eog crashed with SIGSEGV in geis_dispatch_events()

Bug #830640 reported by Fyodor Pimenov on 2011-08-21
This bug affects 11 people
Affects               Importance  Assigned to
Geis                  Medium      Stephen M. Webb
Unity Foundations     Medium      Stephen M. Webb (nominated for Oneiric by Chase Douglas)
libgrip               High        Jussi Pakkanen
libgrip (Ubuntu)      High        Jussi Pakkanen
utouch-geis (Ubuntu)  Medium      Stephen M. Webb

Bug Description

Crash after wake-up of laptop

ProblemType: Crash
DistroRelease: Ubuntu 11.10
Package: eog 3.1.5-0ubuntu1
ProcVersionSignature: Ubuntu 3.0.0-8.11-generic 3.0.1
Uname: Linux 3.0.0-8-generic i686
Architecture: i386
Date: Sun Aug 21 00:54:12 2011
ExecutablePath: /usr/bin/eog
InstallationMedia: Ubuntu 10.04 LTS "Lucid Lynx" - Release i386 (20100429)
ProcCmdline: eog /home/username/Desktop/pictures/july/Camera\ album/P100702004.jpg
ProcEnviron:
 PATH=(custom, user)
 LANG=ru_RU.UTF-8
 SHELL=/bin/bash
SegvAnalysis:
 Segfault happened at: 0x5cfef5: cmp %eax,0x4(%esi)
 PC (0x005cfef5) ok
 source "%eax" ok
 destination "0x4(%esi)" (0x7c893028) not located in a known VMA region (needed writable region)!
SegvReason: writing unknown VMA
Signal: 11
SourcePackage: eog
StacktraceTop:
 ?? () from /usr/lib/libutouch-geis.so.1
 geis_dispatch_events () from /usr/lib/libutouch-geis.so.1
 geis_event_dispatch () from /usr/lib/libutouch-geis.so.1
 ?? () from /usr/lib/libgrip.so.0
 g_io_unix_dispatch (source=0xa583b38, callback=0x46b020, user_data=0xa3f3638) at /build/buildd/glib2.0-2.29.16/./glib/giounix.c:166
Title: eog crashed with SIGSEGV in geis_dispatch_events()
UpgradeStatus: Upgraded to oneiric on 2011-08-03 (18 days ago)
UserGroups: adm admin cdrom dialout disk kmem lpadmin plugdev sambashare


Fyodor Pimenov (fyodorp) wrote :

StacktraceTop:
 geis_backend_multiplexor_pump (mx=0x7c893024) at geis_backend_multiplexor.c:177
 geis_dispatch_events (geis=0x8072030) at geis.c:878
 geis_event_dispatch (instance=0xa510d88) at geis_v1.c:555
 ?? () from /tmp/tmpADuTHF/usr/lib/libgrip.so.0
 g_io_unix_dispatch (source=0xa583b38, callback=0x46b020, user_data=0xa3f3638) at /build/buildd/glib2.0-2.29.16/./glib/giounix.c:166

Changed in eog (Ubuntu):
importance: Undecided → Medium
tags: removed: need-i386-retrace
Pedro Villavicencio (pedro) wrote :

libutouch crash, reassigning.

affects: eog (Ubuntu) → utouch-geis (Ubuntu)
visibility: private → public
Chase Douglas (chasedouglas) wrote :

I just tried eog and evince, and they are both crashing on start up.

Changed in utouch-geis (Ubuntu):
importance: Medium → Critical
assignee: nobody → Stephen M. Webb (bregma)
Changed in utouch-geis (Ubuntu):
status: New → Triaged
milestone: none → ubuntu-11.10-beta-1
Changed in utouch-geis:
status: New → Triaged
importance: Undecided → Critical
assignee: nobody → Stephen M. Webb (bregma)
Changed in unity-foundations:
status: New → Triaged
importance: Undecided → Critical
assignee: nobody → Stephen M. Webb (bregma)
Changed in unity-foundations:
milestone: none → oneiric-beta-2
Chase Douglas (chasedouglas) wrote :

I was afraid this was hitting many people, but apparently not. I have found the memory corruption bug that is crashing eog and evince on my machine, but it looks like it requires having three or more multitouch devices connected at once. As such, I'm lowering the severity.

Changed in utouch-geis (Ubuntu):
importance: Critical → Medium
Changed in utouch-geis:
importance: Critical → Medium
Changed in unity-foundations:
importance: Critical → Medium
Changed in utouch-geis (Ubuntu):
milestone: ubuntu-11.10-beta-1 → none
Chase Douglas (chasedouglas) wrote :

Fyodor,

We pushed a commit to the utouch-grail development branch that fixes a memory corruption bug. Can you do the following to test:

$ sudo add-apt-repository ppa:utouch-team/daily
$ sudo apt-get update
$ sudo apt-get install libutouch-geis1

Test for crashing and post results here.

$ sudo ppa-purge ppa:utouch-team/daily

Thanks!

I just saw this crash and I have no multitouch devices... just a standard keyboard and mouse.

Chase: I updated using the PPA and still see the crash. I ran valgrind on eog and it crashed after reading from some freed memory. Log attached - though some of the symbols appear to be missing.

Seem to be able to reproduce by running eog multiple times from the command line.

Also saw this error once on the command line:

(eog:7799): GLib-GIO-CRITICAL **: GDBus.Error:org.freedesktop.DBus.Error.NoReply: Message did not receive a reply (timeout by message bus)

Actually it looks like it crashed after trying to write to a very suspicious address:

Address 0xaaaaaaaaaaaaaac2 is not stack'd, malloc'd or (recently) free'd

Stephen M. Webb (bregma) wrote :

The valgrind traceback shows libgrip is trying to use a geis instance it has already disposed of. I suspect the problem may lie in libgrip in this case.

I installed the dbgsym packages and ran valgrind again to get the full stack trace. Note that this is for the current oneiric packages, not the PPA. I captured two crashes. Hope this helps.

Jussi Pakkanen (jpakkane) wrote :

I just pushed a fix to libgrip trunk that should fix this. Please try it out.

Stephen M. Webb (bregma) on 2011-09-19
Changed in libgrip:
assignee: nobody → Jussi Pakkanen (jpakkane)
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in libgrip (Ubuntu):
status: New → Confirmed
Stephen M. Webb (bregma) on 2011-09-19
affects: libgrip → libgrip (Ubuntu)
Changed in libgrip (Ubuntu):
importance: Undecided → High
status: New → In Progress
Changed in libgrip:
assignee: nobody → Jussi Pakkanen (jpakkane)
status: New → In Progress
status: In Progress → Fix Committed
importance: Undecided → High
Changed in utouch-geis:
status: Triaged → Invalid
Changed in utouch-geis (Ubuntu):
status: Triaged → Invalid
Stephen M. Webb (bregma) on 2011-09-19
Changed in libgrip:
milestone: none → 0.3.0-0ubuntu1

Is libgrip trunk in the PPA?

Stephen M. Webb (bregma) on 2011-09-19
Changed in libgrip:
milestone: 0.3.0-0ubuntu1 → 0.3.3
Chase Douglas (chasedouglas) wrote :

Chris,

We have a daily ppa which builds the latest trunk version of libgrip among other packages. It is at: ppa:utouch-team/daily. Unfortunately, there is a bug which causes the libgrip package to be built with the wrong version. I am fixing that up now and it should be resolved shortly. I'll comment again when it is ready for testing.

Chase Douglas (chasedouglas) wrote :

It took a bit longer than we thought, but Stephen Webb was able to get the daily ppa working for libgrip again. Please test it out to see if things are fixed.

Thanks!

Ted Gould (ted) on 2011-09-21
Changed in unity-foundations:
milestone: oneiric-beta-2 → oneiric-final

OK, updated from the PPA and valgrind again. Observed two different crashes:

==18552== Invalid write of size 4
==18552== at 0x44CA49: visible_range_changed_cb (eog-thumb-view.c:244)
==18552== by 0x8559B4C: g_main_context_dispatch (gmain.c:2441)
==18552== by 0x855A347: g_main_context_iterate.isra.21 (gmain.c:3089)
==18552== by 0x855A881: g_main_loop_run (gmain.c:3297)
==18552== by 0x63D789C: gtk_main (gtkmain.c:1367)
==18552== by 0x6E4734D: g_application_run (gapplication.c:1323)
==18552== by 0x41CE8E: main (main.c:168)
==18552== Address 0xaaaaaaaaaaaaaac2 is not stack'd, malloc'd or (recently) free'd
==18552==
==18552==
==18552== Process terminating with default action of signal 11 (SIGSEGV)
==18552== General Protection Fault
==18552== at 0x44CA49: visible_range_changed_cb (eog-thumb-view.c:244)
==18552== by 0x8559B4C: g_main_context_dispatch (gmain.c:2441)
==18552== by 0x855A347: g_main_context_iterate.isra.21 (gmain.c:3089)
==18552== by 0x855A881: g_main_loop_run (gmain.c:3297)
==18552== by 0x63D789C: gtk_main (gtkmain.c:1367)
==18552== by 0x6E4734D: g_application_run (gapplication.c:1323)
==18552== by 0x41CE8E: main (main.c:168)

AND

(eog:18609): Gtk-CRITICAL **: gtk_container_foreach: assertion `GTK_IS_CONTAINER (container)' failed
==18609== Invalid read of size 8
==18609== at 0xA5E8D44: geis_event_dispatch (in /usr/lib/libutouch-geis.so.1.2.0)
==18609== by 0x6066C8C: ??? (in /usr/lib/libgrip.so.0.302.0)
==18609== by 0x8559B4C: g_main_context_dispatch (gmain.c:2441)
==18609== by 0x855A347: g_main_context_iterate.isra.21 (gmain.c:3089)
==18609== by 0x855A881: g_main_loop_run (gmain.c:3297)
==18609== by 0x63D789C: gtk_main (gtkmain.c:1367)
==18609== by 0x6E4734D: g_application_run (gapplication.c:1323)
==18609== by 0x41CE8E: main (main.c:168)
==18609== Address 0x0 is not stack'd, malloc'd or (recently) free'd
==18609==
==18609==
==18609== Process terminating with default action of signal 11 (SIGSEGV)
==18609== Access not within mapped region at address 0x0
==18609== at 0xA5E8D44: geis_event_dispatch (in /usr/lib/libutouch-geis.so.1.2.0)
==18609== by 0x6066C8C: ??? (in /usr/lib/libgrip.so.0.302.0)
==18609== by 0x8559B4C: g_main_context_dispatch (gmain.c:2441)
==18609== by 0x855A347: g_main_context_iterate.isra.21 (gmain.c:3089)
==18609== by 0x855A881: g_main_loop_run (gmain.c:3297)
==18609== by 0x63D789C: gtk_main (gtkmain.c:1367)
==18609== by 0x6E4734D: g_application_run (gapplication.c:1323)
==18609== by 0x41CE8E: main (main.c:168)

It appears there are no symbols for the PPA packages? The dbgsym packages got uninstalled when I updated to the PPA.

I compiled with debug symbols from the PPA source packages. This is a backtrace of the second crash from my post above:

Program received signal SIGSEGV, Segmentation fault.
geis_event_dispatch (instance=0x0) at geis_v1.c:555
555 geis_dispatch_events(instance->geis);
(gdb) bt
#0 geis_event_dispatch (instance=0x0) at geis_v1.c:555
#1 0x00007ffff69a1c8d in io_callback (source=<optimized out>, condition=<optimized out>, data=<optimized out>)
    at gripgesturemanager.c:944
#2 0x00007ffff4444b4d in g_main_dispatch (context=0x6cc410) at /build/buildd/glib2.0-2.29.92/./glib/gmain.c:2441
#3 g_main_context_dispatch (context=0x6cc410) at /build/buildd/glib2.0-2.29.92/./glib/gmain.c:3011
#4 0x00007ffff4445348 in g_main_context_iterate (context=0x6cc410, block=<optimized out>, dispatch=1,
    self=<optimized out>) at /build/buildd/glib2.0-2.29.92/./glib/gmain.c:3089
#5 0x00007ffff4445882 in g_main_loop_run (loop=0x7b3f20) at /build/buildd/glib2.0-2.29.92/./glib/gmain.c:3297
#6 0x00007ffff647578d in gtk_main () at /build/buildd/gtk+3.0-3.1.92/./gtk/gtkmain.c:1367
#7 0x00007ffff5bb034e in g_application_run (application=0x7a9670, argc=<optimized out>, argv=<optimized out>)
    at /build/buildd/glib2.0-2.29.92/./gio/gapplication.c:1323
#8 0x000000000041ce8f in main (argc=1, argv=0x7fffffffe568) at main.c:168

It seems to happen sometimes when I have more than one eog window open. I close one eog window and then click on "Previous" in another.

Chase Douglas (chasedouglas) wrote :

Unfortunately, ppas don't have pkg-create-dbgsym installed, so dbgsym packages aren't created. I have created a workaround for libgrip so that it does not strip binaries created from a daily build. The new package in the daily ppa should have debug symbols now.

I followed the instructions at http://wiki.debian.org/DebugPackage to enable debug package building for libgrip and utouch-geis; it actually turned out to be pretty easy. I posted the backtrace with symbols in #20.

I also found bug #156575 "PPA builds do not create -dbgsym packages" which seems to suggest that support for building a PPA with dbgsym packages already exists. The other eog crash I posted in #19 in visible_range_changed_cb() already had all the symbols. That write to address 0xaaaaaaaaaaaaaac2 is something that I had already seen and posted in valgrind.txt above. Since I saw it without the geis memory issues this time I wonder if it's an unrelated issue.

Stephen M. Webb (bregma) wrote :

The suspicious memory address could be an unrelated bug, but invalid memory accesses have a strange way about them and can manifest in unexpected ways. We will fix the libgrip bug, then see what obtains.

Chase Douglas (chasedouglas) wrote :

A new version of libgrip has been built in the daily ppa. I believe this version should fix the latest backtrace from comment #20. It is a more complete fix for the original issue. Please test again. Note that the daily build libgrip package should now have debug symbols in it.

Thanks!

Ok, it seemed a bit harder to trigger a crash this time. I did not see the crash in geis_dispatch_event. However the other crash in visible_range_changed_cb() is still there. There's also a crash which I haven't seen before in gdk_window_has_impl().

To reproduce the gdk_window_has_impl crash I do "gdb eog" in one window, and "for x in {1..10}; do eog *; sleep 1; done" in another. While the windows are opening click next/previous in the opened windows.

The gdk_window_has_impl crash looks like bug #843313

Ok, I have played with this a bit more and still do not see a repeat of the geis_dispatch_events() crash. I suspect it may be fixed with the latest PPA updates.

Stephen M. Webb (bregma) wrote :

OK I'm going to go ahead and say that the visible_range_changed_cb() is an unrelated issue in eog, that the gdk_window_has_impl() issue is already reported in #843313 and should not be dealt with here, and that the original problem reported in this bug has been resolved by the latest change to libgrip.

Changed in libgrip (Ubuntu):
status: In Progress → Fix Committed
Changed in unity-foundations:
status: Triaged → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libgrip - 0.3.2-0ubuntu2

---------------
libgrip (0.3.2-0ubuntu2) oneiric; urgency=low

  * Properly handle GTK+ IO channel shutdown (LP: #830640)
 -- Chase Douglas <email address hidden> Fri, 23 Sep 2011 10:34:36 -0700
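
The failure mode behind this report (an IO-channel watch in libgrip firing after the geis instance it passes to geis_event_dispatch() has been torn down), modelled as an added C example that is not libgrip's or geis's code: a plain-C stand-in for a GLib IO watch so it builds without GLib, with the buggy shutdown order beside the one the changelog entry describes. All names (GeisStub, GripManager, io_callback, shutdown_scenario) are hypothetical.

```c
/* Added example, not libgrip/geis code: a plain-C stand-in for a GLib IO-channel watch
 * (all names hypothetical) showing why the watch must go before the geis instance it uses. */
#include <stdlib.h>
#include <string.h>
typedef void (*WatchFn)(void *user_data);
typedef struct { int id; WatchFn fn; void *user_data; } Watch;
static Watch watches[8];
static int nwatches, next_id = 1;
static int add_watch(WatchFn fn, void *ud) {
    watches[nwatches++] = (Watch){ next_id, fn, ud };
    return next_id++;
}
static void remove_watch(int id) {
    for (int i = 0; i < nwatches; i++) {
        if (watches[i].id != id) continue;
        memmove(&watches[i], &watches[i + 1], (size_t)(--nwatches - i) * sizeof *watches);
        return;
    }
}
/* One main-loop iteration: run every registered watch; returns how many ran. */
static int dispatch_all(void) {
    for (int i = 0; i < nwatches; i++) watches[i].fn(watches[i].user_data);
    return nwatches;
}
typedef struct { int events_dispatched; } GeisStub;           /* the geis instance   */
typedef struct { GeisStub *geis; int watch_id; } GripManager;  /* the gesture manager */
/* Same shape as io_callback in the backtrace: dereferences the instance unconditionally. */
static void io_callback(void *data) { ((GripManager *)data)->geis->events_dispatched++; }
static GripManager *grip_manager_new(void) {
    GripManager *m = calloc(1, sizeof *m);
    m->geis = calloc(1, sizeof *m->geis);
    m->watch_id = add_watch(io_callback, m);
    return m;
}
/* Buggy shutdown: the instance is released but its watch stays registered, so the next
 * loop iteration enters io_callback with geis == NULL (the instance=0x0 in the backtrace). */
static void grip_manager_dispose_buggy(GripManager *m) { free(m->geis); m->geis = NULL; }
/* Fixed shutdown: remove the watch first, then release the instance. */
static void grip_manager_dispose_fixed(GripManager *m) {
    remove_watch(m->watch_id); m->watch_id = 0;
    free(m->geis); m->geis = NULL;
}
/* One dispatch, then shutdown; returns how many watches still point at the dead manager. */
static int shutdown_scenario(int use_fix) {
    GripManager *m = grip_manager_new(); dispatch_all();
    if (use_fix) grip_manager_dispose_fixed(m); else grip_manager_dispose_buggy(m);
    int n = 0; for (int i = 0; i < nwatches; i++) if (watches[i].user_data == m) n++;
    remove_watch(m->watch_id); free(m);   /* clean up instead of letting the loop hit NULL */
    return n;
}
```

With the buggy order one watch survives the manager and the next loop iteration would dereference NULL, exactly the instance=0x0 frame above; with the fixed order nothing is left registered.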

Changed in libgrip (Ubuntu):
status: Fix Committed → Fix Released
Changed in unity-foundations:
status: Fix Committed → Fix Released

visible_range_changed_cb() crash filed as bug #858197

Stephen M. Webb (bregma) on 2011-10-20
Changed in libgrip:
status: Fix Committed → Fix Released