gimp-2.6 crashed with SIGSEGV in g_variant_is_object_path()

Bug #752959 reported by ipetuhov
This bug affects 11 people
Affects                Status        Importance  Assigned to    Milestone
DBus Menu              Fix Released  High        Unassigned
libdbusmenu (Ubuntu)   Fix Released  High        Michael Terry
  Natty                Fix Released  High        Michael Terry

Bug Description

Binary package hint: gimp

After mouse right-click on image in gimp

ProblemType: Crash
DistroRelease: Ubuntu 11.04
Package: gimp 2.6.11-1ubuntu5
ProcVersionSignature: Ubuntu 2.6.38-8.40-generic 2.6.38.2
Uname: Linux 2.6.38-8-generic x86_64
Architecture: amd64
CheckboxSubmission: 3cdd3558853ee085305779345fa98f22
CheckboxSystem: 92d0a7b9779cc40ca6e505eb8aad9a01
Date: Thu Apr 7 03:12:51 2011
ExecutablePath: /usr/bin/gimp-2.6
InstallationMedia: Ubuntu 9.10 "Karmic Koala" - Release Candidate amd64 (20091020.3)
ProcCmdline: gimp-2.6
ProcEnviron:
 LANGUAGE=ru_RU:en
 LANG=ru_RU.UTF-8
 SHELL=/bin/bash
SegvAnalysis:
 Segfault happened at: 0x7f56089305d1: movdqu (%rdi),%xmm1
 PC (0x7f56089305d1) ok
 source "(%rdi)" (0x00000002) not located in a known VMA region (needed readable region)!
 destination "%xmm1" ok
SegvReason: reading NULL VMA
Signal: 11
SourcePackage: gimp
StacktraceTop:
 ?? () from /lib/x86_64-linux-gnu/libc.so.6
 g_variant_is_object_path () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
 g_dbus_connection_register_object () from /usr/lib/x86_64-linux-gnu/libgio-2.0.so.0
 ?? () from /usr/lib/libdbusmenu-glib.so.3
 ?? () from /usr/lib/libdbusmenu-glib.so.3
Title: gimp-2.6 crashed with SIGSEGV in g_variant_is_object_path()
UpgradeStatus: Upgraded to natty on 2011-04-06 (0 days ago)
UserGroups: adm admin cdrom dialout lpadmin plugdev sambashare

ipetuhov (satels) wrote :
Apport retracing service (apport) wrote :

StacktraceTop:
 __strlen_sse2 () at ../sysdeps/x86_64/multiarch/../strlen.S:32
 g_variant_is_object_path (string=0x2 <Address 0x2 out of bounds>) at /build/buildd/glib2.0-2.28.5/./glib/gvariant.c:1180
 g_dbus_connection_register_object (connection=0x1819010, object_path=0x2 <Address 0x2 out of bounds>, interface_info=0x2312e40, vtable=0x7f55fb16acc0, user_data=0x2973c80, user_data_free_func=0, error=0x7fffb86a17e8) at /build/buildd/glib2.0-2.28.5/./gio/gdbusconnection.c:4698
 register_object (server=0x2973c80) at /build/buildd/libdbusmenu-0.4.1/./libdbusmenu-glib/server.c:657
 bus_got_cb (obj=<value optimized out>, result=<value optimized out>, user_data=0x2973c80) at /build/buildd/libdbusmenu-0.4.1/./libdbusmenu-glib/server.c:707

Apport retracing service (apport) wrote : Stacktrace.txt
Apport retracing service (apport) wrote : ThreadStacktrace.txt
Changed in gimp (Ubuntu):
importance: Undecided → Medium
tags: removed: need-amd64-retrace
visibility: private → public
affects: gimp (Ubuntu) → libdbusmenu (Ubuntu)
Changed in libdbusmenu (Ubuntu):
assignee: nobody → Michael Terry (mterry)
importance: Medium → High
Changed in dbusmenu:
importance: Undecided → High
Michael Terry (mterry) wrote :

This one is confusing. If I had to guess, it's only priv->dbusobject that is bogus (value of 0x2), as other priv values are used and set before the line that crashes. The callback hasn't been cancelled. And dbusobject is only set in one place, which seems pretty innocuous. It's actually never even freed (it's leaked when the server object is finalized). So I really doubt the crash is because of the server object dying but this callback somehow being called.

Maybe... Maybe the server got passed some bogus memory for the dbusobject name. I'll look into that, but based on the trace alone, this is a hard one.

Sebastien Bacher (seb128) wrote :

seems gimp triggers that issue over the other applications, seeing the other bugs about that, though one is a nautilus bug

Sebastien Bacher (seb128) wrote :

bug #738568 and its duplicate seem similar

Sebastien Bacher (seb128) wrote :

bug #763476 has a similar segfault where the user states it stopped happening when uninstalling the overlay scrollbars

Ted Gould (ted) wrote :

I'm not sure what we can do with this one. I think we're going to need a valgrind log as the stacktrace seems to point to an impossible condition. Can someone on this bug recreate it reliably? If so, can you get a valgrind log from GIMP?

Changed in dbusmenu:
status: New → Incomplete
Changed in libdbusmenu (Ubuntu Natty):
status: New → Incomplete
Sebastien Bacher (seb128) wrote :

valgrind log error:

==4900==
==4900== Invalid read of size 4
==4900== at 0x4A54FC2: g_type_check_instance_cast (gtype.c:3989)
==4900== by 0x9CC3140: bus_got_cb (server.c:704)
==4900== by 0x4927CCE: g_simple_async_result_complete (gsimpleasyncresult.c:747)
==4900== by 0x4927DEC: complete_in_idle_cb (gsimpleasyncresult.c:757)
==4900== by 0x4AAA310: g_idle_dispatch (gmain.c:4545)
==4900== by 0x4AAEAA7: g_main_context_dispatch (gmain.c:2440)
==4900== by 0x4AAF26F: g_main_context_iterate.clone.5 (gmain.c:3091)
==4900== by 0x4AAF92A: g_main_loop_run (gmain.c:3299)
==4900== by 0x809BE59: app_run (in /usr/bin/gimp-2.6)
==4900== by 0x809CE61: main (in /usr/bin/gimp-2.6)
==4900== Address 0x51d01e0 is 0 bytes inside a block of size 64 free'd
==4900== at 0x4025BF0: free (vg_replace_malloc.c:366)
==4900== by 0x4AB5C85: g_free (gmem.c:263)
==4900== by 0x4ACDC72: g_slice_free1 (gslice.c:907)
==4900== by 0x4A537F7: g_type_free_instance (gtype.c:1934)
==4900== by 0x4A2F996: g_object_unref (gobject.c:2747)
==4900== by 0x7FBFF35: context_dispose (bridge.c:160)
==4900== by 0x7FBFFD1: context_free (bridge.c:175)
==4900== by 0x4A4A48B: g_cclosure_marshal_VOID__VOID (gmarshal.c:79)
==4900== by 0x4A2E371: g_closure_invoke (gclosure.c:767)
==4900== by 0x4A41047: signal_emit_unlocked_R (gsignal.c:3252)
==4900== by 0x4A49B28: g_signal_emit_valist (gsignal.c:2983)
==4900== by 0x4A49CC1: g_signal_emit (gsignal.c:3040)
==4900== by 0x440B601: gtk_widget_unmap (gtkwidget.c:3432)
==4900== by 0x44196B8: gtk_window_hide (gtkwindow.c:4670)
==4900== by 0x4A4A48B: g_cclosure_marshal_VOID__VOID (gmarshal.c:79)
==4900== by 0x4A2CCC6: g_type_class_meta_marshal (gclosure.c:878)
==4900== by 0x4A2E371: g_closure_invoke (gclosure.c:767)
==4900== by 0x4A407B5: signal_emit_unlocked_R (gsignal.c:3182)
==4900== by 0x4A49B28: g_signal_emit_valist (gsignal.c:2983)
==4900== by 0x4A49CC1: g_signal_emit (gsignal.c:3040)
==4900== by 0x44131EF: gtk_widget_hide (gtkwidget.c:3298)
==4900== by 0x42E0C22: gtk_menu_popdown (gtkmenu.c:1682)
==4900== by 0x42E766C: _gtk_menu_item_popdown_submenu (gtkmenuitem.c:1693)
==4900== by 0x42E7726: gtk_real_menu_item_deselect (gtkmenuitem.c:1405)
==4900== by 0x4A4A48B: g_cclosure_marshal_VOID__VOID (gmarshal.c:79)
==4900== by 0x4A2CCC6: g_type_class_meta_marshal (gclosure.c:878)
==4900== by 0x4A2E371: g_closure_invoke (gclosure.c:767)
==4900== by 0x4A407B5: signal_emit_unlocked_R (gsignal.c:3182)
==4900== by 0x4A49B28: g_signal_emit_valist (gsignal.c:2983)
==4900== by 0x4A49CC1: g_signal_emit (gsignal.c:3040)
==4900== by 0x42C017E: gtk_item_deselect (gtkitem.c:115)
==4900== by 0x42E70BF: gtk_menu_item_deselect (gtkmenuitem.c:898)
==4900== by 0x42EA7A1: gtk_menu_shell_real_select_item (gtkmenushell.c:1278)
==4900== by 0x42DCCD7: gtk_menu_select_item (gtkmenu.c:4763)
==4900== by 0x42EA9F8: gtk_menu_shell_select_item (gtkmenushell.c:1264)
==4900== by 0x42EAC72: gtk_menu_shell_enter_notify (gtkmenushell.c:1027)
==4900== by 0x42DE7B1: gtk_menu_enter_notify (gtkmenu.c:3944)
==4900== by 0x42D5A03: _gtk_marshal_BOOLEAN__BOXED (g...


Sebastien Bacher (seb128) wrote :

should be fixed with that upload

"libdbusmenu (0.4.3-0ubuntu3) natty; urgency=low

  * Backport bug fixes from trunk:
    - Fix a typo in the signal name to make it match the XML
      files (LP: #641209)
    - Ref'ing the server for the entire time we're getting the
      bus (LP: #738568)"

Changed in libdbusmenu (Ubuntu Natty):
status: Incomplete → Fix Released
Changed in dbusmenu:
status: Incomplete → Fix Committed
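The changelog entry above describes the fix for the lifetime bug the valgrind log shows: bus_got_cb ran on a server object that had already been finalized. The following is an added example, not libdbusmenu's code; it models the fixed pattern in plain C with a hypothetical refcounted Server, a simulated async bus request (bus_get_async, main_loop_iterate) and a constructed object path, so it runs without GLib.

```c
#include <stdlib.h>

/* Hypothetical refcounted object standing in for DbusmenuServer (constructed). */
typedef struct {
    int refcount;
    const char *dbusobject;      /* object path, like priv->dbusobject in the trace */
} Server;
static int finalized_count;      /* number of Server instances freed so far */

static Server *server_new(const char *path) {
    Server *s = calloc(1, sizeof *s);
    s->refcount = 1;
    s->dbusobject = path;
    return s;
}
static Server *server_ref(Server *s) { s->refcount++; return s; }
static void server_unref(Server *s) {
    if (--s->refcount == 0) { free(s); finalized_count++; }
}

/* Simulated async completion: the "bus acquired" callback is queued and only
 * runs later from the main loop, possibly after the caller dropped its ref. */
typedef void (*AsyncCb)(void *user_data);
static AsyncCb pending_cb; static void *pending_data;
static void bus_get_async(AsyncCb cb, void *user_data) { pending_cb = cb; pending_data = user_data; }
static void main_loop_iterate(void) {
    AsyncCb cb = pending_cb; pending_cb = NULL;
    if (cb) cb(pending_data);
}

/* Fixed callback: user_data carries the ref taken in server_start(), so the
 * object is alive here; the callback releases that ref when it is done. */
static void bus_got_cb(void *user_data) {
    Server *server = user_data;
    (void)server->dbusobject;    /* stands in for register_object(server) */
    server_unref(server);
}
/* Buggy pattern was bus_get_async(bus_got_cb, server) with no ref: if the caller
 * unrefs first, bus_got_cb reads freed memory (valgrind's "Invalid read ...
 * free'd" above). The fix holds a ref for the whole async operation. */
static void server_start(Server *server) { bus_get_async(bus_got_cb, server_ref(server)); }

/* Scenario from the bug: caller drops its last ref before the main loop runs the
 * callback. Returns 1 if the object survived until the callback and was then
 * finalized exactly once; caller_unrefs_first=0 checks the ordinary order too. */
static int run_scenario(int caller_unrefs_first) {
    finalized_count = 0;
    Server *s = server_new("/constructed/example/path");
    server_start(s);
    if (caller_unrefs_first) { server_unref(s); if (finalized_count != 0) return 0; }
    main_loop_iterate();
    if (!caller_unrefs_first) { if (finalized_count != 0) return 0; server_unref(s); }
    return finalized_count == 1;
}
```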
schnere (schnere) wrote :

valgrind log made a few seconds ago with latest updates installed (including libdbusmenu):

valgrind gimp
==2576== Memcheck, a memory error detector
==2576== Copyright (C) 2002-2010, and GNU GPL'd, by Julian Seward et al.
==2576== Using Valgrind-3.6.1 and LibVEX; rerun with -h for copyright info
==2576== Command: gimp
==2576==

(gimp:2576): GLib-WARNING **: /build/buildd/glib2.0-2.28.6/./glib/goption.c:2132: ignoring no-arg, optional-arg or filename flags (8) on option of type 0
==2576== Conditional jump or move depends on uninitialised value(s)
==2576== at 0x82D6AA4: babl_free (in /usr/lib/libbabl-0.0.so.0.22.0)
==2576== by 0x82D6EBA: babl_realloc (in /usr/lib/libbabl-0.0.so.0.22.0)
==2576== by 0x82D7062: babl_strcat (in /usr/lib/libbabl-0.0.so.0.22.0)
==2576== by 0x82D0D85: babl_extension_init (in /usr/lib/libbabl-0.0.so.0.22.0)
==2576== by 0x82CE704: babl_init (in /usr/lib/libbabl-0.0.so.0.22.0)
==2576== by 0x7D60F8F: ??? (in /usr/lib/libgegl-0.0.so.0.22.0)
==2576== by 0x8C25AC8: g_option_context_parse (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.2800.6)
==2576== by 0x468821: main (in /usr/bin/gimp-2.6)
==2576==
==2576== Conditional jump or move depends on uninitialised value(s)
==2576== at 0x8F4B0CB: __GI___strcasecmp_l (strcmp.S:243)
==2576== by 0x8EE4F60: __gconv_open (gconv_open.c:70)
==2576== by 0x8EF3106: _nl_find_msg (dcigettext.c:990)
==2576== by 0x8EF3818: __dcigettext (dcigettext.c:654)
==2576== by 0x8F474B2: strerror_r (_strerror.c:65)
==2576== by 0x8F473BD: strerror (strerror.c:33)
==2576== by 0xBD0F3F4: dlerror (dlerror.c:100)
==2576== by 0x947B157: ??? (in /usr/lib/x86_64-linux-gnu/libgmodule-2.0.so.0.2800.6)
==2576== by 0x947BD10: g_module_open (in /usr/lib/x86_64-linux-gnu/libgmodule-2.0.so.0.2800.6)
==2576== by 0x5F3EC34: ubuntu_gtk_scrolled_window_init (in /usr/lib/libgtk-x11-2.0.so.0.2400.4)
==2576== by 0x5ED743B: ??? (in /usr/lib/libgtk-x11-2.0.so.0.2400.4)
==2576== by 0x8C25AC8: g_option_context_parse (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.2800.6)
==2576==
==2576== Use of uninitialised value of size 8
==2576== at 0x8F4D204: __GI___strcasecmp_l (strcmp.S:2257)
==2576== by 0x8EE4F60: __gconv_open (gconv_open.c:70)
==2576== by 0x8EF3106: _nl_find_msg (dcigettext.c:990)
==2576== by 0x8EF3818: __dcigettext (dcigettext.c:654)
==2576== by 0x8F474B2: strerror_r (_strerror.c:65)
==2576== by 0x8F473BD: strerror (strerror.c:33)
==2576== by 0xBD0F3F4: dlerror (dlerror.c:100)
==2576== by 0x947B157: ??? (in /usr/lib/x86_64-linux-gnu/libgmodule-2.0.so.0.2800.6)
==2576== by 0x947BD10: g_module_open (in /usr/lib/x86_64-linux-gnu/libgmodule-2.0.so.0.280...


Michael Terry (mterry) wrote :

schnere, can you please file a new crash report bug for that crash? Your valgrind log makes me think it is a different issue.

Ted Gould (ted)
Changed in dbusmenu:
status: Fix Committed → Fix Released