virt-manager: g_type_check_instance_cast(): python3.11 killed by SIGSEGV #501

Open
kparal opened this issue Mar 23, 2023 · 3 comments

kparal commented Mar 23, 2023

Distro: Fedora 38 Beta, virt-manager-4.1.0-2.fc38.noarch

Virt-manager keeps randomly crashing. There's a downstream Fedora bug containing tracebacks here:
https://bugzilla.redhat.com/show_bug.cgi?id=2175667

The latest traceback:

Core was generated by `/usr/bin/python3 /usr/bin/virt-manager'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  g_type_check_instance_cast (type_instance=type_instance@entry=0x55b64ec2fa60, iface_type=94241189159856) at ../gobject/gtype.c:4199
4199		  is_instantiatable = node && node->is_instantiatable;
[Current thread is 1 (Thread 0x7fe7b9f1c740 (LWP 74273))]
#0  g_type_check_instance_cast (type_instance=type_instance@entry=0x55b64ec2fa60, iface_type=94241189159856) at ../gobject/gtype.c:4199
        node = 0x303030307830
        iface = <optimized out>
        is_instantiatable = <optimized out>
        check = <optimized out>
#1  0x00007fe773bf52bf in registry_handle_global (data=0x55b64ec2fa60, registry=<optimized out>, name=31, interface=0x55b640306620 "wl_output", version=<optimized out>) at ../src/wayland-extensions.c:77
        widget = <optimized out>
#2  0x00007fe7ac585be6 in ffi_call_unix64 () at ../src/x86/unix64.S:104
No locals.
#3  0x00007fe7ac5824bf in ffi_call_int (cif=cif@entry=0x7ffef46da4f0, fn=<optimized out>, rvalue=<optimized out>, avalue=<optimized out>, closure=closure@entry=0x0) at ../src/x86/ffi64.c:673
        classes = {X86_64_INTEGERSI_CLASS, X86_64_NO_CLASS, 2891477568, 32743}
        stack = <optimized out>
        argp = 0x7ffef46da330 ""
        arg_types = <optimized out>
        gprcount = 5
        ssecount = <optimized out>
        ngpr = 1
        nsse = 0
        i = <optimized out>
        avn = <optimized out>
        flags = <optimized out>
        reg_args = <optimized out>
#4  0x00007fe7ac58518e in ffi_call (cif=cif@entry=0x7ffef46da4f0, fn=<optimized out>, rvalue=rvalue@entry=0x0, avalue=avalue@entry=0x7ffef46da5c0) at ../src/x86/ffi64.c:710
        arg_types = 0x7ffef46da510
        i = <optimized out>
        nargs = 5
        max_reg_struct_size = <optimized out>
#5  0x00007fe7a848ef1e in wl_closure_invoke (closure=closure@entry=0x55b640306540, target=<optimized out>, target@entry=0x55b642107160, opcode=opcode@entry=0, data=<optimized out>, flags=1) at ../src/connection.c:1025
        count = 3
        cif = {abi = FFI_UNIX64, nargs = 5, arg_types = 0x7ffef46da510, rtype = 0x7fe7ac5871a0 <ffi_type_void>, bytes = 0, flags = 0}
        ffi_types = {0x7fe7ac5872a0 <ffi_type_pointer>, 0x7fe7ac5872a0 <ffi_type_pointer>, 0x7fe7ac587240 <ffi_type_uint32>, 0x7fe7ac5872a0 <ffi_type_pointer>, 0x7fe7ac587240 <ffi_type_uint32>, 0x0, 0x55b64d1283d0, 0x7fe7a849385f, 0x7fe7a8496640 <wl_registry_events>, 0x0, 0x0, 0x7fe7ac360b40 <sysprof_collector_get+80>, 0x7ffef46da5d0, 0x7fe7a848e148 <wl_closure_init+248>, 0x7ffef46da5b0, 0xf0, 0xac587275, 0xc2b79d8e23d2bf00, 0x55b64f0ad278, 0x55b63cd8a548, 0x55b63cd8a548, 0x18}
        ffi_args = {0x7ffef46da4d0, 0x7ffef46da4d8, 0x55b640306558, 0x55b640306560, 0x55b640306568, 0x7fe7ab1875d4, 0x0, 0x7fe7ac41c3c0 <_pygi_closure_handle>, 0x55b63cd8a600, 0xc2b79d8e23d2bf00, 0x7ffe00000020, 0x7fe7ac36bb9e, 0x7fe7ac3630be, 0x7ffef46da6d0, 0x55b63c9df3d0, 0x55b64da33c20, 0x7ffef46da6c0, 0x7fe7ac36150e <sysprof_collector_mark_vprintf+62>, 0x55b600000000, 0xe3, 0x7ffef46da6d0, 0x7fe7ba5f16db <_int_free+539>}
        implementation = <optimized out>
#6  0x00007fe7a848f713 in dispatch_event (display=display@entry=0x55b63c9cd950, queue=0x55b63c9cda20) at ../src/wayland-client.c:1595
        closure = 0x55b640306540
        proxy = 0x55b642107160
        opcode = 0
        proxy_destroyed = <optimized out>
#7  0x00007fe7a848f8fc in dispatch_queue (queue=0x55b63c9cda20, display=0x55b63c9cd950) at ../src/wayland-client.c:1741
        count = 6
        count = <optimized out>
        err = <optimized out>
#8  wl_display_dispatch_queue_pending (display=0x55b63c9cd950, queue=0x55b63c9cda20) at ../src/wayland-client.c:1983
        ret = <optimized out>
#9  0x00007fe7a848f960 in wl_display_dispatch_pending (display=<optimized out>) at ../src/wayland-client.c:2046
No locals.
#10 0x00007fe7a8686860 in _gdk_wayland_display_queue_events (display=<optimized out>) at ../gdk/wayland/gdkeventsource.c:201
        display_wayland = <optimized out>
        source = 0x55b63c9f3810
        __func__ = "_gdk_wayland_display_queue_events"
#11 0x00007fe7a864b7fb in gdk_display_get_event (display=0x55b63c9d29f0) at ../gdk/gdkdisplay.c:442
        __func__ = "gdk_display_get_event"
#12 0x00007fe7a868bf8e in gdk_event_source_dispatch (base=<optimized out>, callback=<optimized out>, data=<optimized out>) at ../gdk/wayland/gdkeventsource.c:120
        source = <optimized out>
        display = 0x55b63c9d29f0
        event = <optimized out>
#13 0x00007fe7ac301788 in g_main_dispatch (context=0x55b63c9df3d0) at ../glib/gmain.c:3460
        dispatch = 0x7fe7a868bf70 <gdk_event_source_dispatch>
        prev_source = 0x0
        begin_time_nsec = 38030583835815
        was_in_call = 0
        user_data = 0x0
        callback = 0x0
        cb_funcs = 0x0
        cb_data = 0x0
        need_destroy = <optimized out>
        source = 0x55b63c9f3810
        current = 0x55b63c9df600
        i = 0
        current = <optimized out>
        i = <optimized out>
        __func__ = <optimized out>
        source = <optimized out>
        _g_boolean_var_165 = <optimized out>
        was_in_call = <optimized out>
        user_data = <optimized out>
        callback = <optimized out>
        cb_funcs = <optimized out>
        cb_data = <optimized out>
        need_destroy = <optimized out>
        dispatch = <optimized out>
        prev_source = <optimized out>
        begin_time_nsec = <optimized out>
        _g_boolean_var_166 = <optimized out>
#14 g_main_context_dispatch (context=0x55b63c9df3d0) at ../glib/gmain.c:4200
No locals.
#15 0x00007fe7ac35fdd8 in g_main_context_iterate.isra.0 (context=0x55b63c9df3d0, block=1, dispatch=1, self=<optimized out>) at ../glib/gmain.c:4276
        max_priority = 2147483647
        timeout = 2818
        some_ready = 1
        nfds = 40
        allocated_nfds = <optimized out>
        fds = <optimized out>
        begin_time_nsec = 38030548428569
#16 0x00007fe7ac2ff113 in g_main_context_iteration (context=context@entry=0x55b63c9df3d0, may_block=may_block@entry=1) at ../glib/gmain.c:4343
        retval = <optimized out>
#17 0x00007fe7ac09b95d in g_application_run (application=0x55b63cb6f030, argc=<optimized out>, argv=0x0) at ../gio/gapplication.c:2573
        arguments = 0x55b63cd05ed0
        status = 0
        context = 0x55b63c9df3d0
        acquired_context = <optimized out>
        __func__ = "g_application_run"
#18 0x00007fe7ac585be6 in ffi_call_unix64 () at ../src/x86/unix64.S:104
No locals.
#19 0x00007fe7ac5824bf in ffi_call_int (cif=cif@entry=0x55b63cd00f18, fn=<optimized out>, rvalue=<optimized out>, avalue=<optimized out>, closure=closure@entry=0x0) at ../src/x86/ffi64.c:673
        classes = {X86_64_INTEGER_CLASS, X86_64_NO_CLASS, 2836415744, 32743}
        stack = <optimized out>
        argp = 0x7ffef46da9a0 "\006"
        arg_types = <optimized out>
        gprcount = 3
        ssecount = <optimized out>
        ngpr = 1
        nsse = 0
        i = <optimized out>
        avn = <optimized out>
        flags = <optimized out>
        reg_args = <optimized out>
#20 0x00007fe7ac58518e in ffi_call (cif=cif@entry=0x55b63cd00f18, fn=<optimized out>, rvalue=rvalue@entry=0x7ffef46dab88, avalue=<optimized out>) at ../src/x86/ffi64.c:710
        arg_types = 0x55b63cc55a70
        i = <optimized out>
        nargs = 3
        max_reg_struct_size = <optimized out>
#21 0x00007fe7ac41d67b in pygi_invoke_c_callable (function_cache=0x55b63cd00e70, state=<optimized out>, py_args=<optimized out>, py_kwargs=<optimized out>) at ../gi/pygi-invoke.c:684
        _save = 0x7fe7ba513bf8 <_PyRuntime+166328>
        cache = 0x55b63cd00e70
        ffi_return_value = {v_boolean = 0, v_int8 = 0 '\000', v_uint8 = 0 '\000', v_int16 = 0, v_uint16 = 0, v_int32 = 0, v_uint32 = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, v_short = 0, v_ushort = 0, v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_ssize = 0, v_size = 0, v_string = 0x0, v_pointer = 0x0}
        ret = 0x0
#22 0x00007fe7ac41bfca in pygi_function_cache_invoke (py_kwargs=0x7fe7a89c4140, py_args=0x7fe7a4d4b4c0, function_cache=<optimized out>) at ../gi/pygi-cache.c:862
        state = {py_in_args = 0x7fe7a4d4b4c0, n_py_in_args = 2, n_args = 3, ffi_args = 0x55b63cb954f0, args = 0x55b63cb95490, return_arg = {v_boolean = 0, v_int8 = 0 '\000', v_uint8 = 0 '\000', v_int16 = 0, v_uint16 = 0, v_int32 = 0, v_uint32 = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, v_short = 0, v_ushort = 0, v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_ssize = 0, v_size = 0, v_string = 0x0, v_pointer = 0x0}, to_py_return_arg_cleanup_data = 0x0, error = 0x0, failed = 0, user_data = 0x0, function_ptr = 0x7fe7ac09b780 <g_application_run>}
#23 pygi_callable_info_invoke (user_data=0x0, cache=<optimized out>, kwargs=0x7fe7a89c4140, py_args=0x7fe7a4d4b4c0, info=<optimized out>) at ../gi/pygi-invoke.c:727
No locals.
#24 _wrap_g_callable_info_invoke (self=<optimized out>, py_args=0x7fe7a4d4b4c0, kwargs=0x7fe7a89c4140) at ../gi/pygi-invoke.c:764
No locals.
#25 0x00007fe7ba1e2f19 in _PyObject_Call (tstate=0x7fe7ba513bf8 <_PyRuntime+166328>, callable=0x7fe7ab49a530, args=0x7fe7a4d4b4c0, kwargs=<optimized out>) at /usr/src/debug/python3.11-3.11.2-1.fc38.x86_64/Objects/call.c:343
        call = 0x7fe7ac410420 <_function_info_call>
        result = <optimized out>
        vector_func = <optimized out>
...

taoky commented Mar 6, 2024

I could not find a quick and reliable way to reproduce this issue, but it crashes if it runs long enough in the background:

> virt-manager --no-fork
fish: Job 1, 'virt-manager --no-fork' terminated by signal SIGSEGV (Address boundary error)

And with an almost identical backtrace.

This looks like an issue in spice-gtk wayland-extensions.c, where the pointer data seems to be pointing to some non-GtkWidget objects, or those that have been freed. Sampled some recent coredumps of virt-manager locally:

Coredump 1:

>>> print *type_instance
$1 = {
  g_class = <error reading variable: Cannot access memory at address 0x303030307858>
}

Coredump 2:

>>> print *type_instance
$1 = {
  g_class = <error reading variable: Cannot access memory at address 0x5daea447b1c7>
}

Coredump 3:

>>> print *type_instance
$1 = {
  g_class = <error reading variable: Cannot access memory at address 0x2e6666c3fa1e1018>
}

Coredump 4:

>>> print *type_instance
$1 = {
  g_class = <error reading variable: Cannot access memory at address 0x32>
}

And interestingly, all coredumps I could find show that the interface arguments of registry_handle_global() are all "wl_output".
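
Added example, not part of the original comment or of the virt-manager or spice-gtk code: a small triage helper that classifies the bad pointer values quoted in this thread, showing that two of them are ASCII text rather than addresses, which is what a stale pointer into reused memory tends to look like. The function names and the classification thresholds are assumptions made for this illustration.

```python
import string
import struct

# Printable ASCII bytes, excluding control whitespace.
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")

# Pointer values copied from the gdb output quoted in this thread.
SAMPLES = {
    "original trace, node": 0x303030307830,
    "coredump 1": 0x303030307858,
    "coredump 2": 0x5DAEA447B1C7,
    "coredump 3": 0x2E6666C3FA1E1018,
    "coredump 4": 0x32,
}


def classify_pointer(value: int) -> tuple[str, str]:
    """Return (kind, detail) for a 64-bit value found where a pointer was expected."""
    raw = struct.pack("<Q", value)       # x86-64 stores pointers little-endian
    payload = raw.rstrip(b"\x00")
    if value < 0x10000:                  # assumed threshold for "never a valid mapping"
        return "near-null", f"small integer {value}"
    if len(payload) >= 4 and all(b in PRINTABLE for b in payload):
        return "ascii-text", payload.decode("ascii")
    top = value >> 47                    # bits 47..63 must be all 0 or all 1
    if top not in (0, 0x1FFFF):
        return "non-canonical", f"upper bits {top:#x}"
    if value % 8:                        # assumes heap objects are 8-byte aligned
        return "misaligned", f"offset {value % 8} from 8-byte alignment"
    return "address-like", hex(value)


def triage(samples: dict[str, int]) -> dict[str, tuple[str, str]]:
    """Classify every sample and keep the labels for reporting."""
    return {name: classify_pointer(v) for name, v in samples.items()}


if __name__ == "__main__":
    for name, (kind, detail) in triage(SAMPLES).items():
        print(f"{name:22} {kind:14} {detail}")
```

None of the five values classifies as a plausible object address, while the `type_instance` argument itself in the first trace (0x55b64ec2fa60) does.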


taoky commented Mar 28, 2024

I submitted an MR to spice-gtk: https://gitlab.freedesktop.org/spice/spice-gtk/-/merge_requests/125, and I believe that it could fix this crash under wayland.

Member

crobinso commented Apr 7, 2024

@taoky great job tracking this down and sending patches! much appreciated
