Bug 20884

Summary: Invalid memory accesses in DBusGProxyManager
Product: dbus
Reporter: Simon McVittie <smcv>
Component: GLib
Assignee: Rob Taylor <rob.taylor>
Status: RESOLVED FIXED
QA Contact: John (J5) Palmieri <johnp>
Severity: normal
Priority: medium
CC: walters
Version: unspecified
Keywords: patch
Hardware: Other
OS: All
Attachments: A patch that seems to fix this crash for me

Description Simon McVittie 2009-03-26 10:44:40 UTC
Circumstances of crash:
* dbus-glib 0.80-3 from Debian (no source patches applied to 0.80)
* telepathy-mission-control rev b4462ff8c069a1ec4436c05937673a80cd469906 from git://git.collabora.co.uk/home/smcv/public_html/git/telepathy-mission-control-smcv.git
* ./autogen.sh '--enable-maintainer-mode' '--enable-gtk-doc' '--enable-coverage'
* make check MISSIONCONTROL_TEST_VALGRIND=1 TWISTED_TESTS=test-connect.py
* core is dumped and test/twisted/tools/missioncontrol-testing.log contains, among others:

==29622== Invalid read of size 4
==29622==    at 0x43CDF27: g_slist_find_custom (gslist.c:608)
==29622==    by 0x42F441A: dbus_g_proxy_manager_filter (dbus-gproxy.c:733)
==29622==    by 0x430E924: dbus_connection_dispatch (in /usr/lib/libdbus-1.so.3.4.0)
==29622==    by 0x42EAB1C: message_queue_dispatch (dbus-gmain.c:101)
==29622==    by 0x43AE717: g_main_context_dispatch (gmain.c:1814)
==29622==    by 0x43B1C7A: g_main_context_iterate (gmain.c:2448)
==29622==    by 0x43B2149: g_main_loop_run (gmain.c:2656)
==29622==    by 0x407F03D: mcd_service_run (mcd-service.c:987)
==29622==    by 0x80492BF: main (mc-debug-server.c:109)
==29622==  Address 0x4726018 is 0 bytes inside a block of size 8 free'd
==29622==    at 0x4024E3A: free (vg_replace_malloc.c:323)
==29622==    by 0x43B6BC5: g_free (gmem.c:190)
==29622==    by 0x43CE3E9: g_slist_delete_link (gslist.c:446)
==29622==    by 0x42F442F: dbus_g_proxy_manager_filter (dbus-gproxy.c:739)
==29622==    by 0x430E924: dbus_connection_dispatch (in /usr/lib/libdbus-1.so.3.4.0)
==29622==    by 0x42EAB1C: message_queue_dispatch (dbus-gmain.c:101)
==29622==    by 0x43AE717: g_main_context_dispatch (gmain.c:1814)
==29622==    by 0x43B1C7A: g_main_context_iterate (gmain.c:2448)
==29622==    by 0x43B2149: g_main_loop_run (gmain.c:2656)
==29622==    by 0x407F03D: mcd_service_run (mcd-service.c:987)
==29622==    by 0x80492BF: main (mc-debug-server.c:109)
{
   <insert a suppression name here>
   Memcheck:Addr4
   fun:g_slist_find_custom
   fun:dbus_g_proxy_manager_filter
   fun:dbus_connection_dispatch
   fun:message_queue_dispatch
   fun:g_main_context_dispatch
   fun:g_main_context_iterate
   fun:g_main_loop_run
   fun:mcd_service_run
   fun:main
}
==29622== 
==29622== Invalid read of size 4
==29622==    at 0x42EF6CC: find_name_in_info (dbus-gproxy.c:499)
==29622==    by 0x43CDF2D: g_slist_find_custom (gslist.c:608)
==29622==    by 0x42F441A: dbus_g_proxy_manager_filter (dbus-gproxy.c:733)
==29622==    by 0x430E924: dbus_connection_dispatch (in /usr/lib/libdbus-1.so.3.4.0)
==29622==    by 0x42EAB1C: message_queue_dispatch (dbus-gmain.c:101)
==29622==    by 0x43AE717: g_main_context_dispatch (gmain.c:1814)
==29622==    by 0x43B1C7A: g_main_context_iterate (gmain.c:2448)
==29622==    by 0x43B2149: g_main_loop_run (gmain.c:2656)
==29622==    by 0x407F03D: mcd_service_run (mcd-service.c:987)
==29622==    by 0x80492BF: main (mc-debug-server.c:109)
==29622==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
{
   <insert a suppression name here>
   Memcheck:Addr4
   fun:find_name_in_info
   fun:g_slist_find_custom
   fun:dbus_g_proxy_manager_filter
   fun:dbus_connection_dispatch
   fun:message_queue_dispatch
   fun:g_main_context_dispatch
   fun:g_main_context_iterate
   fun:g_main_loop_run
   fun:mcd_service_run
   fun:main
}
==29622== 
==29622== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==29622==  Access not within mapped region at address 0x0
==29622==    at 0x42EF6CC: find_name_in_info (dbus-gproxy.c:499)
==29622==    by 0x43CDF2D: g_slist_find_custom (gslist.c:608)
==29622==    by 0x42F441A: dbus_g_proxy_manager_filter (dbus-gproxy.c:733)
==29622==    by 0x430E924: dbus_connection_dispatch (in /usr/lib/libdbus-1.so.3.4.0)
==29622==    by 0x42EAB1C: message_queue_dispatch (dbus-gmain.c:101)
==29622==    by 0x43AE717: g_main_context_dispatch (gmain.c:1814)
==29622==    by 0x43B1C7A: g_main_context_iterate (gmain.c:2448)
==29622==    by 0x43B2149: g_main_loop_run (gmain.c:2656)
==29622==    by 0x407F03D: mcd_service_run (mcd-service.c:987)
==29622==    by 0x80492BF: main (mc-debug-server.c:109)
==29622==  If you believe this happened as a result of a stack overflow in your
==29622==  program's main thread (unlikely but possible), you can try to increase
==29622==  the size of the main thread stack using the --main-stacksize= flag.
==29622==  The main thread stack size used in this run was 16777216.

I believe that telepathy-mission-control is extremely buggy, but that this particular crash is not its fault. I'm able to avoid the crash by patching dbus-glib - a patch is on the way.
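The valgrind trace above shows a list search (g_slist_find_custom, dbus-gproxy.c:733) reading a link that g_slist_delete_link (dbus-gproxy.c:739) had just freed in the same function. The following is an added C illustration of that bug class beside a safe loop; it is not dbus-glib's code or the attached patch, and Link, find_custom, delete_link and the sample names are constructed stand-ins.

```c
/* Added illustration, not dbus-glib code: the bug class behind the valgrind
 * trace above. Link, find_custom and delete_link are constructed stand-ins
 * for GSList, g_slist_find_custom and g_slist_delete_link. */
#include <stdlib.h>
#include <string.h>

typedef struct Link { const char *name; struct Link *next; } Link;

/* First link whose name matches, or NULL (cf. g_slist_find_custom). */
Link *find_custom(Link *head, const char *name) {
    for (Link *l = head; l; l = l->next)
        if (strcmp(l->name, name) == 0) return l;
    return NULL;
}

/* Unlink and free one link; returns the new head (cf. g_slist_delete_link). */
Link *delete_link(Link *head, Link *victim) {
    Link **pp = &head;
    while (*pp && *pp != victim) pp = &(*pp)->next;
    if (*pp) { *pp = victim->next; free(victim); }
    return head;
}
/* BUGGY (not called): delete_link freed `l`, yet the next search starts at
 * l->next, the "Invalid read ... inside a block free'd" seen in the trace. */
Link *remove_all_unsafe(Link *head, const char *name) {
    for (Link *l = find_custom(head, name); l; l = find_custom(l->next, name))
        head = delete_link(head, l);   /* l is dangling after this */
    return head;
}
/* FIXED: restart each search from the current head, so no pointer into a
 * freed link is ever dereferenced. */
Link *remove_all_safe(Link *head, const char *name) {
    Link *l;
    while ((l = find_custom(head, name)) != NULL)
        head = delete_link(head, l);
    return head;
}

/* Constructed sample: five links, three named "a". Returns how many links
 * remain after remove_all_safe (expected 2), then frees them. */
int demo(void) {
    const char *names[] = { "a", "b", "a", "c", "a" };
    Link *head = NULL, *l;
    for (int i = 0; i < 5; i++, head = l) {
        l = malloc(sizeof *l); l->name = names[i]; l->next = head;
    }
    head = remove_all_safe(head, "a");
    int n = 0; for (l = head; l; l = l->next) n++;
    while (head) head = delete_link(head, head);
    return n;
}
```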
Comment 1 Simon McVittie 2009-03-26 11:09:23 UTC
Created attachment 24279
A patch that seems to fix this crash for me

http://git.collabora.co.uk/?p=user/smcv/dbus-glib-smcv.git;a=commitdiff;h=f36381131b6f410333a9a823a4fc131ac799394f

git://git.collabora.co.uk/git/user/smcv/dbus-glib-smcv.git commit f36381131b6f410333a9a823a4fc131ac799394f
Comment 2 Simon McVittie 2009-04-15 13:32:50 UTC
Colin, any chance you could opine on this? Or someone? Without this patch, the Mission Control regression tests fail...
Comment 3 Colin Walters 2009-04-16 06:22:15 UTC
Patch looks good to me.
Comment 4 Simon McVittie 2009-04-27 02:49:14 UTC
Thanks, fixed in git.
