Bug 39768

Summary: telepathy-gabble crashed with SIGSEGV in tpy_base_media_call_stream_set_relay_info()
Product: Telepathy Reporter: Pedro Villavicencio <pvillavi>
Component: gabble Assignee: Telepathy bugs list <telepathy-bugs>
Status: RESOLVED FIXED QA Contact: Telepathy bugs list <telepathy-bugs>
Severity: critical    
Priority: medium Keywords: patch
Version: unspecified   
Hardware: Other   
OS: All   
URL: http://cgit.collabora.com/git/user/wjt/telepathy-gabble-wjt.git/log/?h=39768-call-crash-google-relay
Whiteboard:
Attachments: Call: handle google relay reply after channel dies

Description Pedro Villavicencio 2011-08-02 08:47:39 UTC
This report has been filed here:

https://bugs.launchpad.net/ubuntu/+source/telepathy-gabble/+bug/816636

"Crashed while I was trying to make a video call"

".
Thread 3 (Thread 7105):
#0  0x00007f23b3703093 in __poll (fds=<value optimized out>, nfds=<value optimized out>, timeout=<value optimized out>) at ../sysdeps/unix/sysv/linux/poll.c:87
        resultvar = 18446744073709551100
        oldtype = 0
        result = <value optimized out>
#1  0x00007f23b3a14ac8 in g_main_context_poll (context=0x2152860, block=<value optimized out>, dispatch=1, self=<value optimized out>) at /build/buildd/glib2.0-2.29.14/./glib/gmain.c:3474
        poll_func = 0x7f23b3a23070 <g_poll>
#2  g_main_context_iterate (context=0x2152860, block=<value optimized out>, dispatch=1, self=<value optimized out>) at /build/buildd/glib2.0-2.29.14/./glib/gmain.c:3156
        max_priority = 2147483647
        timeout = -1
        some_ready = <value optimized out>
        nfds = 3
        allocated_nfds = <value optimized out>
        fds = 0x2151af0
#3  0x00007f23b3a152f2 in g_main_loop_run (loop=0x2151e20) at /build/buildd/glib2.0-2.29.14/./glib/gmain.c:3369
        __PRETTY_FUNCTION__ = "g_main_loop_run"
#4  0x00007f23b460f516 in gdbus_shared_thread_func (user_data=<value optimized out>) at /build/buildd/glib2.0-2.29.14/./gio/gdbusprivate.c:276
        data = 0x2151e40
#5  0x00007f23b3a3a086 in g_thread_create_proxy (data=0x2151e70) at /build/buildd/glib2.0-2.29.14/./glib/gthread.c:1962
        thread = 0x2151e70
        __PRETTY_FUNCTION__ = "g_thread_create_proxy"
#6  0x00007f23b5147d8c in start_thread (arg=0x7f23af18f700) at pthread_create.c:304
        pd = 0x7f23af18f700
        now = <value optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {139791238231808, 5281530553112715889, 139791255013824, 139791238232512, 0, 3, -5256657065597214095, -5256635183292751247}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}}
        not_first_call = 0
        robust = <value optimized out>
        sp = <value optimized out>
        freesize = <value optimized out>
        __PRETTY_FUNCTION__ = "start_thread"
#7  0x00007f23b37101dd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
No locals.
#8  0x0000000000000000 in ?? ()
No symbol table info available.
.
Thread 2 (Thread 7103):
#0  0x00007f23b3703093 in __poll (fds=<value optimized out>, nfds=<value optimized out>, timeout=<value optimized out>) at ../sysdeps/unix/sysv/linux/poll.c:87
        resultvar = 18446744073709551100
        oldtype = 0
        result = <value optimized out>
#1  0x00007f23b3a14ac8 in g_main_context_poll (context=0x213ea10, block=<value optimized out>, dispatch=1, self=<value optimized out>) at /build/buildd/glib2.0-2.29.14/./glib/gmain.c:3474
        poll_func = 0x7f23b3a23070 <g_poll>
#2  g_main_context_iterate (context=0x213ea10, block=<value optimized out>, dispatch=1, self=<value optimized out>) at /build/buildd/glib2.0-2.29.14/./glib/gmain.c:3156
        max_priority = 2147483647
        timeout = -1
        some_ready = <value optimized out>
        nfds = 1
        allocated_nfds = <value optimized out>
        fds = 0x20e5400
#3  0x00007f23b3a152f2 in g_main_loop_run (loop=0x20e53e0) at /build/buildd/glib2.0-2.29.14/./glib/gmain.c:3369
        __PRETTY_FUNCTION__ = "g_main_loop_run"
#4  0x00007f23b0196a0b in dconf_context_thread (data=<value optimized out>) at dconfcontext.c:11
        context = 0x213ea10
        loop = <value optimized out>
        __PRETTY_FUNCTION__ = "dconf_context_thread"
#5  0x00007f23b3a3a086 in g_thread_create_proxy (data=0x213e960) at /build/buildd/glib2.0-2.29.14/./glib/gthread.c:1962
        thread = 0x213e960
        __PRETTY_FUNCTION__ = "g_thread_create_proxy"
#6  0x00007f23b5147d8c in start_thread (arg=0x7f23b0191700) at pthread_create.c:304
        pd = 0x7f23b0191700
        now = <value optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {139791255017216, 5281530553112715889, 140733418415360, 139791255017920, 0, 3, -5256646086587063695, -5256635183292751247}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}}
        not_first_call = 0
        robust = <value optimized out>
        sp = <value optimized out>
        freesize = <value optimized out>
        __PRETTY_FUNCTION__ = "start_thread"
#7  0x00007f23b37101dd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
No locals.
#8  0x0000000000000000 in ?? ()
No symbol table info available.
.
Thread 1 (Thread 7102):
#0  tpy_base_media_call_stream_set_relay_info (self=<value optimized out>, relays=0x2a41940) at base-media-call-stream.c:210
        priv = 0xaaaaaaaaaaaaaaaa
        __PRETTY_FUNCTION__ = "tpy_base_media_call_stream_set_relay_info"
#1  0x0000000000488566 in relay_session_data_call (p=<value optimized out>) at jingle-factory.c:1030
        rsd = <value optimized out>
#2  0x0000000000488648 in on_http_response (soup=<value optimized out>, msg=<value optimized out>, user_data=0x2a724a0) at jingle-factory.c:1190
        rsd = 0x2a724a0
        __PRETTY_FUNCTION__ = "on_http_response"
#3  0x00007f23b48d147a in process_queue_item (item=0x215d000, should_prune=0x7fff0d69b33c, loop=1) at soup-session-async.c:383
        session = 0x20c8b30
        proxy_resolver = <value optimized out>
#4  0x00007f23b48d16cb in run_queue (sa=<value optimized out>) at soup-session-async.c:418
        session = 0x20c8b30
        queue = 0x2125400
        item = 0x215d000
        msg = <value optimized out>
        try_pruning = 1
        should_prune = 0
#5  0x00007f23b48d1d13 in idle_run_queue (sa=0x20c8b30) at soup-session-async.c:441
        priv = <value optimized out>
#6  0x00007f23b3a145bd in g_main_dispatch (context=0x20bc010) at /build/buildd/glib2.0-2.29.14/./glib/gmain.c:2500
        dispatch = 0x7f23b3a10290 <g_idle_dispatch>
        was_in_call = 0
        user_data = 0x20c8b30
        callback = 0x7f23b48d1cf0 <idle_run_queue>
        cb_funcs = 0x7f23b3cc4650
        cb_data = 0x2a96f80
        current_source_link = {data = 0x2a56570, next = 0x0}
        need_destroy = <value optimized out>
        source = 0x2a56570
        current = 0x20d4080
        i = <value optimized out>
#7  g_main_context_dispatch (context=0x20bc010) at /build/buildd/glib2.0-2.29.14/./glib/gmain.c:3083
No locals.
#8  0x00007f23b3a14db8 in g_main_context_iterate (context=0x20bc010, block=<value optimized out>, dispatch=1, self=<value optimized out>) at /build/buildd/glib2.0-2.29.14/./glib/gmain.c:3161
        max_priority = 0
        timeout = 0
        some_ready = 1
        nfds = 11
        allocated_nfds = <value optimized out>
        fds = <value optimized out>
#9  0x00007f23b3a152f2 in g_main_loop_run (loop=0x20c2400) at /build/buildd/glib2.0-2.29.14/./glib/gmain.c:3369
        __PRETTY_FUNCTION__ = "g_main_loop_run"
#10 0x00007f23b4bf9d3f in tp_run_connection_manager (prog_name=<value optimized out>, version=<value optimized out>, construct_cm=<value optimized out>, argc=<value optimized out>, argv=<value optimized out>) at run.c:285
        connection = 0x20b91a0
        bus_daemon = 0x20be090
        error = 0x0
        ret = 1
        __PRETTY_FUNCTION__ = "tp_run_connection_manager"
#11 0x00000000004320da in gabble_main (argc=1, argv=0x7fff0d69b5e8) at gabble.c:177
        loader = 0x20b5720
        out = <value optimized out>
        fatal_mask = <value optimized out>
#12 0x00007f23b3648e1f in __libc_start_main (main=0x431cc0 <main>, argc=1, ubp_av=0x7fff0d69b5e8, init=<value optimized out>, fini=<value optimized out>, rtld_fini=<value optimized out>, stack_end=0x7fff0d69b5d8) at libc-start.c:226
        result = <value optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {0, 5281530553112715889, 4398304, 140733418419680, 0, 0, -5281069946136698255, -5256647688609078671}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x503330, 0x7fff0d69b5e8}, data = {prev = 0x0, cleanup = 0x0, canceltype = 5255984}}}
        not_first_call = <value optimized out>
#13 0x0000000000431d09 in _start ()
No symbol table info available."
Comment 1 Will Thompson 2011-09-20 08:06:01 UTC
Here's a fix, and a regression test.
Comment 2 Will Thompson 2011-09-20 08:48:40 UTC
Created attachment 51408
Call: handle google relay reply after channel dies

Previously, if the Google relay server replied to our HTTP request after
the Call channel had already gone away, we'd crash.

Fixes: <http://bugs.freedesktop.org/show_bug.cgi?id=39768>
Comment 3 Will Thompson 2011-09-20 08:49:58 UTC
Thanks for the report! This bug will be fixed in the next stable and unstable releases of Gabble: 0.12.7 and 0.13.6. The attached patch addresses the crash.
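
The failure described in Comment 2 (the relay server's HTTP reply arriving after the Call channel has gone away, with `priv = 0xaaaaaaaaaaaaaaaa` in frame #0 of Thread 1) is an asynchronous callback dereferencing an object that no longer exists. The sketch below is an added illustration, not the attached patch and not Gabble code: `Stream`, `RelayRequest` and the function names are hypothetical, and it shows one common defence, clearing the request's back-pointer at teardown and checking it in the callback.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-ins for the call stream and the in-flight relay request. */
typedef struct Stream Stream;
typedef struct { Stream *stream; } RelayRequest;  /* weak back-pointer */
struct Stream { int n_relays; RelayRequest *pending; };

static RelayRequest *relay_request_new(Stream *s) {
    RelayRequest *r = calloc(1, sizeof *r);
    if (r == NULL) abort();
    r->stream = s;      /* not an owning reference */
    s->pending = r;     /* lets teardown find and clear it */
    return r;
}

/* Teardown clears the request's pointer before the memory is released. */
static void stream_dispose(Stream *s) {
    if (s->pending != NULL) s->pending->stream = NULL;
    free(s);
}

/* HTTP completion callback: 1 if relay info was applied, 0 if reply dropped. */
static int on_relay_response(RelayRequest *r, int n_relays) {
    int applied = 0;
    if (r->stream != NULL) {          /* stream still alive? */
        r->stream->n_relays = n_relays;
        r->stream->pending = NULL;    /* request is finished */
        applied = 1;
    }
    free(r);
    return applied;
}

/* Constructed scenario: late=1 means the reply arrives after teardown. */
int simulate(int late) {
    Stream *s = calloc(1, sizeof *s);
    if (s == NULL) abort();
    RelayRequest *r = relay_request_new(s);
    if (late) stream_dispose(s);
    int applied = on_relay_response(r, 3);
    if (!late) stream_dispose(s);
    return applied;
}

int main(void) {
    printf("reply before teardown: applied=%d\n", simulate(0));
    printf("reply after teardown:  applied=%d\n", simulate(1));
    return 0;
}
```

Without the NULL check in `on_relay_response`, the late case would write through a freed `Stream`, which is the class of crash the backtrace shows.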
