Bug 157686

Summary: Kopete crashes when presented with large roster
Product: [Unmaintained] kopete
Reporter: Eric Pullen <epullen>
Component: Jabber Plugin
Assignee: Kopete Developers <kopete-bugs-null>
Status: RESOLVED FIXED
Severity: crash
CC: blade.runner, marcin, sven.burmeister
Priority: NOR
Version: 0.50.0
Target Milestone: ---
Platform: openSUSE
OS: Linux
Latest Commit:
Version Fixed In:
Sentry Crash Report:

Description Eric Pullen 2008-02-11 21:39:25 UTC
Version:           0.50.0 (using KDE 4.0.0)
Installed from:    SuSE RPMs
OS:                Linux

When attaching to our internal jabber server, the client will connect, ask for password, and start to populate the roster. Once it gets to some point in it, it will then crash. I have almost 350 users in that roster. However, I can connect to google talk just fine with only 13 users in the roster.

Here is the backtrace:
Application: Kopete (kopete), signal SIGSEGV
(no debugging symbols found)
Using host libthread_db library "/lib64/libthread_db.so.1".
[Thread debugging using libthread_db enabled]
[New Thread 0x2ab4a0b82450 (LWP 9034)]
[New Thread 0x40800950 (LWP 9238)]
[KCrash handler]
#4  0x00002ab49e3e5687 in memcpy () from /lib64/libc.so.6
#5  0x00002ab495cb376e in KNetwork::Internal::KSocketBuffer::sendTo ()
   from /usr/lib64/libkdecore.so.5
#6  0x00002ab495ca3539 in KNetwork::KBufferedSocket::slotWriteActivity ()
   from /usr/lib64/libkdecore.so.5
#7  0x00002ab495ca26c2 in KNetwork::KBufferedSocket::qt_metacall ()
   from /usr/lib64/libkdecore.so.5
#8  0x00002ab49567b41b in QMetaObject::activate ()
   from /usr/lib64/libQtCore.so.4
#9  0x00002ab4956ae1ce in QSocketNotifier::activated ()
   from /usr/lib64/libQtCore.so.4
#10 0x00002ab4956831bf in QSocketNotifier::event ()
   from /usr/lib64/libQtCore.so.4
#11 0x00002ab49727000f in QApplicationPrivate::notify_helper ()
   from /usr/lib64/libQtGui.so.4
#12 0x00002ab4972768e5 in QApplication::notify () from /usr/lib64/libQtGui.so.4
#13 0x00002ab4968576cb in KApplication::notify () from /usr/lib64/libkdeui.so.5
#14 0x00002ab49566bdd4 in QCoreApplication::notifyInternal ()
   from /usr/lib64/libQtCore.so.4
#15 0x00002ab495690be9 in QEventDispatcherUNIX::activateSocketNotifiers ()
   from /usr/lib64/libQtCore.so.4
#16 0x00002ab49569132b in QEventDispatcherUNIXPrivate::doSelect ()
   from /usr/lib64/libQtCore.so.4
#17 0x00002ab4956914de in QEventDispatcherUNIX::processEvents ()
   from /usr/lib64/libQtCore.so.4
#18 0x00002ab4972e9796 in QEventDispatcherX11::processEvents ()
   from /usr/lib64/libQtGui.so.4
#19 0x00002ab49566b1b8 in QEventLoop::processEvents ()
   from /usr/lib64/libQtCore.so.4
#20 0x00002ab49566b2e6 in QEventLoop::exec () from /usr/lib64/libQtCore.so.4
#21 0x00002ab49566d411 in QCoreApplication::exec ()
   from /usr/lib64/libQtCore.so.4
#22 0x0000000000445f74 in _start ()
#0  0x00002ab495940acf in waitpid () from /lib64/libpthread.so.0
Comment 1 S. Burmeister 2008-02-12 23:04:24 UTC
I think I see the same crash while importing my roster the first time. This is still valid for today's SVN.

Application: Kopete (kopete), signal SIGSEGV
Using host libthread_db library "/lib/libthread_db.so.1".
[Thread debugging using libthread_db enabled]
[New Thread 0xb5a5d6d0 (LWP 1212)]
[New Thread 0xb31ebb90 (LWP 1240)]
[KCrash handler]
#6  0xb5ff66cc in memcpy () from /lib/libc.so.6
#7  0xb7d1fd42 in KNetwork::Internal::KSocketBuffer::sendTo (this=0x8142e48, 
    dev=0x8394b60, len=-1)
    at /home/kde-devel/kde/src/KDE/kdelibs/kdecore/network/k3socketbuffer.cpp:256
#8  0xb7d09ba5 in KNetwork::KBufferedSocket::slotWriteActivity (this=0x8111970)
    at /home/kde-devel/kde/src/KDE/kdelibs/kdecore/network/k3bufferedsocket.cpp:349
#9  0xb7d09a0d in KNetwork::KBufferedSocket::qt_metacall (this=0x8111970, 
    _c=QMetaObject::InvokeMetaMethod, _id=1, _a=0xbff6576c)
    at /home/kde-devel/kde/build/KDE/kdelibs/kdecore/k3bufferedsocket.moc:67
#10 0xb7f195b6 in QMetaObject::activate (sender=0x84f9358, 
    from_signal_index=4, to_signal_index=4, argv=0xbff6576c)
    at kernel/qobject.cpp:3087
#11 0xb7f19fc1 in QMetaObject::activate (sender=0x84f9358, m=0xb7f8c8f0, 
    local_signal_index=0, argv=0xbff6576c) at kernel/qobject.cpp:3149
#12 0xb7f3f738 in QSocketNotifier::activated (this=0x84f9358, _t1=24)
    at .moc/debug-shared/moc_qsocketnotifier.cpp:80
#13 0xb7f21ab1 in QSocketNotifier::event (this=0x84f9358, e=0xbff65c68)
    at kernel/qsocketnotifier.cpp:317
#14 0xb6f519c7 in QApplicationPrivate::notify_helper (this=0x80c2d78, 
    receiver=0x84f9358, e=0xbff65c68) at kernel/qapplication.cpp:3556
#15 0xb6f51ce0 in QApplication::notify (this=0xbff67cc0, receiver=0x84f9358, 
    e=0xbff65c68) at kernel/qapplication.cpp:3115
#16 0xb798fcf5 in KApplication::notify (this=0xbff67cc0, receiver=0x84f9358, 
    event=0xbff65c68)
    at /home/kde-devel/kde/src/KDE/kdelibs/kdeui/kernel/kapplication.cpp:311
#17 0xb7f054a4 in QCoreApplication::notifyInternal (this=0xbff67cc0, 
    receiver=0x84f9358, event=0xbff65c68) at kernel/qcoreapplication.cpp:530
#18 0xb7f087f1 in QCoreApplication::sendEvent (receiver=0x84f9358, 
    event=0xbff65c68)
    at ../../include/QtCore/../../src/corelib/kernel/qcoreapplication.h:200
#19 0xb7f2feec in socketNotifierSourceDispatch (source=0x80c2e68)
    at kernel/qeventdispatcher_glib.cpp:102
#20 0xb5f075d6 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#21 0xb5f0a972 in ?? () from /usr/lib/libglib-2.0.so.0
#22 0x080c5098 in ?? ()
#23 0x00000000 in ?? ()
#0  0xffffe410 in __kernel_vsyscall ()
Comment 2 David Heidelberg 2008-02-26 21:43:33 UTC
I have this problem too (62 users in roster). After adding a Jabber account in Kopete and logging in, Kopete crashes.
Comment 3 Marcin Juszkiewicz 2008-03-19 10:12:57 UTC
53 users in roster and crashing too - Kopete 4.0.1 from Debian
Comment 4 Marcin Juszkiewicz 2008-03-19 10:14:42 UTC
adds myself to Cc:
Comment 5 Christophe Marin 2008-07-03 16:39:17 UTC
*** Bug 161937 has been marked as a duplicate of this bug. ***
Comment 6 Detlev Casanova 2008-07-23 11:38:20 UTC
Same backtrace here, but it does not happen when retrieving the roster. It happens when I send this stanza:

<iq from="kopete@localhost/Kopete" type="set" to="cazou88@localhost/Kopete" id="aabfa" >
 <jingle xmlns="urn:xmpp:tmp:jingle" initiator="cazou88@localhost/Kopete" action="session-info" sid="a99d8" >
  <trying xmlns="urn:xmpp:tmp:jingle:transports:ice-udp:info"/>
 </jingle>
</iq>

I really don't know why...
Also, it does not happen every time but very often.
Comment 7 Detlev Casanova 2008-07-24 15:02:35 UTC
(gdb) print item.data()
$10 = 0x8482188 "<iq from=\"kopete@localhost/Kopete\" type=\"set\" to=\"cazou88@localhost/Kopete\" id=\"aac4a\" >\n<jingle xmlns=\"urn:xmpp:tmp:jingle\" initiator=\"cazou88@localhost/Kopete\" action=\"session-info\" sid=\"afbee\" >\n<t"...
(gdb) print item.data()+100
$11 = 0x84821ec "ns=\"urn:xmpp:tmp:jingle\" initiator=\"cazou88@localhost/Kopete\" action=\"session-info\" sid=\"afbee\" >\n<trying xmlns=\"urn:xmpp:tmp:jingle:transports:ice-udp:info\"/>\n</jingle>\n</iq>\n"
(gdb) print buf.data()
$12 = 0x84839d0 ""
(gdb) p count
$14 = 0
(gdb) p offset
$15 = 424
(gdb) p item.length()
$16 = 276
(gdb) p item.size() - offset
$18 = -148

Here's what I can get from gdb. I don't know that code at all, so I don't know what might cause any problem.
The empty buffer shows that no memory has been copied yet.
How come item.length() is 276 and offset is 424?
Kopete crashes with this line:

memcpy(buf.data() + count, item.data() + offset, item.size() - offset);

item.data() + offset is out of bounds and the size (3rd argument to memcpy) is negative (-148).
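The gdb values in comment 7 describe a classic length-underflow: with signed operands, item.size() - offset is -148, and converting that to memcpy's size_t length parameter produces a huge value, so memcpy reads and writes far past both buffers. The following C model is an added example, not KDE's KSocketBuffer code and not the r831170 fix (which this report does not show). The queue_item type, the copy_remaining and memcpy_length_as_passed functions and the sample stanza bytes are constructed for the example; the numbers 0, 424 and 276 are the count, offset and length from the gdb session.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of one queued send item (an assumption for this
 * example, not KDE's KSocketBuffer): the bytes to send, their length, and
 * how many of them have already been written to the socket. */
typedef struct {
    const char *data;
    size_t size;
    size_t offset;   /* bytes already consumed from the front of data */
} queue_item;

/* What the crashing line actually hands to memcpy. In the original the
 * operands are signed, so 276 - 424 is -148; converting that to size_t for
 * memcpy's length parameter yields SIZE_MAX - 147, and memcpy walks off the
 * end of both buffers. */
size_t memcpy_length_as_passed(int size, int offset)
{
    int signed_len = size - offset;      /* -148 with the values from comment 7 */
    return (size_t)signed_len;           /* the enormous length: the bug */
}

/* Bounded replacement for
 *   memcpy(buf.data() + count, item.data() + offset, item.size() - offset);
 * Rejects an item whose offset has run past its size instead of letting the
 * subtraction wrap, and never writes past the destination capacity.
 * Returns the number of bytes copied, or -1 if the state is inconsistent. */
long copy_remaining(char *dst, size_t dst_cap, size_t count,
                    const queue_item *item)
{
    if (item == NULL || item->data == NULL)
        return -1;
    if (item->offset > item->size)       /* the comment 7 state: 424 > 276 */
        return -1;
    if (count > dst_cap)                 /* destination already overrun */
        return -1;

    size_t remaining = item->size - item->offset;   /* cannot wrap now */
    size_t room = dst_cap - count;
    size_t n = remaining < room ? remaining : room; /* partial write is fine */
    memcpy(dst + count, item->data + item->offset, n);
    return (long)n;
}

/* Replays the numbers from the gdb session (count 0, offset 424, length 276)
 * against a constructed 276-byte stand-in for the stanza. */
long check_comment7_state(void)
{
    static char stanza[276];
    memset(stanza, 'x', sizeof stanza);
    queue_item item = { stanza, sizeof stanza, 424 };
    char out[4096];
    return copy_remaining(out, sizeof out, 0, &item);   /* -1, nothing copied */
}

/* A consistent item: a constructed 16-byte stanza with 4 bytes already sent. */
long check_normal_state(void)
{
    static const char msg[] = "<iq type=\"set\"/>";
    queue_item item = { msg, sizeof msg - 1, 4 };
    char out[64];
    return copy_remaining(out, sizeof out, 0, &item);   /* 12 */
}

int main(void)
{
    printf("length the bug passes to memcpy: %zu\n", memcpy_length_as_passed(276, 424));
    printf("checked copy, comment 7 state:   %ld\n", check_comment7_state());
    printf("checked copy, consistent item:   %ld\n", check_normal_state());
    return 0;
}
```

The check that matters is the offset > size comparison before the subtraction: once the subtraction is done in unsigned arithmetic, or in signed arithmetic and then converted, the negative result is no longer visible to the caller, so the invariant has to be enforced on the operands rather than on the length.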
Comment 8 Olivier Goffart 2008-07-24 16:00:50 UTC
Resolved in r831170