Bug 850826

Summary: [abrt] sane-backends-1.0.22-11.fc17: ipConvert: Process /usr/bin/scanimage was killed by signal 11 (SIGSEGV)
Product: [Fedora] Fedora
Reporter: Jeff Layton <jlayton>
Component: hplip
Assignee: Tim Waugh <twaugh>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 17
CC: jpopelka, nphilipp, steved, twaugh
Hardware: x86_64
OS: Unspecified
Whiteboard: abrt_hash:95b98c5120410bc4167676aba4594ae3d78b6a32
Doc Type: Bug Fix
Last Closed: 2012-09-04 14:25:05 UTC
Attachments: backtrace, maps, dso_list

Description Jeff Layton 2012-08-22 13:40:23 UTC
libreport version: 2.0.10
abrt_version:   2.0.10
backtrace_rating: 4
cmdline:        scanimage -d hpaio:/net/HP_LaserJet_CM1415fnw?ip=192.168.1.10 -T
crash_function: ipConvert
executable:     /usr/bin/scanimage
kernel:         3.5.2-1.fc17.x86_64
pid:            3235
pwd:            /home/jlayton
remote_result:  NOTFOUND
time:           Wed 22 Aug 2012 09:30:38 AM EDT
uid:            4447
username:       jlayton

backtrace:      Text file, 51741 bytes
dso_list:       Text file, 4396 bytes
maps:           Text file, 20277 bytes

build_ids:

cgroup:
:9:perf_event:/
:8:blkio:/
:7:net_cls:/
:6:freezer:/
:5:devices:/
:4:memory:/
:3:cpuacct,cpu:/
:2:cpuset:/
:1:name=systemd:/user/jlayton/2

comment:
:I'm no longer able to use this scanner. I first noticed it with xsane which segfaults whenever I try to use it, but am now able to reproduce a similar segfault with scanimage -T, like so:
:
:    $ scanimage -d 'hpaio:/net/HP_LaserJet_CM1415fnw?ip=192.168.1.10' -T
:
:...opening the bug against sane-backends but I think the real bug is in hplip/libsane-hpaio.

core_backtrace:
:fccd8f7781a764ba7069834f21c49538dc7d0e0e 0xa8eb ipConvert libhpip.so.0 -
:3c2f4c93f0d43fe1f31b4f757f7cdae53c8dd9eb 0xa25b - libsane-hpaio.so.1 -
:3c2f4c93f0d43fe1f31b4f757f7cdae53c8dd9eb 0xc376 soapht_start libsane-hpaio.so.1 -
:90ef8b6de22b2a7ead0aca01f4dfa719d5c9aca2 0x34f5 main [pie] -

environ:
:XDG_VTNR=1
:SSH_AGENT_PID=1544
:XDG_SESSION_ID=2
:HOSTNAME=tlielax.poochiereds.net
:IMSETTINGS_INTEGRATE_DESKTOP=yes
:GPG_AGENT_INFO=/run/user/jlayton/keyring-ENhgT5/gpg:0:1
:TERM=xterm
:SHELL=/bin/bash
:HISTSIZE=1000
:XDG_SESSION_COOKIE=b8ede719fc84aa73fbefbae40000000b-1345636776.502606-875639263
:GJS_DEBUG_OUTPUT=stderr
:WINDOWID=39893602
:GNOME_KEYRING_CONTROL=/run/user/jlayton/keyring-ENhgT5
:QTDIR=/usr/lib64/qt-3.3
:QTINC=/usr/lib64/qt-3.3/include
:'GJS_DEBUG_TOPICS=JS ERROR;JS LOG'
:IMSETTINGS_MODULE=none
:QT_GRAPHICSSYSTEM_CHECKED=1
:USER=jlayton
:SSH_AUTH_SOCK=/run/user/jlayton/keyring-ENhgT5/ssh
:SESSION_MANAGER=local/unix:@/tmp/.ICE-unix/1418,unix/unix:/tmp/.ICE-unix/1418
:PATH=/home/jlayton/bin:/usr/lib64/qt-3.3/bin:/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/usr/kerberos/sbin:/usr/sbin:/sbin
:MAIL=/var/spool/mail/jlayton
:DESKTOP_SESSION=cinnamon
:QT_IM_MODULE=xim
:PWD=/home/jlayton
:XMODIFIERS=@im=none
:EDITOR=vim
:GNOME_KEYRING_PID=1414
:LANG=en_US.UTF-8
:KDE_IS_PRELINKED=1
:KDEDIRS=/usr
:GDMSESSION=cinnamon
:HISTCONTROL=ignoredups
:KRB5CCNAME=FILE:/tmp/krb5cc_4447_vaPHiY
:XDG_SEAT=seat0
:HOME=/home/jlayton
:SHLVL=2
:GNOME_DESKTOP_SESSION_ID=this-is-deprecated
:LOGNAME=jlayton
:QTLIB=/usr/lib64/qt-3.3/lib
:DBUS_SESSION_BUS_ADDRESS=unix:abstract=/tmp/dbus-kp3ewGcVul,guid=e79195fed9f9139024105daa0000001a
:'LESSOPEN=||/usr/bin/lesspipe.sh %s'
:WINDOWPATH=1
:XDG_RUNTIME_DIR=/run/user/jlayton
:DISPLAY=:0
:QT_PLUGIN_PATH=/usr/lib64/kde4/plugins:/usr/lib/kde4/plugins
:GTK_IM_MODULE=gtk-im-context-simple
:XAUTHORITY=/var/run/gdm/auth-for-jlayton-vuXoFW/database
:COLORTERM=gnome-terminal
:_=/usr/bin/scanimage

limits:
:Limit                     Soft Limit           Hard Limit           Units     
:Max cpu time              unlimited            unlimited            seconds   
:Max file size             unlimited            unlimited            bytes     
:Max data size             unlimited            unlimited            bytes     
:Max stack size            8388608              unlimited            bytes     
:Max core file size        0                    unlimited            bytes     
:Max resident set          unlimited            unlimited            bytes     
:Max processes             1024                 127972               processes 
:Max open files            1024                 4096                 files     
:Max locked memory         65536                65536                bytes     
:Max address space         unlimited            unlimited            bytes     
:Max file locks            unlimited            unlimited            locks     
:Max pending signals       127972               127972               signals   
:Max msgqueue size         819200               819200               bytes     
:Max nice priority         0                    0                    
:Max realtime priority     0                    0                    
:Max realtime timeout      unlimited            unlimited            us        

open_fds:
:0:/dev/pts/5
:pos:	0
:flags:	0100002
:1:/dev/pts/5
:pos:	0
:flags:	0100002
:2:/dev/pts/5
:pos:	0
:flags:	0100002
:3:socket:[733896]
:pos:	0
:flags:	02004002
:4:socket:[739780]
:pos:	0
:flags:	02
:5:socket:[739776]
:pos:	0
:flags:	02000002
:6:socket:[739807]
:pos:	0
:flags:	02004002

smolt_data:
:
:
:General
:=================================
:UUID: eaf43253-08e4-4dc1-a25b-f9f28bfafd3f
:OS: Fedora release 17 (Beefy Miracle)
:Default run level: Unknown
:Language: en_US.UTF-8
:Platform: x86_64
:BogoMIPS: 6186.05
:CPU Vendor: GenuineIntel
:CPU Model: Intel(R) Core(TM) i5-2400 CPU @ 3.10GHz
:CPU Stepping: 7
:CPU Family: 6
:CPU Model Num: 42
:Number of CPUs: 4
:CPU Speed: 3101
:System Memory: 16028
:System Swap: 10047
:Vendor: Unknown
:System:  
:Form factor: Desktop
:Kernel: 3.5.2-1.fc17.x86_64
:SELinux Enabled: 1
:SELinux Policy: targeted
:SELinux Enforce: Enforcing
:MythTV Remote: Unknown
:MythTV Role: Unknown
:MythTV Theme: Unknown
:MythTV Plugin: 
:MythTV Tuner: -1
:
:
:Devices
:=================================
:(4147:404:32902:8219) pci, xhci_hcd, USB, uPD720200 USB 3.0 Host Controller
:(32902:7202:32902:8219) pci, i801_smbus, SERIAL, 6 Series/C200 Series Chipset Family SMBus Controller
:(32902:7190:32902:8219) pci, pcieport, PCI/PCI, 6 Series/C200 Series Chipset Family PCI Express Root Port 4
:(32902:7184:32902:8219) pci, pcieport, PCI/PCI, 6 Series/C200 Series Chipset Family PCI Express Root Port 1
:(32902:7236:32902:8219) pci, lpc_ich, PCI/ISA, Z68 Express Chipset Family LPC Controller
:(4098:26808:5963:5250) pci, radeon, VIDEO, Juniper [Radeon HD 5700 Series]
:(32902:7192:32902:8219) pci, pcieport, PCI/PCI, 6 Series/C200 Series Chipset Family PCI Express Root Port 5
:(32902:7200:32902:8219) pci, snd_hda_intel, MULTIMEDIA, 6 Series/C200 Series Chipset Family High Definition Audio Controller
:(32902:5379:32902:8219) pci, e1000e, ETHERNET, 82579V Gigabit Network Connection
:(4098:43608:5963:43608) pci, snd_hda_intel, MULTIMEDIA, Juniper HDMI Audio [Radeon HD 5700 Series]
:(4739:34962:32902:8219) pci, None, PCI/PCI, N/A
:(4358:13315:32902:8219) pci, firewire_ohci, FIREWIRE, VT6315 Series Firewire Controller
:(32902:7170:32902:8219) pci, ahci, STORAGE, 6 Series/C200 Series Chipset Family 6 port SATA AHCI Controller
:(32902:7213:32902:8219) pci, ehci_hcd, USB, 6 Series/C200 Series Chipset Family USB Enhanced Host Controller #2
:(32902:7206:32902:8219) pci, ehci_hcd, USB, 6 Series/C200 Series Chipset Family USB Enhanced Host Controller #1
:(32902:256:32902:8219) pci, None, HOST/PCI, 2nd Generation Core Processor Family DRAM Controller
:(32902:7226:32902:8219) pci, mei, SIMPLE, 6 Series/C200 Series Chipset Family MEI Controller #1
:(32902:257:32902:8219) pci, pcieport, PCI/PCI, Xeon E3-1200/2nd Generation Core Processor Family PCI Express Root Port
:
:
:Filesystem Information
:=================================
:device mtpt type bsize frsize blocks bfree bavail file ffree favail
:-------------------------------------------------------------------
:/dev/mapper/vg_tlielax-lv_root / ext4 4096 4096 12901535 8847145 8191785 3276800 3045753 3045753
:/dev/md1 /boot ext4 1024 1024 495524 290581 264997 128016 127605 127605
:/dev/mapper/vg_tlielax-lv_tmp /tmp ext4 4096 4096 1032112 996880 944452 262144 261822 261822
:/dev/mapper/vg_tlielax-lv_home /home ext4 4096 4096 25803080 21444124 20133404 6553600 6439893 6439893
:/dev/mapper/vg_tlielax-lv_local WITHHELD ext4 4096 4096 12901535 10176972 9521612 3276800 3276782 3276782
:

var_log_messages:
:Aug 22 09:30:28 tlielax scanimage: bb_soapht.c 294: unknowned element=19732256
:Aug 22 09:30:38 tlielax kernel: [ 5488.284940] scanimage[3235] general protection ip:7fee3c7458eb sp:7fffb20c0c70 error:0 in libhpip.so.0.0.1[7fee3c73b000+25000]
:Aug 22 09:30:38 tlielax abrt[3236]: Saved core dump of pid 3235 (/usr/bin/scanimage) to /var/spool/abrt/ccpp-2012-08-22-09:30:38-3235 (4239360 bytes)

Comment 1 Jeff Layton 2012-08-22 13:40:30 UTC
Created attachment 606278
File: backtrace

Comment 2 Jeff Layton 2012-08-22 13:40:32 UTC
Created attachment 606279
File: maps

Comment 3 Jeff Layton 2012-08-22 13:40:34 UTC
Created attachment 606280
File: dso_list

Comment 4 Jeff Layton 2012-08-22 13:41:14 UTC
*** Bug 817922 has been marked as a duplicate of this bug. ***

Comment 5 Jeff Layton 2012-08-23 19:23:51 UTC
FWIW, downgrading to libsane-hpaio-3.11.12-2.fc17.x86_64 resolves the problem.

Comment 6 Nils Philippsen 2012-08-24 09:18:07 UTC
The crash happens here in ip/ipmain.c:791:

    HANDLE_TO_PTR (hJob, g);

This macro is defined in ip/ipdefs.h:

#define HANDLE_TO_PTR(hJob_macpar, inst_macpar)             \
do {                                                        \
    inst_macpar = (void*)hJob_macpar;                       \
    INSURE (inst_macpar->dwValidChk == CHECK_VALUE);        \
} while (0)

I guess that dereferencing inst_macpar->dwValidChk segfaults, but that's just a hunch. Changing component to hplip.

Comment 7 Jiri Popelka 2012-08-24 15:37:14 UTC
The value of hJob=0x2207615113064131 doesn't look like a correct pointer value.
It also has exactly the same value in the backtrace in bug #817922.

Anyway, the trace to the crash is:

scan/sane/soapht.c::soapht_start()
                       |
                      \/
scan/sane/soapht.c::get_ip_data(ps)
                       |
                      \/
ip/ipmain.c::ipConvert(hJob=ps->ip_handle)
                       |
                      \/
ip/ipdefs.h::HANDLE_TO_PTR(hJob, g)

and it's strange that the HANDLE_TO_PTR crashed in ipConvert(),
while it was called a few times before in soapht_start() (in ipSetDefaultInputTraits(ps->ip_handle) or ipResultMask(ps->ip_handle))
and I can't find any trace of ps->ip_handle being changed between these calls.

Comment 8 Tim Waugh 2012-08-29 15:58:37 UTC
Jeff, could you try running scanimage under valgrind?

1. First, install hplip-debuginfo:

yum --enablerepo=updates-debuginfo install hplip-debuginfo

2. Then run valgrind:

valgrind scanimage -d 'hpaio:/net/HP_LaserJet_CM1415fnw?ip=192.168.1.10' -T

When I run it here I see two warnings about http_read() -- but they wouldn't cause what you're seeing so they can be ignored.

What output do you get?

Comment 9 Jeff Layton 2012-09-04 11:41:10 UTC
Here's what I get:

$ valgrind scanimage -d 'hpaio:/net/HP_LaserJet_CM1415fnw?ip=192.168.1.10' -T
==7689== Memcheck, a memory error detector
==7689== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
==7689== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
==7689== Command: scanimage -d hpaio:/net/HP_LaserJet_CM1415fnw?ip=192.168.1.10 -T
==7689== 
==7689== Conditional jump or move depends on uninitialised value(s)
==7689==    at 0x1211359B: get_tag (xml.c:72)
==7689==    by 0x1210FAB7: parse_scan_elements (bb_soapht.c:230)
==7689==    by 0x12111ED6: get_scanner_elements (bb_soapht.c:682)
==7689==    by 0x1211227E: bb_open (bb_soapht.c:790)
==7689==    by 0x7B8E922: soapht_open (soapht.c:504)
==7689==    by 0x7B86FAA: sane_hpaio_open (hpaio.c:338)
==7689==    by 0x4C44422: sane_dll_open (dll.c:1199)
==7689==    by 0x10A4B0: main (scanimage.c:1998)
==7689== 
==7689== Conditional jump or move depends on uninitialised value(s)
==7689==    at 0x121135B3: get_tag (xml.c:74)
==7689==    by 0x1210FAB7: parse_scan_elements (bb_soapht.c:230)
==7689==    by 0x12111ED6: get_scanner_elements (bb_soapht.c:682)
==7689==    by 0x1211227E: bb_open (bb_soapht.c:790)
==7689==    by 0x7B8E922: soapht_open (soapht.c:504)
==7689==    by 0x7B86FAA: sane_hpaio_open (hpaio.c:338)
==7689==    by 0x4C44422: sane_dll_open (dll.c:1199)
==7689==    by 0x10A4B0: main (scanimage.c:1998)
==7689== 
==7689== Invalid read of size 4
==7689==    at 0x7DB28EB: ipConvert (ipmain.c:791)
==7689==    by 0x7B8D25A: get_ip_data (soapht.c:188)
==7689==    by 0x7B8F375: soapht_start (soapht.c:1052)
==7689==    by 0x10B4F4: main (scanimage.c:1541)
==7689==  Address 0x2207615113065265 is not stack'd, malloc'd or (recently) free'd
==7689== 
==7689== 
==7689== Process terminating with default action of signal 11 (SIGSEGV)
==7689==  General Protection Fault
==7689==    at 0x7DB28EB: ipConvert (ipmain.c:791)
==7689==    by 0x7B8D25A: get_ip_data (soapht.c:188)
==7689==    by 0x7B8F375: soapht_start (soapht.c:1052)
==7689==    by 0x10B4F4: main (scanimage.c:1541)
==7689== 
==7689== HEAP SUMMARY:
==7689==     in use at exit: 764,785 bytes in 13,953 blocks
==7689==   total heap usage: 31,262 allocs, 17,309 frees, 2,054,057 bytes allocated
==7689== 
==7689== LEAK SUMMARY:
==7689==    definitely lost: 4,484 bytes in 2 blocks
==7689==    indirectly lost: 0 bytes in 0 blocks
==7689==      possibly lost: 0 bytes in 0 blocks
==7689==    still reachable: 760,301 bytes in 13,951 blocks
==7689==         suppressed: 0 bytes in 0 blocks
==7689== Rerun with --leak-check=full to see details of leaked memory
==7689== 
==7689== For counts of detected and suppressed errors, rerun with: -v
==7689== Use --track-origins=yes to see where uninitialised values come from
==7689== ERROR SUMMARY: 3 errors from 3 contexts (suppressed: 2 from 2)
Segmentation fault (core dumped)

Comment 10 Jeff Layton 2012-09-04 12:22:10 UTC
From a naive look at this code, it looks like get_ip_data passed in a bogus (maybe uninitialized?) hJob pointer to ipConvert. That seems to come from ps->ip_handle (where ps is the struct soap_session). I assume that the soap_session gets allocated in create_session() and should therefore be initialized to 0 there.

From there, it looks like that should get set in ipOpen via:

    IP_MEM_ALLOC (sizeof(INST) + nClientData, g);
    *phJob = g;

...while the code is pretty wrapper-heavy and hard to follow, I don't see any obvious bugs. Perhaps something else is scribbling over this value?

Comment 11 Jiri Popelka 2012-09-04 13:14:39 UTC
(In reply to comment #10)
> Perhaps something else is scribbling over this value?

Seems to.

From this code:

ipResultMask(ps->ip_handle, IP_PARSED_HEADER);
while (1) {
  ret = get_ip_data(ps, NULL, 0, NULL);
  ... // nothing touches ps->ip_handle here
}

it must be something in get_ip_data, because the ipResultMask(ps->ip_handle,...)
also calls HANDLE_TO_PTR(hJob, g) and it's OK.

get_ip_data() calls bb_get_image_data(ps), which is a function from a dynamically loaded plugin. I think this could be the source of the ps->ip_handle ravaging.

Comment 12 Jiri Popelka 2012-09-04 13:42:19 UTC
(In reply to comment #11)
> bb_get_image_data(ps) which is a function from dynamically loaded plugin

If I read the bb_load() in soapht.c correctly, the plugin should be /usr/share/hplip/scan/plugins/bb_soapht.so, which is not provided by any package. It's the proprietary plugin, installed via hp-plugin, so there's nothing we can do here, except reporting it upstream.

Comment 13 Jeff Layton 2012-09-04 14:25:05 UTC
Good call -- there must have been some sort of subtle ABI breakage between hplip-3.11 and 3.12.

I reran hp-check-plugin and it downloaded a newer version of the binary goop which doesn't cause the segfault. I think we can close this as NOTABUG.

Now if I just had some way to monitor whether their binary junk was out of date without needing some stupid tray icon, I'd be set...

Thanks for the help!

Comment 14 Jeff Layton 2012-09-04 15:53:41 UTC
Now that I look, I think the main problem was that I had the 3.11 version of the plugin, which didn't work correctly with the 3.12 open-source parts. I wonder if we should have some sort of check in the postinstall scriptlet that looks for that sort of incompatibility?

Comment 15 Tim Waugh 2012-09-10 15:24:38 UTC
Reported upstream:
  https://bugs.launchpad.net/hplip/+bug/1048691
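
Added example, not part of the original thread and not hplip code: a minimal C model of the failure mode hypothesised in comments 11 to 14, where a plugin built against an older session layout stores into the slot that now holds ps->ip_handle, next to a layout check that refuses such a plugin before it runs. The struct layouts, the ABI_ID fingerprint and all function names other than ip_handle are assumptions made for illustration; the thread does not establish what the plugin actually wrote.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical layouts: the real struct soap_session is not shown in this bug. */
struct session_old {              /* header the stale plugin was built against */
    char      tag[8];
    uintptr_t index;              /* plugin-owned counter */
    void     *ip_handle;
};
struct session_new {              /* header the current host library uses */
    char      tag[8];
    void     *ip_handle;          /* now sits at the old offset of 'index' */
    uintptr_t index;
};

/* Layout fingerprint: struct size plus the offset of the field that matters.
 * Size alone would not help here, since both layouts have the same size. */
#define ABI_ID(T) ((uint32_t)((sizeof(T) << 8) | offsetof(T, ip_handle)))

enum { CALL_OK = 0, ERR_ABI_MISMATCH = -1, ERR_CLOBBERED = -2 };
typedef void (*plugin_fn)(void *ps);

/* Stand-in for a stale plugin's bb_get_image_data(): it stores its counter
 * at the OLD offset. memcpy keeps the demo free of undefined behaviour. */
static void stale_get_image_data(void *ps)
{
    uintptr_t v = 1;              /* constructed counter value, not an address */
    memcpy((char *)ps + offsetof(struct session_old, index), &v, sizeof v);
}

/* Unchecked call. The handle is compared bytewise rather than dereferenced:
 * HANDLE_TO_PTR has to read through the pointer before it can validate it. */
static int call_unchecked(struct session_new *ps, plugin_fn fn)
{
    void *before = ps->ip_handle;
    fn(ps);
    return memcmp(&ps->ip_handle, &before, sizeof before) ? ERR_CLOBBERED : CALL_OK;
}

/* Checked call: a plugin reporting a different fingerprint is never run. */
static int call_checked(struct session_new *ps, plugin_fn fn, uint32_t plugin_abi)
{
    if (plugin_abi != ABI_ID(struct session_new)) return ERR_ABI_MISMATCH;
    return call_unchecked(ps, fn);
}

static int job;                   /* stands in for the INST that ipOpen allocates */

int demo_unchecked(void)
{
    struct session_new s = { "soapht", &job, 0 };
    return call_unchecked(&s, stale_get_image_data);
}

/* Returns ERR_ABI_MISMATCH only if the plugin was refused AND the handle survived. */
int demo_checked(void)
{
    struct session_new s = { "soapht", &job, 0 };
    int rc = call_checked(&s, stale_get_image_data, ABI_ID(struct session_old));
    return (rc == ERR_ABI_MISMATCH && s.ip_handle == &job) ? rc : CALL_OK;
}

int main(void)
{
    /* Exit status 0 when both outcomes are as described above. */
    return (demo_unchecked() == ERR_CLOBBERED && demo_checked() == ERR_ABI_MISMATCH) ? 0 : 1;
}
```
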