Bug 16918

Summary: Invalid read in vcard-manager: cache_entry_complete_requests
Product: Telepathy
Reporter: Guillaume Desmottes <guillaume.desmottes>
Component: gabble
Assignee: Telepathy bugs list <telepathy-bugs>
Status: RESOLVED FIXED
QA Contact: Telepathy bugs list <telepathy-bugs>
Severity: normal
Priority: medium
Version: unspecified
Hardware: Other
OS: All
Whiteboard:

Description Guillaume Desmottes 2008-07-31 02:15:58 UTC
To reproduce with Gabble HEAD:

- cd tests/twisted
- export GABBLE_TEST_VALGRIND=1
- make check TWISTED_TESTS=olpc/olpc-muc-invitation.py
- look at tools/gabble-testing.log

You'll find the following invalid read:

==10543== Invalid read of size 4
==10543==    at 0x807F33B: cache_entry_complete_requests (vcard-manager.c:458)
==10543==    by 0x807F446: pipeline_reply_cb (vcard-manager.c:1089)
==10543==    by 0x806BA54: gabble_request_pipeline_dispose (request-pipeline.c:230)
==10543==    by 0x409983B: g_object_unref (in /usr/lib/libgobject-2.0.so.0.1600.3)
==10543==    by 0x80560AF: gabble_connection_dispose (connection.c:683)
==10543==    by 0x409983B: g_object_unref (in /usr/lib/libgobject-2.0.so.0.1600.3)
==10543==    by 0x40B994B: g_value_unset (in /usr/lib/libgobject-2.0.so.0.1600.3)
==10543==    by 0x40BA8F8: g_value_array_free (in /usr/lib/libgobject-2.0.so.0.1600.3)
==10543==    by 0x4045B62: gobject_message_function (dbus-gobject.c:1267)
==10543==    by 0x407169A: (within /usr/lib/libdbus-1.so.3.4.0)
==10543==    by 0x4063A65: dbus_connection_dispatch (in /usr/lib/libdbus-1.so.3.4.0)
==10543==    by 0x40424CC: message_queue_dispatch (dbus-gmain.c:101)
==10543==    by 0x4148BF7: g_main_context_dispatch (in /usr/lib/libglib-2.0.so.0.1600.3)
==10543==    by 0x414BE5D: (within /usr/lib/libglib-2.0.so.0.1600.3)
==10543==    by 0x414C1E6: g_main_loop_run (in /usr/lib/libglib-2.0.so.0.1600.3)
==10543==    by 0x4230655: tp_run_connection_manager (run.c:263)
==10543==    by 0x805ABB1: gabble_main (gabble.c:76)
==10543==    by 0x8053355: main (main-debug.c:30)

The first time the while condition is evaluated (entry->pending_requests) there is no problem, as the entry still exists. During the first iteration, complete_one_request is called, which calls delete_request, which calls cache_entry_attempt_to_free. In cache_entry_attempt_to_free, the entry is removed from priv->cache, causing its value (the entry) to be destroyed using cache_entry_free.
So, when the while condition is evaluated for the second time, the entry has already been freed, causing the invalid read.
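The loop shape described in the report, as an added example that is not Gabble's code: a constructed cache entry whose last completion frees it, run once as reported and once with the entry pinned for the duration of the loop (one possible mitigation, not necessarily the change that landed in HEAD). free() is simulated with a flag so the buggy path can be observed without undefined behaviour; all type, function and counter names are constructed.

```c
#include <stddef.h>
/* Constructed model of the vcard-manager cache entry (not Gabble's code). free()
 * is simulated with a flag so reads of a freed entry are counted, not crashed on. */
typedef struct Request { struct Request *next; } Request;
typedef struct {
    Request *pending_requests;
    int freed;    /* set instead of calling free() */
    int pinned;   /* hardened variant: non-zero while a caller is iterating */
} Entry;
static int reads_after_free;   /* reads of the entry after it was freed */

/* Every read of the pending list goes through here so the UAF is observable. */
static Request *pending(Entry *e)
{
    if (e->freed) reads_after_free++;     /* the invalid read from the report */
    return e->pending_requests;
}

/* cache_entry_attempt_to_free: the entry is dropped once nothing needs it. */
static void attempt_to_free(Entry *e)
{
    if (e->pending_requests == NULL && e->pinned == 0) e->freed = 1;
}

/* delete_request: unlink one pending request, then see if the entry can go. */
static void delete_request(Entry *e)
{
    e->pending_requests = e->pending_requests->next;
    attempt_to_free(e);
}

/* Completes n constructed requests and returns how many times the entry was
 * read after being freed, or -1 if it never got freed (a leak). */
static int complete_requests(int n, int hardened)
{
    Request reqs[8];
    Entry e = { reqs, 0, 0 };
    if (n < 1 || n > 8) return -2;
    for (int i = 0; i < n; i++) reqs[i].next = (i + 1 < n) ? &reqs[i + 1] : NULL;
    reads_after_free = 0;
    if (hardened) e.pinned++;        /* keep the entry alive while looping */
    /* Report's shape: the last completion frees the entry, then the loop reads it. */
    while (pending(&e) != NULL) delete_request(&e);
    if (hardened) {
        e.pinned--;
        attempt_to_free(&e);         /* deferred free, after the last read */
    }
    return e.freed ? reads_after_free : -1;
}
```

The unpinned run reports exactly one read after the free (the final evaluation of the while condition), while the pinned run reports none and still frees the entry once the loop is done.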
Comment 1 Guillaume Desmottes 2008-07-31 03:58:00 UTC
Fixed in Gabble HEAD.
