GNOME Bugzilla – Bug 782761
segfault in libgweather causes gnome-shell crash
Last modified: 2017-06-05 04:41:44 UTC
Particularly bad issue because the segfault tears down the wayland session and drops back to the gdm prompt. On Xorg, gnome-shell is restarted without too much interruption. Probably a bit gnome-shell's fault too for not isolating better.. anyway.

The issue doesn't happen all the time, but when it happens I can reproduce it a couple of times - maybe a few hours.

The segfault actually happens in _gweather_location_update_weather_location "loc->yahoo_id = g_strdup (yahoo_id);" (gdb's line count is a bit off) because l->yahoo_id on line 1100 is almost-but-not-null: 0x8 to be exact.

I haven't found out the cause of this though. I can't see any initializations where the memory isn't zeroed out (g_slice_new0 is used) or buffer overflows..

Stack trace:
#0  0x00007fdb501f063b in _gweather_location_update_weather_location (gloc=0x55d4f2746cd0, loc=loc@entry=0x55d4f4378068) at gweather-location.c:1103
#1  0x00007fdb501e5466 in gweather_info_set_location_internal (info=<optimized out>, location=<optimized out>) at gweather-weather.c:2026
#2  0x00007fdb98ba8233 in () at /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#3  0x00007fdb98ba9dbe in g_object_new_valist () at /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#4  0x00007fdb98baa061 in g_object_new () at /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#5  0x00007fdb501e9858 in _gweather_info_new_clone (other=<optimized out>) at gweather-weather.c:2205
#6  0x00007fdb501ec996 in parse_forecast_xml_new (body=<optimized out>, master_info=0x55d4f1acb4b0) at weather-yrno.c:475
#7  0x00007fdb501ec996 in yrno_finish_new (session=<optimized out>, msg=0x55d4f4cf2550, user_data=<optimized out>) at weather-yrno.c:572
#8  0x00007fdb399f4e8e in () at /usr/lib/x86_64-linux-gnu/libsoup-2.4.so.1
#9  0x00007fdb399f5812 in () at /usr/lib/x86_64-linux-gnu/libsoup-2.4.so.1
#10 0x00007fdb399f58c6 in () at /usr/lib/x86_64-linux-gnu/libsoup-2.4.so.1
#11 0x00007fdb988c922a in g_main_context_dispatch () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
#12 0x00007fdb988c95e0 in () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
#13 0x00007fdb988c9902 in g_main_loop_run () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
#14 0x00007fdb9a0838ec in meta_run () at /usr/lib/x86_64-linux-gnu/libmutter-0.so.0
#15 0x000055d4f01d21a7 in main ()
Looks like the ref count on the "world" (root glocation) expired (0):

(gdb) up
$10 = (GWeatherInfoPrivate *) 0x5647556ba200
(gdb) print priv->location
$11 = {name = 0x564754337990, code = 0x5647546d17c0, zone = 0x564754056010, yahoo_id = 0x564754056030, radar = 0x56475418d6f0, latlon_valid = 0, latitude = 0, longitude = 0, country_code = 0x0, tz_hint = 0x0}
(gdb) print priv->glocation
$12 = (GWeatherLocation *) 0x564752fa8d00
(gdb) print priv->glocation->ref_count
$13 = 100
(gdb) print *priv->glocation->children
$17 = (GWeatherLocation *) 0x564752fa8db0
(gdb) print (*priv->glocation->children)->level
$27 = GWEATHER_LOCATION_WORLD
(gdb) print (*priv->glocation->children)->parent
$30 = (GWeatherLocation *) 0x0
(gdb) print (*priv->glocation->children)->ref_count
$32 = 0
Created attachment 352364
Fix refcounting bug in GWeatherInfo

The return value of find_by_station_code() is transfer none, but GWeatherInfo would take ownership of it.
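
The ownership mistake described in the attachment comment above, as a self-contained C model added here; it is not libgweather code and not the attached patch. Loc, Info, find_by_code, info_set_location and simulate are hypothetical names, the node is flagged as destroyed rather than freed, and taking an own reference is assumed as the fix because the patch content is not shown on this page.

```c
#include <stdio.h>
#include <string.h>

/* Toy stand-in for a refcounted location node (constructed model, not libgweather code). */
typedef struct Loc { int ref_count; int destroyed; const char *code; } Loc;
typedef struct Info { Loc *glocation; } Info;

static Loc *loc_ref(Loc *l) { l->ref_count++; return l; }
/* Real code frees at zero; flagged here instead so the demo has no real use-after-free. */
static void loc_unref(Loc *l) { if (--l->ref_count <= 0) l->destroyed = 1; }

/* "transfer none": the caller gets a borrowed pointer, the tree keeps ownership. */
static Loc *find_by_code(Loc *root, const char *code) { return strcmp(root->code, code) == 0 ? root : NULL; }

/* take_ref == 0 models the bug: the borrowed pointer is stored as if it were owned. */
static void info_set_location(Info *info, Loc *root, const char *code, int take_ref)
{
    Loc *found = find_by_code(root, code);
    info->glocation = (found && take_ref) ? loc_ref(found) : found;
}

static void info_finalize(Info *info)
{
    if (info->glocation)
        loc_unref(info->glocation);   /* always drops one reference */
    info->glocation = NULL;
}

/* Create and finalize n Info objects; return the tree's refcount afterwards. */
int simulate(int n, int take_ref, int *destroyed)
{
    Loc root = { 1, 0, "ROOT" };      /* single reference, held by the tree owner */
    for (int i = 0; i < n; i++) {
        Info info = { NULL };
        info_set_location(&info, &root, "ROOT", take_ref);
        info_finalize(&info);
    }
    *destroyed = root.destroyed;
    return root.ref_count;
}

int main(void)
{
    int d, rc = simulate(1, 0, &d);
    printf("borrowed pointer stored as owned: ref_count=%d destroyed=%d\n", rc, d);
    rc = simulate(3, 1, &d);
    printf("own reference taken:              ref_count=%d destroyed=%d\n", rc, d);
    return 0;
}
```

In the buggy mode a single create/finalize cycle is enough to drop the owner's only reference, which matches the ref_count of 0 seen on the world node in the gdb session while other code still points at it.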
*** Bug 781433 has been marked as a duplicate of this bug. ***