ubiquity crashed with SIGSEGV in GtkNode::MatchStringProperty()

Bug #1254996 reported by Jean-Baptiste Lallement on 2013-11-26
This bug affects 2 people
Affects: autopilot-gtk (Ubuntu)
Assigned to: Martin Pitt

Bug Description

Crashed during autopilot test with latest image [1]

1. Download Trusty Ubuntu Desktop iso
2. bzr branch lp:ubiquity ubiquity.trunk
3. cd ubiquity.trunk/autopilot/ubiquity-autopilot-runner
4. ./run-ubiquity-test --sdl ~/iso/ubuntu/trusty-desktop-amd64.iso
5. Wait until it crashes

[1] https://jenkins.qa.ubuntu.com/job/ubiquity_ap-ubuntu_devel_daily-test_english_default/ARCH=i386,label=rabisu/

ProblemType: Crash
DistroRelease: Ubuntu 14.04
Package: ubiquity 2.17.0
ProcVersionSignature: Ubuntu 3.12.0-4.10-generic 3.12.1
Uname: Linux 3.12.0-4-generic x86_64
ApportVersion: 2.12.7-0ubuntu1
Architecture: amd64
CasperVersion: 1.336ubuntu1
Date: Tue Nov 26 08:43:53 2013
ExecutablePath: /usr/lib/ubiquity/bin/ubiquity
ExecutableTimestamp: 1383058884
InstallCmdLine: boot=casper DEBCONF_DEBUG=developer -- debconf/priority=critical locale=en_US console-setup/ask_detect=false console-setup/layoutcode=us noprompt console=ttyS0,115200
InterpreterPath: /usr/bin/python3.3
LiveMediaBuild: Ubuntu 14.04 LTS "Trusty Tahr" - Alpha amd64 (20131125)
ProcCmdline: /usr/bin/python3 /usr/lib/ubiquity/bin/ubiquity --autopilot
ProcCwd: /home/ubuntu/ubiquity-autopilot/autopilot
 PATH=(custom, no user)
 Segfault happened at: 0x7f2337181d10 <_ZNK7GtkNode19MatchStringPropertyERKSsS1_+208>: mov (%rbx),%r12
 PC (0x7f2337181d10) ok
 source "(%rbx)" (0x00000000) not located in a known VMA region (needed readable region)!
 destination "%r12" ok
SegvReason: reading NULL VMA
Signal: 11
SourcePackage: ubiquity
 GtkNode::MatchStringProperty(std::string const&, std::string const&) const () from /usr/lib/x86_64-linux-gnu/gtk-3.0/modules/libautopilot.so
 xpathselect::XPathQueryPart::Matches(std::shared_ptr<xpathselect::Node const> const&) const () from /usr/lib/x86_64-linux-gnu/libxpathselect.so.1.4
 SelectNodes () from /usr/lib/x86_64-linux-gnu/libxpathselect.so.1.4
 GetNodesThatMatchQuery(std::string const&) () from /usr/lib/x86_64-linux-gnu/gtk-3.0/modules/libautopilot.so
 Introspect(std::string const&) () from /usr/lib/x86_64-linux-gnu/gtk-3.0/modules/libautopilot.so
Title: ubiquity crashed with SIGSEGV in GtkNode::MatchStringProperty()
UpgradeStatus: No upgrade log present (probably fresh install)
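
An added example, not part of the report or of apport itself: a parser for the segfault-analysis lines quoted in the description above, which classifies the fault by the operand that failed and by how close the address is to NULL. The function names, the 64 KiB near-NULL threshold and the second sample are assumptions made for illustration.

```python
import re
NULL_PAGE_LIMIT = 0x10000  # assumption: treat faults below 64 KiB as near-NULL

# Copied from the segfault-analysis lines in the report above.
REPORT_SAMPLE = """
 Segfault happened at: 0x7f2337181d10 <_ZNK7GtkNode19MatchStringPropertyERKSsS1_+208>: mov (%rbx),%r12
 PC (0x7f2337181d10) ok
 source "(%rbx)" (0x00000000) not located in a known VMA region (needed readable region)!
 destination "%r12" ok
"""
# Constructed sample (not from the report): a write to a non-NULL unmapped address.
CONSTRUCTED_SAMPLE = """
 Segfault happened at: 0x400a10 <copy_field+32>: mov %rax,(%rdx)
 source "%rax" ok
 destination "(%rdx)" (0x7ffd12340000) not located in a known VMA region (needed writable region)!
"""

SEGFAULT_RE = re.compile(r"Segfault happened at: (0x[0-9a-f]+) <([^>]+)>:\s+(.*)")
OPERAND_RE = re.compile(r'(source|destination) "([^"]+)" (?:\((0x[0-9a-f]+)\) )?(.*)')


def parse_segv_analysis(text):
    """Extract PC, symbol, instruction and per-operand status from the analysis lines."""
    info = {"operands": {}}
    for line in text.splitlines():
        line = line.strip()
        m = SEGFAULT_RE.match(line)
        if m:
            info["pc"] = int(m.group(1), 16)
            info["symbol"], info["insn"] = m.group(2), m.group(3)
        m = OPERAND_RE.match(line)
        if m:
            role, expr, addr, status = m.groups()
            info["operands"][role] = {"expr": expr, "ok": status.strip() == "ok",
                                      "addr": int(addr, 16) if addr else None}
    return info


def triage(info):
    """Report which access faulted (read or write) and whether it was near NULL."""
    for role, access in (("source", "read"), ("destination", "write")):
        op = info["operands"].get(role)
        if op and not op["ok"]:
            near_null = op["addr"] is not None and op["addr"] < NULL_PAGE_LIMIT
            return {"access": access, "addr": op["addr"], "near_null": near_null}
    return {"access": "unknown", "addr": None, "near_null": False}

if __name__ == "__main__":
    for sample in (REPORT_SAMPLE, CONSTRUCTED_SAMPLE):
        print(triage(parse_segv_analysis(sample)))
```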

Jean-Baptiste Lallement (jibel) wrote :
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in ubiquity (Ubuntu):
status: New → Confirmed
Jean-Baptiste Lallement (jibel) wrote :

Setting to critical because it blocks automated installer testing.

affects: ubiquity (Ubuntu) → autopilot (Ubuntu)
Changed in autopilot (Ubuntu):
status: Confirmed → New
importance: Undecided → Critical
status: New → Confirmed
description: updated

 GtkNode::MatchStringProperty (this=0x37e9218, name=..., value=...) at /build/buildd/autopilot-gtk-1.4+14.04.20131106.1/lib/GtkNode.cpp:304
 xpathselect::XPathQueryPart::Matches (this=this@entry=0x3801120, node=...) at /build/buildd/xpathselect-1.4+14.04.20131106.1/lib/xpathquerypart.h:68
 SearchTreeForNode (next_match=..., start_points=...) at /build/buildd/xpathselect-1.4+14.04.20131106.1/lib/xpathselect.cpp:68
 xpathselect::SelectNodes (root=..., query=...) at /build/buildd/xpathselect-1.4+14.04.20131106.1/lib/xpathselect.cpp:112
 GetNodesThatMatchQuery (query_string=...) at /build/buildd/autopilot-gtk-1.4+14.04.20131106.1/lib/Introspection.cpp:114

tags: removed: need-duplicate-check
tags: removed: need-amd64-retrace
Martin Pitt (pitti) on 2013-11-26
affects: autopilot (Ubuntu) → autopilot-gtk (Ubuntu)
Martin Pitt (pitti) wrote :

For the record, I cannot reproduce this with today's (20131126) trusty image, but I do get it with 20131125. The stack trace unfortunately does not show the actual property name and value, but the interesting bit is that it happens at the closing } of GtkNode::MatchStringProperty(). That means it crashes when destructing an object, and this function only has one C++ object: the std::string dest_value (everything else is C).

I can't say I understand the reason. string's = assignment does copy the C string, so unreffing the variant after it is valid. The string should then get auto-freed at the end of the function.

When I replace the temporary std::string with a simple g_strcmp0(), the crash seems to go away. Jean-Baptiste, Dan Chapman, and I ran the ubiquity tests several times in exactly the same environment but with this libautopilot-gtk patch, and they all succeeded.

It's nagging me that I don't understand the real cause, but this is both a simplification and also avoids unnecessarily copying the string, so let's get this in.

Martin Pitt (pitti) on 2013-11-26
Changed in autopilot-gtk (Ubuntu):
assignee: nobody → Martin Pitt (pitti)
status: Confirmed → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package autopilot-gtk - 1.4+14.04.20131128.1-0ubuntu1

autopilot-gtk (1.4+14.04.20131128.1-0ubuntu1) trusty; urgency=low

  [ Martin Pitt ]
  * Drop generated GDBus sources from bzr and generate them during
  * Avoid unnecessary string duplication when matching properties. This
    also fixes a rare crash when cleaning up the temporary string
    object. (LP: #1254996)

  [ Mathieu Trudel-Lapierre ]
  * Fix source format: make it 1.0.

  [ Timo Jyrinki ]
  * Wrap-and-sort dependencies, remove trailing whitespace.

  [ Ubuntu daily release ]
  * Automatic snapshot from revision 62
 -- Ubuntu daily release <email address hidden> Thu, 28 Nov 2013 10:03:59 +0000

Changed in autopilot-gtk (Ubuntu):
status: In Progress → Fix Released