SIGSEGV in dbus_address_entry_get_value()

Bug #395216 reported by Amit on 2009-07-03
This bug affects 17 people
Affects Status Importance Assigned to Milestone
Won't Fix
Fix Released
dbus (Ubuntu)
gvfs (Ubuntu)
Ubuntu Desktop Bugs

Bug Description

Binary package hint: evolution-data-server

using ubuntu 9.10

ProblemType: Crash
Architecture: i386
Date: Fri Jul 3 19:15:52 2009
DistroRelease: Ubuntu 9.10
ExecutablePath: /usr/lib/evolution/evolution-data-server-2.28
NonfreeKernelModules: nvidia
Package: evolution-data-server 2.27.3-0ubuntu2
ProcCmdline: /usr/lib/evolution/evolution-data-server-2.28 --oaf-activate-iid=OAFIID:GNOME_Evolution_DataServer_CalFactory:1.2 --oaf-ior-fd=28
ProcVersionSignature: Ubuntu 2.6.31-1.14-generic
 Segfault happened at: 0xb1da6d <dbus_address_entry_get_value+109>: mov 0x8(%esi),%eax
 PC (0x00b1da6d) ok
 source "0x8(%esi)" (0x00000021) not located in a known VMA region (needed readable region)!
 destination "%eax" ok
SegvReason: reading NULL VMA
Signal: 11
SourcePackage: evolution-data-server
 dbus_address_entry_get_value () from /lib/
 ?? () from /lib/
 ?? () from /lib/
 ?? () from /lib/
 ?? () from /usr/lib/gio/modules/
Title: evolution-data-server-2.28 crashed with SIGSEGV in dbus_address_entry_get_value()
Uname: Linux 2.6.31-1-generic i686
UserGroups: adm admin cdrom dialout lpadmin plugdev sambashare

Related branches

Amit (amitprobable) wrote :

StacktraceTop:dbus_address_entry_get_value (entry=0x90997e0,
_dbus_transport_open (entry=0x90997e0, error=0xb7cfe838)
_dbus_connection_open_internal (
internal_bus_get (type=DBUS_BUS_SESSION,
g_daemon_vfs_init (vfs=0x9086f50) at gdaemonvfs.c:300

Changed in evolution-data-server (Ubuntu):
importance: Undecided → Medium
tags: removed: need-i386-retrace
affects: evolution-data-server (Ubuntu) → dbus (Ubuntu)
Download full text (8.3 KiB)

Filed in Launchpad:

#0 0x00b1da6d in dbus_address_entry_get_value (entry=0x90997e0,
    key=0xb48e72 "guid") at dbus-address.c:256
 values = (DBusList *) 0x64697567
 keys = (DBusList *) 0x19
#1 0x00b3bb30 in _dbus_transport_open (entry=0x90997e0, error=0xb7cfe838)
    at dbus-transport.c:362
 transport = (DBusTransport *) 0x0
 expected_guid_orig = <value optimized out>
 expected_guid = <value optimized out>
 tmp_error = {name = 0x0, message = 0x0, dummy1 = 1, dummy2 = 0,
  dummy3 = 0, dummy4 = 0, dummy5 = 0, padding1 = 0x0}
#2 0x00b267be in _dbus_connection_open_internal (
    address=<value optimized out>, shared=<value optimized out>, error=0x0)
    at dbus-connection.c:1726
 connection = (DBusConnection *) 0x0
 entries = (DBusAddressEntry **) 0x909aa30
 tmp_error = {name = 0x0, message = 0x0, dummy1 = 1, dummy2 = 0,
  dummy3 = 0, dummy4 = 0, dummy5 = 0, padding1 = 0x0}
 first_error = {name = 0x0, message = 0x0, dummy1 = 1, dummy2 = 0,
  dummy3 = 0, dummy4 = 0, dummy5 = 0, padding1 = 0x0}
 len = 1
 i = 0
#3 0x00b21d4c in internal_bus_get (type=DBUS_BUS_SESSION,
    private=<value optimized out>, error=0x0) at dbus-bus.c:430
 address = 0xb48e72 "guid"
 connection = (DBusConnection *) 0x1
 bd = <value optimized out>
 __FUNCTION__ = "internal_bus_get"
#4 0x08ae61a8 in g_daemon_vfs_init (vfs=0x9086f50) at gdaemonvfs.c:300
 mappers = (GType *) 0xb7cfe998
 n_mappers = <value optimized out>
 schemes = <value optimized out>
 mount_types = <value optimized out>
 mapper = <value optimized out>
 modules = (GList *) 0xd06ff4
 i = 2588565
 __PRETTY_FUNCTION__ = "g_daemon_vfs_init"
#5 0x007b636f in IA__g_type_create_instance (type=151616368)
    at /build/buildd/glib2.0-2.21.2/gobject/gtype.c:1674
 node = (TypeNode *) 0x9097b70
 instance = (GTypeInstance *) 0x9086f50
 class = (GTypeClass *) 0x90996b8
 i = 0
 total_size = <value optimized out>
#6 0x00799d08 in g_object_constructor (type=151616368,
    n_construct_properties=0, construct_params=0x0)
    at /build/buildd/glib2.0-2.21.2/gobject/gobject.c:1338
 object = (GObject *) 0x0
#7 0x0079a88c in IA__g_object_newv (object_type=151616368, n_parameters=0,
    parameters=0x0) at /build/buildd/glib2.0-2.21.2/gobject/gobject.c:1215
 nqueue = (GObjectNotifyQueue *) 0x1
 object = <value optimized out>
 class = (GObjectClass *) 0x90996b8
 unref_class = (GObjectClass *) 0x90996b8
 slist = <value optimized out>
 n_total_cparams = <value optimized out>
 n_cparams = 0
 n_oparams = 0
 n_cvalues = <value optimized out>
 clist = (GList *) 0x0
 newly_constructed = -1211110392
 i = <value optimized out>
 __PRETTY_FUNCTION__ = "IA__g_object_newv"
#8 0x0079b4c2 in IA__g_object_new_valist (object_type=151616368,
    first_property_name=0x0, var_args=0xb7cfed48 "6M")
    at /build/buildd/glib2.0-2.21.2/gobject/gobject.c:1278
 params = (GParameter *) 0x10
 name = <value optimized out>
 object = <value optimized out>
 n_params = <value optimized out>
 n_alloced_params = 151609832
 __PRETTY_FUNCTION__ = "IA__g_object_new_valist"
#9 0x0079b63e in IA__g_object_new (object_type=151616368,
    at /build/buildd/glib2.0-2.21.2/gobject/gobject.c:1060
 __PRETTY_FUNCTION__ = "IA__g_objec...


Ok, multiple levels of fun in this bug. The first thing to notice is that we're running in a non-main thread (created for processing ORBit requests it looks like?). Inside there we drop into some Evolution code, and then we happen to be the first caller of IA__g_vfs_get_default.'s an interesting thing to note:

static void
g_daemon_vfs_init (GDaemonVfs *vfs)
  vfs->async_bus = dbus_bus_get_private (DBUS_BUS_SESSION, NULL);
  if (g_thread_supported ())
    dbus_threads_init_default ();

Seems wrong, because that means if dbus_threads_init_default hasn't been called before now, the call to dbus_bus_get_private won't be locked. So this is a possible race condition between a worker thread and a main thread, but may or may not be the cause of the crash. I suspect it's not, but we should fix gvfs anyways.

Now hmmm...assuming gdb hasn't lost its marbles due to gcc optimization,

keys = (DBusList *) 0x19

just looks wrong. However in a quick review of this code I'm not seeing anything obviously wrong, though dbus_parse_address isn't the simplest function in the world.

Anyways I'll submit a patch for gvfs.

summary: - evolution-data-server-2.28 crashed with SIGSEGV in
- dbus_address_entry_get_value()
+ SIGSEGV in dbus_address_entry_get_value()
Changed in dbus (Ubuntu):
status: New → Triaged
visibility: private → public
Changed in dbus:
status: Unknown → Confirmed
Changed in dbus:
status: Confirmed → In Progress

At least part of this bug is being caused by a bug in GVfs:

Changed in gvfs:
status: Unknown → Fix Released
Changed in gvfs (Ubuntu):
importance: Undecided → Low
status: New → Fix Committed
assignee: nobody → Ubuntu Desktop Bugs (desktop-bugs)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gvfs - 1.3.4-0ubuntu1

gvfs (1.3.4-0ubuntu1) karmic; urgency=low

  * New upstream version:
    - ftp: Make large FTP transfers work
    - gphoto: use udev instead of hal
    - Fix build on FreeBSD
    - Bugs fixed: 588187, 589915, 573994, 590793, 576229, 589434
      (lp: #403223, #404490, #291259, #364084, #395216)
  * debian/patches/02-port-gphoto2-backend-and-monitor-to-gudev.patch:
    - the change is in the new version
  * debian/patches/90_relibtoolize.patch:
    - new version update

 -- Sebastien Bacher <email address hidden> Mon, 10 Aug 2009 22:24:25 +0200

Changed in gvfs (Ubuntu):
status: Fix Committed → Fix Released
Changed in dbus:
importance: Unknown → Medium
Changed in gvfs:
importance: Unknown → Medium
Changed in dbus:
importance: Medium → Unknown
Changed in dbus:
importance: Unknown → Medium

I'm going to assume this was fallout from "libdbus isn't actually thread-safe".

Changed in dbus:
status: In Progress → Won't Fix
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Duplicates of this bug

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.