Bug 1185585

Summary: anaconda crashes after continuing from language selection screen
Product: [Fedora] Fedora
Reporter: Chris Murphy <bugzilla>
Component: gtk3
Assignee: Matthias Clasen <mclasen>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 22
CC: anaconda-maint-list, awilliam, bugzilla, ccecchi, danofsatx, g.kaviyarasu, jonathan, mclasen, robatino, satellitgo, vanmeeuwen+fedora, vpodzime
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard: AcceptedBlocker
Fixed In Version: gtk3-3.15.9-1.fc22
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-03-03 04:20:30 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1043121
Attachments (description, flags):
  journal i686, none
  journal2, none

Description Chris Murphy 2015-01-24 22:56:09 UTC
Created attachment 983832: journal i686

Description of problem:
Anaconda on this boot.iso build coredumps after clicking "continue" from the welcome/language selection screen.

https://kojipkgs.fedoraproject.org/mash/rawhide-20150124/rawhide/i386/os/images/boot.iso


Version-Release number of selected component (if applicable):
anaconda 22.16-1

How reproducible:
Always


Steps to Reproduce:
1. Boot, then click continue


Actual results:

Screen goes black. systemd-coredump spins for a while, and records a coredump attributed to anaconda.

Comment 1 David Shea 2015-01-26 17:30:45 UTC
Crash appears to be happening in gtk

Stack trace of thread 997:
                                                 #0  0x00000000b77cebac __kernel_vsyscall (linux-gate.so.1)
                                                 #1  0x00000000b73f4137 raise (libc.so.6)
                                                 #2  0x00000000b73f5a09 abort (libc.so.6)
                                                 #3  0x00000000b743dd39 free_check (libc.so.6)
                                                 #4  0x00000000b74414c2 __libc_free (libc.so.6)
                                                 #5  0x00000000b6db49c2 g_free (libglib-2.0.so.0)
                                                 #6  0x00000000b2e5f600 _gtk_allocated_bitmask_free (libgtk-3.so.0)
                                                 #7  0x00000000b2e5f66e gtk_allocated_bitmask_shrink (libgtk-3.so.0)
                                                 #8  0x00000000b2ef6f74 gtk_css_static_style_new_update (libgtk-3.so.0)
                                                 #9  0x00000000b3067b89 update_properties (libgtk-3.so.0)
                                                 #10 0x00000000b306aeec _gtk_style_context_validate (libgtk-3.so.0)
                                                 #11 0x00000000b306ae22 _gtk_style_context_validate (libgtk-3.so.0)
                                                 #12 0x00000000b306ae22 _gtk_style_context_validate (libgtk-3.so.0)
                                                 #13 0x00000000b306ae22 _gtk_style_context_validate (libgtk-3.so.0)
                                                 #14 0x00000000b306ae22 _gtk_style_context_validate (libgtk-3.so.0)
                                                 #15 0x00000000b306ae22 _gtk_style_context_validate (libgtk-3.so.0)
                                                 #16 0x00000000b306ae22 _gtk_style_context_validate (libgtk-3.so.0)
                                                 #17 0x00000000b306ae22 _gtk_style_context_validate (libgtk-3.so.0)
                                                 #18 0x00000000b2ece455 gtk_container_idle_sizer (libgtk-3.so.0)
                                                 #19 0x00000000b6eb8669 g_cclosure_marshal_VOID__VOIDv (libgobject-2.0.so.0)
                                                 #20 0x00000000b6eb6b4d _g_closure_invoke_va (libgobject-2.0.so.0)
                                                 #21 0x00000000b6ed306c g_signal_emit_valist (libgobject-2.0.so.0)
                                                 #22 0x00000000b6ed3dd5 g_signal_emit_by_name (libgobject-2.0.so.0)
                                                 #23 0x00000000b2cbd076 gdk_frame_clock_paint_idle (libgdk-3.so.0)
                                                 #24 0x00000000b2ca9e26 gdk_threads_dispatch (libgdk-3.so.0)
                                                 #25 0x00000000b6daf442 g_timeout_dispatch (libglib-2.0.so.0)
                                                 #26 0x00000000b6dae8d3 g_main_context_dispatch (libglib-2.0.so.0)
                                                 #27 0x00000000b6daec98 g_main_context_iterate.isra.29 (libglib-2.0.so.0)
                                                 #28 0x00000000b6daf023 g_main_loop_run (libglib-2.0.so.0)
                                                 #29 0x00000000b2faa23d gtk_main (libgtk-3.so.0)
                                                 #30 0x00000000b7026f7a ffi_call_SYSV (libffi.so.6)
                                                 #31 0x00000000b7026a0a ffi_call (libffi.so.6)
                                                 #32 0x00000000b6f64c6c pygi_invoke_c_callable (_gi.so)
                                                 #33 0x00000000b6f657d4 _function_cache_invoke_real (_gi.so)
                                                 #34 0x00000000b6f6681e pygi_function_cache_invoke (_gi.so)
                                                 #35 0x00000000b6f6542c pygi_callable_info_invoke (_gi.so)
                                                 #36 0x00000000b6f65483 _wrap_g_callable_info_invoke (_gi.so)
                                                 #37 0x00000000b6f58db5 _callable_info_call (_gi.so)
                                                 #38 0x00000000b7642765 PyObject_Call (libpython2.7.so.1.0)
                                                 #39 0x00000000b76e3387 PyEval_EvalFrameEx (libpython2.7.so.1.0)
                                                 #40 0x00000000b76e5205 PyEval_EvalFrameEx (libpython2.7.so.1.0)
                                                 #41 0x00000000b76e645a PyEval_EvalCodeEx (libpython2.7.so.1.0)
                                                 #42 0x00000000b76e65b4 PyEval_EvalCode (libpython2.7.so.1.0)
                                                 #43 0x00000000b76ffbab run_mod (libpython2.7.so.1.0)
                                                 #44 0x00000000b7701040 PyRun_FileExFlags (libpython2.7.so.1.0)
                                                 #45 0x00000000b7702433 PyRun_SimpleFileExFlags (libpython2.7.so.1.0)
                                                 #46 0x00000000b7702998 PyRun_AnyFileExFlags (libpython2.7.so.1.0)
                                                 #47 0x00000000b7714d61 Py_Main (libpython2.7.so.1.0)
                                                 #48 0x0000000008048578 main (python2.7)
                                                 #49 0x00000000b73de6fe __libc_start_main (libc.so.6)
                                                 #50 0x000000000804859e _start (python2.7)
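
The triage done in comment 1, as an added example that is not part of the original report: it parses systemd-coredump frame lines and skips the signal and allocator frames to name the first caller above free(). The frame sets `SIGNAL_FRAMES` and `FREE_FRAMES` and the function names are assumptions chosen for this trace.

```python
import re
from itertools import takewhile

# Frames #0-#9 copied from the trace in comment 1.
TRACE = """\
#0  0x00000000b77cebac __kernel_vsyscall (linux-gate.so.1)
#1  0x00000000b73f4137 raise (libc.so.6)
#2  0x00000000b73f5a09 abort (libc.so.6)
#3  0x00000000b743dd39 free_check (libc.so.6)
#4  0x00000000b74414c2 __libc_free (libc.so.6)
#5  0x00000000b6db49c2 g_free (libglib-2.0.so.0)
#6  0x00000000b2e5f600 _gtk_allocated_bitmask_free (libgtk-3.so.0)
#7  0x00000000b2e5f66e gtk_allocated_bitmask_shrink (libgtk-3.so.0)
#8  0x00000000b2ef6f74 gtk_css_static_style_new_update (libgtk-3.so.0)
#9  0x00000000b3067b89 update_properties (libgtk-3.so.0)
"""

FRAME_RE = re.compile(r"#(\d+)\s+0x([0-9a-f]+)\s+(\S+)\s+\(([^)]+)\)")

# Assumption: frames that only raise the signal or forward the pointer to the
# allocator. Chosen for this trace; extend it for other allocator wrappers.
SIGNAL_FRAMES = {"__kernel_vsyscall", "raise", "abort"}
FREE_FRAMES = {"free_check", "__libc_free", "free", "g_free"}


def parse_frames(text):
    """Return (index, address, symbol, module) tuples, tolerating indentation."""
    return [(int(m[1]), int(m[2], 16), m[3], m[4])
            for m in map(FRAME_RE.search, text.splitlines()) if m]


def triage(frames):
    """Classify the abort and name the first frame above the allocator."""
    plumbing = list(takewhile(
        lambda f: f[2] in SIGNAL_FRAMES | FREE_FRAMES, frames))
    symbols = {f[2] for f in plumbing}
    culprit = frames[len(plumbing)] if len(plumbing) < len(frames) else None
    return {
        # abort() reached from free(): the allocator rejected the pointer.
        "abort_in_free": "abort" in symbols and bool(symbols & FREE_FRAMES),
        "culprit_symbol": culprit[2] if culprit else None,
        "culprit_module": culprit[3] if culprit else None,
    }


if __name__ == "__main__":
    print(triage(parse_frames(TRACE)))
```

The culprit module is what points the report at gtk3 rather than at the anaconda process named by systemd-coredump.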

Comment 2 Matthias Clasen 2015-02-13 22:36:10 UTC
*** Bug 1192020 has been marked as a duplicate of this bug. ***

Comment 3 Chris Murphy 2015-02-18 04:08:46 UTC
Created attachment 992988: journal2

journalctl -x -o short-monotonic

Still happens with default boot params, as well as with 'enforcing=0 nodmodeset' and attempting to do a VNC installation.
https://kojipkgs.fedoraproject.org/mash/branched-20150217/22/i386/os/images/boot.iso
kernel-3.20.0-0.rc0.git6.1.fc22.i686

Comment 4 Chris Murphy 2015-02-18 04:18:23 UTC
Same stack trace as previously reported. I also see "[  385.738820] localhost systemd-coredump[1788]: Process 1120 (anaconda) of user 0 dumped core." But I'm not finding the core dump file in /var, where would it be and is it even written out somewhere on netinstalls?

Hardware is rather old!

01:00.0 VGA compatible controller [0300]: Advanced Micro Devices, Inc. [AMD/ATI] RV250/M9 GL [Mobility FireGL 9000/Radeon 9000] [1002:4c66] (rev 02) (prog-if 00 [VGA controller])
	Subsystem: Dell Device [1028:011d]
	Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop+ ParErr- Stepping+ SERR+ FastB2B- DisINTx-
	Status: Cap+ 66MHz+ UDF- FastB2B+ ParErr- DEVSEL=medium >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-
	Latency: 32 (2000ns min), Cache Line Size: 32 bytes
	Interrupt: pin A routed to IRQ 11
	Region 0: Memory at e8000000 (32-bit, prefetchable) [size=128M]
	Region 1: I/O ports at c000 [size=256]
	Region 2: Memory at fcff0000 (32-bit, non-prefetchable) [size=64K]
	[virtual] Expansion ROM at fc000000 [disabled] [size=128K]
	Capabilities: [58] AGP version 2.0
		Status: RQ=48 Iso- ArqSz=0 Cal=0 SBA+ ITACoh- GART64- HTrans- 64bit- FW+ AGP3- Rate=x1,x2,x4
		Command: RQ=32 ArqSz=0 Cal=0 SBA+ AGP+ GART64- 64bit- FW- Rate=x4
	Capabilities: [50] Power Management version 2
		Flags: PMEClk- DSI- D1+ D2+ AuxCurrent=0mA PME(D0-,D1-,D2-,D3hot-,D3cold-)
		Status: D0 NoSoftRst- PME-Enable- DSel=0 DScale=0 PME-
	Kernel driver in use: radeon
	Kernel modules: radeon

Comment 5 Vratislav Podzimek 2015-02-18 10:04:53 UTC
(In reply to Chris Murphy from comment #4)
> Same stack trace as previously reported. I also see "[  385.738820]
> localhost systemd-coredump[1788]: Process 1120 (anaconda) of user 0 dumped
> core." But I'm not finding the core dump file in /var, where would it be and
> is it even written out somewhere on netinstalls?
> 
> Hardware is rather old!
This doesn't seem to be HW dependent. It's just a bug (segfault) in 32bit Gtk triggered by hovering over the "Continue" button for which anaconda is using the "suggested-action" CSS class.

Comment 6 Fedora Blocker Bugs Application 2015-02-18 18:38:07 UTC
Proposed as a Blocker for 22-alpha by Fedora user chrismurphy using the blocker tracking app because:

 When using a dedicated installer image, the installer must be able to complete an installation using the text, graphical and VNC installation interfaces. (This is a showstopper.)

Comment 7 Adam Williamson 2015-02-18 20:37:24 UTC
Hum, I feel vaguely like we already had a bug for this? But anyway, +1, showstopper for 32-bit images.

Comment 8 Dan Mossor [danofsatx] 2015-02-23 17:57:10 UTC
Discussed at today's blocker review meeting [1].

AcceptedBlocker Alpha - This bug is a clear violation of the Alpha criterion: "When using a dedicated installer image, the installer must be able to complete an installation using the text, graphical and VNC installation interfaces."

[1] http://meetbot.fedoraproject.org/fedora-blocker-review/2015-02-23/

Comment 9 Matthias Clasen 2015-02-24 18:09:33 UTC
I fail to even get a 32bit live image to boot.

Tried with https://kojipkgs.fedoraproject.org//work/tasks/2668/9052668/Fedora-Live-Workstation-i686-22-20150224.iso

It doesn't get beyond plymouth in either gnome-boxes or virt-manager.
Can't really investigate under these circumstances.

Comment 10 Adam Williamson 2015-02-24 20:59:51 UTC
I believe that's likely due to https://bugzilla.redhat.com/show_bug.cgi?id=1195905 . Note that you may also hit an intermittent failure during early boot with recent images: that's https://bugzilla.redhat.com/show_bug.cgi?id=1195899 .

I'm trying to identify a live image that avoids at least the libinput bug and ideally also the kernel bug, but runs into this bug. I'm also not sure if the bug even happens from a live image - all the reports seem to have been from boot.iso.

Comment 11 Adam Williamson 2015-02-24 21:23:41 UTC
This bug seems limited to the boot.iso images, somehow. I've tested several bootable 32-bit lives (02-07, 02-10, 02-21) and could not reproduce the bug with any of them. So there's something about the installer environment that's related to it. Something that's stripped by lorax? Something about running on whatever bare WM anaconda runs, rather than running in GNOME?

Comment 12 Chris Murphy 2015-02-24 21:24:46 UTC
(In reply to Adam Williamson (Red Hat) from comment #10)
> I'm also not sure
> if the bug even happens from a live image - all the reports seem to have
> been from boot.iso.

For me, never happens with live, always happens with boot.iso.

Comment 13 David Shea 2015-02-24 21:25:43 UTC
The problem is calling free() on an invalid pointer, so the difference is that anaconda runs with MALLOC_PERTURB_ set.

Comment 14 Fedora Update System 2015-02-25 02:53:15 UTC
gtk3-3.15.9-1.fc22 has been submitted as an update for Fedora 22.
https://admin.fedoraproject.org/updates/gtk3-3.15.9-1.fc22

Comment 15 Fedora Update System 2015-02-25 15:15:26 UTC
Package gtk3-3.15.9-1.fc22:
* should fix your issue,
* was pushed to the Fedora 22 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing gtk3-3.15.9-1.fc22'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-2553/gtk3-3.15.9-1.fc22
then log in and leave karma (feedback).

Comment 16 Chris Murphy 2015-02-28 02:38:51 UTC
I no longer run into this with server boot.iso TC7 i686. Problem appears to be fixed.

Comment 17 Fedora Update System 2015-03-03 04:20:30 UTC
gtk3-3.15.9-1.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.