Bug 1048499

Summary: [abrt] liferea: enclosure_list_view_load(): liferea killed by SIGSEGV
Product: [Fedora] Fedora Reporter: Carlos Manso <chiecc>
Component: lifereaAssignee: Steven M. Parrish <smparrish>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 20CC: emmanuel, pebolle, smparrish, yaneti
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Unspecified   
URL: https://retrace.fedoraproject.org/faf/reports/bthash/9a77d4c090ac2b07722be4b0cfcc2036028b78cf
Whiteboard: abrt_hash:0ee4afe268808a924bf188af2f520465f60077f0
Fixed In Version: liferea-1.10.6-1.fc20 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-03-07 06:28:26 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
File: backtrace
none
File: cgroup
none
File: core_backtrace
none
File: dso_list
none
File: environ
none
File: exploitable
none
File: limits
none
File: maps
none
File: open_fds
none
File: proc_pid_status
none
File: var_log_messages none

Description Carlos Manso 2014-01-04 17:35:08 UTC 
Description of problem:
Just launching it.

Version-Release number of selected component:
liferea-1.10.3-1.fc20

Additional info:
reporter:       libreport-2.1.10
backtrace_rating: 4
cmdline:        liferea
crash_function: enclosure_list_view_load
executable:     /usr/bin/liferea
kernel:         3.12.5-302.fc20.x86_64
runlevel:       N 5
type:           CCpp
uid:            1000

Truncated backtrace:
Thread no. 1 (7 frames)
 #0 enclosure_list_view_load at enclosure_list_view.c:248
 #1 itemview_select_item at itemview.c:189
 #2 liferea_shell_create at liferea_shell.c:1361
 #3 on_app_activate at main.c:87
 #8 g_application_activate at gapplication.c:1414
 #9 g_application_real_local_command_line at gapplication.c:499
 #10 g_application_run at gapplication.c:1585
Comment 1 Carlos Manso 2014-01-04 17:35:14 UTC 
Created attachment 845427 [details]
File: backtrace
Comment 2 Carlos Manso 2014-01-04 17:35:16 UTC 
Created attachment 845428 [details]
File: cgroup
Comment 3 Carlos Manso 2014-01-04 17:35:18 UTC 
Created attachment 845429 [details]
File: core_backtrace
Comment 4 Carlos Manso 2014-01-04 17:35:21 UTC 
Created attachment 845430 [details]
File: dso_list
Comment 5 Carlos Manso 2014-01-04 17:35:23 UTC 
Created attachment 845431 [details]
File: environ
Comment 6 Carlos Manso 2014-01-04 17:35:25 UTC 
Created attachment 845432 [details]
File: exploitable
Comment 7 Carlos Manso 2014-01-04 17:35:29 UTC 
Created attachment 845433 [details]
File: limits
Comment 8 Carlos Manso 2014-01-04 17:35:36 UTC 
Created attachment 845434 [details]
File: maps
Comment 9 Carlos Manso 2014-01-04 17:35:39 UTC 
Created attachment 845435 [details]
File: open_fds
Comment 10 Carlos Manso 2014-01-04 17:35:41 UTC 
Created attachment 845436 [details]
File: proc_pid_status
Comment 11 Carlos Manso 2014-01-04 17:35:46 UTC 
Created attachment 845437 [details]
File: var_log_messages
Comment 12 Paul Bolle 2014-01-27 16:38:40 UTC 
0) Still reproducible with liferea-1.10.5-1.fc20.x86_64

1) I installed liferea-debuginfo, ran liferea from gdb and peeked and poked liferea a bit. It turns out this seems to be enough to work around this segmentation fault:

    l itemview_select_item
    break 188 if ivp->enclosureView == 0
    commands
    jump 193
    end
    r

Ie, set this conditional breakpoint:
    (gdb) info break
    Num     Type           Disp Enb Address            What
    1       breakpoint     keep y   0x0000000000441cbd in itemview_select_item 
                                                   at itemview.c:188
    	stop only if ivp->enclosureView == 0
	breakpoint already hit 1 time
        jump 193

2) See, somehow we end up with a NULL ivp->enclosureView in itemview_select_item(). I haven't investigated whether that means something went awry before or that we have to add a
    if (ivp->enclosureView) 

test here somewhere. To be continued, perhaps ...
Comment 13 Yanko Kaneti 2014-01-27 17:15:05 UTC 
I've filed an upstream report although I can't reproduce it.
https://sourceforge.net/p/liferea/bugs/1137/
Comment 14 Paul Bolle 2014-01-27 19:43:36 UTC 
(In reply to Yanko Kaneti from comment #13)
> I've filed an upstream report although I can't reproduce it.

Neither can I anymore. Now that I've passed this bump using gdb liferea runs just fine. Maybe there's still an item in one of the feeds that triggers this bug, maybe not. This might be hard to trigger from now on. We'll see...
Comment 15 Paul Bolle 2014-01-29 23:53:50 UTC 
(In reply to Paul Bolle from comment #14)
> Neither can I anymore.

0) The crash is back!

1) So let's look at the code I fiddled with when using gdb:

void
itemview_select_item (itemPtr item)
{
        [...]

        if (item)
                enclosure_list_view_load (ivp->enclosureView, item);
        else
                enclosure_list_view_hide (ivp->enclosureView);

        item_history_add (item->id);
}

But the "if (item)" test is bogus, because all callers of itemview_select_item() test for a non-NULL item beforehand. So that test will always evaluate to true. Moreover, if a NULL item would have been passed to this function we'd crashed at "item_history_add (item->id)" (NULL dereference).

2) So, it's quite likely the code should actually read:

void
itemview_select_item (itemPtr item)
{
        [...]

        if (ivp->enclosureView)
                enclosure_list_view_load (ivp->enclosureView, item);

        item_history_add (item->id);
}

Which is what my gdb breakpoint and command basically did.

3) Does upstream track updates to this report?
Comment 16 Paul Bolle 2014-01-30 00:20:22 UTC 
(In reply to Paul Bolle from comment #15) 
> 2) So, it's quite likely the code should actually read:
> 
> void
> itemview_select_item (itemPtr item)
> {
>         [...]
> 
>         if (ivp->enclosureView)
>                 enclosure_list_view_load (ivp->enclosureView, item);
> 
>         item_history_add (item->id);
> }
> 
> Which is what my gdb breakpoint and command basically did.

To which I should add that it's obviously wrong to call enclosure_list_view_load() with a NULL first argument (ie, to call it with a NULL ivp->enclosureView). So now I'm certain itemview_select_item() should be changed this way.

Unless, of course, this all indicates there's a more basic problem here. In that case someone may figure out how we can ensure itemview_select_item() isn't called while ivp->enclosureView is NULL.

Anyhow, in the mean time we have a clearly correct fix for a crash that seems to be regularly hit. Do I need to submit the trivial patch to - at least for the mean time - fix this in Fedora?
Comment 17 Fedora Update System 2014-02-25 01:21:50 UTC 
liferea-1.10.6-1.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/liferea-1.10.6-1.fc20
Comment 18 Fedora Update System 2014-02-26 13:58:40 UTC 
Package liferea-1.10.6-1.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing liferea-1.10.6-1.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-3117/liferea-1.10.6-1.fc20
then log in and leave karma (feedback).
Comment 19 Fedora Update System 2014-03-07 06:28:26 UTC 
liferea-1.10.6-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.