mate-desktop / mate-terminal

The MATE Terminal Emulator
http://www.mate-desktop.org
GNU General Public License v3.0

copy big amount of mate-terminal content causes immediate segmentation fault #422

Open L-U-T-i opened 1 year ago

L-U-T-i commented 1 year ago

Expected behaviour

mate-terminal not crashing

Actual behaviour

segfault of mate-terminal, all instances (3 windows in my recent case) closed immediately

Logged in messages: kernel: mate-terminal[3367]: segfault at 7f8d5bffa010 ip 00007f8e18d3fc41 sp 00007ffcfcb65f48 error 6 in libc.so.6 (deleted)[7f8e18c86000+176000]

Steps to reproduce the behaviour

Select unlimited scroll back in profile preferences. Launch something that produces really a lot of output lines (some builds for example - like qt-4 rebuild) in mate-terminal. Choose select all after, and right-click "copy" (or, choose that option in menu).

MATE general version

1.26.0 / 1.27.0 (noticed that also before, at least since 1.22 on...).

Package version

Custom build, but more or less the same as 'mate-terminal-1.26.0-2.el9'

Linux Distribution

Rocky Linux 9.1 (happened also in CentOS 8 and Rocky Linux 8.6 before)

Link to bugreport of your Distribution (requirement)

Custom build, can't report. I'm confident it happens also with EPEL RHEL-9 build.

cwendling commented 1 year ago

Could you please provide a backtrace with e.g. gdb? You can run a new instance under gdb like so for example: gdb -ex run --args mate-terminal --disable-factory

I myself do not see a crash copying 562080 lines of output. I see a temporary memory and CPU spike, but no crash -- but possibly your system has less memory and some allocation fails somewhere -- a backtrace would help.

Also note that for some reason here if I choose "Select all" it only selects the visible area, not the whole output. I had to manually go to the start, start the selection and shift-select to the end.

lukefromdc commented 1 year ago

The "select all" only selecting visible content came from a change in libvte. I use a custom compiled libvte with that commit reverted to make select all work.

lukefromdc commented 1 year ago

As I recall, the original reason "select all" was reconfigured to only select viewable text in libvte was specifically that it is possible with unlimited scrollback to overrun the buffer and cause a segfault. I didn't like that solution so I reverted it in local builds, I did not realize that a workaround existed to copy scrolled back text by other means or I would have used it

L-U-T-i commented 1 year ago

@cwendling,

I've run it as you've requested, the output is:

Thread 1 "mate-terminal" received signal SIGSEGV, Segmentation fault.
0x00007ffff6e15661 in __memmove_avx_unaligned_erms () from /lib64/libc.so.6
Missing separate debuginfos, use: dnf debuginfo-install at-spi2-atk-2.38.0-4.el9.x86_64 at-spi2-core-2.40.3-1.el9.x86_64 bzip2-libs-1.0.8-8.el9.x86_64 graphite2-1.3.14-9.el9.x86_64 gvfs-client-1.48.1-4.el9.x86_64 ibus-gtk3-1.5.25-2.el9.rocky.0.1.x86_64 ibus-libs-1.5.25-2.el9.rocky.0.1.x86_64 json-glib-1.6.6-1.el9.x86_64 keyutils-libs-1.6.1-4.el9.x86_64 krb5-libs-1.19.1-24.el9_1.x86_64 libXau-1.0.9-8.el9.x86_64 libXcomposite-0.4.5-7.el9.x86_64 libXcursor-1.2.0-7.el9.x86_64 libXdamage-1.1.5-7.el9.x86_64 libXfixes-5.0.3-16.el9.x86_64 libXi-1.7.10-8.el9.x86_64 libXinerama-1.1.4-10.el9.x86_64 libXrandr-1.5.2-8.el9.x86_64 libXrender-0.9.10-16.el9.x86_64 libblkid-2.37.4-9.el9.x86_64 libbrotli-1.0.9-6.el9.x86_64 libcap-2.48-8.el9.x86_64 libdatrie-0.2.13-4.el9.x86_64 libepoxy-1.5.5-4.el9.x86_64 libffi-3.4.2-7.el9.x86_64 libgcrypt-1.10.0-8.el9_0.x86_64 libidn2-2.3.0-7.el9.x86_64 libjpeg-turbo-2.0.90-5.el9.x86_64 libmount-2.37.4-9.el9.x86_64 libpng-1.6.37-12.el9.x86_64 libpsl-0.21.1-5.el9.x86_64 librsvg2-2.50.7-1.el9.x86_64 libselinux-3.4-3.el9.x86_64 libsoup-2.72.0-8.el9.x86_64 libstemmer-0-18.585svn.el9.x86_64 libtasn1-4.16.0-7.el9.x86_64 libthai-0.1.28-8.el9.x86_64 libunistring-0.9.10-15.el9.x86_64 libwayland-client-1.19.0-4.el9.x86_64 libxml2-2.9.13-2.el9.x86_64 lz4-libs-1.9.3-5.el9.x86_64 nettle-3.8-3.el9_0.x86_64 openssl-libs-3.0.1-43.el9_0.x86_64 p11-kit-0.24.1-2.el9.x86_64 pcre-8.44-3.el9.3.x86_64 pixman-0.40.0-5.el9.x86_64

Does it help, or do I have to install all those debuginfo packages?

I don't think memory should be an issue, considering it is a virtual machine with 12 GB of RAM reserved, and 16 GB top. System monitor reports less than 38% used by programs and less than 40% as cache. So, at least 20% unused all the time during crash.

@lukefromdc,

I haven't done anything like you mention, and still have "select all" available both in menu and in right click (actually selecting everything back to when terminal has been opened...). I've just more or less rebuilt Fedora (before) and/or EPEL 9 (recently) packages in the past (as said, noticing that since at least a couple of years ago...), with the following:

I also haven't modified RHEL vte291 package (which I believe provides 'libvte'), just installed Rocky Linux provided one. There is a patch 'vte291-cntnr-precmd-preexec-scroll.patch' contained within vte291-0.64.2-2.el9.src.rpm, so this may be it? But, in any case, it is a stock RHEL 9.1 package...

L-U-T-i commented 1 year ago

After installing glibc-debuginfo (and glibc-debugsource), I've got the following:

Thread 1 "mate-terminal" received signal SIGSEGV, Segmentation fault.
__memmove_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:279
279     VMOVU   %VEC(0), (%rdi)
(gdb)

L-U-T-i commented 1 year ago

backtrace:

(gdb) backtrace
#0  __memmove_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:279
#1  0x00007ffff6fb4129 in g_array_append_vals () from /lib64/libglib-2.0.so.0
#2  0x00007ffff7f89d70 in vte::terminal::Terminal::get_text(long, long, long, long, bool, bool, _GArray*) [clone .constprop.0] ()
   from /lib64/libvte-2.91.so.0
#3  0x00007ffff7f56a9b in vte::terminal::Terminal::widget_copy(vte::platform::ClipboardType, vte::platform::ClipboardFormat) ()
   from /lib64/libvte-2.91.so.0
#4  0x00007ffff7f6a601 in vte_terminal_select_all () from /lib64/libvte-2.91.so.0
#5  0x00007ffff70ddc7f in g_closure_invoke () from /lib64/libgobject-2.0.so.0
#6  0x00007ffff70f9f96 in signal_emit_unlocked_R () from /lib64/libgobject-2.0.so.0
#7  0x00007ffff70fb85a in g_signal_emit_valist () from /lib64/libgobject-2.0.so.0
#8  0x00007ffff70fba73 in g_signal_emit () from /lib64/libgobject-2.0.so.0
#9  0x00007ffff7970d8f in _gtk_action_emit_activate (action=0x555555ac10d0) at ../gtk/deprecated/gtkaction.c:909
#10 0x00007ffff70fb92a in g_signal_emit_valist () from /lib64/libgobject-2.0.so.0
#11 0x00007ffff70fba73 in g_signal_emit () from /lib64/libgobject-2.0.so.0
#12 0x00007ffff79248dc in gtk_widget_activate (widget=0x555555af5b00) at ../gtk/gtkwidget.c:7845
#13 0x00007ffff77de8ee in gtk_menu_shell_activate_item (menu_shell=0x555555ad2b50, menu_item=0x555555af5b00, force_deactivate=<optimized out>)
    at ../gtk/gtkmenushell.c:1375
#14 0x00007ffff77ded41 in gtk_menu_shell_button_release (widget=<optimized out>, event=<optimized out>) at ../gtk/gtkmenushell.c:791
#15 0x00007ffff76575b8 in _gtk_marshal_BOOLEAN__BOXEDv (closure=0x5555556408c0, return_value=0x7fffffffd940, instance=<optimized out>, 
    args=<optimized out>, marshal_data=<optimized out>, n_params=<optimized out>, param_types=0x5555555eda90) at gtk/gtkmarshalers.c:130
#16 0x00007ffff70fb92a in g_signal_emit_valist () from /lib64/libgobject-2.0.so.0
#17 0x00007ffff70fba73 in g_signal_emit () from /lib64/libgobject-2.0.so.0
#18 0x00007ffff793b5c4 in gtk_widget_event_internal.part.0.lto_priv.0 (widget=0x555555ad2b50, event=0x7fffd800cd00) at ../gtk/gtkwidget.c:7812
#19 0x00007ffff77c7b90 in propagate_event_up (topmost=<optimized out>, event=<optimized out>, widget=0x555555ad2b50) at ../gtk/gtkmain.c:2588
#20 propagate_event (widget=<optimized out>, event=0x7fffd800cd00, captured=<optimized out>, topmost=0x0) at ../gtk/gtkmain.c:2691
#21 0x00007ffff77c897a in gtk_main_do_event (event=<optimized out>) at ../gtk/gtkmain.c:1921
#22 gtk_main_do_event (event=<optimized out>) at ../gtk/gtkmain.c:1691
#23 0x00007ffff7505033 in _gdk_event_emit (event=0x7fffd800cd00) at ../gdk/gdkevents.c:73
#24 _gdk_event_emit (event=0x7fffd800cd00) at ../gdk/gdkevents.c:67
#25 0x00007ffff754fa56 in gdk_event_source_dispatch (source=<optimized out>, callback=<optimized out>, user_data=<optimized out>)
    at ../gdk/x11/gdkeventsource.c:367
#26 0x00007ffff6fe4d4f in g_main_context_dispatch () from /lib64/libglib-2.0.so.0
#27 0x00007ffff7039608 in g_main_context_iterate.constprop () from /lib64/libglib-2.0.so.0
#28 0x00007ffff6fe4463 in g_main_loop_run () from /lib64/libglib-2.0.so.0
#29 0x00007ffff77c40ed in gtk_main () at ../gtk/gtkmain.c:1329
#30 0x000055555556ef3f in main (argc=<optimized out>, argv=<optimized out>)
    at /usr/src/debug/mate-terminal-1.27.0-0.1.el9.ml.x86_64/src/terminal.c:576
(gdb)

L-U-T-i commented 1 year ago

(gdb) bt full
#0  __memmove_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:279
No locals.
#1  0x00007ffff6fb4129 in g_array_append_vals () from /lib64/libglib-2.0.so.0
No symbol table info available.
#2  0x00007ffff7f89d70 in vte::terminal::Terminal::get_text(long, long, long, long, bool, bool, _GArray*) [clone .constprop.0] ()
   from /lib64/libvte-2.91.so.0
No symbol table info available.
#3  0x00007ffff7f56a9b in vte::terminal::Terminal::widget_copy(vte::platform::ClipboardType, vte::platform::ClipboardFormat) ()
   from /lib64/libvte-2.91.so.0
No symbol table info available.
#4  0x00007ffff7f6a601 in vte_terminal_select_all () from /lib64/libvte-2.91.so.0
No symbol table info available.
#5  0x00007ffff70ddc7f in g_closure_invoke () from /lib64/libgobject-2.0.so.0
No symbol table info available.
#6  0x00007ffff70f9f96 in signal_emit_unlocked_R () from /lib64/libgobject-2.0.so.0
No symbol table info available.
#7  0x00007ffff70fb85a in g_signal_emit_valist () from /lib64/libgobject-2.0.so.0
No symbol table info available.
#8  0x00007ffff70fba73 in g_signal_emit () from /lib64/libgobject-2.0.so.0
No symbol table info available.
#9  0x00007ffff7970d8f in _gtk_action_emit_activate (action=0x555555ac10d0) at ../gtk/deprecated/gtkaction.c:909
        group = 0x5555556c4620
#10 0x00007ffff70fb92a in g_signal_emit_valist () from /lib64/libgobject-2.0.so.0
No symbol table info available.
#11 0x00007ffff70fba73 in g_signal_emit () from /lib64/libgobject-2.0.so.0
No symbol table info available.
#12 0x00007ffff79248dc in gtk_widget_activate (widget=0x555555af5b00) at ../gtk/gtkwidget.c:7845
        __func__ = "gtk_widget_activate"
#13 0x00007ffff77de8ee in gtk_menu_shell_activate_item (menu_shell=0x555555ad2b50, menu_item=0x555555af5b00, force_deactivate=<optimized out>) at ../gtk/gtkmenushell.c:1375
        slist = <optimized out>
        shells = 0x55555608fa90
        deactivate = <optimized out>
        __func__ = "gtk_menu_shell_activate_item"
#14 0x00007ffff77ded41 in gtk_menu_shell_button_release (widget=<optimized out>, event=<optimized out>) at ../gtk/gtkmenushell.c:791
        menu_item = 0x555555af5b00
        deactivate = 1
        submenu = <optimized out>
        popup_time = <optimized out>
        usec_since_popup = <optimized out>
        current_time = {tv_sec = <optimized out>, tv_usec = <optimized out>}
        menu_shell = 0x555555ad2b50
        priv = 0x555555ad29f0
#15 0x00007ffff76575b8 in _gtk_marshal_BOOLEAN__BOXEDv (closure=0x5555556408c0, return_value=0x7fffffffd940, instance=<optimized out>, args=<optimized out>, marshal_data=<optimized out>, n_params=<optimized out>, param_types=0x5555555eda90) at gtk/gtkmarshalers.c:130
        cc = <optimized out>
        data1 = 0x555555ad2b50
        data2 = <optimized out>
        callback = 0x7ffff77cf240 <gtk_menu_button_release>
        v_return = <optimized out>
        arg0 = 0x7fffd800cd00
        args_copy = {{gp_offset = 32, fp_offset = 48, overflow_arg_area = 0x7fffffffdad0, reg_save_area = 0x7fffffffda10}}
        __func__ = "_gtk_marshal_BOOLEAN__BOXEDv"
#16 0x00007ffff70fb92a in g_signal_emit_valist () from /lib64/libgobject-2.0.so.0
No symbol table info available.
#17 0x00007ffff70fba73 in g_signal_emit () from /lib64/libgobject-2.0.so.0
No symbol table info available.
#18 0x00007ffff793b5c4 in gtk_widget_event_internal.part.0.lto_priv.0 (widget=0x555555ad2b50, event=0x7fffd800cd00) at ../gtk/gtkwidget.c:7812
        signal_num = <optimized out>
        return_val = <optimized out>
        handled = 0
        __func__ = {<optimized out> <repeats 26 times>}
#19 0x00007ffff77c7b90 in propagate_event_up (topmost=<optimized out>, event=<optimized out>, widget=0x555555ad2b50) at ../gtk/gtkmain.c:2588
        tmp = <optimized out>
        handled_event = <optimized out>
#20 propagate_event (widget=<optimized out>, event=0x7fffd800cd00, captured=<optimized out>, topmost=0x0) at ../gtk/gtkmain.c:2691
        handled_event = 0
        propagate_func = <optimized out>
#21 0x00007ffff77c897a in gtk_main_do_event (event=<optimized out>) at ../gtk/gtkmain.c:1921
        grab_widget = 0x555555af5b00
        window_group = 0x555555b39d60
        rewritten_event = <optimized out>
        device = 0x555555632800
        tmp_list = <optimized out>
        event_widget = <optimized out>
        topmost_widget = <optimized out>
        event_widget = <optimized out>
        grab_widget = <optimized out>
        topmost_widget = <optimized out>
        window_group = <optimized out>
        rewritten_event = <optimized out>
        device = <optimized out>
        tmp_list = <optimized out>
        cleanup = <optimized out>
        __func__ = {<optimized out> <repeats 18 times>}
        __inst = <optimized out>
        __t = <optimized out>
        __r = <optimized out>
        window = <optimized out>
        __inst = <optimized out>
        __t = <optimized out>
        __r = <optimized out>
        __inst = <optimized out>
        __t = <optimized out>
        __r = <optimized out>
        mnemonics_visible = <optimized out>
        window = <optimized out>
        __inst = <optimized out>
        __t = <optimized out>
        __r = <optimized out>
#22 gtk_main_do_event (event=<optimized out>) at ../gtk/gtkmain.c:1691
        event_widget = <optimized out>
        grab_widget = <optimized out>
        topmost_widget = <optimized out>
        window_group = <optimized out>
        rewritten_event = <optimized out>
        device = <optimized out>
        tmp_list = <optimized out>
        cleanup = <optimized out>
        __func__ = "gtk_main_do_event"
        __inst = <optimized out>
        __t = <optimized out>
        __r = <optimized out>
        window = <optimized out>
        __inst = <optimized out>
        __t = <optimized out>
        __r = <optimized out>
        __inst = <optimized out>
        __t = <optimized out>
        __r = <optimized out>
        mnemonics_visible = <optimized out>
        window = <optimized out>
        __inst = <optimized out>
        __t = <optimized out>
        __r = <optimized out>
#23 0x00007ffff7505033 in _gdk_event_emit (event=0x7fffd800cd00) at ../gdk/gdkevents.c:73
No locals.
#24 _gdk_event_emit (event=0x7fffd800cd00) at ../gdk/gdkevents.c:67
No locals.
#25 0x00007ffff754fa56 in gdk_event_source_dispatch (source=<optimized out>, callback=<optimized out>, user_data=<optimized out>) at ../gdk/x11/gdkeventsource.c:367
        display = <optimized out>
        event = 0x7fffd800cd00
#26 0x00007ffff6fe4d4f in g_main_context_dispatch () from /lib64/libglib-2.0.so.0
No symbol table info available.
#27 0x00007ffff7039608 in g_main_context_iterate.constprop () from /lib64/libglib-2.0.so.0
No symbol table info available.
#28 0x00007ffff6fe4463 in g_main_loop_run () from /lib64/libglib-2.0.so.0
No symbol table info available.
#29 0x00007ffff77c40ed in gtk_main () at ../gtk/gtkmain.c:1329
        loop = 0x5555555d9b90
#30 0x000055555556ef3f in main (argc=<optimized out>, argv=<optimized out>) at /usr/src/debug/mate-terminal-1.27.0-0.1.el9.ml.x86_64/src/terminal.c:576
        i = <optimized out>
        argv_copy = 0x5555555d37b0
        argc_copy = 2
        startup_id = <optimized out>
        home_dir = <optimized out>
        options = 0x5555555f7020
        error = 0x0
        working_directory = 0x5555555d3300 "\001"
        ret = 0
        display_name = 0x5555555db540 ":3"
(gdb)

L-U-T-i commented 1 year ago

BTW, redirecting a process ('rpmbuild -ba qt.spec') output to a log file shows that we are talking about a 441.9 MB text file (6.656.751 lines, according to 'wc -l').

lukefromdc commented 1 year ago

I don't think I've ever had anything but a kernel build produce THAT much text.

BTW, if the segfault is in libvte (around which mate-terminal is but a wrapper), we have no control over it here.

lukefromdc commented 1 year ago

Backtrace does in fact mention libvte, which does all the heavy lifting and is not maintained by us.