Bug 802903 - [abrt] gnome-shell-3.2.2.1-1.fc16: __GI___libc_malloc: Process /usr/bin/gnome-shell was killed by signal 6 (SIGABRT)
[abrt] gnome-shell-3.2.2.1-1.fc16: __GI___libc_malloc: Process /usr/bin/gnome...
Status: CLOSED WONTFIX
Product: Fedora
Classification: Fedora
Component: gnome-shell (Show other bugs)
16
x86_64 Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Owen Taylor
Fedora Extras Quality Assurance
abrt_hash:485fb63cf66f81ecaf7b0a3cb59...
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2012-03-13 13:36 EDT by Dave Jeffery
Modified: 2013-02-13 15:26 EST (History)
6 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-02-13 15:26:20 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
File: dso_list (20.44 KB, text/plain)
2012-03-13 13:36 EDT, Dave Jeffery
no flags Details
File: var_log_messages (14.97 KB, text/plain)
2012-03-13 13:36 EDT, Dave Jeffery
no flags Details
File: maps (79.39 KB, text/plain)
2012-03-13 13:36 EDT, Dave Jeffery
no flags Details
File: backtrace (42.20 KB, text/plain)
2012-03-13 13:36 EDT, Dave Jeffery
no flags Details
3 Valgrind logs for Gnome Shell running under AMD/Catalyst (9.27 KB, text/x-log)
2012-03-14 11:56 EDT, Dave Jeffery
no flags Details
Valgrind log for Gnome Shell crash on AMD/Catalyst driver (22.62 KB, text/x-log)
2012-03-14 12:18 EDT, Dave Jeffery
no flags Details
.xsession-errors BEFORE a crash happens (1.54 KB, text/plain)
2012-03-16 00:53 EDT, Dave Jeffery
no flags Details
.xsession-errors AFTER a crash happens (3.42 KB, text/plain)
2012-03-16 00:54 EDT, Dave Jeffery
no flags Details
GNOME Shell Valgrind Crash log (208.46 KB, text/plain)
2012-03-18 07:36 EDT, Dave Jeffery
no flags Details


External Trackers
Tracker ID Priority Status Summary Last Updated
GNOME Desktop 643606 None None None Never
GNOME Desktop 672374 None None None Never

  None (edit)
Description Dave Jeffery 2012-03-13 13:36:34 EDT
libreport version: 2.0.8
abrt_version:   2.0.7
backtrace_rating: 4
cmdline:        /usr/bin/gnome-shell
comment:        Added line requested in comment 242
crash_function: __GI___libc_malloc
executable:     /usr/bin/gnome-shell
kernel:         3.2.7-1.fc16.x86_64
pid:            1800
pwd:            /home/kecskebak
reason:         Process /usr/bin/gnome-shell was killed by signal 6 (SIGABRT)
time:           Tue 13 Mar 2012 06:27:18 PM CET
uid:            1000
username:       kecskebak

backtrace:      Text file, 43209 bytes
dso_list:       Text file, 20926 bytes
maps:           Text file, 81292 bytes
var_log_messages: Text file, 15328 bytes

environ:
:XDG_VTNR=1
:XDG_SESSION_ID=2
:HOSTNAME=kecskebak.desktop
:IMSETTINGS_INTEGRATE_DESKTOP=yes
:SHELL=/bin/bash
:TERM=dumb
:HISTSIZE=1000
:XDG_SESSION_COOKIE=86b792c4e4e55cb2af4e704c0000000b-1331659459.6840-2096302758
:GNOME_KEYRING_CONTROL=/tmp/keyring-ps9Tm8
:IMSETTINGS_MODULE=none
:USER=kecskebak
:G_SLICE=always-malloc
:USERNAME=kecskebak
:MAIL=/var/spool/mail/kecskebak
:PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin:/home/kecskebak/.local/bin:/home/kecskebak/bin
:DESKTOP_SESSION=gnome
:QT_IM_MODULE=xim
:PWD=/home/kecskebak
:XMODIFIERS=@im=none
:KDE_IS_PRELINKED=1
:GNOME_KEYRING_PID=1528
:LANG=en_US.UTF-8
:KDEDIRS=/usr
:GDMSESSION=gnome
:HISTCONTROL=ignoredups
:HOME=/home/kecskebak
:XDG_SEAT=seat0
:SHLVL=1
:LOGNAME=kecskebak
:DBUS_SESSION_BUS_ADDRESS=unix:abstract=/tmp/dbus-mKMdhwnJcO,guid=d4dc3e1c3a8a40952968d5fa00000024
:'LESSOPEN=||/usr/bin/lesspipe.sh %s'
:WINDOWPATH=1
:XDG_RUNTIME_DIR=/run/user/kecskebak
:DISPLAY=:0
:XAUTHORITY=/var/run/gdm/auth-for-kecskebak-93InKE/database
:_=/usr/bin/gnome-session
:GNOME_DESKTOP_SESSION_ID=this-is-deprecated
:SESSION_MANAGER=local/unix:@/tmp/.ICE-unix/1539,unix/unix:/tmp/.ICE-unix/1539
:GPG_AGENT_INFO=/tmp/keyring-ps9Tm8/gpg:0:1
:SSH_AUTH_SOCK=/tmp/keyring-ps9Tm8/ssh
:DESKTOP_AUTOSTART_ID=101c4dc47cf4c2adf3133165945997630500000015390000

smolt_data:
:
:
:General
:=================================
:UUID: e2fdeb75-b66e-4c27-9213-15fda906d35f
:OS: Fedora release 16 (Verne)
:Default run level: Unknown
:Language: en_US.UTF-8
:Platform: x86_64
:BogoMIPS: 4990.93
:CPU Vendor: AuthenticAMD
:CPU Model: AMD A8-3820 APU with Radeon(tm) HD Graphics
:CPU Stepping: 0
:CPU Family: 18
:CPU Model Num: 1
:Number of CPUs: 4
:CPU Speed: 2500
:System Memory: 3444
:System Swap: 5503
:Vendor: MEDION
:System: MS-7748 1.0
:Form factor: Desktop
:Kernel: 3.2.7-1.fc16.x86_64
:SELinux Enabled: 1
:SELinux Policy: targeted
:SELinux Enforce: Enforcing
:MythTV Remote: Unknown
:MythTV Role: Unknown
:MythTV Theme: Unknown
:MythTV Plugin: 
:MythTV Tuner: -1
:
:
:Devices
:=================================
:(4130:5899:4130:4660) pci, pcieport, PCI/PCI, Family 12h Processor Root Port
:(4130:30721:5218:30536) pci, ahci, STORAGE, Hudson SATA Controller [AHCI mode]
:(4130:5900:4130:4660) pci, pcieport, PCI/PCI, Family 12h Processor Root Port
:(4130:30738:5218:30536) pci, xhci_hcd, USB, Hudson USB XHCI Controller
:(4130:30738:5218:30536) pci, xhci_hcd, USB, Hudson USB XHCI Controller
:(4130:5893:4130:5893) pci, None, HOST/PCI, Family 12h Processor Root Complex
:(4098:5908:5218:30536) pci, snd_hda_intel, MULTIMEDIA, N/A
:(4098:38464:5218:30536) pci, fglrx_pci, VIDEO, N/A
:(4332:33128:5218:30536) pci, r8169, ETHERNET, RTL8111/8168B PCI Express Gigabit Ethernet controller
:(4130:5912:0:0) pci, None, HOST/PCI, Family 12h/14h Processor Function 6
:(4130:5892:0:0) pci, None, HOST/PCI, Family 12h/14h Processor Function 4
:(4130:5913:0:0) pci, None, HOST/PCI, Family 12h/14h Processor Function 7
:(4130:5910:0:0) pci, None, HOST/PCI, Family 12h/14h Processor Function 5
:(4130:5889:0:0) pci, None, HOST/PCI, Family 12h/14h Processor Function 1
:(4130:5888:0:0) pci, None, HOST/PCI, Family 12h/14h Processor Function 0
:(4130:5891:0:0) pci, k10temp, HOST/PCI, Family 12h/14h Processor Function 3
:(4130:5890:0:0) pci, None, HOST/PCI, Family 12h/14h Processor Function 2
:(4130:5895:4130:4660) pci, pcieport, PCI/PCI, Family 12h Processor Root Port
:(4130:30731:5218:30536) pci, piix4_smbus, SERIAL, Hudson SMBus Controller
:(4130:30734:5218:30536) pci, None, PCI/ISA, Hudson LPC Bridge
:(4130:30733:5218:30536) pci, snd_hda_intel, MULTIMEDIA, Hudson Azalia Controller
:(4130:30729:5218:30536) pci, ohci_hcd, USB, Hudson USB OHCI Controller
:(4130:30735:0:0) pci, None, PCI/PCI, Hudson PCI Bridge
:(4130:30728:5218:30536) pci, ehci_hcd, USB, Hudson USB EHCI Controller
:(4130:30727:5218:30536) pci, ohci_hcd, USB, Hudson USB OHCI Controller
:(4130:30728:5218:30536) pci, ehci_hcd, USB, Hudson USB EHCI Controller
:(4130:30727:5218:30536) pci, ohci_hcd, USB, Hudson USB OHCI Controller
:(4130:5897:4130:4660) pci, pcieport, PCI/PCI, Family 12h Processor Root Port
:
:
:Filesystem Information
:=================================
:device mtpt type bsize frsize blocks bfree bavail file ffree favail
:-------------------------------------------------------------------
:/dev/mapper/vg_kecskebak-lv_root / ext4 4096 4096 13092026 11502571 11371549 3276800 3122399 3122399
:/dev/sda2 /boot ext4 1024 1024 508745 362885 337285 128016 127769 127769
:/dev/mapper/vg_kecskebak-lv_home /home ext4 4096 4096 229309656 224568991 213091999 57384960 57363910 57363910
:

xsession_errors:
:(gnome-shell:1800): folks-DEBUG: individual-aggregator.vala:305: Setting primary store IDs to defaults.
:(gnome-shell:1800): folks-DEBUG: individual-aggregator.vala:333: Primary store IDs are 'eds' and 'system'.
:(gnome-shell:1800): folks-WARNING **: Error preparing persona store 'eds:1303306881.3070.1@kecskebak.desktop': Couldn't open address book ‘1303306881.3070.1@kecskebak.desktop’: Cannot open book: Cannot process, book backend is opening
:(gnome-shell:1800): folks-WARNING **: Failed to find primary PersonaStore with type ID 'eds' and ID '1303306881.3070.1@kecskebak.desktop'.
:(gnome-shell:1800): Clutter-WARNING **: Unable to compile the GLSL shader: Fragment shader failed to compile with the following errors:
:*** glibc detected *** /usr/bin/gnome-shell: malloc(): smallbin double linked list corrupted: 0x0000000004ddbf20 ***
:/usr/lib64/gnome-shell/libgnome-shell.so[0x334d02af0c]
:/usr/bin/gnome-shell(main+0x4f1)[0x4029e1]
:/usr/bin/gnome-shell[0x402b09]
:00400000-00405000 r-xp 00000000 fd:01 160008                             /usr/bin/gnome-shell
:00604000-00605000 r--p 00004000 fd:01 160008                             /usr/bin/gnome-shell
:00605000-0060d000 rw-p 00005000 fd:01 160008                             /usr/bin/gnome-shell
:334d000000-334d09c000 r-xp 00000000 fd:01 7156                           /usr/lib64/gnome-shell/libgnome-shell.so
:334d09c000-334d29b000 ---p 0009c000 fd:01 7156                           /usr/lib64/gnome-shell/libgnome-shell.so
:334d29b000-334d29d000 r--p 0009b000 fd:01 7156                           /usr/lib64/gnome-shell/libgnome-shell.so
:334d29d000-334d2a1000 rw-p 0009d000 fd:01 7156                           /usr/lib64/gnome-shell/libgnome-shell.so
:7fd5e73db000-7fd5e73de000 r--p 00000000 fd:01 33785                      /usr/lib64/gnome-shell/Gvc-1.0.typelib
:7fd5f8064000-7fd5f806e000 r--p 00000000 fd:01 33787                      /usr/lib64/gnome-shell/St-1.0.typelib
:7fd5f809e000-7fd5f80a7000 r--p 00000000 fd:01 33786                      /usr/lib64/gnome-shell/Shell-0.1.typelib
:gnome-shell-calendar-server[1906]: Got HUP on stdin - exiting
:gnome-session[1539]: WARNING: Application 'gnome-shell.desktop' killed by signal
:(gnome-shell:3068): folks-DEBUG: individual-aggregator.vala:305: Setting primary store IDs to defaults.
:(gnome-shell:3068): folks-DEBUG: individual-aggregator.vala:333: Primary store IDs are 'eds' and 'system'.
Comment 1 Dave Jeffery 2012-03-13 13:36:40 EDT
Created attachment 569738 [details]
File: dso_list
Comment 2 Dave Jeffery 2012-03-13 13:36:43 EDT
Created attachment 569739 [details]
File: var_log_messages
Comment 3 Dave Jeffery 2012-03-13 13:36:46 EDT
Created attachment 569740 [details]
File: maps
Comment 4 Dave Jeffery 2012-03-13 13:36:48 EDT
Created attachment 569741 [details]
File: backtrace
Comment 5 Milan Bouchet-Valat 2012-03-14 09:36:22 EDT
Hey, thanks for getting this trace using G_SLICE=malloc. Would you be kind enough to get another one? We'd need you to run the Shell like this:
G_SLICE=malloc MALLOC_CHECK_2 gnome-shell --replace
or even better
G_SLICE=malloc G_DEBUG=gc-friendly valgrind --tool=memcheck gnome-shell --replace
(for the latter, you'll need to install Valgrind)

Thanks!
Comment 6 Milan Bouchet-Valat 2012-03-14 09:40:09 EDT
Hm, as I said in the other bug, the commands are rather:
G_SLICE=always-malloc MALLOC_CHECK_2 gnome-shell --replace
or
G_SLICE=always-malloc G_DEBUG=gc-friendly valgrind --tool=memcheck gnome-shell --replace
Comment 7 Dave Jeffery 2012-03-14 10:14:58 EDT
Just tried to send a backtrace using Valgrind but ABRT said reporting disabled as backtrace unusable.

Will try again later.
Comment 8 Milan Bouchet-Valat 2012-03-14 10:39:11 EDT
AFAIK, abrt shouldn't be triggered at all if you run gnome-shell in Valgrind. Even if it does, the Valgrind output is what we're interested in (not the ABRT backtrace). Can you attach it?
Comment 9 Dave Jeffery 2012-03-14 11:56:29 EDT
Created attachment 570021 [details]
3 Valgrind logs for Gnome Shell running under AMD/Catalyst

It's very difficult to get Gnome Shell to crash when running under Valgrind as the sheer volume of errors means it stops every 15 seconds or so.

Am I doing something wrong?
Comment 10 Dave Jeffery 2012-03-14 12:18:38 EDT
Created attachment 570027 [details]
Valgrind log for Gnome Shell crash on AMD/Catalyst driver

Yes! Finally managed to get a Valgrind crash log for Gnome Shell crashing in this manner.

I hope it helps! Dave
Comment 11 Milan Bouchet-Valat 2012-03-14 13:53:20 EDT
Thanks! This is full of memory errors coming from fglrx, which means it's probably AMD's fault here. ;-) This will help convince them they need to fix something.
Comment 12 Milan Bouchet-Valat 2012-03-14 13:54:56 EDT
(For reference, the master bug is probably: https://bugzilla.redhat.com/show_bug.cgi?id=702257)
Comment 13 Ray Strode [halfline] 2012-03-15 12:51:21 EDT
Those errors aren't necessarily harmful, you can imagine a graphics driver copying to memory that wasn't allocated, since it could be mapped graphics card memory.

That log shows the message:

org.gnome.Shell already exists on bus and --replace not specified

which means it didn't crash, it just didn't start since gnome-shell was already running.
Comment 14 Dave Jeffery 2012-03-15 12:56:41 EDT
If either Ray or Milan want to tell me how to output something that's more useful then if you can explain what I need to do I'll be happy to help.
Comment 15 Ray Strode [halfline] 2012-03-15 13:15:21 EDT
Well Milan's idea is pretty good.

1) sudo debuginfo-install gnome-shell
2) bring up a terminal
3) (as your user) run:
env G_SLICE=always-malloc G_DEBUG=gc-friendly valgrind --log-file=/tmp/shell.log --tool=memcheck gnome-shell --replace

Note the --replace at the end.

4) at this point things will be very slow. If you can make it crash under this very unpleasant set of circumstances then it would help track down the problem.  Unfortunately, it may be unusable.

I'd also like to know if ~/.xsession-errors has those libfolks warnings only under crash circumstances or all the time, or just that one time.
Comment 16 Ray Strode [halfline] 2012-03-15 13:37:00 EDT
Dave, what version of evolutiond-data-server are you running?
Comment 17 Milan Bouchet-Valat 2012-03-15 13:40:39 EDT
(In reply to comment #13)
> Those errors aren't necessarily harmful, you can imagine a graphics driver
> copying to memory that wasn't allocated, since it could be mapped graphics card
> memory.
Ah, didn't know that.

> That log shows the message:
> 
> org.gnome.Shell already exists on bus and --replace not specified
> 
> which means it didn't crash, it just didn't start since gnome-shell was already
> running.
Yeah, I saw that too, but I thought it was from the instance that automatically started in that terminal after Ctrl+C was hit. But indeed, gnome-shell does not restart in the same terminal in that case AFAIK.

Anyway, a trace of the crash would be good.
Comment 18 Dave Jeffery 2012-03-15 13:46:45 EDT
I'm running:

evolution-data-server-3.2.3-2.fc16 (64-bit)

In the morning I'll follow the instructions in Comment 15. I'll try and see when the libfolks warnings occur tomorrow as well.
Comment 19 Dave Jeffery 2012-03-16 00:53:21 EDT
Created attachment 570487 [details]
.xsession-errors BEFORE a crash happens

.xsession-errors BEFORE a crash happens
Comment 20 Dave Jeffery 2012-03-16 00:54:11 EDT
Created attachment 570488 [details]
.xsession-errors AFTER a crash happens

.xsession-errors AFTER a crash happens
Comment 21 Ray Strode [halfline] 2012-03-16 13:02:52 EDT
so one thing that's interesting is this message:

(gnome-shell:2467): Clutter-WARNING **: Unable to compile the GLSL shader: Fragment shader failed to compile with the following errors:
ERROR: 1:1: error(#105) #version must occur before any other statement in the program
ERROR: error(#273) 1 compilation errors.  No code generated

That's most likely coming from this line src/st/st-scroll-view-fade.c: st_scroll_view_fade_init(), where it does:

      if (clutter_feature_available (CLUTTER_FEATURE_SHADERS_GLSL))•
        {•
          shader = cogl_create_shader (COGL_SHADER_TYPE_FRAGMENT);•
          cogl_shader_source (shader, fade_glsl_shader);•
          cogl_shader_compile (shader);•
          if (!cogl_shader_is_compiled (shader))•
            {•
              gchar *log_buf = cogl_shader_get_info_log (shader);•
•
              g_warning (G_STRLOC ": Unable to compile the fade shader: %s",•
                         log_buf);•
              g_free (log_buf);•
•
              cogl_handle_unref (shader);•
              shader = COGL_INVALID_HANDLE;•
          }•
        }•

fade_glsl_shader starts like this:

static const gchar *fade_glsl_shader =•
"uniform sampler2D tex;\n"•
"uniform float height;\n"•
"uniform float width;\n"•

So it doesn't have #version at the start.  According to the spec it doesn't need it:

Version 1.10 of the language does not require shaders to include this directive, and shaders that
do not include a #version directive will be treated as targeting version 1.10.
Shaders that specify
#version 100 will be treated as targeting version 1.00 of the OpenGL ES Shading Language, but might be worth trying to add it.

It could be the warning is unrelated to the problem, or it could be the error path caused by this warning is what's causing the heap corruption.  Either way, fixing the warning isn't sufficient to fix the bug, but it's worth persuing nonetheless, I think.
Comment 22 Ray Strode [halfline] 2012-03-16 15:19:53 EDT
So one other thing you could try, Dave, if you don't mind...

as root, open up 

1) cp /usr/share/gnome-shell/theme/gnome-shell.css /usr/share/gnome-shell/theme/gnome-shell.css.original
2) sed -i -e 's/fade-offset: .*;/fade-offset: 0px;/' gnome-shell.css

then restart the shell and see if the Clutter-WARNING goes away and see if the crashes stop.
Comment 23 Dave Jeffery 2012-03-18 07:36:41 EDT
Created attachment 570882 [details]
GNOME Shell Valgrind Crash log

This is the log I received when I was running GNOME Shell under Valgrind as requested - when it crashed, I was thrown out of my desktop and, via a terminal-style screen, back to GDM.
Comment 24 Milan Bouchet-Valat 2012-03-18 07:44:39 EDT
(In reply to comment #23)
> This is the log I received when I was running GNOME Shell under Valgrind as
> requested - when it crashed, I was thrown out of my desktop and, via a
> terminal-style screen, back to GDM.
And you weren't able to get the end of the log? Looks truncated to me. I guess you did not start gnome-shell from a virtual console, but from gnome-terminal? The problem with this is that gnome-terminal got killed too (not sure why...).
Comment 25 Dave Jeffery 2012-03-18 07:52:13 EDT
Ah, sorry I didn't know about Virtual Terminals. I've just Googled them - Ctrl+Alt+F2? I'll try again now.
Comment 26 Ray Strode [halfline] 2012-03-18 23:59:12 EDT
So i don't know if this is the cause of the problem, but there is a real bug spotted by your log:

==6045== Conditional jump or move depends on uninitialised value(s)
==6045==    at 0x334C43FE6A: meta_window_actor_update_bounding_region_and_borders (meta-window-actor.c:1650)
==6045==    by 0x334C440B13: meta_window_actor_pre_paint (meta-window-actor.c:1916)
==6045==    by 0x334C436217: meta_repaint_func (compositor.c:1192)
==6045==    by 0x3184E7A314: _clutter_run_repaint_functions (clutter-main.c:2978)
==6045==    by 0x3184E7AC6C: clutter_clock_dispatch (clutter-master-clock.c:367)
==6045==    by 0x3169444ACC: g_main_context_dispatch (gmain.c:2441)
==6045==    by 0x31694452C7: g_main_context_iterate (gmain.c:3089)
==6045==    by 0x3169445814: g_main_loop_run (gmain.c:3297)
==6045==    by 0x334C456AB0: meta_run (main.c:555)
==6045==    by 0x4029E0: main (main.c:571)


Looking at the code for meta_window_actor_update_bounding_region_and_borders I see it does:

  MetaFrameBorders borders;•

  if (window->priv->frame != NULL)•
      meta_frame_calc_borders (frame, &borders);•

  /* some code here that uses borders */

  priv->last_borders = borders;•

The probem is if window->priv->frame == NULL then borders will contain bogus, uninitialized values.  I'm not sure how that would cause heap corruption, though.  It seems like it would just cause drawing artifacts /"screen dirt".

Do you have any windows you use regularly that don't have title bars?
Comment 27 Dave Jeffery 2012-03-19 00:14:15 EDT
The only instance of graphical corruption I get is in Totem. If I make a window full screen and then make the window normal size again you get some random pixels on the left hand and bottom edge of the totem window.

Before I get the crash all the title bars disappear from all my windows for about a second.

I've since realised the crash logs I got yesterday were for a different bug - video crashing in Subtitle Editor rather than the bug I was looking for. That's why the crash logs are truncated.

I tried for nearly two hours yesterday to get a good crash log when running through valgrind with no success - the bug just doesn't seem to happen when the desktop is running that slowly. Perhaps something is happening too soon - before something else has finished - and that's what's causing this crash.

I'll try again to get a good crash log for you - I'm sorry I'm making such a mess of it!
Comment 28 Ray Strode [halfline] 2012-03-19 00:31:23 EDT
Thanks for doing so much of the troubleshooting! There's this in your log, too:

==6045== Invalid read of size 8
==6045==    at 0x334C466190: meta_later_remove (util.c:914)
==6045==    by 0x334C466316: call_idle_later (util.c:834)
==6045==    by 0x3169444ACC: g_main_context_dispatch (gmain.c:2441)
==6045==    by 0x31694452C7: g_main_context_iterate (gmain.c:3089)
==6045==    by 0x3169445814: g_main_loop_run (gmain.c:3297)
==6045==    by 0x334C456AB0: meta_run (main.c:555)
==6045==    by 0x4029E0: main (main.c:571)
==6045==  Address 0x284d3d08 is 8 bytes inside a block of size 16 free'd
==6045==    at 0x4A0662E: free (vg_replace_malloc.c:366)
==6045==    by 0x316944B7E2: g_free (gmem.c:263)
==6045==    by 0x31694606BE: g_slice_free1 (gslice.c:907)
==6045==    by 0x3169461399: g_slist_delete_link (gslist.c:583)
==6045==    by 0x334C466148: meta_later_remove (util.c:919)
==6045==    by 0x334C466316: call_idle_later (util.c:834)
==6045==    by 0x3169444ACC: g_main_context_dispatch (gmain.c:2441)
==6045==    by 0x31694452C7: g_main_context_iterate (gmain.c:3089)
==6045==    by 0x3169445814: g_main_loop_run (gmain.c:3297)
==6045==    by 0x334C456AB0: meta_run (main.c:555)
==6045==    by 0x4029E0: main (main.c:571)

That invalid read is bad, it's this code here:

void•
meta_later_remove (guint later_id)•
{•
  GSList *l;•
•
  for (l = laters; l; l = l->next)•
    {•
      MetaLater *later = l->data;•
      if (later->id == later_id)•
        {•
          laters = g_slist_delete_link (laters, l);•
          /* If this was a "repaint func" later, we just let the•
           * repaint func run and get removed•
           */•
          destroy_later (later);•
        }•
    }•
}•

Somehow the laters list is getting destroyed and then later iterated through. That could be caused by or the cause of heap corruption (or both).  I'll poke and see if I see anything in the surrounding code.

I'm still curious about the answer to comment 22.
Comment 29 Ray Strode [halfline] 2012-03-19 00:43:27 EDT
oh that code snippet from comment 28 has an obvious problem in it.

g_slist_delete_link invalidates l and then l = l->next is immediately run.  This could cause all sorts of weird behavior.
Comment 30 Ray Strode [halfline] 2012-03-19 00:52:53 EDT
mind giving the test packages here a try (without valgrind to maximize the probability the bug will happen) and tell me if the bug goes away?

http://koji.fedoraproject.org/koji/taskinfo?taskID=3908111
Comment 31 Dave Jeffery 2012-03-19 01:00:12 EDT
I've just installed them - I'll reboot and see how I get on today!
Comment 32 Dave Jeffery 2012-03-19 01:08:30 EDT
Crashed almost immediately.

The backtrace is at:

https://bugzilla.redhat.com/show_bug.cgi?id=702257
Comment 33 Ray Strode [halfline] 2012-03-19 02:22:46 EDT
alright thanks.
Comment 34 Dave Jeffery 2012-03-19 02:39:47 EDT
I'm trying the suggestion in Comment 22 now - I'll let you know how I get on.
Comment 35 Dave Jeffery 2012-03-19 03:43:11 EDT
Over an hour without a single crash. Look like the CSS was the problem!
Comment 36 Dave Jeffery 2012-03-19 05:11:00 EDT
My desktop is much, much more stable since I made the change to the CSS file suggested in Comment 22. However I did get one crash, and that's logged in the original report along with the Backtrace.
Comment 37 Dave Jeffery 2012-03-19 10:40:11 EDT
After several hours use:

A single crash in several hours of use since making that CSS change. Normally I would have got between four and six crashes an hour.

Plus something odd I've noticed in addition: a game my friend wrote in Pygame is actually playable now - it was very unresponsive and slow before.

Many thanks for your help - it's so nice I don't have ABRT popping up all the time!
Comment 38 Ray Strode [halfline] 2012-03-19 11:44:48 EDT
and just to be sure, if you look at the file, the changes weren't reverted by an unintentional update?
Comment 39 Dave Jeffery 2012-03-19 11:50:09 EDT
No, it still says:

StScrollView.vfade
{
  -st-vfade-offset: 0px;
}

It was 68px before.
Comment 40 Ray Strode [halfline] 2012-03-19 16:07:17 EDT
well, I think there are two spots in the css. one that normally says 68px and one that normally says 24px.  The 24px one says 0px as well, yea?
Comment 41 Fedora End Of Life 2013-01-16 11:35:16 EST
This message is a reminder that Fedora 16 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 16. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '16'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 16's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 16 is end of life. If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora, you are encouraged to click on 
"Clone This Bug" and open it against that version of Fedora.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 42 Fedora End Of Life 2013-02-13 15:26:24 EST
Fedora 16 changed to end-of-life (EOL) status on 2013-02-12. Fedora 16 is 
no longer maintained, which means that it will not receive any further 
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of 
Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.

Note You need to log in before you can comment on or make changes to this bug.