Bug 313525

Summary: ktp-text-ui crashes, possibly on "bad" sent/received message
Product: [Unmaintained] telepathy
Reporter: Maksim Melnikau <maxposedon>
Component: text-ui
Assignee: Telepathy Bugs <kde-telepathy-bugs>
Status: RESOLVED FIXED
Severity: crash
CC: kde
Priority: NOR
Version: 0.5.2
Target Milestone: Future
Platform: Compiled Sources
OS: Linux
Latest Commit:
Version Fixed In: 0.5.3
Sentry Crash Report:

Description Maksim Melnikau 2013-01-19 22:15:01 UTC
Application: ktp-text-ui (0.5.2)
KDE Platform Version: 4.9.5 (Compiled from sources)
Qt Version: 4.8.4
Operating System: Linux 3.7.2-gentoo x86_64
Distribution: "Gentoo Base System release 2.2"

-- Information about the crash:
- What I was doing when the application crashed:
Send message from text chat ui.

- Custom settings of the application:
I'm developing my own "echo" CM, based on my telepathy-python
https://github.com/max-posedon/telepathy-foo
https://github.com/max-posedon/telepathy-python

The crash can be reproduced every time.

-- Backtrace:
Application: Telepathy Text Ui (ktp-text-ui), signal: Segmentation fault
Using host libthread_db library "/lib64/libthread_db.so.1".
[Current thread is 1 (Thread 0x7f1dccc3c780 (LWP 25222))]

Thread 3 (Thread 0x7f1db2d0c700 (LWP 25224)):
#0  pthread_cond_wait () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:164
#1  0x00007f1dc371ff1d in WTF::TCMalloc_PageHeap::scavengerThread() () from /usr/lib64/qt4/libQtWebKit.so.4
#2  0x00007f1dc3720029 in WTF::TCMalloc_PageHeap::runScavengerThread(void*) () from /usr/lib64/qt4/libQtWebKit.so.4
#3  0x00007f1dc8a53f3b in start_thread (arg=0x7f1db2d0c700) at pthread_create.c:308
#4  0x00007f1dc8d5208d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:114

Thread 2 (Thread 0x7f1db240b700 (LWP 25225)):
#0  0x00007f1dc8d446bd in read () at ../sysdeps/unix/syscall-template.S:81
#1  0x00007f1dc494d53f in read (__nbytes=16, __buf=0x7f1db240ac90, __fd=<optimized out>) at /usr/include/bits/unistd.h:44
#2  g_wakeup_acknowledge (wakeup=0x241fea0) at gwakeup.c:212
#3  0x00007f1dc4911144 in g_main_context_check (context=context@entry=0x7f1dac0009a0, max_priority=2147483647, fds=fds@entry=0x7f1dac0027c0, n_fds=n_fds@entry=1) at gmain.c:3129
#4  0x00007f1dc4911552 in g_main_context_iterate (context=context@entry=0x7f1dac0009a0, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at gmain.c:3287
#5  0x00007f1dc49116d4 in g_main_context_iteration (context=0x7f1dac0009a0, may_block=1) at gmain.c:3351
#6  0x00007f1dca3d92d6 in QEventDispatcherGlib::processEvents (this=0x7f1dac0008c0, flags=...) at kernel/qeventdispatcher_glib.cpp:426
#7  0x00007f1dca3a9c2f in QEventLoop::processEvents (this=this@entry=0x7f1db240ae70, flags=...) at kernel/qeventloop.cpp:149
#8  0x00007f1dca3a9eb8 in QEventLoop::exec (this=0x7f1db240ae70, flags=...) at kernel/qeventloop.cpp:204
#9  0x00007f1dca2abc20 in QThread::exec (this=<optimized out>) at thread/qthread.cpp:542
#10 0x00007f1dca2aebac in QThreadPrivate::start (arg=0x24386e0) at thread/qthread_unix.cpp:338
#11 0x00007f1dc8a53f3b in start_thread (arg=0x7f1db240b700) at pthread_create.c:308
#12 0x00007f1dc8d5208d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:114

Thread 1 (Thread 0x7f1dccc3c780 (LWP 25222)):
[KCrash Handler]
#5  0x00007f1dcb60fbcb in Tp::Contact::alias() const () from /usr/lib64/libtelepathy-qt4.so.2
#6  0x00007f1dca73596a in ChatWidget::notifyAboutIncomingMessage(Tp::ReceivedMessage const&) () from /usr/lib64/libktpchat.so
#7  0x00007f1dca73abb6 in ChatWidget::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) () from /usr/lib64/libktpchat.so
#8  0x00007f1dca3c02df in QMetaObject::activate (sender=0x2255c60, m=<optimized out>, local_signal_index=<optimized out>, argv=0x7fff0c4e14c0) at kernel/qobject.cpp:3539
#9  0x00007f1dcb725065 in Tp::TextChannel::messageReceived(Tp::ReceivedMessage const&) () from /usr/lib64/libtelepathy-qt4.so.2
#10 0x00007f1dcb72a26b in Tp::TextChannel::Private::processMessageQueue() () from /usr/lib64/libtelepathy-qt4.so.2
#11 0x00007f1dcb72acf1 in Tp::TextChannel::onMessageReceived(QList<Tp::MessagePart> const&) () from /usr/lib64/libtelepathy-qt4.so.2
#12 0x00007f1dcb72e108 in Tp::TextChannel::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) () from /usr/lib64/libtelepathy-qt4.so.2
#13 0x00007f1dca3c02df in QMetaObject::activate (sender=0x23978f0, m=<optimized out>, local_signal_index=<optimized out>, argv=0x7fff0c4e1880) at kernel/qobject.cpp:3539
#14 0x00007f1dcb5579b5 in Tp::Client::ChannelInterfaceMessagesInterface::MessageReceived(QList<Tp::MessagePart> const&) () from /usr/lib64/libtelepathy-qt4.so.2
#15 0x00007f1dcb55c71c in Tp::Client::ChannelInterfaceMessagesInterface::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) () from /usr/lib64/libtelepathy-qt4.so.2
#16 0x00007f1dcb55c7fb in Tp::Client::ChannelInterfaceMessagesInterface::qt_metacall(QMetaObject::Call, int, void**) () from /usr/lib64/libtelepathy-qt4.so.2
#17 0x00007f1dc9fd4d83 in QDBusConnectionPrivate::deliverCall (this=0x21ea1b0, object=0x23978f0, msg=..., metaTypes=..., slotIdx=10) at qdbusintegrator.cpp:951
#18 0x00007f1dca3bf7be in QObject::event (this=0x23978f0, e=<optimized out>) at kernel/qobject.cpp:1194
#19 0x00007f1dc94f47fc in QApplicationPrivate::notify_helper (this=this@entry=0x220a910, receiver=receiver@entry=0x23978f0, e=e@entry=0x2c56e50) at kernel/qapplication.cpp:4562
#20 0x00007f1dc94f8c7a in QApplication::notify (this=0x21fbd40, receiver=0x23978f0, e=0x2c56e50) at kernel/qapplication.cpp:4423
#21 0x00007f1dcc185cf6 in KApplication::notify(QObject*, QEvent*) () from /usr/lib64/libkdeui.so.5
#22 0x00007f1dca3aaede in QCoreApplication::notifyInternal (this=0x21fbd40, receiver=receiver@entry=0x23978f0, event=event@entry=0x2c56e50) at kernel/qcoreapplication.cpp:946
#23 0x00007f1dca3ae841 in sendEvent (event=0x2c56e50, receiver=0x23978f0) at kernel/qcoreapplication.h:231
#24 QCoreApplicationPrivate::sendPostedEvents (receiver=0x0, event_type=0, data=0x21c3620) at kernel/qcoreapplication.cpp:1570
#25 0x00007f1dca3d9123 in sendPostedEvents () at kernel/qcoreapplication.h:236
#26 postEventSourceDispatch (s=s@entry=0x220bc00) at kernel/qeventdispatcher_glib.cpp:279
#27 0x00007f1dc49112e5 in g_main_dispatch (context=0x220ba20) at gmain.c:2715
#28 g_main_context_dispatch (context=context@entry=0x220ba20) at gmain.c:3219
#29 0x00007f1dc4911618 in g_main_context_iterate (context=context@entry=0x220ba20, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at gmain.c:3290
#30 0x00007f1dc49116d4 in g_main_context_iteration (context=0x220ba20, may_block=1) at gmain.c:3351
#31 0x00007f1dca3d92b6 in QEventDispatcherGlib::processEvents (this=0x21c4f00, flags=...) at kernel/qeventdispatcher_glib.cpp:424
#32 0x00007f1dc9593fde in QGuiEventDispatcherGlib::processEvents (this=<optimized out>, flags=...) at kernel/qguieventdispatcher_glib.cpp:204
#33 0x00007f1dca3a9c2f in QEventLoop::processEvents (this=this@entry=0x7fff0c4e2400, flags=...) at kernel/qeventloop.cpp:149
#34 0x00007f1dca3a9eb8 in QEventLoop::exec (this=0x7fff0c4e2400, flags=...) at kernel/qeventloop.cpp:204
#35 0x00007f1dca3aeb58 in QCoreApplication::exec () at kernel/qcoreapplication.cpp:1218
#36 0x000000000040e623 in main ()

Possible duplicates by query: bug 305218.

Reported using DrKonqi
Comment 1 Maksim Melnikau 2013-01-20 00:12:27 UTC
I downgraded to the 0.5.1 kde-telepathy version and everything works, so it's some kind of regression.
Comment 2 David Edmundson 2013-01-20 04:48:42 UTC
It's a null sender() in the receivedMessage. Will happen if the ContactHandle isn't one Telepathy knows about.

Pretty sure there was another crash on that here too for the same issue, that happened once in a jabber chatroom and no-one could repeat.

The thing is I don't know if it's a bug in TpQt, or whether this is a legitimate situation, and we should always check. I don't want to add in workarounds in our code if it's not where the real problem is.
Comment 3 Maksim Melnikau 2013-01-20 08:54:55 UTC
I think a segfault on an incorrect dbus message is always a bug: the data should be checked, a warning printed, and the message skipped. And as I see it, processMessageQueue has a check for this kind of situation:

void TextChannel::Private::processMessageQueue() {
    while (!incompleteMessages.isEmpty()) {
        const QueuedEvent *e = incompleteMessages.first();   // declaration elided in the quote
        if (e->isMessage) {
            // Only waits when a non-zero handle has not resolved to a contact yet;
            // a handle of 0 (sender unknown) passes through with a null sender().
            if (e->message.senderHandle() != 0 && !e->message.sender()) {
                break;
            }
            emit parent->messageReceived(e->message);
            // ... rest of the loop body omitted in the quote
        }
    }
}
Comment 4 Maksim Melnikau 2013-01-20 09:18:23 UTC
And yes, in my echo CM I made a bug, and the message-sender header part is missing.

But according to http://telepathy.freedesktop.org/spec/Channel_Interface_Messages.html#Simple-Type:Message_Header_Key:

message-sender (u - Contact_Handle) The contact who sent the message. If 0 or omitted, the contact who sent the message could not be determined.

And this is the kind of situation that happened in the jabber room in your example, David Edmundson.
Comment 5 David Edmundson 2013-01-20 12:12:07 UTC
Brilliant, that's all the info I need.

Will fix.
Comment 6 David Edmundson 2013-01-27 19:50:56 UTC
Git commit 4cc1135127905d3681655e19a1a3d403f3d7c3d1 by David Edmundson.
Committed on 27/01/2013 at 20:40.
Pushed by davidedmundson into branch 'kde-telepathy-0.5'.

Check messages.sender() is valid before using it.

REVIEW: 108508

M  +15   -9    lib/chat-widget.cpp

http://commits.kde.org/telepathy-text-ui/4cc1135127905d3681655e19a1a3d403f3d7c3d1
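The two technical points of this report, the spec semantics quoted in comment 4 (message-sender of 0 or omitted means the sender could not be determined, so sender() is legitimately null) and the fix in comment 6 (check sender() is valid before using it), as an added example. This is illustration code, not ktp-text-ui or TelepathyQt code: the Message/Contact/ContactTable types, the function names, the sample messages and the "Unknown contact" fallback label are all assumptions of the example, modelled on the spec keys and the backtrace in the report.

```cpp
// Added illustration, not code from ktp-text-ui or TelepathyQt: a small model of a
// Telepathy "Messages" part list and of the sender check the fix adds.
#include <iostream>
#include <map>
#include <memory>
#include <stdexcept>
#include <string>
#include <vector>

// A message is a list of parts; part 0 is the header. Keys follow the spec names
// quoted in the report ("message-sender", "content-type", "content"). Constructed model.
using MessagePart = std::map<std::string, std::string>;
using Message = std::vector<MessagePart>;

// Stand-in for Tp::Contact: only the alias the chat widget needs.
struct Contact {
    std::string alias;
};

// Stand-in for the contacts a connection knows, keyed by Contact_Handle.
using ContactTable = std::map<unsigned, std::shared_ptr<Contact>>;

// "message-sender" from the header. Per the spec text in comment 4, 0 or omitted
// means the sender could not be determined; a malformed value is treated the same way.
unsigned senderHandle(const Message& msg) {
    if (msg.empty()) return 0;
    auto it = msg[0].find("message-sender");
    if (it == msg[0].end()) return 0;
    try {
        return static_cast<unsigned>(std::stoul(it->second));
    } catch (const std::logic_error&) {   // invalid_argument or out_of_range
        return 0;
    }
}

// Model of Tp::ReceivedMessage::sender(): null when the handle is 0 or unknown.
std::shared_ptr<Contact> sender(const Message& msg, const ContactTable& contacts) {
    unsigned handle = senderHandle(msg);
    if (handle == 0) return nullptr;
    auto it = contacts.find(handle);
    return it == contacts.end() ? nullptr : it->second;
}

// Plain-text body: the "content" of every non-header part of type text/plain.
std::string messageText(const Message& msg) {
    std::string text;
    for (size_t i = 1; i < msg.size(); ++i) {
        auto type = msg[i].find("content-type");
        auto content = msg[i].find("content");
        if (type != msg[i].end() && type->second == "text/plain" && content != msg[i].end()) {
            text += content->second;
        }
    }
    return text;
}

// Before the fix: the alias is read without checking the pointer. With a null
// sender this is the frame-5 crash in the backtrace (Tp::Contact::alias on null).
std::string senderAliasUnchecked(const Message& msg, const ContactTable& contacts) {
    return sender(msg, contacts)->alias;   // undefined behaviour when sender is null
}

// After the fix: check that sender() is valid before using it. The fallback label
// is an assumption of this example, not the label ktp-text-ui uses.
std::string senderAliasChecked(const Message& msg, const ContactTable& contacts) {
    std::shared_ptr<Contact> c = sender(msg, contacts);
    return c ? c->alias : std::string("Unknown contact");
}

// What the notification path would render: "<alias>: <text>". A sender-less
// message is displayed with the fallback label instead of taking the client down.
std::string formatIncoming(const Message& msg, const ContactTable& contacts) {
    return senderAliasChecked(msg, contacts) + ": " + messageText(msg);
}

// Constructed samples mirroring the report: a known sender (handle 7), the echo CM's
// message with the header omitted, and a handle the connection does not know.
ContactTable sampleContacts() {
    return {{7, std::make_shared<Contact>(Contact{"Alice"})}};
}

Message sampleMessage(const char* senderField, const std::string& text) {
    MessagePart header;
    if (senderField != nullptr) header["message-sender"] = senderField;
    MessagePart body{{"content-type", "text/plain"}, {"content", text}};
    return {header, body};
}

int main() {
    ContactTable contacts = sampleContacts();
    std::cout << formatIncoming(sampleMessage("7", "hi"), contacts) << '\n';       // Alice: hi
    std::cout << formatIncoming(sampleMessage(nullptr, "echo"), contacts) << '\n'; // Unknown contact: echo
    std::cout << formatIncoming(sampleMessage("99", "x"), contacts) << '\n';      // Unknown contact: x
    return 0;
}
```

The check belongs in the consumer of messageReceived, because the library's own guard in processMessageQueue only waits for an unresolved non-zero handle; a handle of 0 (or an omitted header) is delivered with a null sender() by design, so any peer-controlled message can reach that path.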