GNOME Bugzilla – Bug 323847
segfault in evolution-exchange-storage inside g_type_instance_get_private
Last modified: 2006-01-17 11:19:33 UTC
I don't know what caused this: I keep evolution and evolution-exchange-storage (compiled with -g via Garnome 2.12.2) running permanently in a debugger and this morning found that evolution-exchange-storage had segfaulted sometime during the weekend. I am filing it as a bug in Connector, but it might as well be a bug in libsoup. Please reassign as you see fit.

Versions (Garnome 2.12.2):
- libsoup-2.2.7
- glib-2.8.4
- evolution-exchange-2.4.2

The last debug messages in the console window were:

** (evolution-exchange-storage:10402): WARNING **: renew_subscription: 401 Unauthorized
** (evolution-exchange-storage:10402): WARNING **: renew_subscription: 401 Unauthorized
** (evolution-exchange-storage:10402): WARNING **: renew_subscription: 401 Unauthorized
** (evolution-exchange-storage:10402): WARNING **: renew_subscription: 0 (null)

The information I have is what I could gather from the debugger session.

Stack backtrace:

C g_type_instance_get_private, FP=bfffc6b8
C io_read, FP=bfffc6f8
C g_cclosure_marshal_VOID__VOID, FP=bfffc728
C g_closure_invoke, FP=bfffc788
C signal_emit_unlocked_R, FP=bfffc8a8
C g_signal_emit_valist, FP=bfffcb28
C g_signal_emit, FP=bfffcb48
C socket_read_watch, FP=bfffcb78
C g_io_unix_dispatch, FP=bfffcba8
C g_main_dispatch, FP=bfffcbf8
C g_main_context_dispatch, FP=bfffcc28
C g_main_context_iterate, FP=bfffcc98
C g_main_loop_run, FP=bfffccd8
C bonobo_main, FP=bfffccf8
C main, FP=bfffcd88
  __libc_start_main, FP=bfffcda8

"instance_node" == 0x2e6c6574 in function g_type_instance_get_private() of glib-2.8.4/gobject/gtype.c is invalid, causing the segfault at:

     instance_node = lookup_type_node_I (class->g_type);
  => if (G_UNLIKELY (!instance_node || !instance_node->is_instantiatable))

class->g_type is 0x2e6c6574, passed to this function:

  static inline TypeNode*
  lookup_type_node_I (register GType utype)
  {
    if (utype > G_TYPE_FUNDAMENTAL_MAX)
      return (TypeNode*) (utype & ~TYPE_ID_MASK);
    else
      return static_fundamental_type_nodes[utype >> G_TYPE_FUNDAMENTAL_SHIFT];
  }

glib-2.8.4/gobject/gtype.h:#define G_TYPE_FUNDAMENTAL_MAX (255 << G_TYPE_FUNDAMENTAL_SHIFT)
glib-2.8.4/gobject/gtype.h:#define G_TYPE_FUNDAMENTAL_SHIFT (2)
glib-2.8.4/gobject/gtype.c:#define TYPE_ID_MASK ((GType) ((1 << G_TYPE_FUNDAMENTAL_SHIFT) - 1))

-> G_TYPE_FUNDAMENTAL_MAX = 1020 < class->g_type
-> the first branch is taken

Indeed, evaluating the "utype & ~TYPE_ID_MASK" results in the invalid 0x2e6c6574.

Apparently class->g_type is invalid. It was pointed to by the SoupMessage "msg" in io_read() from libsoup-2.2.7/libsoup/soup-message-io.c

Expression: *(msg)
Address: 0x083ea740
Type: SoupMessage
Window Status:
Title: msg - io_read - 3.2
Language: C
Valid in Scope: io_read (Subroutine) soup-message-io.c (File) libsoup-2.2.so.8 (Image)
Compiled in Scope: io_read (Subroutine) soup-message-io.c (File) libsoup-2.2.so.8 (Image)
UPC Phase:
UPC Addr:
------------------------------------------
Field                   Type                    Value
parent                  GObject                 (Struct)
  g_type_instance       GTypeInstance           (Struct)
    g_class             GTypeClass *            0x0890f158 -> (GTypeClass)
  ref_count             guint volatile          0x0890f1a8 (143716776)
  qdata                 GData *                 0x00000000
method                  $string const *         0x40711a7a -> "SUBSCRIBE"
status_code             guint                   0x00000000 (0)
reason_phrase           $string const *         0x00000000
request                 SoupDataBuffer          (Struct)
  owner                 SoupOwnership           SOUP_BUFFER_SYSTEM_OWNED (0)
  body                  $string *               0x00000000
  length                guint                   0x00000000 (0)
request_headers         GHashTable *            0x083ea7b8 -> (GHashTable)
response                SoupDataBuffer          (Struct)
  owner                 SoupOwnership           SOUP_BUFFER_SYSTEM_OWNED (0)
  body                  $string *               0x00000000
  length                guint                   0x00000000 (0)
response_headers        GHashTable *            0x0890f160 -> (GHashTable)
status                  SoupMessageStatus       SOUP_MESSAGE_STATUS_FINISHED (4)
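
Added example, not part of the original report and not glib or libsoup code: it replays the branch decision of lookup_type_node_I() with the constants quoted above, then checks whether the bogus class->g_type decodes as printable ASCII, a common triage check for a pointer-sized field that has been overwritten with text. The helper names and the little-endian 32-bit byte order are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Constants as quoted in the report from glib-2.8.4 gtype.h / gtype.c. */
#define G_TYPE_FUNDAMENTAL_SHIFT 2
#define G_TYPE_FUNDAMENTAL_MAX   (255u << G_TYPE_FUNDAMENTAL_SHIFT)
#define TYPE_ID_MASK             ((1u << G_TYPE_FUNDAMENTAL_SHIFT) - 1u)

/* Hypothetical helper: returns 1 if lookup_type_node_I() would treat utype
 * as a TypeNode pointer (first branch), 0 if it would index the table of
 * fundamental types. On the pointer branch, *node_addr receives the address
 * that would then be dereferenced. */
int takes_pointer_branch(uint32_t utype, uint32_t *node_addr)
{
    if (utype > G_TYPE_FUNDAMENTAL_MAX) {
        *node_addr = utype & ~TYPE_ID_MASK;
        return 1;
    }
    *node_addr = 0;
    return 0;
}

/* Hypothetical helper: reads the value as 4 bytes in little-endian memory
 * order (assumed 32-bit x86). Returns how many bytes are printable ASCII;
 * out receives the text, with '?' standing in for non-printable bytes. */
int decode_as_ascii(uint32_t value, char out[5])
{
    int printable = 0;
    for (int i = 0; i < 4; i++) {
        unsigned char b = (unsigned char)((value >> (8 * i)) & 0xffu);
        int ok = (b >= 0x20 && b <= 0x7e);
        out[i] = ok ? (char)b : '?';
        printable += ok;
    }
    out[4] = '\0';
    return printable;
}

int main(void)
{
    uint32_t g_type = 0x2e6c6574u; /* class->g_type from the report */
    uint32_t node;
    char text[5];

    int ptr = takes_pointer_branch(g_type, &node);
    int n = decode_as_ascii(g_type, text);
    printf("pointer branch: %d, node address: 0x%08x\n", ptr, (unsigned)node);
    printf("as bytes: \"%s\" (%d/4 printable)\n", text, n);
    return 0;
}
```
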
patrick: Thanks for reporting the bug. When you observe this crash, type 'thread apply all bt' at the gdb prompt. Paste the stack traces here.
I'm not using gdb, but will provide a stack backtrace of all threads if it happens again.
description looks similar to http://bugzilla.gnome.org/show_bug.cgi?id=323533
It happened again over the weekend, but with a different segfault location this time. The console output was the same and g_type_instance_get_private() is involved again.

The output in the console window was:
------------------------
** (evolution-exchange-storage:22883): WARNING **: renew_subscription: 401 Unauthorized
** (evolution-exchange-storage:22883): WARNING **: renew_subscription: 0 (null)
(evolution-exchange-storage:22883): GLib-GObject-WARNING **: instance of invalid non-instantiatable type `<invalid>'
------------------------
The first line appeared 17 times.

Stack backtraces:

Stack Trace thread #0
C io_write, FP=bfffc7f8
C g_cclosure_marshal_VOID__VOID, FP=bfffc828
C g_closure_invoke, FP=bfffc888
C signal_emit_unlocked_R, FP=bfffc9a8
C g_signal_emit_valist, FP=bfffcc28
C g_signal_emit, FP=bfffcc48
C socket_write_watch, FP=bfffcc78
C g_io_unix_dispatch, FP=bfffcca8
C g_main_dispatch, FP=bfffccf8
C g_main_context_dispatch, FP=bfffcd28
C g_main_context_iterate, FP=bfffcd98
C g_main_loop_run, FP=bfffcdd8
C bonobo_main, FP=bfffcdf8
C main, FP=bfffce88
  __libc_start_main, FP=bfffcea8

Stack Trace thread #1
  PC: ffffe002, FP=41a6d774
  __poll, FP=41a6d774
C g_main_context_poll, FP=41a6d7a4
C g_main_context_iterate, FP=41a6d824
C g_main_loop_run, FP=41a6d864
C link_io_thread_fn, FP=41a6d884
C g_thread_create_proxy, FP=41a6d8b4
  start_thread, FP=41a6d8d4

Expression: *(msg)
Address: 0x08227880
Type: SoupMessage

Field                   Type                    Value
parent                  GObject                 (Struct)
  g_type_instance       GTypeInstance           (Struct)
    g_class             GTypeClass *            0x08382d88 -> (GTypeClass)
  ref_count             guint volatile          0x08230d48 (136514888)
  qdata                 GData *                 0x00000000
method                  $string const *         0x40711a7a -> "SUBSCRIBE"
status_code             guint                   0x00000000 (0)
reason_phrase           $string const *         0x00000000
request                 SoupDataBuffer          (Struct)
  owner                 SoupOwnership           SOUP_BUFFER_SYSTEM_OWNED (0)
  body                  $string *               0x00000000
  length                guint                   0x00000000 (0)
request_headers         GHashTable *            0x082278f8 -> (GHashTable)
response                SoupDataBuffer          (Struct)
  owner                 SoupOwnership           SOUP_BUFFER_SYSTEM_OWNED (0)
  body                  $string *               0x00000000
  length                guint                   0x00000000 (0)
response_headers        GHashTable *            0x08227948 -> (GHashTable)
status                  SoupMessageStatus       SOUP_MESSAGE_STATUS_FINISHED (4)
-----------------------

Looking at the source I see:

     static void
     io_write (SoupSocket *sock, SoupMessage *msg)
     {
         SoupMessagePrivate *priv = SOUP_MESSAGE_GET_PRIVATE (msg);
 ==>     SoupMessageIOData *io = priv->io_data;

priv == NULL

./desktop/libsoup/work/main.d/libsoup-2.2.7/libsoup/soup-message-private.h:#define SOUP_MESSAGE_GET_PRIVATE(o) (G_TYPE_INSTANCE_GET_PRIVATE ((o), SOUP_TYPE_MESSAGE, SoupMessagePrivate))
./platform/glib/work/main.d/glib-2.8.4/gobject/gtype.h:#define G_TYPE_INSTANCE_GET_PRIVATE(instance, g_type, c_type) ((c_type*) g_type_instance_get_private ((GTypeInstance*) (instance), (g_type)))
See http://live.gnome.org/GettingTraces for getting the stack traces.

Looks similar to 324487
> See http://live.gnome.org/GettingTraces for getting the stack traces.

Does that mean that you won't accept stack backtraces which are generated by other debuggers? I know how to use gdb, but at least the one on my desktop machine is less stable than TotalView so that I cannot use it the way I use TotalView now (by monitoring permanently and interactively investigating a crash). What information do you need that I haven't provided yet?

> looks similar to 324487

Yes, I agree.
*** This bug has been marked as a duplicate of 324487 ***