728458 – segfault at panel_addto_query_applets

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 728458 - segfault at panel_addto_query_applets

Summary: segfault at panel_addto_query_applets

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	libbonobo
Sub Component:
Version:	6.2
Hardware:	Unspecified
OS:	Linux
Priority:	unspecified
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Ray Strode [halfline]
QA Contact:	Desktop QE
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	756082
TreeView+	depends on / blocked

Reported:	2011-08-05 08:18 UTC by Lubos Kocman
Modified:	2012-06-20 14:22 UTC (History)
CC List:	2 users (show)
Fixed In Version:	libbonobo-2.24.2-5.el6
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2012-06-20 14:22:47 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
output of gconftool -R /apps/panel (12.61 KB, text/plain) 2011-08-05 08:18 UTC, Lubos Kocman	no flags	Details
bonobo server file (35.87 KB, text/plain) 2011-08-05 08:28 UTC, Lubos Kocman	no flags	Details
applet itself (67.84 KB, application/octet-stream) 2011-08-05 08:30 UTC, Lubos Kocman	no flags	Details
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2012:0908	0	normal	SHIPPED_LIVE	libbonobo bug fix update	2012-06-19 20:46:47 UTC

Description Lubos Kocman 2011-08-05 08:18:55 UTC

Created attachment 516844 [details]
output of gconftool -R /apps/panel

Description of problem:

I've made clean install of one of latest nightly builds of el62x64.

This problem first occured after entering dialog with listed available plugins (afair I haven't added any)

Version-Release number of selected component (if applicable):

gnome-panel-2.30.2-14.el6.x86_64
glib2-2.22.5-6.el6.x86_64
glibc-2.12-1.34.el6.x86_64
libbonobo-2.24.2-4.el6.x86_64

How reproducible:

happens always on following configuration (see gconftool2 output)

Steps to Reproduce:
1. get same gnome-panel settings
2. right-click on the gnome-panel
3. gnome-panel crashes immediately
  
Actual results:

(gdb) continue
Continuing.
Detaching after fork from child process 11169.

Program received signal SIGSEGV, Segmentation fault.
panel_addto_query_applets (dialog=0x1228480) at panel-addto.c:429
429		for (i = 0; i < applet_list->_length; i++) {
(gdb) print applet_list->_length
Cannot access memory at address 0x4
(gdb) print applet_list
$1 = (Bonobo_ServerInfoList *) 0x0
(gdb) bt
#0  panel_addto_query_applets (dialog=0x1228480) at panel-addto.c:429
#1  panel_addto_make_applet_model (dialog=0x1228480) at panel-addto.c:544
#2  panel_addto_present_applets (dialog=0x1228480) at panel-addto.c:927
#3  0x000000000046755d in panel_addto_present (item=<value optimized out>, 
    panel_widget=0x1129080) at panel-addto.c:1476
#4  0x00000037a0a0bb3e in IA__g_closure_invoke (closure=0x11d27d0, 
    return_value=0x0, n_param_values=1, param_values=0x122a600, 
    invocation_hint=0x7ffff68f4e30) at gclosure.c:767
#5  0x00000037a0a20e23 in signal_emit_unlocked_R (node=<value optimized out>, 
    detail=0, instance=0x12e9450, emission_return=0x0, 
    instance_and_params=0x122a600) at gsignal.c:3247
#6  0x00000037a0a220af in IA__g_signal_emit_valist (
    instance=<value optimized out>, signal_id=<value optimized out>, 
    detail=<value optimized out>, var_args=0x7ffff68f5020) at gsignal.c:2980
#7  0x00000037a0a225f3 in IA__g_signal_emit (instance=<value optimized out>, 
    signal_id=<value optimized out>, detail=<value optimized out>)
    at gsignal.c:3037
#8  0x00000037a507dcce in IA__gtk_widget_activate (widget=0x12e9450)
    at gtkwidget.c:4806
#9  0x00000037a4f64bdd in IA__gtk_menu_shell_activate_item (
    menu_shell=0x129c7e0, menu_item=0x12e9450, 
    force_deactivate=<value optimized out>) at gtkmenushell.c:1139
#10 0x00000037a4f6688a in gtk_menu_shell_button_release (widget=0x129c7e0, 
---Type <return> to continue, or q <return> to quit---
    event=<value optimized out>) at gtkmenushell.c:678
#11 0x00000037a4f53ef3 in _gtk_marshal_BOOLEAN__BOXED (closure=0x10b2a60, 
    return_value=0x7ffff68f5370, n_param_values=<value optimized out>, 
    param_values=0x1224150, invocation_hint=<value optimized out>, 
    marshal_data=<value optimized out>) at gtkmarshalers.c:84
#12 0x00000037a0a0bb3e in IA__g_closure_invoke (closure=0x10b2a60, 
    return_value=0x7ffff68f5370, n_param_values=2, param_values=0x1224150, 
    invocation_hint=0x7ffff68f5330) at gclosure.c:767
#13 0x00000037a0a209ed in signal_emit_unlocked_R (node=<value optimized out>, 
    detail=0, instance=0x129c7e0, emission_return=0x7ffff68f54c0, 
    instance_and_params=0x1224150) at gsignal.c:3285
#14 0x00000037a0a21f4a in IA__g_signal_emit_valist (
    instance=<value optimized out>, signal_id=<value optimized out>, 
    detail=<value optimized out>, var_args=0x7ffff68f5520) at gsignal.c:2990
#15 0x00000037a0a225f3 in IA__g_signal_emit (instance=<value optimized out>, 
    signal_id=<value optimized out>, detail=<value optimized out>)
    at gsignal.c:3037
#16 0x00000037a5076b2f in gtk_widget_event_internal (widget=0x129c7e0, 
    event=0x12b86b0) at gtkwidget.c:4775
#17 0x00000037a4f4ac6a in IA__gtk_propagate_event (widget=0x129c7e0, 
    event=0x12b86b0) at gtkmain.c:2417
#18 0x00000037a4f4bddc in IA__gtk_main_do_event (event=0x12b86b0)
    at gtkmain.c:1622
---Type <return> to continue, or q <return> to quit---
#19 0x00000037a825fffc in gdk_event_dispatch (source=<value optimized out>, 
    callback=<value optimized out>, user_data=<value optimized out>)
    at gdkevents-x11.c:2372
#20 0x000000379e638f0e in g_main_dispatch (context=0x10ae3d0) at gmain.c:1960
#21 IA__g_main_context_dispatch (context=0x10ae3d0) at gmain.c:2513
#22 0x000000379e63c938 in g_main_context_iterate (context=0x10ae3d0, block=1, 
    dispatch=1, self=<value optimized out>) at gmain.c:2591
#23 0x000000379e63cd55 in IA__g_main_loop_run (loop=0x11c2b10) at gmain.c:2799
#24 0x00000037a4f4c2c7 in IA__gtk_main () at gtkmain.c:1218
#25 0x0000000000422da5 in main (argc=1, argv=0x7ffff68f59b8) at main.c:139






Expected results:

no segfault should appear


Additional info:

there is no clock nor notification area nor workspaces on the panel after the crash

Comment 1 Lubos Kocman 2011-08-05 08:28:42 UTC

Created attachment 516847 [details]
bonobo server file

-rw-r--r--. root root unconfined_u:object_r:lib_t:s0   /usr/lib/bonobo/servers/netbenefits.server

Comment 2 Lubos Kocman 2011-08-05 08:30:37 UTC

Created attachment 516848 [details]
applet itself

ls -laZ /usr/bin/rsu.py 
-rwxr-xr-x. lkocman users unconfined_u:object_r:user_home_t:s0 /usr/bin/rsu.py

Not sure if exactly this revision of applet works but it fits needs to reproduce this issue

Comment 4 Lubos Kocman 2011-08-05 08:32:44 UTC

The problem happens only with bonobo server file in /usr/lib/bonobo/servers.

Reproducible in selinux permissive mode.

Comment 7 RHEL Program Management 2011-08-05 08:47:42 UTC

This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unfortunately unable to
address this request at this time. Red Hat invites you to
ask your support representative to propose this request, if
appropriate and relevant, in the next release of Red Hat
Enterprise Linux. If you would like it considered as an
exception in the current release, please ask your support
representative.

Comment 9 RHEL Program Management 2011-08-05 09:07:43 UTC

This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unfortunately unable to
address this request at this time. Red Hat invites you to
ask your support representative to propose this request, if
appropriate and relevant, in the next release of Red Hat
Enterprise Linux. If you would like it considered as an
exception in the current release, please ask your support
representative.

Comment 10 Lubos Kocman 2011-08-05 10:17:41 UTC

So here what I've found:

Following two constructions in bonobo server file is causing the crash:

<b>
<a>
</b>

or 

<b/>
<a>

Seems like single unfinished tag <a> (in combination with some other finished tag <b></b> crashes gnome-panel. Following constructions works fine:

<a>

or 

<b>
<a/>
</b>

Probably a low priority, but gnome-panel shouldn't crash in any case.

Final reproducer:

1. echo "<b><a></b>" > /usr/lib/bonobo/servers/test.server
2. pkill gnome-panel
3. right-click -> Add to panel
4. echo "<b/>" > /usr/lib/bonobo/servers/test.server
5. repeat steps 2. and 3.

Comment 11 Lubos Kocman 2011-08-05 10:18:42 UTC

Correction of step 4

4. echo "<b/><a>" > /usr/lib/bonobo/servers/test.server

Comment 12 Ray Strode [halfline] 2011-08-05 15:28:35 UTC

thanks for doing the investigative work on this.

Comment 15 Ray Strode [halfline] 2012-03-01 19:43:37 UTC

so this is actually a bonobo-activation-server bug which is in a different component, libbonobo. that component isn't on the approved components list, but I assume it shouldn't be a problem to just do a swapsie with gnome-panel since this is the only gnome-panel bug.

Comment 21 errata-xmlrpc 2012-06-20 14:22:47 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0908.html

Note You need to log in before you can comment on or make changes to this bug.