Bug 778615 – gnome-control-center crashes in libnm/nm-object.c:handle_property_changed

After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.

Bug 778615 - gnome-control-center crashes in libnm/nm-object.c:handle_property_changed


Summary:	gnome-control-center crashes in libnm/nm-object.c:handle_property_changed


Status:	RESOLVED FIXED

Product:	NetworkManager
Classification:	Platform
Component:	general
Version:	1.6.x
Hardware:	Other Linux

Importance:	Normal normal
Target Milestone:	---
Assigned To:	NetworkManager maintainer(s)
QA Contact:	NetworkManager maintainer(s)

URL:
Whiteboard:

Duplicates:	778403 778810 782245 (view as bug list)
Depends on:
Blocks:	nm-review

Reported:	2017-02-14 17:07 UTC by Emilio Pozuelo Monfort
Modified:	2017-05-07 16:16 UTC

See Also:
GNOME target:	---
GNOME version:	---

Attachments
[PATCH] libnm: disconnect signal from D-Bus proxies on dispose (3.75 KB, patch) 2017-02-16 17:58 UTC, Beniamino Galvani	none	Details \| Review

Description Emilio Pozuelo Monfort 2017-02-14 17:07:17 UTC

NetworkManager 1.6.0, gnome-control-center 3.22.1

gnome-control-center crashes when switching from the main panel and the network panel after a while. The gdb backtrace varies from different runs, but always goes through  Running under valgrind I get an invalid read in libnm:

emilio@tatooine:~$ valgrind --tool=memcheck gnome-control-center
==30420== Memcheck, a memory error detector
==30420== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==30420== Using Valgrind-3.12.0 and LibVEX; rerun with -h for copyright info
==30420== Command: gnome-control-center
==30420== 
==30420== Conditional jump or move depends on uninitialised value(s)
==30420==    at 0x4C32EA6: rawmemchr (vg_replace_strmem.c:1402)
==30420==    by 0xC976391: _IO_str_init_static_internal (strops.c:41)
==30420==    by 0xC969B66: vsscanf (iovsscanf.c:40)
==30420==    by 0xC9642D6: sscanf (sscanf.c:32)
==30420==    by 0x17D58E4A: ??? (in /usr/lib/x86_64-linux-gnu/libdrm.so.2.4.0)
==30420==    by 0x17D59182: ??? (in /usr/lib/x86_64-linux-gnu/libdrm.so.2.4.0)
==30420==    by 0x17D5CBF8: drmGetDevice (in /usr/lib/x86_64-linux-gnu/libdrm.so.2.4.0)
==30420==    by 0x1FA38286: ??? (in /usr/lib/x86_64-linux-gnu/libGL.so.1.2.0)
==30420==    by 0x1FA37644: ??? (in /usr/lib/x86_64-linux-gnu/libGL.so.1.2.0)
==30420==    by 0x1FA0B978: ??? (in /usr/lib/x86_64-linux-gnu/libGL.so.1.2.0)
==30420==    by 0x1FA06F10: glXQueryVersion (in /usr/lib/x86_64-linux-gnu/libGL.so.1.2.0)
==30420==    by 0x1694BE00: ??? (in /usr/lib/x86_64-linux-gnu/libcogl.so.20.4.2)
==30420== 
==30420== Conditional jump or move depends on uninitialised value(s)
==30420==    at 0xB6438CD: ??? (in /usr/lib/x86_64-linux-gnu/libcairo.so.2.11400.8)
==30420==    by 0xB62A874: ??? (in /usr/lib/x86_64-linux-gnu/libcairo.so.2.11400.8)
==30420==    by 0xB62AE7F: ??? (in /usr/lib/x86_64-linux-gnu/libcairo.so.2.11400.8)
==30420==    by 0xB62BF59: ??? (in /usr/lib/x86_64-linux-gnu/libcairo.so.2.11400.8)
==30420==    by 0xB62C311: ??? (in /usr/lib/x86_64-linux-gnu/libcairo.so.2.11400.8)
==30420==    by 0xB5D1950: ??? (in /usr/lib/x86_64-linux-gnu/libcairo.so.2.11400.8)
==30420==    by 0xB61A5FB: ??? (in /usr/lib/x86_64-linux-gnu/libcairo.so.2.11400.8)
==30420==    by 0xB5D9BF3: ??? (in /usr/lib/x86_64-linux-gnu/libcairo.so.2.11400.8)
==30420==    by 0xB5CC2E0: cairo_mask (in /usr/lib/x86_64-linux-gnu/libcairo.so.2.11400.8)
==30420==    by 0xA2A737B: mask_surface_repeat (gtkcssshadowvalue.c:391)
==30420==    by 0xA2A74B2: gtk_css_shadow_value_finish_drawing (gtkcssshadowvalue.c:422)
==30420==    by 0xA2A841D: draw_shadow_side (gtkcssshadowvalue.c:883)
==30420==    by 0xA2A841D: _gtk_css_shadow_value_paint_box (gtkcssshadowvalue.c:1002)
==30420== 
==30420== Invalid read of size 8
==30420==    at 0xBEADB4D: g_type_instance_get_private (gtype.c:4714)
==30420==    by 0x9973A2E: handle_property_changed (nm-object.c:671)
==30420==    by 0x99741D8: properties_changed (nm-object.c:757)
==30420==    by 0x1F577037: ffi_call_unix64 (in /usr/lib/x86_64-linux-gnu/libffi.so.6.0.4)
==30420==    by 0x1F576A99: ffi_call (in /usr/lib/x86_64-linux-gnu/libffi.so.6.0.4)
==30420==    by 0xBE887AD: g_cclosure_marshal_generic (gclosure.c:1490)
==30420==    by 0xBE87F74: g_closure_invoke (gclosure.c:804)
==30420==    by 0xBE99F81: signal_emit_unlocked_R (gsignal.c:3635)
==30420==    by 0xBEA2BCB: g_signal_emit_valist (gsignal.c:3391)
==30420==    by 0xBEA345A: g_signal_emit_by_name (gsignal.c:3487)
==30420==    by 0xBBB9944: signal_cb (gdbusobjectmanagerclient.c:1049)
==30420==    by 0xBB9A523: emit_signal_instance_in_idle_cb (gdbusconnection.c:3705)
==30420==  Address 0x320cb4d0 is 176 bytes inside a block of size 208 free'd
==30420==    at 0x4C2CDDB: free (vg_replace_malloc.c:530)
==30420==    by 0xBEAB651: g_type_free_instance (gtype.c:1937)
==30420==    by 0xC0E9A9A: g_ptr_array_foreach (garray.c:1502)
==30420==    by 0xC0E9B2F: ptr_array_free (garray.c:1088)
==30420==    by 0x9966E4F: dispose (nm-device-wifi.c:771)
==30420==    by 0xBE8CC04: g_object_unref (gobject.c:3148)
==30420==    by 0x22B7D0: ??? (in /usr/bin/gnome-control-center)
==30420==    by 0xBE8CC79: g_object_unref (gobject.c:3185)
==30420==    by 0xA4556E2: _gtk_tree_data_list_free (gtktreedatalist.c:52)
==30420==    by 0xC12FC35: g_sequence_foreach_range (gsequence.c:323)
==30420==    by 0xA3404B0: gtk_list_store_finalize (gtkliststore.c:565)
==30420==    by 0xBE8CC79: g_object_unref (gobject.c:3185)
==30420==  Block was alloc'd at
==30420==    at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)
==30420==    by 0xC11AE08: g_malloc (gmem.c:94)
==30420==    by 0xC133342: g_slice_alloc (gslice.c:1025)
==30420==    by 0xC13396D: g_slice_alloc0 (gslice.c:1051)
==30420==    by 0xBEAB388: g_type_create_instance (gtype.c:1839)
==30420==    by 0xBE8D1FA: g_object_new_internal (gobject.c:1783)
==30420==    by 0xBE8F10D: g_object_new_valist (gobject.c:2042)
==30420==    by 0xBE8F3B0: g_object_new (gobject.c:1626)
==30420==    by 0x995A152: obj_nm_for_gdbus_object (nm-client.c:2112)
==30420==    by 0x995AA8B: objects_created (nm-client.c:2164)
==30420==    by 0x995B081: init_sync (nm-client.c:2283)
==30420==    by 0xBB43B66: g_initable_new_valist (ginitable.c:228)
==30420== 

(gnome-control-center:30420): GLib-GObject-CRITICAL **: g_type_instance_get_private: assertion 'instance != NULL && instance->g_class != NULL' failed
==30420== Invalid read of size 8
==30420==    at 0x9973B32: handle_property_changed (nm-object.c:681)
==30420==    by 0x99741D8: properties_changed (nm-object.c:757)
==30420==    by 0x1F577037: ffi_call_unix64 (in /usr/lib/x86_64-linux-gnu/libffi.so.6.0.4)
==30420==    by 0x1F576A99: ffi_call (in /usr/lib/x86_64-linux-gnu/libffi.so.6.0.4)
==30420==    by 0xBE887AD: g_cclosure_marshal_generic (gclosure.c:1490)
==30420==    by 0xBE87F74: g_closure_invoke (gclosure.c:804)
==30420==    by 0xBE99F81: signal_emit_unlocked_R (gsignal.c:3635)
==30420==    by 0xBEA2BCB: g_signal_emit_valist (gsignal.c:3391)
==30420==    by 0xBEA345A: g_signal_emit_by_name (gsignal.c:3487)
==30420==    by 0xBBB9944: signal_cb (gdbusobjectmanagerclient.c:1049)
==30420==    by 0xBB9A523: emit_signal_instance_in_idle_cb (gdbusconnection.c:3705)
==30420==    by 0xC1156A9: g_main_dispatch (gmain.c:3203)
==30420==    by 0xC1156A9: g_main_context_dispatch (gmain.c:3856)
==30420==  Address 0x10 is not stack'd, malloc'd or (recently) free'd
==30420== 
==30420== 
==30420== Process terminating with default action of signal 11 (SIGSEGV)
==30420==  Access not within mapped region at address 0x10
==30420==    at 0x9973B32: handle_property_changed (nm-object.c:681)
==30420==    by 0x99741D8: properties_changed (nm-object.c:757)
==30420==    by 0x1F577037: ffi_call_unix64 (in /usr/lib/x86_64-linux-gnu/libffi.so.6.0.4)
==30420==    by 0x1F576A99: ffi_call (in /usr/lib/x86_64-linux-gnu/libffi.so.6.0.4)
==30420==    by 0xBE887AD: g_cclosure_marshal_generic (gclosure.c:1490)
==30420==    by 0xBE87F74: g_closure_invoke (gclosure.c:804)
==30420==    by 0xBE99F81: signal_emit_unlocked_R (gsignal.c:3635)
==30420==    by 0xBEA2BCB: g_signal_emit_valist (gsignal.c:3391)
==30420==    by 0xBEA345A: g_signal_emit_by_name (gsignal.c:3487)
==30420==    by 0xBBB9944: signal_cb (gdbusobjectmanagerclient.c:1049)
==30420==    by 0xBB9A523: emit_signal_instance_in_idle_cb (gdbusconnection.c:3705)
==30420==    by 0xC1156A9: g_main_dispatch (gmain.c:3203)
==30420==    by 0xC1156A9: g_main_context_dispatch (gmain.c:3856)
==30420==  If you believe this happened as a result of a stack
==30420==  overflow in your program's main thread (unlikely but
==30420==  possible), you can try to increase the size of the
==30420==  main thread stack using the --main-stacksize= flag.
==30420==  The main thread stack size used in this run was 8388608.

Example gdb backtrace:

GLib:ERROR:/build/glib2.0-m2w47E/glib2.0-2.50.2/./glib/ghash.c:373:g_hash_table_lookup_node: assertion failed: (hash_table->ref_count > 0)

Thread 1 "gnome-control-c" received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:58
58	../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt

+ Trace 237141

#0 __GI_raise
at ../sysdeps/unix/sysv/linux/raise.c line 58
#1 __GI_abort
at abort.c line 89
#2 g_assertion_message
#3 g_assertion_message_expr
at ././glib/gtestutils.c line 2455
#4 g_hash_table_lookup_node
at ././glib/ghash.c line 373
#5 g_hash_table_lookup
at ././glib/ghash.c line 1147
#6 handle_property_changed
at libnm/nm-object.c line 682
#7 properties_changed
at libnm/nm-object.c line 757
#8 ffi_call_unix64
#9 ffi_call
#14 <emit signal 0x7ffff0ed0f0c "g-properties-changed" on instance 0x55555632cb40 [NMDBusDeviceWifiProxy]>
at ././gobject/gsignal.c line 3487
#15 signal_cb
at ././gio/gdbusobjectmanagerclient.c line 1049
#16 emit_signal_instance_in_idle_cb
at ././gio/gdbusconnection.c line 3705
#17 g_main_dispatch
at ././glib/gmain.c line 3203
#18 g_main_context_dispatch
at ././glib/gmain.c line 3856
#19 g_main_context_iterate
at ././glib/gmain.c line 3929
#20 g_main_context_iteration
at ././glib/gmain.c line 3990
#21 g_application_run
at ././gio/gapplication.c line 2381
#22 main


Other backtraces at https://bugs.debian.org/854810 and https://bugs.debian.org/854561

Comment 1 Beniamino Galvani 2017-02-16 14:17:37 UTC

I can reproduce the crash using gnome-control-center 3.22.1 on Fedora 25 and NM from git master

Comment 2 Beniamino Galvani 2017-02-16 17:58:54 UTC

Created attachment 345984 [details] [review]
[PATCH] libnm: disconnect signal from D-Bus proxies on dispose

Comment 3 Thomas Haller 2017-02-16 19:05:41 UTC

lgtm

Comment 4 Lubomir Rintel 2017-02-18 09:08:45 UTC

looks good

Comment 5 Beniamino Galvani 2017-02-18 09:35:37 UTC

Applied to master:

https://cgit.freedesktop.org/NetworkManager/NetworkManager/commit/?id=5ae3db75158b2a5d71ea7027fe12638a3d243a4e

nm-1-6:

https://cgit.freedesktop.org/NetworkManager/NetworkManager/commit/?h=nm-1-6&id=0429753dab39c245f280c47ee269d88cf92d7061

Comment 6 Bastien Nocera 2017-03-10 18:15:01 UTC

*** Bug 778810 has been marked as a duplicate of this bug. ***

Comment 7 Bastien Nocera 2017-03-13 14:02:33 UTC

*** Bug 778403 has been marked as a duplicate of this bug. ***

Comment 8 Bastien Nocera 2017-05-07 14:53:57 UTC

*** Bug 782245 has been marked as a duplicate of this bug. ***

Comment 9 Bastien Nocera 2017-05-07 16:16:50 UTC

*** Bug 782245 has been marked as a duplicate of this bug. ***