Open BenWiederhake opened 8 years ago
Added a few debug messages. Only the arrows are added afterwards:
(14:45:03) prpl-telegram: Begin tgl_free_all
(14:45:03) prpl-telegram: freeing TLS->message_tree
(14:45:03) prpl-telegram: freeing message at 0x55555673c540
(14:45:03) prpl-telegram: freeing message at 0x555556715bc0
(14:45:03) prpl-telegram: freeing message at 0x55555673c250
(14:45:03) prpl-telegram: freeing message at 0x55555673bb30
(14:45:03) prpl-telegram: freeing message at 0x55555673b640
(14:45:03) prpl-telegram: freeing message at 0x555556715950
(14:45:03) prpl-telegram: freeing message at 0x55555685dc00 <---------
(14:45:03) prpl-telegram: freeing message at 0x5555566f1250
(14:45:03) prpl-telegram: freeing message at 0x5555566c7690
(14:45:03) prpl-telegram: freeing message at 0x55555673c3c0
[SNIP]
(14:45:03) prpl-telegram: freeing message at 0x5555566f0910
(14:45:03) prpl-telegram: freeing message at 0x55555673d7e0
(14:45:03) prpl-telegram: freeing message at 0x555556715a70
(14:45:03) prpl-telegram: freeing message at 0x5555566e5af0
(14:45:03) prpl-telegram: freeing message at 0x5555566f0c00
(14:45:03) prpl-telegram: freeing TLS->message_unsent_tree
(14:45:03) prpl-telegram: freeing message at 0x55555685dc00 <---------
So in the event of a network failure (which is momentarily happening quite often as Telegram has a few issues), a message is not properly moved from the message_unsent_tree to the message_tree.
It seems to be caused in bl_do_edit:
(17:11:16) prpl-telegram: begin bl_do_edit_message
(17:11:16) prpl-telegram: bl_do_edit_message: flags=0x00014303
(17:11:16) prpl-telegram: tglm_message_alloc M=0x55c8b0d41bc0
(17:11:16) prpl-telegram: tglm_message_insert_tree(M=0x55c8b0d41bc0)
(17:11:16) prpl-telegram: bl_do_edit_message: M->flags=0x00000000
(17:11:16) prpl-telegram: bl_do_edit_message: **NOT** removing unsent
(17:11:16) prpl-telegram: bl_do_edit_message: inserting as normal message
(17:11:16) prpl-telegram: end bl_do_edit_message
[...]
(17:11:20) prpl-telegram: tgprpl_close()
(17:11:20) prpl-telegram: Begin tgl_free_all
(17:11:20) prpl-telegram: freeing TLS->message_tree
(17:11:20) prpl-telegram: freeing message at 0x55c8b0c264a0
(17:11:20) prpl-telegram: freeing message at 0x55c8b0bfb180
(17:11:20) prpl-telegram: freeing message at 0x55c8b0c25d80
(17:11:20) prpl-telegram: freeing message at 0x55c8b0c24bb0
(17:11:20) prpl-telegram: freeing message at 0x55c8b0c24040
(17:11:20) prpl-telegram: freeing message at 0x55c8b0d41bc0 <----------
(17:11:20) prpl-telegram: freeing message at 0x55c8b0bfadf0
(17:11:20) prpl-telegram: freeing message at 0x55c8b0c23cb0
[...]
(17:11:20) prpl-telegram: freeing message at 0x55c8b0bd6ac0
(17:11:20) prpl-telegram: freeing message at 0x55c8b0c22e60
(17:11:20) prpl-telegram: freeing TLS->message_unsent_tree
(17:11:20) prpl-telegram: freeing message at 0x55c8b0d41bc0 <----------
*** Error in `pidgin': double free or corruption (!prev): 0x000055c8b0d41bc0 ***
Aborted (core dumped)
So there's a message in both messages_tree and messages_unsent_tree. Compared with a "normal" execution, this seems to be business as usual:
(17:17:33) prpl-telegram: begin bl_do_edit_message
(17:17:33) prpl-telegram: bl_do_edit_message: flags=0x00014303
(17:17:33) prpl-telegram: tglm_message_alloc M=0x5582941b2d20
(17:17:33) prpl-telegram: tglm_message_insert_tree(M=0x5582941b2d20)
(17:17:33) prpl-telegram: bl_do_edit_message: M->flags=0x00000000
(17:17:33) prpl-telegram: bl_do_edit_message: **NOT** removing unsent
(17:17:33) prpl-telegram: bl_do_edit_message: inserting as normal message
(17:17:33) prpl-telegram: end bl_do_edit_message
(17:17:33) prpl-telegram: Sent query #6273431346611120128 of size 56 to DC 2
(17:17:33) prpl-telegram: tglm_message_insert_tree(M=0x5582941b2d20)
(17:17:33) prpl-telegram: begin bl_do_edit_message
(17:17:33) prpl-telegram: bl_do_edit_message: flags=0x00004103
(17:17:33) prpl-telegram: bl_do_edit_message: M->flags=0x00004103
(17:17:33) prpl-telegram: bl_do_edit_message: **NOT** removing unsent
(17:17:33) prpl-telegram: bl_do_edit_message: **NOT** inserting as normal message
(17:17:33) prpl-telegram: end bl_do_edit_message
(17:17:33) prpl-telegram: sending all pending recipes
(17:17:33) prpl-telegram: tgl_do_mark_read (115630664)
(17:17:33) prpl-telegram: Sent query #6273431346869932032 of size 28 to DC 2
(17:17:33) prpl-telegram: wrote state file: wpts=70999 wqts=0 wseq=102 wdate=1460647037
(17:17:33) prpl-telegram: wrote secret chat file: 0 chats written.
(17:17:38) prpl-telegram: update 0x1bfbd823 (check=0)
(17:17:39) prpl-telegram: tgprpl_close()
(17:17:39) prpl-telegram: Begin tgl_free_all
(17:17:39) prpl-telegram: freeing TLS->message_tree
(17:17:39) prpl-telegram: freeing message at 0x5582943903d0
(17:17:39) prpl-telegram: freeing message at 0x558294374f70
(17:17:39) prpl-telegram: freeing message at 0x55829438fcb0
(17:17:39) prpl-telegram: freeing message at 0x55829438eab0
(17:17:39) prpl-telegram: freeing message at 0x5582941b2d20 <----------
[...]
(17:17:39) prpl-telegram: freeing message at 0x55829438bce0
(17:17:39) prpl-telegram: freeing TLS->message_unsent_tree
user@machine:~/telegram-purple$
However, tgl_free_all is not aware of this duplicity, meaning it tries to free the messages again.
One could make a dirty workaround where tgl_free_all not only frees each message in messages_tree, but also removes it from messages_unsent_tree (... before freeing the message, obviously).
However, I'd rather fix the underlying logic. But in order to do so, I'd need to know what the intended behavior is, and what the lifecycle of a message is supposed to be. Help? @majn
Steps to reproduce:
Expected behavior: Not a crash
Actual behavior and gdb backtrace:
Thus, structures.c:2471 tries to free a message in TLS->message_unsent_tree that already was freed. Note that this bug was discovered in https://github.com/majn/tgl/commit/bec66c25d52368695e10625f956de5250a2d836d , but there have been no changes to TLS->message_unsent_tree since then.