Bug#980516: mate-power-manager: Crashes soon after startup
Dear Maintainer,
I tried to get some more information from the kernel message.
This led me to this line:
at 0x55555556ee99: file gpm-engine.c, line 540.
There the array is dereferenced unconditionally:
https://sources.debian.org/src/mate-power-manager/1.24.2-1/src/gpm-engine.c/#L540
539 array = up_client_get_devices2 (engine->priv->client);
540 for (i=0;i<array->len;i++) {
Therefore the assertion message just before the segfault
seems related:
up_client_get_devices2: assertion 'UP_IS_CLIENT (client)' failed
That points to this line in upower:
https://cgit.freedesktop.org/upower/tree/libupower-glib/up-client.c#n117
117 g_return_val_if_fail (UP_IS_CLIENT (client), NULL);
And therefore the "array" seems to have received the NULL pointer.
Therefore the value given to function up_client_get_devices2
seems already suspicious.
Unfortunately I have not found any related
entry in upstream bug trackers.
Details in attached file.
Kind regards,
Bernhard
# Bullseye/testing amd64 qemu VM 2021-03-06
apt update
apt dist-upgrade
apt install systemd-coredump mate xserver-xorg lightdm gdb mate-power-manager-dbgsym
reboot
https://wiki.debian.org/InterpretingKernelOutputAtProcessCrash
From submitter:
[ 349.205142] mate-power-mana[3580]: segfault at 8 ip 00005641ef93ae99 sp 00007ffcb468bf60 error 4 in mate-power-manager[5641ef928000+1a000]
[ 349.205154] Code: 00 49 8b 44 24 18 31 db 48 8b 78 20 e8 b0 01 ff ff 4c 89 e7 e8 68 f5 ff ff 49 8b 44 24 18 48 8b 78 08 e8 fa e3 fe ff 48 89 c5 <8b> 40 08 85 c0 74 1a 48 8b 45 00 89 da 4c 89 e7 83 c3 01 48 8b 34
error 4 == 0b00000100:
- 0: no page found
- 0: read access
- 0: kernel-mode access
echo -n "find /b ..., ..., 0x" && \
echo "00 49 8b 44 24 18 31 db 48 8b 78 20 e8 b0 01 ff ff 4c 89 e7 e8 68 f5 ff ff 49 8b 44 24 18 48 8b 78 08 e8 fa e3 fe ff 48 89 c5 <8b> 40 08 85 c0 74 1a 48 8b 45 00 89 da 4c 89 e7 83 c3 01 48 8b 34" \
| sed 's/[<>]//g' | sed 's/ /, 0x/g'
find /b ..., ..., 0x00, 0x49, 0x8b, 0x44, 0x24, 0x18, 0x31, 0xdb, 0x48, 0x8b, 0x78, 0x20, 0xe8, 0xb0, 0x01, 0xff, 0xff, 0x4c, 0x89, 0xe7, 0xe8, 0x68, 0xf5, 0xff, 0xff, 0x49, 0x8b, 0x44, 0x24, 0x18, 0x48, 0x8b, 0x78, 0x08, 0xe8, 0xfa, 0xe3, 0xfe, 0xff, 0x48, 0x89, 0xc5, 0x8b, 0x40, 0x08, 0x85, 0xc0, 0x74, 0x1a, 0x48, 0x8b, 0x45, 0x00, 0x89, 0xda, 0x4c, 0x89, 0xe7, 0x83, 0xc3, 0x01, 0x48, 0x8b, 0x34
gdb -q
set width 0
set pagination off
file /usr/bin/mate-power-manager
tb main
run
info target
...
0x000055555555d760 - 0x0000555555575a11 is .text
...
find /b 0x000055555555d760, 0x0000555555575a11, 0x00, 0x49, 0x8b, 0x44, 0x24, 0x18, 0x31, 0xdb, 0x48, 0x8b, 0x78, 0x20, 0xe8, 0xb0, 0x01, 0xff, 0xff, 0x4c, 0x89, 0xe7, 0xe8, 0x68, 0xf5, 0xff, 0xff, 0x49, 0x8b, 0x44, 0x24, 0x18, 0x48, 0x8b, 0x78, 0x08, 0xe8, 0xfa, 0xe3, 0xfe, 0xff, 0x48, 0x89, 0xc5, 0x8b, 0x40, 0x08, 0x85, 0xc0, 0x74, 0x1a, 0x48, 0x8b, 0x45, 0x00, 0x89, 0xda, 0x4c, 0x89, 0xe7, 0x83, 0xc3, 0x01, 0x48, 0x8b, 0x34
0x55555556ee6f <gpm_engine_coldplug_idle_cb+79>
1 pattern found.
b * (0x55555556ee6f + 42)
Breakpoint 2 at 0x55555556ee99: file gpm-engine.c, line 540.
info b
Num Type Disp Enb Address What
2 breakpoint keep y 0x000055555556ee99 in gpm_engine_coldplug_idle_cb at gpm-engine.c:540
disassemble /r 0x55555556ee6f, 0x55555556ee6f + 62
Dump of assembler code from 0x55555556ee6f to 0x55555556eead:
0x000055555556ee6f <gpm_engine_coldplug_idle_cb+79>: 00 49 8b add %cl,-0x75(%rcx)
0x000055555556ee72 <gpm_engine_coldplug_idle_cb+82>: 44 24 18 rex.R and $0x18,%al
0x000055555556ee75 <gpm_engine_coldplug_idle_cb+85>: 31 db xor %ebx,%ebx
0x000055555556ee77 <gpm_engine_coldplug_idle_cb+87>: 48 8b 78 20 mov 0x20(%rax),%rdi
0x000055555556ee7b <gpm_engine_coldplug_idle_cb+91>: e8 b0 01 ff ff call 0x55555555f030 <gpm_phone_coldplug>
0x000055555556ee80 <gpm_engine_coldplug_idle_cb+96>: 4c 89 e7 mov %r12,%rdi
0x000055555556ee83 <gpm_engine_coldplug_idle_cb+99>: e8 68 f5 ff ff call 0x55555556e3f0 <gpm_engine_recalculate_state>
0x000055555556ee88 <gpm_engine_coldplug_idle_cb+104>: 49 8b 44 24 18 mov 0x18(%r12),%rax
0x000055555556ee8d <gpm_engine_coldplug_idle_cb+109>: 48 8b 78 08 mov 0x8(%rax),%rdi
0x000055555556ee91 <gpm_engine_coldplug_idle_cb+113>: e8 fa e3 fe ff call 0x55555555d290 <up_client_get_devices2@plt>
0x000055555556ee96 <gpm_engine_coldplug_idle_cb+118>: 48 89 c5 mov %rax,%rbp
***0x000055555556ee99 <gpm_engine_coldplug_idle_cb+121>: 8b 40 08 mov 0x8(%rax),%eax
0x000055555556ee9c <gpm_engine_coldplug_idle_cb+124>: 85 c0 test %eax,%eax
0x000055555556ee9e <gpm_engine_coldplug_idle_cb+126>: 74 1a je 0x55555556eeba <gpm_engine_coldplug_idle_cb+154>
0x000055555556eea0 <gpm_engine_coldplug_idle_cb+128>: 48 8b 45 00 mov 0x0(%rbp),%rax
0x000055555556eea4 <gpm_engine_coldplug_idle_cb+132>: 89 da mov %ebx,%edx
0x000055555556eea6 <gpm_engine_coldplug_idle_cb+134>: 4c 89 e7 mov %r12,%rdi
0x000055555556eea9 <gpm_engine_coldplug_idle_cb+137>: 83 c3 01 add $0x1,%ebx
0x000055555556eeac <gpm_engine_coldplug_idle_cb+140>: 48 8b 34 d0 mov (%rax,%rdx,8),%rsi
End of assembler dump.
mate-power-manager-dbgsym_1.24.2-1_amd64.deb
https://sources.debian.org/src/mate-power-manager/1.24.2-1/src/gpm-engine.c/#L540
for (i=0;i<array->len;i++) {
https://git.mate-desktop.org/mate-power-manager/tree/src/gpm-engine.c#n538
https://cgit.freedesktop.org/upower/tree/libupower-glib/up-client.c#n117
(gdb) ptype /o GPtrArray
type = struct _GPtrArray {
/* 0 | 8 */ gpointer *pdata;
/* 8 | 4 */ guint len;
/* XXX 4-byte padding */
/* total size (bytes): 16 */
}
https://github.com/mate-desktop/mate-power-manager/issues?q=is%3Aissue+is%3Aopen+gpm_engine_coldplug_idle_cb
https://gitlab.freedesktop.org/groups/upower/-/issues?scope=all&utf8=%E2%9C%93&state=opened&search=up_client_get_devices2
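To show how the attached notes get from the kernel's segfault line to the gdb breakpoint at gpm-engine.c line 540, here is an added Python triage helper (an example written for this page, not the submitter's or the project's code). It parses the two kernel lines, decodes the page-fault error code bits, computes the VMA-relative crash offset, builds the gdb "find /b" command, and turns gdb's match address plus the position of the marked byte into the crash ip; the kernel lines are constructed copies of the ones in the report and the gdb addresses are the ones shown above.

```python
import re

# Constructed copies of the two kernel lines quoted in the report.
SEGFAULT_LINE = ("[  349.205142] mate-power-mana[3580]: segfault at 8 ip 00005641ef93ae99 "
                 "sp 00007ffcb468bf60 error 4 in mate-power-manager[5641ef928000+1a000]")
CODE_LINE = ("[  349.205154] Code: 00 49 8b 44 24 18 31 db 48 8b 78 20 e8 b0 01 ff ff 4c 89 "
             "e7 e8 68 f5 ff ff 49 8b 44 24 18 48 8b 78 08 e8 fa e3 fe ff 48 89 c5 <8b> 40 "
             "08 85 c0 74 1a 48 8b 45 00 89 da 4c 89 e7 83 c3 01 48 8b 34")

SEGFAULT_RE = re.compile(
    r"segfault at (?P<addr>[0-9a-f]+) ip (?P<ip>[0-9a-f]+) sp [0-9a-f]+ "
    r"error (?P<err>\d+) in (?P<obj>[^\[]+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\]")

def parse_segfault(line):
    """Decode the kernel segfault line: fault address, ip, offset into the VMA, error bits."""
    m = SEGFAULT_RE.search(line)
    if m is None:
        raise ValueError("not a kernel segfault line")
    ip, vma_start = int(m["ip"], 16), int(m["base"], 16)
    err = int(m["err"])
    return {
        "fault_addr": int(m["addr"], 16),   # 8 == offset of 'len' in GPtrArray (ptype /o above)
        "ip": ip,
        "object": m["obj"],
        "offset": ip - vma_start,           # stable across ASLR: offset into the mapping
        "present": bool(err & 1),           # x86 #PF error code bit 0: page was present
        "write": bool(err & 2),             # bit 1: write access
        "user": bool(err & 4),              # bit 2: fault raised in user mode
    }

def parse_code(line):
    """Return (instruction bytes, index of the byte marked <..>, i.e. the faulting ip)."""
    toks = line.split("Code:", 1)[1].split()
    fault_idx = next(i for i, t in enumerate(toks) if t.startswith("<"))
    return bytes(int(t.strip("<>"), 16) for t in toks), fault_idx

def gdb_find_command(code, start, end):
    """Build the gdb 'find /b' command that locates the byte pattern inside .text."""
    return "find /b 0x%x, 0x%x, %s" % (start, end, ", ".join("0x%02x" % b for b in code))

def faulting_address(match_addr, fault_idx, offset):
    """gdb match address + marked-byte index = crash ip. Cross-check against the kernel's
    offset: the implied VMA start must be page aligned, else the pattern matched elsewhere."""
    ip = match_addr + fault_idx
    if (ip - offset) & 0xfff:
        raise ValueError("match at 0x%x is inconsistent with kernel offset 0x%x" % (match_addr, offset))
    return ip
```

With the values from the report, faulting_address(0x55555556ee6f, 42, 0x12e99) gives 0x55555556ee99, the breakpoint address gdb resolved to gpm-engine.c:540, and the implied mapping start 0x55555555c000 is page aligned, so the single pattern hit is the right one.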