Bug 20992

Summary: Dispatcher: null pointer dereference if ObserveChannels times out
Product: Telepathy
Reporter: Simon McVittie <smcv>
Component: mission-control
Assignee: Telepathy bugs list <telepathy-bugs>
Status: RESOLVED FIXED
QA Contact: Telepathy bugs list <telepathy-bugs>
Severity: normal    
Priority: medium    
Version: unspecified   
Hardware: Other   
OS: All   
Whiteboard:
Attachments: Unfinished regression test which demonstrates the bug

Description Simon McVittie 2009-04-01 06:08:23 UTC
Created attachment 24429 [details]
Unfinished regression test which demonstrates the bug

An unfinished test that does not yet return from ObserveChannels (attached) causes Mission Control to segfault.

#0  0x4005a970 in mcd_connection_get_account (id=0x0) at mcd-connection.c:1982
No locals.
#1  0x40064afc in mcd_dispatcher_context_get_protocol_name (context=0x8b92740)
    at mcd-dispatcher.c:2911
	conn = (McdConnection *) 0x0
	account = <value optimized out>
#2  0x4006d6d0 in mcd_dispatcher_run_handlers (context=0x8b92740)
    at mcd-dispatcher.c:815
	channels = (GList *) 0x8b93d90
	unhandled = (GList *) 0x8b88830
#3  0x4006e0bd in mcd_dispatcher_context_release_client_lock (
    context=0x8b92740) at mcd-dispatcher.c:1346
	__PRETTY_FUNCTION__ = "mcd_dispatcher_context_release_client_lock"
#4  0x4006e304 in observe_channels_cb (proxy=0x8b72f50, error=0x8b93da0, 
    user_data=0x8b92740, weak_object=0x8b82828) at mcd-dispatcher.c:1360
	__PRETTY_FUNCTION__ = "observe_channels_cb"
#5  0x4006c0d7 in _mc_cli_client_observer_invoke_callback_observe_channels (
    self=0x8b72f50, error=0x8b93da0, args=0x0, 
    generic_callback=0x4006e270 <observe_channels_cb>, user_data=0x8b92740, 
    weak_object=0x8b82828) at _gen/cli-client-body.h:626
No locals.
#6  0x402afdf7 in tp_proxy_pending_call_idle_invoke (p=0x8b8f6b0)
    at proxy-methods.c:153
	invoke = (TpProxyInvokeFunc) 0x8b73bd8
	__PRETTY_FUNCTION__ = "tp_proxy_pending_call_idle_invoke"
#7  0x403a5811 in g_idle_dispatch (source=0x8b93af0, callback=0, 
    user_data=0x8b8f6b0)
    at /build/buildd-glib2.0_2.20.0-2-i386-rcJiVy/glib2.0-2.20.0/glib/gmain.c:3922
No locals.
#8  0x403a7718 in IA__g_main_context_dispatch (context=0x8b77da8)
    at /build/buildd-glib2.0_2.20.0-2-i386-rcJiVy/glib2.0-2.20.0/glib/gmain.c:1814
No locals.
#9  0x403aac7b in g_main_context_iterate (context=0x8b77da8, block=1, 
    dispatch=1, self=0x8b7b9d0)
    at /build/buildd-glib2.0_2.20.0-2-i386-rcJiVy/glib2.0-2.20.0/glib/gmain.c:2448
	max_priority = -100
	timeout = 0
	some_ready = 1
	nfds = 0
	allocated_nfds = <value optimized out>
	fds = (GPollFD *) 0x8b7c260
	__PRETTY_FUNCTION__ = "g_main_context_iterate"
#10 0x403ab14a in IA__g_main_loop_run (loop=0x8b78bc0)
    at /build/buildd-glib2.0_2.20.0-2-i386-rcJiVy/glib2.0-2.20.0/glib/gmain.c:2656
	self = (GThread *) 0x8b7b9d0
	__PRETTY_FUNCTION__ = "IA__g_main_loop_run"
#11 0x4007690e in mcd_service_run (self=0x8b7f810) at mcd-service.c:987
No locals.
#12 0x080492c0 in main () at mc-debug-server.c:109
	bus_daemon = <value optimized out>
	mcd = <value optimized out>
	error = (GError *) 0x0
	connection = (DBusConnection *) 0x8b76438
	ret = <value optimized out>
Comment 1 Simon McVittie 2009-04-01 06:14:44 UTC
The reason for the crash appears to be that mcd_dispatcher_context_get_protocol_name copies the protocol name lazily, by obtaining the account from the context's connection, then copying the protocol from the account; however, when it is first called in this test, the connection has been set to NULL already. It seems to be necessary to either copy the protocol name eagerly, or ref the connection and/or account in the "dispatcher context".

(What is a dispatcher context, anyway? Answers on a postcard.)
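The two remedies named in Comment 1 (copy the protocol name eagerly, or hold a reference on the connection/account for the context's lifetime) can be illustrated outside mission-control. The following is an added example, not code from mission-control or from the bug's author: `Account`, `Connection`, `LazyContext`, `EagerContext` and all function names are constructed stand-ins, and the scenario replays the report's timeline in miniature (context created, observer call stalls, connection torn down, callback finally asks for the protocol name). The lazy variant adds the NULL guard the crashing code lacked, so it fails closed instead of dereferencing `0x0` as in frame #0; the eager variant still answers correctly after the owner dropped the connection.

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed stand-ins for the account/connection objects; names and
 * layout are assumptions for this example, not mission-control's types. */
typedef struct { int refcount; char *protocol; } Account;
typedef struct { int refcount; Account *account; } Connection;

static char *dup_string(const char *s)
{
    size_t n = strlen(s) + 1;
    char *copy = malloc(n);
    memcpy(copy, s, n);
    return copy;
}

static Account *account_new(const char *protocol)
{
    Account *a = calloc(1, sizeof *a);
    a->refcount = 1;
    a->protocol = dup_string(protocol);
    return a;
}

static void account_unref(Account *a)
{
    if (a && --a->refcount == 0) { free(a->protocol); free(a); }
}

static Connection *connection_new(Account *account)
{
    Connection *c = calloc(1, sizeof *c);
    c->refcount = 1;
    c->account = account;
    account->refcount++;              /* connection keeps the account alive */
    return c;
}

static Connection *connection_ref(Connection *c) { c->refcount++; return c; }

static void connection_unref(Connection *c)
{
    if (c && --c->refcount == 0) { account_unref(c->account); free(c); }
}

/* Lazy context: only borrows the connection pointer and derives the
 * protocol name when asked. This is the shape of the crash: by the time
 * the observer callback ran, the borrowed pointer was already NULL. */
typedef struct { Connection *connection; /* borrowed, may be cleared */ } LazyContext;

/* Returns the protocol name, or NULL once the connection is gone. The NULL
 * check is the guard missing from the crashing path; without it this line
 * is the frame #0 dereference in the backtrace. */
static const char *lazy_get_protocol_name(const LazyContext *ctx)
{
    if (ctx->connection == NULL || ctx->connection->account == NULL)
        return NULL;
    return ctx->connection->account->protocol;
}

/* Eager context: copies the protocol name up front and holds its own
 * reference on the connection, the two fixes Comment 1 proposes. */
typedef struct {
    Connection *connection;   /* strong ref, released in eager_context_free */
    char *protocol_name;      /* owned copy taken at creation time */
} EagerContext;

static EagerContext *eager_context_new(Connection *connection)
{
    EagerContext *ctx = calloc(1, sizeof *ctx);
    ctx->connection = connection_ref(connection);
    ctx->protocol_name = dup_string(connection->account->protocol);
    return ctx;
}

static const char *eager_get_protocol_name(const EagerContext *ctx)
{
    return ctx->protocol_name;    /* valid for the context's whole lifetime */
}

static void eager_context_free(EagerContext *ctx)
{
    connection_unref(ctx->connection);
    free(ctx->protocol_name);
    free(ctx);
}

/* Replays the report's timeline. Returns 1 if the lazy lookup failed safely
 * (NULL) and the eager lookup still yielded the original name, else 0. */
static int run_timeout_scenario(void)
{
    Account *account = account_new("jabber");       /* constructed sample */
    Connection *connection = connection_new(account);
    account_unref(account);                         /* connection owns it now */

    LazyContext lazy = { connection };
    EagerContext *eager = eager_context_new(connection);

    /* Connection owner tears down while ObserveChannels is still pending:
     * the borrowed pointer is cleared and the owner's reference dropped. */
    lazy.connection = NULL;
    connection_unref(connection);

    /* The delayed callback finally asks for the protocol name. */
    const char *from_lazy = lazy_get_protocol_name(&lazy);
    const char *from_eager = eager_get_protocol_name(eager);

    int ok = (from_lazy == NULL) && (strcmp(from_eager, "jabber") == 0);
    eager_context_free(eager);
    return ok;
}

int main(void)
{
    printf("timeout scenario handled safely: %s\n",
           run_timeout_scenario() ? "yes" : "no");
    return 0;
}
```

The eager form is the more robust of the two: a reference on the connection pins the whole object graph for as long as the context exists, so a late callback never races its own teardown, and the copied string removes the lookup entirely from the hot path. A NULL guard alone only turns the segfault into a missing protocol name, which the handler-selection logic downstream would still have to cope with.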
Comment 2 Simon McVittie 2009-10-13 04:35:40 UTC
Fixed some time ago.
