Bug#567711: autogen: free(): invalid pointer in testsuite

2010-02-01 Thread Kurt Roeckx
On Sun, Jan 31, 2010 at 02:38:55PM -0800, Bruce Korb wrote:
 
 That value is obtained from ao_string_tokenize( pczOptStr );
 Memory management structures have become corrupt.
 In chasing this a bit, I did discover a bug I introduced:
 This assert became obsolete in longOptionFind():
[...]
 If this fixes the problem, I'll be a happy camper and not chase it any more.  :)

That doesn't change anything.

Running this in valgrind shows this:

==6465== Memcheck, a memory error detector
==6465== Copyright (C) 2002-2009, and GNU GPL'd, by Julian Seward et al.
==6465== Using Valgrind-3.5.0-Debian and LibVEX; rerun with -h for copyright info
==6465== Command: ../rc -t xxx MUMBLE
==6465== 
==6465== Invalid write of size 1
==6465==    at 0x4048E8: ao_string_tokenize (tokenize.c:278)
==6465==    by 0x40A435: doEnvPresets (environment.c:64)
==6465==    by 0x40B680: optionProcess (autoopts.c:907)
==6465==    by 0x401DA2: main (rc.c:299)
==6465==  Address 0x5f97069 is 0 bytes after a block of size 41 alloc'd
==6465==    at 0x4C221A7: malloc (vg_replace_malloc.c:195)
==6465==    by 0x4047B8: ao_malloc (autoopts.c:61)
==6465==    by 0x40487C: ao_string_tokenize (tokenize.c:220)
==6465==    by 0x40A435: doEnvPresets (environment.c:64)
==6465==    by 0x40B680: optionProcess (autoopts.c:907)
==6465==    by 0x401DA2: main (rc.c:299)
==6465== 
==6465== Invalid read of size 1
==6465==    at 0x4C22ED4: index (mc_replace_strmem.c:141)
==6465==    by 0x4038CA: longOptionFind (autoopts.c:266)
==6465==    by 0x4040FC: nextOption (autoopts.c:573)
==6465==    by 0x404384: doImmediateOpts (autoopts.c:814)
==6465==    by 0x40A5F7: doEnvPresets (environment.c:90)
==6465==    by 0x40B680: optionProcess (autoopts.c:907)
==6465==    by 0x401DA2: main (rc.c:299)
==6465==  Address 0x5f97069 is 0 bytes after a block of size 41 alloc'd
==6465==    at 0x4C221A7: malloc (vg_replace_malloc.c:195)
==6465==    by 0x4047B8: ao_malloc (autoopts.c:61)
==6465==    by 0x40487C: ao_string_tokenize (tokenize.c:220)
==6465==    by 0x40A435: doEnvPresets (environment.c:64)
==6465==    by 0x40B680: optionProcess (autoopts.c:907)
==6465==    by 0x401DA2: main (rc.c:299)
==6465== 
==6465== Invalid read of size 1
==6465==    at 0x4C23234: strlen (mc_replace_strmem.c:275)
==6465==    by 0x4038F6: longOptionFind (autoopts.c:288)
==6465==    by 0x4040FC: nextOption (autoopts.c:573)
==6465==    by 0x404384: doImmediateOpts (autoopts.c:814)
==6465==    by 0x40A5F7: doEnvPresets (environment.c:90)
==6465==    by 0x40B680: optionProcess (autoopts.c:907)
==6465==    by 0x401DA2: main (rc.c:299)
==6465==  Address 0x5f97069 is 0 bytes after a block of size 41 alloc'd
==6465==    at 0x4C221A7: malloc (vg_replace_malloc.c:195)
==6465==    by 0x4047B8: ao_malloc (autoopts.c:61)
==6465==    by 0x40487C: ao_string_tokenize (tokenize.c:220)
==6465==    by 0x40A435: doEnvPresets (environment.c:64)
==6465==    by 0x40B680: optionProcess (autoopts.c:907)
==6465==    by 0x401DA2: main (rc.c:299)
==6465== 
==6465== Invalid write of size 1
==6465==    at 0x4048E8: ao_string_tokenize (tokenize.c:278)
==6465==    by 0x40A435: doEnvPresets (environment.c:64)
==6465==    by 0x40B69C: optionProcess (autoopts.c:919)
==6465==    by 0x401DA2: main (rc.c:299)
==6465==  Address 0x5f970d9 is 0 bytes after a block of size 41 alloc'd
==6465==    at 0x4C221A7: malloc (vg_replace_malloc.c:195)
==6465==    by 0x4047B8: ao_malloc (autoopts.c:61)
==6465==    by 0x40487C: ao_string_tokenize (tokenize.c:220)
==6465==    by 0x40A435: doEnvPresets (environment.c:64)
==6465==    by 0x40B69C: optionProcess (autoopts.c:919)
==6465==    by 0x401DA2: main (rc.c:299)
==6465== 
==6465== Invalid read of size 1
==6465==    at 0x4C22ED4: index (mc_replace_strmem.c:141)
==6465==    by 0x4038CA: longOptionFind (autoopts.c:266)
==6465==    by 0x4040FC: nextOption (autoopts.c:573)
==6465==    by 0x404435: doRegularOpts (autoopts.c:847)
==6465==    by 0x40A498: doEnvPresets (environment.c:100)
==6465==    by 0x40B69C: optionProcess (autoopts.c:919)
==6465==    by 0x401DA2: main (rc.c:299)
==6465==  Address 0x5f970d9 is 0 bytes after a block of size 41 alloc'd
==6465==    at 0x4C221A7: malloc (vg_replace_malloc.c:195)
==6465==    by 0x4047B8: ao_malloc (autoopts.c:61)
==6465==    by 0x40487C: ao_string_tokenize (tokenize.c:220)
==6465==    by 0x40A435: doEnvPresets (environment.c:64)
==6465==    by 0x40B69C: optionProcess (autoopts.c:919)
==6465==    by 0x401DA2: main (rc.c:299)
==6465== 
==6465== Invalid read of size 1
==6465==    at 0x4C23234: strlen (mc_replace_strmem.c:275)
==6465==    by 0x4038F6: longOptionFind (autoopts.c:288)
==6465==    by 0x4040FC: nextOption (autoopts.c:573)
==6465==    by 0x404435: doRegularOpts (autoopts.c:847)
==6465==    by 0x40A498: doEnvPresets (environment.c:100)
==6465==    by 0x40B69C: optionProcess (autoopts.c:919)
==6465==    by 0x401DA2: main (rc.c:299)
==6465==  Address 0x5f970d9 is 0 bytes after a block of size 41 alloc'd
==6465==    at 0x4C221A7: malloc 

Bug#567711: autogen: free(): invalid pointer in testsuite

2010-01-31 Thread Bruce Korb
Kurt Roeckx wrote:
 When running the regression tests, I rc.test failing.  When running
 TEST_RC=--no-load ../rc -t xxx MUMBLE I get the following error:
 *** glibc detected *** ../rc: free(): invalid pointer: 0x018d4010 ***
 === Backtrace: =
 /lib/libc.so.6[0x7f78a4f64d56]
 ../rc[0x40a4f1]
 ../rc[0x40b6d1]
 ../rc[0x401da3]
 /lib/libc.so.6(__libc_start_main+0xfd)[0x7f78a4f12abd]
 ../rc[0x401cb9]
 === Memory map: 
 [...]
 
 With a core file this looks like:
 #4  0x0040a511 in doPrognameEnv (pOpts=0x613220, type=ENV_IMM)
 at environment.c:106

That value is obtained from ao_string_tokenize( pczOptStr );
Memory management structures have become corrupt.
In chasing this a bit, I did discover a bug I introduced:
This assert became obsolete in longOptionFind():

    do  {
        if (SKIP_OPT(pOD)) {
            if (  (pOD->fOptState != (OPTST_OMITTED | OPTST_NO_INIT))
               || (pOD->pz_Name == NULL))
                continue;
        }
        else assert(pOD->pz_Name != NULL);

It now means that the entry should be ignored.  The correct form is now:

    do  {
        /*
         *  If option disabled or a doc option, skip to next
         */
        if (pOD->pz_Name == NULL)
            continue;

        if (  SKIP_OPT(pOD)
           && (pOD->fOptState != (OPTST_OMITTED | OPTST_NO_INIT)))
            continue;

If this fixes the problem, I'll be a happy camper and not chase it any more.  :)
Thanks -Bruce
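
Added example, not part of the message above or of the autogen source: the two loop forms from the message run over the same constructed option table, showing that they differ only for an entry whose pz_Name is NULL but which is not flagged for skipping. The flag values, the SKIP_OPT body, DEMO_DOC, demo_opt_t and the exact-match strcmp lookup are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins: flag values and the SKIP_OPT body are assumptions. */
#define OPTST_NO_INIT 0x01u
#define OPTST_OMITTED 0x02u
#define DEMO_DOC      0x04u  /* hypothetical "documentation entry" flag */
#define SKIP_OPT(p)   (((p)->fOptState & (OPTST_OMITTED | DEMO_DOC)) != 0)

typedef struct { unsigned fOptState; const char *pz_Name; } demo_opt_t;
enum { NOT_FOUND = -1, WOULD_ASSERT = -2 };

/* Old loop: a NULL name on a non-skipped entry trips the assert
 * (reported as WOULD_ASSERT here instead of aborting). */
static int find_old(const demo_opt_t *pOD, int ct, const char *name) {
    for (int i = 0; i < ct; i++, pOD++) {
        if (SKIP_OPT(pOD)) {
            if ((pOD->fOptState != (OPTST_OMITTED | OPTST_NO_INIT))
               || (pOD->pz_Name == NULL))
                continue;
        } else if (pOD->pz_Name == NULL)
            return WOULD_ASSERT;
        if (strcmp(pOD->pz_Name, name) == 0) return i;
    }
    return NOT_FOUND;
}

/* Corrected loop: a NULL name means "ignore this entry". */
static int find_new(const demo_opt_t *pOD, int ct, const char *name) {
    for (int i = 0; i < ct; i++, pOD++) {
        if (pOD->pz_Name == NULL) continue;
        if (SKIP_OPT(pOD)
           && (pOD->fOptState != (OPTST_OMITTED | OPTST_NO_INIT)))
            continue;
        if (strcmp(pOD->pz_Name, name) == 0) return i;
    }
    return NOT_FOUND;
}

/* Constructed table: entry 1 has no name and is not flagged for skipping. */
static const demo_opt_t demo_opts[] = {
    { 0, "load" }, { 0, NULL }, { DEMO_DOC, "heading" },
    { OPTST_OMITTED | OPTST_NO_INIT, "legacy" }, { 0, "trace" },
};
#define DEMO_CT ((int)(sizeof demo_opts / sizeof demo_opts[0]))

int main(void) {
    printf("old: %d  new: %d\n", find_old(demo_opts, DEMO_CT, "trace"),
           find_new(demo_opts, DEMO_CT, "trace"));
    return 0;
}
```

In a build with NDEBUG defined the old assert compiles to nothing, so the NULL name would reach the string comparison instead of stopping the program.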






Bug#567711: autogen: free(): invalid pointer in testsuite

2010-01-30 Thread Kurt Roeckx
Source: autogen
Version: 1:5.10-1

Hi,

When running the regression tests, I rc.test failing.  When running
TEST_RC=--no-load ../rc -t xxx MUMBLE I get the following error:
*** glibc detected *** ../rc: free(): invalid pointer: 0x018d4010 ***
=== Backtrace: =
/lib/libc.so.6[0x7f78a4f64d56]
../rc[0x40a4f1]
../rc[0x40b6d1]
../rc[0x401da3]
/lib/libc.so.6(__libc_start_main+0xfd)[0x7f78a4f12abd]
../rc[0x401cb9]
=== Memory map: 
[...]

With a core file this looks like:
#4  0x0040a511 in doPrognameEnv (pOpts=0x613220, type=ENV_IMM)
at environment.c:106
#5  doEnvPresets (pOpts=0x613220, type=ENV_IMM) at environment.c:193
#6  0x0040b6f1 in doPresets (pOpts=0x613220,
argCt=<value optimized out>, argVect=0x7fff1c0d4e48) at autoopts.c:904
#7  optionProcess (pOpts=0x613220, argCt=<value optimized out>,
argVect=0x7fff1c0d4e48) at autoopts.c:1110
#8  0x00401dc2 in main (argc=4, argv=0x7fff1c0d4e48) at rc.c:299


You need to set the environment variable MALLOC_CHECK_ to get glibc
to do that.  (See malloc() manpage.)


Kurt



