Assertion failure in contacts_context_continue() when fuzzing
Submitted by Philip Withnall
Assigned to Telepathy bugs list
Description
I've been fuzz testing Empathy/folks using a fake CM (which I really should blog about soon), and managed to cause the following crash:
Core was generated by `/opt/gnome3/build/bin/empathy'. Program terminated with signal 6, Aborted.
#0 0x0000003f41e36285 in raise () from /lib64/libc.so.6
(gdb) t a a bt
Thread 3 (Thread 0x7fffed1eb700 (LWP 16208)):
#0 0x0000003f41ee6af3 in poll () from /lib64/libc.so.6
#1 0x00007ffff26df68b in g_poll (fds=0x7fffe80010e0, nfds=3, timeout=-1) at gpoll.c:132
#2 0x00007ffff26ceea5 in g_main_context_poll (context=0x8bbde0, timeout=-1, priority=2147483647, fds=0x7fffe80010e0, n_fds=3)
at gmain.c:3415
#3 0x00007ffff26ce835 in g_main_context_iterate (context=0x8bbde0, block=1, dispatch=1, self=0x8bcd90) at gmain.c:3116
#4 0x00007ffff26cec86 in g_main_loop_run (loop=0x8bbd90) at gmain.c:3315
#5 0x00007ffff310d9e8 in gdbus_shared_thread_func (user_data=0x8bbdb0) at gdbusprivate.c:276
#6 0x00007ffff26f97e8 in g_thread_proxy (data=0x8bcd90) at gthread.c:801
#7 0x0000003f42607d90 in start_thread () from /lib64/libpthread.so.0
#8 0x0000003f41eef48d in clone () from /lib64/libc.so.6
Thread 2 (Thread 0x7fffe339d700 (LWP 16209)):
#0 0x0000003f4260be4f in pthread_cond_timedwait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
#1 0x00007ffff271b9a9 in g_cond_wait_until (cond=0xa213f8, mutex=0xa213f0, end_time=296617946261) at gthread-posix.c:870
#2 0x00007ffff26999e0 in g_cond_timed_wait (cond=0xa213f8, mutex=0xa213f0, abs_time=0x7fffe339cb80)
at deprecated/gthread-deprecated.c:1585
#3 0x00007ffff269bc8f in g_async_queue_pop_intern_unlocked (queue=0xa213f0, wait=1, end_time=0x7fffe339cb80) at gasyncqueue.c:418
#4 0x00007ffff269bed9 in g_async_queue_timed_pop (queue=0xa213f0, end_time=0x7fffe339cb80) at gasyncqueue.c:542
#5 0x00007ffff26f9bdd in g_thread_pool_wait_for_new_pool () at gthreadpool.c:174
#6 0x00007ffff26f9ec4 in g_thread_pool_thread_proxy (data=0xa212d0) at gthreadpool.c:374
#7 0x00007ffff26f97e8 in g_thread_proxy (data=0xa1dd40) at gthread.c:801
#8 0x0000003f42607d90 in start_thread () from /lib64/libpthread.so.0
#9 0x0000003f41eef48d in clone () from /lib64/libc.so.6
Thread 1 (Thread 0x7fffee73c9c0 (LWP 16207)):
#0 0x0000003f41e36285 in raise () from /lib64/libc.so.6
#1 0x0000003f41e37b9b in abort () from /lib64/libc.so.6
#2 0x00007ffff26f77f6 in g_assertion_message (domain=0x7ffff5e3f897 "tp-glib", file=0x7ffff5e3f9c9 "contact.c", line=1839,
func=0x7ffff5e41b70 "contacts_context_continue", message=0xb385b0 "assertion failed: (contact->priv->handle != 0)")
at gtestutils.c:1810
#3 0x00007ffff26f7857 in g_assertion_message_expr (domain=0x7ffff5e3f897 "tp-glib", file=0x7ffff5e3f9c9 "contact.c", line=1839,
func=0x7ffff5e41b70 "contacts_context_continue", expr=0x7ffff5e3f9ae "contact->priv->handle != 0") at gtestutils.c:1821
#4 0x00007ffff5d98024 in contacts_context_continue (c=0xa9ce60) at contact.c:1839
#5 0x00007ffff5d99ac6 in connection_capabilities_fetched_cb (object=0x8f9580, res=0xb342a0, user_data=0xa9ce60) at contact.c:2553
#6 0x00007ffff3092162 in g_simple_async_result_complete (simple=0xb342a0) at gsimpleasyncresult.c:744
#7 0x00007ffff30921ae in complete_in_idle_cb (data=0xb342a0) at gsimpleasyncresult.c:756
#8 0x00007ffff26d00e3 in g_idle_dispatch (source=0xb43f90, callback=0x7ffff309217b <complete_in_idle_cb>, user_data=0xb342a0)
at gmain.c:4632
#9 0x00007ffff26cd9c1 in g_main_dispatch (context=0x77a8f0) at gmain.c:2513
#10 0x00007ffff26ce67d in g_main_context_dispatch (context=0x77a8f0) at gmain.c:3050
#11 0x00007ffff26ce860 in g_main_context_iterate (context=0x77a8f0, block=1, dispatch=1, self=0x8a6f80) at gmain.c:3121
#12 0x00007ffff26ce924 in g_main_context_iteration (context=0x77a8f0, may_block=1) at gmain.c:3182
#13 0x00007ffff30c8e96 in g_application_run (application=0x7bb360, argc=1, argv=0x7fffffffeca8) at gapplication.c:1599
#14 0x0000000000457da0 in main (argc=1, argv=0x7fffffffeca8) at empathy.c:869
(gdb) bt full
#0 0x0000003f41e36285 in raise () from /lib64/libc.so.6
No symbol table info available.
#1 0x0000003f41e37b9b in abort () from /lib64/libc.so.6
No symbol table info available.
#2 0x00007ffff26f77f6 in g_assertion_message (domain=0x7ffff5e3f897 "tp-glib", file=0x7ffff5e3f9c9 "contact.c", line=1839,
func=0x7ffff5e41b70 "contacts_context_continue", message=0xb385b0 "assertion failed: (contact->priv->handle != 0)")
at gtestutils.c:1810
lstr = "1839\000\177\000\000\250yh\362\377\177\000\000\320\350\377\377\377\177\000\000`Ω\000\000\000\000"
s = 0xad94d0 ""
#3 0x00007ffff26f7857 in g_assertion_message_expr (domain=0x7ffff5e3f897 "tp-glib", file=0x7ffff5e3f9c9 "contact.c", line=1839,
func=0x7ffff5e41b70 "contacts_context_continue", expr=0x7ffff5e3f9ae "contact->priv->handle != 0") at gtestutils.c:1821
s = 0xb385b0 "assertion failed: (contact->priv->handle != 0)"
#4 0x00007ffff5d98024 in contacts_context_continue (c=0xa9ce60) at contact.c:1839
contact = 0xb41900
i = 0
__PRETTY_FUNCTION__ = "contacts_context_continue"
#5 0x00007ffff5d99ac6 in connection_capabilities_fetched_cb (object=0x8f9580, res=0xb342a0, user_data=0xa9ce60) at contact.c:2553
c = 0xa9ce60
__PRETTY_FUNCTION__ = "connection_capabilities_fetched_cb"
#6 0x00007ffff3092162 in g_simple_async_result_complete (simple=0xb342a0) at gsimpleasyncresult.c:744
current_source = 0xb43f90
current_context = 0x77a8f0
__PRETTY_FUNCTION__ = "g_simple_async_result_complete"
#7 0x00007ffff30921ae in complete_in_idle_cb (data=0xb342a0) at gsimpleasyncresult.c:756
simple = 0xb342a0
#8 0x00007ffff26d00e3 in g_idle_dispatch (source=0xb43f90, callback=0x7ffff309217b <complete_in_idle_cb>, user_data=0xb342a0)
at gmain.c:4632
No locals.
#9 0x00007ffff26cd9c1 in g_main_dispatch (context=0x77a8f0) at gmain.c:2513
dispatch = 0x7ffff26d0097 <g_idle_dispatch>
was_in_call = 0
user_data = 0xb342a0
callback = 0x7ffff309217b <complete_in_idle_cb>
cb_funcs = 0x7ffff29bdfe0
cb_data = 0x905680
need_destroy = 7827920
current_source_link = {data = 0xb43f90, next = 0x0}
source = 0xb43f90
current = 0x8b9fa0
i = 0
__PRETTY_FUNCTION__ = "g_main_dispatch"
#10 0x00007ffff26ce67d in g_main_context_dispatch (context=0x77a8f0) at gmain.c:3050
No locals.
#11 0x00007ffff26ce860 in g_main_context_iterate (context=0x77a8f0, block=1, dispatch=1, self=0x8a6f80) at gmain.c:3121
max_priority = 0
timeout = 0
some_ready = 1
nfds = 7
allocated_nfds = 7
fds = 0xa64d20
#12 0x00007ffff26ce924 in g_main_context_iteration (context=0x77a8f0, may_block=1) at gmain.c:3182
retval = 1
#13 0x00007ffff30c8e96 in g_application_run (application=0x7bb360, argc=1, argv=0x7fffffffeca8) at gapplication.c:1599
arguments = 0x8a4d90
status = 0
i = 1
__PRETTY_FUNCTION__ = "g_application_run"
#14 0x0000000000457da0 in main (argc=1, argv=0x7fffffffeca8) at empathy.c:869
app = 0x7bb360
retval = 0
(gdb) frame 4
#4 0x00007ffff5d98024 in contacts_context_continue (c=0xa9ce60) at contact.c:1839
1839 g_assert (contact->priv->handle != 0);
(gdb) print *contact
$1 = {parent = {g_type_instance = {g_class = 0xac34f0}, ref_count = 1, qdata = 0x0}, priv = 0xb41920}
(gdb) print *contact->priv
$2 = {connection = 0x8f9580, handle = 0, identifier = 0xa2e970 "", has_features = 231,
alias = 0xb1a390 "\t \r \f\r\f\f\t\r\v\n\t\f\r\f\f\v\v\n\t", avatar_token = 0x906c30 "", avatar_file = 0x0, avatar_mime_type = 0x0,
presence_type = TP_CONNECTION_PRESENCE_TYPE_AWAY, presence_status = 0xb14dd0 "available",
presence_message = 0xa81700 "Status message씓", location = 0x0, client_types = 0x0, capabilities = 0x0, contact_info = 0x0,
subscribe = TP_SUBSCRIPTION_STATE_UNKNOWN, publish = TP_SUBSCRIPTION_STATE_UNKNOWN, publish_request = 0x0, contact_groups = 0x0,
is_blocked = 0}
(gdb) print *c
$3 = {refcount = 1, connection = 0x8f9580, contacts = 0xb432c0, handles = 0xb43000, invalid = 0xb33ca0, request_ids = 0x0,
request_errors = 0x0, wanted = 247, signature = CB_BY_HANDLE, callback = {by_handle = 0x7ffff74d7664 <get_contacts_by_handle_cb>,
by_id = 0x7ffff74d7664 <get_contacts_by_handle_cb>, upgrade = 0x7ffff74d7664 <get_contacts_by_handle_cb>}, user_data = 0xa6a4c0,
destroy = 0, weak_object = 0x8f9580, no_purpose_in_life = 0, todo = {head = 0x0, tail = 0x0, length = 0}, next_index = 0,
contacts_have_ids = 0}
I haven't investigated it properly (I should be working on the fuzz tester instead), but I realise that this is probably caused by the fake CM violating something in the Tp spec. However, since tp-glib is fairly resilient against misbehaving CMs in other places, I guess it would make sense to turn this g_assert() into an if(fail){continue} or similar.
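The defensive change proposed above, as an added C illustration (constructed here, not telepathy-glib's own code): a contact whose handle is 0 is set aside as invalid and the loop continues, so data from a misbehaving connection manager cannot abort the whole client. The struct layouts, the helper names and the sample contacts are assumptions.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed, simplified stand-ins for the tp-glib structures named in the
 * backtrace (TpContact, priv->handle, the per-request context). The real ones
 * live in telepathy-glib's contact.c; this is not that code. */
typedef unsigned int TpHandle;

typedef struct { TpHandle handle; const char *identifier; } TpContactPrivate;
typedef struct { TpContactPrivate *priv; } TpContact;

#define MAX_CONTACTS 8

typedef struct {
    TpContact *contacts[MAX_CONTACTS];
    size_t n_contacts;
    size_t next_index;
    size_t invalid[MAX_CONTACTS];   /* indices of entries set aside as invalid */
    size_t n_invalid;
} ContactsContext;

/* Hardened loop: what a connection manager returns is input from another
 * process, so a contact whose handle is 0 (invalid in Telepathy) is recorded
 * as invalid and skipped instead of tripping an assertion and aborting the
 * client. Returns the number of contacts that were accepted. */
size_t contacts_context_continue_hardened(ContactsContext *c)
{
    size_t accepted = 0;
    for (; c->next_index < c->n_contacts; c->next_index++) {
        TpContact *contact = c->contacts[c->next_index];
        /* was: g_assert (contact->priv->handle != 0); which raised SIGABRT */
        if (contact == NULL || contact->priv == NULL || contact->priv->handle == 0) {
            c->invalid[c->n_invalid++] = c->next_index;
            continue;
        }
        accepted++;   /* the real code goes on to fetch features for it */
    }
    return accepted;
}

/* Constructed sample mirroring the crash: a contact with handle 0 and an
 * empty identifier, as gdb printed it, between two well-formed ones. */
void build_sample(ContactsContext *c)
{
    static TpContactPrivate p[3] = { {7, "alice@example.org"}, {0, ""}, {9, "bob@example.org"} };
    static TpContact k[3] = { {&p[0]}, {&p[1]}, {&p[2]} };
    c->n_contacts = 3; c->next_index = 0; c->n_invalid = 0;
    for (size_t i = 0; i < 3; i++) c->contacts[i] = &k[i];
}

int main(void)
{
    ContactsContext ctx = {0};
    build_sample(&ctx);
    size_t ok = contacts_context_continue_hardened(&ctx);
    printf("accepted %zu, invalid %zu (index %zu)\n", ok, ctx.n_invalid, ctx.invalid[0]);
    return 0;
}
```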