Bug 69501 - Crash while handling many authz checks
Summary: Crash while handling many authz checks
Status: RESOLVED FIXED
Alias: None
Product: PolicyKit
Classification: Unclassified
Component: daemon
Version: unspecified
Hardware: x86-64 (AMD64) Linux (All)
Importance: medium normal
Assignee: David Zeuthen (not reading bugmail)
QA Contact: David Zeuthen (not reading bugmail)
Reported: 2013-09-18 00:50 UTC by Mantas Mikulėnas
Modified: 2015-07-02 19:38 UTC
Description Mantas Mikulėnas 2013-09-18 00:50:34 UTC
Managed to crash polkit 0.111 several times. If polkitd has to do many authorization checks in a short time (e.g. someone is repeatedly calling org.freedesktop.login1.Manager.Inhibit() in a tight loop), the daemon crashes inside libmozjs-17.0 with the following backtrace:

Program received signal SIGSEGV, Segmentation fault.
js::ShapeTable::search (this=0x7ffff1225f80, id=id@entry=140737238840096, 
    adding=adding@entry=false)
    at /home/grawity/pkg/abs/js/trunk/src/mozjs17.0.0/js/src/jsscope.cpp:163
163	    stored = *spp;
(gdb) thread apply all bt

Thread 7 (Thread 0x7ffff08fe700 (LWP 651529)):
#0  0x00007ffff66dc3e8 in pthread_cond_timedwait@@GLIBC_2.3.2 ()
   from /usr/lib/libpthread.so.0
#1  0x00007ffff738b7e5 in g_cond_wait_until () from /usr/lib/libglib-2.0.so.0
#2  0x00007ffff7321d61 in ?? () from /usr/lib/libglib-2.0.so.0
#3  0x00007ffff73222eb in g_async_queue_timeout_pop () from /usr/lib/libglib-2.0.so.0
#4  0x00007ffff7370c56 in ?? () from /usr/lib/libglib-2.0.so.0
#5  0x00007ffff73701c5 in ?? () from /usr/lib/libglib-2.0.so.0
#6  0x00007ffff66d80a2 in start_thread () from /usr/lib/libpthread.so.0
#7  0x00007ffff640a43d in clone () from /usr/lib/libc.so.6

Thread 6 (Thread 0x7ffff10ff700 (LWP 651528)):
#0  0x00007ffff640196d in poll () from /usr/lib/libc.so.6
#1  0x00007ffff734b554 in ?? () from /usr/lib/libglib-2.0.so.0
#2  0x00007ffff734b9ba in g_main_loop_run () from /usr/lib/libglib-2.0.so.0
#3  0x000000000040ca8d in runaway_killer_thread_func (user_data=<optimized out>)
    at polkitbackendjsauthority.c:915
#4  0x00007ffff73701c5 in ?? () from /usr/lib/libglib-2.0.so.0
#5  0x00007ffff66d80a2 in start_thread () from /usr/lib/libpthread.so.0
#6  0x00007ffff640a43d in clone () from /usr/lib/libc.so.6

Thread 5 (Thread 0x7ffff1bd2700 (LWP 651527)):
#0  0x00007ffff66dc03f in pthread_cond_wait@@GLIBC_2.3.2 () from /usr/lib/libpthread.so.0
#1  0x00007ffff525b870 in PR_WaitCondVar () from /usr/lib/libnspr4.so
#2  0x00007ffff6a2dcae in js::SourceCompressorThread::threadLoop (this=0x7ffff7fc4c78)
    at /home/grawity/pkg/abs/js/trunk/src/mozjs17.0.0/js/src/jsscript.cpp:913
#3  0x00007ffff5260a51 in ?? () from /usr/lib/libnspr4.so
#4  0x00007ffff66d80a2 in start_thread () from /usr/lib/libpthread.so.0
#5  0x00007ffff640a43d in clone () from /usr/lib/libc.so.6

Thread 4 (Thread 0x7ffff27d3700 (LWP 651526)):
#0  0x00007ffff639dd50 in _int_free () from /usr/lib/libc.so.6
#1  0x00007ffff699abac in js_free (p=<optimized out>) at ./dist/include/js/Utility.h:174
#2  free_ (p=<optimized out>) at ./dist/include/js/Utility.h:613
#3  freeElementsAndArray (end=0xab21a8, array=0xaabdd0)
    at /home/grawity/pkg/abs/js/trunk/src/mozjs17.0.0/js/src/jsgc.h:636
#4  js::GCHelperThread::doSweep (this=this@entry=0x7ffff7fc4ba0)
    at /home/grawity/pkg/abs/js/trunk/src/mozjs17.0.0/js/src/jsgc.cpp:3111
#5  0x00007ffff699aca6 in js::GCHelperThread::threadLoop (this=0x7ffff7fc4ba0)
    at /home/grawity/pkg/abs/js/trunk/src/mozjs17.0.0/js/src/jsgc.cpp:2959
#6  0x00007ffff5260a51 in ?? () from /usr/lib/libnspr4.so
#7  0x00007ffff66d80a2 in start_thread () from /usr/lib/libpthread.so.0
#8  0x00007ffff640a43d in clone () from /usr/lib/libc.so.6

Thread 3 (Thread 0x7ffff2fd4700 (LWP 651525)):
#0  0x00007ffff640196d in poll () from /usr/lib/libc.so.6
#1  0x00007ffff734b554 in ?? () from /usr/lib/libglib-2.0.so.0
#2  0x00007ffff734b65c in g_main_context_iteration () from /usr/lib/libglib-2.0.so.0
#3  0x00007ffff734b6a9 in ?? () from /usr/lib/libglib-2.0.so.0
#4  0x00007ffff73701c5 in ?? () from /usr/lib/libglib-2.0.so.0
#5  0x00007ffff66d80a2 in start_thread () from /usr/lib/libpthread.so.0
#6  0x00007ffff640a43d in clone () from /usr/lib/libc.so.6

Thread 2 (Thread 0x7ffff37d5700 (LWP 651524)):
#0  0x00007ffff640196d in poll () from /usr/lib/libc.so.6
#1  0x00007ffff734b554 in ?? () from /usr/lib/libglib-2.0.so.0
#2  0x00007ffff734b9ba in g_main_loop_run () from /usr/lib/libglib-2.0.so.0
#3  0x00007ffff7927f26 in ?? () from /usr/lib/libgio-2.0.so.0
#4  0x00007ffff73701c5 in ?? () from /usr/lib/libglib-2.0.so.0
#5  0x00007ffff66d80a2 in start_thread () from /usr/lib/libpthread.so.0
#6  0x00007ffff640a43d in clone () from /usr/lib/libc.so.6

Thread 1 (Thread 0x7ffff7fa8740 (LWP 651519)):
#0  js::ShapeTable::search (this=0x7ffff1225f80, id=id@entry=140737238840096, 
    adding=adding@entry=false)
    at /home/grawity/pkg/abs/js/trunk/src/mozjs17.0.0/js/src/jsscope.cpp:163
#1  0x00007ffff6ac6cc8 in search (adding=false, pspp=<synthetic pointer>, 
    id=140737238840096, start=<optimized out>, cx=0x7ffff111de48) at ./jsscope.h:1085
#2  js::ObjectImpl::nativeLookup (this=<optimized out>, cx=cx@entry=0x6856e0, 
    id=140737238840096)
    at /home/grawity/pkg/abs/js/trunk/src/mozjs17.0.0/js/src/vm/ObjectImpl.cpp:265
#3  0x00007ffff69e4d14 in LookupPropertyWithFlagsInline (propp=..., objp=..., 
    flags=65535, id=..., obj=..., cx=0x6856e0)
    at /home/grawity/pkg/abs/js/trunk/src/mozjs17.0.0/js/src/jsobj.cpp:4051
#4  js_GetPropertyHelperInline (vp=..., getHow=<optimized out>, id_=<optimized out>, 
    receiver=..., obj=..., cx=0x6856e0)
    at /home/grawity/pkg/abs/js/trunk/src/mozjs17.0.0/js/src/jsobj.cpp:4277
#5  js::GetPropertyHelper (cx=cx@entry=0x6856e0, obj=..., obj@entry=..., id=..., 
    id@entry=..., getHow=getHow@entry=1, vp=..., vp@entry=...)
    at /home/grawity/pkg/abs/js/trunk/src/mozjs17.0.0/js/src/jsobj.cpp:4365
#6  0x00007ffff69c309e in GetPropertyOperation (vp=..., lval=..., pc=0x69357f "5", 
    cx=0x6856e0)
    at /home/grawity/pkg/abs/js/trunk/src/mozjs17.0.0/js/src/jsinterpinlines.h:270
#7  js::Interpret (cx=cx@entry=0x6856e0, entryFrame=<optimized out>, 
    entryFrame@entry=0x7ffff1bd3068, interpMode=interpMode@entry=js::JSINTERP_NORMAL)
    at /home/grawity/pkg/abs/js/trunk/src/mozjs17.0.0/js/src/jsinterp.cpp:2293
#8  0x00007ffff69c85bd in js::RunScript (cx=cx@entry=0x6856e0, script=<optimized out>, 
    fp=0x7ffff1bd3068)
    at /home/grawity/pkg/abs/js/trunk/src/mozjs17.0.0/js/src/jsinterp.cpp:309
#9  0x00007ffff69c8841 in js::InvokeKernel (cx=cx@entry=0x6856e0, args=..., 
    construct=construct@entry=js::NO_CONSTRUCT)
    at /home/grawity/pkg/abs/js/trunk/src/mozjs17.0.0/js/src/jsinterp.cpp:363
#10 0x00007ffff69c8b75 in Invoke (construct=js::NO_CONSTRUCT, args=..., cx=0x6856e0)
    at /home/grawity/pkg/abs/js/trunk/src/mozjs17.0.0/js/src/jsinterp.h:119
#11 js::Invoke (cx=cx@entry=0x6856e0, thisv=..., fval=..., argc=argc@entry=3, 
    argv=argv@entry=0x7fffffffcdd0, rval=rval@entry=0x7fffffffcdc0)
    at /home/grawity/pkg/abs/js/trunk/src/mozjs17.0.0/js/src/jsinterp.cpp:396
#12 0x00007ffff69378d9 in JS_CallFunctionName (cx=0x6856e0, objArg=<optimized out>, 
    name=name@entry=0x414aab "_runRules", argc=argc@entry=3, 
    argv=argv@entry=0x7fffffffcdd0, rval=rval@entry=0x7fffffffcdc0)
    at /home/grawity/pkg/abs/js/trunk/src/mozjs17.0.0/js/src/jsapi.cpp:5837
#13 0x000000000040c145 in call_js_function_with_runaway_killer (rval=0x7fffffffcdc0, 
    argv=0x7fffffffcdd0, argc=3, function_name=0x414aab "_runRules", authority=0x6530c0)
    at polkitbackendjsauthority.c:1019
#14 polkit_backend_js_authority_check_authorization_sync (_authority=<optimized out>, 
    caller=<optimized out>, subject=0x7fffec021630, user_for_subject=0x7fffec0222a0, 
    subject_is_local=1, subject_is_active=1, 
    action_id=0x93405e "org.freedesktop.login1.inhibit-block-sleep", details=0xa4d700, 
    implicit=POLKIT_IMPLICIT_AUTHORIZATION_AUTHORIZED) at polkitbackendjsauthority.c:1180
#15 0x000000000040ffe7 in check_authorization_sync (authority=authority@entry=0x6530c0, 
    caller=caller@entry=0xa5d640, subject=subject@entry=0x7fffec021630, 
    action_id=action_id@entry=0x93405e "org.freedesktop.login1.inhibit-block-sleep", 
    details=details@entry=0xa4d700, 
    flags=flags@entry=POLKIT_CHECK_AUTHORIZATION_FLAGS_NONE, 
    out_implicit_authorization=out_implicit_authorization@entry=0x7fffffffcffc, 
    checking_imply=checking_imply@entry=0, error=error@entry=0x7fffffffd000)
    at polkitbackendinteractiveauthority.c:1131
#16 0x0000000000410990 in polkit_backend_interactive_authority_check_authorization (
    authority=0x6530c0, caller=<optimized out>, subject=0x7fffec021630, 
    action_id=0x93405e "org.freedesktop.login1.inhibit-block-sleep", details=0xa4d700, 
    flags=POLKIT_CHECK_AUTHORIZATION_FLAGS_NONE, cancellable=0x0, 
    callback=0x409870 <check_auth_cb>, user_data=0xaaa4e0)
    at polkitbackendinteractiveauthority.c:952
#17 0x0000000000409d6d in server_handle_check_authorization (invocation=0x66a550, 
    caller=0xa5d640, parameters=<optimized out>, server=0x692c20)
    at polkitbackendauthority.c:787
#18 server_handle_method_call (connection=<optimized out>, sender=<optimized out>, 
    object_path=<optimized out>, interface_name=<optimized out>, 
    method_name=<optimized out>, parameters=<optimized out>, invocation=0x66a550, 
    user_data=0x692c20) at polkitbackendauthority.c:1214
#19 0x00007ffff7918a8e in ?? () from /usr/lib/libgio-2.0.so.0
#20 0x00007ffff734b266 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#21 0x00007ffff734b5b8 in ?? () from /usr/lib/libglib-2.0.so.0
#22 0x00007ffff734b9ba in g_main_loop_run () from /usr/lib/libglib-2.0.so.0
#23 0x00000000004090dd in main (argc=1, argv=0x7fffffffd4a8) at polkitd.c:236
(gdb) 

On IRC before posting this report:

03:06 (walters) hm, don't see anything immediately wrong but this code is nontrivial; maybe memory corruption somewhere
03:28 (walters) ok so the GC thread is running concurrently with the main thread, which is normal, but points to a memory management issue most likely on the polkit side

polkit 0.111-1
js 17.0.0-1
glib2 2.37.7-1
Comment 1 Leho Kraav (:macmaN :lkraav) 2014-07-29 11:13:29 UTC
Lengthy discussion in https://bugzilla.redhat.com/show_bug.cgi?id=910262 which got pointed to this bug.

But yeah, polkit-0.112 dies on me on the regular and it seems to be connected to NetworkManager operations.
Comment 2 Orion Poplawski 2014-10-22 15:38:18 UTC
Seems more like memory corruption in libmozjs17:
#0  js::ShapeTable::search (this=0x7f6896e25f80, id=id@entry=140087184634656, 
    adding=adding@entry=false) at /usr/src/debug/mozjs17.0.0/js/src/jsscope.cpp:163
163         stored = *spp;
(gdb) print spp
$2 = (js::Shape **) 0x720065043a5d05
(gdb) print *spp
Cannot access memory at address 0x720065043a5d05
(gdb) list
146     Shape **
147     ShapeTable::search(jsid id, bool adding)
148     {
149         js::HashNumber hash0, hash1, hash2;
150         int sizeLog2;
151         Shape *stored, *shape, **spp, **firstRemoved;
152         uint32_t sizeMask;
153
154         JS_ASSERT(entries);
155         JS_ASSERT(!JSID_IS_EMPTY(id));
156
157         /* Compute the primary hash address. */
158         hash0 = HashId(id);
159         hash1 = HASH1(hash0, hashShift);
160         spp = entries + hash1;
161
162         /* Miss: return space for a new entry. */
163         stored = *spp;
(gdb) print entries
$6 = (js::Shape **) 0x72006500730075
(gdb) print *entries
Cannot access memory at address 0x72006500730075

Any way to run polkitd under valgrind?
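The two pointer values printed in comment 2 deserve a second look. Read as a little-endian 64-bit word, `entries` (0x72006500730075) is the byte sequence 75 00 73 00 65 00 72 00, which is the UTF-16LE text "user", and the upper half of `spp` (0x720065043a5d05) ends in "er" the same way. SpiderMonkey of that era stores string characters as 16-bit `jschar`, so a ShapeTable whose `entries` pointer reads as UTF-16 text is what one would expect if the table's memory had been freed and reused for string data: a use-after-free rather than a random bit flip, which fits the concurrent GC sweep visible in thread 4 of the original backtrace and the memory-management suspicion voiced on IRC. That is an inference drawn here from the printed values, not something the bug's participants stated, and it does not say which string or which free was responsible. The C helper below, added as an illustration and not part of the bug report, polkit or mozjs, performs that decoding mechanically; the two constants are copied from comment 2 and the third pointer in the test is the `this` value from the crash frame.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example (not polkit or mozjs code): decode a suspect pointer value as
 * four little-endian UTF-16 code units, the way SpiderMonkey 17 stores string
 * characters (16-bit jschar). A pointer that decodes to readable text is a
 * strong hint that the object it belonged to was freed and its memory reused
 * for a string, i.e. a use-after-free rather than a stray bit flip.
 */

/* Fill out[0..3] with the printable ASCII units of v ('.' elsewhere),
 * NUL-terminate, and return how many of the four units were printable. */
int utf16le_view(uint64_t v, char out[5])
{
    int printable = 0;
    for (int i = 0; i < 4; i++) {
        uint16_t unit = (uint16_t)(v >> (16 * i));
        if (unit >= 0x20 && unit <= 0x7e) {
            out[i] = (char)unit;
            printable++;
        } else {
            out[i] = '.';
        }
    }
    out[4] = '\0';
    return printable;
}

/* 1 if every 16-bit unit of v is printable ASCII. Such a word cannot be a
 * canonical x86-64 user-space address: bits 48..63 would be nonzero. */
int looks_like_utf16_text(uint64_t v)
{
    char buf[5];
    return utf16le_view(v, buf) == 4;
}

int main(void)
{
    /* Values copied from the gdb session in comment 2 of this bug. */
    const struct { const char *name; uint64_t value; } suspects[] = {
        { "entries", 0x72006500730075ULL },
        { "spp",     0x720065043a5d05ULL },
    };

    for (size_t i = 0; i < sizeof suspects / sizeof suspects[0]; i++) {
        char text[5];
        int n = utf16le_view(suspects[i].value, text);
        printf("%-8s 0x%016llx  utf16le=\"%s\"  printable=%d/4  %s\n",
               suspects[i].name, (unsigned long long)suspects[i].value,
               text, n,
               looks_like_utf16_text(suspects[i].value)
                   ? "whole word is text: freed memory reused for a string?"
                   : "partial text");
    }
    return 0;
}
```

The check is a heuristic: a pointer whose bytes happen to spell a word is suggestive, not proof, and the `spp` value only partially decodes because `spp = entries + hash1` added an offset to the already-corrupted `entries`. It is still a cheap first question to ask of any garbage pointer in a crash dump from a runtime that keeps 16-bit string buffers.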
Comment 3 Miloslav Trmac 2015-07-02 19:38:43 UTC
Thanks for your report.  This should be fixed in polkit-0.113; please reopen if you can still reproduce (this specific crash).