Bug 772193 – test-suite failure, tests/multipart-test segfaults (occasionally)

After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.

Bug 772193 - test-suite failure, tests/multipart-test segfaults (occasionally)


Summary:	test-suite failure, tests/multipart-test segfaults (occasionally)


Status:	RESOLVED OBSOLETE

Product:	libsoup
Classification:	Core
Component:	Misc
Version:	2.56.x
Hardware:	Other Linux

Importance:	Normal normal
Target Milestone:	---
Assigned To:	libsoup-maint@gnome.bugs
QA Contact:	libsoup-maint@gnome.bugs

URL:
Whiteboard:

Depends on:
Blocks:

Reported:	2016-09-29 15:41 UTC by Michael Biebl
Modified:	2018-09-21 16:27 UTC

See Also:
GNOME target:	---
GNOME version:	---

Description Michael Biebl 2016-09-29 15:41:05 UTC

Running the test-suite occasionally fails due to  tests/multipart-test segfaulting. This is not 100% reproducible, so it looks like a race condition.

A backtrace is attached

+ Trace 236711

#0 g_source_destroy_internal
at ././glib/gmain.c line 1236
#1 g_source_destroy
at ././glib/gmain.c line 1285
#2 soup_session_dispose
at soup-session.c line 317
#3 g_object_unref
at ././gobject/gobject.c line 3148
#4 main
at multipart-test.c line 515
#0 g_source_destroy_internal
at ././glib/gmain.c line 1236
#1 g_source_destroy
at ././glib/gmain.c line 1285
#2 soup_session_dispose
at soup-session.c line 317
#3 g_object_unref
at ././gobject/gobject.c line 3148
#4 main
at multipart-test.c line 515

Comment 1 Michael Biebl 2016-09-29 15:45:26 UTC

Running tests/multipart-tests eventually fails.
To get the backtrace I used 
ulimit -c unlimited
and then ran the following shell script


#!/bin/sh

set -e

while true; do
  tests/multipart-test
done

Comment 2 Dan Winship 2016-10-27 12:44:57 UTC

worksforme :-/

Comment 3 Emanuele Aina 2017-09-05 08:57:00 UTC

I can reproduce the segfault on 2.59.90.1-3-g4f673b2, running the testcase in a loop. It crashed at the 27875th iteration. :)

 COUNT=1; while env -i G_SLICE=always-malloc PATH=$PATH ./tests/multipart-test -p /multipart/async-small-reads; do printf '=== %d ===\n' $COUNT; COUNT=$((COUNT+1)); done

Since the original crashe ended up in gslice, I used G_SLICE=always-malloc and got a sligthly different backtrace:

(gdb) bt full

+ Trace 237929

#0 io_read
at soup-message-io.c line 609
#1 io_run_until
at soup-message-io.c line 977
#2 soup_message_io_run_until_finish
at soup-message-io.c line 1115
#3 soup_client_input_stream_close_fn
at soup-client-input-stream.c line 132
#4 g_input_stream_close
at /usr/src/packages/BUILD/./gio/ginputstream.c line 511
#5 g_input_stream_close
at /usr/src/packages/BUILD/./gio/ginputstream.c line 511
#6 g_input_stream_dispose
at /usr/src/packages/BUILD/./gio/ginputstream.c line 99
#7 soup_multipart_input_stream_dispose
at soup-multipart-input-stream.c line 77
#8 g_object_unref
at /usr/src/packages/BUILD/./gobject/gobject.c line 3148
#9 g_task_finalize
at /usr/src/packages/BUILD/./gio/gtask.c line 631
#10 g_object_unref
at /usr/src/packages/BUILD/./gobject/gobject.c line 3185
#11 g_task_thread_pool_thread
at /usr/src/packages/BUILD/./gio/gtask.c line 1307
#12 g_thread_pool_thread_proxy
at /usr/src/packages/BUILD/./glib/gthreadpool.c line 307
#13 g_thread_proxy
at /usr/src/packages/BUILD/./glib/gthread.c line 784
#14 start_thread
at pthread_create.c line 333
#15 clone
at ../sysdeps/unix/sysv/linux/x86_64/clone.S line 109


In io_read() msg->priv->io_data is NULL and it causes the crash when it gets dereferenced as there's no check. io_write() does not check as well. I haven't investigated it any further.

Comment 4 Emanuele Aina 2017-09-05 09:57:19 UTC

I also got a warning while running with G_DEBUG=fatal-warningsmore  which reinforces my suspects about the issue being more complex than just a missing NULL check:

(multipart-test:3710): libsoup-WARNING **: finished an item with state 10

(gdb) bt full

+ Trace 237930

#0 _g_log_abort
at /usr/src/packages/BUILD/./glib/gmessages.c line 487
#1 g_logv
at /usr/src/packages/BUILD/./glib/gmessages.c line 1296
#2 g_log
at /usr/src/packages/BUILD/./glib/gmessages.c line 1337
#3 soup_session_unqueue_item
at soup-session.c line 1482
#4 soup_session_process_queue_item
at soup-session.c line 2023
#5 soup_session_async_cancel_message
at soup-session-async.c line 132
#6 soup_session_cancel_message
at soup-session.c line 2451
#7 soup_session_real_flush_queue
at soup-session.c line 2476
#8 soup_session_abort
at soup-session.c line 2532
#9 soup_test_session_abort_unref
at test-utils.c line 273
#10 main
at multipart-test.c line 516

Comment 5 GNOME Infrastructure Team 2018-09-21 16:27:21 UTC

-- GitLab Migration Automatic Message --

This bug has been migrated to GNOME's GitLab instance and has been closed from further activity.

You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.gnome.org/GNOME/libsoup/issues/98.