Bug 264270

Summary:

x11/tilda: Bus error (core dumped): vte_terminal_match_set_cursor_type(VteTerminal *, int, GdkCursorType): assertion 'tag >= 0' failed

Product:

Ports & Packages

Reporter:

iron.udjin

Component:

Individual Port(s)

Assignee:

Rodrigo Osorio <rodrigo>

Status:

Closed FIXED

Severity:

Affects Only Me

CC:

urtp5

Priority:

---

Keywords:

crash, needs-qa

Version:

Latest

Flags:

bugzilla: maintainer-feedback? (rodrigo)
koobs: merge-quarterly?

Hardware:

amd64

OS:

Any

Attachments:

Description	Flags
pkg version -v	none
pkg version -v	none
pkg info tilda	none
patch fix OOB memory access	none

Description iron.udjin 2022-05-27 01:13:23 UTC

OS: 13.1-STABLE 13-n250924-94cea2fc0761

$ tilda

(tilda:4575): VTE-CRITICAL **: 04:08:40.979: void vte_terminal_match_set_cursor_type(VteTerminal *, int, GdkCursorType): assertion 'tag >= 0' failed
Bus error (core dumped)

$ gdb `which tilda` /var/tmp/1001.tilda.core
...
Reading symbols from /usr/local/bin/tilda...
(No debugging symbols found in /usr/local/bin/tilda)
[New LWP 151992]
[New LWP 155533]
[New LWP 155534]
[New LWP 155535]
Core was generated by `tilda'.
Program terminated with signal SIGBUS, Bus error.
Object-specific hardware error.
#0  0x00000008012f4304 in strlen () from /lib/libc.so.7
[Current thread is 1 (LWP 151992)]
(gdb) bt
#0  0x00000008012f4304 in strlen () from /lib/libc.so.7
#1  0x0000000800f67d17 in g_strdup () from /usr/local/lib/libglib-2.0.so.0
#2  0x0000000800feda6f in ?? () from /usr/local/lib/libvte-2.91.so.0
#3  0x0000000800fee58e in vte_pty_spawn_with_fds_async () from /usr/local/lib/libvte-2.91.so.0
#4  0x000000080101ca1c in vte_terminal_spawn_with_fds_async () from /usr/local/lib/libvte-2.91.so.0
#5  0x000000080101ce0e in vte_terminal_spawn_async () from /usr/local/lib/libvte-2.91.so.0
#6  0x0000000000218c40 in ?? ()
#7  0x0000000000217e41 in ?? ()
#8  0x000000000021a676 in ?? ()
#9  0x000000000021a34c in ?? ()
#10 0x00000000002156e6 in ?? ()
#11 0x0000000000212f90 in ?? ()
#12 0x0000000000212e90 in ?? ()
#13 0x0000000000000000 in ?? ()

If I compille current version of tilda from https://github.com/lanoxx/tilda - everything works fine.

Comment 1 Kubilay Kocak freebsd_committer

2022-05-27 01:18:10 UTC

@Reporter Could you include additional information:

- full uname -a output (including kernel)
- pkg version -v output (as an attachment)
- pkg info tilda output (as an attachment)

Thanks!

Comment 2 iron.udjin 2022-05-27 01:21:26 UTC

(In reply to Kubilay Kocak from comment #1)

$ uname -a
FreeBSD IRON 13.1-STABLE FreeBSD 13.1-STABLE #0 stable/13-n250924-94cea2fc0761: Wed May 25 14:40:02 EEST 2022     root@IRON:/usr/obj/usr/src/amd64.amd64/sys/IRON amd64

$ pkg info tilda
tilda-1.5.0
Name           : tilda
Version        : 1.5.0
Installed on   : Fri May 27 00:29:49 2022 EEST
Origin         : x11/tilda
Architecture   : FreeBSD:13:amd64
Prefix         : /usr/local
Categories     : x11
Licenses       : GPLv2
Maintainer     : rodrigo@FreeBSD.org
WWW            : https://github.com/lanoxx/tilda
Comment        : Drop down x11 terminal with transparency support
Options        :
	DOCS           : off
Shared Libs required:
	libgio-2.0.so.0
	libconfuse.so.2
	libintl.so.8
	libglib-2.0.so.0
	libgobject-2.0.so.0
	libpango-1.0.so.0
	libgdk-3.so.0
	libgdk_pixbuf-2.0.so.0
	libgtk-3.so.0
	libvte-2.91.so.0
	libX11.so.6
Annotations    :
	FreeBSD_version: 1301503
Flat size      : 322KiB

Comment 3 iron.udjin 2022-05-27 01:22:33 UTC

Created attachment 234242 [details]
pkg version -v

Comment 4 Rodrigo Osorio freebsd_committer

2022-06-06 09:34:12 UTC

(In reply to iron.udjin from comment #3)

Is this a custom build on your own poudriere ?
I ask that because I can't see the repo details
I have on my own install:

  pkg info tilda
  tilda-1.5.0
  <<------------------
     skipped lines
  ------------------>>
Annotations    :
	FreeBSD_version: 1300139
	repo_type      : binary
	repository     : FreeBSD
Flat size      : 357KiB
Description    :
Tilda is a x11 terminal taking after the likeness of many classic
terminals from first person shooter games, Quake, Doom and Half-Life
to name a few, where the terminal has no border and is hidden from
the desktop till a key or keys is hit.

WWW: https://github.com/lanoxx/tilda

BTW tilda doesn't crash on my install (FreeBSD 13.0) but I need to test it in 13.1

Comment 5 iron.udjin 2022-06-06 20:15:10 UTC

(In reply to Rodrigo Osorio from comment #4)

It's my own build from ports (portmaster was used).

Comment 6 Yuri Dolgoruki 2022-10-30 08:13:44 UTC

Hi All!

I have a identical problem with my favourite terminal x11/tilda.

I have a fresh -CURRENT amd64 installation.
uname -a: FreeBSD BSD-RYZEN 14.0-CURRENT FreeBSD 14.0-CURRENT #0 main-n258754-9ca7ca92f3a: Tue Oct 25 02:07:23 +05 2022     urx@BSD-RYZEN:/usr/obj/usr/src/amd64.amd64/sys/BSDSERV amd64

And when I try to startup tilda, it segfaults with message:
(tilda:56739): VTE-CRITICAL **: 12:52:02.902: void vte_terminal_match_set_cursor_type(VteTerminal *, int, GdkCursorType): assertion 'tag >= 0' failed
Segmentation fault (core dumped)

As I try to search on internet, that error appears not only with FreeBSD or tilda, it appears on various linux-distro, and various utils. But none of these get a solution.

I have tilda and other pkg's installed from ports, but I'm also try to install them with pkg, and no success.

Comment 7 Yuri Dolgoruki 2022-10-30 08:15:32 UTC

Created attachment 237715 [details]
pkg version -v

pkg version -v output

Comment 8 Yuri Dolgoruki 2022-10-30 08:16:04 UTC

Created attachment 237716 [details]
pkg info tilda

pkg info tilda output

Comment 9 Rodrigo Osorio freebsd_committer

2022-10-30 15:35:01 UTC

Created attachment 237725 [details]
patch fix OOB memory access

After some investigations, the bug seems to be caused by a
misallocation in tilda code silently fixed but never released.

In file
https://github.com/lanoxx/tilda/blob/tilda-1-5/src/tilda_terminal.c
in start_default_shell function, if no "command_login_shell" was defined,
argv allocation has a wrong size of 1 instead of 2 (argv[O] and argv[1])

The issue wasn't easy to spot since it requires to build all the components
with debug symbols in order to have a clear understanding of the call chain.

A patch is ready and will be pushed by the end of the day

If you wanna try, you can fin the patch attached to this ticket
and a amd64 binary for fbsd13 here: https://people.freebsd.org/~rodrigo/tilda-1.5.0.pkg

Comment 10 iron.udjin 2022-10-30 15:45:01 UTC

(In reply to Rodrigo Osorio from comment #9)

I can confirm that the attached patch fixes tilda crash.

Comment 11 commit-hook freebsd_committer

2022-10-30 22:05:40 UTC

A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=4dbdc33a8d7e75b863ed5ccc34a072536b97ff2d

commit 4dbdc33a8d7e75b863ed5ccc34a072536b97ff2d
Author:     Rodrigo Osorio <rodrigo@FreeBSD.org>
AuthorDate: 2022-10-30 16:02:26 +0000
Commit:     Rodrigo Osorio <rodrigo@FreeBSD.org>
CommitDate: 2022-10-30 21:55:14 +0000

    x11/tilda: Fix OOB write in start_default_shell()

    The fix was committed to upstream in May 9, but no release was made
    for it until now.

    https://github.com/lanoxx/tilda/commit/51a980a55ad6d750daa21d43a66d44577dad277b

    Update Makefile to make portlint happy

    PR:             264270
    Reported by:    <iron.udjin@gmail.com>
    Tested by:      <iron.udjin@gmail.com>

 x11/tilda/Makefile                               | 15 +++++++++------
 x11/tilda/files/patch-src_tilda_terminal.c (new) | 11 +++++++++++
 2 files changed, 20 insertions(+), 6 deletions(-)

Comment 12 Rodrigo Osorio freebsd_committer

2022-10-30 22:06:45 UTC

Fixed, thanks for the report.