compiz crashed with SIGSEGV in PlaceEntryRemote::GetResult()

Bug #742085 reported by Thad-daddyslick on 2011-03-24
This bug affects 1 person
Affects             Status      Importance  Assigned to
Unity               Won't Fix   Critical    Mikkel Kamstrup Erlandsen
Unity Foundations   Invalid     Critical    Mikkel Kamstrup Erlandsen
dee                 Invalid     Critical    Mikkel Kamstrup Erlandsen
unity-2d            Invalid     Critical    Unassigned
dee (Ubuntu)        Expired     Critical    Unassigned
unity (Ubuntu)      Won't Fix   Critical    Unassigned

Bug Description

compiz crashed; keyboard not working

ProblemType: Crash
DistroRelease: Ubuntu 11.04
Package: libnux-0.9-0 0.9.36-0ubuntu1
ProcVersionSignature: Ubuntu 2.6.38-7.38-generic 2.6.38
Uname: Linux 2.6.38-7-generic x86_64
Architecture: amd64
CrashCounter: 1
Date: Thu Mar 24 14:25:11 2011
ExecutablePath: /usr/bin/compiz
ProcCmdline: compiz --replace
ProcEnviron:
 LANGUAGE=
 PATH=(custom, user)
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SegvAnalysis:
 Segfault happened at: 0x7f1c58b8293e: mov 0x8(%rax),%edx
 PC (0x7f1c58b8293e) ok
 source "0x8(%rax)" (0x10000000c) not located in a known VMA region (needed readable region)!
 destination "%edx" ok
SegvReason: reading unknown VMA
Signal: 11
SourcePackage: nux
StacktraceTop:
 ?? () from /usr/lib/libdee-1.0.so.1
 ?? () from /usr/lib/libdee-1.0.so.1
 PlaceEntryRemote::GetResult(void const*, sigc::slot<void, PlaceEntry*, PlaceEntryGroup&, PlaceEntryResult&, sigc::nil, sigc::nil, sigc::nil, sigc::nil>) () from /usr/lib/compiz/libunityshell.so
 PlacesGroupController::CheckTiles() () from /usr/lib/compiz/libunityshell.so
 PlacesStyle::SetDefaultNColumns(int) () from /usr/lib/compiz/libunityshell.so
Title: compiz crashed with SIGSEGV in PlaceEntryRemote::GetResult()
UpgradeStatus: Upgraded to natty on 2011-03-20 (3 days ago)
UserGroups: adm admin audio cdrom dialout dip floppy lpadmin netdev plugdev powerdev sambashare scanner video
XsessionErrors:
 (gnome-power-manager:7551): Gtk-WARNING **: Failed to load type module: (null)
 (gnome-power-manager:7551): Gtk-WARNING **: Failed to load type module: (null)
 (nm-applet:7607): GdkPixbuf-CRITICAL **: gdk_pixbuf_composite: assertion `dest_y >= 0 && dest_y + dest_height <= dest->height' failed

StacktraceTop:
 dee_sequence_model_get_value (self=0x7f1c4c16f320, iter=0x7f1c4c42eb30, column=2) at dee-sequence-model.c:497
 dee_serializable_model_get_uint32 (self=0x7f1c4c16f320, iter=0x7f1c4c42eb30, column=2) at dee-serializable-model.c:602
 PlaceEntryRemote::GetResult (this=0x7f1c4c113390, id=0x7f1c4c42eb30, slot=...) at /build/buildd/unity-3.6.8/src/PlaceEntryRemote.cpp:611
 PlacesGroupController::CheckTiles (this=0x37eb040) at /build/buildd/unity-3.6.8/src/PlacesGroupController.cpp:219
 emit (this=<value optimized out>, n_cols=<value optimized out>) at /usr/include/sigc++-2.0/sigc++/signal.h:776

Changed in nux (Ubuntu):
importance: Undecided → Medium
tags: removed: need-amd64-retrace

Compiz crashed while I was viewing the Applications menu. I believe I had just clicked the "maximize" button (lower right-hand corner).

After Compiz crash my keyboard no longer worked, hence the terse description.

visibility: private → public
affects: nux (Ubuntu) → dee (Ubuntu)

If anyone can reproduce this, it would be very helpful if you could attach your ~/.xsession-errors file.

It appears the crash happens when dereferencing the row->len member of a GPtrArray. The code in this particular place is extremely defensive in Dee (as you can see for yourself in dee_sequence_model_get_value()) and we've just asserted that row != NULL.

This probably means that the row has been removed from the DeeSequenceModel and is being read anyway. Still requires more investigation...

Any way to reproduce this will also be most welcome.
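The retraced stack above shows that the `id` passed to PlaceEntryRemote::GetResult (0x7f1c4c42eb30) is the same value as the `iter` handed to dee_sequence_model_get_value, i.e. the Unity plugin keeps the model's row iterator itself as its result id. If the row is removed from the model in the meantime, that cached iterator dangles, and a later read of row->len faults exactly as in the SegvAnalysis (`mov 0x8(%rax),%edx` with %rax holding 0x100000004, which is not a plausible heap address). The following plain-C program is an added illustration, not code from Dee or Unity: it stands in for a DeeSequenceModel with a GPtrArray-like row, reproduces the cache-then-remove sequence, and shows the membership check that a `row != NULL` assertion alone cannot give. The Row/Model types, the field layout and the function names are all assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for one model row: a GPtrArray-like buffer of column values
 * plus a len field. Reading row->len is what faulted in the bug. */
typedef struct {
    unsigned int len;
    uint32_t *cols;
} Row;

/* Stand-in for the model: an array of owned Row pointers. The "iter"
 * handed to callers is simply the Row pointer, matching id == iter in the trace. */
typedef struct {
    Row **rows;
    unsigned int n_rows;
} Model;

static Model *model_new(void)
{
    return calloc(1, sizeof(Model));
}

static Row *model_append(Model *m, const uint32_t *vals, unsigned int n)
{
    Row *row = malloc(sizeof *row);
    row->len = n;
    row->cols = malloc(n * sizeof *row->cols);
    memcpy(row->cols, vals, n * sizeof *row->cols);
    m->rows = realloc(m->rows, (m->n_rows + 1) * sizeof *m->rows);
    m->rows[m->n_rows++] = row;
    return row;
}

/* Removing a row frees it. Any caller that cached the Row pointer as a
 * result id now holds a dangling iterator; dereferencing it reads freed memory. */
static int model_remove(Model *m, Row *row)
{
    for (unsigned int i = 0; i < m->n_rows; i++) {
        if (m->rows[i] == row) {
            memmove(&m->rows[i], &m->rows[i + 1],
                    (m->n_rows - i - 1) * sizeof *m->rows);
            m->n_rows--;
            free(row->cols);
            free(row);
            return 0;
        }
    }
    return -1;
}

/* Membership check: does this iterator still name a live row of this model?
 * This is the check a non-NULL assertion cannot provide. Linear in n_rows. */
static int model_has_row(const Model *m, const Row *row)
{
    for (unsigned int i = 0; i < m->n_rows; i++)
        if (m->rows[i] == row)
            return 1;
    return 0;
}

/* Guarded column read. Returns 0 and stores the value on success, -1 for a
 * NULL, stale or foreign iterator, or an out-of-range column. */
static int model_get_uint32(const Model *m, const Row *row,
                            unsigned int col, uint32_t *out)
{
    if (row == NULL || !model_has_row(m, row))
        return -1;          /* refuse rather than touch row->len through a dangling pointer */
    if (col >= row->len)
        return -1;
    *out = row->cols[col];
    return 0;
}

static void model_free(Model *m)
{
    for (unsigned int i = 0; i < m->n_rows; i++) {
        free(m->rows[i]->cols);
        free(m->rows[i]);
    }
    free(m->rows);
    free(m);
}

/* The suspected sequence: cache an iterator as a result id, let the model
 * drop that row, then read column 2 through the cached pointer. Returns -1. */
static int demo_stale_read(void)
{
    Model *m = model_new();
    const uint32_t a[] = {10, 11, 12}, b[] = {20, 21, 22};   /* constructed sample rows */
    Row *cached = model_append(m, a, 3);
    model_append(m, b, 3);
    model_remove(m, cached);                /* row removed behind the caller's back */
    uint32_t v = 0;
    int rc = model_get_uint32(m, cached, 2, &v);
    model_free(m);
    return rc;
}

/* Control case: the same read through an iterator that is still live. Returns 22. */
static int demo_live_read(void)
{
    Model *m = model_new();
    const uint32_t b[] = {20, 21, 22};
    Row *live = model_append(m, b, 3);
    uint32_t v = 0;
    int rc = model_get_uint32(m, live, 2, &v);
    model_free(m);
    return rc == 0 ? (int)v : -1;
}

int main(void)
{
    printf("stale iterator read: rc=%d\n", demo_stale_read());
    printf("live iterator read:  value=%d\n", demo_live_read());
    return 0;
}
```

The membership scan is O(n) and would be too slow for a hot path in the real model; the point is that a consumer which caches iterators across model changes needs either such a validity check or a removed-row signal that drops the cached id, because the `row != NULL` assertion in the getter is satisfied by a dangling pointer just as well as by a live one.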

743428 appears related (and has .xsession-errors attached); it's another case where my keyboard quit working after a crash when I was viewing Applications.

David Barth (dbarth) on 2011-03-28
affects: unity → unity-foundations
Changed in unity-foundations:
milestone: none → unity-3.8.0-beta
assignee: nobody → Mikkel Kamstrup Erlandsen (kamstrup)
importance: Undecided → High
status: New → Triaged

@Thad-daddyslick: I can see you filed a range of bugs (and many thanks for that! :-)) where the stacktrace ends somewhere down in libdee. If there are serious issues in libdee, basically nothing relating to Unity Places ought to work (for everyone, not just you) and we should be swamped in duplicates of your bugs. So I'm kinda puzzled that we don't see those tonnes of dupes.

This got me thinking: maybe there is something special about your system that triggers this? Ideas could be:

 a) Custom compiled libunity, libdee, unity, or compiz and there is an ABI mismatch somewhere giving you memory corruption
 b) Your graphics (or other) driver is buggy and gives some memory corruption that for some reason is likely to manifest itself inside Dee

Alternatively
 i) there is some very elusive race condition in dee that is just much more likely to happen on your particular hardware
 ii) The Unity plugin for Compiz is accessing deleted rows from the DeeModels or messing up with the ref count on the GVariants from the models

If you have time to help get to the bottom of this, you can rule out a) and b) (unless of course you know 100% that they are not the case) by:

 + Rule out a) : Run a clean install with all latest packages
 + Rule out b) : Run Unity2D (see https://wiki.ubuntu.com/Unity2D for instructions)

Omer Akram (om26er) on 2011-03-29
Changed in dee (Ubuntu):
status: New → Confirmed
Changed in unity:
status: New → Confirmed
Changed in dee:
status: New → Confirmed

I've been running upgrades daily, so I'm not really plagued with outdated packages.

My hardware configuration is probably atypical -- it's a 2007 Mac Pro with a Radeon HD 2600XT (running the open-source drivers since fglrx doesn't support the latest X yet).

I've also got a mishmash of DE's installed; this is a Kubuntu install, and I've also got GNOME 3 installed from the gnome3-team ppa. I HAVE found that Unity runs much better when I login from gdm than kdm; as of this morning logging in from kdm gives me a blank desktop and the UI never comes up, but running from gdm works fine.

No crashes as yet today (though Firefox hung trying to save a file and wouldn't respond to a kill command). If I get any, I'll file a report and then give unity-2d a shot; thanks.

Mikkel,

Take a look at 745964; it appears to be the same behavior in Unity-2d.

@Thad: I think bug #745964 looks unrelated, but thanks for the heads up

Changed in unity:
assignee: nobody → Mikkel Kamstrup Erlandsen (kamstrup)
Changed in dee:
assignee: nobody → Mikkel Kamstrup Erlandsen (kamstrup)
David Barth (dbarth) on 2011-04-04
Changed in unity-foundations:
milestone: unity-3.8.2 → unity-3.8.4

I am gonna have to mark this as Incomplete until we either a) see dupes, or b) have a reliable way to reproduce it. Without that there's not really any way to attack this. I've fine combed the code and turned up with bupkis so far.

Changed in dee:
status: Confirmed → Incomplete
Changed in unity-foundations:
status: Triaged → Incomplete
Changed in unity:
status: Confirmed → Incomplete
Changed in dee (Ubuntu):
status: Confirmed → Incomplete
Omer Akram (om26er) on 2011-04-19
Changed in unity (Ubuntu):
status: New → Incomplete
Didier Roche (didrocks) on 2011-05-31
Changed in dee:
importance: Undecided → Critical
Changed in unity:
importance: Undecided → Critical
Changed in unity-foundations:
importance: High → Critical
Changed in dee (Ubuntu):
importance: Medium → Critical
Changed in unity (Ubuntu):
importance: Undecided → Critical
Didier Roche (didrocks) on 2011-06-01
Changed in unity-2d:
importance: Undecided → Critical
Changed in unity-2d:
status: New → Invalid
Jason Smith (jassmith) on 2011-09-13
Changed in unity (Ubuntu):
status: Incomplete → Won't Fix
Changed in unity:
status: Incomplete → Won't Fix
Launchpad Janitor (janitor) wrote:

[Expired for dee (Ubuntu) because there has been no activity for 60 days.]

Changed in dee (Ubuntu):
status: Incomplete → Expired
Michal Hruby (mhr3) on 2012-07-27
Changed in dee:
status: Incomplete → Invalid
Changed in unity-foundations:
status: Incomplete → Invalid