Bug#594324: network-manager-gnome: nm-connection-editor segfaults on editing wired network

Wed, 27 Apr 2011 05:48:20 -0700 

Package: network-manager-gnome
Version: 0.8.1-2
File: /usr/bin/nm-connection-editor

I think I'm seeing the same segfault, with both wired and
wireless connections; but only after nm-connection-editor has
prompted for the root password.  If I create or modify or delete
a single-user connection, then nm-connection-editor does not
prompt for the root password and does not crash.

To debug the crash, I rebuilt network-manager-applet with
DEB_BUILD_OPTIONS="nostrip noopt debug".  (I suppose the "debug"
had no effect.)  There is a GDB session at the end of this
message.

The crash happens because get_permissions_cb is called on a
CEPolkitButton that has already been finalized.  The g_class
pointer no longer points to a CEPolkitButtonClass, and that makes
CE_POLKIT_BUTTON_GET_PRIVATE (object) print a warning and return
NULL.  Because CEPolkitButtonPrivate *priv thus becomes NULL,
priv->perm_calls then crashes.

It seems this bug has been fixed in the upstream Git repository:
http://git.gnome.org/browse/network-manager-applet/commit/?h=NMA_0_8&id=9737403b155d303cffbd08fe4a84c510ac995c8b
https://bugzilla.redhat.com/show_bug.cgi?id=603566

This fix is included in network-manager-applet 0.8.1.997 =
0.8.2-beta1.  There is a different (perhaps more reliable?)
fix in network-manager-applet 0.8.997 = 0.9.0-beta3.

-- System Information:
Debian Release: 6.0.1
  APT prefers oldstable
  APT policy: (500, 'oldstable'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=fi_FI.UTF-8, LC_CTYPE=fi_FI.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages network-manager-gnome depends on:
ii  dbus-x11               1.2.24-4          simple interprocess messaging syst
ii  gconf2                 2.28.1-6          GNOME configuration database syste
ii  gnome-icon-theme       2.30.3-2          GNOME Desktop icon theme
ii  libatk1.0-0            1.30.0-1          The ATK accessibility toolkit
ii  libc6                  2.11.2-10         Embedded GNU C Library: Shared lib
ii  libcairo2              1.8.10-6          The Cairo 2D vector graphics libra
ii  libdbus-1-3            1.2.24-4          simple interprocess messaging syst
ii  libdbus-glib-1-2       0.88-2.1          simple interprocess messaging syst
ii  libfontconfig1         2.8.0-2.1         generic font configuration library
ii  libfreetype6           2.4.2-2.1         FreeType 2 font engine, shared lib
ii  libgconf2-4            2.28.1-6          GNOME configuration database syste
ii  libglade2-0            1:2.6.4-1         library to load .glade files at ru
ii  libglib2.0-0           2.24.2-1          The GLib library of C routines
ii  libgnome-bluetooth7    2.30.0-2          GNOME Bluetooth tools - support li
ii  libgnome-keyring0      2.30.1-1          GNOME keyring services library
ii  libgtk2.0-0            2.20.1-2          The GTK+ graphical user interface 
ii  libnm-glib-vpn1        0.8.1-6+squeeze1  network management framework (GLib
ii  libnm-glib2            0.8.1-6+squeeze1  network management framework (GLib
ii  libnm-util1            0.8.1-6+squeeze1  network management framework (shar
ii  libnotify1 [libnotify1 0.5.0-2           sends desktop notifications to a n
ii  libpango1.0-0          1.28.3-1+squeeze2 Layout and rendering of internatio
ii  libxml2                2.7.8.dfsg-2      GNOME XML library
ii  network-manager        0.8.1-6+squeeze1  network management framework daemo
ii  policykit-1-gnome      0.96-3            GNOME authentication agent for Pol
ii  zlib1g                 1:1.2.3.4.dfsg-3  compression library - runtime

Versions of packages network-manager-gnome recommends:
ii  gnome-bluetooth               2.30.0-2   GNOME Bluetooth tools
ii  libpam-gnome-keyring [libpam- 2.30.3-5   PAM module to unlock the GNOME key
ii  mobile-broadband-provider-inf 20101106-1 database of mobile broadband servi
ii  notification-daemon           0.5.0-2    daemon to displays passive pop-up 

Versions of packages network-manager-gnome suggests:
pn  network-manager-openvpn-gnome <none>     (no description available)
pn  network-manager-pptp-gnome    <none>     (no description available)
pn  network-manager-vpnc-gnome    <none>     (no description available)

-- no debconf information

GNU gdb (GDB) 7.0.1-debian
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from 
/home/Kalle/build/x86_64-unknown-linux-gnu/Debian/network-manager-applet-0.8.1/src/connection-editor/nm-connection-editor...done.
(gdb) set environment LANG=en_US.UTF-8
(gdb) break ce-polkit-button.c:dispose
Breakpoint 1 at 0x434e49: file ce-polkit-button.c, line 250.
(gdb) break ce-polkit-button.c:finalize
Breakpoint 2 at 0x434f96: file ce-polkit-button.c, line 279.
(gdb) run
Starting program: 
/home/Kalle/build/x86_64-unknown-linux-gnu/Debian/network-manager-applet-0.8.1/src/connection-editor/nm-connection-editor
 
[Thread debugging using libthread_db enabled]

** (nm-connection-editor:25645): WARNING **: nm_connection_list_new: failed to 
load VPN plugins: Couldn't read VPN .name files directory 
/etc/NetworkManager/VPN.

(nm-connection-editor:25645): Gtk-WARNING **: GtkSpinButton: setting an 
adjustment with non-zero page size is deprecated
[New Thread 0x7fffe9a7b700 (LWP 25648)]
[New Thread 0x7fffe922a700 (LWP 25649)]
[New Thread 0x7fffe89d9700 (LWP 25650)]
[New Thread 0x7fffe8188700 (LWP 25651)]
[New Thread 0x7fffe7937700 (LWP 25652)]
[Thread 0x7fffe8188700 (LWP 25651) exited]
[Thread 0x7fffe9a7b700 (LWP 25648) exited]
[Thread 0x7fffe7937700 (LWP 25652) exited]
[Thread 0x7fffe89d9700 (LWP 25650) exited]
[New Thread 0x7fffe89d9700 (LWP 25654)]
[New Thread 0x7fffe7937700 (LWP 25655)]

Breakpoint 1, dispose (object=0x756b40) at ce-polkit-button.c:250
(gdb) print *object
$1 = {g_type_instance = {g_class = 0x740400}, ref_count = 2, qdata = 0x76ad40}
(gdb) print *(GObjectClass*)(object->g_type_instance.g_class)
$2 = {g_type_class = {g_type = 7775136}, construct_properties = 0x751bb0, 
constructor = 0x7ffff6b66380 <gtk_button_constructor>, set_property = 0, 
get_property = 0, dispose = 0x434e3d <dispose>, finalize = 0x434f8a <finalize>, 
dispatch_properties_changed = 0x7ffff5d6c410 
<g_object_dispatch_properties_changed>, notify = 0, constructed = 0, flags = 1, 
pdummy = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}
(gdb) print (char*)g_type_name($2->g_type_class.g_type)
$3 = 0x45ca60 "CEPolkitButton"
(gdb) next
[Thread 0x7fffe7937700 (LWP 25655) exited]
(gdb) # executed: CEPolkitButtonPrivate *priv = CE_POLKIT_BUTTON_GET_PRIVATE 
(object);
(gdb) print *priv
$4 = {disposed = 0, label = 0x83c630 "Apply", tooltip = 0x71b620 "Save any 
changes made to this connection.", auth_label = 0x71b6b0 "Apply...", 
auth_tooltip = 0x76a550 "Authenticate to save this connection for all users of 
this machine.", master_sensitive = 1, stock = 0x806e50, auth = 0x806f00, 
settings = 0x7391e0, permission = 
NM_SETTINGS_SYSTEM_PERMISSION_CONNECTION_MODIFY, use_polkit = 1, perm_calls = 
0x0, authorized = 1, check_id = 347}
(gdb) break get_permissions_cb
Breakpoint 3 at 0x434b02: file ce-polkit-button.c, line 162.
(gdb) break ce_polkit_button_new
Breakpoint 4 at 0x434c66: file ce-polkit-button.c, line 215.
(gdb) condition 3 ((PermInfo*)user_data)->self == &$1
(gdb) continue
Continuing.
[Thread 0x7fffe922a700 (LWP 25649) exited]
[Thread 0x7fffe89d9700 (LWP 25654) exited]

Breakpoint 1, dispose (object=0x756b40) at ce-polkit-button.c:250
(gdb) print *object
$5 = {g_type_instance = {g_class = 0x740400}, ref_count = 1, qdata = 0x76ad40}
(gdb) continue
Continuing.

** (nm-connection-editor:25645): WARNING **: dispose: CEPolkitButton object 
0x756b40 disposed twice

Breakpoint 2, finalize (object=0x756b40) at ce-polkit-button.c:279
(gdb) print *object
$6 = {g_type_instance = {g_class = 0x740400}, ref_count = 0, qdata = 0x76ad40}
(gdb) continue
Continuing.

Breakpoint 3, get_permissions_cb (settings=0x7391e0, permissions=15, error=0x0, 
user_data=0x81d300) at ce-polkit-button.c:162
(gdb) # will execute: PermInfo *info = user_data;
(gdb) next
(gdb) # will execute: CEPolkitButton *self = info->self;
(gdb) next
(gdb) print *info
$7 = {self = 0x756b40, disposed = 0}
(gdb) # info->self has already been finalized, and the breakpoint did not
(gdb) # trigger, which means that address has not been reused for a new
(gdb) # object of the same type.
(gdb) print *info->self
$8 = {parent = {bin = {container = {widget = {object = {parent_instance = 
{g_type_instance = {g_class = 0x756c60}, ref_count = 0, qdata = 0x0}, flags = 
3214880}, private_flags = 15360, state = 0 '\000', saved_state = 0 '\000', name 
= 0x0, style = 0x0, requisition = {width = 57, height = 29}, allocation = {x = 
339, y = 478, width = 1, height = 1}, window = 0x0, parent = 0x0}, focus_child 
= 0x0, border_width = 0, need_resize = 0, resize_mode = 0, reallocate_redraws = 
0, has_focus_chain = 0}, child = 0x0}, event_window = 0x0, label_text = 0x0, 
activate_timeout = 0, constructed = 1, in_button = 0, button_down = 0, relief = 
0, use_underline = 0, use_stock = 0, depressed = 0, depress_on_activate = 1, 
focus_on_click = 1}}
(gdb) print *(GTypeInstance*)self
$9 = {g_class = 0x756c60}
(gdb) print *$9.g_class
$10 = {g_type = 0}
(gdb) # Totally invalid.
(gdb) # will execute: if (info->disposed)
(gdb) next
(gdb) # will execute: priv = CE_POLKIT_BUTTON_GET_PRIVATE (info->self);
(gdb) next

(nm-connection-editor:25645): GLib-GObject-WARNING **: instance of invalid 
non-instantiatable type `<invalid>'
(gdb) # will execute: priv->perm_calls = g_slist_remove (priv->perm_calls, 
info);
(gdb) next

Program received signal SIGSEGV, Segmentation fault.
0x0000000000434b46 in get_permissions_cb (settings=0x7391e0, permissions=15, 
error=0x0, user_data=0x81d300) at ce-polkit-button.c:173
(gdb) backtrace
#0  0x0000000000434b46 in get_permissions_cb (settings=0x7391e0, 
permissions=15, error=0x0, user_data=0x81d300) at ce-polkit-button.c:173
#1  0x00007ffff7bcfd09 in get_permissions_cb (proxy=0x736dd0, call=0x15, 
user_data=0x81d320) at nm-remote-settings-system.c:175
#2  0x00007ffff61ccdca in complete_pending_call_and_unlock 
(connection=0x74f6f0, pending=0x8f53d0, message=<value optimized out>) at 
dbus-connection.c:2234
#3  0x00007ffff61cf02f in dbus_connection_dispatch (connection=0x74f6f0) at 
dbus-connection.c:4397
#4  0x00007ffff68b8bb5 in message_queue_dispatch (source=<value optimized out>, 
callback=<value optimized out>, user_data=<value optimized out>) at 
dbus-gmain.c:101
#5  0x00007ffff5abd6f2 in g_main_dispatch (context=0x6a90f0) at 
/scratch/build-area/glib2.0-2.24.2/glib/gmain.c:1960
#6  IA__g_main_context_dispatch (context=0x6a90f0) at 
/scratch/build-area/glib2.0-2.24.2/glib/gmain.c:2513
#7  0x00007ffff5ac1568 in g_main_context_iterate (context=0x6a90f0, 
block=<value optimized out>, dispatch=<value optimized out>, self=<value 
optimized out>) at /scratch/build-area/glib2.0-2.24.2/glib/gmain.c:2591
#8  0x00007ffff5ac1a75 in IA__g_main_loop_run (loop=0x6ec8f0) at 
/scratch/build-area/glib2.0-2.24.2/glib/gmain.c:2799
#9  0x000000000041e5cb in main (argc=1, argv=0x7fffffffe338) at main.c:291
(gdb) quit
A debugging session is active.

        Inferior 1 [process 25645] will be killed.

Quit anyway? (y or n) y

Attachment: pgpubq5wlcL1t.pgp
Description: PGP signature

Reply via email to