gjs-console assert failure: *** Error in `/usr/bin/gjs-console': free(): invalid next size (fast): 0x00007f74a804b240 ***

Bug #1418771 reported by Tim Lunn
This bug affects 107 people
Affects / Status / Importance / Assigned to / Milestone
Ubuntu GNOME: Fix Released, Undecided, Unassigned
gjs: Fix Released, Medium
gjs (Debian): Fix Released, Unknown
gjs (Ubuntu) Wily: Invalid, Undecided, Unassigned
tracker (Ubuntu): Fix Released, Medium, Unassigned
tracker (Ubuntu) Wily: Fix Released, Medium, Unassigned

Bug Description

[Impact]
gnome-documents search provider crashes due to a buffer overrun in libunistring handling.

I have also included a few other patches cherry-picked from the upstream tracker-1.4 branch that deal with crashes caused by mishandling of GCancellables.

[Test Case]

- in one terminal run /usr/bin/gnome-documents --gapplication-service
- within 10 seconds of the above, in another terminal run dbus-send --print-reply --dest=org.gnome.Documents /org/gnome/Documents/SearchProvider org.gnome.Shell.SearchProvider2.GetInitialResultSet array:string:"search"

[Regression Potential]
Low, these are all simple patches from the upstream stable branch.

Ubuntu GNOME (ug-bot) wrote :

StacktraceTop:
 __libc_message (do_abort=do_abort@entry=1, fmt=fmt@entry=0x7f74d0bf9b00 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
 malloc_printerr (ptr=<optimized out>, str=0x7f74d0bf9ca0 "free(): invalid next size (fast)", action=1) at malloc.c:4996
 _int_free (av=<optimized out>, p=<optimized out>, have_lock=0) at malloc.c:3840
 sqlite3VdbeMemGrow (pMem=pMem@entry=0x23fd0a8, n=<optimized out>, bPreserve=bPreserve@entry=1) at sqlite3.c:61809
 vdbeMemAddTerminator (pMem=pMem@entry=0x23fd0a8) at sqlite3.c:61903

Ubuntu GNOME (ug-bot) wrote : Stacktrace.txt
Ubuntu GNOME (ug-bot) wrote : ThreadStacktrace.txt
tags: removed: need-amd64-retrace
Tim Lunn (darkxst)
information type: Private → Public
Changed in ubuntu-gnome:
milestone: none → vivid
LuoZheng (htfy96)
Changed in ubuntu-gnome:
status: New → Confirmed
Marius Gedminas (mgedmin) wrote :

(I got this crash without attempting to opt in into wayland.)

Andreas (andreas-rabus) wrote :

Annoyingly, just after each new login, every day...

Curtis (curtbezault) wrote :

Only happens when I don't run startx as root (I know that it's not a good thing to do but was just checking things out.)

Eustachy Motyka (eusmotyka) wrote :

Occurs randomly (even without Wayland used at all).

Edson T. Marques (edsontmarques) wrote :

Crash when I try to paste (Ctrl+V) a bitmap from clipboard to a Pidgin message.

GT (gleppert) wrote :

Occurred during start-up of GNOME 3.16 (Ubuntu 15.04). I do not have Wayland installed.

GT (gleppert) wrote :

Additional note: This bug occurs frequently, about once or twice everyday.

Kaare Baastrup (kaare-baastrup) wrote :

Same for GNOME 3.18.

GT (gleppert) wrote :

It would be great if a developer could have a look at this bug. It currently affects 55 people, bug heat 246 and - on my system - there are crashes of gjs every day. Also, please note that this bug has nothing to do with Wayland. It also affects X11 users. Thanks a lot!

Bruce Pieterse (octoquad) wrote :

I'm not sure, but I think this bug might be related: https://bugs.launchpad.net/ubuntu-gnome/+bug/1432068

Tim Lunn (darkxst) wrote : Re: [Bug 1418771] Re: gjs-console assert failure: *** Error in `/usr/bin/gjs-console': free(): invalid next size (fast): 0x00007f74a804b240 ***

That is likely gnome-documents search provider crashing

> On 21 Aug 2015, at 5:24 am, Bruce Pieterse <email address hidden> wrote:
>
> I'm not sure, but I think this but might be related:
> https://bugs.launchpad.net/ubuntu-gnome/+bug/1432068

Changed in gjs:
importance: Unknown → Medium
status: Unknown → Incomplete
GT (gleppert) wrote :

What does "Status incomplete" mean? Do you need any additional info?

Bruce Pieterse (octoquad) wrote :

Hi GT,

The status "incomplete" is for the upstream project gjs. The status for Ubuntu GNOME however is confirmed. The crash seems to occur when searching for an application via activities but we are currently trying to reproduce this reliably in order to provide the relevant information upstream if necessary.

Thanks

Tim Lunn (darkxst)
Changed in ubuntu-gnome:
milestone: vivid → wily
Tim Lunn (darkxst)
Changed in gjs (Ubuntu):
status: New → Confirmed
importance: Undecided → Low
Changed in gjs (Debian):
status: Unknown → Confirmed
Marius Gedminas (mgedmin) wrote :

Steps to reproduce:

- in one terminal run /usr/bin/gnome-documents --gapplication-service
- in another terminal run dbus-send --print-reply --dest=org.gnome.Documents /org/gnome/Documents/SearchProvider org.gnome.Shell.SearchProvider2.GetInitialResultSet array:string:"search"

Note: you must run dbus-send within 10 seconds of the 1st command, because gnome-documents exits when it's idle.

Note: you can use DOCUMENTS_RUN_DEBUG=yes gnome-documents --gapplication-service in step 1 to get the crash under gdb

Marius Gedminas (mgedmin) wrote :

I ran the reproduction scenario under valgrind and saw this:

==23172== Thread 8 pool:
==23172== Invalid write of size 1
==23172== at 0x174A56C1: tracker_parser_unaccent_nfkd_string (in /usr/lib/x86_64-linux-gnu/tracker-1.0/libtracker-common.so.0.0.0)
==23172== by 0x1726AA02: function_sparql_unaccent (in /usr/lib/x86_64-linux-gnu/tracker-1.0/libtracker-data.so.0.0.0)
==23172== by 0x1791D6EE: sqlite3VdbeExec (in /usr/lib/x86_64-linux-gnu/libsqlite3.so.0.8.6)
==23172== by 0x17926826: sqlite3_step (in /usr/lib/x86_64-linux-gnu/libsqlite3.so.0.8.6)
==23172== by 0x1726B2FF: db_cursor_iter_next (in /usr/lib/x86_64-linux-gnu/tracker-1.0/libtracker-data.so.0.0.0)
==23172== by 0x1726BAB6: tracker_db_cursor_iter_next_thread (in /usr/lib/x86_64-linux-gnu/tracker-1.0/libtracker-data.so.0.0.0)
==23172== by 0x70A68FE: run_in_thread (in /usr/lib/x86_64-linux-gnu/libgio-2.0.so.0.4600.1)
==23172== by 0x7092985: io_job_thread (in /usr/lib/x86_64-linux-gnu/libgio-2.0.so.0.4600.1)
==23172== by 0x70B7D87: g_task_thread_pool_thread (in /usr/lib/x86_64-linux-gnu/libgio-2.0.so.0.4600.1)
==23172== by 0x50FC2FD: g_thread_pool_thread_proxy (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4600.1)
==23172== by 0x50FB964: g_thread_proxy (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4600.1)
==23172== by 0x5E706A9: start_thread (pthread_create.c:333)
==23172== Address 0x14072b52 is 0 bytes after a block of size 2 alloc'd
==23172== at 0x4C2DD9F: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==23172== by 0x17B9D516: u8_normalize (in /usr/lib/x86_64-linux-gnu/libunistring.so.0.1.2)
==23172== by 0x1726A9F4: function_sparql_unaccent (in /usr/lib/x86_64-linux-gnu/tracker-1.0/libtracker-data.so.0.0.0)
==23172== by 0x1791D6EE: sqlite3VdbeExec (in /usr/lib/x86_64-linux-gnu/libsqlite3.so.0.8.6)
==23172== by 0x17926826: sqlite3_step (in /usr/lib/x86_64-linux-gnu/libsqlite3.so.0.8.6)
==23172== by 0x1726B2FF: db_cursor_iter_next (in /usr/lib/x86_64-linux-gnu/tracker-1.0/libtracker-data.so.0.0.0)
==23172== by 0x1726BAB6: tracker_db_cursor_iter_next_thread (in /usr/lib/x86_64-linux-gnu/tracker-1.0/libtracker-data.so.0.0.0)
==23172== by 0x70A68FE: run_in_thread (in /usr/lib/x86_64-linux-gnu/libgio-2.0.so.0.4600.1)
==23172== by 0x7092985: io_job_thread (in /usr/lib/x86_64-linux-gnu/libgio-2.0.so.0.4600.1)
==23172== by 0x70B7D87: g_task_thread_pool_thread (in /usr/lib/x86_64-linux-gnu/libgio-2.0.so.0.4600.1)
==23172== by 0x50FC2FD: g_thread_pool_thread_proxy (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4600.1)
==23172== by 0x50FB964: g_thread_proxy (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4600.1)
==23172==
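
The valgrind report above points at a one-byte write just past a block that u8_normalize() allocated; libunistring's u8_normalize() returns its result length through a pointer and does not NUL-terminate the buffer. As an added example, not tracker's code, this shows that off-by-one pattern next to a hardened form, using a constructed stand-in for u8_normalize() (fake_u8_normalize, terminate_buggy and terminate_fixed are all assumed names):

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for libunistring's u8_normalize(): returns a heap block
 * of exactly *lengthp bytes with no NUL terminator (the real function's
 * documented contract). Normalization is an identity copy to run offline. */
static uint8_t *fake_u8_normalize(const uint8_t *s, size_t n, size_t *lengthp)
{
    uint8_t *out = malloc(n);          /* exact size: no room for '\0' */
    if (!out) return NULL;
    memcpy(out, s, n);
    *lengthp = n;
    return out;
}

/* Pattern consistent with the valgrind report: writing the terminator at
 * out[len] lands one byte past the block the normalizer allocated
 * ("Invalid write of size 1 ... 0 bytes after a block of size 2"). */
static char *terminate_buggy(const uint8_t *word, size_t word_len)
{
    size_t len = 0;
    uint8_t *out = fake_u8_normalize(word, word_len, &len);
    if (!out) return NULL;
    out[len] = '\0';                   /* heap overrun by one byte */
    return (char *)out;
}

/* Hardened form: grow the block to len + 1 before terminating it. */
static char *terminate_fixed(const uint8_t *word, size_t word_len)
{
    size_t len = 0;
    uint8_t *out = fake_u8_normalize(word, word_len, &len);
    if (!out) return NULL;
    uint8_t *grown = realloc(out, len + 1);
    if (!grown) { free(out); return NULL; }
    grown[len] = '\0';
    return (char *)grown;
}

int main(int argc, char **argv)
{
    const uint8_t word[] = "ab";       /* 2-byte input, as in the report */
    /* Pass any argument to run the buggy variant (e.g. under valgrind). */
    char *s = argc > 1 ? terminate_buggy(word, 2) : terminate_fixed(word, 2);
    int ok = s && strlen(s) == 2;
    free(s);
    return ok ? 0 : 1;
}
```

Running the binary with any argument under valgrind reproduces the same "Invalid write of size 1 ... 0 bytes after a block" report shape as above, while the default path is clean.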

Changed in gjs:
status: Incomplete → Fix Released
Tim Lunn (darkxst)
no longer affects: gjs (Ubuntu)
Changed in gjs (Debian):
status: Confirmed → Fix Released
Tim Lunn (darkxst)
description: updated
Changed in tracker (Ubuntu):
status: New → Fix Committed
Tim Lunn (darkxst)
Changed in tracker (Ubuntu Wily):
status: New → Triaged
importance: Undecided → Medium
Changed in tracker (Ubuntu):
importance: Undecided → Medium
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in gjs (Ubuntu Wily):
status: New → Confirmed
Tim Lunn (darkxst)
Changed in gjs (Ubuntu Wily):
status: Confirmed → Invalid
Tim Lunn (darkxst)
Changed in ubuntu-gnome:
status: Confirmed → Fix Committed
Brian Murray (brian-murray) wrote : Please test proposed package

Hello Tim, or anyone else affected,

Accepted tracker into wily-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/tracker/1.4.1-1ubuntu2.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in tracker (Ubuntu Wily):
status: Triaged → Fix Committed
tags: added: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package tracker - 1.6.0-1ubuntu1

---------------
tracker (1.6.0-1ubuntu1) xenial; urgency=medium

  * Merge with Debian, remaining changes:
    + Disable libencai, libiptcdata and libstemmer support, all in Universe
    + Have tracker suggest instead of recommend tracker-gui
    + Run tests with VERBOSE=1 so we get useful output.
  * Drop git patches included in new release
  * debian/patches: Cherry-pick git crash fixes
    - 0001-libtracker-miner-Abort-async-operations-once-the-ins.patch
    - 0002-libtracker-miner-Cancel-pending-async-operations-dur.patch
    - 0003-libtracker-miner-Handle-failure-to-get-a-TrackerSpar.patch
    - 0004-Fix-buffer-overrun-in-libunistring-builds.patch (LP: #1418771)

 -- Tim Lunn <email address hidden> Sat, 24 Oct 2015 09:40:10 +1100

Changed in tracker (Ubuntu):
status: Fix Committed → Fix Released
Tim Lunn (darkxst) wrote :

Tested as per the test case; I was unable to produce the crash. Tagging verification-done.

tags: added: verification-done
removed: verification-needed
John (throuaway)
Changed in tracker (Ubuntu Wily):
status: Fix Committed → Fix Released
Changed in tracker (Ubuntu Wily):
status: Fix Released → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package tracker - 1.4.1-1ubuntu2.1

---------------
tracker (1.4.1-1ubuntu2.1) wily; urgency=medium

  * debian/patches: Cherry-pick patches for crash fixes from upstream
    - 0003-libtracker-miner-Abort-async-operations-once-the-ins.patch,
      0004-libtracker-miner-Cancel-pending-async-operations-dur.patch,
      0005-libtracker-miner-Handle-failure-to-get-a-TrackerSpar.patch
    - 0006-Fix-buffer-overrun-in-libunistring-builds.patch (LP: #1418771)

 -- Tim Lunn <email address hidden> Sat, 24 Oct 2015 09:18:04 +1100

Changed in tracker (Ubuntu Wily):
status: Fix Committed → Fix Released
Brian Murray (brian-murray) wrote : Update Released

The verification of the Stable Release Update for tracker has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Tim Lunn (darkxst)
Changed in ubuntu-gnome:
status: Fix Committed → Fix Released