Bug 126397

Summary: crash resulting in forkbomb
Product: [Applications] amarok Reporter: Dima Ryazanov <dima>
Component: generalAssignee: Amarok Bugs <amarok-bugs-null>
Status: RESOLVED FIXED    
Severity: crash    
Priority: NOR    
Version First Reported In: 1.4-beta3   
Target Milestone: ---   
Platform: Gentoo Packages   
OS: Linux   
Latest Commit: Version Fixed/Implemented In:
Sentry Crash Report:

Description Dima Ryazanov 2006-04-28 10:02:34 UTC 
Version:           1.4-beta3 (using KDE KDE 3.5.2)
Installed from:    Gentoo Packages
Compiler:          gcc version 4.0.3 (Gentoo 4.0.3, pie-8.7.8) 
OS:                Linux

I tried to pause Amarok because it started making weird noise (corrupted MP3 file, apparently). Instead, it forked about 4000 instances. (Resulting in kernel crashing because it was out of memory, X freezing, etc.)

I was using the Helix engine.

Here are some backtraces:

"Original" instances (started with "-session" argument):

0xffffe410 in __kernel_vsyscall ()
#0  0xffffe410 in __kernel_vsyscall ()
#1  0x425cffbb in __write_nocancel () from /lib/libpthread.so.0
#2  0xb6b49cdc in PlayerControl::sendmessage () from /usr/lib/kde3/libamarok_helixengine_plugin.so
#3  0xb6b49da8 in PlayerControl::sendscopebuf () from /usr/lib/kde3/libamarok_helixengine_plugin.so
#4  0xb6b4c1b2 in PlayerControl::init () from /usr/lib/kde3/libamarok_helixengine_plugin.so
#5  0xb6b3a326 in HelixEngine::init () from /usr/lib/kde3/libamarok_helixengine_plugin.so
#6  0x447c5a92 in EngineController::loadEngine () from /usr/lib/libamarok.so.0
#7  0x447c5be7 in EngineController::loadEngine () from /usr/lib/libamarok.so.0
#8  0x4472161f in App::applySettings () from /usr/lib/libamarok.so.0
#9  0x44723017 in App::App () from /usr/lib/libamarok.so.0
#10 0x0804da7e in ?? ()
#11 0xbfdc2518 in ?? ()
#12 0xbfdc2694 in ?? ()
#13 0x08064558 in vtable for QGList ()
#14 0x08064547 in vtable for QGList ()
#15 0x00000000 in ?? ()

0xffffe410 in __kernel_vsyscall ()
#0  0xffffe410 in __kernel_vsyscall ()
#1  0x425d003b in __read_nocancel () from /lib/libpthread.so.0
#2  0xb6ada8fd in CloseEngine () from /opt/RealPlayer/common/clntcore.so
#3  0xb6adad7c in CloseEngine () from /opt/RealPlayer/common/clntcore.so
#4  0xb6ab6669 in CloseEngine () from /opt/RealPlayer/common/clntcore.so
#5  0xb69f5215 in CloseEngine () from /opt/RealPlayer/common/clntcore.so
#6  0xb69ac585 in CloseEngine () from /opt/RealPlayer/common/clntcore.so
#7  0xb6b5732e in HelixSimplePlayer::init () from /usr/lib/kde3/libamarok_helixengine_plugin.so
#8  0xb6b4c2c9 in PlayerControl::init () from /usr/lib/kde3/libamarok_helixengine_plugin.so
#9  0xb6b3a326 in HelixEngine::init () from /usr/lib/kde3/libamarok_helixengine_plugin.so
#10 0x447c5a92 in EngineController::loadEngine () from /usr/lib/libamarok.so.0
#11 0x447c5be7 in EngineController::loadEngine () from /usr/lib/libamarok.so.0
#12 0x4472161f in App::applySettings () from /usr/lib/libamarok.so.0
#13 0x44723017 in App::App () from /usr/lib/libamarok.so.0
#14 0x0804da7e in ?? ()
#15 0xbfdc2518 in ?? ()
#16 0xbfdc2694 in ?? ()
#17 0x08064558 in vtable for QGList ()
#18 0x08064547 in vtable for QGList ()
#19 0x00000000 in ?? ()

0xffffe410 in __kernel_vsyscall ()
#0  0xffffe410 in __kernel_vsyscall ()
#1  0x425d003b in __read_nocancel () from /lib/libpthread.so.0
#2  0xb6adaaad in CloseEngine () from /opt/RealPlayer/common/clntcore.so
#3  0xb6adad5f in CloseEngine () from /opt/RealPlayer/common/clntcore.so
#4  0xb6ab6669 in CloseEngine () from /opt/RealPlayer/common/clntcore.so
#5  0xb69f5215 in CloseEngine () from /opt/RealPlayer/common/clntcore.so
#6  0xb69ac585 in CloseEngine () from /opt/RealPlayer/common/clntcore.so
#7  0xb6b5732e in HelixSimplePlayer::init () from /usr/lib/kde3/libamarok_helixengine_plugin.so
#8  0xb6b4c2c9 in PlayerControl::init () from /usr/lib/kde3/libamarok_helixengine_plugin.so
#9  0xb6b3a326 in HelixEngine::init () from /usr/lib/kde3/libamarok_helixengine_plugin.so
#10 0x447c5a92 in EngineController::loadEngine () from /usr/lib/libamarok.so.0
#11 0x447c5be7 in EngineController::loadEngine () from /usr/lib/libamarok.so.0
#12 0x4472161f in App::applySettings () from /usr/lib/libamarok.so.0
#13 0x44723017 in App::App () from /usr/lib/libamarok.so.0
#14 0x0804da7e in ?? ()
#15 0xbfdc2518 in ?? ()
#16 0xbfdc2694 in ?? ()
#17 0x08064558 in vtable for QGList ()
#18 0x08064547 in vtable for QGList ()
#19 0x00000000 in ?? ()

There was also another one, in "zombie" state (so couldn't get a backtrace for it.)


The forked ones had backtraces that looked like this:

#0  0xffffe410 in __kernel_vsyscall ()
#1  0x425d0fbb in __waitpid_nocancel () from /lib/libpthread.so.0
#2  0x0804e8c5 in amaroK::Crash::crashHandler ()
#3  <signal handler called>
#4  0x42da2802 in QGListIterator::QGListIterator () from /usr/qt/3/lib/libqt-mt.so.3
#5  0x42ae7e62 in QObject::child () from /usr/qt/3/lib/libqt-mt.so.3
#6  0x0804f3a5 in Debug::indent ()
#7  0x0804dae4 in QGList::count ()
#8  0x0804dc53 in amaroK::Crash::crashHandler ()
#9  <signal handler called>
#10 0x42da2802 in QGListIterator::QGListIterator () from /usr/qt/3/lib/libqt-mt.so.3
#11 0x42ae7e62 in QObject::child () from /usr/qt/3/lib/libqt-mt.so.3
#12 0x0804f3a5 in Debug::indent ()
#13 0x0804dae4 in QGList::count ()
#14 0x0804dc53 in amaroK::Crash::crashHandler ()
#15 <signal handler called>
#16 0x42da2802 in QGListIterator::QGListIterator () from /usr/qt/3/lib/libqt-mt.so.3
#17 0x42ae7e62 in QObject::child () from /usr/qt/3/lib/libqt-mt.so.3
#18 0x0804f3a5 in Debug::indent ()
#19 0x0804dae4 in QGList::count ()
#20 0x0804dc53 in amaroK::Crash::crashHandler ()
#21 <signal handler called>
#22 0x42da2802 in QGListIterator::QGListIterator () from /usr/qt/3/lib/libqt-mt.so.3
#23 0x42ae7e62 in QObject::child () from /usr/qt/3/lib/libqt-mt.so.3
#24 0x0804f3a5 in Debug::indent ()
#25 0x0804dae4 in QGList::count ()
#26 0x0804dc53 in amaroK::Crash::crashHandler ()
#27 <signal handler called>
... more ...
#19248 0x007fff00 in ?? ()
#19249 0x007fff00 in ?? ()
#19250 0x00800000 in ?? ()
#19251 0x00800000 in ?? ()
#19252 0x00800000 in ?? ()
#19253 0x00000000 in ?? ()
Comment 1 Alexandre Oliveira 2006-06-29 05:14:23 UTC 
SVN commit 556051 by aoliveira:

don't use debug() in the crash handler at all. Some backtraces point to crashes inside of it, and crashing while handling the crash 
is no fun at all.
BUG: 126397


 M  +3 -4      crashhandler.cpp   [POSSIBLY UNSAFE: popen]


--- trunk/extragear/multimedia/amarok/src/amarokcore/crashhandler.cpp #556050:556051
@@ -11,7 +11,6 @@
 #include "amarok.h"
 #include "amarokconfig.h"
 #include "crashhandler.h"
-#include "debug.h"
 
 #include <kapplication.h> //invokeMailer()
 #include <kdeversion.h>
@@ -53,7 +52,7 @@
         static const uint SIZE = 40960; //40 KiB
         static char stdoutBuf[ SIZE ];
 
-        debug() << "Running: " << command << endl;
+        std::cout << "Running: " << command << std::endl;
 
         FILE *process = ::popen( command, "r" );
         stdoutBuf[ std::fread( static_cast<void*>( stdoutBuf ), sizeof(char), SIZE-1, process ) ] = '\0';
@@ -72,7 +71,7 @@
         if( pid <= 0 )
         {
             // we are the child process (the result of the fork)
-            debug() << "Amarok is crashing...\n";
+            std::cout << "Amarok is crashing...\n";
 
             QString subject = APP_VERSION " ";
             QString body = i18n(
@@ -177,7 +176,7 @@
 
             subject += QString("[%1]").arg( AmarokConfig::soundSystem().remove( QRegExp("-?engine") ) );
 
-            debug() << subject << endl;
+            std::cout << subject.latin1() << std::endl;
 
 
             //TODO -fomit-frame-pointer buggers up the backtrace, so detect it
Comment 2 Martin Aumueller 2006-07-25 13:40:27 UTC 
SVN commit 566098 by aumuell:

_exit if forking failed instead of trying to debug ourselves
CCBUG: 126397


 M  +7 -1      crashhandler.cpp  


--- trunk/extragear/multimedia/amarok/src/amarokcore/crashhandler.cpp #566097:566098
@@ -71,8 +71,14 @@
         // semi-decent bt - I dunno why
         const pid_t pid = ::fork();
 
-        if( pid <= 0 )
+        if( pid < 0 )
         {
+            std::cout << "forking crash reporter failed\n";
+            // continuing now can't do no good
+            _exit( 1 );
+        }
+        else if ( pid == 0 )
+        {
             // we are the child process (the result of the fork)
             std::cout << "Amarok is crashing...\n";