URL:
  <http://gna.org/bugs/?21896>

                 Summary: "double free or corruption" after "Connect to
network game"
                 Project: Freeciv
            Submitted by: jtn
            Submitted on: Sun 06 Apr 2014 00:32:03 BST
                Category: client-gtk-2.0
                Severity: 3 - Normal
                Priority: 5 - Normal
                  Status: None
             Assigned to: None
        Originator Email: 
             Open/Closed: Open
                 Release: trunk r24748
         Discussion Lock: Any
        Operating System: GNU/Linux
         Planned Release: 2.6.0

    _______________________________________________________

Details:

Crash occurred on starting client and then activating the "Connect to network
game" button (by pressing Alt-O rather than clicking, if it makes a
difference).

It crashed once when I didn't catch a coredump. I was able to reproduce a
crash fairly readily, although it didn't happen every time.

The crash is in the metaserver thread, when it's writing "There is no newer
stable release of Freeciv available." to the 'message window' (which at this
point is I think a single status line). I wonder if it's insufficient thread
safety around the message window writing?

Crashing thread backtrace:


#0  0x00007f9890d61425 in __GI_raise (sig=<optimised out>)
    at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
        resultvar = 0
        pid = <optimised out>
        selftid = 3520
#1  0x00007f9890d64b8b in __GI_abort () at abort.c:91
        save_stage = 2
        act = {__sigaction_handler = {sa_handler = 0x4, sa_sigaction = 0x4},
          sa_mask = {__val = {5, 140293289850064, 31, 140293243032311, 1,
              140293241557201, 5, 140293243036555, 3, 140292931954798, 2,
              140293243032258, 1, 140293243041255, 3, 140292931954772}},
          sa_flags = 12, sa_restorer = 0x7f9890ea75eb}
        sigs = {__val = {32, 0 <repeats 15 times>}}
#2  0x00007f9890d9f39e in __libc_message (do_abort=2,
    fmt=0x7f9890ea9748 "*** glibc detected *** %s: %s: 0x%s ***\n")
    at ../sysdeps/unix/sysv/linux/libc_fatal.c:201
        ap = {{gp_offset = 40, fp_offset = 48,
            overflow_arg_area = 0x7f987e5fb1d0,
            reg_save_area = 0x7f987e5fb0e0}}
        ap_copy = {{gp_offset = 16, fp_offset = 48,
            overflow_arg_area = 0x7f987e5fb1d0,
            reg_save_area = 0x7f987e5fb0e0}}
        fd = 8
        on_2 = <optimised out>
        list = <optimised out>
        nlist = <optimised out>
        cp = <optimised out>
        written = <optimised out>
#3  0x00007f9890da9b96 in malloc_printerr (action=3,
    str=0x7f9890ea9938 "double free or corruption (fasttop)",
    ptr=<optimised out>) at malloc.c:5039
        buf = "00000000040b8130"
        cp = <optimised out>
#4  0x00007f9891c395ae in ?? ()
   from /usr/lib/x86_64-linux-gnu/libgtk-x11-2.0.so.0
No symbol table info available.
#5  0x00007f9891c19f80 in ?? ()
   from /usr/lib/x86_64-linux-gnu/libgtk-x11-2.0.so.0
No symbol table info available.
#6  0x00007f98910faca2 in g_closure_invoke ()
   from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
No symbol table info available.
#7  0x00007f989110bd71 in ?? ()
   from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
No symbol table info available.
#8  0x00007f9891114069 in g_signal_emit_valist ()
   from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
No symbol table info available.
#9  0x00007f9891114724 in g_signal_emit_by_name ()
   from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
No symbol table info available.
#10 0x00007f9891c3ed22 in ?? ()
   from /usr/lib/x86_64-linux-gnu/libgtk-x11-2.0.so.0
No symbol table info available.
#11 0x00007f98911024b3 in g_object_set_valist ()
   from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
No symbol table info available.
#12 0x00007f9891c2453a in gtk_text_buffer_create_tag ()
   from /usr/lib/x86_64-linux-gnu/libgtk-x11-2.0.so.0
No symbol table info available.
#13 0x00000000004d657e in apply_text_tag (ptag=0x7f98780147a0, buf=0x1ab8900,
    text_start_offset=166,
    text=0x7f987e5fbd40 "There is no newer stable release of Freeciv
available.") at chatline.c:778
        initalized = false
        start = {dummy1 = 0x7f987e5fbd40, dummy2 = 0x7f9891114212,
          dummy3 = 2013349888, dummy4 = 32664, dummy5 = 48, dummy6 = 48,
          dummy7 = 2120203296, dummy8 = 32664, dummy9 = 0x7f987e5fbb60,
          dummy10 = 0x10, dummy11 = -1837799047, dummy12 = 32664, dummy13 =
0,
          dummy14 = 0x7f987e5fbc20}
        stop = {dummy1 = 0x7f987e5fbd40, dummy2 = 0x36, dummy3 = 28681584,
          dummy4 = 0, dummy5 = 0, dummy6 = 0, dummy7 = 28681584, dummy8 = 0,
          dummy9 = 0x0, dummy10 = 0x7f9878012090, dummy11 = -1849493029,
          dummy12 = 32664, dummy13 = 67132224, dummy14 = 0x1ab8900}
#14 0x00000000004d6897 in real_output_window_append (
    astring=0x7f987e5fbd40 "There is no newer stable release of Freeciv
available.", tags=<optimised out>, conn_id=<optimised out>) at chatline.c:916
        ptag_iter = 0x0
        ptag = 0x7f98780147a0
        buf = 0x1ab8900
        iter = {dummy1 = 0x1b5a680, dummy2 = 0x7f9878012090, dummy3 = 54,
          dummy4 = 54, dummy5 = -1, dummy6 = -1, dummy7 = -2070561311,
          dummy8 = -764178481, dummy9 = 0x1b5a620, dummy10 = 0x1b5a960,
          dummy11 = 0, dummy12 = 0, dummy13 = 67132224,
          dummy14 = 0x7f9891c375d9}
        mark = 0x4005b40
        text_start_offset = 166
        __FUNCTION__ = "real_output_window_append"
#15 0x000000000047a39b in output_window_append (color=...,
    featured_text=<optimised out>) at chatline_common.c:95
        plain_text = "There is no newer stable release of Freeciv available.",
'\000' <repeats 11 times>, "\001", '\000' <repeats 14 times>"\377,
\377\377\377\060\000\000\000
\301_~\230\177\000\000`\300_~\230\177\000\000\240/\016\221\230\177\000\000\000\000\000\000\000\000\000\000\n",
'\000' <repeats 15 times>"\320, -\001x\230\177\000\000\003", '\000' <repeats
23 times>, "P", '\000' <repeats 15 times>, "t\212\225\223\230\177", '\000'
<repeats 11 times>,
"\004\000\000\000\000\000\000\220\276_~\230\177\000\000\000\334\306\067\377\177\000\000\300\351_~\230\177\000\000\000x\322S\255\025\203g\003",
'\000' <repeats 15 times>, "@B\001x\230\177\000\000\000\334"...
        tags = 0x7f9878014800
        __FUNCTION__ = "output_window_append"
#16 0x00000000004b9cb6 in parse_metaserver_data (f=<optimised out>)
    at servers.c:151
        my_comparable = 0x64a857 "2.5.99-dev"
        vertext = "There is no newer stable release of Freeciv
available.\000\000\200'\001x\230\177\000\000D\326_~\230\177\000\000\a\352א\230\177\000\000\350Dmw\000\000\000\000\060\000\000\000\060\000\000\000\340\324_~\230\177\000\000
\324_~\230\177", '\000' <repeats 11 times>,
"\r\267\223\230\177\000\000R\000\000\000\000\000\000\000G\000\000\000\000\000\000\000\064\000\000\000\000\000\000\000f\000\000\000\000\000\000\000\230AӐ\230\177",
'\000' <repeats 18 times>,
"0\271\262\223\230\177\000\000\360\264\264\223\230\177\000\000$\v@\223\230\177\000\000\370\271Ӑ\230\177\000\000\060\307?\223\230\177\000\000h\214Ӑ\230\177\000\000\360\264\264\223\230\177",
'\000' <repeats 11 times>, "\r\267\223\230\177\000\000"...
        file = 0x7f9878014240
        nservers = <optimised out>
        i = <optimised out>
        j = <optimised out>
        latest_ver = 0x7f9878003830 "2.4.2"
#17 meta_read_response (scan=0x4171930) at servers.c:240
        f = <optimised out>
        str =
"\000\000\000\000\000\000\000\000\215|D\223\230\177\000\000\001", '\000'
<repeats 23 times>"\215, |D\223\230\177\000\000\001", '\000' <repeats 23
times>"\215, |D\223\230\177\000\000\001", '\000' <repeats 23 times>, "
?\001x\230\177\000\000\001", '\000' <repeats 23 times>"\217,
\027D\223\230\177\000\000\001", '\000' <repeats 23 times>"\215,
|D\223\230\177\000\000\001", '\000' <repeats 23 times>"\215,
|D\223\230\177\000\000\001", '\000' <repeats 23 times>"\215,
|D\223\230\177\000\000\001", '\000' <repeats 23 times>"\215,
|D\223\230\177\000\000\001", '\000' <repeats 23 times>"\215, |D\223\230\177",
'\000' <repeats 26 times>, "`", '\000' <repeats 15 times>,
"\004\000\000\000\061\000\000\000[\000\000\000n\000\000\000w\000\000\000|\000\000\000\377"...
        srvrs = 0x0
#18 0x00000000004ba1ea in metaserver_scan (arg=0x4171930) at servers.c:294
        scan = 0x4171930
#19 0x000000000062611a in fc_thread_wrapper (arg=<optimised out>)
    at fcthread.c:40
        data = 0x4172200
#20 0x00007f9892096e9a in start_thread (arg=0x7f987e5fe700)
    at pthread_create.c:308
        __res = <optimised out>
        pd = 0x7f987e5fe700
        now = <optimised out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {0, -7639041312816059519,
                140734129167360, 140292931971520, 0, 3, 7695614758446214017,
                7695957373832178561}, mask_was_saved = 0}}, priv = {pad = {
              0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0,
              canceltype = 0}}}
        not_first_call = 0
        pagesize_m1 = <optimised out>
        sp = <optimised out>
        freesize = <optimised out>
        __PRETTY_FUNCTION__ = "start_thread"
#21 0x00007f9890e1f3fd in clone ()
    at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
No locals.
#22 0x0000000000000000 in ?? ()
No symbol table info available.


Here's what the other (main) thread is doing (this might shed light on the
state of the message window and its GtkTextBuffer, perhaps):


#0  0x00007f9890e13a43 in __GI___poll (fds=<optimised out>,
    nfds=<optimised out>, timeout=<optimised out>)
    at ../sysdeps/unix/sysv/linux/poll.c:87
        resultvar = <optimised out>
        oldtype = 0
        result = <optimised out>
#1  0x00007f989271aff6 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
No symbol table info available.
#2  0x00007f989271b45a in g_main_loop_run ()
   from /lib/x86_64-linux-gnu/libglib-2.0.so.0
No symbol table info available.
#3  0x00007f9891b892f7 in gtk_main ()
   from /usr/lib/x86_64-linux-gnu/libgtk-x11-2.0.so.0
No symbol table info available.
#4  0x000000000044f149 in ui_main (argc=1, argv=0x7fff37c6e3f8)
    at gui_main.c:1677
        home = <optimised out>
        sig = <optimised out>
        __FUNCTION__ = "ui_main"
#5  0x0000000000478ec2 in client_main (argc=1, argv=0x7fff37c6e3f8)
    at client_main.c:615
        i = 3
        loglevel = LOG_NORMAL
        ui_options = <optimised out>
        ui_separator = <optimised out>
        option = <optimised out>
        user_tileset = <optimised out>
        fatal_assertions = -1
        aii = <optimised out>
        __FUNCTION__ = "client_main"
#6  0x00007f9890d4c76d in __libc_start_main (main=0x44bea0 <main>, argc=3,
    ubp_av=0x7fff37c6e3f8, init=<optimised out>, fini=<optimised out>,
    rtld_fini=<optimised out>, stack_end=0x7fff37c6e3e8) at libc-start.c:226
        result = <optimised out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {0, -7639041312816059519,
                4505256, 140734129169392, 0, 0, 7638883336274881409,
                7695963261451152257}, mask_was_saved = 0}}, priv = {pad = {
              0x0, 0x0, 0x647850, 0x7fff37c6e3f8}, data = {prev = 0x0,
              cleanup = 0x0, canceltype = 6584400}}}
        not_first_call = <optimised out>
#7  0x000000000044bed1 in _start ()
No symbol table info available.
    _______________________________________________________

Reply to this item at:

  <http://gna.org/bugs/?21896>

_______________________________________________
  Message sent via/by Gna!
  http://gna.org/


_______________________________________________
Freeciv-dev mailing list
Freeciv-dev@gna.org
https://mail.gna.org/listinfo/freeciv-dev
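An added illustration of the thread-safety hypothesis in the report above (this is example code written for this page, not Freeciv's own code and not part of the original message). Frames #12 to #18 of the crashing backtrace show the metaserver thread calling straight into gtk_text_buffer_create_tag() via real_output_window_append(); GTK 2 widgets and text buffers may only be touched from the main loop thread, and the usual remedy is to hand the text to the main thread with g_idle_add() and do the buffer work in the idle callback. The block below models that hand-off without linking GTK: a worker thread (standing in for metaserver_scan()) either calls the UI routine directly, the unsafe pattern, or posts the line to a mutex-protected queue that the "main loop" drains on its own thread. ui_append(), post_to_ui(), drain_queue(), run_scenario() and the message queue are all assumptions made up for the example; ui_append() stands in for the GtkTextBuffer update and simply counts calls that arrive on the wrong thread instead of corrupting anything.

```c
/* Added example (not Freeciv code): marshal chat-line appends from a worker
 * thread onto the main thread through a locked queue, the way g_idle_add()
 * does, instead of calling the non-thread-safe UI code from the worker. */
#include <pthread.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_WORKERS 8

struct ui_msg { char text[128]; struct ui_msg *next; };

/* Queue shared between threads; every access happens under q_lock. */
static pthread_mutex_t q_lock = PTHREAD_MUTEX_INITIALIZER;
static pthread_cond_t q_cond = PTHREAD_COND_INITIALIZER;
static struct ui_msg *q_head, *q_tail;
static int q_live_workers;

/* "UI state": owned by the main thread only (stand-in for the GtkTextBuffer). */
static pthread_t main_thread;
static char chat_buffer[8192];
static int chat_lines;
static atomic_int cross_thread_writes;   /* counted instead of crashing */

/* Stand-in for real_output_window_append(): legal only on the main thread. */
static void ui_append(const char *text)
{
    if (!pthread_equal(pthread_self(), main_thread)) {
        cross_thread_writes++;           /* with real GTK this is the crash path */
        return;
    }
    size_t used = strlen(chat_buffer);
    if (used + strlen(text) + 2 > sizeof chat_buffer) return;   /* full: drop */
    snprintf(chat_buffer + used, sizeof chat_buffer - used, "%s\n", text);
    chat_lines++;
}

/* Worker side: queue the text for the main loop (the g_idle_add() pattern). */
static void post_to_ui(const char *text)
{
    struct ui_msg *m = calloc(1, sizeof *m);
    if (m == NULL) return;
    snprintf(m->text, sizeof m->text, "%s", text);
    pthread_mutex_lock(&q_lock);
    if (q_tail) q_tail->next = m; else q_head = m;
    q_tail = m;
    pthread_cond_signal(&q_cond);
    pthread_mutex_unlock(&q_lock);
}

/* Main-loop side: take the whole list under the lock, apply it unlocked. */
static void drain_queue(void)
{
    pthread_mutex_lock(&q_lock);
    struct ui_msg *m = q_head;
    q_head = q_tail = NULL;
    pthread_mutex_unlock(&q_lock);
    while (m) {
        struct ui_msg *next = m->next;
        ui_append(m->text);              /* now on the main thread */
        free(m);
        m = next;
    }
}

struct worker_arg { int count; bool direct; };

/* Stand-in for the metaserver thread. direct=true reproduces the unsafe
 * pattern (calling into the UI from the worker); false uses the queue. */
static void *metaserver_worker(void *arg)
{
    const struct worker_arg *wa = arg;
    const char *text = "There is no newer stable release of Freeciv available.";
    for (int i = 0; i < wa->count; i++) {
        if (wa->direct) ui_append(text);
        else post_to_ui(text);
    }
    pthread_mutex_lock(&q_lock);
    q_live_workers--;
    pthread_cond_signal(&q_cond);
    pthread_mutex_unlock(&q_lock);
    return NULL;
}

/* Runs nworkers threads posting count lines each and drains them on the
 * calling thread; returns the number of lines applied to chat_buffer. */
int run_scenario(int nworkers, int count, bool direct)
{
    pthread_t th[MAX_WORKERS];
    struct worker_arg wa = { count, direct };
    if (nworkers > MAX_WORKERS) nworkers = MAX_WORKERS;
    main_thread = pthread_self();
    chat_buffer[0] = '\0';
    chat_lines = 0;
    cross_thread_writes = 0;
    q_live_workers = nworkers;
    for (int i = 0; i < nworkers; i++)
        pthread_create(&th[i], NULL, metaserver_worker, &wa);
    for (;;) {                           /* the "gtk_main()" loop */
        pthread_mutex_lock(&q_lock);
        while (q_head == NULL && q_live_workers > 0)
            pthread_cond_wait(&q_cond, &q_lock);
        bool done = (q_head == NULL && q_live_workers == 0);
        pthread_mutex_unlock(&q_lock);
        if (done) break;
        drain_queue();
    }
    for (int i = 0; i < nworkers; i++)
        pthread_join(th[i], NULL);
    return chat_lines;
}

int cross_thread_write_count(void) { return cross_thread_writes; }

int main(void)
{
    int applied = run_scenario(4, 25, false);
    printf("queued: %d lines applied, %d cross-thread writes\n",
           applied, cross_thread_write_count());
    applied = run_scenario(4, 25, true);
    printf("direct: %d lines applied, %d cross-thread writes\n",
           applied, cross_thread_write_count());
    return 0;
}
```

With the queue, every line reaches chat_buffer on the main thread and no cross-thread call is recorded; in direct mode every call is flagged and nothing is applied, which is the situation the backtrace shows (a GTK text-buffer call made from the metaserver thread) minus the heap corruption. One caveat when reading the report: "double free or corruption (fasttop)" tells you glibc found an inconsistent fastbin, which is consistent with two threads racing on one heap object, but the backtrace alone does not identify which object or which allocation; moving the append onto the main thread removes the race regardless of which GtkTextBuffer internals it hit.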