Bug 480954 – metacity crashed with SIGSEGV in g_list_length()

Bug 480954 - metacity crashed with SIGSEGV in g_list_length()


Summary:	metacity crashed with SIGSEGV in g_list_length()

Status:	RESOLVED INVALID

Product:	metacity
Classification:	Other
Component:	general
Version:	2.20.x
Hardware:	Other Linux

Importance:	High critical
Target Milestone:	2.21.2
Assigned To:	Metacity maintainers list
QA Contact:	Metacity maintainers list

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:
	Show dependency tree

Reported:	2007-09-27 13:44 UTC by Sebastien Bacher
Modified:	2008-07-13 23:03 UTC (History)
CC List:	1 user (show)

See Also:
GNOME target:	---
GNOME version:	2.19/2.20

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Sebastien Bacher 2007-09-27 13:44:01 UTC

The bug has been opened on https://bugs.launchpad.net/ubuntu/+source/metacity/+bug/145282

"Binary package hint: metacity

I was just working.

ProblemType: Crash
Architecture: amd64
...
Package: metacity 1:2.20.0-0ubuntu1
...

+ Trace 165918

#0 IA__g_list_length
at /build/buildd/glib2.0-2.14.1/glib/glist.c line 481
#1 do_screen_and_xinerama_relative_constraints
at constraints.c line 1046
#2 do_all_constraints
at constraints.c line 237
#3 meta_window_constrain
at constraints.c line 299
#4 meta_window_move_resize_internal
at window.c line 3136
#5 meta_window_move_resize
at window.c line 3510
#6 idle_move_resize
at window.c line 3578
#7 IA__g_main_context_dispatch
at /build/buildd/glib2.0-2.14.1/glib/gmain.c line 2061
#8 g_main_context_iterate
at /build/buildd/glib2.0-2.14.1/glib/gmain.c line 2694
#9 IA__g_main_loop_run
at /build/buildd/glib2.0-2.14.1/glib/gmain.c line 2898
#10 main
at main.c line 392

Comment 1 Thomas Thurman 2007-12-10 03:50:43 UTC

This is going to be a tough one to track down if we can't reproduce it.

The relevant piece of GLib code says:

471 	  	  	guint
472 	  	  	g_list_length (GList *list)
473 	  	  	{
474 	  	  	  guint length;
475 	  	  	
476 	  	  	  length = 0;
477 	  	  	  while (list)
478 	  	  	  {
479 	  	  	    length++;
480 	  	  	    list = list->next;
481 	  	  	  }
482 	  	  	
483 	  	  	  return length;
484 	  	  	}

According to the stack trace, length==0, but you can see from the above that the only things that can happen while length==0 are the local variable "list" being checked for being null, and the function returning zero. In particular it is impossible to dereference "list" while length==0 (though perhaps there's some funky caching thing going on).

Can you reproduce this bug? What were you actually doing, not moving windows around or switching between windows or anything? Were you just typing away, or were you not touching the computer at all?

Comment 2 Thomas Thurman 2008-07-13 23:03:30 UTC

Oops, made a comment on Launchpad last night that should have been here too:

FWIW, the call to g_list_length here is pretty useless except if you have logging on. We should probably remove it unless you do, and save a few cycles. On the other hand, it wouldn't fix this crash, since it's not *really* a problem with g_list_length but with the rectangle list containing a pointer outside the segment. We can't tell what that rectangle list was, since that depends on what called do_screen_and_xinerama_relative_constraints(), and that information's been optimised away. Unless we can find out more, we're going to have to close this for lack of information.

I did actually add a check for verbose mode yesterday, so that the log message's size and content are not calculated unless it'll be used, and hence g_list_length won't be called.  This closes the presenting problem.  But we still have the difficulty that the presenting problem can only have been caused by a degenerate list, which would have caused problems further down the line, and the real problem would have been finding where this list went bad.  However, we can't do that unless we can replicate, and we've only had one report of this problem.  Hence, I'm closing this as INVALID.  However, if this happens again, let us know.

Note You need to log in before you can comment on or make changes to this bug.