[Bug 553745]

James Hunt 553745 at bugs.launchpad.net
Tue Apr 17 09:38:51 UTC 2012 

I think I've worked out what is going on here (and which caused me to
raise the erroneous bug 42285):

In ply_event_loop_process_pending_events(),
ply_event_loop_handle_timeouts() is being called *after* epoll_wait(),
but ply_event_loop_handle_timeouts() may free event sources.

I can reliabily force plymouthd to SIGSEGV (in various parts of the
code) by running the following:

  plymouth show-splash
  plymouth quit

I'm seeing epoll_wait() return with a single valid fd event.
ply_event_loop_handle_timeouts() then runs, and calls
main.c:on_boot_splash_idle(). This causes the event source object
referred to in the epoll_wait() event set to be freed and its reference
count set to zero. After ply_event_loop_handle_timeouts() finishes, the
now invalid source object pointed to by the epoll event data is
referenced (it now has a reference_count of 1), and the invalid event is
now processed with varying SIGSEGV scenarios ensuing.

Currently ply_event_loop_process_pending_events() can be summarized as:

1. get events.
2. handle timeouts.
3. reference event sources.
4. process events.
5. unreference event sources.

The attached patch changes this slightly to be effectively:

1. get events.
2. reference event sources.
3. handle timeouts.
4. process events.
5. unreference event sources.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to plymouth in Ubuntu.
https://bugs.launchpad.net/bugs/553745

Title:
  plymouthd crashed with SIGSEGV in
  ply_event_loop_process_pending_events()

Status in The Plymouth splash screen:
  Confirmed
Status in “plymouth” package in Ubuntu:
  Fix Released
Status in “plymouth” source package in Lucid:
  Triaged
Status in “plymouth” source package in Maverick:
  Invalid
Status in “plymouth” source package in Natty:
  Fix Released
Status in “plymouth” source package in Oneiric:
  Incomplete
Status in “plymouth” source package in Precise:
  Fix Released

Bug description:
  Binary package hint: plymouth

  just upgraded to lucid, first reboot tried to start accounts

  ProblemType: Crash
  DistroRelease: Ubuntu 10.04
  Package: plymouth 0.8.1-4
  ProcVersionSignature: Ubuntu 2.6.32-19.28-generic 2.6.32.10+drm33.1
  Uname: Linux 2.6.32-19-generic i686
  NonfreeKernelModules: wl
  Architecture: i386
  Date: Thu Apr  1 22:14:11 2010
  DefaultPlymouth: /lib/plymouth/themes/kubuntu-logo/kubuntu-logo.plymouth
  ExecutablePath: /sbin/plymouthd
  MachineType: Dell Inc. Inspiron 1545
  ProcCmdLine: root=UUID=73530dc8-e3cc-4147-b801-4725b2f88141 ro quiet splash vga=792
  ProcCmdline: /sbin/plymouthd --mode=boot --attach-to-session
  ProcEnviron: PATH=(custom, no user)
  ProcFB: 0 inteldrmfb
  SegvAnalysis:
   Segfault happened at: 0xfb5fe1 <ply_event_loop_process_pending_events+513>: test   %eax,0x4(%esi)
   PC (0x00fb5fe1) ok
   source "%eax" ok
   destination "0x4(%esi)" (0x00000004) not located in a known VMA region (needed writable region)!
  SegvReason: writing NULL VMA
  Signal: 11
  SourcePackage: plymouth
  StacktraceTop:
   ply_event_loop_process_pending_events ()
   ply_event_loop_run () from /lib/libply.so.2
   ?? ()
   __libc_start_main () from /lib/tls/i686/cmov/libc.so.6
   ?? ()
  TextPlymouth: /lib/plymouth/themes/ubuntu-text/ubuntu-text.plymouth
  Title: plymouthd crashed with SIGSEGV in ply_event_loop_process_pending_events()
  UserGroups:
   
  dmi.bios.date: 07/17/2009
  dmi.bios.vendor: Dell Inc.
  dmi.bios.version: A10
  dmi.board.name: 0G848F
  dmi.board.vendor: Dell Inc.
  dmi.chassis.type: 8
  dmi.chassis.vendor: Dell Inc.
  dmi.modalias: dmi:bvnDellInc.:bvrA10:bd07/17/2009:svnDellInc.:pnInspiron1545:pvr:rvnDellInc.:rn0G848F:rvr:cvnDellInc.:ct8:cvr:
  dmi.product.name: Inspiron 1545
  dmi.sys.vendor: Dell Inc.

To manage notifications about this bug go to:
https://bugs.launchpad.net/plymouth/+bug/553745/+subscriptions

More information about the foundations-bugs mailing list