dx-packages team mailing list archive
-
dx-packages team
-
Mailing list archive
-
Message #00609
[Bug 1122596] Re: Race condition in app_indicator_init() causes application crash
discussion in #ubuntu-devel regarding the crash to look for:
16:08 < charles> bdmurray: it would show up as
dereferencing a NULL pointer, the
self->priv field
16:08 < bdmurray> charles: would the crash be filed about
some other package though?
16:08 < charles> bdmurray, likely candidates for where
this would happen would be
16:09 < charles> app-indicator.c, bus_creation(), NULL
dereference on app->priv->connection
16:10 < charles> and much less likely, in
app-indicator.c, theme_changed_cb(), in
"if (priv->dbus_registration != 0)"
16:10 < charles> wrt showing up in a different package...
hmm
16:13 < charles> bdmurray, I guess it's possible. If so,
the stacktrace would show the levels
app_indicator_init() -> bus_creation()
-> crash
16:13 < charles> bdmurray: if you're trying to eliminate
candidate tickets -- if those aren't in
the stacktrace, it's not #1122596
16:14 < charles> bdmurray: is this helpful? I'm not sure
that I'm answering the right question :-)
--
You received this bug notification because you are a member of DX
Packages, which is subscribed to libappindicator in Ubuntu.
Matching subscriptions: dx-packages
https://bugs.launchpad.net/bugs/1122596
Title:
Race condition in app_indicator_init() causes application crash
Status in Libappindicator:
Fix Committed
Status in “libappindicator” package in Ubuntu:
Fix Released
Status in “libappindicator” source package in Precise:
Fix Committed
Bug description:
app_indicator_init() in app-indicator.c calls g_bus_get() before
setting self->priv. This creates a race condition where the
bus_creation() callback can execute while self->priv still contains
garbage. Suggested fix is to set self->priv before calling
g_bus_get().
diff -ruN libappindicator-0.4.92/src/app-indicator.c libappindicator-0.4.92.new/src/app-indicator.c
--- libappindicator-0.4.92/src/app-indicator.c 2012-03-21 11:11:43.967367303 -0700
+++ libappindicator-0.4.92.new/src/app-indicator.c 2013-02-07 13:51:54.773720789 -0800
@@ -611,6 +611,8 @@
priv->sec_activate_target = NULL;
priv->sec_activate_enabled = FALSE;
+ self->priv = priv; // Needs to be set BEFORE calling g_bus_get so our handler can read it.
+
/* Start getting the session bus */
g_object_ref(self); /* ref for the bus creation callback */
g_bus_get(G_BUS_TYPE_SESSION, NULL, bus_creation, self);
@@ -618,8 +620,6 @@
g_signal_connect(G_OBJECT(gtk_icon_theme_get_default()),
"changed", G_CALLBACK(theme_changed_cb), self);
- self->priv = priv;
-
return;
}
ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: libappindicator1 (not installed)
ProcVersionSignature: Ubuntu 3.2.0-32.51-generic 3.2.30
Uname: Linux 3.2.0-32-generic x86_64
NonfreeKernelModules: nvidia
ApportVersion: 2.0.1-0ubuntu17.1
Architecture: amd64
Date: Mon Feb 11 17:20:25 2013
InstallationMedia: Ubuntu 12.04.1 LTS "Precise Pangolin" - Release amd64 (20121016)
MarkForUpload: True
ProcEnviron:
LC_CTYPE=en_US.UTF-8
TERM=xterm
PATH=(custom, no user)
LANG=en_US.UTF-8
SHELL=/bin/zsh
SourcePackage: libappindicator
UpgradeStatus: No upgrade log present (probably fresh install)
[Impact]
This bug was the #2 cause of crashes in the Steam client. I believe this meets the SRU criteria: "Bugs which do not fit under above categories, but (1) have an obviously safe patch and (2) affect an application rather than critical infrastructure packages (like X.org or the kernel)."
[Test Case]
As this is a race condition it is difficult to reproduce. However we have many crashdumps with a SIGSEGV referencing a garbage self->priv pointer in bus_creation(). After applying this fix, the crashes stopped.
[Regression Potential]
Low
To manage notifications about this bug go to:
https://bugs.launchpad.net/libappindicator/+bug/1122596/+subscriptions
