GNOME Bugzilla – Bug 352444
Crashed while away from desk
Last modified: 2007-09-04 15:52:23 UTC
Steps to reproduce:
1. No idea; it did it while I wasn't looking
2.
3.

Stack trace:

Debugging Information:

Backtrace was generated from '/usr/libexec/gnome-netstatus'

(no debugging symbols found)
Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1".
(no debugging symbols found)
[Thread debugging using libthread_db enabled]
[New Thread -1223985472 (LWP 18126)]
(no debugging symbols found)
0xffffe410 in __kernel_vsyscall ()
+ Trace 70835
Thread 1 (Thread -1223985472 (LWP 18126))
Other information: Ubuntu 6.06 dapper
*** Bug 361056 has been marked as a duplicate of this bug. ***
Moving to ATK.
*** Bug 362070 has been marked as a duplicate of this bug. ***
*** Bug 362682 has been marked as a duplicate of this bug. ***
Not sure these dups are valid! Note that the stack trace is bogus, no syms, so the api calls in the frames are invalid. "Thanks for the bug report. Unfortunately, that stack trace is not very useful in determining the cause of the crash. Can you get us one with debugging symbols? Please see http://live.gnome.org/GettingTraces for more information on how to do so."
Also, probably not ATK/atk! Certainly cannot tell from the stack trace... _possibly_ at-spi. or maybe gail...
*** Bug 363995 has been marked as a duplicate of this bug. ***
*** Bug 364087 has been marked as a duplicate of this bug. ***
Should we keep filing these bugs as dups while this bug is still NEEDINFO waiting for a good stack trace? Maybe one of these reporters would be able to help us get a better trace. (the ones attached to this bug, and the dups I've seen, have been bogus due to lack of symbols in key libs, so we end up with the wrong function names in the backtrace...)
*** Bug 365759 has been marked as a duplicate of this bug. ***
*** Bug 366349 has been marked as a duplicate of this bug. ***
At the opening of evolution.
*** Bug 367087 has been marked as a duplicate of this bug. ***
*** Bug 367491 has been marked as a duplicate of this bug. ***
*** Bug 367528 has been marked as a duplicate of this bug. ***
It makes me think about gajim, which makes this bug with sound or graphic alert (the only active program I can see)
*** Bug 368107 has been marked as a duplicate of this bug. ***
*** Bug 369425 has been marked as a duplicate of this bug. ***
*** Bug 371030 has been marked as a duplicate of this bug. ***
*** Bug 370088 has been marked as a duplicate of this bug. ***
Created attachment 76046: gnome-panel-bugreport
It crashed again. Do I need to install any packages except gnome-panel-dbg?
Hi MaXx: looks like you need at-spi-dbg and gail-dbg, the stack trace still doesn't tell us what we need. Thanks for posting it though!
*** Bug 371922 has been marked as a duplicate of this bug. ***
pasting the stacktrace provided by manumuller (thanks, CC'ing you here) at bug 352265 comment 122 and reopening this bug report here. this trace still misses atk symbols, but at least provides the critical error warning. bill, feel free to needinfo again. :-)

gnome-netstatus-rapport-d-anomalies.txt:

Memory status: size: 177176576 vsize: 0 resident: 177176576 share: 0 rss: 45187072 rss_rlim: 0
CPU usage: start_time: 1162582625 rtime: 0 utime: 59940 stime: 0 cutime:54383 cstime: 0 timeout: 5557 it_real_value: 0 frequency: 0

Backtrace was generated from '/usr/libexec/gnome-netstatus'

(no debugging symbols found)
Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1".
(no debugging symbols found)
[Thread debugging using libthread_db enabled]
[New Thread -1225554256 (LWP 6050)]
0xffffe410 in __kernel_vsyscall ()
+ Trace 84081
Thread 1 (Thread -1225554256 (LWP 6050))
#0 0
You had my hopes up for a minute there... :-) But no :-( The assert failure is bogus, it happens well past the point where the stack frames no longer make sense, as far as I can tell. Andre, you say:

>this trace still misses atk symbols, but at least provides the critical error
>warning.

Do you mean the ORBit2 warning:
+ Trace 84091
I don't trust those stack frames - in any case the gail/atk ones are missing. I'm afraid I will have to NEEDINFO it again...
*** Bug 373360 has been marked as a duplicate of this bug. ***
*** Bug 374883 has been marked as a duplicate of this bug. ***
*** Bug 375286 has been marked as a duplicate of this bug. ***
*** Bug 375717 has been marked as a duplicate of this bug. ***
*** Bug 376792 has been marked as a duplicate of this bug. ***
*** Bug 377489 has been marked as a duplicate of this bug. ***
*** Bug 377894 has been marked as a duplicate of this bug. ***
*** Bug 377913 has been marked as a duplicate of this bug. ***
*** Bug 379318 has been marked as a duplicate of this bug. ***
add GNOME-a11y-bugs-EXT@sun.com to cc list
*** Bug 378550 has been marked as a duplicate of this bug. ***
*** Bug 378703 has been marked as a duplicate of this bug. ***
*** Bug 380695 has been marked as a duplicate of this bug. ***
*** Bug 380965 has been marked as a duplicate of this bug. ***
*** Bug 380716 has been marked as a duplicate of this bug. ***
Still looking for a useful stack trace for this bug...
*** Bug 381094 has been marked as a duplicate of this bug. ***
*** Bug 380760 has been marked as a duplicate of this bug. ***
*** Bug 381560 has been marked as a duplicate of this bug. ***
*** Bug 382511 has been marked as a duplicate of this bug. ***
Thanks for the bug report. Unfortunately, no stack trace is very useful in determining the cause of the crash. Can you get us one with debugging symbols? Please see http://live.gnome.org/GettingTraces for more information on how to do so. Please install the glib, ORBit and atk packages and attach the trace to this report. Thanks.
*** Bug 382490 has been marked as a duplicate of this bug. ***
Went through all the duplicates. Did not find any useful trace. Most of them crashed in gnome-terminal or gnome-system-monitor when the user opens or maximizes the window, or logs in from the screen saver. I'm keeping gnome-terminal and gnome-system-monitor running with accessibility enabled, hoping I can reproduce this.
I think "gnome_accessibility_module_shutdown"s in the trace should be spi_atk_emit_eventv and spi_atk_bridge_state_event_listener.
*** Bug 383571 has been marked as a duplicate of this bug. ***
*** Bug 384308 has been marked as a duplicate of this bug. ***
Which kind of machine are you using? 32bit or 64bit?
I think the real crash point is spi_atk_emit_eventv (bridge.c:765). spi_atk_emit_eventv calls CORBA_free, and finally in orbit-object.c: do_unref, the g_assert (robj->refs < ORBIT_REFCOUNT_MAX && robj->refs > 0) causes the crash. I think the reason is that robj->refs is too large; currently ORBIT_REFCOUNT_MAX is 1<<20, so maybe our refs exceed that number. That's why people get a crash when the system has run a long time. This may be because we do not free every Accessibility_EventDetails created in spi_init_any_* .
Created attachment 78273: patch for review
*** Bug 385248 has been marked as a duplicate of this bug. ***
Great detective work Li! Your fix looks reasonable - did you test that the ref count on some object was increasing greatly, just to confirm your suspicion?
Created attachment 78342: new patch
Yes, the ref keeps increasing, up to 400 in 5 mins when I am running gnome-system-log. But I found the root cause is not in CORBA_any's ref_counts, because that object is ORBIT_REFCOUNT_STATIC (Accessibility-common.c:2044). The ref_counts will not increase when it is created. I found the real point is that we do not unref some objects we create with spi_accessible_new (in spi_atk_bridge_property_event_listener and spi_atk_bridge_signal_listener). So when we call bonobo_object_unref in spi_atk_emit_eventv, the application crashes because the ref is too large. I made a new patch and did a little testing. The ref count stays under 10 now.
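The reference leak diagnosed in the two comments above, reduced to a toy model. This is an added example, not code from the thread, at-spi or ORBit2: `toy_obj`, `toy_ref`, `toy_unref`, the two listeners and `run_events` are hypothetical names, and only the limit value `1<<20` and the shape of the refcount check are taken from the comments.

```c
#include <stdio.h>

/* Toy stand-ins, not ORBit2/at-spi code. The limit mirrors the value the
 * thread quotes for ORBIT_REFCOUNT_MAX (1<<20). */
#define TOY_REFCOUNT_MAX (1 << 20)

typedef struct { int refs; } toy_obj;

static void toy_ref(toy_obj *o) { o->refs++; }

/* Same invariant as the g_assert quoted in the thread, reported as a
 * return value (0 = ok, -1 = invariant violated) instead of aborting. */
static int toy_unref(toy_obj *o)
{
    if (!(o->refs < TOY_REFCOUNT_MAX && o->refs > 0))
        return -1;
    o->refs--;
    return 0;
}

/* Emit path: releases exactly one reference once the event is sent. */
static int toy_emit(toy_obj *source) { return toy_unref(source); }

/* Leaky listener: takes two references per event, emit drops only one. */
static int leaky_listener(toy_obj *source)
{
    toy_ref(source);   /* reference handed to emit */
    toy_ref(source);   /* wrapper reference, never released: the leak */
    return toy_emit(source);
}

/* Balanced listener: every reference taken is released. */
static int fixed_listener(toy_obj *source)
{
    int rc;
    toy_ref(source);
    toy_ref(source);
    rc = toy_emit(source);
    if (rc == 0)
        rc = toy_unref(source);   /* release the wrapper reference */
    return rc;
}

/* Send `events` events through a listener. Returns the index of the event
 * at which the invariant failed, or -1 if it never failed. */
static long run_events(int (*listener)(toy_obj *), long events, int *final_refs)
{
    toy_obj app = { 1 };   /* one reference held by the application */
    long i, failed_at = -1;
    for (i = 0; i < events; i++)
        if (listener(&app) != 0) { failed_at = i; break; }
    *final_refs = app.refs;
    return failed_at;
}

int main(void)
{
    int refs;
    long at = run_events(leaky_listener, 2000000L, &refs);
    printf("leaky: check failed at event %ld, refs=%d\n", at, refs);
    at = run_events(fixed_listener, 2000000L, &refs);
    printf("fixed: failed_at=%ld, refs=%d\n", at, refs);
    return 0;
}
```

The leaky variant only fails after roughly a million events, which matches the reports of crashes on long-running sessions rather than at startup.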
That's great news Li, thanks again. I think you should commit the patch and mark as fixed - it's great that we can get this into the 2.17.4 release Monday!
Comment on attachment 78342: new patch

Li: It would be great if you or someone could test this with valgrind (only available on linux I'm afraid) to make sure we're unreffing at the right places, i.e. test for double-frees.
I just ran valgrind for a while, looks fine. Committed. BTW: I am applying for the upload permission, and I will ask Glenn or Brain to upload the new tarballs this time. Have a good holiday:)
I ran valgrind too and found this:

==4724== Invalid read of size 4
==4724==    at 0x497205B: ORBit_marshal_value (corba-any.c:152)
==4724==    by 0x4971FA5: ORBit_marshal_value (corba-any.c:166)
==4724==    by 0x49724A8: ORBit_marshal_any (corba-any.c:374)
==4724==    by 0x49721E0: ORBit_marshal_value (corba-any.c:139)
==4724==    by 0x4971FA5: ORBit_marshal_value (corba-any.c:166)
==4724==    by 0x4968767: orbit_small_marshal (orbit-small.c:353)
==4724==    by 0x4969BD9: ORBit_small_invoke_stub (orbit-small.c:646)
==4724==    by 0x4969E1D: ORBit_small_invoke_stub_n (orbit-small.c:575)
==4724==    by 0x4976721: ORBit_c_stub_invoke (poa.c:2643)
==4724==    by 0x5173463: Accessibility_EventListener_notifyEvent (Accessibility-stubs.c:321)
==4724==    by 0x51AC980: spi_atk_emit_eventv (bridge.c:740)
==4724==    by 0x51ACC92: spi_atk_bridge_exit_func (bridge.c:1263)
==4724==    by 0x4B80868: exit (exit.c:75)
==4724==    by 0x4B6AE63: (below main) (libc-start.c:253)
==4724==  Address 0x5748CF4 is 12 bytes inside a block of size 36 free'd
==4724==    at 0x4021FDA: free (vg_replace_malloc.c:233)
==4724==    by 0x4AEC2C0: g_free (gmem.c:187)
==4724==    by 0x496DAB4: ORBit_free_T (allocators.c:204)
==4724==    by 0x496DB30: ORBit_free (allocators.c:218)
==4724==    by 0x496DB9C: CORBA_free (allocators.c:143)
==4724==    by 0x51AC9E7: spi_atk_emit_eventv (bridge.c:762)
==4724==    by 0x51ACC47: spi_atk_bridge_exit_func (bridge.c:1257)

Is this related to this patch in any way?
Oh, I think so... Thank you very much. I didn't realize spi_atk_bridge_exit_func calls spi_atk_emit_eventv twice. Did you find that anything unexpected happened? A crash? The applications exit normally on my machine. It is very strange that this function should be called when the application exits, but I still can't find this problem with valgrind... :( Which application did you run with valgrind?
gnome-terminal crashed on me when logging out. I ran the entire gnome-session under valgrind when this happened.
Created attachment 78463: valgrind log from gnome-terminal when it crashed
Created attachment 78464: gnome-session valgrind log

gnome-session was the only other process that showed invalid reads from this session
Thank you Kjartan. I made a patch that may fix this problem. Can you help me by testing it a little? I don't have a build environment at hand. Thank you again.
Created attachment 78469: patch to avoid double free
Still seeing some invalid reads with this patch:

==4376== Invalid read of size 1
==4376==    at 0x4006238: strlen (mc_replace_strmem.c:246)
==4376==    by 0x495C6CD: CORBA_string_dup (corba-string.c:20)
==4376==    by 0x4EC508B: spi_init_any_object (util.c:153)
==4376==    by 0x4E8B133: spi_atk_bridge_init_object (bridge.c:1310)
==4376==    by 0x4E8B4F2: spi_atk_bridge_signal_listener (bridge.c:1113)
==4376==    by 0x4A3EE4D: signal_emit_unlocked_R (gsignal.c:2406)
==4376==    by 0x4A40596: g_signal_emit_valist (gsignal.c:2199)
==4376==    by 0x4A4333D: g_signal_emit_by_name (gsignal.c:2267)
==4376==    by 0x4E5A45A: gail_toplevel_show_event_watcher (gailtoplevel.c:278)
==4376==    by 0x4A3EE4D: signal_emit_unlocked_R (gsignal.c:2406)
==4376==    by 0x4A40596: g_signal_emit_valist (gsignal.c:2199)
==4376==    by 0x4A40758: g_signal_emit (gsignal.c:2243)
==4376==    by 0x4522247: gtk_widget_show (gtkwidget.c:2222)
==4376==    by 0x452B90E: gtk_window_present_with_time (gtkwindow.c:6248)
==4376==    by 0x452B978: gtk_window_present (gtkwindow.c:6200)
==4376==    by 0x805CBB3: terminal_app_new_terminal (terminal.c:2005)
==4376==    by 0x805D76B: new_terminal_with_options (terminal.c:1433)
==4376==    by 0x805E3C4: main (terminal.c:1761)
==4376==  Address 0x4B01250 is 240 bytes inside a block of size 296 free'd
==4376==    at 0x40054BB: realloc (vg_replace_malloc.c:306)
==4376==    by 0x4998A85: FcCharSetPutLeaf (fccharset.c:142)
==4376==    by 0x4998DA0: FcCharSetFindLeafCreate (fccharset.c:204)
==4376==    by 0x4998DE4: FcCharSetAddLeaf (fccharset.c:343)
==4376==    by 0x49998E6: FcCharSetOperate (fccharset.c:387)
==4376==    by 0x49A18C5: FcFontSetSort (fcmatch.c:607)
==4376==    by 0x49A1AB7: FcFontSort (fcmatch.c:836)
==4376==    by 0x425635A: _vte_fc_patterns_from_pango_font_desc (vtefc.c:449)
==4376==    by 0x4263E66: _vte_xft_set_text_font (vtexft.c:100)
==4376==    by 0x42554C5: _vte_draw_set_text_font (vtedraw.c:216)
==4376==    by 0x4247786: vte_terminal_set_font_full (vte.c:6268)
==4376==    by 0x4247B7B: vte_terminal_set_font (vte.c:6297)
==4376==    by 0x806CEAC: terminal_widget_set_pango_font (terminal-widget-vte.c:631)
==4376==    by 0x8068F11: terminal_screen_set_font (terminal-screen.c:835)
==4376==    by 0x8069230: terminal_screen_change_font (terminal-screen.c:939)
==4376==    by 0x80694FF: terminal_screen_reread_profile (terminal-screen.c:576)
==4376==    by 0x805CCA8: terminal_app_new_terminal (terminal.c:1971)
==4376==    by 0x805D76B: new_terminal_with_options (terminal.c:1433)
==4376==    by 0x805E3C4: main (terminal.c:1761)
I think this is another problem. Does the former invalid read disappear?
Yes, the former one is gone now. I don't think it crashed either, but with all the invalid reads in the log I guess that's just by pure luck.
Do you want me to file a new bug with the other invalid read?
Yes, please. Thank you.
Hi Kjartan, about the former gnome-terminal crash, did it happen only when you logged out (with gnome-terminal open)? Or does it crash every time you close gnome-terminal?
I didn't test that I'm sad to say. I could back out the latest patch and try again if you want.
Maybe I don't understand you correctly. You said "gnome-terminal crashed on me when logging out.". Does that mean gnome-terminal crashed when you logged out, and you don't know if it will crash while you are using it?
Yeah, I can retest without any patches to see if that clears things up.
*** Bug 388061 has been marked as a duplicate of this bug. ***
*** Bug 389944 has been marked as a duplicate of this bug. ***
*** Bug 388389 has been marked as a duplicate of this bug. ***
*** Bug 389344 has been marked as a duplicate of this bug. ***
*** Bug 389980 has been marked as a duplicate of this bug. ***
*** Bug 391242 has been marked as a duplicate of this bug. ***
*** Bug 391872 has been marked as a duplicate of this bug. ***
*** Bug 391693 has been marked as a duplicate of this bug. ***
*** Bug 356449 has been marked as a duplicate of this bug. ***
*** Bug 394335 has been marked as a duplicate of this bug. ***
*** Bug 395750 has been marked as a duplicate of this bug. ***
*** Bug 395800 has been marked as a duplicate of this bug. ***
*** Bug 396217 has been marked as a duplicate of this bug. ***
*** Bug 396616 has been marked as a duplicate of this bug. ***
*** Bug 396625 has been marked as a duplicate of this bug. ***
*** Bug 397274 has been marked as a duplicate of this bug. ***
*** Bug 398156 has been marked as a duplicate of this bug. ***
*** Bug 398394 has been marked as a duplicate of this bug. ***
*** Bug 400232 has been marked as a duplicate of this bug. ***
*** Bug 400452 has been marked as a duplicate of this bug. ***
*** Bug 400466 has been marked as a duplicate of this bug. ***
*** Bug 400619 has been marked as a duplicate of this bug. ***
*** Bug 401244 has been marked as a duplicate of this bug. ***
*** Bug 401280 has been marked as a duplicate of this bug. ***
*** Bug 400415 has been marked as a duplicate of this bug. ***
*** Bug 403054 has been marked as a duplicate of this bug. ***
*** Bug 356564 has been marked as a duplicate of this bug. ***
*** Bug 372990 has been marked as a duplicate of this bug. ***
*** Bug 404767 has been marked as a duplicate of this bug. ***
*** Bug 405222 has been marked as a duplicate of this bug. ***
*** Bug 405465 has been marked as a duplicate of this bug. ***
*** Bug 406136 has been marked as a duplicate of this bug. ***
*** Bug 406266 has been marked as a duplicate of this bug. ***
*** Bug 407599 has been marked as a duplicate of this bug. ***
*** Bug 408180 has been marked as a duplicate of this bug. ***
*** Bug 408840 has been marked as a duplicate of this bug. ***
*** Bug 408701 has been marked as a duplicate of this bug. ***
*** Bug 408842 has been marked as a duplicate of this bug. ***
*** Bug 366374 has been marked as a duplicate of this bug. ***
*** Bug 411881 has been marked as a duplicate of this bug. ***
*** Bug 411667 has been marked as a duplicate of this bug. ***
*** Bug 382080 has been marked as a duplicate of this bug. ***
*** Bug 413227 has been marked as a duplicate of this bug. ***
*** Bug 413678 has been marked as a duplicate of this bug. ***
*** Bug 413859 has been marked as a duplicate of this bug. ***
*** Bug 415631 has been marked as a duplicate of this bug. ***
*** Bug 414084 has been marked as a duplicate of this bug. ***
*** Bug 414462 has been marked as a duplicate of this bug. ***
*** Bug 417374 has been marked as a duplicate of this bug. ***
*** Bug 418980 has been marked as a duplicate of this bug. ***
*** Bug 413653 has been marked as a duplicate of this bug. ***
*** Bug 413605 has been marked as a duplicate of this bug. ***
*** Bug 412325 has been marked as a duplicate of this bug. ***
*** Bug 420123 has been marked as a duplicate of this bug. ***
*** Bug 420189 has been marked as a duplicate of this bug. ***
*** Bug 415996 has been marked as a duplicate of this bug. ***
*** Bug 423864 has been marked as a duplicate of this bug. ***
*** Bug 424285 has been marked as a duplicate of this bug. ***
*** Bug 424798 has been marked as a duplicate of this bug. ***
*** Bug 430256 has been marked as a duplicate of this bug. ***
*** Bug 430324 has been marked as a duplicate of this bug. ***
*** Bug 425729 has been marked as a duplicate of this bug. ***
*** Bug 428511 has been marked as a duplicate of this bug. ***
*** Bug 432248 has been marked as a duplicate of this bug. ***
*** Bug 432857 has been marked as a duplicate of this bug. ***
*** Bug 429130 has been marked as a duplicate of this bug. ***
*** Bug 431269 has been marked as a duplicate of this bug. ***
*** Bug 433214 has been marked as a duplicate of this bug. ***
*** Bug 434082 has been marked as a duplicate of this bug. ***
*** Bug 435488 has been marked as a duplicate of this bug. ***
*** Bug 435922 has been marked as a duplicate of this bug. ***
*** Bug 437251 has been marked as a duplicate of this bug. ***
*** Bug 437657 has been marked as a duplicate of this bug. ***
*** Bug 438625 has been marked as a duplicate of this bug. ***
*** Bug 440360 has been marked as a duplicate of this bug. ***
*** Bug 442875 has been marked as a duplicate of this bug. ***
*** Bug 444249 has been marked as a duplicate of this bug. ***
*** Bug 445665 has been marked as a duplicate of this bug. ***
*** Bug 441984 has been marked as a duplicate of this bug. ***
*** Bug 438793 has been marked as a duplicate of this bug. ***
*** Bug 451907 has been marked as a duplicate of this bug. ***
*** Bug 453006 has been marked as a duplicate of this bug. ***
*** Bug 449689 has been marked as a duplicate of this bug. ***
*** Bug 461257 has been marked as a duplicate of this bug. ***
*** Bug 466136 has been marked as a duplicate of this bug. ***