| Summary: | gnome-session crashed with SIGSEGV in g_str_hash() | ||
|---|---|---|---|
| Product: | upower | Reporter: | Chris Coulson <chrisccoulson> |
| Component: | general | Assignee: | Richard Hughes <richard> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | critical | ||
| Priority: | medium | ||
| Version: | unspecified | ||
| Hardware: | Other | ||
| OS: | Linux (All) | ||
| URL: | https://bugs.edge.launchpad.net/ubuntu/+source/devicekit-power/+bug/426501 | ||
| Whiteboard: | |||
| i915 platform: | i915 features: | ||
| Attachments: |
dbus-monitor --system
devkit-power-daemon --verbose |
||
Created attachment 29356 [details]
devkit-power-daemon --verbose
Tracking in https://bugzilla.redhat.com/show_bug.cgi?id=520960, I've fixed this earlier today. |
Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.
Created attachment 29355 [details] dbus-monitor --system Some users are seeing simultaneous crashes in gnome-power-manager and gnome-session when disconnecting some USB devices. Both crashes have a similar stacktrace. The crash can be triggered by doing the following steps with the device: 1) Insert, 2) Remove, 3) Insert, 4) Remove - crash #0 IA__g_str_hash (v=0x0) at /build/buildd/glib2.0-2.21.6/glib/gstring.c:99 p = (const signed char *) 0x0 h = <value optimized out> #1 0xb772bf97 in g_hash_table_remove_internal (hash_table=0x81d1920, key=0x0, notify=1) at /build/buildd/glib2.0-2.21.6/glib/ghash.c:195 node = <value optimized out> node_index = <value optimized out> __PRETTY_FUNCTION__ = "g_hash_table_remove_internal" #2 0xb781696c in IA__g_cclosure_marshal_VOID__STRING (closure=0x81a4250, return_value=0x0, n_param_values=2, param_values=0x8225ad8, invocation_hint=0xbfd13030, marshal_data=0x8070130) at /build/buildd/glib2.0-2.21.6/gobject/gmarshal.c:496 data1 = (gpointer) 0x81e1388 data2 = (gpointer) 0x81c4880 __PRETTY_FUNCTION__ = "IA__g_cclosure_marshal_VOID__STRING" #3 0xb78afc54 in marshal_dbus_message_to_g_marshaller (closure=0x81a4250, return_value=0x0, n_param_values=3, param_values=0x81c4a80, invocation_hint=0xbfd13030, marshal_data=0x0) at dbus-gproxy.c:1680 value_array = <value optimized out> c_marshaller = ( GSignalCMarshaller) 0x805007c <g_cclosure_marshal_VOID__STRING@plt> proxy = (DBusGProxy *) 0x81e1388 __PRETTY_FUNCTION__ = "marshal_dbus_message_to_g_marshaller" #4 0xb78080f2 in IA__g_closure_invoke (closure=0x81a4250, return_value=0x0, n_param_values=3, param_values=0x81c4a80, invocation_hint=0xbfd13030) at /build/buildd/glib2.0-2.21.6/gobject/gclosure.c:767 marshal = ( GClosureMarshal) 0xb78afa80 <marshal_dbus_message_to_g_marshaller> marshal_data = (gpointer) 0x0 __PRETTY_FUNCTION__ = "IA__g_closure_invoke" #5 0xb781eaf8 in signal_emit_unlocked_R (node=<value optimized out>, detail=<value optimized out>, instance=0x81e1388, emission_return=0x0, instance_and_params=0x81c4a80) at /build/buildd/glib2.0-2.21.6/gobject/gsignal.c:3247 tmp = (Handler *) 0xb784c200 handler = (Handler *) 0x81a0ca0 accumulator = (SignalAccumulator *) 0x0 emission = {next = 0x0, instance = 0x81e1388, ihint = { signal_id = 142, detail = 727, run_type = G_SIGNAL_RUN_FIRST}, state = EMISSION_RUN, chain_type = 4} class_closure = (GClosure *) 0x0 handler_list = (Handler *) 0xb784c200 return_accu = <value optimized out> accu = {g_type = 0, data = {{v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, v_pointer = 0x0}, {v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, v_pointer = 0x0}}} signal_id = 142 max_sequential_handler_number = 140 return_value_altered = 0 #6 0xb781fedd in IA__g_signal_emit_valist (instance=0x81e1388, signal_id=142, detail=727, var_args=0xbfd131f4 "ôß\211·82Ñ¿\202O\210·") at /build/buildd/glib2.0-2.21.6/gobject/gsignal.c:2980 signal_return_type = 4 node = (SignalNode *) 0x81e7aa8 i = <value optimized out> n_params = 2 __PRETTY_FUNCTION__ = "IA__g_signal_emit_valist" #7 0xb7820396 in IA__g_signal_emit (instance=0x81e1388, signal_id=142, detail=727) at /build/buildd/glib2.0-2.21.6/gobject/gsignal.c:3037 No locals. #8 0xb78b0e85 in dbus_g_proxy_manager_filter (connection=0x81eb148, message=0x821d678, user_data=0x81f5910) at dbus-gproxy.c:1733 proxy = (DBusGProxy *) 0x81e1388 tri = <value optimized out> full_list = (GSList *) 0x82022c8 tmp = (GSList *) 0x82022c8 sender = 0x81e1388 "\030c\036\b\004" __PRETTY_FUNCTION__ = "dbus_g_proxy_manager_filter" #9 0xb786ccad in dbus_connection_dispatch (connection=0x81eb148) at dbus-connection.c:4446 filter = (DBusMessageFilter *) 0x0 next = (DBusList *) 0x81e9ce0 message = (DBusMessage *) 0x821d678 link = <value optimized out> filter_list_copy = (DBusList *) 0x81e8db8 message_link = <value optimized out> result = <value optimized out> status = <value optimized out> __FUNCTION__ = "dbus_connection_dispatch" #10 0xb78a771d in message_queue_dispatch (source=0x81f54e0, callback=0, user_data=0x0) at dbus-gmain.c:101 connection = (DBusConnection *) 0x81eb148 #11 0xb7739e58 in IA__g_main_context_dispatch (context=0x81c8fb0) at /build/buildd/glib2.0-2.21.6/glib/gmain.c:1960 No locals. #12 0xb773d700 in g_main_context_iterate (context=0x81c8fb0, block=<value optimized out>, dispatch=1, self=0x81afd88) at /build/buildd/glib2.0-2.21.6/glib/gmain.c:2591 max_priority = 0 timeout = 0 some_ready = 1 nfds = <value optimized out> allocated_nfds = <value optimized out> fds = <value optimized out> __PRETTY_FUNCTION__ = "g_main_context_iterate" #13 0xb773db6f in IA__g_main_loop_run (loop=0x81fba90) at /build/buildd/glib2.0-2.21.6/glib/gmain.c:2799 self = (GThread *) 0x81afd88 __PRETTY_FUNCTION__ = "IA__g_main_loop_run" #14 0xb7b8c5e9 in IA__gtk_main () at /build/buildd/gtk+2.0-2.17.10/gtk/gtkmain.c:1205 tmp_list = (GList *) 0x81ac990 functions = (GList *) 0x0 init = (GtkInitFunction *) 0x81a0b40 loop = (GMainLoop *) 0x81fba90 #15 0x0806223b in main (argc=1, argv=0xbfd13694) at main.c:524 sa = {__sigaction_handler = {sa_handler = 0x1, sa_sigaction = 0x1}, sa_mask = {__val = {0 <repeats 32 times>}}, sa_flags = 0, sa_restorer = 0x80735e9 <__libc_csu_init+25>} error = (GError *) 0x0 display_str = <value optimized out> manager = <value optimized out> client_store = (GsmStore *) 0x81ac990 xsmp_server = (GsmXsmpServer *) 0x81a0b40 signal_handler = (GdmSignalHandler *) 0x81e3b40 override_autostart_dirs = (char **) 0x0 default_session_key = 0x0 entries = {{long_name = 0x8077aa7 "autostart", short_name = 97 'a', flags = 0, arg = G_OPTION_ARG_STRING_ARRAY, arg_data = 0x8083ad4, description = 0x8077d80 "Override standard autostart directories", arg_description = 0x0}, {long_name = 0x8077ab1 "default-session-key", short_name = 0 '\0', flags = 0, arg = G_OPTION_ARG_STRING, arg_data = 0x8083ad0, description = 0x8077da8 "GConf key used to lookup default session", arg_description = 0x0}, {long_name = 0x8077ac5 "debug", short_name = 0 '\0', flags = 0, arg = G_OPTION_ARG_NONE, arg_data = 0x8083ac8, description = 0x8077acb "Enable debugging code", arg_description = 0x0}, {long_name = 0x8077ae1 "failsafe", short_name = 102 'f', flags = 0, arg = G_OPTION_ARG_NONE, arg_data = 0x8083acc, description = 0x8077dd4 "Do not load user-specified applications", arg_description = 0x0}, {long_name = 0x807b5df "version", short_name = 0 '\0', flags = 0, arg = G_OPTION_ARG_NONE, arg_data = 0x8083ac4, description = 0x8077aea "Version of this application", arg_description = 0x0}, {long_name = 0x0, short_name = 0 '\0', flags = 0, arg = G_OPTION_ARG_NONE, arg_data = 0x0, description = 0x0, arg_description = 0x0}} The crash is proceeded by the following messages in ~/.xsession-errors: (gnome-power-manager:17805): devkit-power-gobject-CRITICAL **: dkp_device_get_object_path: assertion `DKP_IS_DEVICE (device)' failed gnome-session[17622]: devkit-power-gobject-CRITICAL: dkp_device_get_object_path: assertion `DKP_IS_DEVICE (device)' failed I asked the reporter to run gnome-session with G_DEBUG=fatal_criticals, and he got this backtrace: Program received signal SIGTRAP, Trace/breakpoint trap. IA__g_logv (log_domain=<value optimised out>, log_level=G_LOG_LEVEL_CRITICAL, format=0xb77e7ca1 "%s: assertion `%s' failed", args1=0xbf85fc2c "U\301\a\b{\273\a\b\320\17\366\267\210\361\234\b\240\1{\267") at /build/buildd/glib2.0-2.21.6/glib/gmessages.c:512 512 /build/buildd/glib2.0-2.21.6/glib/gmessages.c: No such file or directory. in /build/buildd/glib2.0-2.21.6/glib/gmessages.c #0 IA__g_logv (log_domain=<value optimised out>, log_level=G_LOG_LEVEL_CRITICAL, format=0xb77e7ca1 "%s: assertion `%s' failed", args1=0xbf85fc2c "U\301\a\b{\273\a\b\320\17\366\267\210\361\234\b\240\1{\267") at /build/buildd/glib2.0-2.21.6/glib/gmessages.c:512 #1 0xb77aff96 in IA__g_log (log_domain=0x807b5c3 "devkit-power-gobject", log_level=G_LOG_LEVEL_CRITICAL, format=0xb77e7ca1 "%s: assertion `%s' failed") at /build/buildd/glib2.0-2.21.6/glib/gmessages.c:526 #2 0xb77b01fb in IA__g_return_if_fail_warning ( log_domain=0x807b5c3 "devkit-power-gobject", pretty_function=0x807c155 "dkp_device_get_object_path", expression=0x807bb7b "DKP_IS_DEVICE (device)") at /build/buildd/glib2.0-2.21.6/glib/gmessages.c:541 #3 0x08071a89 in dkp_device_get_object_path () #4 0x0807017b in dkp_device_removed_cb () #5 0xb788296c in IA__g_cclosure_marshal_VOID__STRING (closure=0x89c79e8, return_value=0x0, n_param_values=2, param_values=0x89f7040, invocation_hint=0xbf85fe40, marshal_data=0x8070130) at /build/buildd/glib2.0-2.21.6/gobject/gmarshal.c:496 #6 0xb791bc54 in marshal_dbus_message_to_g_marshaller (closure=0x89c79e8, return_value=0x0, n_param_values=3, param_values=0x89a3548, invocation_hint=0xbf85fe40, marshal_data=0x0) at dbus-gproxy.c:1680 #7 0xb78740f2 in IA__g_closure_invoke (closure=0x89c79e8, return_value=0x0, n_param_values=3, param_values=0x89a3548, invocation_hint=0xbf85fe40) at /build/buildd/glib2.0-2.21.6/gobject/gclosure.c:767 #8 0xb788aaf8 in signal_emit_unlocked_R (node=<value optimised out>, detail=<value optimised out>, instance=0x89bdc78, emission_return=0x0, instance_and_params=0x89a3548) at /build/buildd/glib2.0-2.21.6/gobject/gsignal.c:3247 #9 0xb788bedd in IA__g_signal_emit_valist (instance=0x89bdc78, signal_id=142, detail=714, var_args=0xbf860004 "\364\237\220\267H") at /build/buildd/glib2.0-2.21.6/gobject/gsignal.c:2980 #10 0xb788c396 in IA__g_signal_emit (instance=0x89bdc78, signal_id=142, detail=714) at /build/buildd/glib2.0-2.21.6/gobject/gsignal.c:3037 #11 0xb791ce85 in dbus_g_proxy_emit_remote_signal (connection=0x89cde40, message=0x89c6c00, user_data=0x89c7d30) at dbus-gproxy.c:1733 #12 dbus_g_proxy_manager_filter (connection=0x89cde40, message=0x89c6c00, user_data=0x89c7d30) at dbus-gproxy.c:1300 #13 0xb78d8cad in dbus_connection_dispatch () from /lib/libdbus-1.so.3 #14 0xb791371d in message_queue_dispatch (source=0x89c7900, callback=0, user_data=0x0) at dbus-gmain.c:101 #15 0xb77a5e58 in g_main_dispatch (context=0x89a4fb0) at /build/buildd/glib2.0-2.21.6/glib/gmain.c:1960 #16 IA__g_main_context_dispatch (context=0x89a4fb0) at /build/buildd/glib2.0-2.21.6/glib/gmain.c:2513 #17 0xb77a9700 in g_main_context_iterate (context=0x89a4fb0, block=<value optimised out>, dispatch=1, self=0x898bd88) at /build/buildd/glib2.0-2.21.6/glib/gmain.c:2591 #18 0xb77a9b6f in IA__g_main_loop_run (loop=0x89e15c0) at /build/buildd/glib2.0-2.21.6/glib/gmain.c:2799 #19 0xb7bf85e9 in IA__gtk_main () at /build/buildd/gtk+2.0-2.17.10/gtk/gtkmain.c:1205 #20 0x0806223b in main (argc=1, argv=0xbf8604a4) at main.c:524 What seems to be happening is that dkp_client_get_device returns NULL for the device just removed because it doesn't exist in the hash table. This probably shouldn't make the client crash anyway. I asked the reporter to monitor the system bus when inserting and removing his device. The interesting bits are summarized below, and show that there is a DeviceAdded the first time the device is connected, then a DeviceRemoved when it is disconnected, but there is no DeviceAdded signal when the device is reconnected. When the device is removed for the second time, the DeviceRemoved triggers the crash because the device does not exist in the hash table in the client. signal sender=:1.813 -> dest=(null destination) serial=52 path=/org/freedesktop/DeviceKit/Power; interface=org.freedesktop.DeviceKit.Power; member=DeviceAdded string "/org/freedesktop/DeviceKit/Power/devices/keyboard_5_2" ---- signal sender=:1.813 -> dest=(null destination) serial=59 path=/org/freedesktop/DeviceKit/Power; interface=org.freedesktop.DeviceKit.Power; member=DeviceRemoved string "/org/freedesktop/DeviceKit/Power/devices/keyboard_5_2" ---- signal sender=:1.813 -> dest=(null destination) serial=60 path=/org/freedesktop/DeviceKit/Power; interface=org.freedesktop.DeviceKit.Power; member=DeviceRemoved string "/org/freedesktop/DeviceKit/Power/devices/keyboard_5_2" I also asked the reporter to run the daemon with --verbose to capture the output when he does this (attached). This shows that when the device is connected for the second time, it is treated as a change event because it still appears in the device list. This is why there is no second DeviceAdded signal: TI:19:32:22 TH:0xa04cb78 FI:dkp-daemon.c FN:dkp_daemon_uevent_signal_handler_cb,879 - remove /sys/devices/pci0000:00/0000:00:1a.1/usb4/4-1 *** WARNING *** TI:19:32:22 TH:0xa04cb78 FI:dkp-device.c FN:dkp_device_removed,383 - do something here? TI:19:32:26 TH:0xa04cb78 FI:dkp-daemon.c FN:dkp_daemon_uevent_signal_handler_cb,876 - add /sys/devices/pci0000:00/0000:00:1a.1/usb4/4-1 TI:19:32:26 TH:0xa04cb78 FI:dkp-daemon.c FN:dkp_daemon_device_add,819 - treating add event as change event on /org/freedesktop/DeviceKit/Power/devices/keyboard_4_1 TI:19:32:26 TH:0xa04cb78 FI:dkp-daemon.c FN:dkp_daemon_device_changed,674 - changed /org/freedesktop/DeviceKit/Power/devices/keyboard_4_1 I haven't debugged this any further yet, but I suspect that the DkpDevice is not finalized when the device is removed the first time.