libreport version: 2.0.10
abrt_version: 2.0.10
backtrace_rating: 4
cmdline: scanimage -d hpaio:/net/HP_LaserJet_CM1415fnw?ip=192.168.1.10 -T
crash_function: ipConvert
executable: /usr/bin/scanimage
kernel: 3.5.2-1.fc17.x86_64
pid: 3235
pwd: /home/jlayton
remote_result: NOTFOUND
time: Wed 22 Aug 2012 09:30:38 AM EDT
uid: 4447
username: jlayton

backtrace: Text file, 51741 bytes
dso_list: Text file, 4396 bytes
maps: Text file, 20277 bytes

comment:
:I'm no longer able to use this scanner. I first noticed it with xsane which segfaults whenever I try to use it, but am now able to reproduce a similar segfault with scanimage -T, like so:
:
:    $ scanimage -d 'hpaio:/net/HP_LaserJet_CM1415fnw?ip=192.168.1.10' -T
:
:...opening the bug against sane-backends but I think the real bug is in hplip/libsane-hpaio.

core_backtrace:
:fccd8f7781a764ba7069834f21c49538dc7d0e0e 0xa8eb ipConvert libhpip.so.0 -
:3c2f4c93f0d43fe1f31b4f757f7cdae53c8dd9eb 0xa25b - libsane-hpaio.so.1 -
:3c2f4c93f0d43fe1f31b4f757f7cdae53c8dd9eb 0xc376 soapht_start libsane-hpaio.so.1 -
:90ef8b6de22b2a7ead0aca01f4dfa719d5c9aca2 0x34f5 main [pie] -

var_log_messages:
:Aug 22 09:30:28 tlielax scanimage: bb_soapht.c 294: unknowned element=19732256
:Aug 22 09:30:38 tlielax kernel: [ 5488.284940] scanimage[3235] general protection ip:7fee3c7458eb sp:7fffb20c0c70 error:0 in libhpip.so.0.0.1[7fee3c73b000+25000]
:Aug 22 09:30:38 tlielax abrt[3236]: Saved core dump of pid 3235 (/usr/bin/scanimage) to /var/spool/abrt/ccpp-2012-08-22-09:30:38-3235 (4239360 bytes)
Created attachment 606278 File: backtrace
Created attachment 606279 File: maps
Created attachment 606280 File: dso_list
*** Bug 817922 has been marked as a duplicate of this bug. ***
FWIW, downgrading to libsane-hpaio-3.11.12-2.fc17.x86_64 resolves the problem.
The crash happens here in ip/ipmain.c:791:

    HANDLE_TO_PTR (hJob, g);

This macro is defined in ip/ipdefs.h:

    #define HANDLE_TO_PTR(hJob_macpar, inst_macpar) \
    do { \
        inst_macpar = (void*)hJob_macpar; \
        INSURE (inst_macpar->dwValidChk == CHECK_VALUE); \
    } while (0)

I guess that dereferencing inst_macpar->dwValidChk segfaults, but that's just a hunch.

Changing component to hplip.
The value of hJob=0x2207615113064131 doesn't look like a correct pointer value. It also has exactly the same value in the backtrace in bug #817922.

Anyway, the trace to the crash is:

    scan/sane/soapht.c::soapht_start()
            |
            \/
    scan/sane/soapht.c::get_ip_data(ps)
            |
            \/
    ip/ipmain.c::ipConvert(hJob=ps->ip_handle)
            |
            \/
    ip/ipdefs.h::HANDLE_TO_PTR(hJob, g)

and it's strange that the HANDLE_TO_PTR crashed in ipConvert(), while it was called a few times before in soapht_start() (in ipSetDefaultInputTraits(ps->ip_handle) or ipResultMask(ps->ip_handle)) and I can't find any trace of ps->ip_handle being changed between these calls.
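The two comments above turn on HANDLE_TO_PTR validating a handle by reading through it. As an added illustration (not hplip code and not posted by anyone in this thread), the sketch below checks a handle against a table of instances the library itself issued before touching memory, so a clobbered value like the hJob quoted above is rejected rather than dereferenced. INST's layout, the CHECK_VALUE constant, job_open, job_close and handle_to_ptr_checked are hypothetical stand-ins.

```c
#include <stdint.h>
#include <stdlib.h>

#define CHECK_VALUE 0xACEC0DE5u  /* constructed magic; the real value is not on the page */
#define MAX_JOBS 8

typedef struct { uint32_t dwValidChk; int nClientData; } INST; /* reduced stand-in */
typedef uintptr_t IP_HANDLE;     /* opaque handle: an address, never trusted as-is */

static INST *live_jobs[MAX_JOBS]; /* every instance this library has handed out */

/* Hypothetical stand-in for ipOpen(): allocate, stamp the magic, register. */
IP_HANDLE job_open(void)
{
    for (int i = 0; i < MAX_JOBS; i++) {
        if (live_jobs[i] != NULL)
            continue;
        INST *g = calloc(1, sizeof *g);
        if (g == NULL)
            return 0;
        g->dwValidChk = CHECK_VALUE;
        live_jobs[i] = g;
        return (IP_HANDLE)g;
    }
    return 0; /* table full */
}

/* Membership test first, dereference second. HANDLE_TO_PTR as quoted reads
 * inst->dwValidChk straight away, so a garbage handle faults inside the
 * check itself. Here an unknown value is never read through. */
INST *handle_to_ptr_checked(IP_HANDLE hJob)
{
    if (hJob == 0)
        return NULL;
    for (int i = 0; i < MAX_JOBS; i++) {
        if ((IP_HANDLE)live_jobs[i] != hJob)
            continue;
        return live_jobs[i]->dwValidChk == CHECK_VALUE ? live_jobs[i] : NULL;
    }
    return NULL;
}

/* Unregister before freeing so a stale handle fails the lookup afterwards. */
void job_close(IP_HANDLE hJob)
{
    INST *g = handle_to_ptr_checked(hJob);
    if (g == NULL)
        return;
    for (int i = 0; i < MAX_JOBS; i++)
        if (live_jobs[i] == g)
            live_jobs[i] = NULL;
    g->dwValidChk = 0;
    free(g);
}
```

A lookup like this does not stop other code from overwriting the stored handle; it turns the resulting fault into an error return the caller can report.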
Jeff, could you try running scanimage under valgrind?

1. First, install hplip-debuginfo:

    yum --enablerepo=updates-debuginfo install hplip-debuginfo

2. Then run valgrind:

    valgrind scanimage -d 'hpaio:/net/HP_LaserJet_CM1415fnw?ip=192.168.1.10' -T

When I run it here I see two warnings about http_read() -- but they wouldn't cause what you're seeing so they can be ignored.

What output do you get?
Here's what I get:

$ valgrind scanimage -d 'hpaio:/net/HP_LaserJet_CM1415fnw?ip=192.168.1.10' -T
==7689== Memcheck, a memory error detector
==7689== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
==7689== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
==7689== Command: scanimage -d hpaio:/net/HP_LaserJet_CM1415fnw?ip=192.168.1.10 -T
==7689==
==7689== Conditional jump or move depends on uninitialised value(s)
==7689==    at 0x1211359B: get_tag (xml.c:72)
==7689==    by 0x1210FAB7: parse_scan_elements (bb_soapht.c:230)
==7689==    by 0x12111ED6: get_scanner_elements (bb_soapht.c:682)
==7689==    by 0x1211227E: bb_open (bb_soapht.c:790)
==7689==    by 0x7B8E922: soapht_open (soapht.c:504)
==7689==    by 0x7B86FAA: sane_hpaio_open (hpaio.c:338)
==7689==    by 0x4C44422: sane_dll_open (dll.c:1199)
==7689==    by 0x10A4B0: main (scanimage.c:1998)
==7689==
==7689== Conditional jump or move depends on uninitialised value(s)
==7689==    at 0x121135B3: get_tag (xml.c:74)
==7689==    by 0x1210FAB7: parse_scan_elements (bb_soapht.c:230)
==7689==    by 0x12111ED6: get_scanner_elements (bb_soapht.c:682)
==7689==    by 0x1211227E: bb_open (bb_soapht.c:790)
==7689==    by 0x7B8E922: soapht_open (soapht.c:504)
==7689==    by 0x7B86FAA: sane_hpaio_open (hpaio.c:338)
==7689==    by 0x4C44422: sane_dll_open (dll.c:1199)
==7689==    by 0x10A4B0: main (scanimage.c:1998)
==7689==
==7689== Invalid read of size 4
==7689==    at 0x7DB28EB: ipConvert (ipmain.c:791)
==7689==    by 0x7B8D25A: get_ip_data (soapht.c:188)
==7689==    by 0x7B8F375: soapht_start (soapht.c:1052)
==7689==    by 0x10B4F4: main (scanimage.c:1541)
==7689==  Address 0x2207615113065265 is not stack'd, malloc'd or (recently) free'd
==7689==
==7689==
==7689== Process terminating with default action of signal 11 (SIGSEGV)
==7689==  General Protection Fault
==7689==    at 0x7DB28EB: ipConvert (ipmain.c:791)
==7689==    by 0x7B8D25A: get_ip_data (soapht.c:188)
==7689==    by 0x7B8F375: soapht_start (soapht.c:1052)
==7689==    by 0x10B4F4: main (scanimage.c:1541)
==7689==
==7689== HEAP SUMMARY:
==7689==     in use at exit: 764,785 bytes in 13,953 blocks
==7689==   total heap usage: 31,262 allocs, 17,309 frees, 2,054,057 bytes allocated
==7689==
==7689== LEAK SUMMARY:
==7689==    definitely lost: 4,484 bytes in 2 blocks
==7689==    indirectly lost: 0 bytes in 0 blocks
==7689==      possibly lost: 0 bytes in 0 blocks
==7689==    still reachable: 760,301 bytes in 13,951 blocks
==7689==         suppressed: 0 bytes in 0 blocks
==7689== Rerun with --leak-check=full to see details of leaked memory
==7689==
==7689== For counts of detected and suppressed errors, rerun with: -v
==7689== Use --track-origins=yes to see where uninitialised values come from
==7689== ERROR SUMMARY: 3 errors from 3 contexts (suppressed: 2 from 2)
Segmentation fault (core dumped)
From a naive look at this code, it looks like get_ip_data passed in a bogus (maybe uninitialized?) hJob pointer to ipConvert. That seems to come from ps->ip_handle (where ps is the struct soap_session).

I assume that the soap_session gets allocated in create_session() and should therefore be initialized to 0 there. From there, it looks like that should get set in ipOpen via:

    IP_MEM_ALLOC (sizeof(INST) + nClientData, g);
    *phJob = g;

...while the code is pretty wrapper-heavy and hard to follow, I don't see any obvious bugs. Perhaps something else is scribbling over this value?
(In reply to comment #10)
> Perhaps something else is scribbling over this value?

Seems to. From this code:

    ipResultMask(ps->ip_handle, IP_PARSED_HEADER);
    while (1)
    {
        ret = get_ip_data(ps, NULL, 0, NULL);
        ...
        // nothing touches ps->ip_handle here
    }

it must be something in get_ip_data, because the ipResultMask(ps->ip_handle,...) also calls HANDLE_TO_PTR(hJob, g) and it's OK.

get_ip_data() calls bb_get_image_data(ps) which is a function from a dynamically loaded plugin. I think this could be the source of the ps->ip_handle ravaging.
(In reply to comment #11)
> bb_get_image_data(ps) which is a function from dynamically loaded plugin

If I read the bb_load() in soapht.c correctly, the plugin should be /usr/share/hplip/scan/plugins/bb_soapht.so, which is not provided by any package. It's the proprietary plugin, installed via hp-plugin, so there's nothing we can do here, except reporting it upstream.
Good call -- there must have been some sort of subtle ABI breakage between hplip-3.11 and 3.12. I reran hp-check-plugin and it downloaded a newer version of the binary goop which doesn't cause the segfault. I think we can close this as NOTABUG.

Now if I just had some way to monitor whether their binary junk was out of date without needing some stupid tray icon, I'd be set...

Thanks for the help!
Now that I look, I think the main problem was that I had the 3.11 version of the plugin, which didn't work correctly with the 3.12 open-source parts. I wonder if we should have some sort of check in the postinstall scriptlet that looks for that sort of incompatibility?
Reported upstream: https://bugs.launchpad.net/hplip/+bug/1048691