Bug 728458 - segfault at panel_addto_query_applets
Summary: segfault at panel_addto_query_applets
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: libbonobo
Version: 6.2
Hardware: Unspecified
OS: Linux
unspecified
high
Target Milestone: rc
: ---
Assignee: Ray Strode [halfline]
QA Contact: Desktop QE
URL:
Whiteboard:
Depends On:
Blocks: 756082
TreeView+ depends on / blocked
 
Reported: 2011-08-05 08:18 UTC by Lubos Kocman
Modified: 2012-06-20 14:22 UTC (History)
2 users (show)

Fixed In Version: libbonobo-2.24.2-5.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-06-20 14:22:47 UTC


Attachments (Terms of Use)
output of gconftool -R /apps/panel (12.61 KB, text/plain)
2011-08-05 08:18 UTC, Lubos Kocman
no flags Details
bonobo server file (35.87 KB, text/plain)
2011-08-05 08:28 UTC, Lubos Kocman
no flags Details
applet itself (67.84 KB, application/octet-stream)
2011-08-05 08:30 UTC, Lubos Kocman
no flags Details


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2012:0908 normal SHIPPED_LIVE libbonobo bug fix update 2012-06-19 20:46:47 UTC

Description Lubos Kocman 2011-08-05 08:18:55 UTC
Created attachment 516844 [details]
output of gconftool -R /apps/panel

Description of problem:

I've made clean install of one of latest nightly builds of el62x64.

This problem first occured after entering dialog with listed available plugins (afair I haven't added any)

Version-Release number of selected component (if applicable):

gnome-panel-2.30.2-14.el6.x86_64
glib2-2.22.5-6.el6.x86_64
glibc-2.12-1.34.el6.x86_64
libbonobo-2.24.2-4.el6.x86_64

How reproducible:

happens always on following configuration (see gconftool2 output)

Steps to Reproduce:
1. get same gnome-panel settings
2. right-click on the gnome-panel
3. gnome-panel crashes immediately
  
Actual results:

(gdb) continue
Continuing.
Detaching after fork from child process 11169.

Program received signal SIGSEGV, Segmentation fault.
panel_addto_query_applets (dialog=0x1228480) at panel-addto.c:429
429		for (i = 0; i < applet_list->_length; i++) {
(gdb) print applet_list->_length
Cannot access memory at address 0x4
(gdb) print applet_list
$1 = (Bonobo_ServerInfoList *) 0x0
(gdb) bt
#0  panel_addto_query_applets (dialog=0x1228480) at panel-addto.c:429
#1  panel_addto_make_applet_model (dialog=0x1228480) at panel-addto.c:544
#2  panel_addto_present_applets (dialog=0x1228480) at panel-addto.c:927
#3  0x000000000046755d in panel_addto_present (item=<value optimized out>, 
    panel_widget=0x1129080) at panel-addto.c:1476
#4  0x00000037a0a0bb3e in IA__g_closure_invoke (closure=0x11d27d0, 
    return_value=0x0, n_param_values=1, param_values=0x122a600, 
    invocation_hint=0x7ffff68f4e30) at gclosure.c:767
#5  0x00000037a0a20e23 in signal_emit_unlocked_R (node=<value optimized out>, 
    detail=0, instance=0x12e9450, emission_return=0x0, 
    instance_and_params=0x122a600) at gsignal.c:3247
#6  0x00000037a0a220af in IA__g_signal_emit_valist (
    instance=<value optimized out>, signal_id=<value optimized out>, 
    detail=<value optimized out>, var_args=0x7ffff68f5020) at gsignal.c:2980
#7  0x00000037a0a225f3 in IA__g_signal_emit (instance=<value optimized out>, 
    signal_id=<value optimized out>, detail=<value optimized out>)
    at gsignal.c:3037
#8  0x00000037a507dcce in IA__gtk_widget_activate (widget=0x12e9450)
    at gtkwidget.c:4806
#9  0x00000037a4f64bdd in IA__gtk_menu_shell_activate_item (
    menu_shell=0x129c7e0, menu_item=0x12e9450, 
    force_deactivate=<value optimized out>) at gtkmenushell.c:1139
#10 0x00000037a4f6688a in gtk_menu_shell_button_release (widget=0x129c7e0, 
---Type <return> to continue, or q <return> to quit---
    event=<value optimized out>) at gtkmenushell.c:678
#11 0x00000037a4f53ef3 in _gtk_marshal_BOOLEAN__BOXED (closure=0x10b2a60, 
    return_value=0x7ffff68f5370, n_param_values=<value optimized out>, 
    param_values=0x1224150, invocation_hint=<value optimized out>, 
    marshal_data=<value optimized out>) at gtkmarshalers.c:84
#12 0x00000037a0a0bb3e in IA__g_closure_invoke (closure=0x10b2a60, 
    return_value=0x7ffff68f5370, n_param_values=2, param_values=0x1224150, 
    invocation_hint=0x7ffff68f5330) at gclosure.c:767
#13 0x00000037a0a209ed in signal_emit_unlocked_R (node=<value optimized out>, 
    detail=0, instance=0x129c7e0, emission_return=0x7ffff68f54c0, 
    instance_and_params=0x1224150) at gsignal.c:3285
#14 0x00000037a0a21f4a in IA__g_signal_emit_valist (
    instance=<value optimized out>, signal_id=<value optimized out>, 
    detail=<value optimized out>, var_args=0x7ffff68f5520) at gsignal.c:2990
#15 0x00000037a0a225f3 in IA__g_signal_emit (instance=<value optimized out>, 
    signal_id=<value optimized out>, detail=<value optimized out>)
    at gsignal.c:3037
#16 0x00000037a5076b2f in gtk_widget_event_internal (widget=0x129c7e0, 
    event=0x12b86b0) at gtkwidget.c:4775
#17 0x00000037a4f4ac6a in IA__gtk_propagate_event (widget=0x129c7e0, 
    event=0x12b86b0) at gtkmain.c:2417
#18 0x00000037a4f4bddc in IA__gtk_main_do_event (event=0x12b86b0)
    at gtkmain.c:1622
---Type <return> to continue, or q <return> to quit---
#19 0x00000037a825fffc in gdk_event_dispatch (source=<value optimized out>, 
    callback=<value optimized out>, user_data=<value optimized out>)
    at gdkevents-x11.c:2372
#20 0x000000379e638f0e in g_main_dispatch (context=0x10ae3d0) at gmain.c:1960
#21 IA__g_main_context_dispatch (context=0x10ae3d0) at gmain.c:2513
#22 0x000000379e63c938 in g_main_context_iterate (context=0x10ae3d0, block=1, 
    dispatch=1, self=<value optimized out>) at gmain.c:2591
#23 0x000000379e63cd55 in IA__g_main_loop_run (loop=0x11c2b10) at gmain.c:2799
#24 0x00000037a4f4c2c7 in IA__gtk_main () at gtkmain.c:1218
#25 0x0000000000422da5 in main (argc=1, argv=0x7ffff68f59b8) at main.c:139






Expected results:

no segfault should appear


Additional info:

there is no clock nor notification area nor workspaces on the panel after the crash

Comment 1 Lubos Kocman 2011-08-05 08:28:42 UTC
Created attachment 516847 [details]
bonobo server file

-rw-r--r--. root root unconfined_u:object_r:lib_t:s0   /usr/lib/bonobo/servers/netbenefits.server

Comment 2 Lubos Kocman 2011-08-05 08:30:37 UTC
Created attachment 516848 [details]
applet itself

ls -laZ /usr/bin/rsu.py 
-rwxr-xr-x. lkocman users unconfined_u:object_r:user_home_t:s0 /usr/bin/rsu.py

Not sure if exactly this revision of applet works but it fits needs to reproduce this issue

Comment 4 Lubos Kocman 2011-08-05 08:32:44 UTC
The problem happens only with bonobo server file in /usr/lib/bonobo/servers.

Reproducible in selinux permissive mode.

Comment 7 RHEL Product and Program Management 2011-08-05 08:47:42 UTC
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unfortunately unable to
address this request at this time. Red Hat invites you to
ask your support representative to propose this request, if
appropriate and relevant, in the next release of Red Hat
Enterprise Linux. If you would like it considered as an
exception in the current release, please ask your support
representative.

Comment 9 RHEL Product and Program Management 2011-08-05 09:07:43 UTC
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unfortunately unable to
address this request at this time. Red Hat invites you to
ask your support representative to propose this request, if
appropriate and relevant, in the next release of Red Hat
Enterprise Linux. If you would like it considered as an
exception in the current release, please ask your support
representative.

Comment 10 Lubos Kocman 2011-08-05 10:17:41 UTC
So here what I've found:

Following two constructions in bonobo server file is causing the crash:

<b>
<a>
</b>

or 

<b/>
<a>

Seems like single unfinished tag <a> (in combination with some other finished tag <b></b> crashes gnome-panel. Following constructions works fine:

<a>

or 

<b>
<a/>
</b>

Probably a low priority, but gnome-panel shouldn't crash in any case.

Final reproducer:

1. echo "<b><a></b>" > /usr/lib/bonobo/servers/test.server
2. pkill gnome-panel
3. right-click -> Add to panel
4. echo "<b/>" > /usr/lib/bonobo/servers/test.server
5. repeat steps 2. and 3.

Comment 11 Lubos Kocman 2011-08-05 10:18:42 UTC
Correction of step 4

4. echo "<b/><a>" > /usr/lib/bonobo/servers/test.server

Comment 12 Ray Strode [halfline] 2011-08-05 15:28:35 UTC
thanks for doing the investigative work on this.

Comment 15 Ray Strode [halfline] 2012-03-01 19:43:37 UTC
so this is actually a bonobo-activation-server bug which is in a different component, libbonobo. that component isn't on the approved components list, but I assume it shouldn't be a problem to just do a swapsie with gnome-panel since this is the only gnome-panel bug.

Comment 21 errata-xmlrpc 2012-06-20 14:22:47 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0908.html


Note You need to log in before you can comment on or make changes to this bug.