
Bug#540373: libc6: malloc.c, segmentation fault now and then


Bjarni Ingi Gislason

Aug 7, 2009, 11:20:13 AM
Package: libc6
Version: 2.7-18
Severity: normal

Description:

Segmentation fault now and then in ace-of-penguins/ace-canfield

kernel: lt-canfield[1653]: segfault at 64 ip b7d88a19 sp bfae197c error 4 in libc-2.7.so[b7d1e000+138000]

and ftp, if macro "$safn ." is used

macdef safn
dir $1 "| more"

kernel: ftp[1675]: segfault at 1f6b3 ip b7e34978 sp bf88d088 error 4 in libc-2.7.so[b7dca000+138000]

For ace-canfield:

Segmentation fault if max_undo == 100 now and then
sizeof(Undo) == 12

------Start of part of code-------

static void
stack_note_undo(Stack *src, int n, Stack *dest)
{
  if (doing_undo) return;
  if (num_undo >= max_undo)
    {
      max_undo += 50;
      /* debugging print added by the reporter; sizeof() yields size_t, so cast it for %d */
      fprintf(stderr, "max_undo = %d, sizeof(Undo) = %d\n", max_undo,
              (int) sizeof(Undo));
      /* if (max_undo == 100) mtrace(); */
      /* note: the result is assigned straight back, so a NULL return from
         realloc()/malloc() is not detected and the old pointer is lost */
      if (undo)
        undo = (Undo *)realloc(undo, max_undo * sizeof(Undo));
      else
        undo = (Undo *)malloc(max_undo * sizeof(Undo));
    }
  /*if (max_undo == 100) muntrace();*/

-------End of part of code--------

Dump with gdb without "fprintf(...)" and "mtrace()":

GNU gdb 6.8-debian
...

Program received signal SIGSEGV, Segmentation fault.
0xb7e9da19 in malloc_consolidate (av=0xb7f6e160) at malloc.c:4842
4842 malloc.c: No such file or directory.
in malloc.c
(gdb) bt full
#0 0xb7e9da19 in malloc_consolidate (av=0xb7f6e160) at malloc.c:4842
fb = (mfastbinptr *) 0xb7f6e178
maxfb = (mfastbinptr *) 0xb7f6e18c
p = (mchunkptr) 0x9ff4e58
nextp = (mchunkptr) 0x9ffac08
unsorted_bin = (mchunkptr) 0xb7f6e190
first_unsorted = <value optimized out>
nextchunk = (mchunkptr) 0x9ff4e88
size = 208
nextsize = 160
prevsize = <value optimized out>
bck = (mchunkptr) 0x53
fwd = (mchunkptr) 0x65
#1 0xb7e9f9a5 in _int_malloc (av=0xb7f6e160, bytes=1201) at malloc.c:4166
nb = 1208
idx = 74
bin = <value optimized out>
victim = <value optimized out>
size = <value optimized out>
victim_index = <value optimized out>
remainder = <value optimized out>
remainder_size = <value optimized out>
block = <value optimized out>
bit = <value optimized out>
map = <value optimized out>
fwd = <value optimized out>
bck = <value optimized out>
---Type <return> to continue, or q <return> to quit---
#2 0xb7ea0ecf in _int_realloc (av=0xb7f6e160, oldmem=0x9ff4f70, bytes=1200)
at malloc.c:4972
nextsize = <value optimized out>
nb = 1208
oldp = (mchunkptr) 0x9ff4f68
oldsize = 608
newp = <value optimized out>
newsize = 608
newmem = <value optimized out>
next = (mchunkptr) 0x9ff51c8
remainder = <value optimized out>
remainder_size = <value optimized out>
bck = <value optimized out>
fwd = <value optimized out>
copysize = <value optimized out>
ncopies = <value optimized out>
errstr = <value optimized out>
#3 0xb7ea1a6f in *__GI___libc_realloc (oldmem=0x9ff4f70, bytes=1200)
at malloc.c:3709
ar_ptr = (mstate) 0xb7f6e160
nb = 1208
oldp = (mchunkptr) 0x9ff4f68
oldsize = 608
newp = <value optimized out>
hook = <value optimized out>
#4 0xb80d063a in stack_note_undo (src=0x9ff4dc0, n=27, dest=0x9ff4e28)
at stack.c:592
---Type <return> to continue, or q <return> to quit---
No locals.
#5 0xb80d0404 in stack_flip_card (src=0x9ff4dc0, dest=0x9ff4e28)
at stack.c:557
No locals.
#6 0x08049766 in hand_to_talon () at canfield.c:263
No locals.
#7 0x08049ede in click (x=54, y=275, b=1) at canfield.c:460
c = 4
f = 1
cp = (Picture *) 0x0
#8 0xb80c9cfd in table_loop () at table.c:405
event = {type = ev_buttondown, x = 54, y = 275, w = 474, h = 540,
button = 1, shifts = 0, key = -1206979872, time = 20910024}
first_expose = 1
click_button = 1
#9 0x08048ea4 in main (argc=1, argv=0xbfaf7464) at canfield.c:60
No locals.

-----End without "fprintf(...)" and "mtrace()"--------

Dump from gdb with "mtrace" activated in code

GNU gdb 6.8-debian

max_undo = 50, sizeof(Undo) = 12
Base rank: 1
max_undo = 100, sizeof(Undo) = 12

Program received signal SIGSEGV, Segmentation fault.
0xb7d88a19 in malloc_consolidate (av=0xb7e59160) at malloc.c:4842
4842 malloc.c: No such file or directory.
in malloc.c
(gdb) bt full
#0 0xb7d88a19 in malloc_consolidate (av=0xb7e59160) at malloc.c:4842
fb = (mfastbinptr *) 0xb7e59178
maxfb = (mfastbinptr *) 0xb7e5918c
p = (mchunkptr) 0x8057e58
nextp = (mchunkptr) 0x0
unsorted_bin = (mchunkptr) 0xb7e59190
first_unsorted = <value optimized out>
nextchunk = (mchunkptr) 0x8057e88
size = 208
nextsize = 160
prevsize = <value optimized out>
bck = (mchunkptr) 0x77
fwd = (mchunkptr) 0x70
#1 0xb7d8a9a5 in _int_malloc (av=0xb7e59160, bytes=512) at malloc.c:4166
nb = 520
idx = 64
bin = <value optimized out>
victim = <value optimized out>
size = <value optimized out>
victim_index = <value optimized out>
remainder = <value optimized out>
remainder_size = <value optimized out>
block = <value optimized out>
bit = <value optimized out>
map = <value optimized out>
fwd = <value optimized out>
bck = <value optimized out>
---Type <return> to continue, or q <return> to quit---
#2 0xb7d8c586 in *__GI___libc_malloc (bytes=512) at malloc.c:3553
ar_ptr = (mstate) 0xb7e59160
victim = (void *) 0xbfe94fb1
hook = <value optimized out>
#3 0xb7d8e09c in mtrace () at mtrace.c:314
mallfile = <value optimized out>
added_atexit_handler = 0
#4 0xb7fbb6bd in stack_note_undo (src=0x8057dc0, n=28, dest=0x8057e28)
at stack.c:593
No locals.
#5 0xb7fbb474 in stack_flip_card (src=0x8057dc0, dest=0x8057e28)
at stack.c:558
No locals.
#6 0x08049766 in hand_to_talon () at canfield.c:263
No locals.
#7 0x08049ede in click (x=52, y=265, b=1) at canfield.c:460
c = 4
f = 1
cp = (Picture *) 0x0
#8 0xb7fb4d6d in table_loop () at table.c:405
event = {type = ev_buttondown, x = 52, y = 265, w = 474, h = 540,
button = 1, shifts = 0, key = -1208114464, time = 1799809}
first_expose = 1
click_button = 1
#9 0x08048ea4 in main (argc=1, argv=0xbfe92fe4) at canfield.c:60
No locals.

---End of dump for "mtrace()" activated-----

-- System Information:
Debian Release: 5.0.2
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i586)

Kernel: Linux 2.6.18d and Linux 2.6.26
Locale: LANG=is_IS, LC_CTYPE=is_IS (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/bash

Versions of packages libc6 depends on:
ii libgcc1 1:4.3.2-1.1 GCC support library

--
Bjarni I. Gislason

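The `stack_note_undo` fragment above grows its array with `realloc` and assigns the result straight back, so a failed `realloc` loses the old pointer, and nothing in the fragment ties the write index to the allocated size. The block below is an added example of the same growth pattern written defensively; it is not code from ace-of-penguins or from the bug report, and the names `UndoLog`, `undo_reserve`, `undo_push`, `undo_clear`, `undo_demo_cap` and the constructed 12-byte `Undo` payload are assumptions made for the illustration. It grows in steps of 50 like the reported code, checks the size multiplication for overflow, keeps the old block when `realloc` fails, and bounds-checks the index before every store.

```c
/* Added example (not ace-of-penguins code): the realloc-growth pattern of
 * stack_note_undo, written so that each failure mode is handled.
 * UndoLog, undo_reserve, undo_push and the Undo payload are assumed names. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed 12-byte payload, matching the sizeof(Undo) == 12 in the report. */
typedef struct {
    int32_t src;
    int32_t n;
    int32_t dest;
} Undo;

typedef struct {
    Undo *items;   /* heap array, NULL until first growth */
    size_t len;    /* entries in use */
    size_t cap;    /* entries allocated */
} UndoLog;

#define UNDO_GROW 50   /* same growth step as the reported code */

/* Make room for one more entry. Returns 0 on success, -1 on failure, and on
 * failure leaves the existing array untouched (no lost pointer, no leak). */
static int undo_reserve(UndoLog *log)
{
    if (log->len < log->cap)
        return 0;
    size_t new_cap = log->cap + UNDO_GROW;
    if (new_cap > SIZE_MAX / sizeof(Undo))   /* new_cap * sizeof(Undo) would overflow */
        return -1;
    Undo *tmp = realloc(log->items, new_cap * sizeof(Undo));  /* realloc(NULL, n) acts as malloc(n) */
    if (tmp == NULL)
        return -1;
    log->items = tmp;
    log->cap = new_cap;
    return 0;
}

/* Append one entry; the index is checked against cap right before the store,
 * so a stale counter cannot write past the block and damage heap metadata. */
int undo_push(UndoLog *log, int32_t src, int32_t n, int32_t dest)
{
    if (undo_reserve(log) != 0 || log->len >= log->cap)
        return -1;
    Undo *u = &log->items[log->len];
    u->src = src;
    u->n = n;
    u->dest = dest;
    log->len++;
    return 0;
}

void undo_clear(UndoLog *log)
{
    free(log->items);
    log->items = NULL;
    log->len = log->cap = 0;
}

/* Push `count` constructed entries across several growth steps and return the
 * final capacity (e.g. 120 entries -> 150: growth happens at 0, 50 and 100). */
size_t undo_demo_cap(size_t count)
{
    UndoLog log = { NULL, 0, 0 };
    for (size_t i = 0; i < count; i++)
        if (undo_push(&log, (int32_t)i, 1, (int32_t)i + 1) != 0)
            break;
    size_t cap = log.cap;
    undo_clear(&log);
    return cap;
}

int main(void)
{
    printf("capacity after 120 pushes: %zu\n", undo_demo_cap(120));  /* 150 */
    return 0;
}
```

Using a temporary for the `realloc` result is the part that matters most under memory pressure: with the reported form, a NULL return overwrites `undo`, the old 608-byte block leaks, and the next `undo[num_undo]` store dereferences NULL plus an offset instead of failing cleanly.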

Bjarni Ingi Gislason

Aug 9, 2009, 1:30:15 PM
Some more information about dump in ftp.

1) No dump if text is keyed in, instead of using the macro "$safn ...".
(only tested once)

2) Dump from an ftp daemon (server)

220-This is a Linux PC (Dell PE-2650, 2 CPUs P4/2800, 12 GB RAM)
220-running SuSE-Linux-8.2 with SuSE kernel 2.4.20-64GB-SMP.
220-/pub is ext3, a 2 TB Partition within a Transtec T6100F16R1
220-IDE/FC Raid array with 15+1 SATA disks Hitachi 240 GB Raid5
...
220 ftp.gwdg.de FTP server (Version wu-2.4.2-academ[BETA-18-em](1) Fri Apr 4 23:14:50 MEST 2003) ready.
...
230 Guest login ok, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd pub/rfc
...
ftp> $safn std*
dir std* "| more"
200 PORT command successful.
150 Opening ASCII mode data connection for /bin/ls.
*** glibc detected *** ftp: corrupted double-linked list: 0x09ceb050 ***
======= Backtrace: =========
/lib/libc.so.6[0xb7ed4845]
/lib/libc.so.6[0xb7ed4ae4]
/lib/libc.so.6[0xb7ed69a5]
/lib/libc.so.6(__libc_malloc+0x96)[0xb7ed8586]
/lib/libc.so.6(_obstack_newchunk+0x169)[0xb7edab99]
ftp[0x8052881]
ftp[0x804b991]
ftp[0x804f05f]
ftp[0x8054553]
/lib/libc.so.6(__libc_start_main+0xe5)[0xb7e80455]
ftp[0x8049b31]
======= Memory map: ========
08048000-08058000 r-xp 00000000 03:09 3043 /usr/bin/netkit-ftp
08058000-0805a000 rw-p 0000f000 03:09 3043 /usr/bin/netkit-ftp
0805a000-08067000 rw-p 0805a000 00:00 0
09cd9000-09cfa000 rw-p 09cd9000 00:00 0 [heap]
b7c00000-b7c21000 rw-p b7c00000 00:00 0
b7c21000-b7d00000 ---p b7c21000 00:00 0
b7db0000-b7dbc000 r-xp 00000000 03:03 15010 /lib/libgcc_s.so.1
b7dbc000-b7dbd000 rw-p 0000b000 03:03 15010 /lib/libgcc_s.so.1
b7dc2000-b7e17000 r--p 00000000 03:09 278583 /usr/lib/locale/locale-archive
b7e17000-b7e26000 r-xp 00000000 03:03 15174 /lib/libresolv-2.7.so
b7e26000-b7e28000 rw-p 0000e000 03:03 15174 /lib/libresolv-2.7.so
b7e28000-b7e2a000 rw-p b7e28000 00:00 0
b7e2a000-b7e2e000 r-xp 00000000 03:03 15162 /lib/libnss_dns-2.7.so
b7e2e000-b7e30000 rw-p 00003000 03:03 15162 /lib/libnss_dns-2.7.so
b7e30000-b7e38000 r-xp 00000000 03:03 15165 /lib/libnss_nis-2.7.so
b7e38000-b7e3a000 rw-p 00007000 03:03 15165 /lib/libnss_nis-2.7.so
b7e3a000-b7e4d000 r-xp 00000000 03:03 15156 /lib/libnsl-2.7.so
b7e4d000-b7e4f000 rw-p 00012000 03:03 15156 /lib/libnsl-2.7.so
b7e4f000-b7e51000 rw-p b7e4f000 00:00 0
b7e51000-b7e58000 r-xp 00000000 03:03 15158 /lib/libnss_compat-2.7.so
b7e58000-b7e5a000 rw-p 00006000 03:03 15158 /lib/libnss_compat-2.7.so
b7e5a000-b7e63000 r-xp 00000000 03:03 15163 /lib/libnss_files-2.7.so
b7e63000-b7e65000 rw-p 00008000 03:03 15163 /lib/libnss_files-2.7.so
b7e65000-b7e66000 rw-p b7e65000 00:00 0
b7e66000-b7e68000 r-xp 00000000 03:03 15149 /lib/libdl-2.7.so
b7e68000-b7e6a000 rw-p 00001000 03:03 15149 /lib/libdl-2.7.so
b7e6a000-b7fa2000 r-xp 00000000 03:03 15045 /lib/libc-2.7.so
b7fa2000-b7fa3000 r--p 00138000 03:03 15045 /lib/libc-2.7.so
b7fa3000-b7fa5000 rw-p 00139000 03:03 15045 /lib/libc-2.7.so
b7fa5000-b7fa9000 rw-p b7fa5000 00:00 0
b7fa9000-b7fd8000 r-xp 00000000 03:03 15136 /lib/libncurses.so.5.7
b7fd8000-b7fdb000 rw-p 0002f000 03:03 15136 /lib/libncurses.so.5.7
b7fdb000-b8008000 r-xp 00000000 03:03 15087 /lib/libreadline.so.5.2
b8008000-b800c000 rw-p 0002d000 03:03 15087 /lib/libreadline.so.5.2
b800c000-b800d000 rw-p b800c000 00:00 0
b800e000-b8013000 rw-p b800e000 00:00 0
b8013000-b8014000 r-xp b8013000 00:00 0 [vdso]
b8014000-b802e000 r-xp 00000000 03:03 13901 /lib/ld-2.7.so
b802e000-b8030000 rw-p 0001a000 03:03 13901 /lib/ld-2.7.so
bfb1a000-bfb2f000 rw-p bffeb000 00:00 0 [stack]
Abort

Aurelien Jarno

Aug 9, 2009, 3:10:06 PM
On Sun, Aug 09, 2009 at 05:22:27PM +0000, Bjarni Ingi Gislason wrote:
> Some more information about dump in ftp.
>
> 1) No dump if text is keyed in, instead of using the macro "$safn ...".
> (only tested once)

Is the problem always reproducible?

> 2) Dump from a ftp daemon (server)
>
> 220-This is a Linux PC (Dell PE-2650, 2 CPUs P4/2800, 12 GB RAM)
> 220-running SuSE-Linux-8.2 with SuSE kernel 2.4.20-64GB-SMP.
> 220-/pub is ext3, a 2 TB Partition within a Transtec T6100F16R1
> 220-IDE/FC Raid array with 15+1 SATA disks Hitachi 240 GB Raid5
> ...
> 220 ftp.gwdg.de FTP server (Version wu-2.4.2-academ[BETA-18-em](1) Fri Apr 4 23:14:50 MEST 2003) ready.
> ...
> 230 Guest login ok, access restrictions apply.
> Remote system type is UNIX.
> Using binary mode to transfer files.
> ftp> cd pub/rfc
> ...
> ftp> $safn std*
> dir std* "| more"
> 200 PORT command successful.
> 150 Opening ASCII mode data connection for /bin/ls.
> *** glibc detected *** ftp: corrupted double-linked list: 0x09ceb050 ***

This sounds like a bug in the ftp package.

--
Aurelien Jarno GPG: 1024D/F1BCDB73
aure...@aurel32.net http://www.aurel32.net

Bjarni Ingi Gislason

Aug 12, 2009, 1:30:18 PM
On 9 August 2009, Aurelien Jarno wrote:

> On Sun, Aug 09, 2009 at 05:22:27PM +0000, Bjarni Ingi Gislason wrote:
> > Some more information about dump in ftp.
> >
> > 1) No dump if text is keyed in, instead of using the macro "$safn ...".
> > (only tested once)
>
> Is the problem always reproducible?
>

No, but I found a solution, see next item.

...


> > dir std* "| more"
> > 200 PORT command successful.
> > 150 Opening ASCII mode data connection for /bin/ls.
> > *** glibc detected *** ftp: corrupted double-linked list: 0x09ceb050 ***
>
> This sounds like a bug in the ftp package.
>

Thanks for the tip. This bug has been reported for the ftp package.
Bug #508378 explains the situation. One then only needs to add enough
spaces to the definition of the macro, in my case 2 spaces after the
first word, to get it working.

I think I should report the segmentation fault from "ace-of-penguins"
to that package.

There are still issues with "malloc.c" on my mind.

1) The libc6-dbg package should not be compiled with the -O option (see
"<value optimized out>" in a backtrace). Use that library only for the
program to be tested (e.g.

env LD_LIBRARY_PATH=/usr/lib/debug <program(s) ...>.

or add the name after ".../debug" if the variable exists.

Put that in a file and source the file. Repeating is thus simple.

Such information could be in a README file (now absent) with some
references about debugging.

2) The segmentation fault is in the "unlink(nextchunk, bck, fwd)"
function, but it is a "#define". Therefore no backtrace???

Maybe a compile dependent version of "unlink" should be used if
debugging information is created (option -g).

3) Even a "malloc(512)" can cause a segmentation fault (example with
"mtrace()", line 314: malloc (TRACE_BUFFER_SIZE) ).

4) Errors (warnings) could be better phrased for novices

Suggestion: Instead of

*** glibc detected *** ftp: corrupted double-linked list: 0x09ceb050 ***

use e.g.

*** glibc detected invalid data from ftp: ...

Generally state with a sentence (if known):

1) Who is reporting

2) What is done

3) Why is it done (cause of problem)

4) Who is the culprit

--
Bjarni I. Gislason
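Points 2 and 3 above describe the same effect from two sides: both backtraces die inside `malloc_consolidate` while unlinking a chunk whose `bck` (0x53, 0x77) and `fwd` (0x65, 0x70) fields hold small printable-ASCII values rather than heap addresses, which is consistent with chunk metadata that was overwritten by text from a neighbouring buffer. The allocator only notices when it next walks that chunk, which is why a harmless `malloc(512)` from `mtrace()` crashes and why the backtrace names the victim, not the culprit. One way to move detection to the point of the write is to surround each allocation with guard bytes and check them. The block below is an added example for that, not glibc or netkit-ftp code; `guard_malloc`, `guard_check`, `guard_free` and `demo_overrun` are assumed names, and the overrun in `demo_overrun` is constructed and confined to the guarded block so the program stays well-defined.

```c
/* Added example (not glibc or netkit-ftp code): guard bytes around each
 * allocation so an overrun is caught where it happens rather than later
 * inside malloc. guard_malloc, guard_check, guard_free and demo_overrun are
 * assumed names; the overrun in demo_overrun is constructed and confined to
 * the guarded block. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define GUARD_LEN  16
#define GUARD_BYTE 0xA5

/* Layout of one guarded block: [GuardHdr][user bytes][GUARD_LEN tail guard]
 * The header carries the user size and the front guard. */
typedef struct {
    size_t size;
    unsigned char front[GUARD_LEN];
} GuardHdr;

void *guard_malloc(size_t size)
{
    GuardHdr *h = malloc(sizeof *h + size + GUARD_LEN);
    if (h == NULL)
        return NULL;
    h->size = size;
    memset(h->front, GUARD_BYTE, GUARD_LEN);
    unsigned char *user = (unsigned char *)(h + 1);
    memset(user + size, GUARD_BYTE, GUARD_LEN);
    return user;
}

/* Returns 0 if both guards are intact, otherwise the number of guard bytes
 * that no longer hold GUARD_BYTE (an underrun hits front, an overrun hits tail). */
int guard_check(const void *p)
{
    const GuardHdr *h = (const GuardHdr *)p - 1;
    const unsigned char *user = p;
    int bad = 0;
    for (size_t i = 0; i < GUARD_LEN; i++) {
        if (h->front[i] != GUARD_BYTE)
            bad++;
        if (user[h->size + i] != GUARD_BYTE)
            bad++;
    }
    return bad;
}

void guard_free(void *p)
{
    if (p != NULL)
        free((GuardHdr *)p - 1);
}

/* Copy `text` into a guarded buffer of `buf_size` bytes the way a program that
 * sized its buffer too small would, then check the guards. The copy is capped
 * at the guard boundary so the example never writes outside its own block.
 * Returns the number of clobbered guard bytes (0 means the text fit). */
int demo_overrun(size_t buf_size, const char *text)
{
    char *buf = guard_malloc(buf_size);
    if (buf == NULL)
        return -1;
    size_t n = strlen(text) + 1;            /* includes the terminating NUL */
    if (n > buf_size + GUARD_LEN)
        n = buf_size + GUARD_LEN;
    memcpy(buf, text, n);                   /* runs past buf_size when text is longer */
    int bad = guard_check(buf);
    if (bad)
        fprintf(stderr, "overrun of %zu-byte buffer at %p: %d guard byte(s) clobbered\n",
                buf_size, (void *)buf, bad);
    guard_free(buf);
    return bad;
}

int main(void)
{
    printf("fits: %d\n", demo_overrun(8, "Segment"));          /* 0 */
    printf("overrun: %d\n", demo_overrun(8, "Segmentation"));  /* 5 */
    return 0;
}
```

Calling `guard_check` right after each suspect write (or from `guard_free`) reports the buffer and the call site that damaged it, which is the information the `unlink` crash cannot give. The user pointer is aligned only to `alignof(size_t)`, so this wrapper suits byte and word buffers; glibc's own `MALLOC_CHECK_=3` environment variable gives a coarser built-in check that aborts at the next allocator call rather than at the write.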

Bjarni Ingi Gislason

Jun 24, 2022, 6:10:03 PM
This bug report is too old to be kept.

--
Bjarni I. Gislason