Bug 40523 - telepathy-gabble crashed with signal 5 in g_return_if_fail_warning()
Status: RESOLVED FIXED
Alias: None
Product: Telepathy
Classification: Unclassified
Component: tp-glib
Version: 0.13
Hardware: Other All
Importance: medium critical
Assignee: Telepathy bugs list
QA Contact: Telepathy bugs list
URL: http://cgit.collabora.com/git/user/wj...
Keywords: patch
Reported: 2011-08-31 11:14 UTC by Pedro Villavicencio
Modified: 2011-10-11 09:51 UTC

Description Pedro Villavicencio 2011-08-31 11:14:15 UTC
this report has been filed here:

https://bugs.launchpad.net/ubuntu/+source/telepathy-gabble/+bug/838242

"Just crash when I received message from facebook with protocols xmpp"

backtrace:

".
Thread 3 (Thread 0xb76d1b70 (LWP 17789)):
#0  0x00de7416 in __kernel_vsyscall ()
No symbol table info available.
#1  0x00eab40e in __GI___poll (fds=0xb6d004c0, nfds=1, timeout=-1) at ../sysdeps/unix/sysv/linux/poll.c:87
        resultvar = <optimized out>
        oldtype = -516
        result = <optimized out>
#2  0x0086e93b in g_poll (fds=0xb6d004c0, nfds=1, timeout=-1) at /build/buildd/glib2.0-2.29.16/./glib/gpoll.c:132
No locals.
#3  0x0085fe56 in g_main_context_poll (n_fds=1, fds=0xb6d004c0, timeout=<optimized out>, context=0x944f720, priority=<optimized out>) at /build/buildd/glib2.0-2.29.16/./glib/gmain.c:3399
        poll_func = 0x86e910 <g_poll>
#4  g_main_context_iterate (context=0x944f720, block=8841488, dispatch=1, self=<optimized out>) at /build/buildd/glib2.0-2.29.16/./glib/gmain.c:3081
        max_priority = 2147483647
        timeout = -1
        some_ready = <optimized out>
        nfds = 1
        allocated_nfds = <optimized out>
        fds = 0xb6d004c0
#5  0x0086055b in g_main_loop_run (loop=0xb6d004b0) at /build/buildd/glib2.0-2.29.16/./glib/gmain.c:3294
        __PRETTY_FUNCTION__ = "g_main_loop_run"
#6  0x00984434 in dconf_context_thread (data=0x944f720) at dconfcontext.c:11
        context = 0x944f720
        loop = <optimized out>
        __PRETTY_FUNCTION__ = "dconf_context_thread"
#7  0x00886e34 in g_thread_create_proxy (data=0x944f7b0) at /build/buildd/glib2.0-2.29.16/./glib/gthread.c:1962
        thread = 0x944f7b0
        __PRETTY_FUNCTION__ = "g_thread_create_proxy"
#8  0x00fb3d31 in start_thread (arg=0xb76d1b70) at pthread_create.c:304
        __res = <optimized out>
        pd = 0xb76d1b70
        now = <optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {16535540, 0, 4001536, -1217588216, 1494644027, 1967797844}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}}
        not_first_call = <optimized out>
        robust = <optimized out>
        pagesize_m1 = <optimized out>
        sp = <optimized out>
        freesize = <optimized out>
        __PRETTY_FUNCTION__ = "start_thread"
#9  0x00eba0ce in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:130
No locals.
Backtrace stopped: Not enough registers or memory available to unwind further
.
Thread 2 (Thread 0xb64feb70 (LWP 17791)):
#0  0x00de7416 in __kernel_vsyscall ()
No symbol table info available.
#1  0x00eab40e in __GI___poll (fds=0xb6d0a028, nfds=3, timeout=-1) at ../sysdeps/unix/sysv/linux/poll.c:87
        resultvar = <optimized out>
        oldtype = -516
        result = <optimized out>
#2  0x0086e93b in g_poll (fds=0xb6d0a028, nfds=3, timeout=-1) at /build/buildd/glib2.0-2.29.16/./glib/gpoll.c:132
No locals.
#3  0x0085fe56 in g_main_context_poll (n_fds=3, fds=0xb6d0a028, timeout=<optimized out>, context=0x9459838, priority=<optimized out>) at /build/buildd/glib2.0-2.29.16/./glib/gmain.c:3399
        poll_func = 0x86e910 <g_poll>
#4  g_main_context_iterate (context=0x9459838, block=8841488, dispatch=1, self=<optimized out>) at /build/buildd/glib2.0-2.29.16/./glib/gmain.c:3081
        max_priority = 2147483647
        timeout = -1
        some_ready = <optimized out>
        nfds = 3
        allocated_nfds = <optimized out>
        fds = 0xb6d0a028
#5  0x0086055b in g_main_loop_run (loop=0x9458f68) at /build/buildd/glib2.0-2.29.16/./glib/gmain.c:3294
        __PRETTY_FUNCTION__ = "g_main_loop_run"
#6  0x00795b4a in gdbus_shared_thread_func (user_data=0x9458500) at /build/buildd/glib2.0-2.29.16/./gio/gdbusprivate.c:276
        data = 0x9458500
#7  0x00886e34 in g_thread_create_proxy (data=0x9458568) at /build/buildd/glib2.0-2.29.16/./glib/gthread.c:1962
        thread = 0x9458568
        __PRETTY_FUNCTION__ = "g_thread_create_proxy"
#8  0x00fb3d31 in start_thread (arg=0xb64feb70) at pthread_create.c:304
        __res = <optimized out>
        pd = 0xb64feb70
        now = <optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {16535540, 0, 4001536, -1236278264, 485913913, 1967797844}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}}
        not_first_call = <optimized out>
        robust = <optimized out>
        pagesize_m1 = <optimized out>
        sp = <optimized out>
        freesize = <optimized out>
        __PRETTY_FUNCTION__ = "start_thread"
#9  0x00eba0ce in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:130
No locals.
Backtrace stopped: Not enough registers or memory available to unwind further
.
Thread 1 (Thread 0xb76f4750 (LWP 17787)):
#0  g_logv (log_domain=0xa2ea8f "GLib-GObject", log_level=<optimized out>, format=0x8b1176 "%s: assertion `%s' failed", args1=0xbfc5ae1c "\236\031\243") at /build/buildd/glib2.0-2.29.16/./glib/gmessages.c:577
        depth = 0
        domain = 0x0
        data = 0x0
        log_func = 0x8070180 <log_handler>
        domain_fatal_mask = <optimized out>
        masquerade_fatal = <optimized out>
        test_level = <optimized out>
        was_fatal = 0
        was_recursion = 0
        i = <optimized out>
#1  0x008686c3 in g_log (log_domain=0xa2ea8f "GLib-GObject", log_level=G_LOG_LEVEL_CRITICAL, format=0x8b1176 "%s: assertion `%s' failed") at /build/buildd/glib2.0-2.29.16/./glib/gmessages.c:591
        args = 0xbfc5ae1c "\236\031\243"
#2  0x0086892d in g_return_if_fail_warning (log_domain=0xa2ea8f "GLib-GObject", pretty_function=0xa3199e "g_object_unref", expression=0xa307e2 "G_IS_OBJECT (object)") at /build/buildd/glib2.0-2.29.16/./glib/gmessages.c:600
No locals.
#3  0x00a025ab in g_object_unref (_object=0x9c6fca0) at /build/buildd/glib2.0-2.29.16/./gobject/gobject.c:2681
        object = 0x9c6fca0
        old_ref = <optimized out>
        __PRETTY_FUNCTION__ = "g_object_unref"
#4  0x0039615b in tp_message_destroy (self=0x9c6fca0) at message.c:156
No locals.
#5  0x00398721 in tp_message_mixin_acknowledge_pending_messages_async (iface=0x9c4f868, ids=0x942ab80, context=0x94366b8) at message-mixin.c:429
        item = 0x9c6fca0
        cm_msg = 0x9c6fca0
        mixin = 0x942ab80
        nodes = 0x96263a0
        i = <optimized out>
        __PRETTY_FUNCTION__ = "tp_message_mixin_acknowledge_pending_messages_async"
#6  0x003c616d in tp_svc_channel_type_text_acknowledge_pending_messages (self=0x9c4f868, in_IDs=0x942ab80, context=0x94366b8) at _gen/tp-svc-channel.c:4697
        impl = <optimized out>
#7  0x003ba68a in _tp_marshal_VOID__BOXED_POINTER (closure=0xbfc5b04c, return_value=0x0, n_param_values=3, param_values=0x9467b00, invocation_hint=0x0, marshal_data=0x3c6120) at _gen/signals-marshal.c:742
        callback = 0x3c6120 <tp_svc_channel_type_text_acknowledge_pending_messages>
        cc = 0xbfc5b04c
        data1 = <optimized out>
        data2 = <optimized out>
        __PRETTY_FUNCTION__ = "_tp_marshal_VOID__BOXED_POINTER"
#8  0x00b3677d in invoke_object_method (message=0x9ca8688, connection=0x93ed598, method=0x44e4a0, object_info=<optimized out>, object=0x9c4f868) at dbus-gobject.c:1744
        had_error = <optimized out>
        value_array = 0x9c6f540
        result = <optimized out>
        gerror = 0x0
        closure = {ref_count = 0, meta_marshal = 0, n_guards = 0, n_fnotifiers = 0, n_inotifiers = 0, in_inotify = 0, floating = 0, derivative_flag = 0, in_marshal = 0, is_invalid = 0, marshal = 0, data = 0x0, notifiers = 0x0}
        out_param_pos = <optimized out>
        have_retval = 0
        send_reply = <optimized out>
        in_signature = 0x9c7abd8 "au"
        out_param_count = <optimized out>
        out_param_gvalue_pos = <optimized out>
        retval_signals_error = 0
        arg_metadata = <optimized out>
        is_async = 1
        out_param_values = 0x0
        return_value = {g_type = 0, data = {{v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, v_pointer = 0x0}, {v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, v_pointer = 0x0}}}
        out_param_gvalues = 0x0
        reply = 0x0
        retval_is_synthetic = 0
        retval_is_constant = 0
#9  object_registration_message (connection=0x93ed598, message=0x9ca8688, user_data=0x9c6fc50) at dbus-gobject.c:1968
        pspec = <optimized out>
        object = 0x9c4f868
        setter = <optimized out>
        getter = <optimized out>
        getall = <optimized out>
        s = <optimized out>
        requested_propname = <optimized out>
        wincaps_propiface = <optimized out>
        iter = {dummy1 = 0x0, dummy2 = 0x1, dummy3 = 155133184, dummy4 = 163771016, dummy5 = 161196832, dummy6 = 0, dummy7 = 163782916, dummy8 = 163782912, dummy9 = 1, dummy10 = 0, dummy11 = 0, pad1 = 0, pad2 = 2170280, pad3 = 0x9406138}
        method = 0x44e4a0
        object_info = <optimized out>
        ret = <optimized out>
        o = 0x9c6fc50
#10 0x001e8821 in ?? () from /tmp/tmp17wGd2/lib/i386-linux-gnu/libdbus-1.so.3
No symbol table info available.
#11 0x001d846f in dbus_connection_dispatch () from /tmp/tmp17wGd2/lib/i386-linux-gnu/libdbus-1.so.3
No symbol table info available.
#12 0x00b3295d in message_queue_dispatch (source=0x93f0068, callback=0, user_data=0x0) at dbus-gmain.c:90
        connection = 0x93ed598
#13 0x0085f81f in g_main_dispatch (context=0x93effd8) at /build/buildd/glib2.0-2.29.16/./glib/gmain.c:2439
        dispatch = 0xb32930 <message_queue_dispatch>
        was_in_call = 0
        user_data = 0x0
        callback = 0
        cb_funcs = 0x0
        cb_data = 0x0
        current_source_link = {data = 0x93f0068, next = 0x0}
        need_destroy = <optimized out>
        source = 0x93f0068
        current = 0x93fb258
        i = <optimized out>
#14 g_main_context_dispatch (context=0x93effd8) at /build/buildd/glib2.0-2.29.16/./glib/gmain.c:3008
No locals.
#15 0x0085ff50 in g_main_context_iterate (context=0x93effd8, block=8841488, dispatch=1, self=<optimized out>) at /build/buildd/glib2.0-2.29.16/./glib/gmain.c:3086
        max_priority = 0
        timeout = 0
        some_ready = 1
        nfds = <optimized out>
        allocated_nfds = <optimized out>
        fds = 0xb6d14be8
#16 0x0086055b in g_main_loop_run (loop=0x93f3fb8) at /build/buildd/glib2.0-2.29.16/./glib/gmain.c:3294
        __PRETTY_FUNCTION__ = "g_main_loop_run"
#17 0x003ab730 in tp_run_connection_manager (prog_name=0x815fe4b "telepathy-gabble", version=0x817644b "0.13.5", construct_cm=0x8070150 <construct_cm>, argc=1, argv=0xbfc5b524) at run.c:285
        connection = 0x93ed598
        bus_daemon = 0x93f1458
        error = 0x0
        ret = 1
        __PRETTY_FUNCTION__ = "tp_run_connection_manager"
#18 0x080704e0 in gabble_main (argc=1, argv=0xbfc5b524) at gabble.c:177
        loader = 0x93e34a8
        out = <optimized out>
        fatal_mask = <optimized out>
#19 0x08070090 in main (argc=1, argv=0xbfc5b524) at main.c:28
No locals."
Comment 1 Will Thompson 2011-10-03 04:44:13 UTC
I have a test case for this now; it's a crash in telepathy-glib caused by an application passing the same ID more than once in a call to AcknowledgePendingMessages...
Comment 2 Will Thompson 2011-10-03 06:26:08 UTC
Here's a fix, which could do with being reviewed.

(I do wonder which client is being foolish and acking the same message more than once in a single call!)
Comment 3 Xavier Claessens 2011-10-04 05:14:29 UTC
I don't understand how the first commit helps, but it's fine.

I would just add a DEBUG() in the case it found a dup, to help debug the faulty client later.
Comment 4 Will Thompson 2011-10-04 06:18:28 UTC
(In reply to comment #3)
> I don't understand how the first commit helps, but it's fine.

It's so we don't have to skip over “holes” in the array.

If AcknowledgePendingMessages([1, 2, 1, 3]) is called, previously 'nodes' would end up looking like this:

 [ GList { data = 0x1111 }
 , GList { data = 0x2222 }
 , GList { data = 0x1111 }
 , GList { data = 0x3333 }
 ]

The crash occurred when we tried to free 0x1111 a second time.

If I had just changed the loop to skip duplicates, it would have looked like this:

 [ GList { data = 0x1111 }
 , GList { data = 0x2222 }
 , uninitialized memory
 , GList { data = 0x3333 }
 ]

Obviously we could use g_new0, but we'd still have to check for, and skip, the NULLed-out gap in the array.

By switching to a dynamically-sized array, there are no gaps to skip.

> I would just add a DEBUG() in the case it found a dup, to help debug the faulty
> client later.

Added a patch to do this.
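
The fix pattern described in comment #4, as an added example that is not part of the original comments and is not telepathy-glib's code: matched messages are appended to a compact array, a repeated ID is counted and skipped, and each message is freed exactly once. The names `Msg`, `queue_push`, `queue_len` and `acknowledge` are hypothetical, the duplicate counter stands in for the DEBUG() message, and freeing nothing when an ID is unknown is an assumption of this sketch.

```c
/* Hypothetical model of a pending-message queue; not telepathy-glib code. */
#include <stdio.h>
#include <stdlib.h>

typedef struct Msg { unsigned id; struct Msg *next; } Msg;

static Msg *queue_push(Msg *head, unsigned id) {
    Msg *m = malloc(sizeof *m);
    if (m == NULL) abort();
    m->id = id; m->next = head;
    return m;
}

static size_t queue_len(const Msg *head) {
    size_t n = 0;
    for (; head != NULL; head = head->next) n++;
    return n;
}

/* Returns messages freed, or -1 (nothing freed: an assumption) on an unknown id. */
static int acknowledge(Msg **head, const unsigned *ids, size_t n, size_t *n_dups) {
    Msg **found = malloc((n ? n : 1) * sizeof *found);
    size_t n_found = 0, i, j;
    if (found == NULL) abort();
    *n_dups = 0;
    for (i = 0; i < n; i++) {
        Msg *m = *head;
        while (m != NULL && m->id != ids[i]) m = m->next;
        if (m == NULL) { free(found); return -1; }
        for (j = 0; j < n_found && found[j] != m; j++) {}
        if (j < n_found) { (*n_dups)++; continue; }  /* named twice: count, skip */
        found[n_found++] = m;         /* append only, so the array has no holes */
    }
    for (i = 0; i < n_found; i++) {   /* entries are distinct: one free each */
        Msg **pp = head;
        while (*pp != found[i]) pp = &(*pp)->next;
        *pp = found[i]->next;
        free(found[i]);
    }
    free(found);
    return (int) n_found;
}

int main(void) {
    const unsigned ids[] = {1, 2, 1, 3};   /* constructed call from the comment */
    size_t dups;
    Msg *q = queue_push(queue_push(queue_push(queue_push(NULL, 1), 2), 3), 4);
    int freed = acknowledge(&q, ids, 4, &dups);
    printf("freed %d, skipped %zu duplicate(s), %zu left\n", freed, dups, queue_len(q));
}
```
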
Comment 5 Will Thompson 2011-10-11 09:47:33 UTC
Fixed in 0.14.10 and 0.15.7.
Comment 6 Will Thompson 2011-10-11 09:51:09 UTC
(In reply to comment #5)
> Fixed in 0.14.10 and 0.15.7.

I should be clear that these are versions of telepathy-glib.

