eog crashed with SIGSEGV in geis_dispatch_events()

StacktraceTop:
 geis_backend_multiplexor_pump (mx=0x7c893024) at geis_backend_multiplexor.c:177
 geis_dispatch_events (geis=0x8072030) at geis.c:878
 geis_event_dispatch (instance=0xa510d88) at geis_v1.c:555
 ?? () from /tmp/tmpADuTHF/usr/lib/libgrip.so.0
 g_io_unix_dispatch (source=0xa583b38, callback=0x46b020, user_data=0xa3f3638) at /build/buildd/glib2.0-2.29.16/./glib/giounix.c:166

libutouch crash, reassigning.

I just tried eog and evince, and they are both crashing on start up.

I was afraid this was hitting many people, but apparently not. I have found the memory corruption bug that is crashing eog and evince on my machine, but it looks like it requires having three or more multitouch devices connected at once. As such, I'm lowering the severity.

Fyodor,

We pushed a commit to the utouch-grail development branch that fixes a memory corruption bug. Can you do the following to test:

$ sudo add-apt-repository ppa:utouch-team/daily
$ sudo apt-get update
$ sudo apt-get install libutouch-geis1

Test for crashing and post results here.

$ sudo ppa-purge ppa:utouch-team/daily

Thanks!

I just saw this crash and I have no multitouch devices... just a standard keyboard and mouse.

Chase: I updated using the PPA and still see the crash. I ran valgrind on eog and it crashed after reading from some freed memory. Log attached - though some of the symbols appear to be missing.

Seem to be able to reproduce by running eog multiple times from the command line.

Also saw this error once on the command line:

(eog:7799): GLib-GIO-CRITICAL **: GDBus.Error:org.freedesktop.DBus.Error.NoReply: Message did not receive a reply (timeout by message bus)

Actually it looks like it crashed after trying to write to a very suspicious address:

Address 0xaaaaaaaaaaaaaac2 is not stack'd, malloc'd or (recently) free'd

The valgrind traceback shows libgrip is trying to use a geis instance it has already disposed of. I suspect the problem may lie in libgrip in this case.

I installed the dbgsym packages and ran valgrind again to get the full stack trace. Note that this is for the current oneiric packages not the PPA. I captured two crashes. Hope this helps.

I just pushed a fix to libgrip trunk that should fix this. Please try it out.

Status changed to 'Confirmed' because the bug affects multiple users.

Is libgrip trunk in the PPA?

Chris,

We have a daily ppa which builds the latest trunk version of libgrip among other packages. It is at: ppa:utouch-team/daily. Unfortunately, there is a bug which causes the libgrip package to be built with the wrong version. I am fixing that up now and it should be resolved shortly. I'll comment again when it is ready for testing.

It took a bit longer than we thought, but Stephen Webb was able to get the daily ppa working for libgrip again. Please test it out to see if things are fixed.

Thanks!

OK, updated from the PPA and valgrind again. Observed two different crashes:

 ==18552== Invalid write of size 4
==18552== at 0x44CA49: visible_range_changed_cb (eog-thumb-view.c:244)
==18552== by 0x8559B4C: g_main_context_dispatch (gmain.c:2441)
==18552== by 0x855A347: g_main_context_iterate.isra.21 (gmain.c:3089)
==18552== by 0x855A881: g_main_loop_run (gmain.c:3297)
==18552== by 0x63D789C: gtk_main (gtkmain.c:1367)
==18552== by 0x6E4734D: g_application_run (gapplication.c:1323)
==18552== by 0x41CE8E: main (main.c:168)
==18552== Address 0xaaaaaaaaaaaaaac2 is not stack'd, malloc'd or (recently) free'd
==18552==
==18552==
==18552== Process terminating with default action of signal 11 (SIGSEGV)
==18552== General Protection Fault
==18552== at 0x44CA49: visible_range_changed_cb (eog-thumb-view.c:244)
==18552== by 0x8559B4C: g_main_context_dispatch (gmain.c:2441)
==18552== by 0x855A347: g_main_context_iterate.isra.21 (gmain.c:3089)
==18552== by 0x855A881: g_main_loop_run (gmain.c:3297)
==18552== by 0x63D789C: gtk_main (gtkmain.c:1367)
==18552== by 0x6E4734D: g_application_run (gapplication.c:1323)
==18552== by 0x41CE8E: main (main.c:168)

AND

(eog:18609): Gtk-CRITICAL **: gtk_container_foreach: assertion `GTK_IS_CONTAINER (container)' failed
==18609== Invalid read of size 8
==18609== at 0xA5E8D44: geis_event_dispatch (in /usr/lib/libutouch-geis.so.1.2.0)
==18609== by 0x6066C8C: ??? (in /usr/lib/libgrip.so.0.302.0)
==18609== by 0x8559B4C: g_main_context_dispatch (gmain.c:2441)
==18609== by 0x855A347: g_main_context_iterate.isra.21 (gmain.c:3089)
==18609== by 0x855A881: g_main_loop_run (gmain.c:3297)
==18609== by 0x63D789C: gtk_main (gtkmain.c:1367)
==18609== by 0x6E4734D: g_application_run (gapplication.c:1323)
==18609== by 0x41CE8E: main (main.c:168)
==18609== Address 0x0 is not stack'd, malloc'd or (recently) free'd
==18609==
==18609==
==18609== Process terminating with default action of signal 11 (SIGSEGV)
==18609== Access not within mapped region at address 0x0
==18609== at 0xA5E8D44: geis_event_dispatch (in /usr/lib/libutouch-geis.so.1.2.0)
==18609== by 0x6066C8C: ??? (in /usr/lib/libgrip.so.0.302.0)
==18609== by 0x8559B4C: g_main_context_dispatch (gmain.c:2441)
==18609== by 0x855A347: g_main_context_iterate.isra.21 (gmain.c:3089)
==18609== by 0x855A881: g_main_loop_run (gmain.c:3297)
==18609== by 0x63D789C: gtk_main (gtkmain.c:1367)
==18609== by 0x6E4734D: g_application_run (gapplication.c:1323)
==18609== by 0x41CE8E: main (main.c:168)

It appears there are no symbols for the PPA packages? The dbgsym packages got uninstalled when I updated to the PPA.

I compiled with debug symbols from the PPA source packages. This is a backtrace of the second crash from my post above:

Program received signal SIGSEGV, Segmentation fault.
geis_event_dispatch (instance=0x0) at geis_v1.c:555
555 geis_dispatch_events(instance->geis);
(gdb) bt
#0 geis_event_dispatch (instance=0x0) at geis_v1.c:555
#1 0x00007ffff69a1c8d in io_callback (source=<optimized out>, condition=<optimized out>, data=<optimized out>)
    at gripgesturemanager.c:944
#2 0x00007ffff4444b4d in g_main_dispatch (context=0x6cc410) at /build/buildd/glib2.0-2.29.92/./glib/gmain.c:2441
#3 g_main_context_dispatch (context=0x6cc410) at /build/buildd/glib2.0-2.29.92/./glib/gmain.c:3011
#4 0x00007ffff4445348 in g_main_context_iterate (context=0x6cc410, block=<optimized out>, dispatch=1,
    self=<optimized out>) at /build/buildd/glib2.0-2.29.92/./glib/gmain.c:3089
#5 0x00007ffff4445882 in g_main_loop_run (loop=0x7b3f20) at /build/buildd/glib2.0-2.29.92/./glib/gmain.c:3297
#6 0x00007ffff647578d in gtk_main () at /build/buildd/gtk+3.0-3.1.92/./gtk/gtkmain.c:1367
#7 0x00007ffff5bb034e in g_application_run (application=0x7a9670, argc=<optimized out>, argv=<optimized out>)
    at /build/buildd/glib2.0-2.29.92/./gio/gapplication.c:1323
#8 0x000000000041ce8f in main (argc=1, argv=0x7fffffffe568) at main.c:168

It seems to happen sometimes when I have more than one eog window open. I close one eog window and then click on "Previous" in another.

Unfortunately, ppas don't have pkg-create-dbgsym installed, so dbgsym packages aren't created. I have created a workaround for libgrip so that it does not strip binaries created from a daily build. The new package in the daily ppa should have debug symbols now.

I followed the instructions at http://wiki.debian.org/DebugPackage to enable debug package building for libgrip and utouch-geis, it actually turned out to be pretty easy. I posted the backtrace with symbols in #20.

I also found bug #156575 "PPA builds do not create -dbgsym packages" which seems to suggest that support for building a PPA with dbgsym packages already exists. The other eog crash I posted in #19 in visible_range_changed_cb() already had all the symbols. That write to address 0xaaaaaaaaaaaaaac2 is something that I had already seen and posted in valgrind.txt above. Since I saw it without the geis memory issues this time I wonder if it's an unrelated issue.

the suspiciouos memory address could be an unrelated bug, but invalid memory accesses had a strange way about them and can manifest in unexpected ways. We will fix the libgrip bug, then see what obtains.

A new version of libgrip has been built in the daily ppa. I believe this version should fix the latest backtrace from comment #20. It is a more complete fix for the original issue. Please test again. Note that the daily build libgrip package should now have debug symbols in it.

Thanks!

Ok, it seemed a bit harder to trigger a crash this time. I did not see the crash in geis_dispatch_event. However the other crash in visible_range_changed_cb() is still there. There's also a crash which I haven't seen before in gdk_window_has_impl().

To reproduce the gdk_window_has_impl crash I do "gdb eog" in one window, and "for x in {1..10}; do eog *; sleep 1; done" in another. While the windows are opening click next/previous in the opened windows.

The gdk_window_has_impl crash looks like bug #843313

Ok I have played with this a bit more and still do not see a repeat of the geis_dispatch_events() crash. I suspect it may be fixed with the latest PPA updates.

OK I'm going to go ahead and say that the visible_range_changed_cb() is an unrelated issue in eog, that the gdk_window_has_impl() issue is already reported in #843313 and should not be dealt with here, and that the original problem reported in this bug has been resolved by the latest change to libgrip.

This bug was fixed in the package libgrip - 0.3.2-0ubuntu2

---------------
libgrip (0.3.2-0ubuntu2) oneiric; urgency=low

  * Properly handle GTK+ IO channel shutdown (LP: #830640)
 -- Chase Douglas <email address hidden> Fri, 23 Sep 2011 10:34:36 -0700

visible_range_changed_cb() crash filed as bug #858197