unity-panel-service crashed with SIGABRT in __kernel_vsyscall()

Bug #741726 reported by dmiranda on 2011-03-24
140
This bug affects 24 people
Affects Status Importance Assigned to Milestone
DBus Menu
Fix Released
Undecided
Unassigned
Unity
Invalid
Undecided
Unassigned
Unity Foundations
Undecided
Ted Gould
libdbusmenu (Ubuntu)
Medium
Unassigned
unity (Ubuntu)
Undecided
Unassigned

Bug Description

Binary package hint: unity

Appmenu crashes when using kile

ProblemType: Crash
DistroRelease: Ubuntu 11.04
Package: unity 3.6.8-0ubuntu1
ProcVersionSignature: Ubuntu 2.6.38-7.38-generic 2.6.38
Uname: Linux 2.6.38-7-generic i686
NonfreeKernelModules: wl
Architecture: i386
CompizPlugins: [core,bailer,detection,composite,opengl,compiztoolbox,decor,move,place,grid,resize,session,vpswitch,imgpng,regex,gnomecompat,mousepoll,wall,animation,expo,workarounds,ezoom,staticswitcher,fade,scale,unityshell]
CompositorRunning: compiz
CrashCounter: 1
DRM.card0.LVDS.1:
 status: connected
 enabled: enabled
 dpms: On
 modes: 1024x600
 edid-base64: AP///////wANrwcQAAAAAAMTAQOAFgx4Cs9FkFlXlSkfUFQAAAABAQEBAQEBAQEBAQEBAQEBLBUAakFYNCBtSH0A3n0AAAAYAAAA/gBOMTAxTDYtTDAxCiAgAAAA/gBDTU8KICAgICAgICAgAAAA/gBOMTAxTDYtTDAxCiAgAMQ=
DRM.card0.VGA.1:
 status: disconnected
 enabled: disabled
 dpms: Off
 modes:
 edid-base64:
Date: Thu Mar 24 10:42:14 2011
DistUpgraded: Log time: 2011-03-07 19:02:00.546826
DistroCodename: natty
DistroVariant: ubuntu
ExecutablePath: /usr/lib/unity/unity-panel-service
GraphicsCard:
 Intel Corporation N10 Family Integrated Graphics Controller [8086:a011] (prog-if 00 [VGA controller])
   Subsystem: Samsung Electronics Co Ltd Device [144d:c072]
   Subsystem: Samsung Electronics Co Ltd Device [144d:c072]
InstallationMedia: Ubuntu 10.10 "Maverick Meerkat" - Release i386 (20101007)
InstallationMedia_: Ubuntu 10.10 "Maverick Meerkat" - Release i386 (20101007)
InstallationMedia__: Ubuntu 10.10 "Maverick Meerkat" - Release i386 (20101007)
MachineType: SAMSUNG ELECTRONICS CO., LTD. N150P/N210P/N220P
ProcCmdline: /usr/lib/unity/unity-panel-service
ProcEnviron:
 SHELL=/bin/bash
 LANGUAGE=pt_BR:pt_PT:en_US:en
 LANG=pt_BR.UTF-8
ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-2.6.38-7-generic root=UUID=f6741db8-8d59-4add-9c44-db1b6ce0751e ro quiet splash vt.handoff=7
ProcVersionSignature_: Ubuntu 2.6.38-7.38-generic 2.6.38
ProcVersionSignature__: Ubuntu 2.6.38-7.38-generic 2.6.38
Renderer: Unknown
Signal: 6
SourcePackage: unity
StacktraceTop:
 __kernel_vsyscall ()
 raise () from /lib/i386-linux-gnu/libc.so.6
 abort () from /lib/i386-linux-gnu/libc.so.6
 g_assertion_message () from /lib/i386-linux-gnu/libglib-2.0.so.0
 g_assertion_message_expr () from /lib/i386-linux-gnu/libglib-2.0.so.0
Title: unity-panel-service crashed with SIGABRT in __kernel_vsyscall()
UpgradeStatus: Upgraded to natty on 2011-03-08 (16 days ago)
UserGroups: adm admin cdrom dialout lpadmin plugdev sambashare
dmi.bios.date: 04/30/2010
dmi.bios.vendor: Phoenix Technologies Ltd.
dmi.bios.version: 01KY.M008.20100430.RHU
dmi.board.asset.tag: SAMSUNG
dmi.board.name: N150P/N210P/N220P
dmi.board.vendor: SAMSUNG ELECTRONICS CO., LTD.
dmi.board.version: Not Applicable
dmi.chassis.asset.tag: No Asset Tag
dmi.chassis.type: 10
dmi.chassis.vendor: SAMSUNG ELECTRONICS CO., LTD.
dmi.chassis.version: N/A
dmi.modalias: dmi:bvnPhoenixTechnologiesLtd.:bvr01KY.M008.20100430.RHU:bd04/30/2010:svnSAMSUNGELECTRONICSCO.,LTD.:pnN150P/N210P/N220P:pvrNotApplicable:rvnSAMSUNGELECTRONICSCO.,LTD.:rnN150P/N210P/N220P:rvrNotApplicable:cvnSAMSUNGELECTRONICSCO.,LTD.:ct10:cvrN/A:
dmi.product.name: N150P/N210P/N220P
dmi.product.version: Not Applicable
dmi.sys.vendor: SAMSUNG ELECTRONICS CO., LTD.
version.compiz: compiz 1:0.9.4git20110322-0ubuntu5
version.libdrm2: libdrm2 2.4.23-1ubuntu5
version.libgl1-mesa-glx: libgl1-mesa-glx 7.10.1-0ubuntu3
version.xserver-xorg: xserver-xorg 1:7.6~3ubuntu11
version.xserver-xorg-video-ati: xserver-xorg-video-ati 1:6.14.0-0ubuntu4
version.xserver-xorg-video-intel: xserver-xorg-video-intel 2:2.14.0-4ubuntu4
version.xserver-xorg-video-nouveau: xserver-xorg-video-nouveau 1:0.0.16+git20110107+b795ca6e-0ubuntu6

Related branches

dmiranda (dmiranda) wrote :

StacktraceTop:
 __kernel_vsyscall ()
 raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
 abort () at abort.c:92
 g_assertion_message (domain=0xc946e6 "GLib", file=0xcdc7f0 "/build/buildd/glib2.0-2.28.4/./glib/gvarianttypeinfo.c", line=186, func=0xcdca70 "g_variant_type_info_check", message=<value optimized out>) at /build/buildd/glib2.0-2.28.4/./glib/gtestutils.c:1358
 g_assertion_message_expr (domain=0xc946e6 "GLib", file=0xcdc7f0 "/build/buildd/glib2.0-2.28.4/./glib/gvarianttypeinfo.c", line=186, func=0xcdca70 "g_variant_type_info_check", expr=0xcdc7b9 "0 <= index && index < 24") at /build/buildd/glib2.0-2.28.4/./glib/gtestutils.c:1369

Changed in unity (Ubuntu):
importance: Undecided → Medium
tags: removed: need-i386-retrace
visibility: private → public
Michael Terry (mterry) wrote :

So Ted asked me to look at this, in the hopes another set of eyeballs would help.

I'm leery that the linked branch will do much. The type of the properties is already checked in get_properties_callback(). And the g_variant_iter_loop() format_string argument in the stack trace is "v}" which is clearly wrong. Looks like memory got corrupted somewhere upstack rather than unexpected variants in the properties list.

There aren't that many near opportunities for memory corruption. The 'data' argument to the function seems to be correctly ref'd before the callback is setup so it seems to be valid memory for the dbusmenu_menuitem_properties_list() call. That would leave get_properties_callback()...

What about line 604?

601 GVariant * child = g_variant_get_child_value(params, 0);
602 GVariantIter iter;
603 g_variant_iter_init(&iter, child);
604 g_variant_unref(child);
605 while ((child = g_variant_iter_next_value(&iter)) != NULL) {

Seems suspicious to unref the child there, since the docs say the iter is only valid as long as child is.

Additionally, though this wouldn't cause the crash, on line 1381, the "have_error == FALSE" check should be moved up to the surrounding "properties != NULL" check; otherwise you'll leak the first key/value pair if have_error is TRUE.

David Barth (dbarth) wrote :

This is a "ted + mterry" thing, ie Michael seems to have a patch for it, but there may be a dbusmenu side as well.

Changed in unity-foundations:
assignee: nobody → Ted Gould (ted)
Changed in unity:
assignee: nobody → Michael Terry (mterry)
milestone: none → 3.8.2
Changed in unity-foundations:
milestone: none → unity-3.8.0-beta
Changed in libdbusmenu (Ubuntu):
importance: Undecided → Medium
milestone: none → ubuntu-11.04-beta-1
status: New → Triaged
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libdbusmenu - 0.4.0-0ubuntu2

---------------
libdbusmenu (0.4.0-0ubuntu2) natty; urgency=low

  * Cherry picked fix for potential memory issues to fix unity-panel-service
     crashed with SIGABRT in __kernel_vsyscall() (LP: #741726)
 -- Ken VanDine <email address hidden> Mon, 28 Mar 2011 14:56:59 -0400

Changed in libdbusmenu (Ubuntu):
status: Triaged → Fix Released
Changed in unity (Ubuntu):
status: New → Fix Released
Michael Terry (mterry) on 2011-03-30
Changed in unity:
assignee: Michael Terry (mterry) → nobody
status: New → Invalid
Changed in dbusmenu:
status: New → Fix Committed
Ted Gould (ted) on 2011-03-31
Changed in dbusmenu:
status: Fix Committed → Fix Released
David Barth (dbarth) on 2011-04-04
Changed in unity-foundations:
status: New → Fix Released
Changed in unity (Ubuntu):
status: Fix Released → Invalid
importance: Medium → Undecided
To post a comment you must log in.