gnome-settings-daemon crashed with signal 5 in gkbd_keyboard_drawing_new_dialog()

P.S. crash occurs actually when you click on "Show current Layout" in the dropdown menu.

I found the same thing as Luigi reported yesterday.

Same problem on amd64 architecture

could be bug https://bugzilla.gnome.org/show_bug.cgi?id=628854

Thank you for your bug report, is that still an issue with the recent update?

bug #630245 seems similar, it could be a libgnomekbd or libxklavier issue

The crash seems to not happen there with the current version but valgrind lists errors in the keyboard.so code which seem to be due to the indicator change since a build without it doesn't have those

I've just updated everything, and it still crashes if I click on "Show current layout", specifically the window decorator gets knocked off and the applet disappears from the panel. After logging off it goes back to normal though.

Having just dist-upgraded every package a few minutes ago, I'm seeing the same problem when clicking on "Show current layout".

Affects me as well, running latest updates.

Same bug "appears" today (right now) after partial distribution update (Ubuntu 10.10 beta1), when I've clicked "show current layout" in keyboard applet.

StacktraceTop:
 gkbd_keyboard_drawing_new_dialog (group=0,
 apply_xkb_settings () at gsd-keyboard-xkb.c:734
 g_cclosure_marshal_VOID__VOID ()
 g_closure_invoke () from /usr/lib/libgobject-2.0.so.0
 ?? () from /usr/lib/libgobject-2.0.so.0

So, I'm seeing these invalid reads in the keyboard plugin:

==4294== Invalid read of size 1
==4294== at 0x4C29732: strcmp (mc_replace_strmem.c:426)
==4294== by 0x640AD28: g_str_equal (gstring.c:115)
==4294== by 0x63D7E6A: g_hash_table_insert_internal (ghash.c:401)
==4294== by 0x13BE70E5: popup_menu_set_group (gsd-keyboard-xkb.c:376)
==4294== by 0x13BE7C84: apply_xkb_settings (gsd-keyboard-xkb.c:543)
==4294== by 0x13BE8377: gsd_keyboard_xkb_init (gsd-keyboard-xkb.c:1123)
==4294== by 0x13BE651A: start_keyboard_idle_cb (gsd-keyboard-manager.c:399)
==4294== by 0x63E67E1: g_main_context_dispatch (gmain.c:2119)
==4294== by 0x63EA747: g_main_context_iterate (gmain.c:2750)
==4294== by 0x63EAC54: g_main_loop_run (gmain.c:2958)
==4294== by 0x4F7AA46: gtk_main (gtkmain.c:1237)
==4294== by 0x404299: main (main.c:502)
==4294== Address 0x1aa7d3a1 is 1 bytes inside a block of size 4 free'd
==4294== at 0x4C27D71: free (vg_replace_malloc.c:366)
==4294== by 0x13BE7104: popup_menu_set_group (gsd-keyboard-xkb.c:392)
==4294== by 0x13BE7C84: apply_xkb_settings (gsd-keyboard-xkb.c:543)
==4294== by 0x13BE8377: gsd_keyboard_xkb_init (gsd-keyboard-xkb.c:1123)
==4294== by 0x13BE651A: start_keyboard_idle_cb (gsd-keyboard-manager.c:399)
==4294== by 0x63E67E1: g_main_context_dispatch (gmain.c:2119)
==4294== by 0x63EA747: g_main_context_iterate (gmain.c:2750)
==4294== by 0x63EAC54: g_main_loop_run (gmain.c:2958)
==4294== by 0x4F7AA46: gtk_main (gtkmain.c:1237)
==4294== by 0x404299: main (main.c:502)

It is most likely the key for that particular node pointing to free'd memory.

This is happening here in popup_menu_set_group:

         for (g = 0; g < g_strv_length (shortnames);g++) {
          gpointer pcounter = NULL;
          gchar *prev_layout_name = NULL;
          int counter = 0;

          if (g < g_strv_length (shortnames)) {
           if (xkl_engine_get_features (engine) &
               XKLF_MULTIPLE_LAYOUTS_SUPPORTED) {
            gchar *longname = (gchar *) g_slist_nth_data (current_kbd_config.layouts_variants, g);
            gchar *variant_name;
            if (!gkbd_keyboard_config_split_items (longname, &lname, &variant_name))
             /* just in case */
             lname = longname;

            /* make it freeable */
            lname = g_strdup (lname);

            if (shortnames != NULL) {
             gchar *shortname = shortnames[g];
             if (shortname != NULL && *shortname != '\0') {
              /* drop the long name */
              g_free (lname);
              lname = g_strdup (shortname);
             }
            }
           } else {
            lname = g_strdup (longnames[g]);
           }
          }
          if (lname == NULL)
           lname = g_strdup ("");

          /* Process layouts with repeating description */
          if (g_hash_table_lookup_extended (ln2cnt_map, lname, (gpointer *) & prev_layout_name, &pcounter)) {
           /* "next" same description */
           counter = GPOINTER_TO_INT (pcounter);
                                guide = "XXX1";
          }
1--> g_hash_table_insert (ln2cnt_map, lname, GINT_TO_POINTER (counter+1))...

Actually, I'm also seeing the crash here with the current version too, and that seems unrelated to the invalid memory access above

The crash is a missing gtkbuilder file from the default install. Reassigning to libgnomekbd

The fix is uploaded now:

libgnomekbd (2.31.5-0ubuntu3) maverick; urgency=low

  * Fix LP: #630239 - gnome-settings-daemon crashed with signal 5 in
    gkbd_keyboard_drawing_new_dialog(). Move show-layout.ui from
    gkbd-capplet to libgnomekbd-common and add appropriate replaces
    - update debian/gkbd-capplet.install
    - update debian/libgnomekbd-common.install
    - update debian/control{.in}
 -- Chris Coulson <email address hidden> Tue, 14 Sep 2010 18:57:13 +0100