telepathy-gabble crashed with SIGSEGV in tp_base_channel_close()

Bug #1020317 reported by Anders Kaseorg on 2012-07-02
This bug affects 177 people
Affects                             Status        Importance  Assigned to  Milestone
telepathy-gabble                    Fix Released  Medium
telepathy-gabble (Ubuntu)           Fix Released  Medium      Unassigned
telepathy-gabble (Ubuntu Precise)   Fix Released  High        Unassigned

Bug Description

* Impact:
That's a frequent segfault in the Jabber provider used by Ubuntu.

* Test Case:
No specific test case or easy way to trigger the bug; verify that Jabber keeps working fine in Empathy and watch errors.ubuntu.com for new reports.

* Regression potential:
Verify that Jabber keeps working fine in Empathy.

Anders Kaseorg (andersk) wrote :

StacktraceTop:
 tp_base_channel_close (chan=0x742f656c62626167) at base-channel.c:403
 close_all (self=self@entry=0x1fba360) at server-tls-manager.c:126
 connection_status_changed_cb (user_data=0x1fba360, conn=<optimized out>, status=<optimized out>, reason=<optimized out>) at server-tls-manager.c:141
 connection_status_changed_cb (conn=<optimized out>, status=2, reason=<optimized out>, user_data=0x1fba360) at server-tls-manager.c:130
 ffi_call_unix64 () at ../src/x86/unix64.S:75

Changed in telepathy-gabble (Ubuntu):
importance: Undecided → Medium
tags: removed: need-amd64-retrace
tags: added: running-unity
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in telepathy-gabble (Ubuntu):
status: New → Confirmed
Anders Kaseorg (andersk) on 2012-07-11
visibility: private → public

I was manually stress testing my SSO accounts (GTalk, Facebook and Windows Live) by connecting/disconnecting them and Gabble crashed.

#0 tp_base_channel_close (chan=0x742f656c62626167) at base-channel.c:402
        klass = <optimized out>
        __PRETTY_FUNCTION__ = "tp_base_channel_close"
#1 0x000000000048f758 in close_all (self=self@entry=0x1875480)
    at server-tls-manager.c:126
        l = 0x219a2f0
#2 0x000000000048f858 in connection_status_changed_cb (user_data=0x1875480,
    conn=<optimized out>, status=<optimized out>, reason=<optimized out>)
    at server-tls-manager.c:141
No locals.
#3 connection_status_changed_cb (conn=<optimized out>, status=2,
    reason=<optimized out>, user_data=0x1875480) at server-tls-manager.c:130
        self = 0x1875480
#4 0x00007fc260385bb8 in ffi_call_unix64 () at ../src/x86/unix64.S:75
No locals.
#5 0x00007fc2603855c0 in ffi_call (cif=cif@entry=0x7ffffc0767a0,
    fn=fn@entry=0x48f800 <connection_status_changed_cb>,
    rvalue=0x7ffffc076700, avalue=avalue@entry=0x7ffffc0766a0)
    at ../src/x86/ffi64.c:492
        classes = {X86_64_INTEGER_CLASS, X86_64_NO_CLASS, 4228343584, 32767}
        stack = 0x7ffffc0764f0 "\220"
        argp = 0x7ffffc0765a0 ""
        arg_types = <optimized out>
        gprcount = 4
        ssecount = <optimized out>
        ngpr = 1
        nsse = 0
        i = <optimized out>
        avn = <optimized out>
        ret_in_memory = <optimized out>
        reg_args = 0x7ffffc0764f0
#6 0x00007fc2621749bb in g_cclosure_marshal_generic (closure=0x1be9fd0,
    return_gvalue=0x0, n_param_values=<optimized out>,
    param_values=<optimized out>, invocation_hint=<optimized out>,
    marshal_data=0x48f800)
    at /build/buildd/glib2.0-2.33.6/./gobject/gclosure.c:1454
        rtype = <optimized out>
        rvalue = 0x7ffffc076700
        n_args = 4
        atypes = 0x7ffffc0766d0
        args = 0x7ffffc0766a0
        i = <optimized out>
        cif = {abi = FFI_UNIX64, nargs = 4, arg_types = 0x7ffffc0766d0,
          rtype = 0x7fc260385fa0, bytes = 0, flags = 0}
        cc = 0x1be9fd0
        enum_tmpval = 0x7ffffc076720
        tmpval_used = 0
#7 0x00007fc262174050 in g_closure_invoke (closure=0x1be9fd0,
    return_value=0x0, n_param_values=3, param_values=0x7ffffc0769f0,
    invocation_hint=0x7ffffc076990)
    at /build/buildd/glib2.0-2.33.6/./gobject/gclosure.c:777
        marshal = 0x7fc2621747c0 <g_cclosure_marshal_generic>
        marshal_data = 0x0
        in_marshal = 0
        real_closure = 0x1be9fb0
        __PRETTY_FUNCTION__ = "g_closure_invoke"
#8 0x00007fc262185d30 in signal_emit_unlocked_R (node=node@entry=0x189c8f0,
    detail=detail@entry=0, instance=instance@entry=0x18a6a30,
    emission_return=emission_return@entry=0x0,
    instance_and_params=instance_and_params@entry=0x7ffffc0769f0)
    at /build/buildd/glib2.0-2.33.6/./gobject/gsignal.c:3551
        tmp = <optimized out>
        handler = 0x18e9e10
        accumulator = 0x0
        emission = {next = 0x0, instance = 0x18a6a30, ihint = {signal_id = 15,
            detail = 0, run_type = G_SIGNAL_RUN_FIRST}, state = EMISSION_RUN,
          chain_type = 4}
        class_closure = 0x0
     ...
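The chan argument in frame #0 (0x742f656c62626167) is not a plausible heap address: every byte is printable ASCII, which is what a freed object looks like when its memory has since been reused for a string. As an added triage example (not part of the report and not Gabble code), the following C reads the value as the eight bytes it occupies in little-endian x86-64 memory; on this trace it comes out as "gabble/t":

```c
#include <ctype.h>
#include <stdint.h>
#include <string.h>

/* Writes the 8 bytes of `value` in little-endian (x86-64 memory) order into
 * out[0..7], NUL-terminates, and returns 1 if every byte is printable ASCII.
 * A "pointer" that passes this check almost never points at a live object. */
static int pointer_as_ascii(uint64_t value, char out[9])
{
    int printable = 1;
    for (int i = 0; i < 8; i++) {
        unsigned char b = (unsigned char)(value >> (8 * i));
        out[i] = (char)b;
        if (!isprint(b))
            printable = 0;
    }
    out[8] = '\0';
    return printable;
}

/* Convenience check that needs no caller-side buffer. */
static int is_text_pointer(uint64_t value)
{
    char scratch[9];
    return pointer_as_ascii(value, scratch);
}

/* The chan value from frame #0 of the trace above, decoded into a static buffer. */
static const char *trace_pointer_text(void)
{
    static char text[9];
    pointer_as_ascii(0x742f656c62626167ULL, text);
    return text;
}
```

Compare with the self pointer in the same frames (0x1875480), whose low byte 0x80 is not printable: that one is a real heap address, the chan one is the contents of a string.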

*** Bug 53200 has been marked as a duplicate of this bug. ***

Bilal Shahid (s9iper1) wrote :

Already reported on freedesktop; adding the link to the upstream bug:
https://bugs.freedesktop.org/show_bug.cgi?id=53087

Changed in telepathy-gabble (Ubuntu):
status: Confirmed → Triaged
Changed in telepathy-gabble:
importance: Unknown → Medium
status: Unknown → Confirmed

Created attachment 65271
Other trace

Here is another trace when Gabble crashed because of an SSO auth error (the token expired).

I believe that Jonny already fixed this with 5de7189fa93918cc1dda3bfdf8d5833b63e43020 (f88ae541292e0ff4abd9214bef4c7b99a55dc4e9 in the stable branch, which is not included in the 0.16.1 release).

Changed in telepathy-gabble:
status: Confirmed → Fix Released
tags: added: bugpattern-needed
Rainer Rohde (rainer-rohde) wrote :

Just crashed on me when opening up (and closing again) Empathy via the Message Menu in the Panel.

Rainer Rohde (rainer-rohde) wrote :

And again...

Rainer Rohde (rainer-rohde) wrote :

Happened again just now. Beta1.

I also got this crash, shortly after login on Ubuntu 12.10 Beta 1. I cannot recall doing anything to trigger the crash.

Guillaume Desmottes (cassidy) wrote :

This crash is fixed in telepathy-gabble 0.16.2 (but best to update to 0.16.3).

See https://bugs.freedesktop.org/show_bug.cgi?id=53087

For me, crashed in 12.04.1 (fully updated) after two suspend/resume cycles (suspend to RAM).

John Carlson (yottzumm) wrote :

When can we see a fix for Ubuntu 12.04? Or let me know that the package is available for download. Thanks, John

Changed in telepathy-gabble (Ubuntu):
status: Triaged → Fix Committed
Changed in telepathy-gabble (Ubuntu Precise):
importance: Undecided → High
status: New → In Progress
description: updated
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package telepathy-gabble - 0.16.4-0ubuntu1

---------------
telepathy-gabble (0.16.4-0ubuntu1) raring; urgency=low

  * New upstream version, drop patches included in the update
    - don't segfault in tp_base_channel_close() (lp: #1020317)
    - don't segfault in gabble_muc_factory_broadcast_presence()
      (lp: #1044705)
 -- Sebastien Bacher <email address hidden> Thu, 28 Feb 2013 11:05:43 +0100

Changed in telepathy-gabble (Ubuntu):
status: Fix Committed → Fix Released

Hello Anders, or anyone else affected,

Accepted telepathy-gabble into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/telepathy-gabble/0.16.0-0ubuntu3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in telepathy-gabble (Ubuntu Precise):
status: In Progress → Fix Committed
tags: added: verification-needed
Brian Murray (brian-murray) wrote :

Our current SRU policy indicates that this should also be fixed in Quantal, which it is not. However, the Ubuntu release team will be having a discussion regarding this policy and whether or not it still makes sense. Subsequently, I've accepted this into precise-proposed pending the outcome of that discussion.

Brian Murray (brian-murray) wrote :

Looking at the error bucket I previously mentioned one does not see 0.16.0-0ubuntu3 in the list of packages which indicates that this crash was indeed fixed. Subsequently, I am setting the tag to verification-done.

tags: added: verification-done
removed: verification-needed

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package telepathy-gabble - 0.16.0-0ubuntu3

---------------
telepathy-gabble (0.16.0-0ubuntu3) precise; urgency=low

  * git_deal_with_iterate_updates.patch: to fix a potential use-after-free
    when disconnecting with TLS verification channels open (lp: #1020317)
 -- Sebastien Bacher <email address hidden> Thu, 28 Feb 2013 11:32:52 +0100

Changed in telepathy-gabble (Ubuntu Precise):
status: Fix Committed → Fix Released
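The changelog describes the defect as a use-after-free when disconnecting with TLS verification channels open, and the patch name points at the list that close_all() (frame #1 in the traces) iterates being updated underneath it: closing a channel synchronously fires a "closed" handler that unlinks the channel from that same list, so the loop's next step reads a node that has just been freed. The upstream change itself is not shown on this page. As an added example (not Gabble's code), the self-contained C below reconstructs that shape with a hypothetical manager, channel and callback, parks released nodes in a quarantine instead of calling free() so the stale read can be counted rather than crash, and shows the snapshot-before-iterate fix:

```c
#include <stdlib.h>
#include <string.h>

#define MAX_CHANNELS 8

struct manager;

/* Stand-in for a TLS verification channel (hypothetical, not Gabble's type). */
struct channel {
    int id;
    int closed;
    struct manager *mgr;
};

/* Singly linked list node, the role GSList plays in the real code. */
struct node {
    struct channel *chan;
    struct node *next;
};

struct manager {
    struct node *channels;                /* open channels, newest first */
    /* Released nodes are parked here instead of going back to malloc, so a
     * stale read in the buggy loop stays defined behaviour and can be counted.
     * A real free() lets the bytes be reused, which is what the ASCII-looking
     * chan pointer in the trace suggests happened. */
    struct node *quarantine[MAX_CHANNELS];
    size_t n_quarantined;
    int stale_reads;                      /* nodes touched after release */
};

static int is_released(const struct manager *m, const struct node *n)
{
    for (size_t i = 0; i < m->n_quarantined; i++)
        if (m->quarantine[i] == n)
            return 1;
    return 0;
}

/* Plays the part of the channel's "closed" handler: unlink the node that
 * refers to this channel from the manager's list and release it. */
static void channel_closed_cb(struct channel *c)
{
    struct manager *m = c->mgr;
    for (struct node **pp = &m->channels; *pp != NULL; pp = &(*pp)->next) {
        if ((*pp)->chan == c) {
            struct node *victim = *pp;
            *pp = victim->next;
            m->quarantine[m->n_quarantined++] = victim;   /* stands in for free(victim) */
            return;
        }
    }
}

static void channel_close(struct channel *c)
{
    if (c->closed)
        return;
    c->closed = 1;
    channel_closed_cb(c);   /* synchronous, like a GObject signal emission */
}

/* Buggy shape: walk the live list while each close unlinks and releases the
 * node we are standing on; the `l = l->next` step then reads freed memory. */
static int close_all_buggy(struct manager *m)
{
    int closed = 0;
    for (struct node *l = m->channels; l != NULL; l = l->next) {
        channel_close(l->chan);
        closed++;
        if (is_released(m, l))
            m->stale_reads++;   /* the l->next that follows is a use-after-free */
    }
    return closed;
}

/* Fixed shape: snapshot the channel pointers before closing anything, so the
 * loop never dereferences a node the callback may have released. */
static int close_all_fixed(struct manager *m)
{
    struct channel *snapshot[MAX_CHANNELS];
    size_t n = 0;
    for (struct node *l = m->channels; l != NULL && n < MAX_CHANNELS; l = l->next)
        snapshot[n++] = l->chan;
    for (size_t i = 0; i < n; i++)
        channel_close(snapshot[i]);
    return (int)n;
}

struct result { int closed; int stale_reads; int remaining; };

/* Builds a manager with three open channels (constructed sample data), runs
 * one of the two close_all variants and reports what happened. */
static struct result run_scenario(int use_fixed)
{
    struct manager m;
    struct channel chans[3];
    struct result r = { 0, 0, 0 };
    memset(&m, 0, sizeof m);
    for (int i = 0; i < 3; i++) {
        chans[i].id = i; chans[i].closed = 0; chans[i].mgr = &m;
        struct node *n = malloc(sizeof *n);
        if (n == NULL)
            abort();
        n->chan = &chans[i];
        n->next = m.channels;
        m.channels = n;
    }
    r.closed = use_fixed ? close_all_fixed(&m) : close_all_buggy(&m);
    r.stale_reads = m.stale_reads;
    for (struct node *l = m.channels; l != NULL; l = l->next)
        r.remaining++;
    for (size_t i = 0; i < m.n_quarantined; i++)
        free(m.quarantine[i]);   /* genuinely release them once the walk is over */
    return r;
}
```

Both variants close all three channels and leave the list empty, but the buggy loop reads from a released node once per channel, which is exactly the access that becomes a random pointer (or, as in the trace above, the bytes of a string) once the allocator hands the memory out again. Copying the list before iterating, or repeatedly popping the head, are the two idiomatic GLib ways of getting the fixed shape.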