Bug 317952 - crash on insertion of usb wireless keyboard receiver, recursion in Solid::Backends::UPower::UPowerDevice::{product,description} smashes stack
Summary: crash on insertion of usb wireless keyboard receiver, recursion in Solid::Bac...
Status: RESOLVED FIXED
Alias: None
Product: solid
Classification: Unmaintained
Component: libsolid-upower (show other bugs)
Version: 4.10.1
Platform: Fedora RPMs Linux
: NOR crash
Target Milestone: 4.11
Assignee: Lukáš Tinkl
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-04-06 22:36 UTC by James Hogan
Modified: 2013-08-10 14:11 UTC (History)
3 users (show)

See Also:
Latest Commit:
Version Fixed In: 4.11
Sentry Crash Report:


Attachments
Updated backtrace with full amarok debug symbols installed (6.53 KB, text/plain)
2013-04-08 20:04 UTC, James Hogan
Details

Note You need to log in before you can comment on or make changes to this bug.
Description James Hogan 2013-04-06 22:36:35 UTC
Inserting a Logitech k400 Wireless Touch Keyboard USB receiver causes Amarok to immediately crash.

gdb post mortem:
* A seg fault is triggered by a stack push instruction with stack pointer on a page boundary.
* backtrace has 116153 frames, the majority of which are alternating between Solid::Backends::UPower::UPowerDevice::product and Solid::Backends::UPower::UPowerDevice::description

I'm assuming it's an amarok bug due to misuse of solid since I didn't see anything else crash and the recursion seems quite blatant, however I haven't looked deeply so could well be wrong.

Reproducible: Always

Steps to Reproduce:
1. Start Amarok
2. Insert  Logitech K400 Wireless Touch Keyboard USB  receiver
Actual Results:  
Amarok immediately crashes without showing kde crash dialog (presumably due to lack of usable stack for handling signal).

Expected Results:  
nothing noticeable as far as I know

$ amarok --version
Qt: 4.8.4
KDE Development Platform: 4.10.1
Amarok: 2.7.0

gdb backtrace:
#0  0x0000003f9607f454 in __GI___libc_malloc (bytes=42) at malloc.c:2914
#1  0x00000038d5ec0775 in QString::QString (this=0x7fff09eaa0b0, size=5) at tools/qstring.cpp:1141
#2  0x00000038d5faee91 in QUtf8::convertToUnicode (chars=<optimized out>, len=<optimized out>, state=0x0) at codecs/qutfcodec.cpp:183
#3  0x00000038d5faf251 in QUtf8Codec::convertToUnicode (this=<optimized out>, chars=<optimized out>, len=<optimized out>, state=<optimized out>)
    at codecs/qutfcodec.cpp:532
#4  0x00000038d5ec653d in toUnicode (state=0x0, length=<optimized out>, in=<optimized out>, this=0x188a680)
    at ../../src/corelib/codecs/qtextcodec.h:116
#5  QString::fromAscii_helper (str=<optimized out>, size=<optimized out>) at tools/qstring.cpp:3880
#6  0x0000003998c9ee8d in QString (ch=0x3998cc34d2 "Type", this=0x7fff09eaa0d0) at /usr/include/QtCore/qstring.h:419
#7  Solid::Backends::UPower::UPowerDevice::queryDeviceInterface (this=0x3009e70, type=@0x7fff09eaa11c: Solid::DeviceInterface::AcAdapter)
    at /usr/src/debug/kdelibs-4.10.1/solid/solid/backends/upower/upowerdevice.cpp:80
#8  0x0000003998c9ed68 in Solid::Backends::UPower::UPowerDevice::description (this=0x3009e70)
    at /usr/src/debug/kdelibs-4.10.1/solid/solid/backends/upower/upowerdevice.cpp:101
#9  0x0000003998c9eba8 in Solid::Backends::UPower::UPowerDevice::product (this=0x3009e70)
    at /usr/src/debug/kdelibs-4.10.1/solid/solid/backends/upower/upowerdevice.cpp:149
#10 0x0000003998c9ed9c in Solid::Backends::UPower::UPowerDevice::description (this=0x3009e70)
    at /usr/src/debug/kdelibs-4.10.1/solid/solid/backends/upower/upowerdevice.cpp:106
<long snip>
#116118 0x0000003998c9ed9c in Solid::Backends::UPower::UPowerDevice::description (this=0x3009e70)
    at /usr/src/debug/kdelibs-4.10.1/solid/solid/backends/upower/upowerdevice.cpp:106
#116119 0x0000003998c9eba8 in Solid::Backends::UPower::UPowerDevice::product (this=0x3009e70)
    at /usr/src/debug/kdelibs-4.10.1/solid/solid/backends/upower/upowerdevice.cpp:149
#116120 0x0000003998c9ed9c in Solid::Backends::UPower::UPowerDevice::description (this=0x3009e70)
    at /usr/src/debug/kdelibs-4.10.1/solid/solid/backends/upower/upowerdevice.cpp:106
#116121 0x0000003998c9eba8 in Solid::Backends::UPower::UPowerDevice::product (this=0x3009e70)
    at /usr/src/debug/kdelibs-4.10.1/solid/solid/backends/upower/upowerdevice.cpp:149
#116122 0x0000003998c9ed9c in Solid::Backends::UPower::UPowerDevice::description (this=0x3009e70)
    at /usr/src/debug/kdelibs-4.10.1/solid/solid/backends/upower/upowerdevice.cpp:106
#116123 0x0000003998c9eba8 in Solid::Backends::UPower::UPowerDevice::product (this=0x3009e70)
    at /usr/src/debug/kdelibs-4.10.1/solid/solid/backends/upower/upowerdevice.cpp:149
#116124 0x0000003998c424f6 in Solid::Device::product (this=<optimized out>) at /usr/src/debug/kdelibs-4.10.1/solid/solid/device.cpp:133
#116125 0x00007f915505859f in MediaDeviceCache::slotAddSolidDevice(QString const&) () from /lib64/libamaroklib.so.1
#116126 0x00000038d5f8cdef in QMetaObject::activate (sender=0x1d890c0, m=<optimized out>, local_signal_index=<optimized out>, argv=
    0x7fff0a6a3cf0) at kernel/qobject.cpp:3539
#116127 0x0000003998c435d2 in Solid::DeviceNotifier::deviceAdded (this=this@entry=0x1d890c0, _t1=...)
    at /usr/src/debug/kdelibs-4.10.1/x86_64-redhat-linux-gnu/solid/solid/devicenotifier.moc:100
#116128 0x0000003998c4460b in Solid::DeviceManagerPrivate::_k_deviceAdded (this=0x1d890c0, udi=...)
    at /usr/src/debug/kdelibs-4.10.1/solid/solid/devicemanager.cpp:189
#116129 0x00000038d5f8cdef in QMetaObject::activate (sender=0x1d8bd90, m=<optimized out>, local_signal_index=<optimized out>, argv=
    0x7fff0a6a3ed0) at kernel/qobject.cpp:3539
#116130 0x0000003998c589c2 in Solid::Ifaces::DeviceManager::deviceAdded (this=<optimized out>, _t1=...)
    at /usr/src/debug/kdelibs-4.10.1/x86_64-redhat-linux-gnu/solid/solid/ifaces/devicemanager.moc:100
#116131 0x00000038d5f8cdef in QMetaObject::activate (sender=0x1d8bda8, m=<optimized out>, local_signal_index=<optimized out>, argv=
    0x7fff0a6a4270) at kernel/qobject.cpp:3539
#116132 0x00000038d7e37691 in QDBusInterfacePrivate::metacall (this=0x1d90370, c=<optimized out>, id=2, argv=0x7fff0a6a4270)
    at qdbusinterface.cpp:278
#116133 0x00000038d7e230b3 in QDBusConnectionPrivate::deliverCall (this=0x1d8beb0, object=0x1d8bda8, msg=..., metaTypes=..., slotIdx=7)
    at qdbusintegrator.cpp:951
#116134 0x00000038d5f8c2ce in QObject::event (this=0x1d8bda8, e=<optimized out>) at kernel/qobject.cpp:1194
#116135 0x00000038d65ca5ac in QApplicationPrivate::notify_helper (this=this@entry=0x18f8140, receiver=receiver@entry=0x1d8bda8, e=e@entry=
    0x309a1b0) at kernel/qapplication.cpp:4562
#116136 0x00000038d65cea2a in QApplication::notify (this=0x7fff0a6a6fd0, receiver=0x1d8bda8, e=0x309a1b0) at kernel/qapplication.cpp:4423
#116137 0x00000039978473b6 in KApplication::notify (this=0x7fff0a6a6fd0, receiver=0x1d8bda8, event=0x309a1b0)
    at /usr/src/debug/kdelibs-4.10.1/kdeui/kernel/kapplication.cpp:311
#116138 0x00000038d5f779ce in QCoreApplication::notifyInternal (this=0x7fff0a6a6fd0, receiver=receiver@entry=0x1d8bda8, event=event@entry=
    0x309a1b0) at kernel/qcoreapplication.cpp:946
#116139 0x00000038d5f7b481 in sendEvent (event=0x309a1b0, receiver=0x1d8bda8) at kernel/qcoreapplication.h:231
#116140 QCoreApplicationPrivate::sendPostedEvents (receiver=0x0, event_type=0, data=0x178e7d0) at kernel/qcoreapplication.cpp:1570
#116141 0x00000038d5fa5e63 in sendPostedEvents () at kernel/qcoreapplication.h:236
#116142 postEventSourceDispatch (s=0x1906870) at kernel/qeventdispatcher_glib.cpp:279
#116143 0x0000003f98047825 in g_main_context_dispatch () from /lib64/libglib-2.0.so.0
#116144 0x0000003f98047b58 in ?? () from /lib64/libglib-2.0.so.0
#116145 0x0000003f98047c14 in g_main_context_iteration () from /lib64/libglib-2.0.so.0
#116146 0x00000038d5fa5ff6 in QEventDispatcherGlib::processEvents (this=0x178fd10, flags=...) at kernel/qeventdispatcher_glib.cpp:424
#116147 0x00000038d666a5ee in QGuiEventDispatcherGlib::processEvents (this=<optimized out>, flags=...) at kernel/qguieventdispatcher_glib.cpp:207
#116148 0x00000038d5f7671f in QEventLoop::processEvents (this=this@entry=0x7fff0a6a4bf0, flags=...) at kernel/qeventloop.cpp:149
#116149 0x00000038d5f769a8 in QEventLoop::exec (this=0x7fff0a6a4bf0, flags=...) at kernel/qeventloop.cpp:204
#116150 0x00000038d5f7b798 in QCoreApplication::exec () at kernel/qcoreapplication.cpp:1218
#116151 0x00000000004090ba in ?? ()
#116152 0x0000003f96021735 in __libc_start_main (main=0x402310, argc=2, ubp_av=0x7fff0a6a7138, init=<optimized out>, fini=<optimized out>, 
    rtld_fini=<optimized out>, stack_end=0x7fff0a6a7128) at libc-start.c:226
#116153 0x000000000040bb8d in _start ()

(gdb) disas
Dump of assembler code for function __GI___libc_malloc:
   0x0000003f9607f450 <+0>:     push   %rbp
   0x0000003f9607f451 <+1>:     mov    %rdi,%rbp
=> 0x0000003f9607f454 <+4>:     push   %rbx

(gdb) p $rsp
$3 = (void *) 0x7fff09eaa000

(gdb) frame 10
#10 0x0000003998c9ed9c in Solid::Backends::UPower::UPowerDevice::description (this=0x3009e70)
    at /usr/src/debug/kdelibs-4.10.1/solid/solid/backends/upower/upowerdevice.cpp:106
106             return product();
(gdb) l
101         if (queryDeviceInterface(Solid::DeviceInterface::AcAdapter))
102             return QObject::tr("A/C Adapter");
103         else if (queryDeviceInterface(Solid::DeviceInterface::Battery))
104             return QObject::tr("%1 Battery", "%1 is battery technology").arg(batteryTechnology());
105         else
106             return product();
107     }
108
109     QString UPowerDevice::batteryTechnology() const
110     {
(gdb) down
#9  0x0000003998c9eba8 in Solid::Backends::UPower::UPowerDevice::product (this=0x3009e70)
    at /usr/src/debug/kdelibs-4.10.1/solid/solid/backends/upower/upowerdevice.cpp:149
149             result = description();
(gdb) l
144     QString UPowerDevice::product() const
145     {
146         QString result = prop("Model").toString();
147
148         if (result.isEmpty()) {
149             result = description();
150         }
151
152         return result;
153     }
Comment 1 Myriam Schweingruber 2013-04-06 23:28:10 UTC
A complete backtrace would be useful, if you can reproduce this. Most likely a duplicate of bug 314544 which is a Solid regression, not an Amarok bug.
Comment 2 James Hogan 2013-04-07 19:54:03 UTC
(In reply to comment #1)
> A complete backtrace would be useful, if you can reproduce this. Most likely
> a duplicate of bug 314544 which is a Solid regression, not an Amarok bug.

Thanks Myriam. As I stated it's always reproducible, so I can provide specific debug info on request easily enough, however I think the backtrace I pasted covers the interesting bits? The 116108 omitted stack frames are all just straightforward alternations between Solid::Backends::UPower::UPowerDevice::description and Solid::Backends::UPower::UPowerDevice::product.

Although bug 314544 is in solid, I cannot see any indications that it's the same problem, and none of the backtraces appear to correlate with this problem.

Cheers
James
Comment 3 Myriam Schweingruber 2013-04-07 20:07:03 UTC
(In reply to comment #2)
> (In reply to comment #1)
> > A complete backtrace would be useful, if you can reproduce this. Most likely
> > a duplicate of bug 314544 which is a Solid regression, not an Amarok bug.
> 
> Thanks Myriam. As I stated it's always reproducible, so I can provide
> specific debug info on request easily enough, however I think the backtrace
> I pasted covers the interesting bits? The 116108 omitted stack frames are
> all just straightforward alternations between
> Solid::Backends::UPower::UPowerDevice::description and
> Solid::Backends::UPower::UPowerDevice::product.

What interests me is to get a backtrace like the one produce by Dr. Konqi, you need to run KDE for that, though.

Since I don't have that piece of hardware I can't reproduce this here.
Comment 4 James Hogan 2013-04-07 21:55:30 UTC
(In reply to comment #3)
> (In reply to comment #2)
> > (In reply to comment #1)
> > > A complete backtrace would be useful, if you can reproduce this. Most likely
> > > a duplicate of bug 314544 which is a Solid regression, not an Amarok bug.
> > 
> > Thanks Myriam. As I stated it's always reproducible, so I can provide
> > specific debug info on request easily enough, however I think the backtrace
> > I pasted covers the interesting bits? The 116108 omitted stack frames are
> > all just straightforward alternations between
> > Solid::Backends::UPower::UPowerDevice::description and
> > Solid::Backends::UPower::UPowerDevice::product.
> 
> What interests me is to get a backtrace like the one produce by Dr. Konqi,
> you need to run KDE for that, though.

I'm running KDE, however Dr. Konqi didn't run. Assuming Dr. Konqi catches the SIGSEGV signal, since the stack has been smashed the signal delivery will fail and Dr. Konqi won't get a chance to run.

If there's particular information Dr. Konqi provides that you're interested in though let me know, since I may be able to extract it from gdb.

Cheers
James
Comment 5 Myriam Schweingruber 2013-04-08 12:54:34 UTC
Well, you should at least install the debugging symbols for Amarok, as those are obviously not installed, and provide a new backtrace with those.
Comment 6 James Hogan 2013-04-08 20:04:38 UTC
Created attachment 78739 [details]
Updated backtrace with full amarok debug symbols installed

Thanks for the suggestion Myriam. I only had the libamarok debug symbols installed, not the full amarok set.
Comment 7 Myriam Schweingruber 2013-04-08 20:16:14 UTC
(In reply to comment #6)
> Created attachment 78739 [details]
> Updated backtrace with full amarok debug symbols installed
> 
> Thanks for the suggestion Myriam. I only had the libamarok debug symbols
> installed, not the full amarok set.

Thank you for the fast feedback. Apparently Amarok excepts a Media device:

#116117 0x00000030567dd59f in MediaDeviceCache::slotAddSolidDevice (this=0x245ce20, udi=...) at /usr/src/debug/amarok-2.7.0/src/MediaDeviceCache.cpp:181
Comment 8 Matěj Laitl 2013-05-04 12:01:05 UTC
This is an infinite recursion in Solid::Backends::UPower::UPowerDevice::product() and Solid::Backends::UPower::UPowerDevice::description().

Amarok just calls device.product(), that alone couldn't be an error.
Comment 9 Alex Fiestas 2013-08-01 19:46:47 UTC
Git commit 8ff75b92fe704d2b7ceca2d4cbe26a0dbbcaaa4f by Àlex Fiestas.
Committed on 01/08/2013 at 19:27.
Pushed by afiestas into branch 'master'.

Fix infinite recursion in UPower backend

Patches avoids calling Product from Description and adds "Vendor" as
an additional fallback  (better vendor than nothing, no?)
REVIEW:111803

M  +7    -2    solid/solid/backends/upower/upowerdevice.cpp

http://commits.kde.org/kdelibs/8ff75b92fe704d2b7ceca2d4cbe26a0dbbcaaa4f
Comment 10 Alex Fiestas 2013-08-05 13:32:18 UTC
Git commit 38602a8d922e1c47cf471aae4739f3dfbff54d0e by Àlex Fiestas.
Committed on 01/08/2013 at 19:27.
Pushed by afiestas into branch 'KDE/4.11'.

Fix infinite recursion in UPower backend

Patches avoids calling Product from Description and adds "Vendor" as
an additional fallback  (better vendor than nothing, no?)
REVIEW:111803
(cherry picked from commit 8ff75b92fe704d2b7ceca2d4cbe26a0dbbcaaa4f)

M  +7    -2    solid/solid/backends/upower/upowerdevice.cpp

http://commits.kde.org/kdelibs/38602a8d922e1c47cf471aae4739f3dfbff54d0e