GIT commit f50db552 "Revive CUPS_PRINTER_DISCOVERED for cupsEnumDests." causes libcups to segfault #5022

Closed
tillkamppeter opened this issue Jun 8, 2017 · 5 comments

Comments

@tillkamppeter

By bisecting the CUPS GIT repo I have found out that libcups segfaults from the above-mentioned commit on.

The command causing the segfault and used for the bisection tests is
lpstat -e
Other lpstat calls segfaulted on me, too.
In addition, with a faulty libcups, GNOME (of Ubuntu Zesty and Artful) also gets unstable and crashes from time to time.
A quick way to be able to log in with GNOME again is to re-install the libcups provided by the distro
sudo apt install --reinstall libcups2
from a text console.
The crashes also occurred when building an Ubuntu/Debian package from the current GIT snapshot of CUPS and installing it, to get the most correct CUPS installation for the Ubuntu environment. To get rid of the crashes one only needs to downgrade /usr/lib/x86_64-linux-gnu/libcups.so.2 to any version before the commit mentioned above.
So the problem seems to be in the changes of the above-mentioned commit.

@tillkamppeter
Author

tillkamppeter commented Jun 8, 2017

gdb output of the core file generated by the "lpstat -e" command with the faulty libcups (from exactly the mentioned commit):

till@till-x1carbon:~/printing/cups/tmp7/cups$ lpstat -e
Segmentation fault (core dumped)
till@till-x1carbon:~/printing/cups/tmp7/cups$ ll core*
-rw------- 1 till till 1417216 Jun  7 23:41 core
till@till-x1carbon:~/printing/cups/tmp7/cups$ gdb -c core /usr/bin/lpstat
GNU gdb (Ubuntu 7.99.90.20170502-0ubuntu1) 7.99.90.20170502-git
Copyright (C) 2017 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/bin/lpstat...(no debugging symbols found)...done.
[New LWP 2465]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by 'lpstat -e'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  __GI___pthread_mutex_lock (mutex=0x1b1) at ../nptl/pthread_mutex_lock.c:67
67	../nptl/pthread_mutex_lock.c: No such file or directory.
(gdb) bt
#0  __GI___pthread_mutex_lock (mutex=0x1b1) at ../nptl/pthread_mutex_lock.c:67
#1  0x00007f7d210e2047 in dbus_connection_get_is_connected ()
   from /lib/x86_64-linux-gnu/libdbus-1.so.3
#2  0x00007f7d2310f647 in avahi_client_is_connected ()
   from /usr/lib/x86_64-linux-gnu/libavahi-client.so.3
#3  0x00007f7d23113864 in avahi_record_browser_free ()
   from /usr/lib/x86_64-linux-gnu/libavahi-client.so.3
#4  0x00007f7d23eef04f in cups_dnssd_free_device (device=0x556e99c4f080, 
    data=<optimized out>) at dest.c:3128
#5  0x00007f7d23eed36d in cupsArrayDelete (a=0x556e99c405e0) at array.c:333
#6  0x00007f7d23ef20da in cupsEnumDests (flags=flags@entry=0, 
    msec=msec@entry=1000, cancel=cancel@entry=0x0, type=type@entry=0, 
    mask=mask@entry=0, cb=cb@entry=0x7f7d23ef1624 <cups_get_cb>, 
    user_data=0x7ffeffa3c3d8) at dest.c:1339
#7  0x00007f7d23ef2193 in cupsGetDests2 (http=0x0, dests=0x7ffeffa3cc90)
    at dest.c:2009
#8  0x0000556e98f818db in ?? ()
#9  0x00007f7d23b253f1 in __libc_start_main (main=0x556e98f81680, argc=2, 
    argv=0x7ffeffa3cdb8, init=<optimized out>, fini=<optimized out>, 
    rtld_fini=<optimized out>, stack_end=0x7ffeffa3cda8)
    at ../csu/libc-start.c:291
#10 0x0000556e98f823fa in ?? ()
(gdb) quit
till@till-x1carbon:~/printing/cups/tmp7/cups$

@michaelrsweet
Collaborator

Will investigate; Avahi's API is a lot more fragile than mDNSResponder so there might be a situation where we are double-freeing or doing something while Avahi is busy...

@tillkamppeter
Author

I have found a fix now, patch attached:
fix-cupsenumdests-segfault-issue-5022.patch.txt
The problem was the removal of the data.devices array, which contains Avahi records of the discovered printers. Freeing these arrays seems to need the Avahi browsers (and perhaps also the Avahi client) still present. So I moved the removal to before freeing the Avahi browsers/clients. I also had to move the label "enum_finished:" as the array is also created during enumerating the queues of the local CUPS daemon. As in this case there are no Avahi browsers/clients, I initialized the appropriate fields in the data structure to NULL and checked these before freeing the Avahi stuff, so as not to free something which was not created.
I have taken care of the conditionals and did equivalent steps for the HAVE_DNSSD case, but I tested only the HAVE_AVAHI case, neither HAVE_DNSSD nor no DNS-SD at all.
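
The teardown-order problem described in the comment above, as an added C example that is not part of the thread, the attached patch, or CUPS itself. The types and names (client_t, device_t, enum_data_t, run_case) are hypothetical stand-ins rather than the Avahi or CUPS API; the model counts a "late free" where real code would touch an already released client, so it runs without undefined behaviour.

```c
#include <stdlib.h>

/* Hypothetical stand-ins, not the Avahi or CUPS types. */
typedef struct { int browsers; } client_t;        /* owns the shared state */
typedef struct device_s { int has_browser; struct device_s *next; } device_t;
typedef struct {
  client_t *client;    /* NULL when discovery was never started */
  device_t *devices;   /* filled by local enumeration and by discovery */
  int late_frees;      /* browsers released after their client was gone */
} enum_data_t;

/* Element destructor: releasing a browser needs its client to be alive. */
static void free_devices(enum_data_t *d) {
  while (d->devices) {
    device_t *dev = d->devices;
    d->devices = dev->next;
    if (dev->has_browser) {
      if (d->client) d->client->browsers--;   /* valid: client still alive */
      else d->late_frees++;                   /* real code reads freed state */
    }
    free(dev);
  }
}

static void free_client(enum_data_t *d) {
  if (d->client) {          /* guard: local-only runs never created one */
    free(d->client);
    d->client = NULL;
  }
}

/* Build a result set, tear it down in the chosen order, report late frees. */
int run_case(int with_discovery, int ndevices, int devices_first) {
  enum_data_t d = { NULL, NULL, 0 };          /* fields start out NULL */
  if (with_discovery && !(d.client = calloc(1, sizeof(client_t)))) return -1;
  for (int i = 0; i < ndevices; i++) {
    device_t *dev = calloc(1, sizeof(device_t));
    if (!dev) break;
    dev->has_browser = d.client != NULL;
    if (d.client) d.client->browsers++;
    dev->next = d.devices;
    d.devices = dev;
  }
  if (devices_first) { free_devices(&d); free_client(&d); }
  else               { free_client(&d); free_devices(&d); }
  return d.late_frees;
}

int main(void) { return run_case(1, 3, 1); }  /* devices first: 0 late frees */
```

Calling run_case(1, 3, 0) frees the client first and reports three late frees, one per discovered device; the local-only case (with_discovery = 0) is clean in either order because the NULL-initialized client is never freed.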

@michaelrsweet
Collaborator

Looking at your proposed fix; might need some tweaking but looks reasonable on first glance...

@michaelrsweet
Collaborator

Tweaked and pushed...
