packagekit segfaulting every time new updates are retrieved

Bug #696686 reported by Juliano Ravasi
Affects              Status   Importance  Assigned to  Milestone
apt (Ubuntu)         Opinion  Undecided   Unassigned
packagekit (Ubuntu)  Opinion  Undecided   Unassigned

Bug Description

Binary package hint: packagekit

Starting yesterday (Jan 02, 2011), packagekitd is segfaulting every time the list of updates is retrieved (via kpackagekit). dmesg shows:

packagekitd[4163]: segfault at 7f862defd004 ip 00007f735ec12e3a sp 00007f735e9bcae0 error 4 in libpk_backend_aptcc.so[7f735ebf7000+38000]
packagekitd[4458]: segfault at 7fd0dff40004 ip 00007fbe14ddce3a sp 00007fbe14b86ae0 error 4 in libpk_backend_aptcc.so[7fbe14dc1000+38000]
packagekitd[4489]: segfault at 7f201f0a5004 ip 00007f0d4fdbae3a sp 00007f0d4fb64ae0 error 4 in libpk_backend_aptcc.so[7f0d4fd9f000+38000]
packagekitd[9056]: segfault at 7f11f2ae3004 ip 00007eff237f8e3a sp 00007eff235a2ae0 error 4 in libpk_backend_aptcc.so[7eff237dd000+38000]
packagekitd[11324]: segfault at 7f4bceb2b004 ip 00007f38ff840e3a sp 00007f38ff5eaae0 error 4 in libpk_backend_aptcc.so[7f38ff825000+38000]

packagekit-backend-aptcc:
  Installed: 0.6.8-0ubuntu3.1
  Candidate: 0.6.8-0ubuntu3.1
  Version table:
 *** 0.6.8-0ubuntu3.1 0
        500 http://us.archive.ubuntu.com/ubuntu/ maverick-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     0.6.8-0ubuntu3 0
        500 http://us.archive.ubuntu.com/ubuntu/ maverick/main amd64 Packages

The crash report in /var/crash is attached.

ProblemType: Bug
DistroRelease: Ubuntu 10.10
Package: packagekit-backend-aptcc 0.6.8-0ubuntu3.1
ProcVersionSignature: Ubuntu 2.6.35-24.42-generic 2.6.35.8
Uname: Linux 2.6.35-24-generic x86_64
NonfreeKernelModules: nvidia
Architecture: amd64
Date: Mon Jan 3 02:06:17 2011
InstallationMedia: Kubuntu 10.10 "Maverick Meerkat" - Release amd64 (20101008)
SourcePackage: packagekit

Revision history for this message
Juliano Ravasi (jravasi) wrote :
Matthias Klumpp (ximion) wrote :

This might be related to a bug which was fixed in PK 0.6.10 - I'll check this out when I'm back home.
Could you please run packagekitd in GDB?
$ sudo -s
$ killall packagekitd
$ gdb
$ file /usr/lib/packagekit/packagekitd
$ run
...and try fetching the package list again?

tags: added: pk-backend-aptcc
Juliano Ravasi (jravasi) wrote :

Matthias, thanks for your attention. Running in GDB gives:

~# gdb /usr/lib/packagekit/packagekitd
GNU gdb (GDB) 7.2-ubuntu
... {{gdb copyright blah blah suppressed}} ...
Reading symbols from /usr/lib/packagekit/packagekitd...(no debugging symbols found)...done.
(gdb) run
Starting program: /usr/lib/packagekit/packagekitd
[Thread debugging using libthread_db enabled]
[New Thread 0x7ffff38b4700 (LWP 9338)]
Reading package lists... Done
Building dependency tree
Reading state information... Done
[Thread 0x7ffff38b4700 (LWP 9338) exited]
[New Thread 0x7ffff38b4700 (LWP 9347)]
Ign http://dl.google.com/linux/chrome/deb/ stable/main Translation-en
Ign http://dl.google.com/linux/chrome/deb/ stable/main Translation-en_US
... {{apt update stuff suppressed}} ...
Ign http://download.virtualbox.org/virtualbox/debian/ maverick/non-free Translation-en
Ign http://download.virtualbox.org/virtualbox/debian/ maverick/non-free Translation-en_US
Reading package lists... Done
[Thread 0x7ffff38b4700 (LWP 9347) exited]
[New Thread 0x7ffff38b4700 (LWP 9401)]
[Thread 0x7ffff38b4700 (LWP 9401) exited]
[New Thread 0x7ffff38b4700 (LWP 9426)]
[Thread 0x7ffff38b4700 (LWP 9426) exited]
[New Thread 0x7ffff38b4700 (LWP 9427)]
[Thread 0x7ffff38b4700 (LWP 9427) exited]
[New Thread 0x7ffff38b4700 (LWP 9428)]
[Thread 0x7ffff38b4700 (LWP 9428) exited]
[New Thread 0x7ffff38b4700 (LWP 9429)]
[Thread 0x7ffff38b4700 (LWP 9429) exited]
[New Thread 0x7ffff38b4700 (LWP 9430)]
[Thread 0x7ffff38b4700 (LWP 9430) exited]
[New Thread 0x7ffff38b4700 (LWP 9432)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff38b4700 (LWP 9432)]
0x00007ffff3b09e3a in aptcc::emit_package(pkgCache::PkgIterator const&, pkgCache::VerIterator const&, unsigned long, PkInfoEnum) ()
   from /usr/lib/packagekit-backend/libpk_backend_aptcc.so
(gdb) backtrace
#0 0x00007ffff3b09e3a in aptcc::emit_package(pkgCache::PkgIterator const&, pkgCache::VerIterator const&, unsigned long, PkInfoEnum) ()
   from /usr/lib/packagekit-backend/libpk_backend_aptcc.so
#1 0x00007ffff3b0be2e in aptcc::emit_packages(std::vector<std::pair<pkgCache::PkgIterator, pkgCache::VerIterator>, std::allocator<std::pair<pkgCache::PkgIterator, pkgCache::VerIterator> > >&, unsigned long, PkInfoEnum) () from /usr/lib/packagekit-backend/libpk_backend_aptcc.so
#2 0x00007ffff3b1c74c in ?? () from /usr/lib/packagekit-backend/libpk_backend_aptcc.so
#3 0x00007ffff5e377e4 in ?? () from /lib/libglib-2.0.so.0
#4 0x00007ffff7284971 in start_thread (arg=<value optimized out>) at pthread_create.c:304
#5 0x00007ffff583392d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
#6 0x0000000000000000 in ?? ()
(gdb) info locals
No symbol table info available.
(gdb) disasse
Dump of assembler code for function _ZN5aptcc12emit_packageERKN8pkgCache11PkgIteratorERKNS0_11VerIteratorEm10PkInfoEnum:
   0x00007ffff3b09de0 <+0>: mov %rbx,-0x30(%rsp)
   0x00007ffff3b09de5 <+5>: mov %rbp,-0x28(%rsp)
   0x00007ffff3b09dea <+10>: mov %r8d,%ebx
   0x00007ffff3b09ded <+13>: mov %r12,-0x20(%rsp)
   0x00007ffff3b09df2 <+18>: mov %r14,-0x10(%rsp)
   0x00007ffff3b09df7 <+23>: mov %rsi,%r12
   0x00007f...


Daniel Nicoletti (dantti) wrote :

Thanks, this bug seems to be related to https://bugs.launchpad.net/ubuntu/+source/packagekit/+bug/691474
Can you please update packagekit-backend-aptcc (0.6.8-0ubuntu3.2) and see if it still happens?

Thanks

Juliano Ravasi (jravasi) wrote :

Still no good. I just updated:

packagekit-backend-aptcc:
  Installed: 0.6.8-0ubuntu3.2
  Candidate: 0.6.8-0ubuntu3.2
  Version table:
 *** 0.6.8-0ubuntu3.2 0
        500 http://us.archive.ubuntu.com/ubuntu/ maverick-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     0.6.8-0ubuntu3 0
        500 http://us.archive.ubuntu.com/ubuntu/ maverick/main amd64 Packages

And it is still segfaulting:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff38b4700 (LWP 4062)]
0x00007ffff3b09e38 in aptcc::emit_package(pkgCache::PkgIterator const&, pkgCache::VerIterator const&, unsigned long, PkInfoEnum) ()
   from /usr/lib/packagekit-backend/libpk_backend_aptcc.so
(gdb) bt
#0 0x00007ffff3b09e38 in aptcc::emit_package(pkgCache::PkgIterator const&, pkgCache::VerIterator const&, unsigned long, PkInfoEnum) ()
   from /usr/lib/packagekit-backend/libpk_backend_aptcc.so
#1 0x00007ffff3b0be2e in aptcc::emit_packages(std::vector<std::pair<pkgCache::PkgIterator, pkgCache::VerIterator>, std::allocator<std::pair<pkgCache::PkgIterator, pkgCache::VerIterator> > >&, unsigned long, PkInfoEnum) () from /usr/lib/packagekit-backend/libpk_backend_aptcc.so
#2 0x00007ffff3b1c79c in ?? () from /usr/lib/packagekit-backend/libpk_backend_aptcc.so
#3 0x00007ffff5e377e4 in ?? () from /lib/libglib-2.0.so.0
#4 0x00007ffff7284971 in start_thread (arg=<value optimized out>) at pthread_create.c:304
#5 0x00007ffff583392d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
#6 0x0000000000000000 in ?? ()

Juliano Ravasi (jravasi) wrote :

I found and installed the debug symbols at http://ddebs.ubuntu.com/pool/main/p/packagekit/packagekit-backend-aptcc-dbgsym_0.6.8-0ubuntu3.2_amd64.ddeb .

Then I got this little better backtrace.

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff38b4700 (LWP 6187)]
0x00007ffff3b09e38 in Section (this=0x7f4e80, pkg=..., ver=..., filters=4,
    state=PK_INFO_ENUM_AVAILABLE) at /usr/include/apt-pkg/cacheiterators.h:207
207 inline const char *Section() const {return S->Section == 0?0:Owner->StrP + S->Section;};
(gdb) bt
#0 0x00007ffff3b09e38 in Section (this=0x7f4e80, pkg=..., ver=..., filters=4,
    state=PK_INFO_ENUM_AVAILABLE) at /usr/include/apt-pkg/cacheiterators.h:207
#1 aptcc::emit_package (this=0x7f4e80, pkg=..., ver=..., filters=4,
    state=PK_INFO_ENUM_AVAILABLE) at apt.cpp:265
#2 0x00007ffff3b0be2e in aptcc::emit_packages (this=0x7f4e80, output=..., filters=4,
    state=PK_INFO_ENUM_UNKNOWN) at apt.cpp:371
#3 0x00007ffff3b1c79c in backend_search_files_thread (backend=<value optimized out>)
    at pk-backend-aptcc.cpp:905
#4 0x00007ffff5e377e4 in ?? () from /lib/libglib-2.0.so.0
#5 0x00007ffff7284971 in start_thread (arg=<value optimized out>) at pthread_create.c:304
#6 0x00007ffff583392d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
#7 0x0000000000000000 in ?? ()
(gdb) print *this
value has been optimized out
(gdb) print S
value has been optimized out
(gdb) print S->Section
value has been optimized out
(gdb) print Owner
value has been optimized out
(gdb) print Owner->StrP
value has been optimized out

(gdb) up
#1 aptcc::emit_package (this=0x7f4e80, pkg=..., ver=..., filters=4,
    state=PK_INFO_ENUM_AVAILABLE) at apt.cpp:265
265 }
(gdb) l
260 if (state == PK_INFO_ENUM_UNKNOWN) {
261 if (pkg->CurrentState == pkgCache::State::Installed) {
262 state = PK_INFO_ENUM_INSTALLED;
263 } else {
264 state = PK_INFO_ENUM_AVAILABLE;
265 }
266 }
267
268 if (filters != 0) {
269 std::string str = ver.Section();

(gdb) print ver
$1 = (
    const pkgCache::VerIterator &) @0x800920: {<pkgCache::Iterator<pkgCache::Version, pkgCache::VerIterator>> = {<std::iterator<std::forward_iterator_tag, pkgCache::Version, long, pkgCache::Version*, pkgCache::Version&>> = {<No data fields>}, _vptr.Iterator = 0x7ffff5dc99d0,
    S = 0x8012c3387000, Owner = 0x7f96b0}, <No data fields>}
(gdb) print ver.S
$2 = (pkgCache::Version *) 0x8012c3387000
(gdb) print *ver.S
Cannot access memory at address 0x8012c3387000

Similar memory address. 0x8012c3387000 is outside any memory mapping in the packagekitd process. So, what is this "S" member inside pkgCache::Version, and how did this strange pointer get in there? Now it is up to someone who actually understands the aptcc code.
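
The crash site in this backtrace is an accessor that turns an offset stored in the memory-mapped cache into a pointer (`Owner->StrP + S->Section`) without checking that the offset lies inside the mapping, so a corrupted or stale cache file turns into a wild read. The following is an added example, not code from this bug report or from apt: a minimal offset-based cache reader in C++ with hypothetical names (`VersionRec`, `MappedCache`, `buildCache`, `readSection`) that validates every offset against the mapping size before dereferencing it, so a bad cache is rejected with an error instead of a SIGSEGV. The cache image is constructed inline; the corrupted variant substitutes a bogus section offset to mimic the out-of-mapping pointer seen above.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <stdexcept>
#include <string>
#include <vector>

// Hypothetical record layout (not apt's): a version record stores *offsets*
// into a string pool that lives later in the same mapping, never raw pointers.
struct VersionRec {
    uint32_t section;   // offset of a NUL-terminated string, 0 = no section
    uint32_t verstr;    // offset of the version string
};

class MappedCache {
public:
    MappedCache(std::vector<uint8_t> bytes, size_t poolStart)
        : bytes_(std::move(bytes)), poolStart_(poolStart) {}

    // Counterpart of the Section() accessor at the crash site, except that
    // every offset is checked against the mapping before it becomes a pointer.
    std::string section(size_t recOff) const {
        VersionRec v = recordAt(recOff);
        if (v.section == 0) return "";
        return stringAt(v.section);
    }

private:
    VersionRec recordAt(size_t off) const {
        if (off > bytes_.size() || bytes_.size() - off < sizeof(VersionRec))
            throw std::runtime_error("record offset outside cache mapping");
        VersionRec v;
        std::memcpy(&v, bytes_.data() + off, sizeof v);  // no alignment assumptions
        return v;
    }

    std::string stringAt(uint32_t off) const {
        if (off < poolStart_ || off >= bytes_.size())
            throw std::runtime_error("string offset outside cache mapping");
        const char *p = reinterpret_cast<const char *>(bytes_.data() + off);
        size_t room = bytes_.size() - off;
        // Refuse an unterminated string rather than reading past the mapping.
        if (std::memchr(p, '\0', room) == nullptr)
            throw std::runtime_error("unterminated string in cache");
        return std::string(p);
    }

    std::vector<uint8_t> bytes_;
    size_t poolStart_;
};

// Build a constructed cache image: one record at offset 0, then the string
// pool. With `corrupt` set, the section offset is replaced by a value far
// outside the mapping, mimicking the wild pointer in the backtrace.
MappedCache buildCache(bool corrupt) {
    const size_t poolStart = sizeof(VersionRec);
    std::vector<uint8_t> img(poolStart, 0);
    auto addString = [&](const char *s) {
        uint32_t off = static_cast<uint32_t>(img.size());
        img.insert(img.end(), s, s + std::strlen(s) + 1);
        return off;
    };
    VersionRec v;
    v.section = addString("kde");
    v.verstr = addString("0.6.8-0ubuntu3.2");
    if (corrupt) v.section = 0xC3387000u;  // bogus offset, constructed for the demo
    std::memcpy(img.data(), &v, sizeof v);
    return MappedCache(std::move(img), poolStart);
}

// Read the section of record 0; a checked failure is reported as a string so
// the caller can tell "no section" apart from "cache rejected".
std::string readSection(bool corrupt) {
    try {
        return buildCache(corrupt).section(0);
    } catch (const std::runtime_error &e) {
        return std::string("rejected: ") + e.what();
    }
}

int main() {
    std::printf("intact cache:    %s\n", readSection(false).c_str());
    std::printf("corrupted cache: %s\n", readSection(true).c_str());
    return 0;
}
```

The same check belongs wherever a cache file built by one process is consumed by another (as apt's pkgcache.bin is by the aptcc backend): offsets read from a file on disk are untrusted input, and a reader that validates them once at the accessor boundary fails loudly on a stale or truncated file instead of crashing in whichever caller happens to touch the bad record first.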

Matthias Klumpp (ximion) wrote :

Does this issue still occur with the latest PackageKit in Natty? If so, could you please install PK from my PPA and check against PK == 0.6.14 too?
I still don't know why I can't reproduce this crash...

Changed in packagekit (Ubuntu):
status: New → Incomplete
Juliano Ravasi (jravasi) wrote :

Matthias, I can't reproduce this bug anymore after I used apt-get clean and did some other cleanup in other parts of apt (keyring, sources, etc). The bug may or may not have been fixed, but I don't have the environment to reproduce it anymore (even if my environment was broken before the cleanup, apt still shouldn't segfault). The only clue now is the detailed inspection I provided in comment #6.

Feel free to close this bug.

Matthias Klumpp (ximion) wrote :

I'm leaving this bug in "Opinion" state. I think this is a bug in APT itself, reading a broken cache, but that's just a guess. If this issue happens again, we'll have this backtrace here for more information.
Thanks for your work!

Changed in packagekit (Ubuntu):
status: Incomplete → Opinion
Changed in apt (Ubuntu):
status: New → Opinion
Julian Andres Klode (juliank) wrote :

Given that the iterator points outside of the cache, this seems to be a duplicate of bug 16467
