[Pidgin] #7621: MSN Protocol crashing for 16 months

Pidgin trac at pidgin.im
Wed Mar 25 13:04:38 EDT 2009


#7621: MSN Protocol crashing for 16 months
---------------------+------------------------------------------------------
 Reporter:  Spaaken  |           Owner:  khc
     Type:  defect   |          Status:  new
Milestone:           |       Component:  MSN
  Version:  2.5.2    |      Resolution:     
 Keywords:  crash    |   Launchpad_bug:     
---------------------+------------------------------------------------------
Changes (by MarkDoliner):

  * status:  pending => new


Old description:

> I have been using libpurple with a chatbot for about 16 months. During all
> this time, the MSN plug-in has been causing crashes (maybe due to the heavy
> load, but the AIM protocol is stable).
>
> A dump of the latest crash:
>
> glib: double free or corrupt memory
>
> Program terminated with signal 6, Aborted.
>
> [New process 17300]
>
> #0  0xb7f13410 in __kernel_vsyscall ()
>
> (gdb) bt
>
> #0  0xb7f13410 in __kernel_vsyscall ()
>
> #1  0xb7b0c085 in raise () from /lib/tls/i686/cmov/libc.so.6
>
> #2  0xb7b0da01 in abort () from /lib/tls/i686/cmov/libc.so.6
>
> #3  0xb7b44b7c in ?? () from /lib/tls/i686/cmov/libc.so.6
>
> #4  0xb7b4ca85 in ?? () from /lib/tls/i686/cmov/libc.so.6
>
> #5  0xb7b504f0 in free () from /lib/tls/i686/cmov/libc.so.6
>
> #6  0xb7e91b51 in g_free () from /usr/lib/libglib-2.0.so.0
>
> #7  0xb62390a9 in msn_slplink_destroy (slplink=0x400) at slplink.c:117
>
> #8  0xb623cc42 in msn_switchboard_destroy (swboard=0x8a31d08) at
> switchboard.c:86
>
> #9  0xb623d5a8 in bye_cmd (cmdproc=0x902ef18, cmd=0x903cc20) at
> switchboard.c:730
>
> #10 0xb621e4a8 in msn_cmdproc_process_cmd (cmdproc=0x902ef18,
> cmd=0x903cc20) at cmdproc.c:321
>
> #11 0xb621e614 in msn_cmdproc_process_cmd_text (cmdproc=0x902ef18,
> command=0x905a6a0 "BYE katrinchen_xxxxx at xxxxxxx.de")
>     at cmdproc.c:343
>
> #12 0xb62355af in read_cb (data=0x833df98, source=9,
> cond=PURPLE_INPUT_READ) at servconn.c:456
>
> #13 0x0804fe88 in purple_glib_io_invoke (source=0x82d3ee8,
> condition=G_IO_IN, data=0x859c0d8) at imbot.cpp:1637
>
> #14 0xb7ebdfed in ?? () from /usr/lib/libglib-2.0.so.0
>
> #15 0xb7e89cc6 in g_main_context_dispatch () from
> /usr/lib/libglib-2.0.so.0
>
> #16 0xb7e8d083 in ?? () from /usr/lib/libglib-2.0.so.0
>
> #17 0xb7e8d467 in g_main_loop_run () from /usr/lib/libglib-2.0.so.0
>
> #18 0x0805331c in main () at imbot.cpp:5231
>
> I deactivated this protocol now. I think it needs some serious work to be
> done.

New description:

 I have been using libpurple with a chatbot for about 16 months. During all
 this time, the MSN plug-in has been causing crashes (maybe due to the heavy
 load, but the AIM protocol is stable).

 A dump of the latest crash:

 {{{
 glib: double free or corrupt memory
 Program terminated with signal 6, Aborted.
 [New process 17300]
 #0  0xb7f13410 in __kernel_vsyscall ()
 (gdb) bt
 #0  0xb7f13410 in __kernel_vsyscall ()
 #1  0xb7b0c085 in raise () from /lib/tls/i686/cmov/libc.so.6
 #2  0xb7b0da01 in abort () from /lib/tls/i686/cmov/libc.so.6
 #3  0xb7b44b7c in ?? () from /lib/tls/i686/cmov/libc.so.6
 #4  0xb7b4ca85 in ?? () from /lib/tls/i686/cmov/libc.so.6
 #5  0xb7b504f0 in free () from /lib/tls/i686/cmov/libc.so.6
 #6  0xb7e91b51 in g_free () from /usr/lib/libglib-2.0.so.0
 #7  0xb62390a9 in msn_slplink_destroy (slplink=0x400) at slplink.c:117
 #8  0xb623cc42 in msn_switchboard_destroy (swboard=0x8a31d08) at
 switchboard.c:86
 #9  0xb623d5a8 in bye_cmd (cmdproc=0x902ef18, cmd=0x903cc20) at
 switchboard.c:730
 #10 0xb621e4a8 in msn_cmdproc_process_cmd (cmdproc=0x902ef18,
 cmd=0x903cc20) at cmdproc.c:321
 #11 0xb621e614 in msn_cmdproc_process_cmd_text (cmdproc=0x902ef18,
     command=0x905a6a0 "BYE katrinchen_xxxxx at xxxxxxx.de") at cmdproc.c:343
 #12 0xb62355af in read_cb (data=0x833df98, source=9,
 cond=PURPLE_INPUT_READ) at servconn.c:456
 #13 0x0804fe88 in purple_glib_io_invoke (source=0x82d3ee8,
 condition=G_IO_IN, data=0x859c0d8) at imbot.cpp:1637
 #14 0xb7ebdfed in ?? () from /usr/lib/libglib-2.0.so.0
 #15 0xb7e89cc6 in g_main_context_dispatch () from
 /usr/lib/libglib-2.0.so.0
 #16 0xb7e8d083 in ?? () from /usr/lib/libglib-2.0.so.0
 #17 0xb7e8d467 in g_main_loop_run () from /usr/lib/libglib-2.0.so.0
 #18 0x0805331c in main () at imbot.cpp:5231
 }}}

 I deactivated this protocol now. I think it needs some serious work to be
 done.

--

Comment:

 I can confirm that MSN is pretty crashy.  It is by far the crashiest out
 of oscar, msn, yahoo, jabber and myspace.  I haven't noticed any problems
 where we call purple_ssl_write() with conn->ssl or conn->buf being NULL,
 but I guess that's possible, too.

 From my experience the crashes are sporadic and not easily reproducible.
 Sort of a race condition where we receive data while we're in the process
 of shutting down or being disconnected or something.  And so my guess is
 that it's going to be hard for him to get a valgrind log.

 I think some/all of the crashing is because of our use of the "wasted"
 flag and maybe also the "processing" flag.  I think wasted is set to TRUE
 when we know we should disconnect, but I think maybe it causes the MSN
 prpl to get into a state where it doesn't clean up everything correctly?
 So there is still a watcher on the fd but some data structures have been
 freed.

 I think we should change MSN to not use the wasted flag.  I don't believe
 we do anything similar for other protocols and they don't seem to suffer
 without it.

 I'm also going to mark this as not pending... because I know this bug
 exists and I'm not sure the user will be able to provide any more
 information about it.

-- 
Ticket URL: <http://developer.pidgin.im/ticket/7621#comment:4>
Pidgin <http://pidgin.im>
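The failure mode the comment above suspects (a read watcher still registered on the socket after the structures it points to were freed, so a late BYE runs the teardown a second time and g_free() trips glibc's double-free check) can be reproduced in miniature. This is an added example, not Pidgin's code: ServConn, the watcher table, input_add/input_remove and the checked conn_free() are constructed stand-ins for libpurple's servconn, purple_input_add()/purple_input_remove() and g_free(), and servconn_destroy_buggy/servconn_destroy_fixed are hypothetical names for the two teardown orders.

```c
#include <stdlib.h>

/* Constructed stand-ins for libpurple's servconn, its fd-watcher table and g_free();
 * none of this is Pidgin's code. The "live" flag plays the part of a sanitizer's
 * shadow state, so a double free is reported instead of corrupting the heap. */
#define MAX_WATCHERS 8
enum { OK = 0, ERR_DOUBLE_FREE = -1 };
typedef struct {
    int wasted;  /* "we know we should disconnect" */
    int inpa;    /* id of the read watcher on the socket, 0 when none */
    int live;    /* 1 while allocated; cleared by conn_free() */
} ServConn;
static struct { ServConn *conn; int active; } watchers[MAX_WATCHERS];

static int input_add(ServConn *c) {  /* like purple_input_add() */
    for (int id = 1; id < MAX_WATCHERS; id++)
        if (!watchers[id].active) { watchers[id].conn = c; watchers[id].active = 1; return id; }
    abort();
}
static void input_remove(int id) { watchers[id].active = 0; watchers[id].conn = NULL; }

static int conn_free(ServConn *c) {  /* like g_free(), but checked */
    if (!c->live) return ERR_DOUBLE_FREE;
    c->live = 0;
    return OK;
}

/* Buggy teardown: marks the connection wasted and frees it, but the watcher stays. */
static int servconn_destroy_buggy(ServConn *c) { c->wasted = 1; return conn_free(c); }

/* Fixed teardown: unregister the watcher before freeing, so no later callback can run. */
static int servconn_destroy_fixed(ServConn *c) {
    if (c->inpa) { input_remove(c->inpa); c->inpa = 0; }
    return conn_free(c);
}

/* The loop's read callback: a "BYE" command tears the switchboard down again. */
static int deliver(int id, int (*destroy)(ServConn *)) {
    if (!watchers[id].active) return OK;  /* nothing listening: the late BYE is dropped */
    return destroy(watchers[id].conn);    /* read_cb -> bye_cmd -> msn_switchboard_destroy */
}

/* Sequence from the ticket: the prpl decides to disconnect, then data arrives on the fd. */
static int run_scenario(int (*destroy)(ServConn *)) {
    ServConn c = { 0, 0, 1 };
    int id = c.inpa = input_add(&c);
    int rc = destroy(&c);                      /* disconnect path */
    if (rc == OK) rc = deliver(id, destroy);   /* late BYE on the same socket */
    input_remove(id);                          /* keep the table clean between runs */
    return rc;
}
```

Running the buggy order reproduces the double free; the fixed order drops the late BYE because the watcher is gone by the time it arrives. Real builds should confirm the same thing under valgrind or AddressSanitizer rather than trusting the shadow flag.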