gnome-settings-daemon crashed with SIGSEGV in __libc_free()

Bug #685785 reported by Matt Zimmerman
This bug affects 1 person
Affects: gnome-settings-daemon (Ubuntu)
Status: Fix Released
Importance: Medium
Assigned to: Rodrigo Moya

Bug Description

Binary package hint: gnome-settings-daemon

This is a third attempt to report the problem I have reported in bug 672124 and bug 684880. The retracer wasn't able to give a complete stack trace on either of those reports. I still don't have a reproducer, but the problem is clearly still present in current Maverick.

This might be related to bug 658777, but I can't tell until it's retraced.

ProblemType: Crash
DistroRelease: Ubuntu 10.10
Package: gnome-settings-daemon 2.32.0-0ubuntu3.1
ProcVersionSignature: Ubuntu 2.6.35-23.41-generic 2.6.35.7
Uname: Linux 2.6.35-23-generic x86_64
Architecture: amd64
CrashCounter: 1
Date: Mon Dec 6 08:38:23 2010
ExecutablePath: /usr/lib/gnome-settings-daemon/gnome-settings-daemon
ProcCmdline: /usr/lib/gnome-settings-daemon/gnome-settings-daemon
ProcEnviron:
 PATH=(custom, user)
 LANG=en_GB.utf8
 SHELL=/bin/zsh
SegvAnalysis:
 Segfault happened at: 0x7ff45cee6c50 <__libc_free+64>: mov (%rax),%rbx
 PC (0x7ff45cee6c50) ok
 source "(%rax)" (0x7ff45c000000) in non-readable VMA region: 0x7ff45bf81000-0x7ff45c180000 ---p /usr/lib/libXcursor.so.1.0.2
 destination "%rbx" ok
SegvReason: reading VMA /usr/lib/libXcursor.so.1.0.2
Signal: 11
SourcePackage: gnome-settings-daemon
StacktraceTop:
 __libc_free (mem=0x7ff45e1cb2e3) at malloc.c:3724
 ?? () from /usr/lib/gnome-settings-daemon-2.0/libkeyboard.so
 ?? () from /usr/lib/gnome-settings-daemon-2.0/libkeyboard.so
 g_closure_invoke () from /usr/lib/libgobject-2.0.so.0
 ?? () from /usr/lib/libgobject-2.0.so.0
Title: gnome-settings-daemon crashed with SIGSEGV in __libc_free()
UserGroups: adm admin audio cdrom dialout fuse kvm libvirtd lpadmin plugdev sambashare video

Apport retracing service (apport) wrote :

StacktraceTop:
 *__GI___libc_free (mem=0x7ff45e1cb2e3)
 popup_menu_set_group (item=<value optimized out>,
 apply_xkb_settings () at gsd-keyboard-xkb.c:546
 g_closure_invoke (closure=0x234bf80,
 signal_emit_unlocked_R (node=0x2336140,

Apport retracing service (apport) wrote : Stacktrace.txt
Apport retracing service (apport) wrote : ThreadStacktrace.txt
Changed in gnome-settings-daemon (Ubuntu):
importance: Undecided → Medium
tags: removed: need-amd64-retrace
Matt Zimmerman (mdz)
visibility: private → public
Chris Coulson (chrisccoulson) wrote :

Hmmm, it's a shame that the trace doesn't show the value of group_number in frame #1. If group_number > g, then there would be a condition where free() is called on an uninitialized pointer, which I guess is what is happening here (layout_name looks fairly uninitialized to me).

Matt Zimmerman (mdz) wrote :

@Chris, can you tell if this is the same as bug 658777 or not?

Chris Coulson (chrisccoulson) wrote :

Bug 658777 was a different issue, but still one that could have caused a similar crash, and I fixed that one already.

We could just initialize the pointer that I think is being wrongly freed here, but the condition that causes it to happen shouldn't really occur anyway, so I'd like to try and figure that out too. How often does this normally happen?

Matt Zimmerman (mdz) wrote : Re: [Bug 685785] Re: gnome-settings-daemon crashed with SIGSEGV in __libc_free()

On Tue, Dec 14, 2010 at 12:30:29PM -0000, Chris Coulson wrote:
> We could just initialize the pointer that I think is being wrongly freed
> here, but the condition that causes it to happen shouldn't really occur
> anyway, so I'd like to try and figure that out too. How often does this
> normally happen?

It happens about once or twice per week, perhaps depending on how often I
suspend and resume.

I could try plugging in a USB keyboard repeatedly and see if that triggers
the problem, but at present I have no recipe.

--
 - mdz

Matt Zimmerman (mdz) wrote :

I rebuilt gnome-settings-daemon for debugging, and just had it crash again. Unfortunately, telepathy-gabble is also still crashing routinely on my system (bug 668306) and this seems to have prevented apport from capturing the crash because they both crashed at the same time:

apport (pid 2974) Thu Dec 16 08:44:10 2010: another apport instance is already running, aborting
apport (pid 2996) Thu Dec 16 08:44:10 2010: called for pid 30681, signal 11
apport (pid 2996) Thu Dec 16 08:44:10 2010: executable: /usr/lib/telepathy/telepathy-gabble (command line "/usr/lib/telepathy/telepathy-gabble")
apport (pid 2996) Thu Dec 16 08:44:13 2010: this executable already crashed 2 times, ignoring

Matt Zimmerman (mdz) wrote :

Two other symptoms I've seen which may be related:

X Error of failed request: XI_BadDevice (invalid Device parameter)
  Major opcode of failed request: 141 (XInputExtension)
  Minor opcode of failed request: 37 (X_ChangeDeviceProperty)
  Device id in failed request: 0x17
  Serial number of failed request: 1476
  Current serial number in output stream: 1477

The above was output by gnome-settings-daemon while it was running in the background attached to a terminal.

** (gnome-settings-daemon:1869): WARNING **: Connection failed, reconnecting...

The above was found in ~/.xsession-errors, adjacent to update-notifier's "checking for valid crashreport now" indicating a crash happened around the same time (though it may or may not have been gnome-settings-daemon).

Matt Zimmerman (mdz) wrote :

I've tried repeatedly suspending and resuming my laptop, and also connecting and disconnecting a USB keyboard while it's running, to try to trigger this problem. So far, I have been unsuccessful in finding a reproducer, though it continues to crash as shown in comment #9.

Matt Zimmerman (mdz) wrote :

@Chris - It looks like your hypothesis was correct.

I've rebuilt gnome-settings-daemon with DEB_BUILD_OPTIONS="noopt nostrip" to get a full stack trace, and filed a new crash report as bug 692149. Here's the popup_menu_set_group stack frame showing group_number > g:

#5 0x00007f4cb00667b0 in popup_menu_set_group (item=0x0, param=0x2) at gsd-keyboard-xkb.c:391
        shortnames = 0x1f8ef70
        lname = 0x1f8f050 "USA"
        ln2cnt_map = 0x1f8f9e0
        guide = 0x7f4cb006a507 "XXX"
        longnames = 0x1f8f0c0
        layout_name = 0x1 <Address 0x1 out of bounds>
        group_number = 2
        engine = 0x1650f80
        st = 0x165ba4c
        cur = 96469911
        __func__ = "popup_menu_set_group"
        xklrec = 0x1f16900
        registry = 0x1f8f2e0
        g = 1

Matt Zimmerman (mdz)
Changed in gnome-settings-daemon (Ubuntu):
status: New → Triaged
Changed in gnome-settings-daemon (Ubuntu):
assignee: nobody → Canonical Desktop Team (canonical-desktop-team)
Martin Pitt (pitti) wrote :

Mike, as Chris already has tons of bugs assigned, do you have some time to look into this? Thanks!

Changed in gnome-settings-daemon (Ubuntu):
assignee: Canonical Desktop Team (canonical-desktop-team) → Chris Coulson (chrisccoulson)
assignee: Chris Coulson (chrisccoulson) → Michael Terry (mterry)
Sebastien Bacher (seb128) wrote :

Rodrigo says he has an idea about the issue.

Changed in gnome-settings-daemon (Ubuntu):
assignee: Michael Terry (mterry) → Rodrigo Moya (rodrigo-moya)
Rodrigo Moya (rodrigo-moya) wrote :

See attached branch. I think this should fix it, so please Matt, can you test it? To build the package, just run, from the branch:

bzr bd -- -b

and install the packages that it builds.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gnome-settings-daemon - 2.32.1-0ubuntu5

---------------
gnome-settings-daemon (2.32.1-0ubuntu5) natty; urgency=low

  * debian/patches/06_use_application_indicator.patch:
    - Initialize variable to avoid crashes on free (LP: #685785)
 -- Rodrigo Moya <email address hidden> Tue, 18 Jan 2011 16:23:55 +0100

Changed in gnome-settings-daemon (Ubuntu):
status: Triaged → Fix Released
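
The failure mode this thread converges on (the hypothesis about group_number > g, the captured frame with group_number = 2 and g = 1, and the changelog's "Initialize variable to avoid crashes on free"), as an added C example that is not part of the bug report and not the gnome-settings-daemon source. It is a simplified model: the function name, its parameters and the sample list are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model of the pattern in this report, not the
 * gnome-settings-daemon source; only layout_name, group_number and g
 * are names taken from the stack frame. */

/* Copies the name of layout group_number into out (outlen must be > 0).
 * Returns 0 on success, -1 when no name could be produced. */
int layout_name_for_group(const char *const *names, int n_names,
                          int group_number, char *out, size_t outlen)
{
    /* Without "= NULL", this holds stack garbage whenever the loop never
     * reaches group_number, and free() below is handed that garbage. */
    char *layout_name = NULL;
    int rc = -1;
    int g;

    for (g = 0; g < n_names; g++) {
        if (g == group_number) {
            layout_name = malloc(strlen(names[g]) + 1);
            if (layout_name != NULL)
                strcpy(layout_name, names[g]);
            break;
        }
    }
    if (layout_name != NULL) {
        snprintf(out, outlen, "%s", layout_name);
        rc = 0;
    } else {
        /* Unexpected state: report it so the root cause can be traced. */
        fprintf(stderr, "no layout name for group %d (%d layouts)\n",
                group_number, n_names);
        out[0] = '\0';
    }
    free(layout_name); /* free(NULL) is a no-op */
    return rc;
}

int main(void)
{
    const char *const names[] = { "USA" }; /* constructed sample list */
    char buf[32];
    /* Same shape as the captured frame: one layout, group 2 requested. */
    int rc = layout_name_for_group(names, 1, 2, buf, sizeof buf);
    printf("rc=%d name=\"%s\"\n", rc, buf);
    return 0;
}
```

Building a variant without the `= NULL` under `-fsanitize=address` or running it under valgrind is a way to surface the invalid free deterministically instead of waiting for an intermittent crash.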