Bug 584991 - [abrt] crash in system-config-printer-1.1.18-2.fc12 when pressing "Reset" on number of copies
[abrt] crash in system-config-printer-1.1.18-2.fc12 when pressing "Reset" on ...
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: system-config-printer (Show other bugs)
12
i686 Linux
low Severity medium
: ---
: ---
Assigned To: Tim Waugh
Fedora Extras Quality Assurance
abrt_hash:6d612da01e4603072752565de05...
:
Depends On:
Blocks: 608070
  Show dependency treegraph
 
Reported: 2010-04-22 16:35 EDT by ewc
Modified: 2010-07-26 22:53 EDT (History)
2 users (show)

See Also:
Fixed In Version: system-config-printer-1.1.19-3.fc12
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 608070 (view as bug list)
Environment:
Last Closed: 2010-07-26 22:53:36 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
File: backtrace (19.62 KB, text/plain)
2010-04-22 16:35 EDT, ewc
no flags Details
generated under valgrind (160.38 KB, text/plain)
2010-04-23 13:02 EDT, ewc
no flags Details

  None (edit)
Description ewc 2010-04-22 16:35:20 EDT
abrt 1.0.8 detected a crash.

architecture: i686
Attached file: backtrace
cmdline: python /usr/share/system-config-printer/system-config-printer.py
component: system-config-printer
executable: /usr/bin/python
kernel: 2.6.32.11-99.fc12.i686
package: system-config-printer-1.1.18-2.fc12
rating: 4
reason: Process /usr/bin/python was killed by signal 11 (SIGSEGV)
release: Fedora release 12 (Constantine)

How to reproduce
-----
1.Change Job Options on default printer to 30 copies
2.Print job
3.Click "Reset" on number of copies to return value to 1
4.Click "Apply"
5.Close printer properties window - abrt notification appears
Comment 1 ewc 2010-04-22 16:35:25 EDT
Created attachment 408441 [details]
File: backtrace
Comment 2 Jiri Popelka 2010-04-23 03:46:45 EDT
I was not able to reproduce the crash.
Are you able to reproduce it again ?
Comment 3 ewc 2010-04-23 09:21:57 EDT
Yes but not always, problem seems to occur about 8 out of 10 times. abrt reports an error (notification icon appears), but does not generate a new traceback. This is within a print job involving 14 batches of 30 copies each and I have done testing by resetting after every send to printer.

The problem never occurs when changing number of printed copies from 1 to 30, but only appears when pressing "reset" and then either "apply" or "okay". I have not tried rolling number back down from 30 to 1 (and my print job is done so I won't have the opportunity to test that).

At times, the problem appears at authentication time (the Authentication window opens but does not complete, stays grey), then Authentication, Printer Properties, and Printer Configuration windows all close with abrt notification. Other times Authentication window does not appear at all (there is a timeout for this? which has not been reached?), but other two windows close with abrt notification. Yet other times, number of copy change appears to work okay in Printer Properties window and I can close that window okay, but then abrt notification occurs when I close Printer Configuration window.
Comment 4 Tim Waugh 2010-04-23 11:52:08 EDT
Let's try running it under valgrind.  Please run this from a terminal window:

valgrind --log-file=valgrind.txt python \
  /usr/share/system-config-printer/system-config-printer.py

(Warning -- it will be slow!)

Please attach the valgrind.txt file even if you can't get it to crash in the same way.

(I've tried running it under valgrind here and don't see anything unusual...)
Comment 5 ewc 2010-04-23 13:02:39 EDT
Created attachment 408676 [details]
generated under valgrind

Ran under valgrind 3 times: changed number of copies from 1 to 30, clicked "ok", then re-opened Printer Properties window, clicked "reset" then "ok". Then closed Printer Configuration window. No crashes. Each time, content/length of valgrind.txt was different.

Because three valgrind.txt files were different and no crash, and because crashes occurred when resetting copies back to 1 from 30, I ran Printer Configuration the usual way (from control panel) to change number of copies from 1 to 30. Then I ran Printer Configuration again but under valgrind to reset copies from 30 to 1. Got request for authorization both times, with no crash. Valgrind.txt file attached is output from this last run.

I have renamed output files from each of the earlier runs and can supply them if required.
Comment 6 Tim Waugh 2010-05-19 11:47:08 EDT
OK, so this is quite noisy because some parts of Python always seem to generate warnings with valgrind.  But there are some interesting bits, which I found by searching for 'cups.so'.  Here is one:

==10425== Invalid write of size 1
==10425==    at 0xAFDC3C: _IO_default_xsputn (in /lib/libc-2.11.1.so)
==10425==    by 0xAD02ED: vfprintf (in /lib/libc-2.11.1.so)
==10425==    by 0xB82AC6: __vsprintf_chk (in /lib/libc-2.11.1.so)
==10425==    by 0xB82A0C: __sprintf_chk (in /lib/libc-2.11.1.so)
==10425==    by 0x580D0CF: ??? (in /usr/lib/python2.6/site-packages/cups.so)
==10425==    by 0x7DE8089: PyCFunction_Call (in /usr/lib/libpython2.6.so.1.0)
==10425==    by 0x7DA780C: PyObject_Call (in /usr/lib/libpython2.6.so.1.0)
==10425==    by 0x7E42FF7: PyEval_EvalFrameEx (in /usr/lib/libpython2.6.so.1.0)
==10425==    by 0x7E45EE9: PyEval_EvalCodeEx (in /usr/lib/libpython2.6.so.1.0)
==10425==    by 0x7DD4387: ??? (in /usr/lib/libpython2.6.so.1.0)
==10425==    by 0x7DA780C: PyObject_Call (in /usr/lib/libpython2.6.so.1.0)
==10425==    by 0x7E42FF7: PyEval_EvalFrameEx (in /usr/lib/libpython2.6.so.1.0)
==10425==  Address 0x75be753 is 0 bytes after a block of size 11 alloc'd
==10425==    at 0x4005BDC: malloc (vg_replace_malloc.c:195)
==10425==    by 0x580D091: ??? (in /usr/lib/python2.6/site-packages/cups.so)
==10425==    by 0x7DE8089: PyCFunction_Call (in /usr/lib/libpython2.6.so.1.0)
==10425==    by 0x7DA780C: PyObject_Call (in /usr/lib/libpython2.6.so.1.0)
==10425==    by 0x7E42FF7: PyEval_EvalFrameEx (in /usr/lib/libpython2.6.so.1.0)
==10425==    by 0x7E45EE9: PyEval_EvalCodeEx (in /usr/lib/libpython2.6.so.1.0)
==10425==    by 0x7DD4387: ??? (in /usr/lib/libpython2.6.so.1.0)
==10425==    by 0x7DA780C: PyObject_Call (in /usr/lib/libpython2.6.so.1.0)
==10425==    by 0x7E42FF7: PyEval_EvalFrameEx (in /usr/lib/libpython2.6.so.1.0)
==10425==    by 0x7E45EE9: PyEval_EvalCodeEx (in /usr/lib/libpython2.6.so.1.0)
==10425==    by 0x7DD4387: ??? (in /usr/lib/libpython2.6.so.1.0)
==10425==    by 0x7DA780C: PyObject_Call (in /usr/lib/libpython2.6.so.1.0)

Unfortunately you didn't have system-config-printer-debuginfo installed, or else valgrind decided not to find any symbols for cups.so, so we just have this:

==10425==    at 0xAFDC3C: _IO_default_xsputn (in /lib/libc-2.11.1.so)
==10425==    by 0xAD02ED: vfprintf (in /lib/libc-2.11.1.so)
==10425==    by 0xB82AC6: __vsprintf_chk (in /lib/libc-2.11.1.so)
==10425==    by 0xB82A0C: __sprintf_chk (in /lib/libc-2.11.1.so)
==10425==    by 0x580D0CF: ??? (in /usr/lib/python2.6/site-packages/cups.so)

But luckily there are only two places in pycups that use sprintf, and I found a bug in one of them. :-)

The bug was like this:

const char *const suffix = "-default";
...
optionlen = strlen (option);
p = malloc (optionlen + sizeof (suffix) + 1);
memcpy (p, option, optionlen);
sprintf (p + optionlen, suffix);

Here, suffix should have been declared like this:

const char const suffix[] = "-default";

i.e. an automatic array, where sizeof(suffix) tells us the string length.  As it was declared as a pointer, sizeof() just tells us the size of a pointer.  Coincidentally, the string length (8) is the same as the pointer size on the architecture I'm using here (x86_64), so it wasn't possible for me to reproduce the error.  You're using a 32-bit platform though, so our malloc size is 4 bytes too short.

I've built a system-config-printer package incorporating this fix.  Could you please give it a go?  Fetch all the packages for your architecture and then run:

yum update --nogpgcheck system-config-printer*1.1.19-2.fc12*

http://koji.fedoraproject.org/koji/buildinfo?buildID=174174
Comment 7 Tim Waugh 2010-06-25 11:14:15 EDT
*ping*
Comment 8 Tim Waugh 2010-06-25 12:25:00 EDT
Setting this to modified in the absence of other feedback.
Comment 9 ewc 2010-06-25 12:46:00 EDT
Hi Tim. Sorry for the delay, work keep getting in the way.

I tried the update but get this message:
--snip--
No Match for argument: system-config-printer*1.1.19-2.fc12*
No package system-config-printer*1.1.19-2.fc12* available.
No Packages marked for Update
--snip--
Comment 10 Jiri Popelka 2010-06-25 16:37:39 EDT
I'm not sure where the problem is but here's my procedure:

Download all i686 packages from
http://koji.fedoraproject.org/koji/buildinfo?buildID=174174
into empty directory, go into that directory and run
yum --nogpgcheck localupdate *.rpm
Comment 11 ewc 2010-06-25 17:17:19 EDT
Thanks for holding my hand Jiri.

updated system-config-printer from 1.1.18-2.fc12 to 1.1.19-2.fc12 and now cannot make it crash after ten to twelve tries.
Comment 12 Fedora Update System 2010-06-28 12:21:44 EDT
system-config-printer-1.1.19-3.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/system-config-printer-1.1.19-3.fc12
Comment 13 Fedora Update System 2010-06-29 11:31:45 EDT
system-config-printer-1.1.19-3.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update system-config-printer'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/system-config-printer-1.1.19-3.fc12
Comment 14 Fedora Update System 2010-07-26 22:52:25 EDT
system-config-printer-1.1.19-3.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.