notify-osd sefaults in bubble_get_id() trying to access an unrefed object

Bug #1189281 reported by Angel Guzman Maeso
This bug affects 9 people
Affects: notify-osd (Ubuntu)
Status: Fix Released
Importance: High
Assigned to: Lars Karlitski

Bug Description

This crash happens sometimes when Liferea sends a bubble notification that needs bubble private data checking (probably a bad or invalid bubble notification identifier). This is probably a duplicate of #1181324; I am filing this report just in case the stacktrace helps to debug more info about the problem.

ProblemType: Crash
DistroRelease: Ubuntu 13.10
Package: notify-osd 0.9.35daily13.05.30-0ubuntu1
ProcVersionSignature: Ubuntu 3.8.0-13.23-generic 3.8.3
Uname: Linux 3.8.0-13-generic i686
ApportVersion: 2.10.2-0ubuntu1
Architecture: i386
CrashCounter: 1
Date: Mon Jun 10 01:10:43 2013
DesktopSession: 'ubuntu'
ExecutablePath: /usr/lib/i386-linux-gnu/notify-osd
GtkTheme: 'Ambiance'
IconTheme: 'ubuntu-mono-dark'
InstallationDate: Installed on 2013-02-03 (126 days ago)
InstallationMedia: Ubuntu 10.04 LTS "Lucid Lynx" - Release i386 (20100429)
MachineType: Acer Aspire 5943G
MarkForUpload: True
ProcCmdline: /usr/lib/i386-linux-gnu/notify-osd
ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-3.8.0-13-generic root=UUID=7f18d659-ec06-4afe-b3be-13b15de376b2 ro quiet splash vt.handoff=7
RelatedPackageVersions:
 xserver-xorg 1:7.7+1ubuntu4
 libgl1-mesa-glx 9.1.3-0ubuntu2
 libdrm2 2.4.45-2ubuntu1
 xserver-xorg-video-intel 2:2.21.9-0ubuntu1
 xserver-xorg-video-ati 1:7.1.0-0ubuntu2
SegvAnalysis:
 Segfault happened at: 0x8056a87 <bubble_get_id+23>: cmp %eax,(%edx)
 PC (0x08056a87) ok
 source "%eax" ok
 destination "(%edx)" (0xaaaaaaaa) not located in a known VMA region (needed writable region)!
SegvReason: writing unknown VMA
Signal: 11
SourcePackage: notify-osd
StacktraceTop:
 bubble_get_id ()
 stack_notify_handler ()
 dbus_glib_marshal_stack_VOID__STRING_UINT_STRING_STRING_STRING_BOXED_BOXED_INT_POINTER ()
 ?? () from /usr/lib/i386-linux-gnu/libdbus-glib-1.so.2
 ?? () from /lib/i386-linux-gnu/libdbus-1.so.3
Title: notify-osd crashed with SIGSEGV in bubble_get_id()
UpgradeStatus: Upgraded to saucy on 2013-02-03 (126 days ago)
UserGroups: adm admin cdrom dialout lpadmin plugdev sambashare
dmi.bios.date: 05/07/2010
dmi.bios.vendor: Acer
dmi.bios.version: V1.06
dmi.board.asset.tag: Base Board Asset Tag
dmi.board.name: Aspire 5943G
dmi.board.vendor: Acer
dmi.board.version: V1.06
dmi.chassis.type: 10
dmi.chassis.vendor: Acer
dmi.chassis.version: V1.06
dmi.modalias: dmi:bvnAcer:bvrV1.06:bd05/07/2010:svnAcer:pnAspire5943G:pvrV1.06:rvnAcer:rnAspire5943G:rvrV1.06:cvnAcer:ct10:cvrV1.06:
dmi.product.name: Aspire 5943G
dmi.product.version: V1.06
dmi.sys.vendor: Acer

Angel Guzman Maeso (shakaran) wrote :
Apport retracing service (apport) wrote :

StacktraceTop:
 bubble_get_id (self=self@entry=0x8a71ac0) at bubble.c:3100
 stack_notify_handler (self=0x8b032a0, app_name=0x8b32f90 "liferea", id=0, icon=0x8b33bc0 "liferea", summary=0x8b33bd0 "Actualizaci\303\263n", body=0x8a63d90 "<b>JS CodeBlocks</b> has <b>25</b> updates", actions=0x8b33be8, hints=0x8b00640, timeout=-1, context=0x8b33c60) at stack.c:776
 dbus_glib_marshal_stack_VOID__STRING_UINT_STRING_STRING_STRING_BOXED_BOXED_INT_POINTER (closure=0xbfab4e08, return_value=0x0, n_param_values=10, param_values=0x8b33c88, invocation_hint=0x0, marshal_data=0x8063f50 <stack_notify_handler>) at stack-glue.h:102
 invoke_object_method (message=0x8b35a30, connection=0x8a6e0b8, method=0x8070960 <dbus_glib_stack_methods>, object_info=0x8070944 <dbus_glib_stack_object_info>, object=0x8b032a0) at dbus-gobject.c:1899
 object_registration_message (connection=0x8a6e0b8, message=message@entry=0x8b35a30, user_data=user_data@entry=0x8a9ef00) at dbus-gobject.c:2161

Apport retracing service (apport) wrote : Stacktrace.txt
Apport retracing service (apport) wrote : ThreadStacktrace.txt
Changed in notify-osd (Ubuntu):
importance: Undecided → Medium
tags: removed: need-i386-retrace
information type: Private → Public
summary: - notify-osd crashed with SIGSEGV in bubble_get_id()
+ notify-osd crashed with SIGSEGV while checking bubble private mode
+ G_TYPE_INSTANCE_GET_PRIVATE in bubble_get_id()
Angel Guzman Maeso (shakaran) wrote : Re: notify-osd crashed with SIGSEGV while checking bubble private mode G_TYPE_INSTANCE_GET_PRIVATE in bubble_get_id()

I am doing a small analysis of the problem (in case it helps the developers to get it fixed soon in some way).

Notify-osd gets an OS error code "4", which stands for "Interrupted system call", in dmesg; the relevant info:

[952920.665441] notify-osd[12820]: segfault at aaaaaaaa ip 08056a87 sp bfc97b10 error 4 in notify-osd[8048000+32000]

The StacktraceTop revealed by apport suggests that the crash comes from the bubble_get_id function in bubble.c, line 3100:

StacktraceTop:
 bubble_get_id (self=self@entry=0x8a71ac0) at bubble.c:3100
 stack_notify_handler (self=0x8b032a0, app_name=0x8b32f90 "liferea", id=0, icon=0x8b33bc0 "liferea", summary=0x8b33bd0 "Actualizaci\303\263n", body=0x8a63d90 "<b>JS CodeBlocks</b> has <b>25</b> updates", actions=0x8b33be8, hints=0x8b00640, timeout=-1, context=0x8b33c60) at stack.c:776
 dbus_glib_marshal_stack_VOID__STRING_UINT_STRING_STRING_STRING_BOXED_BOXED_INT_POINTER (closure=0xbfab4e08, return_value=0x0, n_param_values=10, param_values=0x8b33c88, invocation_hint=0x0, marshal_data=0x8063f50 <stack_notify_handler>) at stack-glue.h:102
 invoke_object_method (message=0x8b35a30, connection=0x8a6e0b8, method=0x8070960 <dbus_glib_stack_methods>, object_info=0x8070944 <dbus_glib_stack_object_info>, object=0x8b032a0) at dbus-gobject.c:1899
 object_registration_message (connection=0x8a6e0b8, message=message@entry=0x8b35a30, user_data=user_data@entry=0x8a9ef00) at dbus-gobject.c:2161

The app that seems to crash notify-osd is Liferea, so I am relating this bug to the Liferea project too.

The portion of code affected is:

guint
bubble_get_id (Bubble* self)
{
 if (!self || !IS_BUBBLE (self))
  return 0;

 return GET_PRIVATE (self)->id;
}

The GET_PRIVATE macro is an alias for:

#define GET_PRIVATE(o) \
  (G_TYPE_INSTANCE_GET_PRIVATE ((o), BUBBLE_TYPE, BubblePrivate))

The crash happens in the register comparison, as shown:

=> 0x8056a87 <bubble_get_id+23>: cmp %eax,(%edx)
   0x8056a89 <bubble_get_id+25>: je 0x8056aa8 <bubble_get_id+56>
   0x8056a8b <bubble_get_id+27>: mov %eax,0x4(%esp)
   0x8056a8f <bubble_get_id+31>: mov %ebx,(%esp)
   0x8056a92 <bubble_get_id+34>: call 0x8052690 <g_type_check_instance_is_a@plt>
   0x8056a97 <bubble_get_id+39>: test %eax,%eax
   0x8056a99 <bubble_get_id+41>: jne 0x8056aa8 <bubble_get_id+56>
   0x8056a9b <bubble_get_id+43>: add $0x18,%esp
   0x8056a9e <bubble_get_id+46>: xor %eax,%eax
   0x8056aa0 <bubble_get_id+48>: pop %ebx
   0x8056aa1 <bubble_get_id+49>: ret
   0x8056aa2 <bubble_get_id+50>: lea 0x0(%esi),%esi
   0x8056aa8 <bubble_get_id+56>: call 0x8053680 <bubble_get_type>
   0x8056aad <bubble_get_id+61>: mov %ebx,(%esp)
   0x8056ab0 <bubble_get_id+64>: mov %eax,0x4(%esp)
   0x8056ab4 <bubble_get_id+68>: call 0x8052140 <g_type_instance_get_private@plt>

Concretely, during G_TYPE_INSTANCE_GET_PRIVATE:

https://developer.gnome.org/gobject/stable/gobject-Type-Information.html#G-TYPE-INSTANCE-GET-PRIVATE:CAPS

This function "Gets the private structure for a particular type. The private structure must have been registered in the class_init function with g_type_class_add_private()."

I checked that BubblePrivate is registered in bubble.c, function bubble_class_init(), line 21...


description: updated
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in notify-osd (Ubuntu):
status: New → Confirmed
Changed in notify-osd (Ubuntu):
importance: Medium → High
affects: liferea → notify-osd
summary: - notify-osd crashed with SIGSEGV while checking bubble private mode
- G_TYPE_INSTANCE_GET_PRIVATE in bubble_get_id()
+ notify-osd sefaults in bubble_get_id() trying to access an unrefed
+ object
Changed in notify-osd:
importance: Undecided → High
status: New → Confirmed
Sebastien Bacher (seb128) wrote :

valgrind log:

"==21810== Invalid read of size 4
==21810== at 0x8056A81: bubble_get_id (bubble.c:3100)
==21810== by 0x8064432: stack_notify_handler (stack.c:785)
==21810== by 0x806275C: dbus_glib_marshal_stack_VOID__STRING_UINT_STRING_STRING_STRING_BOXED_BOXED_INT_POINTER (stack-glue.h:102)
==21810== by 0x42410B5: object_registration_message (dbus-gobject.c:1899)
==21810== by 0x4279417: ??? (in /lib/i386-linux-gnu/libdbus-1.so.3.7.3)
==21810== by 0x426A45C: dbus_connection_dispatch (in /lib/i386-linux-gnu/libdbus-1.so.3.7.3)
==21810== by 0x423DF0C: message_queue_dispatch (dbus-gmain.c:90)
==21810== by 0x4C505CD: g_main_context_dispatch (gmain.c:3058)
==21810== by 0x4C50977: g_main_context_iterate.isra.21 (gmain.c:3705)
==21810== by 0x4C50DDA: g_main_loop_run (gmain.c:3899)
==21810== by 0x4D85934: (below main) (libc-start.c:260)
==21810== Address 0x660aae0 is 160 bytes inside a block of size 184 free'd
==21810== at 0x402AC38: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==21810== by 0x4C5640F: g_free (gmem.c:197)
==21810== by 0x4C6CEFA: g_slice_free1 (gslice.c:1124)
==21810== by 0x4BE7ECC: g_type_free_instance (gtype.c:1932)
==21810== by 0x4BC950A: g_object_unref (gobject.c:3202)
==21810== by 0x8063D2D: stack_layout (display.c:308)
==21810== by 0x806455E: stack_notify_handler (stack.c:772)
==21810== by 0x806275C: dbus_glib_marshal_stack_VOID__STRING_UINT_STRING_STRING_STRING_BOXED_BOXED_INT_POINTER (stack-glue.h:102)
==21810== by 0x42410B5: object_registration_message (dbus-gobject.c:1899)
==21810== by 0x4279417: ??? (in /lib/i386-linux-gnu/libdbus-1.so.3.7.3)
==21810== by 0x426A45C: dbus_connection_dispatch (in /lib/i386-linux-gnu/libdbus-1.so.3.7.3)
==21810== by 0x423DF0C: message_queue_dispatch (dbus-gmain.c:90)
==21810== by 0x4C505CD: g_main_context_dispatch (gmain.c:3058)
==21810== by 0x4C50977: g_main_context_iterate.isra.21 (gmain.c:3705)
==21810== by 0x4C50DDA: g_main_loop_run (gmain.c:3899)
==21810== by 0x4D85934: (below main) (libc-start.c:260)"

The issue is:

* the stack_notify_handler code does:

" stack_layout (self);
 }

 if (bubble)
  dbus_g_method_return (context, bubble_get_id (bubble));"

* stack_layout() does:

" if (dnd_dont_disturb_user ()
     && (! bubble_is_urgent (bubble)))
...
  g_object_unref (bubble);"

* so basically, in the case where the bubble is not displayed the object is unrefed, but bubble is not set to NULL, which makes if (bubble) not work as intended.

Not sure we can set bubble to NULL after the unref though, since stack_allocate_slot() has code that g_object_ref()s bubble objects, so it seems their ref count can be > 1 and it would be wrong to do bubble = NULL before the ref reaches 0...
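
The sequence described above is a use-after-free: stack_layout() drops the stack's reference in dnd mode, the local `bubble` pointer stays non-NULL, and bubble_get_id() reads the freed instance. The following is an added example, not notify-osd or GLib code: a toy refcounted Bubble on a slab that poisons freed slots with 0xaa (matching the 0xaaaaaaaa in the SegvAnalysis above), the buggy handler flow beside one possible fix that holds its own reference across stack_layout() instead of NULLing the pointer. The fix shown is an assumption for illustration; the change actually committed in lp:notify-osd r466 is not on this page.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Toy stand-in for a GObject: refcount plus the id field read by bubble_get_id(). */
typedef struct { int alive; int refcount; uint32_t id; } Bubble;

/* Toy slab replacing g_slice: freed slots are poisoned with 0xaa and stay
 * addressable, so the dangling read below is observable instead of a SIGSEGV. */
static Bubble slab[4];

static Bubble *bubble_new(uint32_t id) {
    for (size_t i = 0; i < sizeof slab / sizeof slab[0]; i++)
        if (!slab[i].alive) { slab[i] = (Bubble){1, 1, id}; return &slab[i]; }
    return NULL;
}
static Bubble *bubble_ref(Bubble *b) { b->refcount++; return b; }
static void bubble_unref(Bubble *b) {
    if (--b->refcount == 0) { memset(b, 0xaa, sizeof *b); b->alive = 0; }
}
/* As in bubble.c: the NULL check cannot tell a dangling pointer from a live one. */
static uint32_t bubble_get_id(Bubble *b) { return b ? b->id : 0; }
/* stack_layout(): in do-not-disturb mode the bubble is not shown and its
 * reference is dropped, the path quoted in the valgrind log above. */
static void stack_layout(Bubble *b, int dnd) { if (dnd) bubble_unref(b); }

/* Mirrors stack_notify_handler(): `bubble` is still non-NULL after the unref,
 * so the guard passes and the id is read from poisoned memory. */
static uint32_t notify_handler_buggy(int dnd) {
    Bubble *bubble = bubble_new(1);
    stack_layout(bubble, dnd);
    return bubble ? bubble_get_id(bubble) : 0;   /* 0xaaaaaaaa when dnd */
}

/* One possible fix (an assumption, not the committed one): take an extra
 * reference for the duration of the call, so the object outlives stack_layout()
 * however many other references the stack holds, and drop it after the read. */
static uint32_t notify_handler_fixed(int dnd) {
    Bubble *bubble = bubble_ref(bubble_new(1));
    stack_layout(bubble, dnd);
    uint32_t id = bubble_get_id(bubble);
    bubble_unref(bubble);                        /* last ref: slot released here */
    return id;
}

int main(void) {
    printf("buggy: 0x%08x\n", notify_handler_buggy(1));   /* 0xaaaaaaaa */
    printf("fixed: %u\n", notify_handler_fixed(1));       /* 1 */
    return 0;
}
```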

Sebastien Bacher (seb128) wrote :

Lars said he would have a go at fixing that one, thanks!

Changed in notify-osd (Ubuntu):
assignee: nobody → Lars Uebernickel (larsu)
Angel Guzman Maeso (shakaran) wrote :

I spoke on IRC with macslow, pitti and seb128; that was more or less the last conclusion that I got after seeing stack_layout and dnd mode.

The bubble is not getting displayed because of dnd (Don't disturb mode), in my case, because the dnd_has_one_fullscreen_window function is returning true, but I don't have fullscreen windows (just a laptop with an external screen plugged in) and no screen is in full-screen mode. It seems to be a problem detecting the status from the libwnck library:

gboolean
dnd_has_one_fullscreen_window (void)
{
 gboolean result;

 WnckScreen *screen = wnck_screen_get_default ();
 wnck_screen_force_update (screen);
 WnckWorkspace *workspace = wnck_screen_get_active_workspace (screen);
 GList *list = wnck_screen_get_windows (screen);
 GList *item = g_list_find_custom (list, workspace, (GCompareFunc) is_fullscreen_cb);
 result = item != NULL;
#ifdef HAVE_WNCK_SHUTDOWN
 wnck_shutdown ();
#endif
 return result;
}

The line result = item != NULL is getting a true value (1), but it probably doesn't mean that there really is a fullscreen window; maybe it needs something more specific (I don't know anything about how libwnck works, I am only reading a bit today in my spare time).

I mined the code with g_warning() calls (I also used gdb in the process) and it seems that it gets a bubble id 0, then it gets to 1, and it crashes after the dnd mode g_unref().

** (notify-osd:12603): WARNING **: Bubble id 0
** (notify-osd:12603): WARNING **: Stack push buble
** (notify-osd:12603): WARNING **: Bubble id: 0
** (notify-osd:12603): WARNING **: Bubble layout
** (notify-osd:12603): WARNING **: stack layout selecting bubble
** (notify-osd:12603): WARNING **: bubble: 0x80c42c0
** (notify-osd:12603): WARNING **: pre dnd mode
** (notify-osd:12603): WARNING **: dnd_is_online_presence_dnd: 0
** (notify-osd:12603): WARNING **: dnd_is_xscreensaver_active: 0
** (notify-osd:12603): WARNING **: dnd_is_screensaver_active: 0
** (notify-osd:12603): WARNING **: dnd_is_screensaver_inhibited: 0
** (notify-osd:12603): WARNING **: dnd_has_one_fullscreen_window: 1
** (notify-osd:12603): WARNING **: entering dnd
** (notify-osd:12603): WARNING **: bubble: 0x80c42c0
** (notify-osd:12603): WARNING **: Bubble id: 1
** (notify-osd:12603): WARNING **: Bubble id: 1
** (notify-osd:12603): WARNING **: stack layout selecting bubble
** (notify-osd:12603): WARNING **: bubble: (nil)
** (notify-osd:12603): WARNING **: Bubble dbus
CRASH

Angel Guzman Maeso (shakaran) wrote :

I can confirm that the fix in branch lp:~larsu/notify-osd/fix-1189281 fixes the crash, but it still doesn't display the notification bubble (probably the wrong behaviour in the dnd_has_one_fullscreen_window function for don't-disturb mode still remains).

PS Jenkins bot (ps-jenkins) wrote :

Fix committed into lp:notify-osd at revision 466, scheduled for release in notify-osd, milestone Unknown

Changed in notify-osd:
status: Confirmed → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package notify-osd - 0.9.35daily13.06.12-0ubuntu1

---------------
notify-osd (0.9.35daily13.06.12-0ubuntu1) saucy; urgency=low

  [ Lars Uebernickel ]
  * Don't crash when an application is fullscreen when a notification
    arrives. (LP: #1189281)

  [ Ubuntu daily release ]
  * Automatic snapshot from revision 466
 -- Ubuntu daily release <email address hidden> Wed, 12 Jun 2013 00:02:38 +0000

Changed in notify-osd (Ubuntu):
status: Confirmed → Fix Released
Angel Guzman Maeso (shakaran) wrote :

The issue about missing bubble notifications when dnd_has_one_fullscreen_window fails to detect fullscreen mode still remains.

I think that it is important because the user could lose info about notifications because of that. Should I file a separate report only for that?

Sebastien Bacher (seb128) wrote :

You should report a new bug about your issue; that has nothing to do with this segfault. It seems to be a design decision to me: if you watch a movie you probably don't want notifications to go over your video...

no longer affects: notify-osd