Bugs item #1692546, was opened at 2007-04-01 14:21
Message generated for change (Comment added) made by sf-robot
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100235&aid=1692546&group_id=235

Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: None
Group: None
>Status: Closed
Resolution: None
Priority: 5
Private: No
Submitted By: Tasci Synx (synx13)
Assigned to: Nathan Walp (faceprint)
Summary: Memory corruption when getting Jabber User Info

Initial Comment:
With the latest SVN of gaim as of today, I can reproduce a hideous crash simply by logging into a jabber account, then requesting the User Info of one of my buddies. Only with Jabber, requesting the User Info causes gaim to free an invalid pointer, causing it to crash immediately without a stack trace.

Valgrind to the rescue, it reveals that there is a spot in libgaim/jabber/buddy.c that is freeing an invalid pointer. Only trouble is... the pointer is valid! I printed out the result of g_strdup that assigns the ID, and then the pointer to be freed, and their addresses and values were identical. I'm fairly sure g_strdup always returns a pointer that may be used in g_free.

The problem is in libgaim/jabber/buddy.c on line 736, far as I can tell. I'll attach my valgrind log (memcheck full) during a session where I caused this crash. I have a hunch the problem isn't here at all, but instead somewhere else where memory gets corrupted, and only on line 736 does the awful deed come to light. Line 736 is ALWAYS reached by a pointer that can be freed, as I found when adding a

    gaim_debug_log("jabber","ID Remove %p:%s",l->data,l->data);

around that g_free statement. Yet somehow glibc and valgrind both claim that an invalid pointer is being freed. A very puzzling problem.

I should add that beta 6 does NOT have this problem. I can read the user infos just fine. In fact I haven't noticed this crash in SVN since at least last week, but I can't back that up. Anyone who knows the SVN version of beta 6 can attach a diff here if they so please.

...ok, final note: I can't attach my valgrind log since sourceforge thinks it's too big to attach. Try getting it from http://synx.us.to/valgrind.log

----------------------------------------------------------------------

>Comment By: SourceForge Robot (sf-robot)
Date: 2007-04-17 19:20

Message:
Logged In: YES
user_id=1312539
Originator: NO

This Tracker item was closed automatically by the system. It was previously set to a Pending status, and the original submitter did not respond within 14 days (the time period specified by the administrator of this Tracker).

----------------------------------------------------------------------

Comment By: Nathan Walp (faceprint)
Date: 2007-04-02 21:53

Message:
Logged In: YES
user_id=17471
Originator: NO

This was fixed in SVN. The code now looks like:

    if(!strcmp(id, l->data)) {
        gpointer tmp = l->data;
        jbi->ids = g_slist_remove(jbi->ids, l->data); // current line 736
        g_free(tmp);
        return;
    }

----------------------------------------------------------------------

Comment By: Ka-Hing Cheung (bsponline)
Date: 2007-04-01 16:38

Message:
Logged In: YES
user_id=159910
Originator: NO

duplicate of 1676403, but this one has a link to a valgrind trace...

----------------------------------------------------------------------

_______________________________________________
Gaim-bugs mailing list
Gaim-bugs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/gaim-bugs
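
The fix quoted in Nathan Walp's comment copies l->data into tmp before calling g_slist_remove, because g_slist_remove frees the list node l itself, so l->data can no longer be read once it returns. The same order of operations as an added example (not gaim's code), using a constructed minimal list in place of GSList; node, list_prepend, list_remove and remove_id are hypothetical names:

```c
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for GSList: just enough to show the ownership rule. */
typedef struct node { void *data; struct node *next; } node;

static node *list_prepend(node *head, const char *s) {
    node *n = malloc(sizeof *n);
    char *copy = malloc(strlen(s) + 1); /* heap copy, as g_strdup() would make */
    if (!n || !copy) abort();
    strcpy(copy, s);
    n->data = copy;
    n->next = head;
    return n;
}

/* Like g_slist_remove(): unlinks and frees the first node holding `data`,
 * but never frees the data itself. */
static node *list_remove(node *head, const void *data) {
    for (node **pp = &head; *pp; pp = &(*pp)->next) {
        if ((*pp)->data == data) {
            node *dead = *pp;
            *pp = dead->next;
            free(dead);
            break;
        }
    }
    return head;
}

/* Same order of operations as the fixed loop. Returns 1 if `id` was removed. */
static int remove_id(node **ids, const char *id) {
    for (node *l = *ids; l; l = l->next) {
        if (!strcmp(id, l->data)) {
            void *tmp = l->data;               /* read while node l still exists */
            *ids = list_remove(*ids, l->data); /* node l is freed inside this call */
            free(tmp);                         /* l->data must not be read here */
            return 1;
        }
    }
    return 0;
}

int main(void) {
    node *ids = list_prepend(list_prepend(NULL, "id-1"), "id-2"); /* constructed ids */
    int ok = remove_id(&ids, "id-1") && !remove_id(&ids, "id-1");
    ok = remove_id(&ids, "id-2") && ok;
    return (ok && ids == NULL) ? 0 : 1;
}
```

Building this with -fsanitize=address, or running it under valgrind as the submitter did, reports no invalid free or read for this ordering.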