notification-daemon crashed with SIGSEGV in strcmp()

Bug #131227 reported by Kevin Morey on 2007-08-09
This bug affects 16 people
Affects: notification-daemon (Ubuntu) | Importance: High | Assigned to: Michael Vogt
Affects: Jaunty | Importance: High | Assigned to: Michael Vogt

Bug Description

Binary package hint: notification-daemon

TEST CASE:
1. use the stock jaunty version of notification-daemon
2. run killall notification-daemon; /usr/lib/notification-daemon/notification-daemon in a terminal
3. run:
gconftool --type string -s /apps/notification-daemon/theme standard ; notify-send lala; gconftool --type string -s /apps/notification-daemon/theme ubuntu; notify-send lala; sleep 10; gconftool --type string -s /apps/notification-daemon/theme standard ; notify-send lala; gconftool --type string -s /apps/notification-daemon/theme ubuntu; notify-send lala
in a different terminal
4. verify that the terminal with the original notification-daemon exits with "Segmentation fault"
5. install notification-daemon from jaunty-proposed
6. repeat steps 2,3
7. verify that no "segmentation fault" message is there and notification-daemon in the terminal is still running

It seems I can reproduce it sometimes with rhythmbox as it uses notifications for track changes when it is minimized to tray.

1. Change /apps/notification-daemon/theme from "ubuntu" to ""
2. Change tracks in rhythmbox via the context menu of the tray icon
3. notification-daemon crashes, but when it restarts it appears to work correctly with the blue notification theme

I also got it to crash again by changing the gconf value back from "" to "ubuntu". Once it reloads the notifications display fine.

ProblemType: Crash
Architecture: i386
Date: Wed Aug 8 23:52:23 2007
DistroRelease: Ubuntu 7.10
ExecutablePath: /usr/lib/notification-daemon/notification-daemon
NonfreeKernelModules: nvidia
Package: notification-daemon 0.3.7-1ubuntu5
PackageArchitecture: i386
ProcCmdline: /usr/lib/notification-daemon/notification-daemon
ProcCwd: /
ProcEnviron:
 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games
 LANG=en_US.UTF-8
 SHELL=/bin/bash
Signal: 11
SourcePackage: notification-daemon
StacktraceTop:
 strcmp () from /lib/tls/i686/cmov/libc.so.6
 g_str_equal () from /usr/lib/libglib-2.0.so.0
 g_hash_table_lookup () from /usr/lib/libglib-2.0.so.0
 g_intern_static_string () from /usr/lib/libglib-2.0.so.0
 sexy_url_label_get_type () from /usr/lib/libsexy.so.2
Title: notification-daemon crashed with SIGSEGV in strcmp()
Uname: Linux kmorey 2.6.22-9-generic #1 SMP Fri Aug 3 00:50:37 GMT 2007 i686 GNU/Linux
UserGroups: adm admin audio cdrom dialout dip floppy kqemu lpadmin netdev plugdev powerdev scanner video

Kevin Morey (kevin-morey) wrote :

StacktraceTop:strcmp () from /lib/tls/i686/cmov/libc.so.6
IA__g_str_equal (v1=0xb725d714, v2=0xb724d714) at /build/buildd/glib2.0-2.13.7/glib/gstring.c:77
IA__g_hash_table_lookup (hash_table=0x8057a00, key=0xb724d714) at /build/buildd/glib2.0-2.13.7/glib/ghash.c:252
IA__g_intern_static_string (string=0xb724d714 "SexyUrlLabel") at /build/buildd/glib2.0-2.13.7/glib/gdataset.c:625
sexy_url_label_get_type () at sexy-url-label.c:97

Changed in notification-daemon:
importance: Undecided → Medium
Ara Pulido (ara) wrote :

I am also getting this error with the Pop Up notifications settings in Jaunty.

I will raise the importance here to High, because this is very likely to affect users in Jaunty.

Steps to reproduce in Jaunty

1. Open the PopUp Notifications Settings application (in the Settings menu)
2. Click on Preview the selected theme
3. You get the error
4. Further clicking on Preview, works correctly.

Changed in notification-daemon:
importance: Medium → High
status: New → Confirmed
Ara Pulido (ara) wrote :

I am marking this bug as public. It does not contain any sensitive information.

Pedro Villavicencio (pedro) wrote :

Yes, that's pretty easy to reproduce, just click on preview in the notification-properties dialog. Michael, could you have a look at it? Thanks.

Changed in notification-daemon:
assignee: nobody → mvo
status: Confirmed → Triaged

This bug occurs when changing the settings of the notification daemon. I had it while testing Ubuntu 9.04 Alpha 3.

Benjamin Fogel (benjaminfogel) wrote :

I have a similar problem to Ara, but further clicking simply throws more of these errors.

Casey Greene (casey-s-greene) wrote :

Same bug -- Easy to duplicate.

Preferences -> Pop-Up Notifications

Theme: Ubuntu Theme
Click Preview -- Crash happens

Theme: Standard Theme
Click Preview -- Notification Works

Gabriele Monti (psicus78) wrote :

automatically reported bug

For me it fails when I select Standard Theme in Pop-up notifications.

Nio (vs-nicolas-ubuntu) wrote :

Same in Ubuntu 9.04 Alpha 4....

Kestal (thinkdevoid) wrote :

This has been occurring for me since it's been introduced. I can easily confirm this.. ubuntu theme or default one.

Though, when I do click it a second time (After the crash message) it works.

Can Hantas (canhantas) wrote :

I can report the same for me as Kestal. It crashes on live CD and clean install (alpha4).
It crashes with ubuntu theme or default.
As Kestal reported when I click second time it works.

Changed in notification-daemon:
assignee: mvo → antonio-litterio-gmail

I solved this bug.
The problem was the incorrect deletion of the previous theme when the theme changes, in the daemon application "notification_daemon".
I noticed that it crashes when the theme changes, and I found the problem in notification_daemon, in the engine.
The problem is:
when the theme changes, the function "theme_changed_cb" deletes the current theme, but when the timeout event starts it is cleared again.
I removed the "theme_engine_unref" in the function "theme_changed_cb" because it will be removed from the timeout.

I link the patch.

Thanks for the help, Antonio.

Regards!

2009/2/7 Antonio Litterio <email address hidden>

> I solved this bug.
> The problem was the incorrect deletion of the previous theme when the theme
> changes, in the daemon application "notification_daemon".
> I noticed that it crashes when the theme changes, and I found the problem in
> notification_daemon, in the engine.
> The problem is:
> when the theme changes, the function "theme_changed_cb" deletes the current
> theme, but when the timeout event starts it is cleared again.
> I removed the "theme_engine_unref" in the function "theme_changed_cb" because
> it will be removed from the timeout.
>
> I link the patch.
>
> ** Attachment added: "notification_daemon-fix-strcmp.patch"
>
> http://launchpadlibrarian.net/22082369/notification_daemon-fix-strcmp.patch

--
Jorge Andrés Rabanal Arabach

Josh Holland (jshholland) wrote :

Happens to me in alpha 4 in a VM. Clicking on preview a second time makes it work though.

Midnitte (midnitte) wrote :

Ah, Indeed thanks for the info. Just wanted to see how it looked and was
disappointed with that error, but it works now thank you. :)

On Sun, Feb 8, 2009 at 11:22 AM, Josh Holland <email address hidden> wrote:

> Happens to me in alpha 4 in a VM. Clicking on preview a second time
> makes it work though.

Changed in notification-daemon:
status: Triaged → Fix Released
Changed in notification-daemon:
status: Fix Released → Fix Committed
Tchalvak (tchalvak) wrote :

Not sure what the procedure is, here. How do we go about testing whether the patch worked for us? Wait for the next alpha/beta, or will it eventually go into the repository and we'll get it as an update, or what.

Tchalvak, you're right, I was wrong. What should I put in return, "confirmed" or "In progress"? Excuse me.

Changed in notification-daemon:
status: Fix Committed → Confirmed
Martin Olsson (mnemo) wrote :

It should remain as confirmed for now I think. The next step is to apply the patch to the ubuntu package and use that to create a debdiff. The debdiff should then be attached to this bug and then you subscribe ubuntu-main-sponsors or ubuntu-universe-sponsors as appropriate and request sponsorship (these guys will update it to ubuntu repo and then it will arrive as a normal update).

Details on these two remaining steps are available here:
https://wiki.ubuntu.com/PackagingGuide/Recipes/Debdiff
https://wiki.ubuntu.com/SponsorshipProcess

PS. Note that if you can get the patch applied upstream, that's great because it makes it easier to convince ubuntu sponsors that it's the "appropriate way to fix the bug" and it also makes sure that we will never hit this bug again in the future. DS.

Also, for a general overview of bugfixing in ubuntu, check out this page:
https://wiki.ubuntu.com/MOTU/TODO/Bugs

Thanks for working on this patch Antonio, keep up the good work!!

Changed in notification-daemon:
assignee: antonio-litterio-gmail → nobody
Changed in notification-daemon:
milestone: none → ubuntu-9.04-beta

OK, I have followed the guidelines, and I attached the correct patch.
Thanks Martin and all for the help.

Changed in notification-daemon:
assignee: nobody → ubuntu-main-sponsors
Changed in notification-daemon:
assignee: ubuntu-main-sponsors → mvo
Sebastien Bacher (seb128) wrote :

did somebody send the change to the upstream bug tracker? what do you think about the change mvo, that's a crash which gets quite some duplicates

Piotr Stefanczyk (sashx) wrote :

After update it works good.

Michael Vogt (mvo) wrote :

Thanks for your patch!

It seems like with the patch applied the memory of active_engine is never freed. I think while this fixes the crash, it's not the right fix.

Alexander Sack (asac) wrote :

Yes, this patch is probably wrong. Most likely it's a not cancelled dbus call/signal subscription.

Alexander Sack (asac) wrote :

unsubscribing main sponsors; please re-subscribe if you have the right patch.

Yes, they are right, this patch does not destroy the old engine.
But I have probably found the problem. I noticed that the daemon crashes when the function "destroy_engine" is called from "gtk_widget_destroy" in the function "_notify_timeout_destroy".
If you comment out the "g_module_close(engine->module)" in the "destroy_engine" function, the daemon does not crash and frees the engine memory, but the "GModule *module" is probably not closed properly.

OK, look at this solution... I had to add a new function to properly destroy the notification gtk_widget (nw) and the engine.
I noticed that the problem was an incorrect closure of a G_Modules after the destruction of the widget.
Practically, the daemon destroys the engine, in particular "engine->module", when it is already used by the notification pop-up.
The correct way to destroy the engine is this:
 -) Destroy the notification pop-up by calling "gtk_distroy_widget".
 -) Decrease the value of "engine->ref_count" and, if it is equal to zero, unload engine->module and destroy the engine.

Currently the daemon works this way:
 -) It invokes the destruction of a notification pop-up by calling "gtk_destroy_widget", but with this event "theme_engine_unref" is also called.
 -) It decreases the value of "engine->ref_count" and, if it is equal to zero, it unloads "engine->module" and destroys "engine".
 -) It ends the destruction of the notification pop-up.

The daemon unloads engine->module when it is still in use by gtk_widget. I wrote the function that follows the correct way to destroy the widget and eventually the engine.
This function, called theme_destroy_widget, will be called in daemon.c when the destruction of the widget is requested in the function _notify_timeout_destroy.

Michael Vogt (mvo) on 2009-03-19
Changed in notification-daemon (Ubuntu Jaunty):
status: Confirmed → In Progress
Michael Vogt (mvo) wrote :

Thanks for your patch, I tested it, but I can still trigger the crash with:

$ notify-send lala ; sleep 5; gconftool -t string -s /apps/notification-daemon/theme standard ; notify-send lala; gconftool -t string -s /apps/notification-daemon/theme ubuntu; sleep 10; notify-send lala

(sometimes this needs to be run a couple of times). The backtrace:
(gdb) bt full
#0 0x00007fd1f9b356a0 in strcmp () from /lib/libc.so.6
No symbol table info available.
#1 0x00007fd1fa0a1149 in IA__g_str_equal (v1=0x7fd1f164a5d8,
    v2=0x7fd1ef52d5d8) at /build/buildd/glib2.0-2.20.0/glib/gstring.c:77
No locals.
#2 0x00007fd1fa06ed59 in IA__g_hash_table_lookup (hash_table=0x1409450,
    key=0x7fd1ef52d5d8) at /build/buildd/glib2.0-2.20.0/glib/ghash.c:213
 node = <value optimized out>
 node_index = 3169
 __PRETTY_FUNCTION__ = "IA__g_hash_table_lookup"
#3 0x00007fd1fa068b25 in IA__g_intern_static_string (
    string=0x7fd1ef52d5d8 "SexyUrlLabel")
    at /build/buildd/glib2.0-2.20.0/glib/gdataset.c:625
 quark = <value optimized out>
 result = (
    const gchar *) 0x7fd1f9e2fa10 "AWAVAUATUSH\211�H\203�\bdD\213,%\220"
#4 0x00007fd1ef52b458 in sexy_url_label_get_type () from /usr/lib/libsexy.so.2
No symbol table info available.
#5 0x00007fd1ef52ba29 in sexy_url_label_new () from /usr/lib/libsexy.so.2
No symbol table info available.
#6 0x00007fd1f1851296 in create_notification ()
   from /usr/lib/notification-daemon-1.0/engines/libubuntu.so
No symbol table info available.
#7 0x0000000000406dad in theme_create_notification (
    url_clicked_cb=0x4058f0 <url_clicked_cb>) at engines.c:183
 engine = (ThemeEngine *) 0x1756a00
 nw = <value optimized out>
#8 0x000000000040487c in notify_daemon_notify_handler (daemon=0x15f0860,
    app_name=0x7fd1ef52d5d8 "SexyUrlLabel", id=0, icon=0x1588d10 "",
    summary=0x1588d60 "lala", body=0x1588e50 "", actions=0x177b740,
    hints=0x15fd280, timeout=-1, context=0x1756870) at daemon.c:1093
 priv = (NotifyDaemonPrivate *) 0x15f0880
 nt = (NotifyTimeout *) 0x0
 nw = (GtkWindow *) 0x4082a0
 use_pos_data = <value optimized out>
 new_notification = <value optimized out>
 x = <value optimized out>
 y = <value optimized out>
 window_xid = <value optimized out>
 return_id = <value optimized out>
 sender = <value optimized out>
 sound_file = <value optimized out>
 sound_enabled = <value optimized out>
 __PRETTY_FUNCTION__ = "notify_daemon_notify_handler"
#9 0x00000000004061fc in dbus_glib_marshal_notification_daemon_VOID__STRING_UINT_STRING_STRING_STRING_BOXED_BOXED_INT_POINTER (closure=0x7fff042d0030,
    return_value=<value optimized out>, n_param_values=<value optimized out>,
    param_values=0x176ee00, invocation_hint=<value optimized out>,
    marshal_data=0x404830) at notificationdaemon-dbus-glue.h:100
 data1 = (gpointer) 0x15f0860
 data2 = <value optimized out>
 __PRETTY_FUNCTION__ = "dbus_glib_marshal_notification_daemon_VOID__STRING_UINT_STRING_STRING_STRING_BOXED_BOXED_INT_POINTER"
#10 0x00007fd1fbe9e12b in ?? () from /usr/lib/libdbus-glib-1.so.2
No symbol table info available.
#11 0x00007fd1fbc70081 in ?? () from /lib/libdbus-1.so.3
No symbol table info available.
#12 0x00007fd1fbc62966 in dbus_connection_dispatch () fr...


Michael Vogt (mvo) wrote :

I looked a bit into it and it seems to be unrelated to the patch. I sponsor the patch now, it fixes the problem at hand. An alternative approach would be to use "g_timeout_add()" in the destroy_engine() code and have a "really_destory_engine()" function that is run on the next gtk_main_loop and does the g_module_close() and g_free(engine). But your approach should be fine as well.

Thanks!
 Michael

Michael Vogt (mvo) wrote :

OK, sorry. Even with the patch I can still reproduce the problem when running /usr/bin/notification-properties and switching themes while they are displayed.

Michael Vogt (mvo) wrote :

I modified the patch a bit because there is already a theme_destroy_notification () function so no need to have an additional one. But the effect is the same, one crash fixed, but still crashing in SexyUrl label. I suspect it's a bug in libsexy because using a stock GtkLabel does not seem to crash.

Changed in notification-daemon (Ubuntu Jaunty):
status: In Progress → Incomplete
Michael Vogt (mvo) wrote :

I committed the patch to
lp:~ubuntu-desktop/notification-daemon/ubuntu

but the crash is still not fixed in this version :/

Michael Vogt (mvo) wrote :

It might be worthwhile to convert the code to use "GtkLinkButton" and see if that fixes the problem.

Steve Langasek (vorlon) on 2009-03-19
Changed in notification-daemon:
milestone: ubuntu-9.04-beta → none
Steve Langasek (vorlon) on 2009-04-09
Changed in notification-daemon (Ubuntu Jaunty):
milestone: none → jaunty-updates
Michael Vogt (mvo) on 2009-04-22
Changed in notification-daemon (Ubuntu Jaunty):
status: Incomplete → Fix Committed
description: updated
Michael Vogt (mvo) wrote :

I uploaded a fixed version (that works for me and survives the "TEST CASE") into my PPA at:
deb http://ppa.launchpad.net/mvo/ubuntu jaunty main

Feedback is welcome.

Michael Vogt (mvo) wrote :

Just for the record, the removal of "Wl,--as-needed" is also required, otherwise the daemon crashes when it loads libsexy. The reason seems to be that libsexy is not mapped into memory from the daemon. So when the theme engine module is loaded it maps libsexy and registers with the gobject system. Now when the engine changes the module is unloaded and a new one is loaded. This contains also libsexy but mapped to a different address. It seems that this confuses the gobject system and the crash happens. As a workaround removing --as-needed will have libsexy linked against the daemon itself.
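
The failure mode described in the comment above, modelled as an added example (not code from notification-daemon, GLib or libsexy): an intern table that keeps a pointer to a type name living inside a library image, and what remains in that table once the image is unmapped. The library is simulated with a constructed mmap page, and Image, intern_static, stale_keys and theme_switch are hypothetical names; the guarded lookup stands in for the unchecked strcmp() seen in the backtrace.

```c
#define _DEFAULT_SOURCE   /* MAP_ANONYMOUS under strict -std= modes */
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

/* One anonymous page standing in for a dlopen()ed library's .rodata. */
typedef struct { char *base; size_t len; int mapped; } Image;
/* Intern table that keeps the caller's pointer without copying it. */
typedef struct { const char *key; const Image *owner; } Entry;
static Entry table[8];
static size_t n_entries;

static int image_map(Image *im, const char *type_name) {
    im->len = 4096;
    im->base = mmap(NULL, im->len, PROT_READ | PROT_WRITE,
                    MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (im->base == MAP_FAILED) return -1;
    strcpy(im->base, type_name);   /* the name lives inside the image */
    im->mapped = 1;
    return 0;
}
static void image_unmap(Image *im) { munmap(im->base, im->len); im->mapped = 0; }

/* Lookup-or-insert. An unchecked table would strcmp() every stored key,
 * even keys inside an unmapped image: that read is the SIGSEGV. */
static const char *intern_static(const char *s, const Image *owner) {
    for (size_t i = 0; i < n_entries; i++)
        if (table[i].owner->mapped && strcmp(table[i].key, s) == 0)
            return table[i].key;
    if (n_entries == sizeof table / sizeof table[0]) return NULL;
    table[n_entries] = (Entry){ s, owner };
    return table[n_entries++].key;
}

/* Keys an unchecked lookup would dereference after their image is gone. */
static long stale_keys(void) {
    long n = 0;
    for (size_t i = 0; i < n_entries; i++) n += !table[i].owner->mapped;
    return n;
}

/* Engine A registers the type and is torn down, then engine B registers it
 * again. keep_mapped=1 models the library linked into the daemon itself. */
static long theme_switch(int keep_mapped) {
    static Image a, b;             /* the table keeps pointers to these */
    n_entries = 0;
    if (image_map(&a, "SexyUrlLabel") != 0) return -1;
    intern_static(a.base, &a);
    Image *cur = keep_mapped ? &a : &b;
    if (!keep_mapped) {
        image_unmap(&a);           /* library goes away with the engine */
        if (image_map(&b, "SexyUrlLabel") != 0) return -1;
    }
    intern_static(cur->base, cur);
    long stale = stale_keys();
    image_unmap(cur);
    return stale;
}

int main(void) {
    long unloaded = theme_switch(0), resident = theme_switch(1);
    printf("stale keys: unloaded=%ld resident=%ld\n", unloaded, resident);
    return 0;
}
```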

Martin Pitt (pitti) wrote :

Accepted notification-daemon into jaunty-proposed; please test and give feedback here. Please see https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Changed in notification-daemon (Ubuntu):
milestone: jaunty-updates → none
tags: added: verification-needed
Steve Beattie (sbeattie) wrote :

I am able to reproduce this crash with the version of notification-daemon in jaunty, 0.4.0-0ubuntu3, and can confirm that the version of notification-daemon in jaunty-proposed, 0.4.0-0ubuntu4, does not crash, despite running a similar for-loop that mvo posted, which caused the released version to crash consistently after one loop. Other testing of notifications (urgency, time, icons, etc) didn't show any regressions introduced by the version in jaunty-proposed.

Marking verification-done.

tags: added: verification-done
removed: verification-needed
Steve Beattie (sbeattie) wrote :

Eek, of course, immediately after I did that, I managed to cause it to crash; if I do:

  gconftool --type string -s /apps/notification-daemon/theme standard && sleep 2 && notify-send -t 10000 "lala" && gconftool --type string -s /apps/notification-daemon/theme ubuntu && sleep 2 && notify-send -t 10000 "lala"

and wait for the notification of each style to be on display and then close both, notification-daemon will segfault again. I'm leaving this as verification-done, because the version in jaunty-proposed does improve the situation and does not introduce regressions, but ideally this crash would get fixed as well.

Thanks.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package notification-daemon - 0.4.0-0ubuntu4

---------------
notification-daemon (0.4.0-0ubuntu4) jaunty-proposed; urgency=low

  * debian/patches/09_change_themes_crash_rev1.patch resolve (LP: #131227)
    - fix crash when changing themes (based on the patch from
      Antonio Litterio, many thanks)
  * debian/rules:
    - build without "-Wl,--as-needed" to avoid another crash releated
      to loading/unloading libsexy from the themes (LP: #131227)

 -- Michael Vogt <email address hidden> Wed, 22 Apr 2009 13:19:20 +0200

Changed in notification-daemon (Ubuntu Jaunty):
status: Fix Committed → Fix Released
Martin Pitt (pitti) wrote :

copied to karmic

Changed in notification-daemon (Ubuntu):
status: Fix Committed → Fix Released
tags: added: iso-testing