Unity crashes when entering a term including "emu" in the home lens

Bug #1239381 reported by Jakob Mühldorfer on 2013-10-13
This bug affects 8 people
Affects | Status | Importance | Assigned to | Milestone
Pango | Expired | High | |
Unity | Fix Released | Critical | Brandon Schaefer |
7.1 | Fix Released | Critical | Brandon Schaefer |
unity (Ubuntu) | | Critical | Brandon Schaefer |
Saucy | | Critical | Brandon Schaefer |

Bug Description

Unity version 7.1.2 on Ubuntu 13.10 daily build 2013-10-13

To reproduce:
-Make sure an Internet connection is working
-Start the Unity Dash, in the home lens
-Enter a term including " emu"
-Unity crashes

ProblemType: Bug
DistroRelease: Ubuntu 13.10
Package: unity 7.1.2+13.10.20131011-0ubuntu1
ProcVersionSignature: Ubuntu 3.11.0-12.19-generic 3.11.3
Uname: Linux 3.11.0-12-generic x86_64
NonfreeKernelModules: nvidia
.proc.driver.nvidia.gpus.0: Error: [Errno 21] Is a directory: '/proc/driver/nvidia/gpus/0'
.proc.driver.nvidia.registry: Binary: ""
.proc.driver.nvidia.version:
 NVRM version: NVIDIA UNIX x86_64 Kernel Module 319.60 Wed Sep 25 14:28:26 PDT 2013
 GCC version: gcc version 4.8.1 (Ubuntu/Linaro 4.8.1-10ubuntu8)
.tmp.unity.support.test.0:

ApportVersion: 2.12.5-0ubuntu2
Architecture: amd64
CompizPlugins: No value set for `/apps/compiz-1/general/screen0/options/active_plugins'
CompositorRunning: compiz
CompositorUnredirectDriverBlacklist: '(nouveau|Intel).*Mesa 8.0'
CompositorUnredirectFSW: true
Date: Sun Oct 13 17:50:58 2013
DistUpgraded: Fresh install
DistroCodename: saucy
DistroVariant: ubuntu
DkmsStatus: nvidia-319-updates, 319.60, 3.11.0-12-generic, x86_64: installed
GraphicsCard:
 NVIDIA Corporation GK106 [GeForce GTX 660] [10de:11c0] (rev a1) (prog-if 00 [VGA controller])
   Subsystem: CardExpert Technology Device [10b0:11c0]
InstallationDate: Installed on 2013-10-13 (0 days ago)
InstallationMedia: Ubuntu 13.10 "Saucy Salamander" - Beta amd64 (20131013)
JockeyStatus:
 kmod:nvidia_319_updates - nvidia_319_updates (Proprietär, Aktiviert, Nicht benutzt)
 kmod:nvidia_304 - NVIDIA binary Xorg driver, kernel module and VDPAU library (Proprietär, Deaktiviert, Nicht benutzt)
 kmod:nvidia_304_updates - NVIDIA binary Xorg driver, kernel module and VDPAU library (Proprietär, Deaktiviert, Nicht benutzt)
 kmod:nvidia_319 - NVIDIA binary Xorg driver, kernel module and VDPAU library (Proprietär, Deaktiviert, Nicht benutzt)
MachineType: To Be Filled By O.E.M. To Be Filled By O.E.M.
MarkForUpload: True
ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-3.11.0-12-generic root=UUID=c1338261-d55c-4a44-87e4-cb7a961b0a27 ro quiet splash
SourcePackage: unity
UpgradeStatus: No upgrade log present (probably fresh install)
dmi.bios.date: 07/03/2013
dmi.bios.vendor: American Megatrends Inc.
dmi.bios.version: P2.20
dmi.board.name: Z87 Pro3
dmi.board.vendor: ASRock
dmi.chassis.asset.tag: To Be Filled By O.E.M.
dmi.chassis.type: 3
dmi.chassis.vendor: To Be Filled By O.E.M.
dmi.chassis.version: To Be Filled By O.E.M.
dmi.modalias: dmi:bvnAmericanMegatrendsInc.:bvrP2.20:bd07/03/2013:svnToBeFilledByO.E.M.:pnToBeFilledByO.E.M.:pvrToBeFilledByO.E.M.:rvnASRock:rnZ87Pro3:rvr:cvnToBeFilledByO.E.M.:ct3:cvrToBeFilledByO.E.M.:
dmi.product.name: To Be Filled By O.E.M.
dmi.product.version: To Be Filled By O.E.M.
dmi.sys.vendor: To Be Filled By O.E.M.
version.compiz: compiz 1:0.9.10+13.10.20131011-0ubuntu1
version.ia32-libs: ia32-libs N/A
version.libdrm2: libdrm2 2.4.46-1
version.libgl1-mesa-dri: libgl1-mesa-dri 9.2.1-1ubuntu3
version.libgl1-mesa-dri-experimental: libgl1-mesa-dri-experimental 9.2.1-1ubuntu3
version.libgl1-mesa-glx: libgl1-mesa-glx 9.2.1-1ubuntu3
version.nvidia-graphics-drivers: nvidia-graphics-drivers N/A
version.xserver-xorg-core: xserver-xorg-core 2:1.14.3-3ubuntu1
version.xserver-xorg-input-evdev: xserver-xorg-input-evdev 1:2.7.3-0ubuntu3.1
version.xserver-xorg-video-ati: xserver-xorg-video-ati 1:7.2.0-0ubuntu10
version.xserver-xorg-video-intel: xserver-xorg-video-intel 2:2.99.904-0ubuntu2
version.xserver-xorg-video-nouveau: xserver-xorg-video-nouveau 1:1.0.9-2ubuntu1
xserver.bootTime: Sun Oct 13 17:29:03 2013
xserver.configfile: default
xserver.devices:
 input Power Button KEYBOARD, id 6
 input Power Button KEYBOARD, id 7
 input Logitech USB Gaming Mouse MOUSE, id 8
 input Chicony Saitek Eclipse II Keyboard KEYBOARD, id 9
 input Chicony Saitek Eclipse II Keyboard KEYBOARD, id 10
xserver.errors:
 Failed to load /usr/lib/xorg/modules/libglamoregl.so: /usr/lib/xorg/modules/libglamoregl.so: undefined symbol: _glapi_tls_Context
 Failed to load module "glamoregl" (loader failed, 7)
 open /dev/fb0: No such file or directory
xserver.logfile: /var/log/Xorg.0.log
xserver.outputs:

xserver.version: 2:1.14.3-3ubuntu1


Dave Gilbert (ubuntu-treblig) wrote :

Trivially repeatable here on a 64bit Saucy install

Changed in unity (Ubuntu):
importance: Undecided → Medium
status: New → Confirmed
description: updated
Sasa Paporovic (melchiaros) wrote :

lol shortest reproducing ever. Yes, it crashes!

Dave Gilbert (ubuntu-treblig) wrote :

backtrace shows a 'free(): invalid next size (fast)' somewhere below libpango called from unity::dash::ResultRendererTile::LoadText

#3 0x00007f7a095a9996 in malloc_printerr (ptr=0x54ab030, str=0x7f7a096b08e0 "free(): invalid next size (fast)", action=3)
 at malloc.c:4923
        buf = "00000000054ab030"
        cp = <optimised out>
#4 _int_free (av=<optimised out>, p=0x54ab020, have_lock=0) at malloc.c:3779
        size = <optimised out>
        fb = <optimised out>
        nextchunk = <optimised out>
        nextsize = <optimised out>
        nextinuse = <optimised out>
        prevsize = <optimised out>
        bck = <optimised out>
        fwd = <optimised out>
        errstr = <optimised out>
        locked = <optimised out>
        __func__ = "_int_free"
#5 0x00007f79e6b7f407 in ?? () from /usr/lib/x86_64-linux-gnu/libpango-1.0.so.0
No symbol table info available.
#6 0x00007f79e6b7f6f8 in ?? () from /usr/lib/x86_64-linux-gnu/libpango-1.0.so.0
No symbol table info available.
#7 0x00007f79e6b9230a in ?? () from /usr/lib/x86_64-linux-gnu/libpango-1.0.so.0
No symbol table info available.
#8 0x00007f79e6b94720 in pango_layout_get_iter () from /usr/lib/x86_64-linux-gnu/libpango-1.0.so.0
No symbol table info available.
#9 0x00007f79e6b9987c in pango_renderer_draw_layout () from /usr/lib/x86_64-linux-gnu/libpango-1.0.so.0
No symbol table info available.
#10 0x00007f79e6dc525a in ?? () from /usr/lib/x86_64-linux-gnu/libpangocairo-1.0.so.0
No symbol table info available.
#11 0x00007f79e7ff71ed in unity::dash::ResultRendererTile::LoadText(unity::dash::Result const&) () from /usr/lib/compiz/libunityshell.so

Dave Gilbert (ubuntu-treblig) wrote :

here with some dbgsym's installed - not sure I believe some of the values though, and anyway if it's an allocation problem might not help anyway, but still might be useful to someone

(gdb) bt full
#0 0x00007f7a0955ff77 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
        resultvar = 0
        pid = 2046
        selftid = 2046
#1 0x00007f7a095635e8 in __GI_abort () at abort.c:90
        save_stage = 2
        act = {__sigaction_handler = {sa_handler = 0x7fff74eefbca, sa_sigaction = 0x7fff74eefbca}, sa_mask = {__val = {
              6, 140162120737932, 2, 140735155207134, 2, 140162120726900, 1, 140162120737928, 3, 140735155207108, 12,
              140162120737932, 2, 140735155207920, 18, 140735155209680}}, sa_flags = 80, sa_restorer = 0x7}
        sigs = {__val = {32, 0 <repeats 15 times>}}
#2 0x00007f7a0959d4fb in __libc_message (do_abort=do_abort@entry=2,
    fmt=fmt@entry=0x7f7a096b0740 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:199
        ap = {{gp_offset = 40, fp_offset = 48, overflow_arg_area = 0x7fff74ef05e0, reg_save_area = 0x7fff74ef04f0}}
        ap_copy = {{gp_offset = 16, fp_offset = 48, overflow_arg_area = 0x7fff74ef05e0, reg_save_area = 0x7fff74ef04f0}}
        fd = 2
        on_2 = <optimised out>
        list = <optimised out>
        nlist = <optimised out>
        cp = <optimised out>
        written = <optimised out>
#3 0x00007f7a095a9996 in malloc_printerr (ptr=0x54ab030, str=0x7f7a096b08e0 "free(): invalid next size (fast)",
    action=3) at malloc.c:4923
        buf = "00000000054ab030"
        cp = <optimised out>
#4 _int_free (av=<optimised out>, p=0x54ab020, have_lock=0) at malloc.c:3779
        size = <optimised out>
        fb = <optimised out>
        nextchunk = <optimised out>
        nextsize = <optimised out>
        nextinuse = <optimised out>
        prevsize = <optimised out>
        bck = <optimised out>
        fwd = <optimised out>
        errstr = <optimised out>
        locked = <optimised out>
        __func__ = "_int_free"
#5 0x00007f79e6b7f407 in insert_run (line=line@entry=0x2fd0940, state=state@entry=0x7fff74ef0850,
    run_item=run_item@entry=0x381c940, last_run=last_run@entry=1)
    at /build/buildd/pango1.0-1.32.5/./pango/pango-layout.c:3288
        run = 0x7f79b0001200
#6 0x00007f79e6b7f6f8 in process_item (layout=layout@entry=0x53354d0, line=line@entry=0x2fd0940,
    state=state@entry=0x7fff74ef0850, force_fit=force_fit@entry=1, no_break_at_end=no_break_at_end@entry=0)
    at /build/buildd/pango1.0-1.32.5/./pango/pango-layout.c:3393
        item = 0x381c940
        width = <optimised out>
        length = <optimised out>
        i = <optimised out>
        processing_new_item = <optimised out>
#7 0x00007f79e6b9230a in process_line (state=0x7fff74ef0850, layout=0x53354d0)
    at /build/buildd/pango1.0-1.32.5/./pango/pango-layout.c:3651
        old_remaining_width = -1
        item = 0x381c940
        result = <optimised out>
        old_num_chars = 8
        first_item_in_line = 0
        have_break = 0
        break_remaining_width = 0
        break_start_offset = 0
        break_link = 0x0
        wrapped = 0...


Changed in unity (Ubuntu):
importance: Medium → Critical
Stephen M. Webb (bregma) wrote :

Here's a traceback with a little more information.

*** Error in `compiz': free(): invalid next size (fast): 0x0000000002c834b0 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x80996)[0x7fe48073c996]
/usr/lib/x86_64-linux-gnu/libpango-1.0.so.0(+0xe407)[0x7fe46129a407]
/usr/lib/x86_64-linux-gnu/libpango-1.0.so.0(+0xe6f8)[0x7fe46129a6f8]
/usr/lib/x86_64-linux-gnu/libpango-1.0.so.0(+0x2130a)[0x7fe4612ad30a]
/usr/lib/x86_64-linux-gnu/libpango-1.0.so.0(pango_layout_get_iter+0x80)[0x7fe4612af720]
/usr/lib/x86_64-linux-gnu/libpango-1.0.so.0(pango_renderer_draw_layout+0xdc)[0x7fe4612b487c]
/usr/lib/x86_64-linux-gnu/libpangocairo-1.0.so.0(+0x825a)[0x7fe4614e025a]
/usr/lib/compiz/libunityshell.so(unity::dash::ResultRendererTile::LoadText(unity::dash::Result const&)+0x26d)[0x7fe4627121ed]
/usr/lib/compiz/libunityshell.so(unity::dash::ResultViewGrid::DoLazyLoad()+0x2da)[0x7fe462719c0a]
/usr/lib/libunity-core-6.0.so.8(unity::glib::Source::SourceCallback(void*)+0x1a)[0x7fe460a1288a]
/lib/x86_64-linux-gnu/libglib-2.0.so.0(g_main_context_dispatch+0x146)[0x7fe47f00b3a6]
/lib/x86_64-linux-gnu/libglib-2.0.so.0(+0x486f8)[0x7fe47f00b6f8]
/lib/x86_64-linux-gnu/libglib-2.0.so.0(g_main_loop_run+0x6a)[0x7fe47f00bafa]
/usr/lib/libcompiz_core.so.ABI-20130415(compiz::private_screen::EventManager::startEventLoop(_XDisplay*)+0xab)[0x7fe480fded7b]
compiz(main+0x91)[0x401971]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf5)[0x7fe4806ddde5]
compiz[0x4019bc]

Changed in unity:
status: New → Triaged
importance: Undecided → Critical
milestone: none → 7.2.1
Stephen M. Webb (bregma) wrote :

This crash is evidently triggered when an attempt is made to render Burmese results, and there seems to be difficulty rendering certain combining characters from the Burmese codepage. For example, လးျဖဴ

Changed in unity:
assignee: nobody → Brandon Schaefer (brandontschaefer)
Changed in unity (Ubuntu):
assignee: nobody → Brandon Schaefer (brandontschaefer)
status: Confirmed → In Progress
Changed in unity:
status: Triaged → In Progress

*Note* The branch linked for unity will just be a workaround. The overall problem is in pango/harfbuzz. I need to make a small example to demo the problem.

PS Jenkins bot (ps-jenkins) wrote :

Fix committed into lp:unity at revision None, scheduled for release in unity, milestone 7.2.0

Changed in unity:
status: In Progress → Fix Committed
Changed in unity (Ubuntu):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in unity (Ubuntu Saucy):
status: New → Confirmed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package unity - 7.1.2+14.04.20131106.1-0ubuntu1

---------------
unity (7.1.2+14.04.20131106.1-0ubuntu1) trusty; urgency=low

  [ Ted Gould ]
  * Clean up NIH Errors so they don't get reported on exit. (LP:
    #1236720)

  [ Brandon Schaefer ]
  * Workaround for now, replace all blacklisted chars in the results
    name with a '?'. So we can still render all the results without a
    crash. This needs to be fixed in pango/harfbuzz. (LP: #1239381)
  * Get the current char before moving on to the next char!.

  [ Marco Trevisan (Treviño) ]
  * UnityScreen: also redraw the HudView if it has not been fully
    damaged. (LP: #1240322)
  * OverlayRenderer: only and correctly initialize the BGLayer when not
    on GLSL codepath Make sure we set the initial bg_layer_ value to the
    average color, and do this only if really needed. (LP: #1232726)
  * Launcher: desaturate the inactive icons when in Spread mode. (LP:
    #1238892, #1238638)
  * LauncherIcon: add MultiMonitor quirks support A quirk can be now set
    for all monitors or for just one. (LP: #1051913, #1215738, #1240750,
    #1240737)
  * UnityScreen: CreateSuperNewAction with Shift and Numpad for launcher
    This fixes the bug that caused Super+Shift+KP_x not to work as it
    should. (LP: #1240806)
  * AnimationUtils: add Start, Skip and SetValue methods These allows to
    start an animation, to skip it or to just set its value. The
    templates now are more intelligent and we define the values that can
    assume just once, by specializing a StartValueForDirection function.
  * Support libxpathselect1.4. (LP: #1243529)
  * LauncherIcon: use nux::Animation for each Quirk property Update
    Launcher and Icons code accordingly, get rid of the timespec. Remove
    unneeded Quirks, reduce redraws and update tests.
  * Invalidate the Icon Centers when the monitor layout changes, so we
    make sure that if an icon center is set, then the icon is available
    on that monitor. Added GetCenterForMonitor that allows to retrieve
    the nearest valid icon center for a given monitor, and in this way
    we can get the best icon that can handle a window minimization. (LP:
    #767752)

  [ Lars Uebernickel ]
  * panel-service.c: don't warn about unknown image type unnecessarily
    Don't warn about indicators that explicitly don't have an image
    set. However, continue warning when the set image is of an unknown
    type.

  [ Chris Townsend ]
  * Instead of using NeedSoftRedraw(), use QueueDraw() for the Launcher
    and Panel to force a redraw to fix issue where leaving a full screen
    unredirected window would not redraw the Launcher and Panel. (LP:
    #1240595)

  [ Eleni Maria Stea ]
  * Added --compiz-path parameter to the unity startup script. It allows
    us to start unity with custom builds of compiz (not only
    /usr/bin/compiz) like that: ./unity --compiz-path
    custom_compiz_build_directory/bin/compiz --replace ccp.

  [ Francis Ginther ]
  * Reverting support for libxpathselect1.4. (LP: #1245988)

  [ Łukasz 'sil2100' Zemczak ]
  * DebugDBusInterface: add support to libxpathselect-1.4 Some cleanups
    and reworking of glib::Variant and debug::...


Changed in unity (Ubuntu):
status: Fix Committed → Fix Released
Luc Bruninx (luc2005) wrote :

Also crashes with "wri" and "syn" when LibreOffice Writer is running on my Saucy 13.10 x86-64/nvidia.

It seems that key words of 3 letters cause the crash. "writer" causes no crash, for example, but "wri" crashes.

But it doesn't crash when "unity-lens-friends", "unity-lens-photos" and "unity-lens-video" are removed.

Dave Gilbert (ubuntu-treblig) wrote :

Luc: I can confirm the crash with 'wri' on Saucy, but not on Trusty.
The backtrace on saucy looks similar to me to this bug.

That seems reasonable. "wri" must be pulling in some suggestions from one of those lenses that is causing the crash. It was happening more in trusty, as it pulls from more lenses. I'll look into backporting the workaround asap!

Changed in unity (Ubuntu Saucy):
assignee: nobody → Brandon Schaefer (brandontschaefer)
importance: Undecided → Critical
status: Confirmed → In Progress
Changed in pango:
importance: Unknown → High
status: Unknown → New
no longer affects: unity/7.0
Changed in unity:
status: Fix Committed → Fix Released
PS Jenkins bot (ps-jenkins) wrote :

Fix committed into lp:unity/7.1 at revision None, scheduled for release in unity, milestone 7.1.2

Changed in unity:
status: Fix Released → Fix Committed
Changed in unity:
status: Fix Committed → Fix Released
Changed in unity (Ubuntu Saucy):
status: In Progress → Fix Committed
Changed in unity:
milestone: 7.2.1 → 7.2.0
Changed in unity:
status: Fix Released → Fix Committed
Stephen M. Webb (bregma) wrote :

Fix Released in Unity 7.2.0.

Changed in unity:
status: Fix Committed → Fix Released
Changed in unity (Ubuntu Saucy):
status: Fix Committed → Invalid
Changed in pango:
status: New → Confirmed
Changed in pango:
status: Confirmed → Expired