bluetooth-applet crashed with SIGSEGV in g_variant_builder_add_value()

Bug #720895 reported by Matt Zimmerman on 2011-02-17
This bug affects 3 people
Affects               Status         Importance   Assigned to     Milestone
DBus Menu             Fix Released   Undecided    Unassigned
libdbusmenu (Ubuntu)                 High         Chris Coulson
Natty                                High         Chris Coulson

Bug Description

Binary package hint: gnome-bluetooth

This looks similar to bug 716295, bug 716794 and bug 714518, but none of those generated useful stack traces. Maybe this one will be different?

This happened last night, either when I was turning on the radio kill switch or turning it off. It's hard to tell due to the timing.

ProblemType: Crash
DistroRelease: Ubuntu 11.04
Package: gnome-bluetooth 2.91.2.is.2.32.0-0ubuntu1
ProcVersionSignature: Ubuntu 2.6.38-3.30-generic 2.6.38-rc4
Uname: Linux 2.6.38-3-generic x86_64
Architecture: amd64
CrashCounter: 1
Date: Wed Feb 16 22:08:47 2011
ExecutablePath: /usr/bin/bluetooth-applet
ProcCmdline: bluetooth-applet
SegvAnalysis:
 Segfault happened at: 0x7f6b2028e962: testb $0x4,0x20(%rdi)
 PC (0x7f6b2028e962) ok
 source "$0x4" ok
 destination "0x20(%rdi)" (0x00000020) not located in a known VMA region (needed writable region)!
SegvReason: writing NULL VMA
Signal: 11
SourcePackage: gnome-bluetooth
StacktraceTop:
 ?? () from /lib/libglib-2.0.so.0
 g_variant_builder_add_value () from /lib/libglib-2.0.so.0
 ?? () from /lib/libglib-2.0.so.0
 g_variant_new_va () from /lib/libglib-2.0.so.0
 g_variant_new () from /lib/libglib-2.0.so.0
Title: bluetooth-applet crashed with SIGSEGV in g_variant_builder_add_value()
UserGroups: adm admin audio cdrom dialout fuse kvm libvirtd lpadmin plugdev sambashare video

Matt Zimmerman (mdz) wrote :

StacktraceTop:
 g_variant_is_trusted (value=0x0)
 g_variant_builder_add_value (
 ?? ()
 ?? ()
 ?? ()

Changed in gnome-bluetooth (Ubuntu):
status: New → Invalid

Thank you for your report!

However, processing it in order to get sufficient information for the
developers failed (it does not generate a useful symbolic stack trace). This
might be caused by some outdated packages which were installed on your system
at the time of the report:

shared-mime-info: installed version 0.90-0ubuntu1, latest version: 0.90-1

Please upgrade your system to the latest package versions. If you still
encounter the crash, please file a new report.

Thank you for your understanding, and sorry for the inconvenience!

tags: removed: need-amd64-retrace
Changed in gnome-bluetooth (Ubuntu):
status: Invalid → Triaged
visibility: private → public
affects: gnome-bluetooth (Ubuntu) → libdbusmenu (Ubuntu)
Sebastien Bacher (seb128) wrote :

Ok, running it under valgrind with libdbusmenu 0.3.98-0ubuntu2:

"==19875== at 0x46EB8D9: g_nullify_pointer (gutils.c:3543)
==19875== by 0x46385A0: weak_refs_notify (gobject.c:2231)
==19875== by 0x4695F48: g_datalist_id_set_data_full (gdataset.c:351)
==19875== by 0x4638628: g_object_real_dispose (gobject.c:896)
==19875== by 0x41DAFA0: gtk_object_dispose (gtkobject.c:426)
==19875== by 0x42ECEA3: gtk_widget_dispose (gtkwidget.c:8771)
==19875== by 0x463ABEE: g_object_run_dispose (gobject.c:945)
==19875== by 0x41DBB4D: gtk_object_destroy (gtkobject.c:406)
==19875== by 0x41BF848: gtk_menu_item_destroy (gtkmenuitem.c:566)
==19875== by 0x418FD08: gtk_image_menu_item_destroy (gtkimagemenuitem.c:312)
==19875== by 0x465348B: g_cclosure_marshal_VOID__VOID (gmarshal.c:79)
==19875== by 0x4635CA6: g_type_class_meta_marshal (gclosure.c:878)
==19875== by 0x4637351: g_closure_invoke (gclosure.c:767)
==19875== by 0x4649A48: signal_emit_unlocked_R (gsignal.c:3368)
==19875== by 0x4652B28: g_signal_emit_valist (gsignal.c:2983)
==19875== by 0x4652CC1: g_signal_emit (gsignal.c:3040)
==19875== by 0x41DAF90: gtk_object_dispose (gtkobject.c:421)
==19875== by 0x42ECEA3: gtk_widget_dispose (gtkwidget.c:8771)
==19875== by 0x41C080F: gtk_menu_item_dispose (gtkmenuitem.c:482)
==19875== by 0x463ABEE: g_object_run_dispose (gobject.c:945)
==19875== by 0x41DBB4D: gtk_object_destroy (gtkobject.c:406)
==19875== by 0x42D9706: update_node (gtkuimanager.c:2802)
==19875== by 0x42D969E: update_node (gtkuimanager.c:2785)
==19875== by 0x42D969E: update_node (gtkuimanager.c:2785)
==19875== by 0x42D969E: update_node (gtkuimanager.c:2785)
==19875== by 0x42DD5A7: gtk_ui_manager_ensure_update (gtkuimanager.c:2827)
==19875== by 0x804F009: ??? (in /usr/bin/bluetooth-applet)
==19875== by 0x41B13FE: _gtk_marshal_VOID__BOXED_BOXED (gtkmarshalers.c:1311)
==19875== by 0x4637351: g_closure_invoke (gclosure.c:767)
==19875== by 0x464A047: signal_emit_unlocked_R (gsignal.c:3252)
==19875== by 0x4652B28: g_signal_emit_valist (gsignal.c:2983)
==19875== by 0x4652CC1: g_signal_emit (gsignal.c:3040)
==19875== by 0x42A2457: gtk_tree_model_row_changed (gtktreemodel.c:1508)
==19875== by 0x42B20FD: gtk_tree_store_set_valist (gtktreestore.c:1059)
==19875== by 0x42B213E: gtk_tree_store_set (gtktreestore.c:1088)
==19875== by 0x80539B5: ??? (in /usr/bin/bluetooth-applet)
==19875== by 0x805921E: marshal_VOID__STRING_BOXED (in /usr/bin/bluetooth-applet)
==19875== by 0x4461D43: ??? (in /usr/lib/libdbus-glib-1.so.2.1.0)
==19875== Address 0x6e98934 is 12 bytes inside a block of size 20 free'd
==19875== at 0x40259E0: free (vg_replace_malloc.c:366)
==19875== by 0x46B9DE5: g_free (gmem.c:263)
==19875== by 0x469585C: g_datalist_clear (gdataset.c:215)
==19875== by 0x46390EF: g_object_finalize (gobject.c:902)
==19875== by 0x49E0B92: dbusmenu_menuitem_finalize (menuitem.c:346)
==19875== by 0x463896B: g_object_unref (gobject.c:2734)
==19875== by 0x49E23BF: dbusmenu_menuitem_child_delete (menuitem.c:751)
==19875== by 0x49D8F08: widget_notify_cb (parser.c:795)
==19875== by 0x4653E47: g_cclo...


Changed in libdbusmenu (Ubuntu):
importance: Undecided → High
assignee: nobody → Ted Gould (ted)
milestone: none → natty-alpha-3
Changed in libdbusmenu (Ubuntu):
assignee: Ted Gould (ted) → Chris Coulson (chrisccoulson)
Sebastien Bacher (seb128) wrote :

Seems similar to the valgrind log on bug #719591.

Sebastien Bacher (seb128) wrote :

Oops, the comment was meant for bug #719591, which is a crash similar to the valgrind log.

Chris Coulson (chrisccoulson) wrote :

I've pushed a fix for the memory errors in bug 719591 (and shown in the valgrind log here) now, but I'm doubtful they will fix this crash. It looks like something different :(

Changed in dbusmenu:
status: New → Fix Committed
status: Fix Committed → New
Michael Terry (mterry) wrote :

This looks like someone passed a NULL string to g_variant_builder_add, but the lack of stack is making it hard to determine who.

Chris Coulson (chrisccoulson) wrote :

The original unretraced stack shows that something in libdbusmenu-gtk calls dbusmenu_menuitem_property_set_variant. The only thing in libdbusmenu-gtk calling that is dbusmenu_menuitem_property_set_shortcut, which might be something to go on.

Chris Coulson (chrisccoulson) wrote :

Oh, if someone passes an invalid key to dbusmenu_menuitem_property_set_shortcut, gdk_keyval_name might return NULL, and we don't check for that. Perhaps we should add a check there, as that might cause this crash.

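The unchecked-return pattern described in the comment above, as an added C example that is not part of libdbusmenu or this report: keyval_name() is a constructed stand-in for gdk_keyval_name() (it returns NULL for an unknown keyval, exactly the value that ended up in g_variant_new() here), and the "+"-joined shortcut text is an assumed format for illustration, not libdbusmenu's own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for gdk_keyval_name(): a tiny keyval table.
 * Like the real function it returns NULL for a keyval it does not know. */
static const char *keyval_name(unsigned int keyval)
{
    static const struct { unsigned int val; const char *name; } table[] = {
        { 0x0071, "q" }, { 0x0073, "s" }, { 0xff1b, "Escape" },
    };
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (table[i].val == keyval)
            return table[i].name;
    return NULL;
}

/* Modifier bits (subset, same values as GdkModifierType). */
#define MOD_SHIFT   (1u << 0)
#define MOD_CONTROL (1u << 2)
#define MOD_ALT     (1u << 3)

static void append(char *out, size_t outlen, const char *s)
{
    size_t used = strlen(out);
    if (used < outlen - 1)
        strncat(out, s, outlen - used - 1);
}

/* Hardened shortcut encoder: returns 1 and writes e.g. "Control+Shift+q" to
 * out, or returns 0 without touching out when the keyval has no name, so a
 * NULL string can never reach the variant builder (the check the fix adds). */
int encode_shortcut(unsigned int keyval, unsigned int mods,
                    char *out, size_t outlen)
{
    const char *name = keyval_name(keyval);
    if (name == NULL || outlen == 0)
        return 0;                       /* invalid key: refuse, don't crash */
    out[0] = '\0';
    if (mods & MOD_CONTROL) append(out, outlen, "Control+");
    if (mods & MOD_SHIFT)   append(out, outlen, "Shift+");
    if (mods & MOD_ALT)     append(out, outlen, "Alt+");
    append(out, outlen, name);
    return 1;
}

/* 1 if the encoded shortcut equals expected, 0 otherwise (for checking). */
int shortcut_matches(unsigned int keyval, unsigned int mods, const char *expected)
{
    char buf[32];
    return encode_shortcut(keyval, mods, buf, sizeof buf) && strcmp(buf, expected) == 0;
}
```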
Martin Pitt (pitti) on 2011-03-01
Changed in libdbusmenu (Ubuntu Natty):
milestone: natty-alpha-3 → ubuntu-11.04-beta-1
Ted Gould (ted) on 2011-03-01
Changed in dbusmenu:
status: New → Fix Committed
Changed in libdbusmenu (Ubuntu Natty):
status: Triaged → Fix Committed
Sebastien Bacher (seb128) wrote :

The issue has been fixed in 0.3.100 in natty.

Changed in dbusmenu:
status: Fix Committed → Fix Released
Changed in libdbusmenu (Ubuntu Natty):
status: Fix Committed → Fix Released