[sugar] gabble segfaults and how to reproduce them

Dafydd Harries dafydd.harries
Thu Apr 12 01:41:32 EDT 2007


On 12/04/2007 at 00:07, Dan Williams wrote:
> On Wed, 2007-04-11 at 23:57 -0400, Dan Williams wrote:
> > After doing the following, suggested by daf on IRC:
> > 

To clarify:

> > darcs pull http://projects.collabora.co.uk/~monkey/telepathy-gabble-olpc/

This is the branch sugar gets for you already.

> > darcs pull http://projects.collabora.co.uk/~monkey/telepathy-gabble-olpc-rob-review/

This is a branch which has some fixes. Both should soon be merged into Gabble
head.

> > I added a test mode to the presence service.  To reproduce this bug and
> > generally exercise the PS and gabble, you can do the following after
> > doing a git pull of sugar:

That does it for me. Dixit valgrind:

==9315== Invalid read of size 4
==9315==    at 0x806B92D: decrement_contacts_activities_list_foreach (conn-olpc.c:113)
==9315==    by 0x416BA0E: g_slist_foreach (gslist.c:468)
==9315==    by 0x806CE23: extract_activities (conn-olpc.c:624)
==9315==    by 0x806D099: get_activities_reply_cb (conn-olpc.c:707)
==9315==    by 0x804E19D: message_send_reply_cb (gabble-connection.c:893)
==9315==    by 0x403FF0F: _lm_message_handler_handle_message (lm-message-handler.c:47)
==9315==    by 0x403D87E: connection_incoming_dispatch (lm-connection.c:285)
==9315==    by 0x4153C10: g_main_context_dispatch (gmain.c:2045)
==9315==    by 0x4156C85: g_main_context_iterate (gmain.c:2677)
==9315==    by 0x4157046: g_main_loop_run (gmain.c:2881)
==9315==    by 0x8090D4B: tp_run_connection_manager (run.c:237)
==9315==    by 0x804D759: main (gabble.c:48)
==9315==  Address 0x49479EC is 12 bytes inside a block of size 16 free'd
==9315==    at 0x401D0CA: free (vg_replace_malloc.c:233)
==9315==    by 0x415B010: g_free (gmem.c:187)
==9315==    by 0x416B674: g_slice_free1 (gslice.c:824)
==9315==    by 0x806BA89: activity_info_free (conn-olpc.c:94)
==9315==    by 0x4146C56: g_hash_node_destroy (ghash.c:768)
==9315==    by 0x41475F6: g_hash_table_remove (ghash.c:433)
==9315==    by 0x806B984: decrement_contacts_activities_list_foreach (conn-olpc.c:121)
==9315==    by 0x416BA0E: g_slist_foreach (gslist.c:468)
==9315==    by 0x806B90B: connection_presence_update_cb (conn-olpc.c:1511)
==9315==    by 0x41051CA: g_cclosure_marshal_VOID(unsigned i_xx_t) (gmarshal.c:251)
==9315==    by 0x40F809A: g_closure_invoke (gclosure.c:490)
==9315==    by 0x4108CE2: signal_emit_unlocked_R (gsignal.c:2440)
==9315== 
==9315== Invalid read of size 4
==9315==    at 0x806B930: decrement_contacts_activities_list_foreach (conn-olpc.c:115)
==9315==    by 0x416BA0E: g_slist_foreach (gslist.c:468)
==9315==    by 0x806CE23: extract_activities (conn-olpc.c:624)
==9315==    by 0x806D099: get_activities_reply_cb (conn-olpc.c:707)
==9315==    by 0x804E19D: message_send_reply_cb (gabble-connection.c:893)
==9315==    by 0x403FF0F: _lm_message_handler_handle_message (lm-message-handler.c:47)
==9315==    by 0x403D87E: connection_incoming_dispatch (lm-connection.c:285)
==9315==    by 0x4153C10: g_main_context_dispatch (gmain.c:2045)
==9315==    by 0x4156C85: g_main_context_iterate (gmain.c:2677)
==9315==    by 0x4157046: g_main_loop_run (gmain.c:2881)
==9315==    by 0x8090D4B: tp_run_connection_manager (run.c:237)
==9315==    by 0x804D759: main (gabble.c:48)
==9315==  Address 0x49479E0 is 0 bytes inside a block of size 16 free'd
==9315==    at 0x401D0CA: free (vg_replace_malloc.c:233)
==9315==    by 0x415B010: g_free (gmem.c:187)
==9315==    by 0x416B674: g_slice_free1 (gslice.c:824)
==9315==    by 0x806BA89: activity_info_free (conn-olpc.c:94)
==9315==    by 0x4146C56: g_hash_node_destroy (ghash.c:768)
==9315==    by 0x41475F6: g_hash_table_remove (ghash.c:433)
==9315==    by 0x806B984: decrement_contacts_activities_list_foreach (conn-olpc.c:121)
==9315==    by 0x416BA0E: g_slist_foreach (gslist.c:468)
==9315==    by 0x806B90B: connection_presence_update_cb (conn-olpc.c:1511)
==9315==    by 0x41051CA: g_cclosure_marshal_VOID(unsigned i_xx_t) (gmarshal.c:251)
==9315==    by 0x40F809A: g_closure_invoke (gclosure.c:490)
==9315==    by 0x4108CE2: signal_emit_unlocked_R (gsignal.c:2440)
==9315== 
==9315== Invalid write of size 4
==9315==    at 0x806B933: decrement_contacts_activities_list_foreach (conn-olpc.c:113)
==9315==    by 0x416BA0E: g_slist_foreach (gslist.c:468)
==9315==    by 0x806CE23: extract_activities (conn-olpc.c:624)
==9315==    by 0x806D099: get_activities_reply_cb (conn-olpc.c:707)
==9315==    by 0x804E19D: message_send_reply_cb (gabble-connection.c:893)
==9315==    by 0x403FF0F: _lm_message_handler_handle_message (lm-message-handler.c:47)
==9315==    by 0x403D87E: connection_incoming_dispatch (lm-connection.c:285)
==9315==    by 0x4153C10: g_main_context_dispatch (gmain.c:2045)
==9315==    by 0x4156C85: g_main_context_iterate (gmain.c:2677)
==9315==    by 0x4157046: g_main_loop_run (gmain.c:2881)
==9315==    by 0x8090D4B: tp_run_connection_manager (run.c:237)
==9315==    by 0x804D759: main (gabble.c:48)
==9315==  Address 0x49479EC is 12 bytes inside a block of size 16 free'd
==9315==    at 0x401D0CA: free (vg_replace_malloc.c:233)
==9315==    by 0x415B010: g_free (gmem.c:187)
==9315==    by 0x416B674: g_slice_free1 (gslice.c:824)
==9315==    by 0x806BA89: activity_info_free (conn-olpc.c:94)
==9315==    by 0x4146C56: g_hash_node_destroy (ghash.c:768)
==9315==    by 0x41475F6: g_hash_table_remove (ghash.c:433)
==9315==    by 0x806B984: decrement_contacts_activities_list_foreach (conn-olpc.c:121)
==9315==    by 0x416BA0E: g_slist_foreach (gslist.c:468)
==9315==    by 0x806B90B: connection_presence_update_cb (conn-olpc.c:1511)
==9315==    by 0x41051CA: g_cclosure_marshal_VOID(unsigned i_xx_t) (gmarshal.c:251)
==9315==    by 0x40F809A: g_closure_invoke (gclosure.c:490)
==9315==    by 0x4108CE2: signal_emit_unlocked_R (gsignal.c:2440)
==9315== 
==9315== Invalid read of size 4
==9315==    at 0x806AEE7: activity_info_get_room (conn-olpc.c:53)
==9315==    by 0x806B93A: decrement_contacts_activities_list_foreach (conn-olpc.c:115)
==9315==    by 0x416BA0E: g_slist_foreach (gslist.c:468)
==9315==    by 0x806CE23: extract_activities (conn-olpc.c:624)
==9315==    by 0x806D099: get_activities_reply_cb (conn-olpc.c:707)
==9315==    by 0x804E19D: message_send_reply_cb (gabble-connection.c:893)
==9315==    by 0x403FF0F: _lm_message_handler_handle_message (lm-message-handler.c:47)
==9315==    by 0x403D87E: connection_incoming_dispatch (lm-connection.c:285)
==9315==    by 0x4153C10: g_main_context_dispatch (gmain.c:2045)
==9315==    by 0x4156C85: g_main_context_iterate (gmain.c:2677)
==9315==    by 0x4157046: g_main_loop_run (gmain.c:2881)
==9315==    by 0x8090D4B: tp_run_connection_manager (run.c:237)
==9315==  Address 0x49479E0 is 0 bytes inside a block of size 16 free'd
==9315==    at 0x401D0CA: free (vg_replace_malloc.c:233)
==9315==    by 0x415B010: g_free (gmem.c:187)
==9315==    by 0x416B674: g_slice_free1 (gslice.c:824)
==9315==    by 0x806BA89: activity_info_free (conn-olpc.c:94)
==9315==    by 0x4146C56: g_hash_node_destroy (ghash.c:768)
==9315==    by 0x41475F6: g_hash_table_remove (ghash.c:433)
==9315==    by 0x806B984: decrement_contacts_activities_list_foreach (conn-olpc.c:121)
==9315==    by 0x416BA0E: g_slist_foreach (gslist.c:468)
==9315==    by 0x806B90B: connection_presence_update_cb (conn-olpc.c:1511)
==9315==    by 0x41051CA: g_cclosure_marshal_VOID(unsigned i_xx_t) (gmarshal.c:251)
==9315==    by 0x40F809A: g_closure_invoke (gclosure.c:490)
==9315==    by 0x4108CE2: signal_emit_unlocked_R (gsignal.c:2440)
==9315== 
==9315== Invalid read of size 4
==9315==    at 0x806AEF8: activity_info_get_room (conn-olpc.c:53)
==9315==    by 0x806B93A: decrement_contacts_activities_list_foreach (conn-olpc.c:115)
==9315==    by 0x416BA0E: g_slist_foreach (gslist.c:468)
==9315==    by 0x806CE23: extract_activities (conn-olpc.c:624)
==9315==    by 0x806D099: get_activities_reply_cb (conn-olpc.c:707)
==9315==    by 0x804E19D: message_send_reply_cb (gabble-connection.c:893)
==9315==    by 0x403FF0F: _lm_message_handler_handle_message (lm-message-handler.c:47)
==9315==    by 0x403D87E: connection_incoming_dispatch (lm-connection.c:285)
==9315==    by 0x4153C10: g_main_context_dispatch (gmain.c:2045)
==9315==    by 0x4156C85: g_main_context_iterate (gmain.c:2677)
==9315==    by 0x4157046: g_main_loop_run (gmain.c:2881)
==9315==    by 0x8090D4B: tp_run_connection_manager (run.c:237)
==9315==  Address 0x49479E8 is 8 bytes inside a block of size 16 free'd
==9315==    at 0x401D0CA: free (vg_replace_malloc.c:233)
==9315==    by 0x415B010: g_free (gmem.c:187)
==9315==    by 0x416B674: g_slice_free1 (gslice.c:824)
==9315==    by 0x806BA89: activity_info_free (conn-olpc.c:94)
==9315==    by 0x4146C56: g_hash_node_destroy (ghash.c:768)
==9315==    by 0x41475F6: g_hash_table_remove (ghash.c:433)
==9315==    by 0x806B984: decrement_contacts_activities_list_foreach (conn-olpc.c:121)
==9315==    by 0x416BA0E: g_slist_foreach (n.c:2677)
==9315==    by 0x4157046: g_main_loop_run (gmain.c:2881)
==9315== 
==9315== ERROR SUMMARY: 6 errors from 6 contexts (suppressed: 47 from 2)

Looks like:

 - inspecting handle 0 causes a crash
 - GHashTable is trying to free stuff that's already freed

I'll look at this further tomorrow.

-- 
Dafydd
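An added example, not gabble's code and not from this thread: plain C stand-ins for the hash table and list named in the traces, with the activity_info reference-counted so that removing it from the table inside the list walk cannot free it while the walk still reads it. The struct layout, the function names, the MAX sizes and the `live_objects` counter are assumptions made for the sketch.

```c
#include <stdlib.h>
/* Layout is an assumption modelled on the 16-byte activity_info in the traces; the point
 * is the ownership rule: every holder (table slot, list node) owns one reference. */
typedef struct { unsigned room; int refcount; } ActivityInfo;   /* room 0 = invalid handle */
static int live_objects = 0;   /* test instrumentation: allocated but not yet freed */
static ActivityInfo *activity_info_new(unsigned room) {
    ActivityInfo *a = calloc(1, sizeof *a);
    a->room = room; a->refcount = 1; live_objects++;
    return a;
}
static ActivityInfo *activity_info_ref(ActivityInfo *a) { a->refcount++; return a; }
static void activity_info_unref(ActivityInfo *a) {
    if (--a->refcount == 0) { live_objects--; free(a); }
}
/* Stand-ins for the GHashTable and GSList in the traces; the table's value-destroy
 * function is activity_info_unref, as g_hash_table_remove would call it. */
#define MAX 8
typedef struct { ActivityInfo *slots[MAX]; } Table;
typedef struct { ActivityInfo *items[MAX]; int n; } List;
static void table_remove(Table *t, unsigned room) {
    for (int i = 0; i < MAX; i++)
        if (t->slots[i] && t->slots[i]->room == room) {
            activity_info_unref(t->slots[i]);   /* value-destroy callback */
            t->slots[i] = NULL;
        }
}
/* Plays the role of decrement_contacts_activities_list_foreach: drop each activity from the
 * table, then keep using it; the list's own reference makes the reads after removal valid. */
static int drop_contact_activities(Table *t, List *l) {
    int sole_owner = 0;
    for (int i = 0; i < l->n; i++) {
        ActivityInfo *a = l->items[i];
        if (a->room != 0) {                     /* handle 0 is invalid: nothing to look up */
            table_remove(t, a->room);
            if (a->refcount == 1) sole_owner++; /* list is now the last holder */
        }
        activity_info_unref(a);                 /* list releases its reference last */
    }
    l->n = 0;
    return sole_owner;
}
/* Constructed scenario: two activities shared by table and list, plus a handle-0 entry. */
static int run_scenario(void) {
    Table t = {{0}}; List l = {{0}, 0};
    ActivityInfo *a = activity_info_new(101), *b = activity_info_new(202);
    t.slots[0] = a; t.slots[1] = b;                             /* table keeps the initial refs */
    l.items[0] = activity_info_ref(a); l.items[1] = activity_info_ref(b);
    l.items[2] = activity_info_new(0); l.n = 3;                 /* list-only, invalid handle */
    return drop_contact_activities(&t, &l);                     /* 2; live_objects is then 0 */
}
```

Run under valgrind, a build of this pattern reports no invalid reads, because the list's reference outlives the table's destroy callback.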
