I've been fuzz testing Empathy/folks using a fake CM (which I really should blog about soon), and managed to cause the following crash: Core was generated by `/opt/gnome3/build/bin/empathy'. Program terminated with signal 6, Aborted. #0 0x0000003f41e36285 in raise () from /lib64/libc.so.6 (gdb) t a a bt Thread 3 (Thread 0x7fffed1eb700 (LWP 16208)): #0 0x0000003f41ee6af3 in poll () from /lib64/libc.so.6 #1 0x00007ffff26df68b in g_poll (fds=0x7fffe80010e0, nfds=3, timeout=-1) at gpoll.c:132 #2 0x00007ffff26ceea5 in g_main_context_poll (context=0x8bbde0, timeout=-1, priority=2147483647, fds=0x7fffe80010e0, n_fds=3) at gmain.c:3415 #3 0x00007ffff26ce835 in g_main_context_iterate (context=0x8bbde0, block=1, dispatch=1, self=0x8bcd90) at gmain.c:3116 #4 0x00007ffff26cec86 in g_main_loop_run (loop=0x8bbd90) at gmain.c:3315 #5 0x00007ffff310d9e8 in gdbus_shared_thread_func (user_data=0x8bbdb0) at gdbusprivate.c:276 #6 0x00007ffff26f97e8 in g_thread_proxy (data=0x8bcd90) at gthread.c:801 #7 0x0000003f42607d90 in start_thread () from /lib64/libpthread.so.0 #8 0x0000003f41eef48d in clone () from /lib64/libc.so.6 Thread 2 (Thread 0x7fffe339d700 (LWP 16209)): #0 0x0000003f4260be4f in pthread_cond_timedwait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0 #1 0x00007ffff271b9a9 in g_cond_wait_until (cond=0xa213f8, mutex=0xa213f0, end_time=296617946261) at gthread-posix.c:870 #2 0x00007ffff26999e0 in g_cond_timed_wait (cond=0xa213f8, mutex=0xa213f0, abs_time=0x7fffe339cb80) at deprecated/gthread-deprecated.c:1585 #3 0x00007ffff269bc8f in g_async_queue_pop_intern_unlocked (queue=0xa213f0, wait=1, end_time=0x7fffe339cb80) at gasyncqueue.c:418 #4 0x00007ffff269bed9 in g_async_queue_timed_pop (queue=0xa213f0, end_time=0x7fffe339cb80) at gasyncqueue.c:542 #5 0x00007ffff26f9bdd in g_thread_pool_wait_for_new_pool () at gthreadpool.c:174 #6 0x00007ffff26f9ec4 in g_thread_pool_thread_proxy (data=0xa212d0) at gthreadpool.c:374 #7 0x00007ffff26f97e8 in g_thread_proxy (data=0xa1dd40) at 
gthread.c:801 #8 0x0000003f42607d90 in start_thread () from /lib64/libpthread.so.0 #9 0x0000003f41eef48d in clone () from /lib64/libc.so.6 Thread 1 (Thread 0x7fffee73c9c0 (LWP 16207)): #0 0x0000003f41e36285 in raise () from /lib64/libc.so.6 #1 0x0000003f41e37b9b in abort () from /lib64/libc.so.6 #2 0x00007ffff26f77f6 in g_assertion_message (domain=0x7ffff5e3f897 "tp-glib", file=0x7ffff5e3f9c9 "contact.c", line=1839, func=0x7ffff5e41b70 "contacts_context_continue", message=0xb385b0 "assertion failed: (contact->priv->handle != 0)") at gtestutils.c:1810 #3 0x00007ffff26f7857 in g_assertion_message_expr (domain=0x7ffff5e3f897 "tp-glib", file=0x7ffff5e3f9c9 "contact.c", line=1839, func=0x7ffff5e41b70 "contacts_context_continue", expr=0x7ffff5e3f9ae "contact->priv->handle != 0") at gtestutils.c:1821 #4 0x00007ffff5d98024 in contacts_context_continue (c=0xa9ce60) at contact.c:1839 #5 0x00007ffff5d99ac6 in connection_capabilities_fetched_cb (object=0x8f9580, res=0xb342a0, user_data=0xa9ce60) at contact.c:2553 #6 0x00007ffff3092162 in g_simple_async_result_complete (simple=0xb342a0) at gsimpleasyncresult.c:744 #7 0x00007ffff30921ae in complete_in_idle_cb (data=0xb342a0) at gsimpleasyncresult.c:756 #8 0x00007ffff26d00e3 in g_idle_dispatch (source=0xb43f90, callback=0x7ffff309217b <complete_in_idle_cb>, user_data=0xb342a0) at gmain.c:4632 #9 0x00007ffff26cd9c1 in g_main_dispatch (context=0x77a8f0) at gmain.c:2513 #10 0x00007ffff26ce67d in g_main_context_dispatch (context=0x77a8f0) at gmain.c:3050 #11 0x00007ffff26ce860 in g_main_context_iterate (context=0x77a8f0, block=1, dispatch=1, self=0x8a6f80) at gmain.c:3121 #12 0x00007ffff26ce924 in g_main_context_iteration (context=0x77a8f0, may_block=1) at gmain.c:3182 #13 0x00007ffff30c8e96 in g_application_run (application=0x7bb360, argc=1, argv=0x7fffffffeca8) at gapplication.c:1599 #14 0x0000000000457da0 in main (argc=1, argv=0x7fffffffeca8) at empathy.c:869 (gdb) bt full #0 0x0000003f41e36285 in raise () from /lib64/libc.so.6 No 
symbol table info available. #1 0x0000003f41e37b9b in abort () from /lib64/libc.so.6 No symbol table info available. #2 0x00007ffff26f77f6 in g_assertion_message (domain=0x7ffff5e3f897 "tp-glib", file=0x7ffff5e3f9c9 "contact.c", line=1839, func=0x7ffff5e41b70 "contacts_context_continue", message=0xb385b0 "assertion failed: (contact->priv->handle != 0)") at gtestutils.c:1810 lstr = "1839\000\177\000\000\250yh\362\377\177\000\000\320\350\377\377\377\177\000\000`Ω\000\000\000\000" s = 0xad94d0 "" #3 0x00007ffff26f7857 in g_assertion_message_expr (domain=0x7ffff5e3f897 "tp-glib", file=0x7ffff5e3f9c9 "contact.c", line=1839, func=0x7ffff5e41b70 "contacts_context_continue", expr=0x7ffff5e3f9ae "contact->priv->handle != 0") at gtestutils.c:1821 s = 0xb385b0 "assertion failed: (contact->priv->handle != 0)" #4 0x00007ffff5d98024 in contacts_context_continue (c=0xa9ce60) at contact.c:1839 contact = 0xb41900 i = 0 __PRETTY_FUNCTION__ = "contacts_context_continue" #5 0x00007ffff5d99ac6 in connection_capabilities_fetched_cb (object=0x8f9580, res=0xb342a0, user_data=0xa9ce60) at contact.c:2553 c = 0xa9ce60 __PRETTY_FUNCTION__ = "connection_capabilities_fetched_cb" #6 0x00007ffff3092162 in g_simple_async_result_complete (simple=0xb342a0) at gsimpleasyncresult.c:744 current_source = 0xb43f90 current_context = 0x77a8f0 __PRETTY_FUNCTION__ = "g_simple_async_result_complete" #7 0x00007ffff30921ae in complete_in_idle_cb (data=0xb342a0) at gsimpleasyncresult.c:756 simple = 0xb342a0 #8 0x00007ffff26d00e3 in g_idle_dispatch (source=0xb43f90, callback=0x7ffff309217b <complete_in_idle_cb>, user_data=0xb342a0) at gmain.c:4632 No locals. 
#9 0x00007ffff26cd9c1 in g_main_dispatch (context=0x77a8f0) at gmain.c:2513 dispatch = 0x7ffff26d0097 <g_idle_dispatch> was_in_call = 0 user_data = 0xb342a0 callback = 0x7ffff309217b <complete_in_idle_cb> cb_funcs = 0x7ffff29bdfe0 cb_data = 0x905680 need_destroy = 7827920 current_source_link = {data = 0xb43f90, next = 0x0} source = 0xb43f90 current = 0x8b9fa0 i = 0 __PRETTY_FUNCTION__ = "g_main_dispatch" #10 0x00007ffff26ce67d in g_main_context_dispatch (context=0x77a8f0) at gmain.c:3050 No locals. #11 0x00007ffff26ce860 in g_main_context_iterate (context=0x77a8f0, block=1, dispatch=1, self=0x8a6f80) at gmain.c:3121 max_priority = 0 timeout = 0 some_ready = 1 nfds = 7 allocated_nfds = 7 fds = 0xa64d20 ---Type <return> to continue, or q <return> to quit--- #12 0x00007ffff26ce924 in g_main_context_iteration (context=0x77a8f0, may_block=1) at gmain.c:3182 retval = 1 #13 0x00007ffff30c8e96 in g_application_run (application=0x7bb360, argc=1, argv=0x7fffffffeca8) at gapplication.c:1599 arguments = 0x8a4d90 status = 0 i = 1 __PRETTY_FUNCTION__ = "g_application_run" #14 0x0000000000457da0 in main (argc=1, argv=0x7fffffffeca8) at empathy.c:869 app = 0x7bb360 retval = 0 (gdb) frame 4 #4 0x00007ffff5d98024 in contacts_context_continue (c=0xa9ce60) at contact.c:1839 1839 g_assert (contact->priv->handle != 0); (gdb) print *contact $1 = {parent = {g_type_instance = {g_class = 0xac34f0}, ref_count = 1, qdata = 0x0}, priv = 0xb41920} (gdb) print *contact->priv $2 = {connection = 0x8f9580, handle = 0, identifier = 0xa2e970 "", has_features = 231, alias = 0xb1a390 "\t \r \f\r\f\f\t\r\v\n\t\f\r\f\f\v\v\n\t", avatar_token = 0x906c30 "", avatar_file = 0x0, avatar_mime_type = 0x0, presence_type = TP_CONNECTION_PRESENCE_TYPE_AWAY, presence_status = 0xb14dd0 "available", presence_message = 0xa81700 "Status message씓", location = 0x0, client_types = 0x0, capabilities = 0x0, contact_info = 0x0, subscribe = TP_SUBSCRIPTION_STATE_UNKNOWN, publish = TP_SUBSCRIPTION_STATE_UNKNOWN, 
publish_request = 0x0, contact_groups = 0x0, is_blocked = 0} (gdb) print *c $3 = {refcount = 1, connection = 0x8f9580, contacts = 0xb432c0, handles = 0xb43000, invalid = 0xb33ca0, request_ids = 0x0, request_errors = 0x0, wanted = 247, signature = CB_BY_HANDLE, callback = {by_handle = 0x7ffff74d7664 <get_contacts_by_handle_cb>, by_id = 0x7ffff74d7664 <get_contacts_by_handle_cb>, upgrade = 0x7ffff74d7664 <get_contacts_by_handle_cb>}, user_data = 0xa6a4c0, destroy = 0, weak_object = 0x8f9580, no_purpose_in_life = 0, todo = {head = 0x0, tail = 0x0, length = 0}, next_index = 0, contacts_have_ids = 0} I haven't investigated it properly (I should be working on the fuzz tester instead), but I realise that this is probably caused by the fake CM violating something in the Tp spec. However, since tp-glib is fairly resilient against misbehaving CMs in other places, I guess it would make sense to turn this g_assert() into an `if (fail) { continue; }` or similar: the zero handle most likely originates from what the CM sent, and data from a misbehaving CM should be reported as an error rather than abort the whole client process.
Created attachment 55426 [details] Empathy/folks/tp-glib log Log file made using FOLKS_DEBUG=telepathy EMPATHY_DEBUG=all.
Created attachment 55427 [details] Simulator log Fake CM simulation log, which (if read carefully enough) shows the D-Bus messages that were exchanged.
I have a core dump of the crash as well, made with tp-glib e88ba20da99e8ebd323dfb09e5c99171d5f17bb5 and Empathy bd4d801363ed6a5457c50d9c8e138c4f0e18f4b9. I can't upload it here because it's too big, but if anybody needs it I can upload it somewhere else.
-- GitLab Migration Automatic Message -- This bug has been migrated to freedesktop.org's GitLab instance and has been closed from further activity. You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.freedesktop.org/telepathy/telepathy-glib/issues/80.