Crash in libmuffin-clutter (NULL pointer dereference)

[rainerjung]

Distribution

Linux Mint 22.2 Zara

Package version

Cinnamon 6.4.8+xia, libmuffin 6.4.1+xia

Graphics hardware in use

Intel Alder Lake-P Integrated Graphics, driver: i915, CPU 12th Gen Intel Core i5-1240P

Frequency

Quite often

Bug description

Cinnamon crashes in libmuffin-clutter-0.so.0.0.0. From kern.log:

cinnamon[62228]: segfault at 20 ip 0000790da361369b sp 00007ffc3022aa20 error 4 in libmuffin-clutter-0.so.0.0.0[790da35f5000+a4000] likely on CPU 9 (core 17, socket 0)

gdb info see below.

Steps to reproduce

The crash happens only when a new window is expected to appear. The Cinnamon crash popup appears and I can confirm the restart of cinnamon which again works as normal after a few seconds (and the new window can be seen and used).

It does not always happen for new windows but maybe about 5% of the time a new window is expected to appear.

Such windows can be libre office document windows, firefox windows, nemo windows etc.

Expected behavior

No crash.

Additional information

I do have about 17 core dumps from the last 14 days. The problem happens for me since a few years, so not directly related to Mint, Cinnamon or Muffin version. Although I can not be sure, that the root cause was always the same.

It happens with kernel 6.8 and kernel 6.14.

gdb info: all crashes show it happening in:

_clutter_actor_queue_only_relayout (self=0x0) at ../clutter/clutter/clutter-actor.c:9304

From "threads apply all bt full" in gdb:

Thread 1 (Thread 0x790d9c2a9680 (LWP 62228)):
#0  _clutter_actor_queue_only_relayout (self=0x0) at ../clutter/clutter/clutter-actor.c:9304
        priv = <optimized out>
#1  clutter_actor_add_child_internal (data=<optimized out>, add_func=<optimized out>, flags=<optimized out>, child=0x5ba87c2b8940, self=0x5ba8795ae320) at ../clutter/clutter/clutter-actor.c:13275
        emit_parent_set = <optimized out>
        emit_actor_added = <optimized out>
        text_dir = <optimized out>
        create_meta = <optimized out>
        notify_first_last = 1
        show_on_set_parent = <optimized out>
        old_first_child = 0x0
        obj = 0x5ba8795ae320
        check_state = <optimized out>
        old_last_child = <optimized out>
        text_dir = <optimized out>
        create_meta = <optimized out>
        emit_parent_set = <optimized out>
        emit_actor_added = <optimized out>
        check_state = <optimized out>
        notify_first_last = <optimized out>
        show_on_set_parent = <optimized out>
        old_first_child = <optimized out>
        old_last_child = <optimized out>
        obj = <optimized out>
        __func__ = {<optimized out> <repeats 33 times>}
        _g_boolean_var_137 = <optimized out>
#2  clutter_actor_add_child_internal (self=0x5ba8795ae320, child=0x5ba87c2b8940, flags=<optimized out>, add_func=<optimized out>, data=<optimized out>) at ../clutter/clutter/clutter-actor.c:13084
        text_dir = <optimized out>
        create_meta = <optimized out>
        emit_parent_set = <optimized out>
        emit_actor_added = <optimized out>
        check_state = <optimized out>
        notify_first_last = <optimized out>
        show_on_set_parent = <optimized out>
        old_first_child = <optimized out>
        old_last_child = <optimized out>
        obj = <optimized out>
        __func__ = "clutter_actor_add_child_internal"
        _g_boolean_var_137 = <optimized out>

Code in question (line 9304):

 9301 void
 9302 _clutter_actor_queue_only_relayout (ClutterActor *self)
 9303 {
 9304   ClutterActorPrivate *priv = self->priv;
 9305 

called from line 13275:

13083 static inline void
13084 clutter_actor_add_child_internal (ClutterActor              *self,
13085                                   ClutterActor              *child,
13086                                   ClutterActorAddChildFlags  flags,
13087                                   ClutterActorAddChildFunc   add_func,
13088                                   gpointer                   data)
13089 {
...
13187   g_object_ref_sink (child);
13188   child->priv->parent = NULL;
13189   child->priv->next_sibling = NULL;
13190   child->priv->prev_sibling = NULL;
13191     
13192   /* delegate the actual insertion */
13193   add_func (self, child, data);
13194       
13195   g_assert (child->priv->parent == self);
...
13271       /* we only queue a relayout here, because any possible
13272        * redraw has already been queued either by show() or
13273        * by our call to queue_redraw() above
13274        */
13275       _clutter_actor_queue_only_relayout (child->priv->parent);

Somehow child->priv->parent gets corrupted (NULL). I assume, although it is explicitly set to NULL in line 13188 it probably gets set to non-null in 13193, though I am not sure whether the g:assert() in 13195 is enabled.

I could try to add a NULL check at the beginning of _clutter_actor_queue_only_relayout() (returning from the function if self is NULL) and recompile the lib to see whether that helps. If you think that workaround is viable the result would be helpful, let me know. Of course it would be better to find out, why the pointer is NULL in the first place.

[mtwebster]

Have you tried creating a new user account on your machine to test this out with a clean configuration and no additional applets or extensions? Do you use any third party 'spices' in Cinnamon?

[rainerjung]

Thanks for your fast response.
I will try with a clean new user.
I am not aware of spices, but how would I double check? Could it be Desklet (I am using a German Desktop)? I had one 3rd-party Desklet installed but not active. I deinstalled it now.
When asked for a cinnamon restart I always confirm to disable addons/plugins (not sure what the exact formulation is) but the problem can happen again later in the same session.
Desktop and Windows Effects are disabled.

[rainerjung]

Note that the code around line 13275 was removed as part of bigger changes in GNOME mutter/clutter in revision 29caa5bea576ed056aa6c82de192426abe6019ae five years ago.

[rainerjung]

And a bit more from gdb:

#0  _clutter_actor_queue_only_relayout (self=0x0) at ../clutter/clutter/clutter-actor.c:9304
9304	in ../clutter/clutter/clutter-actor.c
(gdb) print self
$20 = 0x0
(gdb) up
#1  clutter_actor_add_child_internal (data=<optimized out>, add_func=<optimized out>, flags=<optimized out>, child=0x5ba87c2b8940, 
    self=0x5ba8795ae320) at ../clutter/clutter/clutter-actor.c:13275
13275	in ../clutter/clutter/clutter-actor.c
(gdb) print self
$21 = 0x5ba8795ae320
(gdb) print *self
$22 = {parent_instance = {g_type_instance = {g_class = Python Exception <class 'gdb.error'>: No type named TypeNode.
}, ref_count = 2, qdata = 0x5ba8795ae860}, flags = 20, private_flags = 0, 
  priv = 0x5ba8795adff0}
(gdb) print child
$23 = 0x5ba87c2b8940
(gdb) print *child
$24 = {parent_instance = {g_type_instance = {g_class = Python Exception <class 'gdb.error'>: No type named TypeNode.
}, ref_count = 1, qdata = 0x5ba87ac80cb0}, flags = 16, private_flags = 0, 
  priv = 0x5ba87c2b8610}
(gdb) print *self->priv
$25 = {request_mode = CLUTTER_REQUEST_HEIGHT_FOR_WIDTH, width_requests = {{age = 0, for_size = 0, min_size = 0, natural_size = 0}, {age = 0, 
      for_size = 0, min_size = 0, natural_size = 0}, {age = 0, for_size = 0, min_size = 0, natural_size = 0}}, height_requests = {{age = 0, 
      for_size = 0, min_size = 0, natural_size = 0}, {age = 0, for_size = 0, min_size = 0, natural_size = 0}, {age = 0, for_size = 0, 
      min_size = 0, natural_size = 0}}, cached_height_age = 1114, cached_width_age = 2026, allocation = {x1 = 6, y1 = 6, x2 = 70, y2 = 70}, 
  allocation_flags = CLUTTER_ABSOLUTE_ORIGIN_CHANGED, clip = {origin = {x = 0, y = 0}, size = {width = 0, height = 0}}, transform = {xx = 1, 
    yx = 0, zx = 0, wx = 0, xy = 0, yy = 1, zy = 0, wy = 0, xz = 0, yz = 0, zz = 1, wz = 0, xw = 6, yw = 6, zw = 0, ww = 1, private_member_inv = {
      0 <repeats 16 times>}, private_member_type = 0, private_member_flags = 1284, private_member__padding3 = 0}, resource_scale = 1, 
  opacity = 255 '\377', opacity_override = -1, inhibit_culling_counter = 0, offscreen_redirect = 0, flatten_effect = 0x0, parent = 0x5ba8795ab880, 
  prev_sibling = 0x5ba8795add70, next_sibling = 0x5ba8795af940, first_child = 0x5ba87ac7a930, last_child = 0x5ba87ac7a930, n_children = 1, 
  age = 657, name = 0x5ba879592dc0 "appMenuIcon", pango_context = 0x0, text_direction = CLUTTER_TEXT_DIRECTION_LTR, actions = 0x0, 
  constraints = 0x0, effects = 0x0, layout_manager = 0x5ba8795ae640, content = 0x0, content_box = {x1 = 0, y1 = 0, x2 = 0, y2 = 0}, 
  content_gravity = CLUTTER_CONTENT_GRAVITY_RESIZE_FILL, min_filter = CLUTTER_SCALING_FILTER_LINEAR, mag_filter = CLUTTER_SCALING_FILTER_LINEAR, 
  content_repeat = CLUTTER_REPEAT_NONE, current_effect = 0x0, effect_to_redraw = 0x0, next_effect_to_paint = 0x0, paint_volume = {
    actor = 0x5ba8795ae320, vertices = {{x = 0, y = 0, z = 0}, {x = 64, y = 0, z = 0}, {x = 0, y = 0, z = 0}, {x = 0, y = 64, z = 0}, {x = 0, 
        y = 0, z = 0}, {x = 0, y = 0, z = 0}, {x = 0, y = 0, z = 0}, {x = 0, y = 0, z = 0}}, is_static = 1, is_empty = 0, is_complete = 0, 
    is_2d = 1, is_axis_aligned = 1}, last_paint_volume = {actor = 0x0, vertices = {{x = 0, y = 0, z = 0}, {x = 0, y = 0, z = 0}, {x = 0, y = 0, 
        z = 0}, {x = 0, y = 0, z = 0}, {x = 0, y = 0, z = 0}, {x = 0, y = 0, z = 0}, {x = 0, y = 0, z = 0}, {x = 0, y = 0, z = 0}}, is_static = 1, 
    is_empty = 1, is_complete = 1, is_2d = 1, is_axis_aligned = 1}, queue_redraw_entry = 0x0, bg_color = {red = 0 '\000', green = 0 '\000', 
    blue = 0 '\000', alpha = 0 '\000'}, clones = 0x0, in_cloned_branch = 0, child_model = 0x0, create_child_func = 0x0, create_child_data = 0x0, 
  create_child_notify = 0x0, resolution_changed_id = 0, font_changed_id = 0, position_set = 0, min_width_set = 0, min_height_set = 0, 
  natural_width_set = 0, natural_height_set = 0, needs_width_request = 1, needs_height_request = 1, needs_allocation = 1, show_on_set_parent = 1, 
  has_clip = 0, clip_to_allocation = 0, enable_model_view_transform = 1, enable_paint_unmapped = 0, has_pointer = 0, has_key_focus = 0, 
  propagated_one_redraw = 1, paint_volume_valid = 1, last_paint_volume_valid = 1, in_clone_paint = 0, transform_valid = 1, is_dirty = 1, 
  bg_color_set = 0, content_box_valid = 0, x_expand_set = 0, y_expand_set = 0, needs_compute_expand = 0, needs_x_expand = 0, needs_y_expand = 0, 
  needs_paint_volume_update = 1, had_effects_on_last_paint_volume_update = 0, needs_compute_resource_scale = 1}
(gdb) print *child->priv
$26 = {request_mode = CLUTTER_REQUEST_HEIGHT_FOR_WIDTH, width_requests = {{age = 0, for_size = 0, min_size = 0, natural_size = 0}, {age = 0, 
      for_size = 0, min_size = 0, natural_size = 0}, {age = 0, for_size = 0, min_size = 0, natural_size = 0}}, height_requests = {{age = 0, 
      for_size = 0, min_size = 0, natural_size = 0}, {age = 0, for_size = 0, min_size = 0, natural_size = 0}, {age = 0, for_size = 0, 
      min_size = 0, natural_size = 0}}, cached_height_age = 1, cached_width_age = 1, allocation = {x1 = 0, y1 = 0, x2 = 0, y2 = 0}, 
  allocation_flags = CLUTTER_ALLOCATION_NONE, clip = {origin = {x = 0, y = 0}, size = {width = 0, height = 0}}, transform = {xx = 0, yx = 0, 
    zx = 0, wx = 0, xy = 0, yy = 0, zy = 0, wy = 0, xz = 0, yz = 0, zz = 0, wz = 0, xw = 0, yw = 0, zw = 0, ww = 0, private_member_inv = {
      0 <repeats 16 times>}, private_member_type = 0, private_member_flags = 0, private_member__padding3 = 0}, resource_scale = -1, 
  opacity = 255 '\377', opacity_override = -1, inhibit_culling_counter = 0, offscreen_redirect = 0, flatten_effect = 0x0, parent = 0x0, 
  prev_sibling = 0x0, next_sibling = 0x0, first_child = 0x0, last_child = 0x0, n_children = 0, age = 0, name = 0x0, pango_context = 0x0, 
  text_direction = CLUTTER_TEXT_DIRECTION_LTR, actions = 0x0, constraints = 0x0, effects = 0x0, layout_manager = 0x0, content = 0x0, 
  content_box = {x1 = 0, y1 = 0, x2 = 0, y2 = 0}, content_gravity = CLUTTER_CONTENT_GRAVITY_RESIZE_FILL, 
  min_filter = CLUTTER_SCALING_FILTER_LINEAR, mag_filter = CLUTTER_SCALING_FILTER_LINEAR, content_repeat = CLUTTER_REPEAT_NONE, 
  current_effect = 0x0, effect_to_redraw = 0x0, next_effect_to_paint = 0x0, paint_volume = {actor = 0x0, vertices = {{x = 0, y = 0, z = 0}, {
        x = 0, y = 0, z = 0}, {x = 0, y = 0, z = 0}, {x = 0, y = 0, z = 0}, {x = 0, y = 0, z = 0}, {x = 0, y = 0, z = 0}, {x = 0, y = 0, z = 0}, {
        x = 0, y = 0, z = 0}}, is_static = 0, is_empty = 0, is_complete = 0, is_2d = 0, is_axis_aligned = 0}, last_paint_volume = {actor = 0x0, 
    vertices = {{x = 0, y = 0, z = 0}, {x = 0, y = 0, z = 0}, {x = 0, y = 0, z = 0}, {x = 0, y = 0, z = 0}, {x = 0, y = 0, z = 0}, {x = 0, y = 0, 
        z = 0}, {x = 0, y = 0, z = 0}, {x = 0, y = 0, z = 0}}, is_static = 1, is_empty = 1, is_complete = 1, is_2d = 1, is_axis_aligned = 1}, 
  queue_redraw_entry = 0x0, bg_color = {red = 0 '\000', green = 0 '\000', blue = 0 '\000', alpha = 0 '\000'}, clones = 0x0, in_cloned_branch = 0, 
  child_model = 0x0, create_child_func = 0x0, create_child_data = 0x0, create_child_notify = 0x0, resolution_changed_id = 0, font_changed_id = 0, 
  position_set = 0, min_width_set = 0, min_height_set = 0, natural_width_set = 0, natural_height_set = 0, needs_width_request = 1, 
  needs_height_request = 1, needs_allocation = 1, show_on_set_parent = 1, has_clip = 0, clip_to_allocation = 0, enable_model_view_transform = 1, 
  enable_paint_unmapped = 0, has_pointer = 0, has_key_focus = 0, propagated_one_redraw = 0, paint_volume_valid = 0, last_paint_volume_valid = 1, 
  in_clone_paint = 0, transform_valid = 0, is_dirty = 0, bg_color_set = 0, content_box_valid = 0, x_expand_set = 0, y_expand_set = 0, 
  needs_compute_expand = 0, needs_x_expand = 0, needs_y_expand = 0, needs_paint_volume_update = 1, had_effects_on_last_paint_volume_update = 0, 
  needs_compute_resource_scale = 1}
(gdb) print child->priv->parent
$27 = 0x0

[JotaRandom]

I'm trying to reproduce it on a HD3000 (Intel) and I can't.

For the record I did s fresh install of Arch Linux and I tested it on X11 and Wayland unsuccessfully.

Since Arch doesn't ship Mint-themes neither icons by default i use Adwaita and the Adwaita default theme.

Did you where doing something before the crash (I mean previous session) or did you use some custom theme? Did you deleted muffins/cinnamon related config before running it from Wayland/X11?

[rainerjung]

Thanks for the attempt. Note that here it is happening on Linux Mint, not Arch Linux. I am not aware of either using custom theme or anything special else. The only slightly exotic thing is a scaling config for the screen of 150% due to the high screen resolution.

In my process table I see Xorg, not Wayland.

I am pretty sure I did not delete muffin/cinnamon configs.

I did in-line updates from Linux Mint 20 to 21 to 22 over the years,

I don't exactly understand the question "Did you where doing something before the crash (I mean previous session) ". As already noted, the crashes only happen when opening new Windows (but only in about 2-5% of such window opens). It could be a new Firefox Windows, a new Nemo Window, a new Remmina Windows etc. I expect it to be a race situation, so no easy reproduction scenario.

[JotaRandom]

I asked and mentioned Arch because in Arch we did have something similar and was due to a missing dependency (libibus).

now, for my question, "before crashing you where doing something?" i mean, like using dual monitor or running a video, or something that may interact and use GPU.

also since you mentioned went from 20 to 21 and 22 i will try doing something like that on another system to test.

[rainerjung]

No, nothing special. It happens out of the blue. I rarely use video or dual monitors.

I hope, that the code stacks will help. At least it seems the null pointer is "proven", just that we don't know what the root cause is. But hardening with a null check might at least prevent the crashes.

[JotaRandom]

I tried an install of 21 then upgrade way up to even 22 (Installed, open all the apps at least once then upgrade and again).

What I get it sometimes the apps don't open and I need to clic them twice, but that may be a totally different issue.

Therefore I can't reproduce at least on my available hardware.