[Pidgin] #4814: Crash if xmpp pong timeout fires after account is disconnected

Sat Feb 9 11:13:57 EST 2008

#4814: Crash if xmpp pong timeout fires after account is disconnected
------------------------------------+---------------------------------------
 Reporter:  nosnilmot               |       Owner:  nwalp
     Type:  defect                  |      Status:  new  
 Priority:  minor                   |   Milestone:       
Component:  XMPP                    |     Version:       
 Keywords:  jabber xmpp ping crash  |     Pending:  0    
------------------------------------+---------------------------------------
 Personally I strongly dislike the use of xmpp ping for keepalive and would
 prefer to revert to relying on TCP (xmpp ping actually causes far more
 disconnects for me). However, if we're going to stick to using xmpp ping
 someone should ensure the timer is removed whenever the account is
 disconnected.

 Relevant debug log prior to crash:
 {{{
 (23:12:15) jabber: Sending (ssl): <iq type='get' id='purple1f4b8671'><ping
 xmlns='urn:xmpp:ping'/></iq>
 (23:12:15) account: Disconnecting account 0x86ed978
 (23:12:15) connection: Disconnecting connection 0x8f2a1c8
 (23:12:15) connection: Deactivating keepalive.
 (23:12:15) jabber: jabber_actions: have pep: NO
 (23:12:15) jabber: jabber_actions: have pep: YES
 (23:12:15) connection: Destroying connection 0x8f2a1c8
 }}}

 some time later, boom.

 Backtrace:
 {{{
 (gdb) bt full
 #0  0x00110402 in __kernel_vsyscall ()
 No symbol table info available.
 #1  0x00515fa0 in raise () from /lib/libc.so.6
 No symbol table info available.
 #2  0x005178b1 in abort () from /lib/libc.so.6
 No symbol table info available.
 #3  0x080c1aba in sighandler (sig=11) at gtkmain.c:220
 No locals.
 #4  <signal handler called>
 No symbol table info available.
 #5  0x06c48f40 in jabber_pong_timeout (gc=0x8f2a1c8) at jabber.c:402
         js = (JabberStream *) 0x0
 #6  0x007e0dc6 in ?? () from /lib/libglib-2.0.so.0
 No symbol table info available.
 #7  0x007e07f2 in g_main_context_dispatch () from /lib/libglib-2.0.so.0
 No symbol table info available.
 #8  0x007e37cf in ?? () from /lib/libglib-2.0.so.0
 No symbol table info available.
 #9  0x007e3b79 in g_main_loop_run () from /lib/libglib-2.0.so.0
 No symbol table info available.
 #10 0x0212df44 in IA__gtk_main () at gtkmain.c:1154
         tmp_list = (GList *) 0x0
         functions = (GList *) 0x0
         init = (GtkInitFunction *) 0x4e9ca0
         loop = (GMainLoop *) 0x8b33218
 #11 0x080c2a17 in main (argc=2, argv=0xbfffb694) at gtkmain.c:886
         opt_help = 0
         opt_login = 0
         opt_nologin = 1
         opt_version = 0
         opt_si = 1
         opt_config_dir_arg = 0x0
         opt_login_arg = 0x0
         opt_session_arg = 0x0
         search_path = 0x8586b70 "\001"
         accounts = (GList *) 0x4673528
         sig_indx = 1
         sigset = {__val = {91143, 0 <repeats 31 times>}}
         prev_sig_disp = (void (*)(int)) 0
         errmsg =
 "@\225��(\225���N\000\b\000\000\000,\000\000\000�237N\000<���u�M\000`c�c�024\000\000\000\000\000\000\000�231�000\224�020����,
 '\0' <repeats 16 times>,
 "/���(���$����#N\000C\000\000\000\f\000\000\000\000\000\000\000\t\000\000\000�237N\000\000\000\000\000�237N\000\005\000\000\000�225���\225���N\000\b\000\000\000,\000\000\000�237N\000<���u�M\0000c�030c�024\000\000\000\000\000\000\000���\231�020����000\000\000\000\023\000\000\000\024\000\000\000/�"...
         segfault_message_tmp = 0x856d748
 "e/en_US.UTF-8/LC_MESSAGES/gtk20.mo"
         error = (GError *) 0x0
         opt = -1
         gui_check = 1
         debug_enabled = 1
         migration_failed = 0
         active_accounts = (GList *) 0x88ea1b0
         long_options = {{name = 0x8107a97 "config", has_arg = 1, flag =
 0x0, val = 99}, {name = 0x8107a9e "debug", has_arg = 0, flag = 0x0, val =
 100}, {name = 0x8107aa4 "help", has_arg = 0, flag = 0x0, val = 104}, {name
 = 0x8107aa9 "login", has_arg = 2, flag = 0x0, val = 108}, {name =
 0x8107aaf "multiple", has_arg = 0, flag = 0x0, val = 109}, {name =
 0x8107ab8 "nologin", has_arg = 0, flag = 0x0, val = 110}, {name =
 0x8107ac0 "session", has_arg = 1, flag = 0x0, val = 115}, {name =
 0x810785b "version", has_arg = 0, flag = 0x0, val = 118}, {name =
 0x8107ac8 "display", has_arg = 1, flag = 0x0, val = 68}, {name = 0x8107ad0
 "sync", has_arg = 0, flag = 0x0, val = 83}, {name = 0x0, has_arg = 0, flag
 = 0x0, val = 0}}
 }}}

 In this particular case, checking for js != NULL in jabber_pong_timeout()
 would seem to be a suitable fix, but it is NOT. We have already
 dereferenced gc which will have also been freed by this point.

-- 
Ticket URL: <http://developer.pidgin.im/ticket/4814>
Pidgin <http://pidgin.im>
Pidgin