Bug 894560

Summary: [abrt] PackageKit-0.8.6-1.fc18: zif_md_set_location: Process /usr/libexec/packagekitd was killed by signal 6 (SIGABRT)
Product: [Fedora] Fedora
Reporter: D. Charles Pyle <dcharlespyle>
Component: PackageKit
Assignee: Richard Hughes <rhughes>
Status: CLOSED CANTFIX
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 18
CC: jonathan, rdieter, rhughes, rvitale, scampa.giovanni, smparrish
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Unspecified   
Whiteboard: abrt_hash:0a194115c892d6310079b76191389f27f15678d2
Doc Type: Bug Fix
Last Closed: 2013-12-10 16:53:41 UTC
Attachments (description, flags):
File: backtrace (flags: none)
File: build_ids (flags: none)
File: cgroup (flags: none)
File: core_backtrace (flags: none)
File: dso_list (flags: none)
File: environ (flags: none)
File: limits (flags: none)
File: maps (flags: none)
File: open_fds (flags: none)
File: proc_pid_status (flags: none)
File: smolt_data (flags: none)
File: var_log_messages (flags: none)

Description D. Charles Pyle 2013-01-12 06:53:14 UTC
Description of problem:
Trying to install updates using PackageKit after being notified of updates. It got about halfway through and promptly threw an error, followed by the crash you see here. As to what else caused it I do not know. At least this time it didn't corrupt the package databases like it usually does.

Version-Release number of selected component:
PackageKit-0.8.6-1.fc18

Additional info:
backtrace_rating: 4
cmdline:        /usr/libexec/packagekitd
crash_function: zif_md_set_location
executable:     /usr/libexec/packagekitd
kernel:         3.7.1-5.fc18.x86_64
remote_result:  NOTFOUND
uid:            0

Truncated backtrace:
Thread no. 1 (10 frames)
 #6 zif_md_set_location at zif-md.c:284
 #7 zif_store_remote_parser_start_element at zif-store-remote.c:312
 #8 emit_start_element at gmarkup.c:983
 #9 g_markup_parse_context_parse at gmarkup.c:1320
 #10 zif_store_remote_parse_repomd at zif-store-remote.c:1145
 #11 zif_store_remote_process_repomd at zif-store-remote.c:1490
 #12 zif_store_remote_load_metadata at zif-store-remote.c:1676
 #13 zif_store_remote_find_package at zif-store-remote.c:3375
 #14 zif_store_find_package at zif-store.c:1761
 #15 zif_store_array_find_package at zif-store-array.c:461

Comment 1 D. Charles Pyle 2013-01-12 06:53:17 UTC
Created attachment 677196 [details]
File: backtrace

Comment 2 D. Charles Pyle 2013-01-12 06:53:18 UTC
Created attachment 677197 [details]
File: build_ids

Comment 3 D. Charles Pyle 2013-01-12 06:53:20 UTC
Created attachment 677198 [details]
File: cgroup

Comment 4 D. Charles Pyle 2013-01-12 06:53:23 UTC
Created attachment 677199 [details]
File: core_backtrace

Comment 5 D. Charles Pyle 2013-01-12 06:53:24 UTC
Created attachment 677200 [details]
File: dso_list

Comment 6 D. Charles Pyle 2013-01-12 06:53:26 UTC
Created attachment 677201 [details]
File: environ

Comment 7 D. Charles Pyle 2013-01-12 06:53:27 UTC
Created attachment 677202 [details]
File: limits

Comment 8 D. Charles Pyle 2013-01-12 06:53:29 UTC
Created attachment 677203 [details]
File: maps

Comment 9 D. Charles Pyle 2013-01-12 06:53:30 UTC
Created attachment 677204 [details]
File: open_fds

Comment 10 D. Charles Pyle 2013-01-12 06:53:32 UTC
Created attachment 677205 [details]
File: proc_pid_status

Comment 11 D. Charles Pyle 2013-01-12 06:53:33 UTC
Created attachment 677206 [details]
File: smolt_data

Comment 12 D. Charles Pyle 2013-01-12 06:53:35 UTC
Created attachment 677207 [details]
File: var_log_messages

Comment 13 Giovanni Campagna 2013-01-26 16:24:39 UTC
I stumbled on a similar bug today, it's 100% reproducible running gpk-update-viewer with the zif backend.
My crash is in zif_md_set_checksum or zif_md_set_checksum_uncompressed, but the source of error is the same (double free or corruption).
The interesting part is that the sources look correct (the variable is initialized to NULL, freed and then set with the return value of strdup()), but it still crashes.

Attempting to use MALLOC_PERTURB_=73, I got a crash once inside g_markup_context_free() (for the context used to parse repomds), attempting to double free the string pool used for attributes.
My assumption is that glib is correct here, so the reason would be a double free of the GMarkupContext, but once again, the code seems correct.
Subsequent tests with the same value of MALLOC_PERTURB_ did not cause the segfault, going back to the previous abort.

Also, I got no crash at all under valgrind --tool=memcheck, and not even a bad memory access.
Suspecting a race (which would be invisible in valgrind), I tried helgrind and drd, but once again, I had no luck at finding the root of this problem.
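
Added example, not part of the original comments and not zif code: a sketch of the hypothesis in comment 13, showing how a setter that frees the old string and stores a strdup() copy is correct single-threaded yet can double free when two threads call it at once, next to a mutex-protected form. The struct, function names and sample strings are hypothetical and constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a metadata object; not zif's real struct. */
struct md { char *location; pthread_mutex_t lock; };

/* Single-threaded this is correct: free the old value, store a fresh copy.
 * If two threads enter together, both can pass the same old pointer to
 * free() before either stores, and glibc aborts (SIGABRT, double free). */
void md_set_location_racy(struct md *m, const char *v) {
    free(m->location);
    m->location = strdup(v);
}

/* Hardened: swap the pointer inside one critical section, so every old
 * pointer is handed to exactly one caller, who frees it after unlocking. */
void md_set_location_locked(struct md *m, const char *v) {
    char *copy = strdup(v);
    pthread_mutex_lock(&m->lock);
    char *old = m->location;
    m->location = copy;
    pthread_mutex_unlock(&m->lock);
    free(old);
}

struct job { struct md *m; const char *v; };

static void *worker(void *arg) {
    struct job *j = arg;
    for (int i = 0; i < 20000; i++)
        md_set_location_locked(j->m, j->v);
    return NULL;
}

/* Two threads hammer the locked setter with constructed sample values.
 * Returns 1 if the field ends up holding one of the two intact strings. */
int stress_locked_setter(void) {
    struct md m = { NULL, PTHREAD_MUTEX_INITIALIZER };
    struct job a = { &m, "repodata/primary.xml.gz" };
    struct job b = { &m, "repodata/filelists.xml.gz" };
    pthread_t ta, tb;
    if (pthread_create(&ta, NULL, worker, &a)) return 0;
    if (pthread_create(&tb, NULL, worker, &b)) { pthread_join(ta, NULL); return 0; }
    pthread_join(ta, NULL);
    pthread_join(tb, NULL);
    int ok = m.location && (!strcmp(m.location, a.v) || !strcmp(m.location, b.v));
    free(m.location);
    return ok;
}
```

Building the racy variant with `-fsanitize=thread` makes the compiler's ThreadSanitizer report the unsynchronized write to `location`.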

Comment 14 Richard Hughes 2013-12-10 16:53:41 UTC
In F20 and rawhide the zif backend has been replaced by hawkey.