Bug 75571

Summary: random pid 1 crash on rawhide systemd-210-2.fc21.x86_64
Product: systemd Reporter: Yanko Kaneti <yaneti>
Component: generalAssignee: systemd-bugs
Status: RESOLVED FIXED QA Contact: systemd-bugs
Severity: normal    
Priority: medium CC: alexander, kalevlember, systemd
Version: unspecified   
Hardware: Other   
OS: All   
Whiteboard:
i915 platform: i915 features:
Attachments: Backtrace from the core

Description Yanko Kaneti 2014-02-27 11:40:33 UTC 
Created attachment 94811 [details]
Backtrace from the core

Can't really reproduce this. Have the core still..
Comment 1 Zbigniew Jedrzejewski-Szmek 2014-02-28 04:30:39 UTC 
Seems like memory corruption. It seems that the unit would have to have been freed previously or otherwise overwritten. Strange.
Comment 2 Kalev Lember 2014-02-28 16:01:00 UTC 
I've seen similar PID 1 crashes on rawhide with the same systemd package version as the original reporter. A short debugging session seems to point to uninitialized memory in u->type:

Core was generated by `/usr/lib/systemd/systemd --switched-root --system --deserialize 20'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007eff009acbdb in raise (sig=sig@entry=11) at ../nptl/sysdeps/unix/sysv/linux/pt-raise.c:37
37	  return INLINE_SYSCALL (tgkill, 3, pid, THREAD_GETMEM (THREAD_SELF, tid),
Missing separate debuginfos, use: debuginfo-install audit-libs-2.3.4-1.fc21.x86_64 libattr-2.4.47-5.fc21.x86_64 libseccomp-2.1.1-2.fc21.x86_64 pcre-8.34-3.fc21.x86_64 zlib-1.2.8-4.fc21.x86_64
(gdb) bt
#0  0x00007eff009acbdb in raise (sig=sig@entry=11) at ../nptl/sysdeps/unix/sysv/linux/pt-raise.c:37
#1  0x00007eff021023ec in crash.2510 (sig=11) at ../src/core/main.c:151
#2  <signal handler called>
#3  0x00007eff0212788a in manager_invoke_notify_message (m=m@entry=0x7eff02ed82a0, u=0x7eff03111c60, pid=27698, buf=buf@entry=0x7fff9b695fe0 "READY=1\nSTATUS=Startup finished in 9ms.", n=n@entry=39)
    at ../src/core/manager.c:1335
#4  0x00007eff02127b39 in manager_dispatch_notify_fd.part.9 (userdata=0x7eff02ed82a0) at ../src/core/manager.c:1405
#5  0x00007eff02155bb1 in source_dispatch (s=0x7eff02f00820) at ../src/libsystemd/sd-event/sd-event.c:1861
#6  0x00007eff021577a0 in sd_event_run (e=0x7eff02ed8750, timeout=<optimized out>) at ../src/libsystemd/sd-event/sd-event.c:2117
#7  0x00007eff0211de14 in manager_loop (m=0x7eff02ed82a0) at ../src/core/manager.c:1844
#8  0x00007eff020b4c9c in main (argc=5, argv=0x7fff9b697c98) at ../src/core/main.c:1693
(gdb) frame 3
#3  0x00007eff0212788a in manager_invoke_notify_message (m=m@entry=0x7eff02ed82a0, u=0x7eff03111c60, pid=27698, buf=buf@entry=0x7fff9b695fe0 "READY=1\nSTATUS=Startup finished in 9ms.", n=n@entry=39)
    at ../src/core/manager.c:1335
1335	        if (UNIT_VTABLE(u)->notify_message)
(gdb) p u
$1 = (Unit *) 0x7eff03111c60
(gdb) # UNIT_VTABLE is defined as: UNIT_VTABLE(u) unit_vtable[(u)->type]
(gdb) p unit_vtable[(u)->type]
Cannot access memory at address 0x7eff06e81be0
(gdb) p (u)->type
$2 = 10054536
(gdb) # 10054536 is clearly garbage
(gdb) p *u
$3 = {manager = 0x7eff02ee3070, type = 10054536, load_state = 32511, merged_into = 0x4fa3, id = 0x0, instance = 0x0, names = 0x0, dependencies = {0x7eff030ab8b8, 0x7eff030ab8d8, 0x0 <repeats 22 times>}, 
  requires_mounts_for = 0x0, description = 0x0, documentation = 0x0, fragment_path = 0x0, source_path = 0x0, dropin_paths = 0x0, fragment_mtime = 0, source_mtime = 0, dropin_mtime = 0, job = 0x0, 
  nop_job = 0x0, job_timeout = 41, refs = 0x7eff030ab8a0, conditions = 0x0, condition_timestamp = {realtime = 139633732794608, monotonic = 41}, inactive_exit_timestamp = {realtime = 0, monotonic = 0}, 
  active_enter_timestamp = {realtime = 21474836479, monotonic = 0}, active_exit_timestamp = {realtime = 0, monotonic = 41}, inactive_enter_timestamp = {realtime = 0, monotonic = 0}, cgroup_path = 0x0, 
  cgroup_realized_mask = (unknown: 0), cgroup_subtree_mask = (unknown: 0), cgroup_members_mask = (unknown: 0), slice = {unit = 0x0, refs_next = 0x7eff02f2fc70, refs_prev = 0x0}, units_by_type_next = 0x0, 
  units_by_type_prev = 0x29, has_requires_mounts_for_next = 0x0, has_requires_mounts_for_prev = 0x0, load_queue_next = 0x0, load_queue_prev = 0x0, dbus_queue_next = 0x0, dbus_queue_prev = 0x0, 
  cleanup_queue_next = 0x0, cleanup_queue_prev = 0x0, gc_queue_next = 0x0, gc_queue_prev = 0x0, cgroup_queue_next = 0x7eff03111ea8, cgroup_queue_prev = 0x7eff030ab8a0, pids = 0x79, gc_marker = 0, 
  deserialized_job = 0, load_error = 0, unit_file_state = UNIT_FILE_ENABLED, stop_when_unneeded = true, default_dependencies = false, refuse_manual_start = false, refuse_manual_stop = false, 
  allow_isolate = false, on_failure_job_mode = JOB_FAIL, ignore_on_isolate = false, ignore_on_snapshot = false, condition_result = false, transient = false, in_load_queue = false, in_dbus_queue = false, 
  in_cleanup_queue = false, in_gc_queue = false, in_cgroup_queue = false, sent_dbus_new_signal = false, no_gc = false, in_audit = false, cgroup_realized = false, cgroup_members_mask_valid = false, 
  cgroup_subtree_mask_valid = false}
Comment 3 Lennart Poettering 2014-03-06 04:10:20 UTC 
Fixed in git.
Comment 4 Steven Noonan 2014-03-06 18:26:09 UTC 
Lennart: in which commit, please?

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.