<html>
<head>
<base href="https://bugs.freedesktop.org/" />
</head>
<body>
<p>
<div>
<b><a class="bz_bug_link
bz_status_NEW "
title="NEW --- - random pid 1 crash on rawhide systemd-210-2.fc21.x86_64"
href="https://bugs.freedesktop.org/show_bug.cgi?id=75571#c2">Comment # 2</a>
on <a class="bz_bug_link
bz_status_NEW "
title="NEW --- - random pid 1 crash on rawhide systemd-210-2.fc21.x86_64"
href="https://bugs.freedesktop.org/show_bug.cgi?id=75571">bug 75571</a>
from <span class="vcard"><a class="email" href="mailto:kalevlember@gmail.com" title="Kalev Lember <kalevlember@gmail.com>"> <span class="fn">Kalev Lember</span></a>
</span></b>
<pre>I've seen similar PID 1 crashes on rawhide with the same systemd package
version as the original reporter. A short debugging session seems to point to
uninitialized memory in u->type:
Core was generated by `/usr/lib/systemd/systemd --switched-root --system
--deserialize 20'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x00007eff009acbdb in raise (sig=sig@entry=11) at
../nptl/sysdeps/unix/sysv/linux/pt-raise.c:37
37 return INLINE_SYSCALL (tgkill, 3, pid, THREAD_GETMEM (THREAD_SELF,
tid),
Missing separate debuginfos, use: debuginfo-install
audit-libs-2.3.4-1.fc21.x86_64 libattr-2.4.47-5.fc21.x86_64
libseccomp-2.1.1-2.fc21.x86_64 pcre-8.34-3.fc21.x86_64 zlib-1.2.8-4.fc21.x86_64
(gdb) bt
#0 0x00007eff009acbdb in raise (sig=sig@entry=11) at
../nptl/sysdeps/unix/sysv/linux/pt-raise.c:37
#1 0x00007eff021023ec in crash.2510 (sig=11) at ../src/core/main.c:151
#2 &lt;signal handler called&gt;
#3 0x00007eff0212788a in manager_invoke_notify_message
(m=m@entry=0x7eff02ed82a0, u=0x7eff03111c60, pid=27698,
buf=buf@entry=0x7fff9b695fe0 "READY=1\nSTATUS=Startup finished in 9ms.",
n=n@entry=39)
at ../src/core/manager.c:1335
#4 0x00007eff02127b39 in manager_dispatch_notify_fd.part.9
(userdata=0x7eff02ed82a0) at ../src/core/manager.c:1405
#5 0x00007eff02155bb1 in source_dispatch (s=0x7eff02f00820) at
../src/libsystemd/sd-event/sd-event.c:1861
#6 0x00007eff021577a0 in sd_event_run (e=0x7eff02ed8750, timeout=&lt;optimized
out&gt;) at ../src/libsystemd/sd-event/sd-event.c:2117
#7 0x00007eff0211de14 in manager_loop (m=0x7eff02ed82a0) at
../src/core/manager.c:1844
#8 0x00007eff020b4c9c in main (argc=5, argv=0x7fff9b697c98) at
../src/core/main.c:1693
(gdb) frame 3
#3 0x00007eff0212788a in manager_invoke_notify_message
(m=m@entry=0x7eff02ed82a0, u=0x7eff03111c60, pid=27698,
buf=buf@entry=0x7fff9b695fe0 "READY=1\nSTATUS=Startup finished in 9ms.",
n=n@entry=39)
at ../src/core/manager.c:1335
1335 if (UNIT_VTABLE(u)->notify_message)
(gdb) p u
$1 = (Unit *) 0x7eff03111c60
(gdb) # UNIT_VTABLE is defined as: UNIT_VTABLE(u) unit_vtable[(u)->type]
(gdb) p unit_vtable[(u)->type]
Cannot access memory at address 0x7eff06e81be0
(gdb) p (u)->type
$2 = 10054536
(gdb) # 10054536 is clearly garbage
(gdb) p *u
$3 = {manager = 0x7eff02ee3070, type = 10054536, load_state = 32511,
merged_into = 0x4fa3, id = 0x0, instance = 0x0, names = 0x0, dependencies =
{0x7eff030ab8b8, 0x7eff030ab8d8, 0x0 &lt;repeats 22 times&gt;},
requires_mounts_for = 0x0, description = 0x0, documentation = 0x0,
fragment_path = 0x0, source_path = 0x0, dropin_paths = 0x0, fragment_mtime = 0,
source_mtime = 0, dropin_mtime = 0, job = 0x0,
nop_job = 0x0, job_timeout = 41, refs = 0x7eff030ab8a0, conditions = 0x0,
condition_timestamp = {realtime = 139633732794608, monotonic = 41},
inactive_exit_timestamp = {realtime = 0, monotonic = 0},
active_enter_timestamp = {realtime = 21474836479, monotonic = 0},
active_exit_timestamp = {realtime = 0, monotonic = 41},
inactive_enter_timestamp = {realtime = 0, monotonic = 0}, cgroup_path = 0x0,
cgroup_realized_mask = (unknown: 0), cgroup_subtree_mask = (unknown: 0),
cgroup_members_mask = (unknown: 0), slice = {unit = 0x0, refs_next =
0x7eff02f2fc70, refs_prev = 0x0}, units_by_type_next = 0x0,
units_by_type_prev = 0x29, has_requires_mounts_for_next = 0x0,
has_requires_mounts_for_prev = 0x0, load_queue_next = 0x0, load_queue_prev =
0x0, dbus_queue_next = 0x0, dbus_queue_prev = 0x0,
cleanup_queue_next = 0x0, cleanup_queue_prev = 0x0, gc_queue_next = 0x0,
gc_queue_prev = 0x0, cgroup_queue_next = 0x7eff03111ea8, cgroup_queue_prev =
0x7eff030ab8a0, pids = 0x79, gc_marker = 0,
deserialized_job = 0, load_error = 0, unit_file_state = UNIT_FILE_ENABLED,
stop_when_unneeded = true, default_dependencies = false, refuse_manual_start =
false, refuse_manual_stop = false,
allow_isolate = false, on_failure_job_mode = JOB_FAIL, ignore_on_isolate =
false, ignore_on_snapshot = false, condition_result = false, transient = false,
in_load_queue = false, in_dbus_queue = false,
in_cleanup_queue = false, in_gc_queue = false, in_cgroup_queue = false,
sent_dbus_new_signal = false, no_gc = false, in_audit = false, cgroup_realized
= false, cgroup_members_mask_valid = false,
cgroup_subtree_mask_valid = false}</pre>
</div>
</p>
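<p>Added example, not part of the comment above and not systemd source: a simplified C model of the <code>unit_vtable[(u)-&gt;type]</code> lookup from the gdb session, with a range check on the type so that a garbage value is rejected instead of being used as an array index. The two-entry enum, <code>_UNIT_TYPE_MAX</code>, <code>unit_vtable_checked</code> and <code>invoke_notify_message</code> are hypothetical names chosen for this sketch.</p>

```c
/* Simplified model (added example, not systemd source). */
#include <errno.h>
#include <stddef.h>
#include <string.h>

typedef enum UnitType {
    UNIT_SERVICE, UNIT_SOCKET,
    _UNIT_TYPE_MAX,              /* assumed sentinel: number of valid types */
    _UNIT_TYPE_INVALID = -1
} UnitType;

typedef struct Unit { UnitType type; int ready; } Unit;

typedef struct UnitVTable {
    /* Optional hook; NULL for types that ignore notifications. */
    int (*notify_message)(Unit *u, const char *buf, size_t n);
} UnitVTable;

static int service_notify(Unit *u, const char *buf, size_t n) {
    /* This model only looks for the READY=1 prefix. */
    u->ready = n >= 7 && memcmp(buf, "READY=1", 7) == 0;
    return 0;
}

static const UnitVTable service_vtable = { .notify_message = service_notify };
static const UnitVTable socket_vtable  = { .notify_message = NULL };

static const UnitVTable *const unit_vtable[_UNIT_TYPE_MAX] = {
    [UNIT_SERVICE] = &service_vtable,
    [UNIT_SOCKET]  = &socket_vtable,
};

/* Range-checked form of the unchecked unit_vtable[(u)->type] lookup. */
static const UnitVTable *unit_vtable_checked(const Unit *u) {
    if (!u || (int) u->type < 0 || (int) u->type >= _UNIT_TYPE_MAX)
        return NULL;
    return unit_vtable[u->type];
}

/* 1 = delivered, 0 = type has no hook, -EINVAL = type out of range. */
static int invoke_notify_message(Unit *u, const char *buf, size_t n) {
    const UnitVTable *vt = unit_vtable_checked(u);
    if (!vt)
        return -EINVAL;
    if (!vt->notify_message)
        return 0;
    vt->notify_message(u, buf, n);
    return 1;
}
```

<p>With <code>type = 10054536</code>, the value printed in the session, the checked path returns <code>-EINVAL</code>. The check only catches garbage that falls outside the valid range and does not explain why the <code>Unit</code> held garbage in the first place.</p>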
</body>
</html>