Bug 1380268

Summary: [abrt] xmlFindCharEncodingHandler() not thread safe
Product: [Fedora] Fedora Reporter: Krzysztof Troska <elleander86>
Component: libxml2Assignee: Daniel Veillard <veillard>
Status: CLOSED EOL QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 26CC: athmanem, c.david86, david.cussans, ezwen-redhatbugzilla, mbarnes, mcrha, ole.schoenburg, sbaszczyj, stefano.manocchio, veillard
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Unspecified   
URL: https://retrace.fedoraproject.org/faf/reports/bthash/532f42fcd9d3068c35573d130dfa6b3373b5ee92
Whiteboard: abrt_hash:4a5b2d7ca66009ce69fa02ffff18bbff3dc2b4bc;VARIANT_ID=workstation;
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-05-29 11:40:11 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
File: backtrace
none
File: cgroup
none
File: core_backtrace
none
File: dso_list
none
File: environ
none
File: exploitable
none
File: limits
none
File: maps
none
File: mountinfo
none
File: namespaces
none
File: open_fds
none
File: proc_pid_status
none
File: var_log_messages
none
reproducer (libxml.c) none

Description Krzysztof Troska 2016-09-29 07:10:54 UTC
Version-Release number of selected component:
evolution-data-server-3.20.5-3.fc24

Additional info:
reporter:       libreport-2.7.2
backtrace_rating: 4
cmdline:        /usr/libexec/evolution-addressbook-factory-subprocess --factory ews --bus-name org.gnome.evolution.dataserver.Subprocess.Backend.AddressBookx2627x3 --own-path /org/gnome/evolution/dataserver/Subprocess/Backend/AddressBook/2627/3
crash_function: xmlFindCharEncodingHandler__internal_alias
executable:     /usr/libexec/evolution-addressbook-factory-subprocess
global_pid:     2864
kernel:         4.7.2-201.fc24.x86_64
pkg_fingerprint: 73BD E983 81B4 6521
pkg_vendor:     Fedora Project
runlevel:       N 5
type:           CCpp
uid:            1000

Truncated backtrace:
Thread no. 8 (10 frames)
 #0 xmlFindCharEncodingHandler__internal_alias at encoding.c:1670
 #1 xmlDocDumpFormatMemoryEnc__internal_alias at xmlsave.c:2443
 #2 xmlDocDumpMemory__internal_alias at xmlsave.c:2496
 #3 e_soap_message_persist at e-soap-message.c:1088
 #4 e_ews_message_write_footer at e-ews-message.c:249
 #5 e_ews_connection_get_folder at e-ews-connection.c:5841
 #6 e_ews_connection_get_folder_sync at e-ews-connection.c:5906
 #7 e_ews_connection_try_credentials_sync at e-ews-connection.c:2258
 #8 e_book_backend_ews_authenticate_sync at e-book-backend-ews.c:4263
 #9 e_backend_authenticate_sync at e-backend.c:248

Potential duplicate: bug 1277578

Comment 1 Krzysztof Troska 2016-09-29 07:11:00 UTC
Created attachment 1205832 [details]
File: backtrace

Comment 2 Krzysztof Troska 2016-09-29 07:11:01 UTC
Created attachment 1205833 [details]
File: cgroup

Comment 3 Krzysztof Troska 2016-09-29 07:11:03 UTC
Created attachment 1205834 [details]
File: core_backtrace

Comment 4 Krzysztof Troska 2016-09-29 07:11:05 UTC
Created attachment 1205835 [details]
File: dso_list

Comment 5 Krzysztof Troska 2016-09-29 07:11:06 UTC
Created attachment 1205836 [details]
File: environ

Comment 6 Krzysztof Troska 2016-09-29 07:11:07 UTC
Created attachment 1205837 [details]
File: exploitable

Comment 7 Krzysztof Troska 2016-09-29 07:11:09 UTC
Created attachment 1205838 [details]
File: limits

Comment 8 Krzysztof Troska 2016-09-29 07:11:11 UTC
Created attachment 1205839 [details]
File: maps

Comment 9 Krzysztof Troska 2016-09-29 07:11:12 UTC
Created attachment 1205840 [details]
File: mountinfo

Comment 10 Krzysztof Troska 2016-09-29 07:11:14 UTC
Created attachment 1205841 [details]
File: namespaces

Comment 11 Krzysztof Troska 2016-09-29 07:11:15 UTC
Created attachment 1205842 [details]
File: open_fds

Comment 12 Krzysztof Troska 2016-09-29 07:11:17 UTC
Created attachment 1205843 [details]
File: proc_pid_status

Comment 13 Krzysztof Troska 2016-09-29 07:11:18 UTC
Created attachment 1205844 [details]
File: var_log_messages

Comment 14 Milan Crha 2016-10-05 11:03:08 UTC
Thanks for a bug report. I'm wondering whether this is caused by the same issue as your bug #1380266, only in an address book factory. It's possible, because this particular code is shared between the processes.

Comment 15 Milan Crha 2017-01-12 15:00:48 UTC
*** Bug 1412304 has been marked as a duplicate of this bug. ***

Comment 16 Milan Crha 2017-05-10 13:25:00 UTC
*** Bug 1449551 has been marked as a duplicate of this bug. ***

Comment 17 Milan Crha 2017-05-10 13:37:32 UTC
I think I finally see the cause of the crash. The backtrace has two threads inside xmlFindCharEncodingHandler() at the same line, where one of them crashed. I guess that the function had been called at the same time in both threads for the first time, which means the 'handlers' had been NULL, thus xmlInitCharEncodingHandlers() had been called. Thread interleaving could cause re-initialization of the global 'handlers' variable or anything like that.

I think the best option would be to add thread-safety guards around access to global memory in libxml2, because library users cannot guard each libxml2 call themself, especially when the final application uses other libraries, which also use libxml2 API.

The libxml2 has xmlMutexPtr already, eventually xmlLockLibrary() can be used, thus it might not be a big deal, no?

I'm not sure about xmlInitThreads() though, should it be called from the main thread on an application start? The modules like evolution-ews do not have any main(), it is dynamically loaded in several other background processes and basically any other application can load it, when using evolution/-data-server libraries either directly on indirectly, through language bindings.

I can add some internal locking around libxml2 calls in evolution-ews/evolution-data-server, eventually call some libxml2 initializers, like xmlInitCharEncodingHandlers() and possibly others, if you can point me to them, but at least xmlInitCharEncodingHandlers() has a comment that even public, it is usually not needed to be called outside of the libxml2.

Comment 18 Milan Crha 2017-10-04 07:53:28 UTC
Created attachment 1334075 [details]
reproducer (libxml.c)

This is a reproducer for the issue. The first line contains a command to compile it, the second contains a command to run it and get useful results, aka it counts how many times the call failed either due to crashing or when the xmlFindCharEncodingHandler() returned two different handlers for the same encoding. Either crashing or returning two different handlers are the same wrong, from my point of view.

The program itself just calls xmlFindCharEncodingHandler() in two threads, similarly as the backtrace above.

I even tried to call xmlInitGlobals(); in the main(), but it didn't help (I hoped it'll call the xmlInitCharEncodingHandlers() too). I tried several other calls and realized that xmlInitParser() helps with this particular issue.

It seems to be the right thing to do, at least with some xmlInit... functions, according to their documentation and the notes about multi-threaded applications. I mean, maybe this bug can be closed as "eds/evo did not use libxml2 properly, even when they both are heavily multi-threaded".

I added e_xml_initialize_in_main(), which calls several xmlInit* functions) into evolution-data-server and call it in appropriate main() functions
(for 3.27.1+ [1] and 3.26.2+). I also call it in evolution (for 3.27.1+ [2]
and 3.26.2+).

[1] https://git.gnome.org/browse/evolution-data-server/commit/?id=4ee08887f
[2] https://git.gnome.org/browse/evolution/commit/?id=76a6c1f948

Comment 19 Fedora End Of Life 2018-05-03 08:27:18 UTC
This message is a reminder that Fedora 26 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 26. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora  'version'
of '26'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version'
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not
able to fix it before Fedora 26 is end of life. If you would still like
to see this bug fixed and are able to reproduce it against a later version
of Fedora, you are encouraged  change the 'version' to a later Fedora
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.

Comment 20 Fedora End Of Life 2018-05-29 11:40:11 UTC
Fedora 26 changed to end-of-life (EOL) status on 2018-05-29. Fedora 26
is no longer maintained, which means that it will not receive any
further security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.