Bug 637741 - Libsoup crashes on canceling message, if client is waiting for a response
Status: RESOLVED FIXED
Product: libsoup
Classification: Core
Component: API
Version: 2.32.x
Hardware: Other Linux
Importance: Normal major
Target Milestone: ---
Assigned To: libsoup-maint@gnome.bugs
QA Contact: libsoup-maint@gnome.bugs
Duplicates: 603368
Depends on:
Blocks:
Reported: 2010-12-21 13:12 UTC by Marek Chrzanowski
Modified: 2011-11-22 08:25 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
soup-message-io: don't watch for SoupSocket::disconnect (2.50 KB, patch)
2011-01-10 18:55 UTC, Dan Winship
soup_session_cancel_message: fix up, especially in sync sessions (9.20 KB, patch)
2011-01-10 18:55 UTC, Dan Winship

Description Marek Chrzanowski 2010-12-21 13:12:07 UTC
Using a sync session I sent a request to a server; it takes a long time for the server to process the request. The libsoup thread is waiting on soup_socket_read_until in the read_metadata function. At the same time I called soup_session_cancel_message from another thread, which calls soup_message_io_cleanup, which clears priv->io_data of msg. The libsoup thread receives EOF on soup_socket_read_until, which causes a call to io_error, which tries to access io, which was set to NULL in another thread.
Segmentation fault occurs.

Fix, which helps.

diff --git a/libsoup/soup-message-io.c b/libsoup/soup-message-io.c
index d78aa39..cb2b9b4 100644
--- a/libsoup/soup-message-io.c
+++ b/libsoup/soup-message-io.c
@@ -186,6 +186,9 @@ io_error (SoupSocket *sock, SoupMessage *msg, GError *error)
        SoupMessagePrivate *priv = SOUP_MESSAGE_GET_PRIVATE (msg);
        SoupMessageIOData *io = priv->io_data;
 
+       if (!io)
+               return;
+
        if (error && error->domain == G_TLS_ERROR) {
                soup_message_set_status_full (msg,
                                              SOUP_STATUS_SSL_FAILED,
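Review bot: the `if (!io) return;` guard at the top of io_error tests a pointer that another thread can clear, so it narrows the crash window rather than closing it. `io` is copied from `priv->io_data` two lines earlier with no lock in the lines shown; if the cancelling thread runs its cleanup just after this check passes, whatever io_error goes on to do with `io` works on state that thread is tearing down. The early return also skips the soup_message_set_status_full call visible below, so a TLS error arriving on this path is not recorded on the message. Suggest having the cancelling thread only signal the I/O thread and leaving every change to io_data to the thread that owns the I/O.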
Comment 1 Marek Chrzanowski 2010-12-22 07:16:57 UTC
I've also changed this to get it finally working, but I don't know if I didn't break something else:
--- a/libsoup/soup-session.c
+++ b/libsoup/soup-session.c
@@ -1638,7 +1638,7 @@ cancel_message (SoupSession *session, SoupMessage *msg, guint status_code)
 
        soup_message_set_status (msg, status_code);
        if (soup_message_io_in_progress (msg))
-               soup_message_io_finished (msg);
+               soup_message_io_stop (msg);
        else
                item->state = SOUP_MESSAGE_FINISHING;
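Review bot: the call on the `+` line is still made from the thread that calls cancel_message, while the session's own thread may be inside the message I/O code, so swapping soup_message_io_finished for soup_message_io_stop does not remove the cross-thread access from the original report. Also check that the queue item still reaches SOUP_MESSAGE_FINISHING on this path: in the lines shown, only the else branch sets it. A short comment stating which thread completes the message after the stop would make the intent reviewable.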
Comment 2 Dan Winship 2011-01-10 18:55:45 UTC
Created attachment 177957
soup-message-io: don't watch for SoupSocket::disconnect

The IO code was explicitly handling the SoupSocket::disconnect signal,
but this is actually redundant; if the socket gets disconnected we'll
get either an error (if writing) or an eof (if reading), and the code
will do the right thing with that. Watching ::disconnected too just
results in processing the same error twice and having to be extra
careful to do it idempotently.
Comment 3 Dan Winship 2011-01-10 18:55:47 UTC
Created attachment 177958
soup_session_cancel_message: fix up, especially in sync sessions

Cancelling a message from another thread had some race conditions that
could sometimes cause crashes. Fix things up a bit by using
GCancellable to interrupt the I/O, rather than calling
soup_message_io_finished() directly.

Also added a test for this case to tests/misc-test, although
unfortunately due to the raciness of the bug, it only failed
sporadically even before the fix (but seems to fail never now).
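
The cancellation approach described in comment 3, as an added example (not libsoup code and not taken from the attached patch): the cancelling thread only signals, and the thread that owns the I/O wakes up and tears down its own state. A pipe polled alongside the data descriptor stands in for GCancellable; `struct msg`, `msg_cancel`, `io_thread` and `run_cancel_demo` are hypothetical names, and the never-answering server is constructed with a second pipe.

```c
#include <poll.h>
#include <pthread.h>
#include <stdlib.h>
#include <unistd.h>

enum { MSG_OK = 0, MSG_CANCELLED = 1, MSG_IO_ERROR = 2 };

/* Hypothetical stand-in for a message and its per-message I/O state. */
struct msg {
    int data_fd;    /* "socket" the I/O thread reads from */
    int cancel_rd;  /* read end of the cancel pipe, polled by the I/O thread */
    int cancel_wr;  /* write end: the only field a cancelling thread uses */
    char *io_data;  /* owned by the I/O thread, never freed elsewhere */
    int status;
};

/* Callable from any thread: requests cancellation, touches no I/O state. */
static void msg_cancel(struct msg *m) {
    if (write(m->cancel_wr, "x", 1) != 1) { /* nothing to undo on failure */ }
}

/* I/O thread: waits for data or a cancel request, then cleans up itself. */
static void *io_thread(void *arg) {
    struct msg *m = arg;
    struct pollfd fds[2] = { { .fd = m->data_fd, .events = POLLIN },
                             { .fd = m->cancel_rd, .events = POLLIN } };
    m->io_data = malloc(64);
    if (poll(fds, 2, 5000) <= 0) m->status = MSG_IO_ERROR;
    else if (fds[1].revents & POLLIN) m->status = MSG_CANCELLED;
    else m->status = MSG_OK;
    free(m->io_data);  /* teardown happens only on the owning thread */
    m->io_data = NULL;
    return NULL;
}

/* Constructed scenario: the peer never answers and another thread cancels. */
static int run_cancel_demo(void) {
    int data[2], cancel[2];
    pthread_t t;
    if (pipe(data) || pipe(cancel)) return -1;
    struct msg m = { data[0], cancel[0], cancel[1], NULL, -1 };
    if (pthread_create(&t, NULL, io_thread, &m)) return -1;
    msg_cancel(&m);
    pthread_join(t, NULL);
    close(data[0]); close(data[1]); close(cancel[0]); close(cancel[1]);
    return m.io_data == NULL ? m.status : -1;
}

int main(void) { return run_cancel_demo() == MSG_CANCELLED ? 0 : 1; }
```

Because the cancel request is a byte in a pipe, it is not lost if it arrives before the I/O thread starts waiting.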
Comment 4 Dan Winship 2011-01-10 18:56:35 UTC
(In reply to comment #1)
> I've also changed this to get it finally working, but I don't know if I didn't
> break something else:

"make check" is a good way to test for that.

Anyway, can you try the attached patches?
Comment 5 Milan Crha 2011-02-08 10:55:54 UTC
Downstream bug report about the same:
https://bugzilla.redhat.com/show_bug.cgi?id=675754

Thread 1 (Thread 3228)

  • #0 soup_message_io_finished
    at soup-message-io.c line 163
  • #1 io_error
    at soup-message-io.c line 206
  • #2 write_data
    at soup-message-io.c line 523
  • #3 io_write
    at soup-message-io.c line 610
  • #4 soup_message_send_request
    at soup-message-client-io.c line 144
  • #5 soup_connection_send_request
    at soup-connection.c line 704
  • #6 soup_session_send_queue_item
    at soup-session.c line 1197
  • #7 process_queue_item
    at soup-session-sync.c line 287
  • #8 send_message
    at soup-session-sync.c line 366
  • #9 soup_session_send_message
    at soup-session.c line 1575

Comment 6 Dan Winship 2011-04-14 17:38:28 UTC
this should be fixed in 2.34.0
Comment 7 Milan Crha 2011-11-22 08:25:27 UTC
*** Bug 603368 has been marked as a duplicate of this bug. ***