Bug 390901
Summary: | pidgin segfaults when logging into XMPP account | | |
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | James Ralston <ralston> |
Component: | pidgin | Assignee: | Warren Togami <wtogami> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | low | Priority: | low |
Version: | 7 | CC: | stu |
Hardware: | All | OS: | Linux |
Fixed In Version: | 2.3.1-1.fc7 | Doc Type: | Bug Fix |
Last Closed: | 2008-01-07 01:18:08 UTC | | |
Description
James Ralston
2007-11-19 19:14:25 UTC
Also, running pidgin repeatedly, I got this on one of the runs:

```
$ /usr/bin/pidgin
libnm_glib_nm_state_cb: dbus returned an error. (org.freedesktop.DBus.Error.ServiceUnknown) The name org.freedesktop.NetworkManager was not provided by any .service files
*** glibc detected *** /usr/bin/pidgin: double free or corruption (fasttop): 0x00000000007707d0 ***
======= Backtrace: =========
/lib64/libc.so.6[0x3f2f870412]
/lib64/libc.so.6(cfree+0x8c)[0x3f2f873b1c]
/usr/lib64/purple-2/libjabber.so.0(jabber_set_buddy_icon+0x4df)[0x2aaab425e87f]
/usr/lib64/purple-2/libjabber.so.0[0x2aaab425e961]
/usr/lib64/purple-2/libjabber.so.0(jabber_iq_parse+0x1c1)[0x2aaab4265a11]
/usr/lib64/purple-2/libjabber.so.0[0x2aaab4271a8a]
/usr/lib64/libxml2.so.2[0x3f3aa3ab3a]
/usr/lib64/libxml2.so.2(xmlParseChunk+0xa6c)[0x3f3aa4710c]
/usr/lib64/purple-2/libjabber.so.0(jabber_parser_process+0x28)[0x2aaab4271968]
/usr/lib64/purple-2/libjabber.so.0[0x2aaab426e534]
/usr/bin/pidgin[0x462cdf]
/lib64/libglib-2.0.so.0(g_main_context_dispatch+0x1b4)[0x3eeb82d224]
/lib64/libglib-2.0.so.0[0x3eeb83005d]
/lib64/libglib-2.0.so.0(g_main_loop_run+0x1ca)[0x3eeb83036a]
/usr/lib64/libgtk-x11-2.0.so.0(gtk_main+0xa3)[0x3c19f2d783]
/usr/bin/pidgin(main+0x8ec)[0x47a6ec]
/lib64/libc.so.6(__libc_start_main+0xf4)[0x3f2f81dab4]
/usr/bin/pidgin[0x429e69]
Aborted (core dumped)
```

Aha; I managed to get pidgin to crash when running with MALLOC_CHECK_=2.
Here's the backtrace:

```
(gdb) thread apply all backtrace full

Thread 2 (process 5571):
#0  0x0000003f2f8c82e6 in *__GI___poll (fds=0x7b10e0, nfds=2, timeout=-1) at ../sysdeps/unix/sysv/linux/poll.c:87
        oldtype = 0
        result = <value optimized out>
#1  0x0000003eeb82feae in g_main_context_iterate (context=0x79d7c0, block=1, dispatch=1, self=<value optimized out>) at gmain.c:2979
        max_priority = 2147483647
        timeout = -1
        some_ready = <value optimized out>
        nfds = 2
        allocated_nfds = <value optimized out>
        fds = (GPollFD *) 0x7b10e0
        __PRETTY_FUNCTION__ = "g_main_context_iterate"
#2  0x0000003eeb83036a in IA__g_main_loop_run (loop=0x7bafe0) at gmain.c:2881
        got_ownership = <value optimized out>
        self = (GThread *) 0x77a710
        __PRETTY_FUNCTION__ = "IA__g_main_loop_run"
#3  0x000000390e803393 in libnm_glib_dbus_worker (user_data=0x77a460) at libnm_glib.c:425
        ctx = <value optimized out>
        __PRETTY_FUNCTION__ = "libnm_glib_dbus_worker"
#4  0x0000003eeb849354 in g_thread_create_proxy (data=0x77a710) at gthread.c:594
        __PRETTY_FUNCTION__ = "g_thread_create_proxy"
#5  0x0000003f318062f7 in start_thread (arg=<value optimized out>) at pthread_create.c:296
        __res = <value optimized out>
        pd = (struct pthread *) 0x40a00950
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {1084229968, 8700715749864488798, 0, 1084229968, 1084231680, 4096, 8700857311950913374, 8701312785833508702}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}}
        not_first_call = 0
        robust = <value optimized out>
#6  0x0000003f2f8d0fbd in clone () from /lib64/libc.so.6
        fstab_state = {fs_fp = 0x0, fs_buffer = 0x0, fs_mntres = {mnt_fsname = 0x0, mnt_dir = 0x0, mnt_type = 0x0, mnt_opts = 0x0, mnt_freq = 0, mnt_passno = 0}, fs_ret = {fs_spec = 0x0, fs_file = 0x0, fs_vfstype = 0x0, fs_mntops = 0x0, fs_type = 0x0, fs_freq = 0, fs_passno = 0}}
        __elf_set___libc_subfreeres_element_fstab_free__ = (const void *) 0x3f2f907360

Thread 1 (process 5570):
#0  0x0000003f2f8305c5 in *__GI_raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
        pid = <value optimized out>
        selftid = 0
#1  0x0000003f2f832070 in *__GI_abort () at abort.c:88
        act = {__sigaction_handler = {sa_handler = 0xee28d0, sa_sigaction = 0xee28d0}, sa_mask = {__val = {14552944, 15608016, 0, 24, 14209728, 4294967295, 14552944, 15608016, 271383308128, 140735761460096, 271380331152, 24, 270239282257, 8, 15607568, 14571296}}, sa_flags = 15588800, sa_restorer = 0x7fff9911abc0}
        sigs = {__val = {32, 0 <repeats 15 times>}}
#2  0x0000003f2f8742cc in free_check (mem=0xde5720, caller=<value optimized out>) at malloc.c:5892
        p = (mchunkptr) 0x0
#3  0x0000003f2f873ab7 in *__GI___libc_free (mem=0x6) at malloc.c:3586
        ar_ptr = <value optimized out>
        p = <value optimized out>
        hook = (void (*)(void *, const void *)) 0
#4  0x00002aaab425e87f in jabber_set_buddy_icon (gc=0xd161b0, img=0xee2110) at buddy.c:561
        publish = <value optimized out>
        metadata = <value optimized out>
        widthstring = <value optimized out>
        ctx = <value optimized out>
        digest = {8 '\b', 92 '\\', 21 '\025', 68 'D', 201 'É', 226 'â', 140 '\214', 255 'ÿ', 58 ':', 199 'Ç', 27 '\033', 227 'ã', 18 '\022', 63 '?', 203 'Ë', 34 '"', 233 'é', 153 '\231', 42 '*', 88 'X'}
        base64avatar = <value optimized out>
        item = <value optimized out>
        data = <value optimized out>
        info = (xmlnode *) 0xee2710
        lengthstring = 0x15c2 <Address 0x15c2 out of bounds>
        heightstring = <value optimized out>
        hash = <value optimized out>
        gpresence = <value optimized out>
        status = <value optimized out>
#5  0x00002aaab425e961 in jabber_vcard_save_mine (js=0xd163a0, packet=<value optimized out>, data=<value optimized out>) at buddy.c:1149
        vcard = <value optimized out>
        txt = <value optimized out>
        img = (PurpleStoredImage *) 0xee2110
#6  0x00002aaab4265a11 in jabber_iq_parse (js=0xd163a0, packet=0xee2cd0) at iq.c:326
        query = (xmlnode *) 0x0
        error = <value optimized out>
        x = <value optimized out>
        xmlns = <value optimized out>
        type = 0xedec80 "result"
        id = 0xe2b080 "purple6d9f2a1f"
        from = 0x0
        jih = <value optimized out>
#7  0x00002aaab4271a8a in jabber_parser_element_end_libxml (user_data=0x15c2, element_name=<value optimized out>, prefix=0x6 <Address 0x6 out of bounds>, namespace=0xffffffffffffffff <Address 0xffffffffffffffff out of bounds>) at parser.c:116
        packet = (xmlnode *) 0xee2cd0
#8  0x0000003f3aa3ab3a in xmlParseEndTag2 (ctxt=0xedc830, prefix=0x0, URI=0xdbbc17 "jabber:client", line=<value optimized out>, nsNr=0, tlen=1) at parser.c:8305
        name = (const xmlChar *) 0x1 <Address 0x1 out of bounds>
#9  0x0000003f3aa4710c in xmlParseChunk__internal_alias (ctxt=0xedc830, chunk=<value optimized out>, size=<value optimized out>, terminate=0) at parser.c:10048
        prefix = (const xmlChar *) 0xdfaf20000099bf00 <Address 0xdfaf20000099bf00 out of bounds>
        URI = (const xmlChar *) 0xdbbd5c "vcard-temp"
        nsNr = 15616064
        end_in_lf = 0
#10 0x00002aaab4271968 in jabber_parser_process (js=0xd163a0, buf=0x15c2 <Address 0x15c2 out of bounds>, len=6) at parser.c:195
No locals.
#11 0x00002aaab426e534 in jabber_recv_cb_ssl (data=0xd161b0, gsc=0xd62c80, cond=<value optimized out>) at jabber.c:400
        gc = <value optimized out>
        js = (JabberStream *) 0xd163a0
        len = 6
        buf = "LAJES0kIzthirVyH0hmOukVAd4YK1nWyhYKxnvFAtT/va3p59++u9PPf2/z056hnv0SAuTEROwXCyinVDpAj+GgJy3bwsiZw+mPJuKL2bhC6jle3LSVh/Z9l5+xibQFmLu+0ZKpRGbQ81eQ8/ZBFoO3FDpThl6nwp3SE8+aqTmgnpMlMTCyDfT85O/AajKwifpuHgDRD"...
#12 0x0000000000462cdf in pidgin_io_invoke (source=<value optimized out>, condition=<value optimized out>, data=0xc25be0) at gtkeventloop.c:78
        purple_cond = PURPLE_INPUT_READ
#13 0x0000003eeb82d224 in IA__g_main_context_dispatch (context=0x70a880) at gmain.c:2045
No locals.
#14 0x0000003eeb83005d in g_main_context_iterate (context=0x70a880, block=1, dispatch=1, self=<value optimized out>) at gmain.c:2677
        got_ownership = <value optimized out>
        max_priority = 2147483647
        timeout = 801
        some_ready = 1
        nfds = <value optimized out>
        allocated_nfds = <value optimized out>
        fds = (GPollFD *) 0xd16d50
        __PRETTY_FUNCTION__ = "g_main_context_iterate"
#15 0x0000003eeb83036a in IA__g_main_loop_run (loop=0xd169c0) at gmain.c:2881
        got_ownership = <value optimized out>
        self = (GThread *) 0x6df470
        __PRETTY_FUNCTION__ = "IA__g_main_loop_run"
#16 0x0000003c19f2d783 in IA__gtk_main () at gtkmain.c:1154
        tmp_list = (GList *) 0x8d3940
        functions = (GList *) 0x0
        init = (GtkInitFunction *) 0x6f8800
        loop = (GMainLoop *) 0xd169c0
#17 0x000000000047a6ec in main (argc=1, argv=0x7fff9911d558) at gtkmain.c:853
        saved_status = <value optimized out>
        opt_help = <value optimized out>
        opt_login = 0
        opt_nologin = 0
        opt_version = <value optimized out>
        opt_si = 1
        opt_config_dir_arg = 0x0
        opt_login_arg = 0x0
        opt_session_arg = 0x0
        search_path = <value optimized out>
        accounts = <value optimized out>
        sigset = {__val = {91143, 0 <repeats 15 times>}}
        prev_sig_disp = <value optimized out>
        errmsg = "\220\001\000\000\000\000\000\000\b\000\000\000\000\000\000\000P�d\004\000\000\000�\a\000\000\000\000\000��?\000\000\000��?\000\000\000t%\000\000\000\000\000\000t%\000\000\000\000\000\000\004\000\000\000\000\000\000\000P�021\231�\177\000\000�\021\231�\177\000\000�A/?", '\0' <repeats 11 times>, "\020\000\000\000\000\000\000\000x�*\000\000��@/?\000\000\000����*\000\000\230g���*\000\000Pl���*\000\000\020q���*\000\000����*\000\000xz���*\000\0008\177���*\000\000�203���*\000\000�\210���*\000\000p"...
        segfault_message_tmp = <value optimized out>
        error = (GError *) 0x0
        opt = <value optimized out>
        gui_check = <value optimized out>
        debug_enabled = <value optimized out>
        migration_failed = <value optimized out>
        active_accounts = <value optimized out>
        long_options = {{name = 0x4bb931 "config", has_arg = 1, flag = 0x0, val = 99}, {name = 0x4ab299 "debug", has_arg = 0, flag = 0x0, val = 100}, {name = 0x4ae594 "help", has_arg = 0, flag = 0x0, val = 104}, {name = 0x4ab551 "login", has_arg = 2, flag = 0x0, val = 108}, {name = 0x4b8208 "multiple", has_arg = 0, flag = 0x0, val = 109}, {name = 0x4b8211 "nologin", has_arg = 0, flag = 0x0, val = 110}, {name = 0x4bb927 "session", has_arg = 1, flag = 0x0, val = 115}, {name = 0x4b005b "version", has_arg = 0, flag = 0x0, val = 118}, {name = 0x0, has_arg = 0, flag = 0x0, val = 0}}
```

Frame 4 is where control is passed into malloc() land:

```
(gdb) frame 4
#4  0x00002aaab425e87f in jabber_set_buddy_icon (gc=0xd161b0, img=0xee2110) at buddy.c:561
(gdb) list
556             widthstring = g_strdup_printf("%u", width);
557             xmlnode_set_attrib(info, "width", widthstring);
558             g_free(widthstring);
559             heightstring = g_strdup_printf("%u", height);
560             xmlnode_set_attrib(info, "height", heightstring);
561             g_free(lengthstring);
562
563             /* publish the metadata */
564             jabber_pep_publish((JabberStream*)gc->proto_data, publish);
565
```

I strongly suspect the g_free() call on line 561 is a double-free.

At no point do you mention the exact package version of pidgin. rpm -q pidgin ?

The latest from fedora-updates (currently pidgin-2.2.2-1.fc7). (I already looked for a more recent version in Rawhide, but found none.)

Good catch and thanks for doing the legwork in debugging the problem. This is fixed upstream now for 2.3.0 due out soonish.
Patch is available here, which might apply to 2.2.2: http://developer.pidgin.im/viewmtn/revision/diff/110e884c24fe3779369c410f3ad805a500c8ad79/with/374a8877bfa4fa06b384482815befe37f2c72b9b (no idea why I can't make viewmtn just give me a plain diff file).

Warren, do you have any intention of backporting that patch to 2.2.2, or are you just going to wait for 2.3.0?

Waiting for 2.3.1 which should be real soon now.

pidgin-2.3.1-1.fc7 has been pushed to the Fedora 7 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with

su -c 'yum --enablerepo=updates-testing update pidgin'

pidgin-2.3.1-1.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
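
The format/set/free pattern from the `buddy.c:556-561` listing in the report above, as an added example that is not part of the bug report or Pidgin's code: it shows that clearing a pointer on free turns the repeated free into a no-op but still leaks `heightstring`, while a helper that owns the temporary removes both problems. `struct node`, `set_attrib`, `fmt_uint`, `free_str` and `set_uint_attrib` are hypothetical stand-ins, and the earlier format-and-free of `lengthstring` and the `"bytes"` attribute name are assumptions, since the listing starts at line 556.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for libpurple's xmlnode: keeps its own copy of each value. */
struct node { char name[3][8]; char value[3][16]; int n; };
static int live;                        /* formatted strings currently allocated */

static void set_attrib(struct node *nd, const char *name, const char *val) {
    snprintf(nd->name[nd->n], sizeof nd->name[0], "%s", name);
    snprintf(nd->value[nd->n++], sizeof nd->value[0], "%s", val);
}
static char *fmt_uint(unsigned v) {     /* stands in for g_strdup_printf("%u", v) */
    char *s = malloc(16);
    if (!s) abort();
    snprintf(s, 16, "%u", v);
    live++;
    return s;
}
/* Free and clear: repeating the call on the same variable is a no-op. */
static void free_str(char **p) {
    if (*p) { free(*p); live--; }
    *p = NULL;
}
/* Shape of the listing, wrong variable in the last free included; returns leaked count. */
int listing_style(struct node *nd, unsigned len, unsigned w, unsigned h) {
    char *lengthstring = fmt_uint(len), *widthstring, *heightstring;
    set_attrib(nd, "bytes", lengthstring);   /* assumed: happens before line 556 */
    free_str(&lengthstring);
    widthstring = fmt_uint(w);
    set_attrib(nd, "width", widthstring);
    free_str(&widthstring);
    heightstring = fmt_uint(h);
    set_attrib(nd, "height", heightstring);
    free_str(&lengthstring);                 /* mistyped: now a no-op, heightstring leaks */
    int leaked = live;
    free_str(&heightstring);                 /* cleanup for the demo only */
    return leaked;
}
/* One helper owns the temporary, so no call site can free the wrong variable. */
static void set_uint_attrib(struct node *nd, const char *name, unsigned v) {
    char *s = fmt_uint(v);
    set_attrib(nd, name, s);
    free_str(&s);
}
int helper_style(struct node *nd, unsigned len, unsigned w, unsigned h) {
    set_uint_attrib(nd, "bytes", len);
    set_uint_attrib(nd, "width", w);
    set_uint_attrib(nd, "height", h);
    return live;
}
```

Building such code with `-fsanitize=address`, or running it with `MALLOC_CHECK_=2` as the reporter did, makes the unhardened form of the mistake abort at the offending `free()` instead of corrupting the heap silently.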