[Bug 44671] New: Assertion failure in contacts_context_continue() when fuzzing

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Wed Jan 11 13:54:11 CET 2012


https://bugs.freedesktop.org/show_bug.cgi?id=44671

             Bug #: 44671
           Summary: Assertion failure in contacts_context_continue() when
                    fuzzing
    Classification: Unclassified
           Product: Telepathy
           Version: unspecified
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: major
          Priority: medium
         Component: tp-glib
        AssignedTo: telepathy-bugs at lists.freedesktop.org
        ReportedBy: bugzilla at tecnocode.co.uk
         QAContact: telepathy-bugs at lists.freedesktop.org


I've been fuzz testing Empathy/folks using a fake CM (which I really should
blog about soon), and managed to cause the following crash:

Core was generated by `/opt/gnome3/build/bin/empathy'.
Program terminated with signal 6, Aborted.
#0  0x0000003f41e36285 in raise () from /lib64/libc.so.6
(gdb) t a a bt

Thread 3 (Thread 0x7fffed1eb700 (LWP 16208)):
#0  0x0000003f41ee6af3 in poll () from /lib64/libc.so.6
#1  0x00007ffff26df68b in g_poll (fds=0x7fffe80010e0, nfds=3, timeout=-1) at
gpoll.c:132
#2  0x00007ffff26ceea5 in g_main_context_poll (context=0x8bbde0, timeout=-1,
priority=2147483647, fds=0x7fffe80010e0, n_fds=3)
    at gmain.c:3415
#3  0x00007ffff26ce835 in g_main_context_iterate (context=0x8bbde0, block=1,
dispatch=1, self=0x8bcd90) at gmain.c:3116
#4  0x00007ffff26cec86 in g_main_loop_run (loop=0x8bbd90) at gmain.c:3315
#5  0x00007ffff310d9e8 in gdbus_shared_thread_func (user_data=0x8bbdb0) at
gdbusprivate.c:276
#6  0x00007ffff26f97e8 in g_thread_proxy (data=0x8bcd90) at gthread.c:801
#7  0x0000003f42607d90 in start_thread () from /lib64/libpthread.so.0
#8  0x0000003f41eef48d in clone () from /lib64/libc.so.6

Thread 2 (Thread 0x7fffe339d700 (LWP 16209)):
#0  0x0000003f4260be4f in pthread_cond_timedwait@@GLIBC_2.3.2 () from
/lib64/libpthread.so.0
#1  0x00007ffff271b9a9 in g_cond_wait_until (cond=0xa213f8, mutex=0xa213f0,
end_time=296617946261) at gthread-posix.c:870
#2  0x00007ffff26999e0 in g_cond_timed_wait (cond=0xa213f8, mutex=0xa213f0,
abs_time=0x7fffe339cb80)
    at deprecated/gthread-deprecated.c:1585
#3  0x00007ffff269bc8f in g_async_queue_pop_intern_unlocked (queue=0xa213f0,
wait=1, end_time=0x7fffe339cb80) at gasyncqueue.c:418
#4  0x00007ffff269bed9 in g_async_queue_timed_pop (queue=0xa213f0,
end_time=0x7fffe339cb80) at gasyncqueue.c:542
#5  0x00007ffff26f9bdd in g_thread_pool_wait_for_new_pool () at
gthreadpool.c:174
#6  0x00007ffff26f9ec4 in g_thread_pool_thread_proxy (data=0xa212d0) at
gthreadpool.c:374
#7  0x00007ffff26f97e8 in g_thread_proxy (data=0xa1dd40) at gthread.c:801
#8  0x0000003f42607d90 in start_thread () from /lib64/libpthread.so.0
#9  0x0000003f41eef48d in clone () from /lib64/libc.so.6

Thread 1 (Thread 0x7fffee73c9c0 (LWP 16207)):
#0  0x0000003f41e36285 in raise () from /lib64/libc.so.6
#1  0x0000003f41e37b9b in abort () from /lib64/libc.so.6
#2  0x00007ffff26f77f6 in g_assertion_message (domain=0x7ffff5e3f897 "tp-glib",
file=0x7ffff5e3f9c9 "contact.c", line=1839, 
    func=0x7ffff5e41b70 "contacts_context_continue", message=0xb385b0
"assertion failed: (contact->priv->handle != 0)")
    at gtestutils.c:1810
#3  0x00007ffff26f7857 in g_assertion_message_expr (domain=0x7ffff5e3f897
"tp-glib", file=0x7ffff5e3f9c9 "contact.c", line=1839, 
    func=0x7ffff5e41b70 "contacts_context_continue", expr=0x7ffff5e3f9ae
"contact->priv->handle != 0") at gtestutils.c:1821
#4  0x00007ffff5d98024 in contacts_context_continue (c=0xa9ce60) at
contact.c:1839
#5  0x00007ffff5d99ac6 in connection_capabilities_fetched_cb (object=0x8f9580,
res=0xb342a0, user_data=0xa9ce60) at contact.c:2553
#6  0x00007ffff3092162 in g_simple_async_result_complete (simple=0xb342a0) at
gsimpleasyncresult.c:744
#7  0x00007ffff30921ae in complete_in_idle_cb (data=0xb342a0) at
gsimpleasyncresult.c:756
#8  0x00007ffff26d00e3 in g_idle_dispatch (source=0xb43f90,
callback=0x7ffff309217b <complete_in_idle_cb>, user_data=0xb342a0)
    at gmain.c:4632
#9  0x00007ffff26cd9c1 in g_main_dispatch (context=0x77a8f0) at gmain.c:2513
#10 0x00007ffff26ce67d in g_main_context_dispatch (context=0x77a8f0) at
gmain.c:3050
#11 0x00007ffff26ce860 in g_main_context_iterate (context=0x77a8f0, block=1,
dispatch=1, self=0x8a6f80) at gmain.c:3121
#12 0x00007ffff26ce924 in g_main_context_iteration (context=0x77a8f0,
may_block=1) at gmain.c:3182
#13 0x00007ffff30c8e96 in g_application_run (application=0x7bb360, argc=1,
argv=0x7fffffffeca8) at gapplication.c:1599
#14 0x0000000000457da0 in main (argc=1, argv=0x7fffffffeca8) at empathy.c:869
(gdb) bt full
#0  0x0000003f41e36285 in raise () from /lib64/libc.so.6
No symbol table info available.
#1  0x0000003f41e37b9b in abort () from /lib64/libc.so.6
No symbol table info available.
#2  0x00007ffff26f77f6 in g_assertion_message (domain=0x7ffff5e3f897 "tp-glib",
file=0x7ffff5e3f9c9 "contact.c", line=1839, 
    func=0x7ffff5e41b70 "contacts_context_continue", message=0xb385b0
"assertion failed: (contact->priv->handle != 0)")
    at gtestutils.c:1810
        lstr =
"1839\000\177\000\000\250yh\362\377\177\000\000\320\350\377\377\377\177\000\000`Ω\000\000\000\000"
        s = 0xad94d0 ""
#3  0x00007ffff26f7857 in g_assertion_message_expr (domain=0x7ffff5e3f897
"tp-glib", file=0x7ffff5e3f9c9 "contact.c", line=1839, 
    func=0x7ffff5e41b70 "contacts_context_continue", expr=0x7ffff5e3f9ae
"contact->priv->handle != 0") at gtestutils.c:1821
        s = 0xb385b0 "assertion failed: (contact->priv->handle != 0)"
#4  0x00007ffff5d98024 in contacts_context_continue (c=0xa9ce60) at
contact.c:1839
        contact = 0xb41900
        i = 0
        __PRETTY_FUNCTION__ = "contacts_context_continue"
#5  0x00007ffff5d99ac6 in connection_capabilities_fetched_cb (object=0x8f9580,
res=0xb342a0, user_data=0xa9ce60) at contact.c:2553
        c = 0xa9ce60
        __PRETTY_FUNCTION__ = "connection_capabilities_fetched_cb"
#6  0x00007ffff3092162 in g_simple_async_result_complete (simple=0xb342a0) at
gsimpleasyncresult.c:744
        current_source = 0xb43f90
        current_context = 0x77a8f0
        __PRETTY_FUNCTION__ = "g_simple_async_result_complete"
#7  0x00007ffff30921ae in complete_in_idle_cb (data=0xb342a0) at
gsimpleasyncresult.c:756
        simple = 0xb342a0
#8  0x00007ffff26d00e3 in g_idle_dispatch (source=0xb43f90,
callback=0x7ffff309217b <complete_in_idle_cb>, user_data=0xb342a0)
    at gmain.c:4632
No locals.
#9  0x00007ffff26cd9c1 in g_main_dispatch (context=0x77a8f0) at gmain.c:2513
        dispatch = 0x7ffff26d0097 <g_idle_dispatch>
        was_in_call = 0
        user_data = 0xb342a0
        callback = 0x7ffff309217b <complete_in_idle_cb>
        cb_funcs = 0x7ffff29bdfe0
        cb_data = 0x905680
        need_destroy = 7827920
        current_source_link = {data = 0xb43f90, next = 0x0}
        source = 0xb43f90
        current = 0x8b9fa0
        i = 0
        __PRETTY_FUNCTION__ = "g_main_dispatch"
#10 0x00007ffff26ce67d in g_main_context_dispatch (context=0x77a8f0) at
gmain.c:3050
No locals.
#11 0x00007ffff26ce860 in g_main_context_iterate (context=0x77a8f0, block=1,
dispatch=1, self=0x8a6f80) at gmain.c:3121
        max_priority = 0
        timeout = 0
        some_ready = 1
        nfds = 7
        allocated_nfds = 7
        fds = 0xa64d20
---Type <return> to continue, or q <return> to quit---
#12 0x00007ffff26ce924 in g_main_context_iteration (context=0x77a8f0,
may_block=1) at gmain.c:3182
        retval = 1
#13 0x00007ffff30c8e96 in g_application_run (application=0x7bb360, argc=1,
argv=0x7fffffffeca8) at gapplication.c:1599
        arguments = 0x8a4d90
        status = 0
        i = 1
        __PRETTY_FUNCTION__ = "g_application_run"
#14 0x0000000000457da0 in main (argc=1, argv=0x7fffffffeca8) at empathy.c:869
        app = 0x7bb360
        retval = 0
(gdb) frame 4
#4  0x00007ffff5d98024 in contacts_context_continue (c=0xa9ce60) at
contact.c:1839
1839              g_assert (contact->priv->handle != 0);
(gdb) print *contact
$1 = {parent = {g_type_instance = {g_class = 0xac34f0}, ref_count = 1, qdata =
0x0}, priv = 0xb41920}
(gdb) print *contact->priv
$2 = {connection = 0x8f9580, handle = 0, identifier = 0xa2e970 "", has_features
= 231, 
  alias = 0xb1a390 "\t \r \f\r\f\f\t\r\v\n\t\f\r\f\f\v\v\n\t", avatar_token =
0x906c30 "", avatar_file = 0x0, avatar_mime_type = 0x0, 
  presence_type = TP_CONNECTION_PRESENCE_TYPE_AWAY, presence_status = 0xb14dd0
"available", 
  presence_message = 0xa81700 "Status message씓", location = 0x0, client_types =
0x0, capabilities = 0x0, contact_info = 0x0, 
  subscribe = TP_SUBSCRIPTION_STATE_UNKNOWN, publish =
TP_SUBSCRIPTION_STATE_UNKNOWN, publish_request = 0x0, contact_groups = 0x0, 
  is_blocked = 0}
(gdb) print *c
$3 = {refcount = 1, connection = 0x8f9580, contacts = 0xb432c0, handles =
0xb43000, invalid = 0xb33ca0, request_ids = 0x0, 
  request_errors = 0x0, wanted = 247, signature = CB_BY_HANDLE, callback =
{by_handle = 0x7ffff74d7664 <get_contacts_by_handle_cb>, 
    by_id = 0x7ffff74d7664 <get_contacts_by_handle_cb>, upgrade =
0x7ffff74d7664 <get_contacts_by_handle_cb>}, user_data = 0xa6a4c0, 
  destroy = 0, weak_object = 0x8f9580, no_purpose_in_life = 0, todo = {head =
0x0, tail = 0x0, length = 0}, next_index = 0, 
  contacts_have_ids = 0}

I haven't investigated it properly (I should be working on the fuzz tester
instead), but I realise that this is probably caused by the fake CM violating
something in the Tp spec. However, since tp-glib is fairly resilient against
misbehaving CMs in other places, I guess it would make sense to turn this
g_assert() into an if(fail){continue} or similar.
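The "check and skip" shape suggested above, as an added C example that is not part of this report or of telepathy-glib: the Contact and ContactsContext structs, contacts_context_continue_checked() and run_sample() are hypothetical stand-ins for the real tp-glib types, modelled only on the fields visible in the gdb dump.

```c
#include <stddef.h>
#include <stdio.h>
/* Hypothetical models of the TpContact fields the assertion touches and of the
 * context from `print *c`; not tp-glib's real structs. */
typedef struct {
    unsigned int handle;      /* Telepathy handles are never 0 */
    const char  *identifier;
} Contact;
typedef struct {
    Contact **contacts;       /* what the CM reported */
    size_t    n_contacts;
    size_t    invalid[8];     /* indices of rejected contacts */
    size_t    n_invalid;
} ContactsContext;

/* Hardened form of the loop at contact.c:1839: a handle of 0 is bad input from
 * the CM, so record it in c->invalid and skip it rather than abort. */
static size_t contacts_context_continue_checked(ContactsContext *c)
{
    size_t usable = 0;
    for (size_t i = 0; i < c->n_contacts; i++) {
        if (c->contacts[i]->handle == 0) {
            if (c->n_invalid < sizeof c->invalid / sizeof c->invalid[0])
                c->invalid[c->n_invalid++] = i;
            fprintf(stderr, "contact %zu (id \"%s\"): handle 0, skipping\n",
                    i, c->contacts[i]->identifier);
            continue;
        }
        usable++;
    }
    return usable;   /* number of contacts safe to hand to the callback */
}

/* Constructed sample: one contact with handle 0 and identifier "", as in the
 * gdb dump, between two well-formed ones. */
size_t run_sample(size_t *n_invalid_out)
{
    Contact good1 = { 42, "alice@example.com" }, bad = { 0, "" }, good2 = { 43, "bob@example.com" };
    Contact *list[] = { &good1, &bad, &good2 };
    ContactsContext c = { list, 3, { 0 }, 0 };
    size_t usable = contacts_context_continue_checked(&c);
    if (n_invalid_out) *n_invalid_out = c.n_invalid;
    return usable;
}
int main(void)
{
    size_t n_invalid = 0, usable = run_sample(&n_invalid);
    printf("usable=%zu invalid=%zu\n", usable, n_invalid);
    return 0;
}
```

With the sample input the loop reports two usable contacts and one rejected index instead of aborting the whole client.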
