unity-panel-service crashed with SIGSEGV in window_menu_get_entries()

Bug #1294545 reported by Александр Найдёнов
This bug affects 1 person
Affects: indicator-appmenu (Ubuntu)
Status: Fix Released
Importance: Medium
Assigned to: Unassigned
Milestone: (none)

Bug Description

Crash occurred immediately after the unlock screen.

ProblemType: Crash
DistroRelease: Ubuntu 14.04
Package: indicator-appmenu 13.01.0+14.04.20140318-0ubuntu1
ProcVersionSignature: Ubuntu 3.13.0-18.38-generic 3.13.6
Uname: Linux 3.13.0-18-generic i686
NonfreeKernelModules: nvidia
ApportVersion: 2.13.3-0ubuntu1
Architecture: i386
CurrentDesktop: Unity
Date: Wed Mar 19 12:49:30 2014
ExecutablePath: /usr/lib/unity/unity-panel-service
InstallationDate: Installed on 2014-02-04 (42 days ago)
InstallationMedia: Ubuntu 14.04 LTS "Trusty Tahr" - Alpha i386 (20140203)
ProcCmdline: /usr/lib/unity/unity-panel-service
SegvAnalysis:
 Segfault happened at: 0xb57208f9 <window_menu_get_entries+9>: mov 0x44(%eax),%eax
 PC (0xb57208f9) ok
 source "0x44(%eax)" (0x00000044) not located in a known VMA region (needed readable region)!
 destination "%eax" ok
SegvReason: reading NULL VMA
Signal: 11
SourcePackage: indicator-appmenu
StacktraceTop:
 window_menu_get_entries () from /usr/lib/indicators3/7/libappmenu.so
 ?? () from /usr/lib/indicators3/7/libappmenu.so
 ?? () from /usr/lib/i386-linux-gnu/libindicator3.so.7
 indicator_object_set_visible () from /usr/lib/i386-linux-gnu/libindicator3.so.7
 ?? () from /usr/lib/indicators3/7/libappmenu.so
Title: unity-panel-service crashed with SIGSEGV in window_menu_get_entries()
UpgradeStatus: No upgrade log present (probably fresh install)
UserGroups: adm cdrom dip lpadmin plugdev sambashare sudo

Александр Найдёнов (alexn83) wrote :
Apport retracing service (apport) wrote :

StacktraceTop:
 window_menu_get_entries (wm=0x943b668) at window-menu.c:141
 get_entries (io=0x938f848) at indicator-appmenu.c:682
 get_all_entries (io=io@entry=0x938f848) at ../../../libindicator/indicator-object.c:554
 indicator_object_set_visible (io=0x938f848, visible=visible@entry=1) at ../../../libindicator/indicator-object.c:881
 switch_default_app (iapp=0x938f848, newdef=0x943b668, active_window=0x9af5240) at indicator-appmenu.c:974

Apport retracing service (apport) wrote : Stacktrace.txt
Apport retracing service (apport) wrote : StacktraceSource.txt
Apport retracing service (apport) wrote : ThreadStacktrace.txt
Changed in indicator-appmenu (Ubuntu):
importance: Undecided → Medium
tags: removed: need-i386-retrace
information type: Private → Public
Charles Kerr (charlesk) wrote :

> #0 0xb57208f9 in window_menu_get_entries (wm=0x943b668) at window-menu.c:141
> class = 0x0

> window_menu_get_entries (WindowMenu * wm)
> {
> WindowMenuClass * class = WINDOW_MENU_GET_CLASS(wm);
>
> if (class->get_entries != NULL) {

So at a basic level, we could prevent this crash by adding input-sanitize safeguards (e.g., g_return_val_if_fail (IS_WINDOW_MENU(wm))) to WindowMenu's public-facing functions.

I'd like to know where this bad WindowMenu pointer is coming from though...

Charles Kerr (charlesk) wrote :

IndicatorAppmenu.desktop_menu is the bad pointer being passed in. It's a weak reference -- the ref is owned by the IndicatorAppmenu.apps hashtable.

The user's log shows a lot of bamf errors and 0 window ids being thrown around. It looks like we could harden indicator-appmenu.c's menu unregister code: the current logic discards the windowid passed into register_window and instead returns the one for wm->get_xid(). Also, the wm is unrefed even if menus_destroyed() hit a g_return_if_fail(). These work fine when things are sane, but we should fail more gracefully when we're getting lots of "Failed to fetch xid" messages in the log too.

Charles Kerr (charlesk)
Changed in indicator-appmenu (Ubuntu):
status: New → Triaged
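
The two hardening ideas from the comments above (validate the instance before reading through its class pointer, and do not leave a non-owning pointer behind when the owner releases the object), as an added example that is not indicator-appmenu's code and not the released fix. It models the GObject types with plain structs so it builds without GLib; `window_menu_get_entries_checked`, `indicator_drop_menu`, `window_menu_new`, `type_tag` and the `Indicator` struct are hypothetical names, and returning NULL on a failed check is an assumption.

```c
#include <stddef.h>
#include <stdlib.h>

/* Simplified stand-ins for the GObject types named in the report (assumption:
 * the real WindowMenu/WindowMenuClass carry more fields than shown here). */
typedef struct WindowMenu WindowMenu;
typedef struct {
    unsigned type_tag;                        /* models the IS_WINDOW_MENU() type check */
    const char **(*get_entries)(WindowMenu *);
} WindowMenuClass;
struct WindowMenu { WindowMenuClass *klass; };

#define WINDOW_MENU_TAG 0x574d454eu           /* constructed value */
#define IS_WINDOW_MENU(wm) ((wm) != NULL && (wm)->klass != NULL && \
                            (wm)->klass->type_tag == WINDOW_MENU_TAG)

static const char *demo_entries[] = { "File", "Edit", NULL };   /* constructed */
static const char **demo_get_entries(WindowMenu *wm) { (void)wm; return demo_entries; }
static WindowMenuClass demo_class = { WINDOW_MENU_TAG, demo_get_entries };

/* Guarded accessor: validate the instance before touching class->get_entries,
 * the read that faulted at window-menu.c:141 with class = 0x0. */
const char **window_menu_get_entries_checked(WindowMenu *wm)
{
    if (!IS_WINDOW_MENU(wm))
        return NULL;                          /* NULL wm or NULL/foreign class */
    if (wm->klass->get_entries == NULL)
        return NULL;
    return wm->klass->get_entries(wm);
}

/* Owner/weak-reference model: `owned` stands for the ref held by the apps
 * hashtable, `desktop_menu` for the non-owning pointer in IndicatorAppmenu. */
typedef struct { WindowMenu *owned; WindowMenu *desktop_menu; } Indicator;

void indicator_drop_menu(Indicator *ia)
{
    if (ia->desktop_menu == ia->owned)
        ia->desktop_menu = NULL;              /* clear the weak pointer first */
    free(ia->owned);
    ia->owned = NULL;
}

WindowMenu *window_menu_new(void)
{
    WindowMenu *wm = malloc(sizeof *wm);
    if (wm) wm->klass = &demo_class;
    return wm;
}
```

In GLib code the same two ideas are normally written with `g_return_val_if_fail()` in the public function and `g_object_add_weak_pointer()` on the non-owning field.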
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package indicator-appmenu - 13.01.0+14.04.20140320-0ubuntu1

---------------
indicator-appmenu (13.01.0+14.04.20140320-0ubuntu1) trusty; urgency=low

  [ Charles Kerr ]
  * Don't dereference a NULL WindowMenu pointer. (LP: #1294545)
 -- Ubuntu daily release <email address hidden> Thu, 20 Mar 2014 09:03:45 +0000

Changed in indicator-appmenu (Ubuntu):
status: Triaged → Fix Released