The crash appears to be caused by glib 2.37 or newer and does affect Ubuntu 13.10 and Fedora 20.
After some investigation we found that the problem stops happening if one line in terminal-encoding-action.c is commented:
/* category item */
item = gtk_menu_item_new_with_label (_(terminal_encodings_names[n]));
gtk_menu_shell_append (GTK_MENU_SHELL (menu), item);
//groups = g_slist_prepend (groups, item); <-- THIS LINE
submenu = gtk_menu_new ();
The cause seems to be as follows:
The encoding menu uses radio menu items to indicate which encoding is currently active. Radio items are mutually exclusive - only one item can be active in a given group. 'groups' is used to store the group of radio items.
The encoding menu is also categorized into submenus. The category menu items are NOT radio items, but they are still added to the radio group. It seems that having a non-radio item in a radio group was not a problem with gtk 2.36, but causes a segfault in gtk 2.38.
Simply not adding the category menu items to the radio group (i.e. commenting out that one line) makes the bug not happen, and does not seem to affect the functionality of the program at all.
Looking deeper at this, the whole function seems fishy.
According to https://developer.gnome.org/gtk2/stable/GtkRadioMenuItem.html, the correct way to construct a radio item group is like this:
GSList *group = NULL;
item1 = gtk_radio_menu_item_new_with_label (group, "This is an example");
group = gtk_radio_menu_item_get_group (GTK_RADIO_MENU_ITEM (item1));
item2 = gtk_radio_menu_item_new_with_label (group, "This is an example");
group = gtk_radio_menu_item_get_group (GTK_RADIO_MENU_ITEM (item2));
gtk_radio_menu_item_new does this (pseudocode):
tmp_list = group;
radio_menu_item->group = g_slist_prepend (group, radio_menu_item);
for each tmp_menu_item in tmp_list:
    tmp_menu_item->group = radio_menu_item->group;
g_slist_prepend does this:
new_list = _g_slist_alloc ();
new_list->data = data;
new_list->next = list;
In xfce4-terminal, instead of:
group = gtk_radio_menu_item_get_group (GTK_RADIO_MENU_ITEM (item));
the code does:
group = g_slist_prepend (group, item);
This produces a list with the same VALUES, but it is NOT the same list as what is stored inside the item. The two lists have a different first node, because prepending the same data again creates a new node. Both of the first nodes point to the same tail. The list inside the item is overwritten when the next item is created, and so this causes a memory leak, as the first node is not in the new list (it's a different one with the same value).
Luckily the fix is very simple: just do what the example code does.
This also fully explains the crash: tmp_menu_item->group = radio_menu_item->group; segfaults if radio_menu_item is not a radio menu item.
Created attachment 5186
Fix up encoding menu creation.
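To make the difference between the two construction patterns concrete, here is an added example in plain C. It is not code from xfce4-terminal or from GTK; it models GSList/g_slist_prepend and the GtkRadioMenuItem group-sharing loop with small stand-in types so it runs without glib or GTK, and it counts list nodes that are still allocated after the shared group list is freed (the leak described above) and the number of times the loop would write a group pointer into a non-radio item (the crash described above). The names build_encoding_group, radio_item_new, nodes_live and bad_member_writes are this example's own, not GTK API.

```c
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for GSList / g_slist_prepend: a new node whose next is the old head. */
typedef struct SList { void *data; struct SList *next; } SList;

static int nodes_live = 0;        /* list nodes currently allocated (example bookkeeping) */
static int bad_member_writes = 0; /* group writes aimed at a non-radio item (example bookkeeping) */

static SList *slist_prepend(SList *list, void *data)
{
    SList *n = malloc(sizeof *n);
    n->data = data;
    n->next = list;
    nodes_live++;
    return n;
}

static void slist_free(SList *l)
{
    while (l) { SList *next = l->next; free(l); nodes_live--; l = next; }
}

static int slist_length(const SList *l)
{
    int n = 0;
    for (; l; l = l->next) n++;
    return n;
}

/* Model of GtkMenuItem vs GtkRadioMenuItem: only the radio item carries a group. */
enum { MENU_ITEM, RADIO_MENU_ITEM };
typedef struct { int kind; const char *label; } MenuItem;
typedef struct { MenuItem parent; SList *group; } RadioMenuItem;

/* Model of gtk_radio_menu_item_new_with_label: prepend self to the group, then
 * point every existing member at the new head. GTK performs the write without
 * checking the member's type; this model counts the bad write instead of doing it. */
static RadioMenuItem *radio_item_new(SList *group, const char *label)
{
    RadioMenuItem *item = calloc(1, sizeof *item);
    item->parent.kind = RADIO_MENU_ITEM;
    item->parent.label = label;
    item->group = slist_prepend(group, item);
    for (SList *l = group; l; l = l->next) {
        if (((MenuItem *)l->data)->kind != RADIO_MENU_ITEM) { bad_member_writes++; continue; }
        ((RadioMenuItem *)l->data)->group = item->group;
    }
    return item;
}

typedef struct { int length; int head_shared; int leaked; } GroupResult;

/* Build n radio items the documented way (use_get_group = 1: refresh `group`
 * from the item) or the xfce4-terminal way (0: prepend the item a second time). */
static GroupResult build_encoding_group(int n, int use_get_group)
{
    GroupResult r = {0, 0, 0};
    RadioMenuItem *items[64];
    SList *group = NULL;
    if (n < 1) return r;
    if (n > 64) n = 64;
    nodes_live = 0;
    for (int i = 0; i < n; i++) {
        items[i] = radio_item_new(group, "encoding");
        group = use_get_group ? items[i]->group            /* gtk_radio_menu_item_get_group */
                              : slist_prepend(group, items[i]); /* same values, new head node */
    }
    r.length = slist_length(items[n - 1]->group);
    r.head_shared = (group == items[n - 1]->group);
    slist_free(items[n - 1]->group);  /* the one list GTK frees when the items are destroyed */
    r.leaked = nodes_live;            /* orphaned heads plus the stray local head, if any */
    for (int i = 0; i < n; i++) free(items[i]);
    return r;
}

/* A plain menu item (the category entry) placed in the radio group, as xfce4-terminal did. */
static int writes_into_category_item(void)
{
    bad_member_writes = 0;
    MenuItem *category = calloc(1, sizeof *category);
    category->kind = MENU_ITEM;
    SList *group = slist_prepend(NULL, category);
    RadioMenuItem *enc = radio_item_new(group, "UTF-8"); /* loop visits the category item */
    slist_free(enc->group);
    free(enc);
    free(category);
    return bad_member_writes;
}

int main(void)
{
    GroupResult ok = build_encoding_group(3, 1), bad = build_encoding_group(3, 0);
    printf("documented: length=%d head_shared=%d leaked=%d\n", ok.length, ok.head_shared, ok.leaked);
    printf("xfce4-terminal: length=%d head_shared=%d leaked=%d\n", bad.length, bad.head_shared, bad.leaked);
    printf("group writes aimed at the category item: %d\n", writes_into_category_item());
    return 0;
}
```

Both patterns yield a group of the same length with the same members, which is why the menu still works; only the documented pattern leaves the local variable and every item pointing at one list with zero stray nodes. The last function shows why the category item matters: once it sits in the group list, the next radio item's constructor loop reaches it and writes a group pointer into an object that has no such field.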
Patch works for me, too. Please ship it! :)
Maybe if you aren't getting enough attention you want to drop this to the mailing list.
And yes, that patch works here too for glib2 2.38.1, and since this is a .1 release of glib, this means that the fix belongs to xfce.
Could you import that patch to master?
*** Bug 10412 has been marked as a duplicate of this bug. ***