Bug 241122 - Plasma crashes at logout every time, corrupted malloc space detected during free
Status: RESOLVED DUPLICATE of bug 210769
Alias: None
Product: plasma4
Classification: Unmaintained
Component: general
Version: unspecified
Platform: Compiled Sources Linux
Importance: NOR crash
Assignee: Plasma Bugs List
Reported: 2010-06-08 18:36 UTC by Christopher Neufeld
Modified: 2010-06-10 02:04 UTC
Description Christopher Neufeld 2010-06-08 18:36:11 UTC
Version:           unspecified (using Devel) 
OS:                Linux

I have an entirely reproducible crash in plasma.  For builds going back some weeks now, every time I log out, plasma crashes.  I suspect this may be responsible for the fact that no changes I make to the desktop (wallpaper, adding widgets, etc.) ever reappear when I log in again.  In any case, my last working build was compiled on May 8.

The backtrace of the offending thread is here:

Application: Plasma Workspace (kdeinit4), signal: Aborted
[Current thread is 1 (Thread 0x7f6323f1b700 (LWP 14869))]

...

Thread 1 (Thread 0x7f6323f1b700 (LWP 14869)):
[KCrash Handler]
#6  0x00007f6321026adb in *__GI_raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:67
#7  0x00007f6321027fc0 in *__GI_abort () at abort.c:88
#8  0x00007f632105f94b in __libc_message (do_abort=2, fmt=0x7f6321106578 "*** glibc detected *** %s: %s: 0x%s ***\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:170
#9  0x00007f6321064a1d in malloc_printerr (action=2, str=0x7f6321106680 "double free or corruption (!prev)", ptr=<value optimized out>) at malloc.c:5891
#10 0x00007f6321066736 in *__GI___libc_free (mem=0x6) at malloc.c:3626
#11 0x00007f6321055ddc in _IO_new_fclose (fp=0x167c470) at iofclose.c:88
#12 0x00007f63044f1ea4 in KHolidays::HolidayParserDriverPlan::scannerTerminate (this=0x167b470) at holidayscannerplan.lpp:311
#13 0x00007f63044e3231 in ~HolidayParserDriverPlan (this=0x167b470, __in_chrg=<value optimized out>) at /home/neufeld/newX/kde/HEAD/kdepimlibs/kholidays/parsers/plan2/holidayparserdriverplan.cpp:61
#14 0x00007f63044ddd1e in ~Private (this=0x167b150, __in_chrg=<value optimized out>) at /home/neufeld/newX/kde/HEAD/kdepimlibs/kholidays/holidayregion.cpp:74
#15 0x00007f63044dc690 in ~HolidayRegion (this=0x167dba0, __in_chrg=<value optimized out>) at /home/neufeld/newX/kde/HEAD/kdepimlibs/kholidays/holidayregion.cpp:123
#16 0x00007f630471c614 in qDeleteAll<QHash<QString, KHolidays::HolidayRegion*>::const_iterator> (begin=..., end=...) at /usr/local/qt-4.4.0/include/QtCore/qalgorithms.h:322
#17 0x00007f630471c667 in qDeleteAll<QHash<QString, KHolidays::HolidayRegion*> > (c=...) at /usr/local/qt-4.4.0/include/QtCore/qalgorithms.h:330
#18 0x00007f6304719514 in ~CalendarEngine (this=0x13c99d0, __in_chrg=<value optimized out>) at /home/neufeld/newX/kde/HEAD/kdebase/workspace/plasma/generic/dataengines/calendar/calendarengine.cpp:46
#19 0x00007f631ae4dd45 in Plasma::DataEngineManager::unloadEngine (this=0x9b7220, name=...) at /home/neufeld/newX/kde/HEAD/kdelibs/plasma/dataenginemanager.cpp:167
#20 0x00007f631ae8ca81 in ~DataEngineConsumer (this=0xe35040, __in_chrg=<value optimized out>) at /home/neufeld/newX/kde/HEAD/kdelibs/plasma/private/dataengineconsumer.cpp:88
#21 0x00007f631ae07eb2 in ~AppletPrivate (this=0xe35040, __in_chrg=<value optimized out>) at /home/neufeld/newX/kde/HEAD/kdelibs/plasma/applet.cpp:2628
#22 0x00007f631ae16312 in ~Applet (this=0xf35e90, __in_chrg=<value optimized out>) at /home/neufeld/newX/kde/HEAD/kdelibs/plasma/applet.cpp:214
#23 0x00007f631ae804fe in ~PopupApplet (this=0xf35e90, __in_chrg=<value optimized out>) at /home/neufeld/newX/kde/HEAD/kdelibs/plasma/popupapplet.cpp:73
#24 0x00007f6306fed0f0 in ~ClockApplet (this=0xf35e90, __in_chrg=<value optimized out>) at /home/neufeld/newX/kde/HEAD/kdebase/workspace/libs/plasmaclock/clockapplet.cpp:178
#25 0x00007f6307214cb4 in ~Clock (this=0xf35e90, __in_chrg=<value optimized out>) at /home/neufeld/newX/kde/HEAD/kdebase/workspace/plasma/generic/applets/digital-clock/clock.cpp:68
#26 0x00007f631ae36243 in qDeleteAll<QList<Plasma::Applet*>::const_iterator> (begin=..., end=...) at /usr/local/qt-4.4.0/include/QtCore/qalgorithms.h:322
#27 0x00007f631ae36cad in qDeleteAll<QList<Plasma::Applet*> > (c=...) at /usr/local/qt-4.4.0/include/QtCore/qalgorithms.h:330
#28 0x00007f631ae3a2af in ~ContainmentPrivate (this=0xee3e60, __in_chrg=<value optimized out>) at /home/neufeld/newX/kde/HEAD/kdelibs/plasma/private/containment_p.h:64
#29 0x00007f631ae34fd2 in ~Containment (this=0xe2e3e0, __in_chrg=<value optimized out>) at /home/neufeld/newX/kde/HEAD/kdelibs/plasma/containment.cpp:144
#30 0x00007f6306dc1fc1 in ~DefaultDesktop (this=0xe2e3e0, __in_chrg=<value optimized out>) at /home/neufeld/newX/kde/HEAD/kdebase/workspace/plasma/desktop/containments/desktop/desktop.cpp:52
#31 0x00007f631ae426df in qDeleteAll<QList<Plasma::Containment*>::const_iterator> (begin=..., end=...) at /usr/local/qt-4.4.0/include/QtCore/qalgorithms.h:322
#32 0x00007f631ae42c59 in qDeleteAll<QList<Plasma::Containment*> > (c=...) at /usr/local/qt-4.4.0/include/QtCore/qalgorithms.h:330
#33 0x00007f631ae45cd5 in ~CoronaPrivate (this=0x78df20, __in_chrg=<value optimized out>) at /home/neufeld/newX/kde/HEAD/kdelibs/plasma/corona.cpp:82
#34 0x00007f631ae41f98 in ~Corona (this=0x78ad60, __in_chrg=<value optimized out>) at /home/neufeld/newX/kde/HEAD/kdelibs/plasma/corona.cpp:303
#35 0x00007f63158854ed in ~DesktopCorona (this=0x78ad60, __in_chrg=<value optimized out>) at /home/neufeld/newX/kde/HEAD/kdebase/workspace/plasma/desktop/shell/desktopcorona.cpp:73
#36 0x00007f63158ac71a in PlasmaApp::cleanup (this=0x698ad0) at /home/neufeld/newX/kde/HEAD/kdebase/workspace/plasma/desktop/shell/plasmaapp.cpp:349
#37 0x00007f63158accf8 in PlasmaApp::qt_metacall (this=0x698ad0, _c=QMetaObject::InvokeMetaMethod, _id=16, _a=0x7fff0263f310)
    at /home/neufeld/newX/kde/build-64/kdebase/workspace/plasma/desktop/shell/plasmaapp.moc:149
#38 0x00007f6322aca8ac in QMetaObject::activate (sender=0x698ad0, m=<value optimized out>, local_signal_index=<value optimized out>, argv=0xffffffffffffffff) at kernel/qobject.cpp:3293
#39 0x00007f6322ab8c7e in QCoreApplication::exec () at kernel/qcoreapplication.cpp:986
#40 0x00007f631588eafb in kdemain (argc=1, argv=0x68a810) at /home/neufeld/newX/kde/HEAD/kdebase/workspace/plasma/desktop/shell/main.cpp:118
#41 0x00000000004080db in launch (argc=1, _name=0x6a0008 "/usr/local/kde4/bin/plasma-desktop", args=0x6a002b "", cwd=0x0, envc=0, envs=0x6a0033 "", reset_env=false, tty=0x0, avoid_loops=false, 
    startup_id_str=0x40c33a "0") at /home/neufeld/newX/kde/HEAD/kdelibs/kinit/kinit.cpp:723
#42 0x000000000040892c in handle_launcher_request (sock=8, who=0x40c5fc "launcher") at /home/neufeld/newX/kde/HEAD/kdelibs/kinit/kinit.cpp:1215
#43 0x0000000000409278 in handle_requests (waitForPid=0) at /home/neufeld/newX/kde/HEAD/kdelibs/kinit/kinit.cpp:1408
#44 0x0000000000409cb9 in main (argc=4, argv=0x7fff026401a8, envp=0x7fff026401d0) at /home/neufeld/newX/kde/HEAD/kdelibs/kinit/kinit.cpp:1892


I can't explain the discrepancy between frames 10 and 11.  I attached to my kdeinit4 with gdb from a console, logged out, and then examined those frames.  The file pointer is correct as it gets passed into ::fclose(); the value in that frame matches what is shown in the backtrace.  Once we call _int_free (inlined? it's not in the backtrace), the pointer appears to hold the value 0x6.

I tried modifying holidayscannerplan.lpp.  I set the yyin variable to NULL after closing the file, in the hopes that it would change the nature of the error and indicate a double-close due to repeated invocations of scannerTerminate(), but that didn't happen; I still crashed the same way, with a valid FILE pointer.

I'm going to try again with MALLOC_CHECK_ set and see if I can wring any more details out of this.

Reproducible: Always

Steps to Reproduce:
Log out of a desktop session.

Actual Results:  
A crash handler window pops up after most of the session has been torn down.

Expected Results:  
Normal shutdown, including saving of the session settings for reuse on the next login.
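
The double-close check described in the report above (clearing `yyin` after `fclose()` so that a repeated `scannerTerminate()` call becomes visible instead of freeing the stream twice) looks like this in plain C. This is an added example, not code from kholidays or from the reporter; `struct scanner`, `scanner_open` and `scanner_terminate` are hypothetical names, and `/dev/null` is a constructed stand-in for the holiday file.

```c
#include <stdio.h>

/* Hypothetical stand-in for the lexer state; not the kholidays code. */
struct scanner {
    FILE *in;         /* plays the role of yyin */
    int close_calls;  /* times terminate was requested */
    int real_closes;  /* times fclose() actually ran */
};

/* Open the input stream. Returns 0 on success, -1 on failure. */
int scanner_open(struct scanner *s, const char *path)
{
    s->close_calls = 0;
    s->real_closes = 0;
    s->in = fopen(path, "r");
    return s->in ? 0 : -1;
}

/*
 * Idempotent terminate. Returns 1 if the stream was closed by this call,
 * 0 if it had already been closed (a repeated call), -1 if fclose() failed.
 */
int scanner_terminate(struct scanner *s)
{
    FILE *fp = s->in;

    s->close_calls++;
    if (fp == NULL)
        return 0;
    s->in = NULL;   /* clear first so no later path can see a stale pointer */
    s->real_closes++;
    return fclose(fp) == 0 ? 1 : -1;
}

int main(void)
{
    struct scanner s;

    /* Constructed input: /dev/null stands in for the holiday file. */
    if (scanner_open(&s, "/dev/null") != 0)
        return 1;
    int first = scanner_terminate(&s);
    int second = scanner_terminate(&s);  /* simulated second destructor pass */
    printf("first=%d second=%d calls=%d closes=%d\n",
           first, second, s.close_calls, s.real_closes);
    return 0;
}
```

If the abort inside `fclose()` persists with a guard like this in place, a repeated close through this pointer is ruled out as the source of the heap damage.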
Comment 1 Christopher Neufeld 2010-06-08 19:01:15 UTC
Not much help from MALLOC_CHECK_=2.  The crash is in the same place, with the same backtrace, save for a slightly modified diagnostic message underneath free():

#6  0x00007fdd370d4adb in *__GI_raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:67
#7  0x00007fdd370d5fc0 in *__GI_abort () at abort.c:88
#8  0x00007fdd37112a3f in malloc_printerr (action=2, str=0x7fdd371b1bab "free(): invalid pointer", ptr=0x4993) at malloc.c:5896
#9  0x00007fdd37103ddc in _IO_new_fclose (fp=0x1680010) at iofclose.c:88
#10 0x00007fdd1a6ceea4 in KHolidays::HolidayParserDriverPlan::scannerTerminate (this=0x167f180) at holidayscannerplan.lpp:311

I set a breakpoint in scannerTerminate() and examined the contents of *yyin before it was sent to ::fclose().  Everything there looked reasonable; it wasn't obvious stack noise, and it wasn't equal to "stdin".

I'll see if I can think of other ways to squeeze more information out of the crash.
Comment 2 Christopher Neufeld 2010-06-10 02:04:25 UTC
This crash was ultimately caused by a bad free() operation underneath ::tzset().  It's a glibc bug.  I compiled and installed glibc-2.11, and this issue went away.  Closing as duplicate of 210769.

*** This bug has been marked as a duplicate of bug 210769 ***