Issue with connman_agent_cancel() and null DBusMessage in dbus_message_get_type()

Thu, 08 Jan 2015 12:12:32 -0800 

Hi,

I am running into a problem where libdbus asserts
dbus_message_get_type() with message = 0.

It seems that when service disconnects due to a new service connecting
the connman_agent_cancel() gets called to clear all pending requests
to the agent.

This in turn calls agent_finalize_pending(agent, NULL).

And this in turn calls the pending->callback (request_browser_reply()
in this case), with NULL reply. This gets passed to
dbus_message_get_type() and libdbus asserts on it.

Stack:
#0  0xb6bf5448 in nanosleep () from /lib/libc.so.6
#1  0xb6ddbb60 in _dbus_sleep_milliseconds (milliseconds=<optimized out>)
    at dbus-sysdeps-unix.c:2814
#2  0xb6de16e0 in _dbus_abort () at dbus-sysdeps.c:88
#3  0xb6dcf7f8 in _dbus_warn_check_failed (
    format=0xb6dee000 "arguments to %s() were incorrect, assertion
\"%s\" failed in file %s line %d.\nThis is normally a bug in some
application using the D-Bus library.\n") at dbus-internals.c:275
#4  0xb6db9504 in dbus_message_get_type (message=0x0) at dbus-message.c:1724
#5  0x000443c8 in request_browser_reply ()
#6  0x00045c74 in agent_finalize_pending.clone ()
#7  0x00046694 in connman_agent_cancel ()
#8  0x0003f7a4 in __connman_service_disconnect ()
#9  0x00041864 in connect_service ()
#10 0x00078b18 in process_message.clone ()
#11 0x00079058 in generic_message ()
#12 0xb6dc19a8 in _dbus_object_tree_dispatch_and_unlock (tree=0x988f8,
    message=<optimized out>, found_object=<optimized out>)
    at dbus-object-tree.c:1018
#13 0xb6dab0d4 in dbus_connection_dispatch (connection=0xb0598)
    at dbus-connection.c:4718
#14 0x0007570c in message_dispatch ()
#15 0xb6e35edc in g_idle_dispatch () from /usr/lib/libglib-2.0.so.0
---Type <return> to continue, or q <return> to quit---
#16 0xb6e39b98 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#17 0xb6e39f10 in g_main_context_iterate.clone ()
   from /usr/lib/libglib-2.0.so.0
#18 0xb6e3a24c in g_main_loop_run () from /usr/lib/libglib-2.0.so.0
#19 0x0002fbd4 in main ()

Observation:
This and other cases throughout connman seem to depend that libdbus'
"fatal_warnings_on_check_failed" is set to FALSE, allowing NULL
pointers to be passed in to dbus_message_get_type() yielding
DBUS_MESSAGE_TYPE_INVALID. This is not the case for dbus-1.8.8 at
least.

- Juha

-- 
Duck tape is like the force, it has a light side and a dark side and
it holds the universe together.
_______________________________________________
connman mailing list
[email protected]
https://lists.connman.net/mailman/listinfo/connman

Reply via email to