Bug 759401 - Crash when calling oauth_init_nss() from two threads
Status: CLOSED UPSTREAM
Alias: None
Product: Fedora
Classification: Fedora
Component: evolution-data-server
Version: 16
Hardware: x86_64
OS: Unspecified
Target Milestone: ---
Assignee: Matthew Barnes
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:fb4722dd79e9e90e800c48888ec...
Duplicates: 743698 753036 755934 771241 787634
Reported: 2011-12-02 10:09 UTC by Robert Keersse
Modified: 2012-04-18 09:16 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-04-18 09:16:35 UTC
Type: ---


Attachments
File: build_ids (2.80 KB, text/plain), 2011-12-02 10:09 UTC, Robert Keersse
File: dso_list (6.31 KB, text/plain), 2011-12-02 10:09 UTC, Robert Keersse
File: smolt_data (2.79 KB, text/plain), 2011-12-02 10:09 UTC, Robert Keersse
File: maps (29.83 KB, text/plain), 2011-12-02 10:09 UTC, Robert Keersse
File: backtrace (46.42 KB, text/plain), 2011-12-02 10:09 UTC, Robert Keersse
File: backtrace (57.04 KB, text/plain), 2012-04-16 16:35 UTC, Kayvan Sylvan


Links
System ID Private Priority Status Summary Last Updated
GNOME Bugzilla 674309 0 None None None Never

Description Robert Keersse 2011-12-02 10:09:21 UTC
libreport version: 2.0.7
abrt_version:   2.0.6
backtrace_rating: 4
cmdline:        /usr/libexec/e-addressbook-factory
executable:     /usr/libexec/e-addressbook-factory
kernel:         3.1.2-1.fc16.x86_64
pid:            1841
pwd:            /
reason:         Process /usr/libexec/e-addressbook-factory was killed by signal 11 (SIGSEGV)
time:           Fri 02 Dec 2011 10:56:03 AM CET
uid:            1000
username:       robert

backtrace:      Text file, 47537 bytes
build_ids:      Text file, 2870 bytes
dso_list:       Text file, 6464 bytes
maps:           Text file, 30550 bytes
smolt_data:     Text file, 2861 bytes

var_log_messages:
:Nov 30 16:02:31 localhost abrt[5684]: Saved core dump of pid 5041 (/usr/libexec/e-addressbook-factory) to /var/spool/abrt/ccpp-2011-11-30-16:02:31-5041 (81825792 bytes)
:Dec  2 10:56:03 localhost abrt[2477]: Saved core dump of pid 1841 (/usr/libexec/e-addressbook-factory) to /var/spool/abrt/ccpp-2011-12-02-10:56:03-1841 (81813504 bytes)

Comment 1 Robert Keersse 2011-12-02 10:09:24 UTC
Created attachment 539561 [details]
File: build_ids

Comment 2 Robert Keersse 2011-12-02 10:09:26 UTC
Created attachment 539562 [details]
File: dso_list

Comment 3 Robert Keersse 2011-12-02 10:09:27 UTC
Created attachment 539563 [details]
File: smolt_data

Comment 4 Robert Keersse 2011-12-02 10:09:29 UTC
Created attachment 539564 [details]
File: maps

Comment 5 Robert Keersse 2011-12-02 10:09:31 UTC
Created attachment 539565 [details]
File: backtrace

Comment 6 Milan Crha 2011-12-05 09:50:36 UTC
Thanks for a bug report. I see that Thread 8 and Thread 1 are doing basically the same thing, which may be the reason for this crash. I'm not sure where it belongs, but let's move to libgdata first.

Thread 1 (Thread 0x7fe1793fd700 (LWP 2473)):
#0  PL_HashTableRawLookup (ht=0x7fe16c00a990, keyHash=2169211869, key=0x34a86194e8) at ../../mozilla/nsprpub/lib/ds/plhash.c:178
#1  0x00000034a90018d1 in PL_HashTableRawAdd (ht=0x7fe16c00a990, hep=<optimized out>, keyHash=33754659, key=0x34a86195c8, value=0x34a86195c8) at ../../mozilla/nsprpub/lib/ds/plhash.c:251
#2  0x00000034a8411b79 in SECOID_Init () at secoid.c:1952
#3  0x00007fe169faffa8 in nsc_CommonInitialize (pReserved=0x7fe1793fc730, isFIPS=0) at pkcs11.c:2746
#4  0x00007fe169fb047a in NSC_Initialize (pReserved=0x7fe1793fc730) at pkcs11.c:2880
#5  0x00000034a883e766 in secmod_ModuleInit (mod=0x7fe160008cb0, reload=0x7fe1793fc880, alreadyLoaded=0x7fe1793fc7cc) at pk11load.c:252
#6  0x00000034a883eda8 in secmod_LoadPKCS11Module (mod=0x7fe160008cb0, oldModule=0x7fe1793fc880) at pk11load.c:492
#7  0x00000034a884bcbf in SECMOD_LoadModule (modulespec=0x7fe160008940 "library= name=\"NSS Internal PKCS #11 Module\" parameters=\"configdir='' certPrefix='' keyPrefix='' secmod='' flags=readOnly,noCertDB,noModDB,forceOpen,optimizeSpace updatedir='' updateCertPrefix='' upda"..., parent=0x7fe160008020, recurse=1) at pk11pars.c:1121
#8  0x00000034a884be8a in SECMOD_LoadModule (modulespec=0x7fe1600d1460 "name=\"NSS Internal Module\" parameters=\"configdir='' certPrefix='' keyPrefix='' secmod='' flags=readOnly,noCertDB,noModDB,forceOpen,optimizeSpace updatedir='' updateCertPrefix='' updateKeyPrefix='' upd"..., parent=0x0, recurse=1) at pk11pars.c:1156
#9  0x00000034a881a74a in nss_InitModules (isContextInit=0, optimizeSpace=1, forceOpen=1, noModDB=1, noCertDB=1, readOnly=1, pwRequired=<optimized out>, configStrings=0x0, configName=0x34a88fa4e8 "NSS Internal Module", updateName=0x34a88faa57 "", updateID=0x34a88faa57 "", updKeyPrefix=0x34a88faa57 "", updCertPrefix=0x7fe1600e4150 "`A\016`\341\177", updateDir=0x7fe1600e4130 " ", secmodName=0x34a88faa57 "", keyPrefix=0x7fe1600e4110 "", certPrefix=<optimized out>, configdir=0x34a88faa57 "") at nssinit.c:461
#10 nss_Init (configdir=0x34a88faa57 "", certPrefix=<optimized out>, keyPrefix=0x7fe1600e4110 "", secmodName=0x34a88faa57 "", updateDir=0x7fe1600e4130 " ", updCertPrefix=0x7fe1600e4150 "`A\016`\341\177", updKeyPrefix=0x34a88faa57 "", updateID=0x34a88faa57 "", updateName=0x34a88faa57 "", initContextPtr=0x0, initParams=0x0, readOnly=1, noCertDB=1, noModDB=1, forceOpen=1, noRootInit=1, optimizeSpace=1, noSingleThreadedModules=0, allowAlreadyInitializedModules=0, dontFinalizeModules=0) at nssinit.c:620
#11 0x00000034a881aed7 in NSS_NoDB_Init (configdir=<optimized out>) at nssinit.c:840
#12 0x00000034b000446a in oauth_init_nss () at hash.c:60
#13 oauth_init_nss () at hash.c:58
#14 0x00000034b00039f4 in oauth_gen_nonce () at oauth.c:550
#15 0x00007fe17b90e0d8 in gdata_goa_authorizer_get_parameters (access_token_secret=<optimized out>, access_token=<optimized out>, consumer_secret=0x7fe174005780 "anonymous", consumer_key=<optimized out>, message=0x7fe160007800 [SoupMessage]) at e-gdata-goa-authorizer.c:108
#16 gdata_goa_authorizer_add_authorization (message=0x7fe160007800 [SoupMessage], authorizer=<optimized out>) at e-gdata-goa-authorizer.c:224
#17 gdata_goa_authorizer_process_request (authorizer=<optimized out>, domain=<optimized out>, message=0x7fe160007800 [SoupMessage]) at e-gdata-goa-authorizer.c:398
#18 0x00000034af41f957 in real_append_query_headers (self=0x7fe1700a2080 [GDataContactsService], domain=0x7fe174008240 [GDataAuthorizationDomain], message=0x7fe160007800 [SoupMessage]) at gdata/gdata-service.c:286
#19 0x00000034af420d71 in _gdata_service_build_message (self=0x7fe1700a2080 [GDataContactsService], domain=0x7fe174008240 [GDataAuthorizationDomain], method=<optimized out>, uri=<optimized out>, etag=0x0, etag_if_match=0) at gdata/gdata-service.c:547
#20 0x00000034af4214d2 in _gdata_service_query (self=0x7fe1700a2080 [GDataContactsService], domain=0x7fe174008240 [GDataAuthorizationDomain], feed_uri=<optimized out>, query=<optimized out>, cancellable=0x14dc210 [GCancellable], error=0x7fe1793fcd18) at gdata/gdata-service.c:873
#21 0x00000034af421646 in __gdata_service_query (self=0x7fe1700a2080 [GDataContactsService], domain=<optimized out>, feed_uri=<optimized out>, query=0x7fe1700b6550 [GDataContactsQuery], entry_type=21318384, cancellable=<optimized out>, progress_callback=0x7fe17b90c010 <process_group>, progress_user_data=0x13cc1d0, error=0x7fe1793fcd18, is_async=1) at gdata/gdata-service.c:908
#22 0x00000034af4217e2 in query_thread (result=0x13f4800 [GSimpleAsyncResult], service=0x7fe1700a2080 [GDataContactsService], cancellable=0x14dc210 [GCancellable]) at gdata/gdata-service.c:757
#23 0x00000034a0c67c0c in run_in_thread (job=<optimized out>, c=0x14dc210 [GCancellable], _data=0x14c2640) at gsimpleasyncresult.c:843
#24 0x00000034a0c59496 in io_job_thread (data=0x13df680, user_data=<optimized out>) at gioscheduler.c:180
#25 0x000000349e86c6f8 in g_thread_pool_thread_proxy (data=<optimized out>) at gthreadpool.c:319
#26 0x000000349e86a1d6 in g_thread_create_proxy (data=0x13f6db0) at gthread.c:1962
#27 0x000000349cc07d90 in start_thread (arg=0x7fe1793fd700) at pthread_create.c:309
#28 0x000000349c8eed0d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115
No locals.

Comment 7 Milan Crha 2012-01-03 08:35:08 UTC
*** Bug 771241 has been marked as a duplicate of this bug. ***

Comment 8 Cosimo Cecchi 2012-04-10 17:47:11 UTC
*** Bug 787634 has been marked as a duplicate of this bug. ***

Comment 9 Cosimo Cecchi 2012-04-10 17:50:18 UTC
*** Bug 755934 has been marked as a duplicate of this bug. ***

Comment 10 Cosimo Cecchi 2012-04-10 17:51:03 UTC
*** Bug 753036 has been marked as a duplicate of this bug. ***

Comment 11 Cosimo Cecchi 2012-04-10 17:51:19 UTC
*** Bug 743698 has been marked as a duplicate of this bug. ***

Comment 12 Kayvan Sylvan 2012-04-16 16:35:10 UTC
Logging in.

backtrace_rating: 4
Package: evolution-data-server-3.2.3-3.fc16
OS Release: Fedora release 16 (Verne)

Comment 13 Kayvan Sylvan 2012-04-16 16:35:15 UTC
Created attachment 577770 [details]
File: backtrace

Comment 14 Philip Withnall 2012-04-17 09:11:11 UTC
(In reply to comment #6)
> Thanks for a bug report. I see that Thread 8 and Thread 1 are doing basically
> the same thing, which may be the reason for this crash. I'm not sure where it
> belongs, but let's move to libgdata first.

I’d say it’s an EDS bug. libgdata requires that the implementations of GDataAuthorizer->process_request() are thread-safe. EDS’ implementation is thread-safe, but not safe if process_request() is called on two *different* EGDataGoaAuthorizer instances simultaneously.

I guess EDS should put a static global mutex around calls to oauth_gen_nonce(). It could probably replace the call to oauth_sign_hmac_sha1() with GHmac, which would save some locking.

Either that, or make oauth_init_nss() in liboauth be thread-safe.
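
The two fixes proposed in comment 14, sketched as an added example (not code from EDS, libgdata or liboauth): `unsafe_init()` is a constructed stand-in for the non-reentrant NSS initialization seen in the backtrace, and every name below is hypothetical.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdio.h>
enum { THREADS = 8, CALLS = 1000 };
/* Constructed stand-in for a non-reentrant initializer (the role NSS_NoDB_Init()
 * has in the backtrace): counts runs and flags two threads inside at once. */
typedef struct { atomic_int runs, inside, overlaps; } init_stats;
static init_stats once_stats, lock_stats;
static void unsafe_init(init_stats *s) {
    if (atomic_fetch_add(&s->inside, 1) > 0) atomic_fetch_add(&s->overlaps, 1);
    atomic_fetch_add(&s->runs, 1);
    atomic_fetch_sub(&s->inside, 1);
}

/* Library-side fix: the initializer itself runs exactly once. */
static pthread_once_t once_ctl = PTHREAD_ONCE_INIT;
static void once_body(void) { unsafe_init(&once_stats); }
static void *call_once_init(void *arg) {
    for (int i = 0; i < CALLS; i++) pthread_once(&once_ctl, once_body);
    return arg;
}

/* Caller-side fix: one static global mutex, shared by every authorizer
 * instance (not one per instance), held around the lazily initializing call. */
static pthread_mutex_t nonce_lock = PTHREAD_MUTEX_INITIALIZER;
static int initialized;       /* plain flag, only touched under nonce_lock */
static unsigned long nonces;  /* stand-in for nonce generation */
static void *call_locked_nonce(void *arg) {
    for (int i = 0; i < CALLS; i++) {
        pthread_mutex_lock(&nonce_lock);
        if (!initialized) { unsafe_init(&lock_stats); initialized = 1; }
        nonces++;
        pthread_mutex_unlock(&nonce_lock);
    }
    return arg;
}

/* Runs THREADS workers; returns the init run count, or -1 on any overlap. */
static int run_workers(void *(*fn)(void *), init_stats *s) {
    pthread_t t[THREADS];
    for (int i = 0; i < THREADS; i++) pthread_create(&t[i], NULL, fn, NULL);
    for (int i = 0; i < THREADS; i++) pthread_join(t[i], NULL);
    return atomic_load(&s->overlaps) ? -1 : atomic_load(&s->runs);
}

int main(void) {
    printf("pthread_once: %d init run(s)\n", run_workers(call_once_init, &once_stats));
    printf("global mutex: %d init run(s)\n", run_workers(call_locked_nonce, &lock_stats));
    return 0;
}
```

A per-instance mutex would not help here, because the state being protected belongs to the library and is shared by all instances in the process.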

Comment 15 Milan Crha 2012-04-18 09:16:15 UTC
Thanks for the info, let's fix it in eds first, though it would make sense to have this fixed in the core library first, though your description doesn't sound like the library advertises itself as being thread-safe, it only requests it from its consumers. I moved this upstream as [1]. Please see [1] for any further updates. Feel free to CC yourself there, to follow any additional discussions.

[1] https://bugzilla.gnome.org/show_bug.cgi?id=674309

