segfaults in twitter_lib.c on non-XML responses

[gardnerm@…]

I'm consistently getting segfault crashes when connecting to Twitter. Here's what gdb has to say. Note that I'm a gdb newbie, if there are additional steps I should take please let me know.

gardnerm@gsi-14372-centos6 ~
$ sudo -u bitlbee gdb /usr/local/sbin/bitlbee
GNU gdb (GDB) Red Hat Enterprise Linux (7.2-50.el6)
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/local/sbin/bitlbee...done.
(gdb) run -nD
Starting program: /usr/local/sbin/bitlbee -nD

Program received signal SIGSEGV, Segmentation fault.
0x00000000004d744d in twitter_xt_get_users (node=0x0, txl=0x7c1bc0) at twitter_lib.c:434
434		for (child = node->children; child; child = child->next) {
Missing separate debuginfos, use: debuginfo-install glibc-2.12-1.47.el6_2.9.x86_64 gnutls-2.8.5-4.el6_2.2.x86_64 libgcrypt-1.4.5-9.el6_2.2.x86_64 libtasn1-2.3-3.el6_2.1.x86_64
(gdb) 

[gardnerm@…]

Sorry, forgot the backtrace:

gardnerm@gsi-14372-centos6 ~
$ sudo -u bitlbee gdb /usr/local/sbin/bitlbee
GNU gdb (GDB) Red Hat Enterprise Linux (7.2-50.el6)
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/local/sbin/bitlbee...done.
(gdb) run -nD
Starting program: /usr/local/sbin/bitlbee -nD

Program received signal SIGSEGV, Segmentation fault.
0x00000000004d744d in twitter_xt_get_users (node=0x0, txl=0x771130) at twitter_lib.c:434
434		for (child = node->children; child; child = child->next) {
Missing separate debuginfos, use: debuginfo-install glibc-2.12-1.47.el6_2.9.x86_64 gnutls-2.8.5-4.el6_2.2.x86_64 libgcrypt-1.4.5-9.el6_2.2.x86_64 libtasn1-2.3-3.el6_2.1.x86_64
(gdb) bt
#0  0x00000000004d744d in twitter_xt_get_users (node=0x0, txl=0x771130) at twitter_lib.c:434
#1  0x00000000004d71dc in twitter_http_get_users_lookup (req=0x7b5740) at twitter_lib.c:383
#2  0x0000000000440fd8 in http_incoming_data (data=0x7b5740, source=16, cond=B_EV_IO_READ) at http_client.c:495
#3  0x000000000043e998 in gaim_io_invoke (source=0x7b0020, condition=G_IO_IN, data=0x7b7630) at events_glib.c:88
#4  0x0000003815838f0e in g_main_dispatch (context=0x73c250) at gmain.c:1960
#5  IA__g_main_context_dispatch (context=0x73c250) at gmain.c:2513
#6  0x000000381583c938 in g_main_context_iterate (context=0x73c250, block=1, dispatch=1, self=<value optimized out>)
    at gmain.c:2591
#7  0x000000381583cd55 in IA__g_main_loop_run (loop=0x73c330) at gmain.c:2799
#8  0x000000000043e877 in b_main_run () at events_glib.c:64
#9  0x000000000043a66d in main (argc=2, argv=0x7fffffffe5a8) at unix.c:183
(gdb)

Also got a crash at a different point in twitter_lib.c:

gardnerm@gsi-14372-centos6 ~
$ sudo -u bitlbee gdb /usr/local/sbin/bitlbee
GNU gdb (GDB) Red Hat Enterprise Linux (7.2-50.el6)
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/local/sbin/bitlbee...done.
(gdb) run -nD
Starting program: /usr/local/sbin/bitlbee -nD

Program received signal SIGSEGV, Segmentation fault.
0x00000000004d7c7f in twitter_xt_get_status_list (ic=0x76f800, node=0x0, txl=0x770ed0) at twitter_lib.c:544
544		for (child = node->children; child; child = child->next) {
Missing separate debuginfos, use: debuginfo-install glibc-2.12-1.47.el6_2.9.x86_64 gnutls-2.8.5-4.el6_2.2.x86_64 libgcrypt-1.4.5-9.el6_2.2.x86_64 libtasn1-2.3-3.el6_2.1.x86_64
(gdb) bt
#0  0x00000000004d7c7f in twitter_xt_get_status_list (ic=0x76f800, node=0x0, txl=0x770ed0) at twitter_lib.c:544
#1  0x00000000004d9768 in twitter_http_get_home_timeline (req=0x8e5530) at twitter_lib.c:911
#2  0x0000000000440fd8 in http_incoming_data (data=0x8e5530, source=16, cond=B_EV_IO_READ) at http_client.c:495
#3  0x000000000043e998 in gaim_io_invoke (source=0x8e5d80, condition=G_IO_IN, data=0x8e7630) at events_glib.c:88
#4  0x0000003815838f0e in g_main_dispatch (context=0x73c250) at gmain.c:1960
#5  IA__g_main_context_dispatch (context=0x73c250) at gmain.c:2513
#6  0x000000381583c938 in g_main_context_iterate (context=0x73c250, block=1, dispatch=1, self=<value optimized out>)
    at gmain.c:2591
#7  0x000000381583cd55 in IA__g_main_loop_run (loop=0x73c330) at gmain.c:2799
#8  0x000000000043e877 in b_main_run () at events_glib.c:64
#9  0x000000000043a66d in main (argc=2, argv=0x7fffffffe5a8) at unix.c:183
(gdb)

[gardnerm@…]

meh had me produce the following debug output on IRC:

296		twitter_xt_get_friends_id_list(parser->root, txl);
(gdb) p *parser
$2 = {parser = 0x775ba0, root = 0x0, cur = 0x0, handlers = 0x0, data = 0x77f320, gerr = 0x7bef50}
(gdb) p *txl
$3 = {type = 0, next_cursor = 0, list = 0x0}
(gdb) p req->reply_body
$4 = 0x7a3b12 "\037\213\b"
(gdb) p *req
$5 = {request = 
    0x79ef40 "GET /1/friends/ids.xml?cursor=-1 HTTP/1.0\r\nHost: api.twitter.com\r\nUser-Agent: BitlBee 3.0.5 Linux/x86_64\r\nAuthorization: OAuth oauth_consumer_key=\"xsDNKJuNZYkZyMcu914uEA\", oauth_nonce=\"x6v1gPcPxuMJVSS"..., 
  request_length = 423, status_code = 200, status_string = 0x7bb060 "200 OK", reply_headers = 
    0x7a3520 "HTTP/1.1 200 OK\r\nDate: Wed, 02 May 2012 17:29:43 GMT\r\nStatus: 200 OK\r\nContent-Type: application/xml; charset=utf-8\r\nX-Runtime: 0.02026\r\nX-Frame-Options: SAMEORIGIN\r\nExpires: Tue, 31 Mar 1981 05:00:00 "..., 
  reply_body = 0x7a3b12 "\037\213\b", body_size = 1695, finished = 1, redir_ttl = 3, func = 
    0x4d6a69 <twitter_http_get_friends_ids>, data = 0x77f520, ssl = 0x0, fd = 16, inpa = 132, bytes_written = 423, 
  bytes_read = 3217}
(gdb)

[meh. <meh@…>]

​This is a temporary fix, I think the issue is in the http_client but I can't reproduce the issue myself.

[owenmarshall@…]

Is this possibly related to issue #944?

I'm seeing a similar crash on OS X Lion:

$ uname -a
Darwin owen-marshall.local 11.3.0 Darwin Kernel Version 11.3.0: Thu Jan 12 18:47:41 PST 2012; root:xnu-1699.24.23~1/RELEASE_X86_64 x86_64

Compile options:

./configure --debug=1 --prefix=~/local/ --config=~/local/etc --pidfile=~/local/var/bitlbee.pid --debug=1 --otr=1

libgcrypt version 1.5.0, libotr version 3.2.0, both installed with Homebrew.

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x0000000000000008
0x00000001000a7d42 in twitter_xt_get_status_list (ic=0x10042d190, node=0x0, txl=0x1004613e0) at twitter_lib.c:544
544             for (child = node->children; child; child = child->next) {
(gdb) bt
#0  0x00000001000a7d42 in twitter_xt_get_status_list (ic=0x10042d190, node=0x0, txl=0x1004613e0) at twitter_lib.c:544
#1  0x00000001000a91c6 in twitter_http_get_mentions (req=0x100463920) at twitter_lib.c:959
#2  0x000000010002dd1e in http_incoming_data (data=0x100463920, source=12, cond=B_EV_IO_READ) at http_client.c:495
#3  0x000000010002bb71 in gaim_io_invoke (source=0x100463d20, condition=G_IO_IN, data=0x100466710) at events_glib.c:88
#4  0x0000000100148068 in g_main_context_dispatch ()
#5  0x0000000100148655 in g_main_context_iterate ()
#6  0x00000001001489ff in g_main_loop_run ()
#7  0x000000010002bab3 in b_main_run () at events_glib.c:64
#8  0x00000001000288d3 in main (argc=4, argv=0x7fff5fbff448) at unix.c:183

This crash tends to occur within ~3-4 minutes of connecting & identifying. It's a rock-solid crasher, at the moment - it crashes almost every time.

The patch in comment #3 touches twitter_xt_get_status_list, so I'm going to apply it & see if my crash is reproducible.

[owenmarshall@…]

Replying to owenmarshall@…:

The patch in comment #3 touches twitter_xt_get_status_list, so I'm going to apply it & see if my crash is reproducible.

I tested this all day & haven't seen any crashes.

Let me know if you need any further debugging information - I can unpatch & help as needed.

[wilmer]

Ouch, I completely missed this one. :-(

What you show there is pretty weird. Almost like you have something on the way that mangles (or perhaps gzips) all responses even to clients that don't support it. Can we get full headers of that response?

[wilmer]

(Either way, I should import meh's patch in some way. Showing an error for malformed resposnes is obviously much better than crashing.)

[wilmer]

Sorry for the noise. Why do everything at once if I can do it in three steps... :-/

[wilmer]

Submitter/gardnerm, changeset:devel,924 should hopefully fix a whole bunch of these by the way. Could you try updating to what's in bzr now without the patch from this bug applied?

[wilmer]

I assume that this is fixed. Certainly the number of crashes on testing.bitlbee.org has gone down. Feel free to reopen if this is still a problem.