Bug 1836190

Summary: abrt-applet 2.14.2-1.fc33 segmentation fault in g_steal_pointer
Product: [Fedora] Fedora Reporter: Matt Fagnani <matt.fagnani>
Component: abrtAssignee: ekulik
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: rawhideCC: abrt-devel-list, ekulik, jakub, jmilan, mhabrnal, michal.toman, mkutlak, mmarusak
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: abrt-2.14.2-2.fc32 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-05-25 02:46:53 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
abrt-applet segmentation fault gdb full trace of all threads none

Description Matt Fagnani 2020-05-15 11:32:59 UTC 
Description of problem:

I've seen abrt-applet 2.14.2-1.fc33 segmentation fault when booting the Fedora Rawhide KDE Plasma spin live image KDE-Live-x86_64-Rawhide-20200513.n.0.iso.
The abrt-applet crash appeared to happen when NetworkManager was starting an ethernet connection. The crash was shown in coredumpctl and the journal. The segmentation fault might've been due to an invalid pointer pp=0x30 in g_steal_pointer based on the coredumpctl gdb output. The command was /usr/bin/abrt-applet --gapplication-service , and it was run automatically during boot. I can give the gdb output after I reboot as the core file is now inaccessible due to other crashes. abrt-applet had the same crash when I selected Sleep from the Application menu, but the core files were truncated or unavailable.

I ran valgrind --log-file=valgrind-abrt-applet-2.txt /usr/bin/abrt-applet --gapplication-service & I selected Sleep from the Application menu.
The valgrind report showed an invalid read and segmentation fault in g_steal_pointer at gmem.h:206 at an address 0x30 which wasn't in the mapped region of the process.

==16480== Memcheck, a memory error detector
==16480== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==16480== Using Valgrind-3.16.0.GIT and LibVEX; rerun with -h for copyright info
==16480== Command: /usr/bin/abrt-applet --gapplication-service
==16480== Parent PID: 14720
==16480== 
--16480-- WARNING: unhandled amd64-linux syscall: 315
--16480-- You may be able to write your own handler.
--16480-- Read the file README_MISSING_SYSCALL_OR_IOCTL.
--16480-- Nevertheless we consider this a bug.  Please report
--16480-- it at http://valgrind.org/support/bug_reports.html.
==16480== Invalid read of size 8
==16480==    at 0x10EF9B: g_steal_pointer (gmem.h:206)
==16480==    by 0x10EF9B: process_deferred_queue (abrt-applet-application.c:87)
==16480==    by 0x4B7B47A: g_idle_dispatch (gmain.c:5755)
==16480==    by 0x4B7F7AE: g_main_dispatch (gmain.c:3309)
==16480==    by 0x4B7F7AE: g_main_context_dispatch (gmain.c:3974)
==16480==    by 0x4B7FB37: g_main_context_iterate.constprop.0 (gmain.c:4047)
==16480==    by 0x4B7FC02: g_main_context_iteration (gmain.c:4108)
==16480==    by 0x49D374C: g_application_run (gapplication.c:2559)
==16480==    by 0x10D45C: main (abrt-applet-main.c:24)
==16480==  Address 0x30 is not stack'd, malloc'd or (recently) free'd
==16480== 
==16480== 
==16480== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==16480==  Access not within mapped region at address 0x30
==16480==    at 0x10EF9B: g_steal_pointer (gmem.h:206)
==16480==    by 0x10EF9B: process_deferred_queue (abrt-applet-application.c:87)
==16480==    by 0x4B7B47A: g_idle_dispatch (gmain.c:5755)
==16480==    by 0x4B7F7AE: g_main_dispatch (gmain.c:3309)
==16480==    by 0x4B7F7AE: g_main_context_dispatch (gmain.c:3974)
==16480==    by 0x4B7FB37: g_main_context_iterate.constprop.0 (gmain.c:4047)
==16480==    by 0x4B7FC02: g_main_context_iteration (gmain.c:4108)
==16480==    by 0x49D374C: g_application_run (gapplication.c:2559)
==16480==    by 0x10D45C: main (abrt-applet-main.c:24)
==16480==  If you believe this happened as a result of a stack
==16480==  overflow in your program's main thread (unlikely but
==16480==  possible), you can try to increase the size of the
==16480==  main thread stack using the --main-stacksize= flag.
==16480==  The main thread stack size used in this run was 8388608.
==16480== 
==16480== HEAP SUMMARY:
==16480==     in use at exit: 371,277 bytes in 5,996 blocks
==16480==   total heap usage: 165,320 allocs, 159,324 frees, 14,618,743 bytes allocated
==16480== 
==16480== LEAK SUMMARY:
==16480==    definitely lost: 95 bytes in 2 blocks
==16480==    indirectly lost: 0 bytes in 0 blocks
==16480==      possibly lost: 3,960 bytes in 28 blocks
==16480==    still reachable: 340,794 bytes in 5,759 blocks
==16480==                       of which reachable via heuristic:
==16480==                         length64           : 2,160 bytes in 42 blocks
==16480==                         newarray           : 1,904 bytes in 39 blocks
==16480==         suppressed: 20 bytes in 1 blocks
==16480== Rerun with --leak-check=full to see details of leaked memory
==16480== 
==16480== For lists of detected and suppressed errors, rerun with: -s
==16480== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)


Version-Release number of selected component (if applicable):
abrt-gui-2.14.2-1.fc33.x86_64
glib2-2.64.2-2.fc33.x86_64

How reproducible:
I've seen these abrt-applet crashes most of the time when booting or putting the system to sleep with abrt-gui-2.14.2-1.fc33.x86_64.

Steps to Reproduce:
1. boot the Fedora Rawhide KDE Plasma spin live image KDE-Live-x86_64-Rawhide-20200513.n.0.iso downloaded from https://koji.fedoraproject.org/koji/buildinfo?buildID=1506671 A network connection might be needed for the crash to occur
2. If the abrt-applet crash isn't shown in coredumpctl, select the Application menu > Leave / Power > Sleep
3.

Actual results:
abrt-applet 2.14.2-1.fc33 segmentation faulted in g_steal_pointer

Expected results:
No crashes would happen.

Additional info:
These abrt-applet crashes didn't appear with abrt-2.14.1-1.fc33 or earlier.
Comment 1 ekulik 2020-05-15 11:39:36 UTC 
Thanks for the report and investigation. I have a couple of ideas as to what the cause might be.
Comment 2 Matt Fagnani 2020-05-15 12:34:25 UTC 
Created attachment 1688905 [details]
abrt-applet segmentation fault gdb full trace of all threads

I got an abrt-applet full core file after I selected Sleep then resumed the system. The crash has been more common when sleeping/resuming than when booting. The relevant coredumpctl gdb output showed the segmentation fault in g_steal_pointer at /usr/include/glib-2.0/glib/gmem.h:206 with the invalid pointers pp=0x30 and ptr=0x30. 

Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x000055fe23dc5f9b in g_steal_pointer (pp=0x30) at /usr/include/glib-2.0/glib/gmem.h:206
206       ref = *ptr;
[Current thread is 1 (Thread 0x7fe5e85e1ac0 (LWP 1697))]

(gdb) bt full
#0  0x000055fe23dc5f9b in g_steal_pointer (pp=0x30) at /usr/include/glib-2.0/glib/gmem.h:206
        ptr = 0x30
        ref = <optimized out>
        self = 0x0
        problems = 0x0
#1  process_deferred_queue (user_data=user_data@entry=0x0) at abrt-applet-application.c:87
        self = 0x0
        problems = 0x0
#2  0x00007fe5e865447b in g_idle_dispatch
    (source=source@entry=0x55fe251d3d30, callback=0x55fe23dc5f90 <process_deferred_queue>, user_data=0x0) at ../glib/gmain.c:5755
        again = <optimized out>
#3  0x00007fe5e86587af in g_main_dispatch (context=0x55fe251ab9f0) at ../glib/gmain.c:3309
        dispatch = <optimized out>
        prev_source = 0x0
        was_in_call = <optimized out>
        user_data = 0x0
        callback = 0x55fe23dc5f90 <process_deferred_queue>
        cb_funcs = 0x7fe5e872f280 <g_source_callback_funcs>
        cb_data = 0x55fe251ee650
        need_destroy = <optimized out>
        source = 0x55fe251d3d30
        current = 0x55fe251a4990
        i = 0
--Type <RET> for more, q to quit, c to continue without paging--c
        __func__ = "g_main_dispatch"
#4  g_main_context_dispatch (context=0x55fe251ab9f0) at ../glib/gmain.c:3974
#5  0x00007fe5e8658b38 in g_main_context_iterate (context=context@entry=0x55fe251ab9f0, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at ../glib/gmain.c:4047
        max_priority = 200
        timeout = 0
        some_ready = 1
        nfds = <optimized out>
        allocated_nfds = <optimized out>
        fds = 0x55fe25193880
#6  0x00007fe5e8658c03 in g_main_context_iteration (context=context@entry=0x55fe251ab9f0, may_block=may_block@entry=1) at ../glib/gmain.c:4108
        retval = <optimized out>
#7  0x00007fe5e887b74d in g_application_run (application=0x55fe2522d090 [AbrtAppletApplication], argc=-105053068, argv=<optimized out>) at ../gio/gapplication.c:2559
        arguments = 0x55fe25193880
        status = 0
        context = 0x55fe251ab9f0
        acquired_context = <optimized out>
        __func__ = "g_application_run"
#8  0x000055fe23dc445d in main (argc=2, argv=0x7ffcf9bd05d8) at abrt-applet-main.c:24
        application = 0x55fe2522d090

The g_steal_pointer function is passed pp=0x30 I guess by process_deferred_queue at abrt-applet-application.c:87 which it assigns to *ptr. The segmentation fault happened at line 206 where ref is assigned *ptr.

(gdb) l
201     g_steal_pointer (gpointer pp)
202     {
203       gpointer *ptr = (gpointer *) pp;
204       gpointer ref;
205
206       ref = *ptr;
207       *ptr = NULL;
208
209       return ref;
210     }

I'm attaching the full trace of all threads.
Comment 3 ekulik 2020-05-15 13:53:56 UTC 
https://github.com/abrt/abrt/pull/1489

Seems that I forgot to pass the instance pointer to one of the signal handlers… Specifically, the crashes will happen during connectivity changes.
Comment 4 Fedora Update System 2020-05-22 06:07:58 UTC 
FEDORA-2020-81b7399a06 has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-81b7399a06
Comment 5 Fedora Update System 2020-05-23 04:36:24 UTC 
FEDORA-2020-81b7399a06 has been pushed to the Fedora 32 testing repository.
In short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-81b7399a06`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-81b7399a06

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Comment 6 Fedora Update System 2020-05-25 02:46:53 UTC 
FEDORA-2020-81b7399a06 has been pushed to the Fedora 32 stable repository.
If problem still persists, please make note of it in this bug report.