unity-2d-places crashed with SIGSEGV in QScriptValue::call()

Bug #836498 reported by Roman Zonov on 2011-08-29
This bug affects 9 people
Affects / Importance / Assigned to:
unity-2d: Critical, assigned to Olivier Tilloy
unity-2d (Ubuntu): Critical, Unassigned

Bug Description

System was started

ProblemType: Crash
DistroRelease: Ubuntu 11.10
Package: unity-2d-places 4.2.0-0ubuntu1
ProcVersionSignature: Ubuntu 3.0.0-9.14-generic-pae 3.0.3
Uname: Linux 3.0.0-9-generic-pae i686
Architecture: i386
Date: Mon Aug 29 11:37:22 2011
ExecutablePath: /usr/bin/unity-2d-places
ProcCmdline: unity-2d-places
ProcEnviron:
 PATH=(custom, no user)
 LANG=ru_RU.UTF-8
 SHELL=/bin/bash
SegvAnalysis:
 Segfault happened at: 0xb5ed1583 <_ZN12QScriptValue4callERKS_RK5QListIS_E+1155>: mov %edi,0x1c(%edx)
 PC (0xb5ed1583) ok
 source "%edi" ok
 destination "0x1c(%edx)" (0x00000035) not located in a known VMA region (needed writable region)!
SegvReason: writing NULL VMA
Signal: 11
SourcePackage: unity-2d
StacktraceTop:
 QScriptValue::call(QScriptValue const&, QList<QScriptValue> const&) () from /usr/lib/i386-linux-gnu/libQtScript.so.4
 ?? () from /usr/lib/i386-linux-gnu/libQtDeclarative.so.4
 ?? () from /usr/lib/i386-linux-gnu/libQtDeclarative.so.4
 ?? () from /usr/lib/i386-linux-gnu/libQtDeclarative.so.4
 ?? () from /usr/lib/i386-linux-gnu/libQtDeclarative.so.4
Title: unity-2d-places crashed with SIGSEGV in QScriptValue::call()
UpgradeStatus: Upgraded to oneiric on 2011-08-24 (4 days ago)
UserGroups: adm admin cdrom dialout lpadmin plugdev sambashare

Roman Zonov (roman2861) wrote :

StacktraceTop:
 registerScriptValue (value=<optimized out>, this=<optimized out>) at api/qscriptengine_p.h:617
 initFrom (value=..., this=<optimized out>) at api/qscriptengine_p.h:695
 scriptValueFromJSCValue (value=<optimized out>, this=<optimized out>) at api/qscriptengine_p.h:646
 QScriptValue::call (this=0xa726eec, thisObject=..., args=...) at api/qscriptvalue.cpp:1611
 QDeclarativeQtScriptExpression::eval (this=0xa981ae0, secondaryScope=0xa726eec, isUndefined=0x0) at qml/qdeclarativeexpression.cpp:479

Changed in unity-2d (Ubuntu):
importance: Undecided → Medium
tags: removed: need-i386-retrace
Robert Roth (evfool) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross privilege boundaries nor directly cause loss of data/privacy. Please feel free to report any other bugs you may find.
---
Ubuntu Bug Squad volunteer triager
http://wiki.ubuntu.com/BugSquad

visibility: private → public
Changed in unity-2d (Ubuntu):
status: New → Confirmed
Changed in unity-2d:
importance: Undecided → Critical
status: New → Incomplete
Changed in unity-2d (Ubuntu):
status: Confirmed → Incomplete
Changed in unity-2d:
status: Incomplete → Confirmed
Changed in unity-2d (Ubuntu):
status: Incomplete → Confirmed
Changed in unity-2d:
milestone: none → 4.10
Changed in unity-2d:
milestone: 4.10 → none
Changed in unity-2d (Ubuntu):
importance: Medium → Critical
Florian Boucault (fboucault) wrote :

Happened last on 2011-09-16 Unity 2D 4.8.0-0ubuntu1

Haggai Eran (haggai-eran) wrote :

This happens to me when running under a Hebrew locale on 4.12.0-0ubuntu1. I've attached detailed apport traces to bug #886710, which launchpad detected as a duplicate of this bug.

Haggai Eran (haggai-eran) wrote :

Hi,

I've noticed that I can prevent places from crashing by removing the line:
> dashView.active = false
In the onClicked handler of TileVertical.qml.

Gerry Boland (gerboland) wrote :

> I've noticed that I can prevent places from crashing by removing the line:
> > dashView.active = false
> In the onClicked handler of TileVertical.qml.

Interesting! How did you come to this conclusion? Was the crash occurring when you clicked on an item in the grid of icons?

Haggai Eran (haggai-eran) wrote :

Yes, the crash occurs when I click on an item in the grid. I can reproduce it by clicking the "More Apps" button and then clicking on one of the applications.

I came to this conclusion by adding prints to the onClicked handler, and seeing that it crashed before the handler is complete. It didn't crash right after the dashView deactivation line, but removing the other line (the line sending the activation to the lens) didn't have any effect on the crash, while removing the dashView deactivation stopped places from crashing.

Gerry Boland (gerboland) wrote :

Very good, thank you for the help!

I'll investigate to see what consequence removing that line will have.

But crashing QML shouldn't be possible, so I'm sure the Qt guys will be interested in this.

Changed in unity-2d:
assignee: nobody → Gerry Boland (gerboland)
Gerry Boland (gerboland) wrote :

Removing that line isn't a great fix, as it makes the Dash hide when you click on an icon to run an application. Otherwise you have to wait for the new application to take focus before the Dash goes away.

I can reproduce this with Hebrew locale. Am digging now.

Gerry Boland (gerboland) wrote :

Crash backtrace

Haggai Eran (haggai-eran) wrote :

For some reason your backtrace is different than the one in the bug report, and the one I had.

Gerry Boland (gerboland) wrote :

You're right. I managed to reproduce more than 2 different stack traces clicking on a Grid Icon in RTL dash. I added this one for reference.

It does appear from the backtrace that I'm dragging & dropping an icon in this case, not just clicking. Yet in both cases, I don't see why.

Gerry Boland (gerboland) on 2011-11-08
Changed in unity-2d:
assignee: Gerry Boland (gerboland) → Olivier Tilloy (osomon)
Olivier Tilloy (osomon) wrote :

I can reliably reproduce the crash when running unity-2d-places with LANGUAGE=he_IL.utf8.

Olivier Tilloy (osomon) wrote :

I can also reproduce independently from the locale used (tested with en_GB.utf-8 and fr_FR.utf-8) if I make the call to QApplication::setLayoutDirection(Qt::RightToLeft) not conditional (in src/libunity-2d-private/unity2dapplication.cpp).

Olivier Tilloy (osomon) wrote :

I have removed the other components (unity-2d-panel and unity-2d-launcher) from the equation by making sure they are not running and commenting out the code that forces the launcher to be visible when the dash is shown.
I can still reproduce the issue reliably.

Olivier Tilloy (osomon) wrote :

I have narrowed down the root cause to setting the source of the pageLoader to "" in the dashView.onActiveChanged handler (dash.qml, line 58).
If I comment out this instruction the crash doesn’t happen. Same if I delay it by one millisecond using a timer.

There is obviously a race condition at play on the pageLoader or its children that only manifests itself when the layout is mirrored. I’m still digging.

Olivier Tilloy (osomon) wrote :

I have managed to isolate the bug and to write a simple QML test case that reproduces it. I filed https://bugreports.qt.nokia.com/browse/QTBUG-22776 to track the issue. This will hopefully be fixed soon in Qt.
In the meantime I think our best option is to delay resetting the loader’s source by 1 millisecond using a Timer. I’ll make sure this workaround is documented so that it can be removed in due course when the bug is fixed in Qt.
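
The sequence the thread converges on (a click handler inside the loaded page deactivates the dash, whose onActiveChanged handler immediately unloads the Loader that owns the running handler) and the Timer-based deferral proposed above, as an added QtQuick 1.1 example. This is not dash.qml or TileVertical.qml from unity-2d; the pageLoader id, the dashView.active property and the one-millisecond Timer come from the comments, everything else (the inline page component, the MouseArea, the Timer id) is constructed. The project resets a URL with `source = ""`; to stay self-contained this example loads an inline component and unloads it with `sourceComponent = undefined`, which the Loader documents as equivalent. The right-to-left condition under which the crash was observed comes from the application (QApplication::setLayoutDirection) and is not reproduced here.

```qml
import QtQuick 1.1

// Constructed stand-in for the dash view; not the project's dash.qml.
Item {
    id: dashView
    width: 400; height: 300
    property bool active: true

    // Constructed stand-in for the page that TileVertical.qml lives in.
    // Clicking a tile deactivates the dash from inside a handler that belongs
    // to the item the Loader is about to destroy.
    Component {
        id: pageComponent
        Rectangle {
            anchors.fill: parent
            color: "lightgray"
            MouseArea {
                anchors.fill: parent
                onClicked: {
                    // Same order as reported in the thread: the deactivation
                    // happens while this handler is still running.
                    dashView.active = false
                }
            }
        }
    }

    Loader {
        id: pageLoader
        anchors.fill: parent
        sourceComponent: pageComponent
    }

    // Workaround described above: defer the unload by one millisecond so the
    // loaded item is not torn down underneath its own running handler.
    // Documented as a workaround for QTBUG-22776 so it can be removed once
    // the fix lands in Qt.
    Timer {
        id: resetLoaderTimer
        interval: 1
        repeat: false
        onTriggered: pageLoader.sourceComponent = undefined
    }

    onActiveChanged: {
        if (!active) {
            // Direct form that the thread identifies as the trigger when the
            // layout is mirrored:
            //     pageLoader.sourceComponent = undefined
            // Deferred form used instead:
            resetLoaderTimer.start()
        } else {
            pageLoader.sourceComponent = pageComponent
        }
    }
}
```

Loading the page again when `active` returns to true keeps the example symmetric; the project's own handler only needs the deactivation branch. Any timer-based deferral of this kind should carry a comment naming the upstream bug, as the comment above proposes, so that the delay is removed rather than cargo-culted once Qt no longer needs it.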

Changed in unity-2d:
status: Confirmed → In Progress
Olivier Tilloy (osomon) on 2011-11-16
Changed in unity-2d:
milestone: none → 4.14
Haggai Eran (haggai-eran) wrote :

I can confirm the workaround. Thanks!
Is there a chance this workaround will be backported to oneiric?

Olivier Tilloy (osomon) wrote :

Thanks for the feedback Haggai.
Yes, it is quite likely that this fix, if approved, will be backported to Oneiric with an SRU.

Changed in unity-2d:
status: In Progress → Fix Committed
Gerry Boland (gerboland) on 2011-11-19
Changed in unity-2d:
milestone: 4.14 → 5.2
Didier Roche (didrocks) on 2012-01-12
Changed in unity-2d:
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package unity-2d - 5.2.0-0ubuntu1

---------------
unity-2d (5.2.0-0ubuntu1) precise; urgency=low

  [ Didier Roche ]
  * New upstream release:
    - Select quicklist items with just one right click (LP: #688830)
    - Launcher - Dragging and dropping a running application in to the Trash
      should quit the application and (if the app is pinned to the Launcher)
      un-pin the application from the Launcher (LP: #870143)
    - Dash - "See more..." line should be base-aligned with section header
      (LP: #748101)
    - right click on the dash icon should display a list of the lenses
      (LP: #868452)
    - Top Bar - rename the "Desktop" title in the Top Bar (displayed when no
      window has focus) to "Ubuntu Desktop" (LP: #869873)
    - Application title on quicklist should be bold (or more visible)
      (LP: #900400)
    - unity-2d-launcher crashed with SIGSEGV when opening a folder on a CD
      (LP: #831868)
    - unity-2d-places crashed with SIGSEGV in QScriptValue::call()
      (LP: #836498)
    - unity-2d-launcher crashed with SIGSEGV in geis_finish() (LP: #850893)
    - unity-2d-places crashed with SIGABRT in raise() (LP: #857575)
    - unity-2d-launcher crashed with SIGSEGV in exit() (LP: #859596)
    - [spread] layout broken since bzr revision 799 of lp:unity-2d
      (LP: #900895)
    - [workspace switcher] keyboard navigation of workspace switcher broken
      for accessibility (LP: #744978)
    - [spread] workspace switcher performance is poor, especially on low
      powered CPUs (LP: #745764)
    - Launcher - the rendering of the BFB and Lens squircle does not match the
      design (LP: #838708)
    - [dash] Huge performance hit when scrolling search results with
      accessibility enabled (LP: #862956)
    - DBUS_STARTER_ADDRESS and DBUS_STARTER_BUS_TYPE aren't always unset from
      environment making gedit and possibly others fail to start (LP: #873027)
    - Win Key can not be disabled in Unity-2d (LP: #873580)
    - [dash] Unity-2d dash very slow to open (LP: #881756)
    - [tests] LauncherViewTest hanging (LP: #894380)
    - [tests] Unit tests failing due to lack of Xserver (LP: #894381)
    - [launcher] Alt+F1 broken: does not give the focus to the launcher's
      content (LP: #901505)
    - [tests] Add Automated User Experience testing (LP: #903495)
    - [workspace switcher] Performance can be poor when using the opengl
      backend because of window texture sizes that are not limited
      (LP: #808716)
    - [dash] no way to unmaximize (LP: #860400)
    - [launcher] In non-composite mode, background is black (LP: #879288)
    - [dash] Unity 2D shows 'Search' instead of 'Run Command' on ALT + F2
      (LP: #883392)
    - [launcher] Removing icon from launcher makes it hide immediately
      (LP: #884410)
    - OpenGL disabled regardless of use-opengl setting (LP: #887957)
    - if libdir does not equal lib (LP: #888164)
    - [launcher] Launcher stuck open while mouse moved to left corner of panel
      (LP: #892004)
    - [dash] Long results label are truncated instead of elided and a few
      pixels of the next line is visible (LP: #901491)
    - [launcher] Dash icon missing...


Changed in unity-2d (Ubuntu):
status: Confirmed → Fix Released
Changed in unity-2d:
status: Fix Released → Fix Committed
Changed in unity-2d:
status: Fix Committed → Fix Released