal.c:3406)
15  libgobject-2.0.0.dylib        	0x0000000103c5f4c2 g_signal_emit + 130 (gsignal.c:3553)
16  libgtk-3.0.dylib              	0x0000000102c445a8 multipress_released_cb + 104 (gtkbutton.c:666)
17  libgtk-3.0.dylib              	0x0000000102bf82a9 _gtk_marshal_VOID__INT_DOUBLE_DOUBLEv + 201 (gtkmarshalers.c:4804)
18  libgobject-2.0.0.dylib        	0x0000000103c479cd _g_closure_invoke_va + 205 (gclosure.c:873)
19  libgobject-2.0.0.dylib        	0x0000000103c5e9fa g_signal_emit_valist + 1242 (gsignal.c:3406)
20  libgobject-2.0.0.dylib        	0x0000000103c5f4c2 g_signal_emit + 130 (gsignal.c:3553)
21  libgtk-3.0.dylib              	0x0000000102d319a7 gtk_gesture_multi_press_end + 199 (gtkgesturemultipress.c:287)
22  libgobject-2.0.0.dylib        	0x0000000103c4b001 g_cclosure_marshal_VOID__BOXEDv + 177 (gmarshal.c:1686)
23  libgobject-2.0.0.dylib        	0x0000000103c479cd _g_closure_invoke_va + 205 (gclosure.c:873)
24  libgobject-2.0.0.dylib        	0x0000000103c5e9fa g_signal_emit_valist + 1242 (gsignal.c:3406)
25  libgobject-2.0.0.dylib        	0x0000000103c5f4c2 g_signal_emit + 130 (gsignal.c:3553)
26  libgtk-3.0.dylib              	0x0000000102d2f224 _gtk_gesture_check_recognized + 119 [inlined]
27  libgtk-3.0.dylib              	0x0000000102d2f224 gtk_gesture_handle_event + 756 (gtkgesture.c:778)
28  libgtk-3.0.dylib              	0x0000000102d33b1a gtk_gesture_single_handle_event + 618 (gtkgesturesingle.c:222)
29  libgtk-3.0.dylib              	0x0000000102ceb10c gtk_event_controller_handle_event + 156 (gtkeventcontroller.c:230)
30  libgtk-3.0.dylib              	0x0000000102f076ec _gtk_widget_run_controllers + 140 (gtkwidget.c:7443)
31  libgtk-3.0.dylib              	0x0000000102bf2085 _gtk_marshal_BOOLEAN__BOXEDv + 181 (gtkmarshalers.c:130)
32  libgobject-2.0.0.dylib        	0x0000000103c479cd _g_closure_invoke_va + 205 (gclosure.c:873)
33  libgobject-2.0.0.dylib        	0x0000000103c5e9fa g_signal_emit_valist + 1242 (gsignal.c:3406)
34  libgobject-2.0.0.dylib        	0x0000000103c5f4c2 g_signal_emit + 130 (gsignal.c:3553)
35  libgtk-3.0.dylib              	0x0000000102f07208 gtk_widget_event_internal + 248 (gtkwidget.c:7808)
36  libgtk-3.0.dylib              	0x0000000102d89edf propagate_event_up + 39 (gtkmain.c:2588) [inlined]
37  libgtk-3.0.dylib              	0x0000000102d89edf propagate_event + 182 (gtkmain.c:2691) [inlined]
38  libgtk-3.0.dylib              	0x0000000102d89edf gtk_propagate_event + 255 (gtkmain.c:2725)
39  libgtk-3.0.dylib              	0x0000000102d898d0 gtk_main_do_event + 1248 (gtkmain.c:1921)
40  libgdk-3.0.dylib              	0x00000001035863c1 _gdk_event_emit + 49 (gdkevents.c:73)
41  libgdk-3.0.dylib              	0x00000001035b2f62 gdk_event_dispatch + 50 (gdkeventloop-quartz.c:715)
42  libglib-2.0.0.dylib           	0x00000001026b2cec g_main_dispatch + 309 (gmain.c:3337) [inlined]
43  libglib-2.0.0.dylib           	0x00000001026b2cec g_main_context_dispatch + 348 (gmain.c:4055)
44  libglib-2.0.0.dylib           	0x00000001026b305d g_main_context_iterate + 525 (gmain.c:4131)
45  libglib-2.0.0.dylib           	0x00000001026b337a g_main_loop_run + 218 (gmain.c:4329)
46  libgtk-3.0.dylib              	0x0000000102d8927a gtk_main + 74 (gtkmain.c:1329)
47  libgnc-gnome-utils.dylib      	0x0000000102b1490c gnc_ui_start_event_loop + 76
48  org.gnucash.Gnucash           	0x000000010229ed3f scm_run_gnucash(void*, int, char**) + 1039
49  libguile-2.2.1.dylib          	0x00000001024df932 invoke_main_func + 34
50  libguile-2.2.1.dylib          	0x00000001024beb3f c_body + 15
51  libguile-2.2.1.dylib          	0x000000010254c34b vm_regular_engine + 1467
52  libguile-2.2.1.dylib          	0x000000010254aef5 scm_call_n + 773
53  libguile-2.2.1.dylib          	0x0000000102547922 catch + 498
54  libguile-2.2.1.dylib          	0x00000001024beb09 scm_c_with_continuation_barrier + 137
55  libguile-2.2.1.dylib          	0x000000010254748f with_guile + 63
56  libgc.1.dylib                 	0x000000010261fef6 GC_call_with_stack_base + 22
57  libguile-2.2.1.dylib          	0x00000001025454ab scm_with_guile + 43
58  libguile-2.2.1.dylib          	0x00000001024df8f5 scm_boot_guile + 69
59  org.gnucash.Gnucash           	0x000000010229e8d9 Gnucash::Gnucash::start(int, char**) + 617
60  org.gnucash.Gnucash           	0x000000010229f4f1 main + 1009
61  libdyld.dylib                 	0x00007fff2035df5d start + 1
Comment 1 John Ralls 2021-07-19 17:04:09 EDT
It's at https://github.com/Gnucash/gnucash/blob/f69ed3dab75f69258bea692b43309afc4ca1a3fa/gnucash/gnome/window-reconcile.c#L2264

libgnc-gnome.dylib[0xa5b97] <+119>: movl   $0x1, 0xa8(%r12)
libgnc-gnome.dylib[0xa5ba3] <+131>: movq   0x90(%r12), %rbx
libgnc-gnome.dylib[0xa5bab] <+139>: callq  0x9f340                   ; gnc_reconcile_view_get_type at reconcile-view.c:72
libgnc-gnome.dylib[0xa5bb0] <+144>: movq   %rbx, %rdi
libgnc-gnome.dylib[0xa5bb3] <+147>: movq   %rax, %rsi
libgnc-gnome.dylib[0xa5bb6] <+150>: callq  0xad134                   ; symbol stub for: g_type_check_instance_cast
libgnc-gnome.dylib[0xa5bbb] <+155>: movq   %rax, %rdi
libgnc-gnome.dylib[0xa5bbe] <+158>: movq   %r14, %rsi
libgnc-gnome.dylib[0xa5bc1] <+161>: callq  0xa03a0                   ; gnc_reconcile_view_commit at reconcile-view.c:851
libgnc-gnome.dylib[0xa5bc6] <+166>: movq   0x88(%r12), %rbx

Probably a use-after-free of recnData->commit.
Comment 2 John Ralls 2021-09-09 21:08:52 EDT
> Probably a use-after-free of recnData->commit.

It was. The first run of recnFinishCB creates a transfer window for the CC balance and destroys the reconcile window, which in turn frees the RecnWindow. I somehow managed to activate recnFinishCB again which tried to access that freed recnData, crashing as one would expect.

Fix is to make the RecnWindow actions not sensitive before destroying it.
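The failure mode in comment 2 and the fix described there, as an added model in plain C (not GnuCash code): a toolbar action whose callback destroys the RecnWindow it received as user_data, activated twice. Destroyed windows are only flagged rather than freed so the dangling access is counted instead of being undefined behaviour; the Action type, the quarantine and the counter are assumptions of this model, while the sensitivity check mirrors gtk_action_activate(), which does nothing for an insensitive action.

```c
/* Constructed model of the bug, not GnuCash code: a toolbar action whose callback
 * destroys the RecnWindow handed to it as user_data. Destroyed windows are only
 * flagged, not freed, so a dangling access is counted instead of being UB. */
typedef struct RecnWindow { int destroyed; int commits; } RecnWindow;
typedef struct Action {
    int sensitive;                                  /* gtk_action_set_sensitive() state */
    void (*callback)(struct Action *, RecnWindow *);
    RecnWindow *user_data;                          /* the recnData pointer */
} Action;

static int dangling_accesses;                       /* use-after-destroy counter */
static void recn_view_commit(RecnWindow *w)
{
    if (w->destroyed) { dangling_accesses++; return; }   /* what ASan would flag */
    w->commits++;
}

static void recn_window_destroy(RecnWindow *w) { w->destroyed = 1; }
/* Like gtk_action_activate(): an insensitive action does not emit "activate". */
static void action_activate(Action *a)
{
    if (a->sensitive)
        a->callback(a, a->user_data);
}

/* Before the fix: the first run destroys recnData but leaves the action live. */
static void recn_finish_cb_buggy(Action *a, RecnWindow *recnData)
{
    (void)a;
    recn_view_commit(recnData);
    recn_window_destroy(recnData);   /* RecnWindow is gone; the action still points at it */
}

/* After the fix: make the window's actions insensitive before destroying it. */
static void recn_finish_cb_fixed(Action *a, RecnWindow *recnData)
{
    recn_view_commit(recnData);
    a->sensitive = 0;                /* a second click can no longer reach the callback */
    recn_window_destroy(recnData);
}

/* Activate twice (the accidental second click); return the dangling-access count. */
static int run_scenario(void (*cb)(Action *, RecnWindow *))
{
    RecnWindow win = {0, 0};
    Action finish = {1, cb, &win};
    dangling_accesses = 0;
    action_activate(&finish);
    action_activate(&finish);
    return dangling_accesses;
}
```

Running the buggy callback reports one dangling access on the second activation; the fixed callback reports none because the action was desensitised before the window went away.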
