Bug #95917 “wallpapertray crashes when changing wallpaper” : Bugs : wallpaper-tray package : Ubuntu

Revision history for this message

StarglowOne (starglowone) wrote on 2007-03-25:

#1

CoreDump.gz Edit (520.5 KiB, application/x-gzip)
Dependencies.txt Edit (3.6 KiB, text/plain; charset="utf-8")
Disassembly.txt Edit (869 bytes, text/plain; charset="utf-8")
ProcMaps.txt Edit (20.4 KiB, text/plain; charset="utf-8")
ProcStatus.txt Edit (671 bytes, text/plain; charset="utf-8")
Registers.txt Edit (512 bytes, text/plain; charset="utf-8")

Revision history for this message

Apport retracing service (apport) wrote on 2007-03-26: Symbolic stack trace

#2

Stacktrace.txt (retraced) Edit (13.5 KiB, text/plain)

StacktraceTop:_int_free () from /lib/tls/i686/cmov/libc.so.6
free () from /lib/tls/i686/cmov/libc.so.6
IA__g_free (mem=0x80c6b88) at gmem.c:187
f_set_rand_wallpaper (button=0x0, user_data=0x0) at wp_tray_util.c:359
_gtk_marshal_BOOLEAN__BOXED (closure=0x80bd888, return_value=0xbf8f0650, n_param_values=2, param_values=0xbf8f072c, invocation_hint=0xbf8f063c,

Revision history for this message

Apport retracing service (apport) wrote on 2007-03-26: Symbolic threaded stack trace

#3

ThreadStacktrace.txt (retraced) Edit (13.6 KiB, text/plain)

Revision history for this message

Peter Goss (stone-nomad) wrote on 2007-06-05:

#4

Download full text (6.1 KiB)

I also noticed that wallpaper-tray will stop running after a period of time. I ran it from a terminal with the -v flag and clicked the tray icon to switch the image until it crashed and got the following output:
<code>
*** glibc detected *** wallpaper-tray: munmap_chunk(): invalid pointer: 0x081bfa78 ***
======= Backtrace: =========
/lib/tls/i686/cmov/libc.so.6(cfree+0x1bb)[0xb72a1f5b]
/usr/lib/libglib-2.0.so.0(g_free+0x31)[0xb73ad131]
/usr/lib/libgconf-2.so.4(gconf_value_free+0xaf)[0xb7cf90cf]
/usr/lib/libgconf-2.so.4(gconf_entry_unref+0x59)[0xb7cf9199]
/usr/lib/libgconf-2.so.4(gconf_entry_free+0x1d)[0xb7cf920d]
/usr/lib/libgconf-2.so.4[0xb7d006fe]
/usr/lib/libgconf-2.so.4[0xb7d0450b]
/usr/lib/libgconf-2.so.4[0xb7cfb5b6]
/usr/lib/libgconf-2.so.4(_ORBIT_skel_small_ConfigListener_notify+0x4e)[0xb7d04afe]
/usr/lib/libORBit-2.so.0[0xb7cbc767]
/usr/lib/libORBit-2.so.0(ORBit_OAObject_invoke+0x35)[0xb7cc28d5]
/usr/lib/libORBit-2.so.0(ORBit_small_invoke_adaptor+0x53c)[0xb7cafa1c]
/usr/lib/libORBit-2.so.0[0xb7cc0576]
/usr/lib/libORBit-2.so.0[0xb7cc0c22]
/usr/lib/libORBit-2.so.0[0xb7cc1693]
/usr/lib/libORBit-2.so.0(ORBit_handle_request+0xa2)[0xb7cc2a72]
/usr/lib/libORBit-2.so.0(giop_connection_handle_input+0x2c7)[0xb7cabcc7]
/usr/lib/libORBit-2.so.0[0xb7cc96ed]
/usr/lib/libORBit-2.so.0[0xb7ccc5de]
/usr/lib/libglib-2.0.so.0(g_main_context_dispatch+0x182)[0xb73a5df2]
/usr/lib/libglib-2.0.so.0[0xb73a8dcf]
/usr/lib/libglib-2.0.so.0(g_main_context_iteration+0x65)[0xb73a9335]
/usr/lib/libORBit-2.so.0(link_main_iteration+0x27)[0xb7cc7e57]
/usr/lib/libORBit-2.so.0(giop_recv_buffer_get+0x57)[0xb7cab437]
/usr/lib/libORBit-2.so.0(ORBit_small_invoke_stub+0x11b)[0xb7caffab]
/usr/lib/libORBit-2.so.0(ORBit_small_invoke_stub_n+0x7e)[0xb7cb01ce]
/usr/lib/libORBit-2.so.0(ORBit_c_stub_invoke+0x182)[0xb7cbc992]
/usr/lib/libgconf-2.so.4(ConfigDatabase_set+0x7a)[0xb7d0821a]
/usr/lib/libgconf-2.so.4(gconf_engine_set+0x207)[0xb7cfe557]
/usr/lib/libgconf-2.so.4[0xb7cfe65d]
/usr/lib/libgconf-2.so.4(gconf_client_set_string+0xa9)[0xb7d02369]
wallpaper-tray(f_set_rand_wallpaper+0x234)[0x804ee14]
/usr/lib/libgtk-x11-2.0.so.0(_gtk_marshal_BOOLEAN__BOXED+0x60)[0xb7a3b6b0]
/usr/lib/libgobject-2.0.so.0(g_closure_invoke+0x12b)[0xb741f62b]
/usr/lib/libgobject-2.0.so.0[0xb7430103]
/usr/lib/libgobject-2.0.so.0(g_signal_emit_valist+0x68f)[0xb74313ef]
/usr/lib/libgobject-2.0.so.0(g_signal_emit+0x29)[0xb74317e9]
/usr/lib/libgtk-x11-2.0.so.0[0xb7b4fe18]
/usr/lib/libgtk-x11-2.0.so.0(gtk_propagate_event+0x183)[0xb7a349c3]
/usr/lib/libgtk-x11-2.0.so.0(gtk_main_do_event+0x317)[0xb7a35bc7]
/usr/lib/libgdk-x11-2.0.so.0[0xb779a12a]
/usr/lib/libglib-2.0.so.0(g_main_context_dispatch+0x182)[0xb73a5df2]
/usr/lib/libglib-2.0.so.0[0xb73a8dcf]
/usr/lib/libglib-2.0.so.0(g_main_loop_run+0x1a9)[0xb73a9179]
/usr/lib/libgtk-x11-2.0.so.0(gtk_main+0xb4)[0xb7a36044]
wallpaper-tray(main+0x344)[0x804d344]
/lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xdc)[0xb724cebc]
wallpaper-tray[0x804bb81]
======= Memory map: ========
08048000-08050000 r-xp 00000000 03:01 427533 /usr/bin/wallpaper-tray
08050000-08051000 rw-p 00007000 03:01 427533 /usr/bin/wallpaper-tray
08051000-081e2000 rw-p 08051000 00:00 0 ...

I also noticed that wallpaper-tray will stop running after a period of time.  I ran it from a terminal with the -v flag and clicked the tray icon to switch the image until it crashed and got the following output:
<code>
*** glibc detected *** wallpaper-tray: munmap_chunk(): invalid pointer: 0x081bfa78 ***
======= Backtrace: =========
/lib/tls/i686/cmov/libc.so.6(cfree+0x1bb)[0xb72a1f5b]
/usr/lib/libglib-2.0.so.0(g_free+0x31)[0xb73ad131]
/usr/lib/libgconf-2.so.4(gconf_value_free+0xaf)[0xb7cf90cf]
/usr/lib/libgconf-2.so.4(gconf_entry_unref+0x59)[0xb7cf9199]
/usr/lib/libgconf-2.so.4(gconf_entry_free+0x1d)[0xb7cf920d]
/usr/lib/libgconf-2.so.4[0xb7d006fe]
/usr/lib/libgconf-2.so.4[0xb7d0450b]
/usr/lib/libgconf-2.so.4[0xb7cfb5b6]
/usr/lib/libgconf-2.so.4(_ORBIT_skel_small_ConfigListener_notify+0x4e)[0xb7d04afe]
/usr/lib/libORBit-2.so.0[0xb7cbc767]
/usr/lib/libORBit-2.so.0(ORBit_OAObject_invoke+0x35)[0xb7cc28d5]
/usr/lib/libORBit-2.so.0(ORBit_small_invoke_adaptor+0x53c)[0xb7cafa1c]
/usr/lib/libORBit-2.so.0[0xb7cc0576]
/usr/lib/libORBit-2.so.0[0xb7cc0c22]
/usr/lib/libORBit-2.so.0[0xb7cc1693]
/usr/lib/libORBit-2.so.0(ORBit_handle_request+0xa2)[0xb7cc2a72]
/usr/lib/libORBit-2.so.0(giop_connection_handle_input+0x2c7)[0xb7cabcc7]
/usr/lib/libORBit-2.so.0[0xb7cc96ed]
/usr/lib/libORBit-2.so.0[0xb7ccc5de]
/usr/lib/libglib-2.0.so.0(g_main_context_dispatch+0x182)[0xb73a5df2]
/usr/lib/libglib-2.0.so.0[0xb73a8dcf]
/usr/lib/libglib-2.0.so.0(g_main_context_iteration+0x65)[0xb73a9335]
/usr/lib/libORBit-2.so.0(link_main_iteration+0x27)[0xb7cc7e57]
/usr/lib/libORBit-2.so.0(giop_recv_buffer_get+0x57)[0xb7cab437]
/usr/lib/libORBit-2.so.0(ORBit_small_invoke_stub+0x11b)[0xb7caffab]
/usr/lib/libORBit-2.so.0(ORBit_small_invoke_stub_n+0x7e)[0xb7cb01ce]
/usr/lib/libORBit-2.so.0(ORBit_c_stub_invoke+0x182)[0xb7cbc992]
/usr/lib/libgconf-2.so.4(ConfigDatabase_set+0x7a)[0xb7d0821a]
/usr/lib/libgconf-2.so.4(gconf_engine_set+0x207)[0xb7cfe557]
/usr/lib/libgconf-2.so.4[0xb7cfe65d]
/usr/lib/libgconf-2.so.4(gconf_client_set_string+0xa9)[0xb7d02369]
wallpaper-tray(f_set_rand_wallpaper+0x234)[0x804ee14]
/usr/lib/libgtk-x11-2.0.so.0(_gtk_marshal_BOOLEAN__BOXED+0x60)[0xb7a3b6b0]
/usr/lib/libgobject-2.0.so.0(g_closure_invoke+0x12b)[0xb741f62b]
/usr/lib/libgobject-2.0.so.0[0xb7430103]
/usr/lib/libgobject-2.0.so.0(g_signal_emit_valist+0x68f)[0xb74313ef]
/usr/lib/libgobject-2.0.so.0(g_signal_emit+0x29)[0xb74317e9]
/usr/lib/libgtk-x11-2.0.so.0[0xb7b4fe18]
/usr/lib/libgtk-x11-2.0.so.0(gtk_propagate_event+0x183)[0xb7a349c3]
/usr/lib/libgtk-x11-2.0.so.0(gtk_main_do_event+0x317)[0xb7a35bc7]
/usr/lib/libgdk-x11-2.0.so.0[0xb779a12a]
/usr/lib/libglib-2.0.so.0(g_main_context_dispatch+0x182)[0xb73a5df2]
/usr/lib/libglib-2.0.so.0[0xb73a8dcf]
/usr/lib/libglib-2.0.so.0(g_main_loop_run+0x1a9)[0xb73a9179]
/usr/lib/libgtk-x11-2.0.so.0(gtk_main+0xb4)[0xb7a36044]
wallpaper-tray(main+0x344)[0x804d344]
/lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xdc)[0xb724cebc]
wallpaper-tray[0x804bb81]
======= Memory map: ========
08048000-08050000 r-xp 00000000 03:01 427533     /usr/bin/wallpaper-tray
08050000-08051000 rw-p 00007000 03:01 427533     /usr/bin/wallpaper-tray
08051000-081e2000 rw-p 08051000 00:00 0          [heap]
b6c4d000-b6c58000 r-xp 00000000 03:01 262208     /lib/libgcc_s.so.1
b6c58000-b6c59000 rw-p 0000a000 03:01 262208     /lib/libgcc_s.so.1
b6c67000-b6ce4000 r--p 00000000 03:01 625330     /usr/share/fonts/truetype/ttf-dejavu/DejaVuSans.ttf
b6ce4000-b6ce6000 r-xp 00000000 03:01 558071     /usr/lib/pango/1.6.0/modules/pango-basic-fc.so
b6ce6000-b6ce7000 rw-p 00001000 03:01 558071     /usr/lib/pango/1.6.0/modules/pango-basic-fc.so
b6ce7000-b6ced000 r--s 00000000 03:01 824527     /var/cache/fontconfig/945677eb7aeaf62f1d50efc3fb3ec7d8-x86.cache-2
b6ced000-b6cee000 r--s 00000000 03:01 824555     /var/cache/fontconfig/fd9505950c048a77dc4b710eb6a628ed-x86.cache-2
b6cee000-b6cf1000 r--s 00000000 03:01 824543     /var/cache/fontconfig/ddc79d3ea06a7c6ffa86ede85f3bb5df-x86.cache-2
b6cf1000-b6cf2000 r--s 00000000 03:01 824549     /var/cache/fontconfig/e7071f4a29fa870f4323321c154eba04-x86.cache-2
b6cf2000-b6cf3000 r--s 00000000 03:01 824530     /var/cache/fontconfig/a2ab74764b07279e7c36ddb1d302cf26-x86.cache-2
b6cf3000-b6cf7000 r--s 00000000 03:01 824524     /var/cache/fontconfig/921a30a17f0be15c70ac14043cb7a739-x86.cache-2
b6cf7000-b6cf8000 r--s 00000000 03:01 824512     /var/cache/fontconfig/4c73fe0c47614734b17d736dbde7580a-x86.cache-2
b6cf8000-b6cfa000 r--s 00000000 03:01 824517     /var/cache/fontconfig/646addb8444faa74ee138aa00ab0b6a0-x86.cache-2
b6cfa000-b6cfc000 r--s 00000000 03:01 824505     /var/cache/fontconfig/20bd79ad97094406f7d1b9654bfbd926-x86.cache-2
b6cfc000-b6cfd000 r--s 00000000 03:01 824520     /var/cache/fontconfig/75a2cd575a62c63e802c11411fb87c37-x86.cache-2
b6cfd000-b6cff000 r--s 00000000 03:01 824528     /var/cache/fontconfig/9c0624108b9a2ae8552f664125be8356-x86.cache-2
b6cff000-b6d05000 r--s 00000000 03:01 824518     /var/cache/fontconfig/6d41288fd70b0be22e8c3a91e032eec0-x86.cache-2
b6d05000-b6d07000 r--s 00000000 03:01 824544     /var/cache/fontconfig/de156ccd2eddbdc19d37a45b8b2aac9c-x86.cache-2
b6d07000-b6d09000 r--s 00000000 03:01 824541     /var/cache/fontconfig/da1bd5ca8443ffe22927a23ce431d198-x86.cache-2
b6d09000-b6d11000 r--s 00000000 03:01 824547     /var/cache/fontconfig/e3de0de479f42330eadf588a55fb5bf4-x86.cache-2
b6d11000-b6d17000 r--s 00000000 03:01 824501     /var/cache/fontconfig/0f34bcd4b6ee430af32735b75db7f02b-x86.cache-2
b6d17000-b6d18000 r--s 00000000 03:01 824510     /var/cache/fontconfig/4794a0821666d79190d59a36cb4f44b5Aborted (core dumped)
 </code>

This is not the only way that it crashes though. sometimes it looks very similar but with different starting lines.
examples of starting line:
1)*** glibc detected *** wallpaper-tray: munmap_chunk(): invalid pointer: 0x081bfa78 ***
2)*** glibc detected *** wallpaper-tray: double free or corruption (out): 0x081a2890 ***
3)*** glibc detected *** wallpaper-tray: malloc(): memory corruption: 0x081afd60 ***

it also has the potential of outputting only the following line with no other information:
Segmentation fault (core dumped)

sometimes it takes a long time for it to crash and sometimes it crashes very quickly.

Revision history for this message

Philippe Le Toquin (ppmt) wrote on 2007-07-06:

#5

_usr_bin_wallpaper-tray.1001.crash Edit (515.3 KiB, text/plain)

I have the same behaviour as Goosrock. Wallpaper will work for some time then suddenly disappear from the tray.

I have 2 user on the same computer running it at the same time and it happens fro both user. I have found a crash file in /var/crash for each user. I attach one

Revision history for this message

Philippe Le Toquin (ppmt) wrote on 2007-07-06:

#6

Download full text (4.0 KiB)

after running wallpaper-tray -v here is what I had after a while

*** glibc detected *** wallpaper-tray: free(): invalid next size (normal): 0x081f5be0 ***
======= Backtrace: =========
/lib/tls/i686/cmov/libc.so.6[0xb72e07cd]
/lib/tls/i686/cmov/libc.so.6(cfree+0x90)[0xb72e3e30]
wallpaper-tray(f_set_rand_wallpaper+0x25a)[0x804ee3a]
/usr/lib/libglib-2.0.so.0[0xb73e83c6]
/usr/lib/libglib-2.0.so.0(g_main_context_dispatch+0x182)[0xb73e7df2]
/usr/lib/libglib-2.0.so.0[0xb73eadcf]
/usr/lib/libglib-2.0.so.0(g_main_loop_run+0x1a9)[0xb73eb179]
/usr/lib/libgtk-x11-2.0.so.0(gtk_main+0xb4)[0xb7a78044]
wallpaper-tray(main+0x344)[0x804d344]
/lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xdc)[0xb728eebc]
wallpaper-tray[0x804bb81]
======= Memory map: ========
08048000-08050000 r-xp 00000000 08:01 933910 /usr/bin/wallpaper-tray
08050000-08051000 rw-p 00007000 08:01 933910 /usr/bin/wallpaper-tray
08051000-08235000 rw-p 08051000 00:00 0 [heap]
b5f00000-b5f21000 rw-p b5f00000 00:00 0
b5f21000-b6000000 ---p b5f21000 00:00 0
b6015000-b6020000 r-xp 00000000 08:01 4014314 /lib/libgcc_s.so.1
b6020000-b6021000 rw-p 0000a000 08:01 4014314 /lib/libgcc_s.so.1
b6033000-b6036000 r-xp 00000000 08:01 4997145 /usr/lib/libglade/2.0/libbonobo.so
b6036000-b6037000 rw-p 00002000 08:01 4997145 /usr/lib/libglade/2.0/libbonobo.so
b6037000-b603e000 r-xp 00000000 08:01 4997323 /usr/lib/libglade/2.0/libgnome.so
b603e000-b603f000 rw-p 00006000 08:01 4997323 /usr/lib/libglade/2.0/libgnome.so
b603f000-b609f000 rw-s 00000000 00:08 217710609 /SYSV00000000 (deleted)
b609f000-b60c6000 r--p 00000000 08:01 67136 /usr/share/fonts/truetype/Liberation/LiberationSerif-Regular.ttf
b60c6000-b60c8000 r-xp 00000000 08:01 299473 /usr/lib/pango/1.6.0/modules/pango-basic-fc.so
b60c8000-b60c9000 rw-p 00001000 08:01 299473 /usr/lib/pango/1.6.0/modules/pango-basic-fc.so
b60c9000-b60cf000 r--s 00000000 08:01 297827 /var/cache/fontconfig/945677eb7aeaf62f1d50efc3fb3ec7d8-x86.cache-2
b60cf000-b60d0000 r--s 00000000 08:01 297825 /var/cache/fontconfig/fd9505950c048a77dc4b710eb6a628ed-x86.cache-2
b60d0000-b60d3000 r--s 00000000 08:01 297824 /var/cache/fontconfig/ddc79d3ea06a7c6ffa86ede85f3bb5df-x86.cache-2
b60d3000-b60d4000 r--s 00000000 08:01 297823 /var/cache/fontconfig/e7071f4a29fa870f4323321c154eba04-x86.cache-2
b60d4000-b60d5000 r--s 00000000 08:01 294972 /var/cache/fontconfig/a2ab74764b07279e7c36ddb1d302cf26-x86.cache-2
b60d5000-b60d9000 r--s 00000000 08:01 297822 /var/cache/fontconfig/921a30a17f0be15c70ac14043cb7a739-x86.cache-2
b60d9000-b60da000 r--s 00000000 08:01 297820 /var/cache/fontconfig/4c73fe0c47614734b17d736dbde7580a-x86.cache-2
b60da000-b60dc000 r--s 00000000 08:01 297819 /var/cache/fontconfig/646addb8444faa74ee138aa00ab0b6a0-x86.cache-2
b60dc000-b60de000 r--s 00000000 08:01 297818 /var/cache/fontconfig/20bd79ad97094406f7d1b9654bfbd926-x86.cache-2
b60de000-b60df000 r--s 00000000 08:01 297817 /var/cache/fontconfig/75a2cd575a62c63e802c11411fb87c37-x86.cache-2
b60df000-b60e1000 r--s 00000000 08:01 297816 /var/cache/fontconfig/9c0624108b9a2ae8552f664125be8356-x86.cache-2
b60e1000-b60e7000 r--s 00000000 08:01 ...

after running wallpaper-tray -v here is what I had after a while

*** glibc detected *** wallpaper-tray: free(): invalid next size (normal): 0x081f5be0 ***
======= Backtrace: =========
/lib/tls/i686/cmov/libc.so.6[0xb72e07cd]
/lib/tls/i686/cmov/libc.so.6(cfree+0x90)[0xb72e3e30]
wallpaper-tray(f_set_rand_wallpaper+0x25a)[0x804ee3a]
/usr/lib/libglib-2.0.so.0[0xb73e83c6]
/usr/lib/libglib-2.0.so.0(g_main_context_dispatch+0x182)[0xb73e7df2]
/usr/lib/libglib-2.0.so.0[0xb73eadcf]
/usr/lib/libglib-2.0.so.0(g_main_loop_run+0x1a9)[0xb73eb179]
/usr/lib/libgtk-x11-2.0.so.0(gtk_main+0xb4)[0xb7a78044]
wallpaper-tray(main+0x344)[0x804d344]
/lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xdc)[0xb728eebc]
wallpaper-tray[0x804bb81]
======= Memory map: ========
08048000-08050000 r-xp 00000000 08:01 933910     /usr/bin/wallpaper-tray
08050000-08051000 rw-p 00007000 08:01 933910     /usr/bin/wallpaper-tray
08051000-08235000 rw-p 08051000 00:00 0          [heap]
b5f00000-b5f21000 rw-p b5f00000 00:00 0 
b5f21000-b6000000 ---p b5f21000 00:00 0 
b6015000-b6020000 r-xp 00000000 08:01 4014314    /lib/libgcc_s.so.1
b6020000-b6021000 rw-p 0000a000 08:01 4014314    /lib/libgcc_s.so.1
b6033000-b6036000 r-xp 00000000 08:01 4997145    /usr/lib/libglade/2.0/libbonobo.so
b6036000-b6037000 rw-p 00002000 08:01 4997145    /usr/lib/libglade/2.0/libbonobo.so
b6037000-b603e000 r-xp 00000000 08:01 4997323    /usr/lib/libglade/2.0/libgnome.so
b603e000-b603f000 rw-p 00006000 08:01 4997323    /usr/lib/libglade/2.0/libgnome.so
b603f000-b609f000 rw-s 00000000 00:08 217710609  /SYSV00000000 (deleted)
b609f000-b60c6000 r--p 00000000 08:01 67136      /usr/share/fonts/truetype/Liberation/LiberationSerif-Regular.ttf
b60c6000-b60c8000 r-xp 00000000 08:01 299473     /usr/lib/pango/1.6.0/modules/pango-basic-fc.so
b60c8000-b60c9000 rw-p 00001000 08:01 299473     /usr/lib/pango/1.6.0/modules/pango-basic-fc.so
b60c9000-b60cf000 r--s 00000000 08:01 297827     /var/cache/fontconfig/945677eb7aeaf62f1d50efc3fb3ec7d8-x86.cache-2
b60cf000-b60d0000 r--s 00000000 08:01 297825     /var/cache/fontconfig/fd9505950c048a77dc4b710eb6a628ed-x86.cache-2
b60d0000-b60d3000 r--s 00000000 08:01 297824     /var/cache/fontconfig/ddc79d3ea06a7c6ffa86ede85f3bb5df-x86.cache-2
b60d3000-b60d4000 r--s 00000000 08:01 297823     /var/cache/fontconfig/e7071f4a29fa870f4323321c154eba04-x86.cache-2
b60d4000-b60d5000 r--s 00000000 08:01 294972     /var/cache/fontconfig/a2ab74764b07279e7c36ddb1d302cf26-x86.cache-2
b60d5000-b60d9000 r--s 00000000 08:01 297822     /var/cache/fontconfig/921a30a17f0be15c70ac14043cb7a739-x86.cache-2
b60d9000-b60da000 r--s 00000000 08:01 297820     /var/cache/fontconfig/4c73fe0c47614734b17d736dbde7580a-x86.cache-2
b60da000-b60dc000 r--s 00000000 08:01 297819     /var/cache/fontconfig/646addb8444faa74ee138aa00ab0b6a0-x86.cache-2
b60dc000-b60de000 r--s 00000000 08:01 297818     /var/cache/fontconfig/20bd79ad97094406f7d1b9654bfbd926-x86.cache-2
b60de000-b60df000 r--s 00000000 08:01 297817     /var/cache/fontconfig/75a2cd575a62c63e802c11411fb87c37-x86.cache-2
b60df000-b60e1000 r--s 00000000 08:01 297816     /var/cache/fontconfig/9c0624108b9a2ae8552f664125be8356-x86.cache-2
b60e1000-b60e7000 r--s 00000000 08:01 297815     /var/cache/fontconfig/6d41288fd70b0be22e8c3a91e032eec0-x86.cache-2
b60e7000-b60e9000 r--s 00000000 08:01 297814     /var/cache/fontconfig/de156ccd2eddbdc19d37a45b8b2aac9c-x86.cache-2
b60e9000-b60eb000 r--s 00000000 08:01 297813     /var/cache/fontconfig/da1bd5ca8443ffe22927a23ce431d198-x86.cache-2
b60eb000-b60f3000 r--s 00000000 08:01 297812     /var/cache/fontconfig/e3de0de479f42330eadf588a55fb5bf4-x86.cache-2
b60f3000-b60f9000 r--s 00000000 08:01 297811     /var/cache/fontconfig/0f34bcd4b6ee430af32735b75db7f02b-x86.cache-2
b60f9000-b60fa000 r--s 00000000 08:01 297810     /var/cache/fontconfig/4794a0821666d79190d59a36cb4f44b5-x86.cache-2
b60fa000-b60fc000 r--s 00000000 08:01 297809     /var/cache/fontconfig/de9486f0b47a4d768a594cb4198cb1c6-x86.cache-2
b60fc000-b6102000 r--s 00000000 08:01 297808     /var/cache/fontconfig/d52a8644073d54c13679302ca1180695-x86.cache-2
b6102000-b6105000 r--s Aborted (core dumped)

Revision history for this message

J.M. Hardin (jmhardin) wrote on 2007-12-31:

#7

Download full text (5.2 KiB)

I'm also getting the crash on Gutsy, sometimes after running it for a while, sometimes after simply launching the program. I ran it from the Terminal and after a couple of manual wallpaper changes it crashed, outputting the following:

*** glibc detected *** wallpaper-tray: malloc(): memory corruption: 0x080e1db0 ***
======= Backtrace: =========
/lib/tls/i686/cmov/libc.so.6[0xb7260636]
/lib/tls/i686/cmov/libc.so.6(__libc_malloc+0x90)[0xb7261fc0]
/usr/lib/libglib-2.0.so.0(g_malloc+0x36)[0xb7376af6]
/usr/lib/libglib-2.0.so.0(g_strdup+0x39)[0xb738ec19]
/usr/lib/libgconf-2.so.4(gconf_value_set_string+0x1d)[0xb7d2665d]
/usr/lib/libgconf-2.so.4(gconf_engine_set_string+0xa1)[0xb7d2c931]
/usr/lib/libgconf-2.so.4(gconf_client_set_string+0xad)[0xb7d3014d]
wallpaper-tray(f_set_rand_wallpaper+0x234)[0x804ee14]
/usr/lib/libgtk-x11-2.0.so.0(_gtk_marshal_BOOLEAN__BOXED+0x5e)[0xb7a5132e]
/usr/lib/libgobject-2.0.so.0(g_closure_invoke+0x122)[0xb7410772]
/usr/lib/libgobject-2.0.so.0[0xb7421323]
/usr/lib/libgobject-2.0.so.0(g_signal_emit_valist+0x68f)[0xb742260f]
/usr/lib/libgobject-2.0.so.0(g_signal_emit+0x29)[0xb7422a09]
/usr/lib/libgtk-x11-2.0.so.0[0xb7b6fc08]
/usr/lib/libgtk-x11-2.0.so.0(gtk_propagate_event+0x14f)[0xb7a4a4bf]
/usr/lib/libgtk-x11-2.0.so.0(gtk_main_do_event+0x307)[0xb7a4b6d7]
/usr/lib/libgdk-x11-2.0.so.0[0xb7798b9a]
/usr/lib/libglib-2.0.so.0(g_main_context_dispatch+0x17c)[0xb736f11c]
/usr/lib/libglib-2.0.so.0[0xb737255f]
/usr/lib/libglib-2.0.so.0(g_main_loop_run+0x1a9)[0xb7372909]
/usr/lib/libgtk-x11-2.0.so.0(gtk_main+0xb4)[0xb7a4bb34]
wallpaper-tray(main+0x344)[0x804d344]
/lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe0)[0xb720c050]
wallpaper-tray[0x804bb81]
======= Memory map: ========
08048000-08050000 r-xp 00000000 08:01 1745579 /usr/bin/wallpaper-tray
08050000-08051000 rw-p 00007000 08:01 1745579 /usr/bin/wallpaper-tray
08051000-08161000 rw-p 08051000 00:00 0 [heap]
b6900000-b6921000 rw-p b6900000 00:00 0
b6921000-b6a00000 ---p b6921000 00:00 0
b6af2000-b6b52000 rw-s 00000000 00:09 16154688 /SYSV00000000 (deleted)
b6bac000-b6bb6000 r-xp 00000000 08:01 977286 /lib/libgcc_s.so.1
b6bb6000-b6bb7000 rw-p 0000a000 08:01 977286 /lib/libgcc_s.so.1
b6bc9000-b6be5000 r--p 00000000 08:01 344833 /usr/share/fonts/truetype/liberation/LiberationSans-Regular.ttf
b6be5000-b6be7000 r-xp 00000000 08:01 537849 /usr/lib/pango/1.6.0/modules/pango-basic-fc.so
b6be7000-b6be8000 rw-p 00001000 08:01 537849 /usr/lib/pango/1.6.0/modules/pango-basic-fc.so
b6be8000-b6beb000 r--s 00000000 08:01 539952 /var/cache/fontconfig/5e10083637a12ecd1bff191eb66bfa2f-x86.cache-2
b6beb000-b6bed000 r--s 00000000 08:01 539951 /var/cache/fontconfig/603b2eb47209ddb3c5269b217a306167-x86.cache-2
b6bed000-b6bf3000 r--s 00000000 08:01 538866 /var/cache/fontconfig/945677eb7aeaf62f1d50efc3fb3ec7d8-x86.cache-2
b6bf3000-b6bf6000 r--s 00000000 08:01 1368193 /var/cache/fontconfig/e383d7ea5fbe662a33d9b44caf393297-x86.cache-2
b6bf6000-b6bf9000 r--s 00000000 08:01 539573 /var/cache/fontconfig/a46337af8a0b4c9b317ad981ec3bdf87-x86.cache-2
b6bf9000-b6bfa000 r--s 00000000 08:01 539943 /var/cache/fontconfig/1b70ff56935fd37e75520e134628df26...

I'm also getting the crash on Gutsy, sometimes after running it for a while, sometimes after simply launching the program. I ran it from the Terminal and after a couple of manual wallpaper changes it crashed, outputting the following:

*** glibc detected *** wallpaper-tray: malloc(): memory corruption: 0x080e1db0 ***
======= Backtrace: =========
/lib/tls/i686/cmov/libc.so.6[0xb7260636]
/lib/tls/i686/cmov/libc.so.6(__libc_malloc+0x90)[0xb7261fc0]
/usr/lib/libglib-2.0.so.0(g_malloc+0x36)[0xb7376af6]
/usr/lib/libglib-2.0.so.0(g_strdup+0x39)[0xb738ec19]
/usr/lib/libgconf-2.so.4(gconf_value_set_string+0x1d)[0xb7d2665d]
/usr/lib/libgconf-2.so.4(gconf_engine_set_string+0xa1)[0xb7d2c931]
/usr/lib/libgconf-2.so.4(gconf_client_set_string+0xad)[0xb7d3014d]
wallpaper-tray(f_set_rand_wallpaper+0x234)[0x804ee14]
/usr/lib/libgtk-x11-2.0.so.0(_gtk_marshal_BOOLEAN__BOXED+0x5e)[0xb7a5132e]
/usr/lib/libgobject-2.0.so.0(g_closure_invoke+0x122)[0xb7410772]
/usr/lib/libgobject-2.0.so.0[0xb7421323]
/usr/lib/libgobject-2.0.so.0(g_signal_emit_valist+0x68f)[0xb742260f]
/usr/lib/libgobject-2.0.so.0(g_signal_emit+0x29)[0xb7422a09]
/usr/lib/libgtk-x11-2.0.so.0[0xb7b6fc08]
/usr/lib/libgtk-x11-2.0.so.0(gtk_propagate_event+0x14f)[0xb7a4a4bf]
/usr/lib/libgtk-x11-2.0.so.0(gtk_main_do_event+0x307)[0xb7a4b6d7]
/usr/lib/libgdk-x11-2.0.so.0[0xb7798b9a]
/usr/lib/libglib-2.0.so.0(g_main_context_dispatch+0x17c)[0xb736f11c]
/usr/lib/libglib-2.0.so.0[0xb737255f]
/usr/lib/libglib-2.0.so.0(g_main_loop_run+0x1a9)[0xb7372909]
/usr/lib/libgtk-x11-2.0.so.0(gtk_main+0xb4)[0xb7a4bb34]
wallpaper-tray(main+0x344)[0x804d344]
/lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe0)[0xb720c050]
wallpaper-tray[0x804bb81]
======= Memory map: ========
08048000-08050000 r-xp 00000000 08:01 1745579    /usr/bin/wallpaper-tray
08050000-08051000 rw-p 00007000 08:01 1745579    /usr/bin/wallpaper-tray
08051000-08161000 rw-p 08051000 00:00 0          [heap]
b6900000-b6921000 rw-p b6900000 00:00 0 
b6921000-b6a00000 ---p b6921000 00:00 0 
b6af2000-b6b52000 rw-s 00000000 00:09 16154688   /SYSV00000000 (deleted)
b6bac000-b6bb6000 r-xp 00000000 08:01 977286     /lib/libgcc_s.so.1
b6bb6000-b6bb7000 rw-p 0000a000 08:01 977286     /lib/libgcc_s.so.1
b6bc9000-b6be5000 r--p 00000000 08:01 344833     /usr/share/fonts/truetype/liberation/LiberationSans-Regular.ttf
b6be5000-b6be7000 r-xp 00000000 08:01 537849     /usr/lib/pango/1.6.0/modules/pango-basic-fc.so
b6be7000-b6be8000 rw-p 00001000 08:01 537849     /usr/lib/pango/1.6.0/modules/pango-basic-fc.so
b6be8000-b6beb000 r--s 00000000 08:01 539952     /var/cache/fontconfig/5e10083637a12ecd1bff191eb66bfa2f-x86.cache-2
b6beb000-b6bed000 r--s 00000000 08:01 539951     /var/cache/fontconfig/603b2eb47209ddb3c5269b217a306167-x86.cache-2
b6bed000-b6bf3000 r--s 00000000 08:01 538866     /var/cache/fontconfig/945677eb7aeaf62f1d50efc3fb3ec7d8-x86.cache-2
b6bf3000-b6bf6000 r--s 00000000 08:01 1368193    /var/cache/fontconfig/e383d7ea5fbe662a33d9b44caf393297-x86.cache-2
b6bf6000-b6bf9000 r--s 00000000 08:01 539573     /var/cache/fontconfig/a46337af8a0b4c9b317ad981ec3bdf87-x86.cache-2
b6bf9000-b6bfa000 r--s 00000000 08:01 539943     /var/cache/fontconfig/1b70ff56935fd37e75520e134628df26-x86.cache-2
b6bfa000-b6bfb000 r--s 00000000 08:01 539941     /var/cache/fontconfig/fd9505950c048a77dc4b710eb6a628ed-x86.cache-2
b6bfb000-b6bfd000 r--s 00000000 08:01 539937     /var/cache/fontconfig/ddc79d3ea06a7c6ffa86ede85f3bb5df-x86.cache-2
b6bfd000-b6bfe000 r--s 00000000 08:01 539933     /var/cache/fontconfig/6edd069ccec3ba28096b368c434fa861-x86.cache-2
b6bfe000-b6bff000 r--s 00000000 08:01 539931     /var/cache/fontconfig/e7071f4a29fa870f4323321c154eba04-x86.cache-2
b6bff000-b6c00000 r--s 00000000 08:01 539930     /var/cache/fontconfig/a2ab74764b07279e7c36ddb1d302cf26-x86.cache-2
b6c00000-b6c04000 r--s 00000000 08:01 539920     /var/cache/fontconfig/921a30a17f0be15c70ac14043cb7a739-x86.cache-2
b6c04000-b6c05000 r--s 00000000 08:01 539919     /var/cache/fontconfig/c69f04ab05004e31a6d5e715764f16d8-x86.cache-2
b6c05000-b6c20000 r--s 00000000 08:01 539918     /var/cache/fontconfig/4ca92cf76c0cf3dfa7f011127eff595d-x86.cache-2
b6c20000-b6c3c000 r--s 00000000 08:01 539914     /var/cache/fontconfig/6abf76b0b4cc7192703d8431ac929b75-x86.cache-2
b6c3c000-b6c5a000 r--s 00000000 08:01 539911     /var/cache/fontconfig/f408d08d2fce062ab660f628db78bf96-x86.cache-2
b6c5a000-b6c5b000 r--s 00000000 08:01 539909     /var/cache/fontconfig/4c73fe0c47614734b17d736dbde7580a-x86.cache-2
b6c5b000-b6c5d000 r--s 00000000 08:01 539908     /var/cache/fontconfig/646addb8444faa74ee138aa00ab0b6a0-x86.cache-2
b6c5d000-b6c60000 r--s 00000000 08:01 539900     /var/cache/fontconfig/a755afe4a08bf5b97852ceb7400b47bc-x86.cache-2
b6c60000-b6c61000 r--s 00000000 08:01 539899     /var/cache/fontconfig/7ee55724f82591cb35c3d9771e9e69ed-x86.cache-2
b6c61000-b6c63000 r--s 00000000 08:01 539893     /var/cache/fontconfig/20bd79ad97094406f7d1b9654Aborted (core dumped)

HARDWARE INFO
Running Ubuntu Gutsy with GNOME 2.20.1 and the 2.6.22-14-generic kernel
I have a 2.20GHz Celeron with 748.7 MB of RAM
My video card is an Nvidia GeForce2 MX 100/200 with 64 MB RAM using the 96.43.01 drivers (installed with Envy 0.9.8 due to BSD issues with drivers installed from both the Restricted Drivers manager and the newer Envy (at the time of my reinstall in 2 December)

Daniel T Chen (crimsun) on 2008-09-30

Changed in wallpaper-tray:
importance:	Undecided → Medium
status:	New → Confirmed

Revision history for this message

Andrew Starr-Bochicchio (andrewsomething) wrote on 2009-03-13:

#8

Wallpaper-tray has been completely rewritten in C++ and is now a panel applet. This new version is now in Jaunty (9.04). Can this issue be reproduced with the new version?

Changed in wallpaper-tray:
status:	Confirmed → Incomplete

Revision history for this message

AquaQuieta (aqua-quieta) wrote on 2009-09-02:

#9

Download full text (3.9 KiB)

I was experiencing this in Hardy Heron, and it was very annoying, so I decided to do something about it and try my hand at debugging it. So I installed the source package, compiled it and ran it through GDB. Sure enough it segfaulted after changing a few wallpapers. Output was very similar to the above, but the line that caught my attention was:

#6 0x0804ee7a in f_set_rand_wallpaper (button=0x82b0768, user_data=0x0) at wp_tray_util.c:371

Looking at line 371 of wp_tray_util.c:

free(sz_randfile);

So it appears that freeing this memory is causing the segfault. That pointer contains the full path of the randomly selected wallpaper, and the memory gets allocated in a function (in the same source file) called f_get_dir_entry.
It took me a while to figure it out, because it seemed to be happening randomly, but eventually I discovered that the
bug is definitely in the f_get_dir_entry function. The problem resides in this block of code:

                // found the target yet?^M
                if(*p_dir_trgt == 0)^M
                {^M
                        // malloc a new string^M
                        *sz_dir_trgt = (gchar *)malloc(100);^M
                        ^M
                        getcwd(*sz_dir_trgt, 100);^M
^M
                        // copy the target string^M
                        strncat(*sz_dir_trgt, "/", 100);^M
                        strncat(*sz_dir_trgt, entry->d_name, 100);^M
                }// end if^M

There are 2 problems with this code that I see. The first is a buffer overflow, the cause of the segfault: only 100 characters are being allocated for the file name. That might be fine if it were just the file name, but this is the full path. So if the full path is longer than 100 characters, there is a problem. The directory I am using is almost 90 characters long by itself!!!Sure enough, it crashed every time the randomly selected filename was over 100 characters, but worked fine when the path is under 100 characters. Altering the code above and replacing 100 wherever it occurs with 1024 fixes the problem for me.

The second problem is the way the author is using strncat. Using strncat to try and prevent a buffer overflow was a good idea, but he is calling it multiple times. The 3rd parameter to strncat is the max bytes to copy, not the max size of the buffer. So he allocates 100 bytes, the fills some of those bytes with the current directory and a trailing slash, and then fills some more with the actual file name. However, if the path + trailing slash is 99 characters long (for example), strncat will still happily append up to 100 characters on the end of the string when he copies the filename. Basically, in the last strncat , the max bytes shouldn't be a static value, but should subtract the current length of the string from the number of allocated bytes.

I'd be interested to know if this fixes the problems for others. I can never tell if my problem is the exact same as the one other people are describing. To repeat my fix on your computer (assumes you have build-essentials installed):

apt-get build-dep wallpaper-tray
apt-get source wallpaper-tray

cd wallpaper-tray-0.4.6/src/

Edit the "wp_tray_util....

I was experiencing this in Hardy Heron, and it was very annoying, so I decided to do something about it and try my hand at debugging it. So I installed the source package, compiled it and ran it through GDB. Sure enough it segfaulted after changing a few wallpapers. Output was very similar to the above, but the line that caught my attention was:

#6  0x0804ee7a in f_set_rand_wallpaper (button=0x82b0768, user_data=0x0) at wp_tray_util.c:371

Looking at line 371 of wp_tray_util.c:

free(sz_randfile);

So it appears that freeing this memory is causing the segfault. That pointer contains the full path of the randomly selected wallpaper, and the memory gets allocated in a function (in the same source file) called  f_get_dir_entry.
It took me a while to figure it out, because it seemed to be happening randomly, but eventually I discovered that the
bug is definitely in the  f_get_dir_entry function. The problem resides in this block of code:

// found the target yet?^M
                if(*p_dir_trgt == 0)^M
                {^M
                        // malloc a new string^M
                        *sz_dir_trgt = (gchar *)malloc(100);^M
                        ^M
                        getcwd(*sz_dir_trgt, 100);^M
^M
                        // copy the target string^M
                        strncat(*sz_dir_trgt, "/", 100);^M
                        strncat(*sz_dir_trgt, entry->d_name, 100);^M
                }// end if^M

There are 2 problems with this code that I see. The first is a buffer overflow, the cause of the segfault: only 100 characters are being allocated for the file name. That might be fine if it were just the file name, but this is the full path. So if the full path is longer than 100 characters, there is a problem. The directory I am using is almost 90 characters long by itself!!!Sure enough, it crashed every time the randomly selected filename was over 100 characters, but worked fine when the path is under 100 characters. Altering the code above and replacing 100  wherever it occurs with 1024 fixes the problem for me.

The second problem is the way the author is using strncat. Using strncat to try and prevent a buffer overflow was a good  idea, but he is calling it multiple times. The 3rd parameter to strncat is the max bytes to copy, not the max size of the buffer.  So he allocates 100 bytes, the fills some of those bytes with the current directory and a trailing slash, and then fills some more with the actual file name. However, if the path + trailing slash is 99 characters long (for example), strncat will still happily append up to 100 characters on the end of the string when he copies the filename. Basically, in the last strncat , the max bytes shouldn't be a static value, but should subtract the current length of the string from the number of allocated bytes.
 
I'd be interested to know if this fixes the problems for others. I can never tell if my problem is the exact same as the one other people are describing. To repeat my fix on your computer (assumes you have build-essentials installed):

apt-get build-dep wallpaper-tray
apt-get source wallpaper-tray

cd wallpaper-tray-0.4.6/src/

Edit the  "wp_tray_util.c"  file with your favorite text editor. Find the lines of code I mentioned above (right around line 125), and replace every "100" with "1024". Save and exit the editor.

Then change to the main source directory ( wallpaper-tray-0.4.6 ), compile:
./configure
make

This won't install the compiled files though. You can run the newly compiled version of the program from the command line to test it out. Its under the "src" directory, its called "wp_tray" .

If anyone knows how to to get this information upstream, please do. I would provide a diff, but I don't have time right now to do it properly ( I made a lot of changes to my source file to print out debugging messages, so I'd have to redo it all on my end to get a diff with just the relevant changes.)

I hope this helps somebody, enjoy :)

Revision history for this message

Andrew Starr-Bochicchio (andrewsomething) wrote on 2009-09-02:

#10

As I mentioned above, the version of wallpaper-tray since Jaunty has been completely rewritten in C++. AFAIK, upstream doesn't support the old version any more. If there is positive feedback and someone produces a proper patch, we could try to do a SRU for Hardy.

Changed in wallpaper-tray (Ubuntu):
status:	Incomplete → Fix Released
Changed in wallpaper-tray (Ubuntu Hardy):
importance:	Undecided → Medium
status:	New → Confirmed

Revision history for this message

Rolf Leggewie (r0lf) wrote on 2014-11-23:

#11

Hardy has seen the end of its life and is no longer receiving any updates. Marking the Hardy task for this ticket as "Won't Fix".

Changed in wallpaper-tray (Ubuntu Hardy):
status:	Confirmed → Won't Fix

Ubuntu
wallpaper-tray package

wallpapertray crashes when changing wallpaper

Bug Description

Other bug subscribers

Bug attachments

Remote bug watches

Affects		Status	Importance	Assigned to	Milestone
	wallpaper-tray (Ubuntu)	Fix Released	Medium	Unassigned
	Hardy	Won't Fix	Medium	Unassigned

Ubuntuwallpaper-tray package

wallpapertray crashes when changing wallpaper

Bug Description

Other bug subscribers

Bug attachments

Remote bug watches

Ubuntu
wallpaper-tray package