[systemd-bugs] [Bug 75571] random pid 1 crash on rawhide systemd-210-2.fc21.x86_64

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Fri Feb 28 08:01:00 PST 2014


https://bugs.freedesktop.org/show_bug.cgi?id=75571

--- Comment #2 from Kalev Lember <kalevlember at gmail.com> ---
I've seen similar PID 1 crashes on rawhide with the same systemd package
version as the original reporter. A short debugging session seems to point to
uninitialized memory in u->type:

Core was generated by `/usr/lib/systemd/systemd --switched-root --system
--deserialize 20'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007eff009acbdb in raise (sig=sig@entry=11) at
../nptl/sysdeps/unix/sysv/linux/pt-raise.c:37
37      return INLINE_SYSCALL (tgkill, 3, pid, THREAD_GETMEM (THREAD_SELF,
tid),
Missing separate debuginfos, use: debuginfo-install
audit-libs-2.3.4-1.fc21.x86_64 libattr-2.4.47-5.fc21.x86_64
libseccomp-2.1.1-2.fc21.x86_64 pcre-8.34-3.fc21.x86_64 zlib-1.2.8-4.fc21.x86_64
(gdb) bt
#0  0x00007eff009acbdb in raise (sig=sig@entry=11) at
../nptl/sysdeps/unix/sysv/linux/pt-raise.c:37
#1  0x00007eff021023ec in crash.2510 (sig=11) at ../src/core/main.c:151
#2  <signal handler called>
#3  0x00007eff0212788a in manager_invoke_notify_message
(m=m@entry=0x7eff02ed82a0, u=0x7eff03111c60, pid=27698,
buf=buf@entry=0x7fff9b695fe0 "READY=1\nSTATUS=Startup finished in 9ms.",
n=n@entry=39)
    at ../src/core/manager.c:1335
#4  0x00007eff02127b39 in manager_dispatch_notify_fd.part.9
(userdata=0x7eff02ed82a0) at ../src/core/manager.c:1405
#5  0x00007eff02155bb1 in source_dispatch (s=0x7eff02f00820) at
../src/libsystemd/sd-event/sd-event.c:1861
#6  0x00007eff021577a0 in sd_event_run (e=0x7eff02ed8750, timeout=<optimized
out>) at ../src/libsystemd/sd-event/sd-event.c:2117
#7  0x00007eff0211de14 in manager_loop (m=0x7eff02ed82a0) at
../src/core/manager.c:1844
#8  0x00007eff020b4c9c in main (argc=5, argv=0x7fff9b697c98) at
../src/core/main.c:1693
(gdb) frame 3
#3  0x00007eff0212788a in manager_invoke_notify_message
(m=m@entry=0x7eff02ed82a0, u=0x7eff03111c60, pid=27698,
buf=buf@entry=0x7fff9b695fe0 "READY=1\nSTATUS=Startup finished in 9ms.",
n=n@entry=39)
    at ../src/core/manager.c:1335
1335            if (UNIT_VTABLE(u)->notify_message)
(gdb) p u
$1 = (Unit *) 0x7eff03111c60
(gdb) # UNIT_VTABLE is defined as: UNIT_VTABLE(u) unit_vtable[(u)->type]
(gdb) p unit_vtable[(u)->type]
Cannot access memory at address 0x7eff06e81be0
(gdb) p (u)->type
$2 = 10054536
(gdb) # 10054536 is clearly garbage
(gdb) p *u
$3 = {manager = 0x7eff02ee3070, type = 10054536, load_state = 32511,
merged_into = 0x4fa3, id = 0x0, instance = 0x0, names = 0x0, dependencies =
{0x7eff030ab8b8, 0x7eff030ab8d8, 0x0 <repeats 22 times>}, 
  requires_mounts_for = 0x0, description = 0x0, documentation = 0x0,
fragment_path = 0x0, source_path = 0x0, dropin_paths = 0x0, fragment_mtime = 0,
source_mtime = 0, dropin_mtime = 0, job = 0x0, 
  nop_job = 0x0, job_timeout = 41, refs = 0x7eff030ab8a0, conditions = 0x0,
condition_timestamp = {realtime = 139633732794608, monotonic = 41},
inactive_exit_timestamp = {realtime = 0, monotonic = 0}, 
  active_enter_timestamp = {realtime = 21474836479, monotonic = 0},
active_exit_timestamp = {realtime = 0, monotonic = 41},
inactive_enter_timestamp = {realtime = 0, monotonic = 0}, cgroup_path = 0x0, 
  cgroup_realized_mask = (unknown: 0), cgroup_subtree_mask = (unknown: 0),
cgroup_members_mask = (unknown: 0), slice = {unit = 0x0, refs_next =
0x7eff02f2fc70, refs_prev = 0x0}, units_by_type_next = 0x0, 
  units_by_type_prev = 0x29, has_requires_mounts_for_next = 0x0,
has_requires_mounts_for_prev = 0x0, load_queue_next = 0x0, load_queue_prev =
0x0, dbus_queue_next = 0x0, dbus_queue_prev = 0x0, 
  cleanup_queue_next = 0x0, cleanup_queue_prev = 0x0, gc_queue_next = 0x0,
gc_queue_prev = 0x0, cgroup_queue_next = 0x7eff03111ea8, cgroup_queue_prev =
0x7eff030ab8a0, pids = 0x79, gc_marker = 0, 
  deserialized_job = 0, load_error = 0, unit_file_state = UNIT_FILE_ENABLED,
stop_when_unneeded = true, default_dependencies = false, refuse_manual_start =
false, refuse_manual_stop = false, 
  allow_isolate = false, on_failure_job_mode = JOB_FAIL, ignore_on_isolate =
false, ignore_on_snapshot = false, condition_result = false, transient = false,
in_load_queue = false, in_dbus_queue = false, 
  in_cleanup_queue = false, in_gc_queue = false, in_cgroup_queue = false,
sent_dbus_new_signal = false, no_gc = false, in_audit = false, cgroup_realized
= false, cgroup_members_mask_valid = false, 
  cgroup_subtree_mask_valid = false}

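The session above shows why PID 1 dies: UNIT_VTABLE(u) indexes unit_vtable with u->type, and when that field holds garbage (10054536 here) the lookup dereferences an arbitrary address. The following C program is an added example, not systemd's code and not the fix for this bug: it rebuilds a constructed miniature of the Unit struct, the vtable array and the UNIT_VTABLE macro, and puts a bounds-checked accessor beside it that rejects an out-of-range type instead of crashing. The UnitType enum, the Unit and UnitVTable definitions, unit_vtable_checked() and invoke_notify_message() are all assumptions for illustration; the real structures have many more members.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed, minimal stand-in for systemd's UnitType enum (hypothetical). */
typedef enum UnitType {
        UNIT_SERVICE,
        UNIT_SOCKET,
        UNIT_TARGET,
        _UNIT_TYPE_MAX,
        _UNIT_TYPE_INVALID = -1
} UnitType;

/* Constructed stand-in for Unit: 'type' is a plain int here so a garbage
 * value such as the 10054536 seen in the backtrace can be stored in it. */
typedef struct Unit {
        int type;
        const char *id;
} Unit;

typedef struct UnitVTable {
        const char *name;
        void (*notify_message)(Unit *u, int pid, const char *msg);
} UnitVTable;

/* Counts how often the service handler ran, so callers can verify dispatch. */
static int notify_calls = 0;

static void service_notify(Unit *u, int pid, const char *msg) {
        (void)u; (void)pid; (void)msg;
        notify_calls++;
}

int notify_call_count(void) {
        return notify_calls;
}

static const UnitVTable unit_vtable[_UNIT_TYPE_MAX] = {
        [UNIT_SERVICE] = { "service", service_notify },
        [UNIT_SOCKET]  = { "socket",  NULL },
        [UNIT_TARGET]  = { "target",  NULL },
};

/* Unchecked lookup, shaped like the UNIT_VTABLE(u) macro quoted in the
 * session: nothing stops a garbage type from indexing far past the array. */
#define UNIT_VTABLE(u) (&unit_vtable[(u)->type])

/* Checked lookup: returns NULL unless u->type names a valid slot. */
const UnitVTable *unit_vtable_checked(const Unit *u) {
        if (!u || u->type < 0 || u->type >= _UNIT_TYPE_MAX)
                return NULL;
        return &unit_vtable[u->type];
}

/* Returns 1 if the notify message was dispatched, 0 if the unit was
 * rejected because its type field is out of range. */
int invoke_notify_message(Unit *u, int pid, const char *buf) {
        const UnitVTable *vt = unit_vtable_checked(u);
        if (!vt) {
                fprintf(stderr, "notify from pid %d: unit %p has invalid type %d, dropping\n",
                        pid, (void *)u, u ? u->type : _UNIT_TYPE_INVALID);
                return 0;
        }
        if (vt->notify_message)
                vt->notify_message(u, pid, buf);
        return 1;
}

int main(void) {
        Unit good = { UNIT_SERVICE, "good.service" };   /* constructed */
        Unit bad  = { 10054536, NULL };                 /* type value from the gdb session */

        printf("good: dispatched=%d\n", invoke_notify_message(&good, 27698, "READY=1"));
        printf("bad:  dispatched=%d\n", invoke_notify_message(&bad, 27698, "READY=1"));
        /* UNIT_VTABLE(&bad) would compute a pointer far outside unit_vtable;
         * it is deliberately never evaluated here. */
        return 0;
}
```

The check only turns a segfault into a logged, dropped message; it does not explain how u->type came to hold garbage. A type field full of junk in a freshly looked-up Unit points at memory that was freed or never initialised, so the next step after adding such a guard is to run the binary under a memory checker (Valgrind or AddressSanitizer) and find who wrote to or freed that Unit.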