[Bug 277751] New: calling free() gets SIGABRT
https://bugzilla.novell.com/show_bug.cgi?id=277751

Summary: calling free() gets SIGABRT
Product: openSUSE 10.3
Version: Alpha 4
Platform: PowerPC-64
OS/Version: Other
Status: NEW
Severity: Major
Priority: P5 - None
Component: Basesystem
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: pkirsch@novell.com
QAContact: qa@suse.de
CC: olh@novell.com

host: marconi, PS3 Platform openSUSE 10.3 (PPC) Alpha4, package: glibc-2.5-48

Steps to reproduce:
- run attached test.c, you will see that calling free on char* exits with SIGABRT, which I did not expect.
- the code in test.c is derived from reaim-testsuite of QA-Kernel

31 free(s);
(gdb)
Program received signal SIGABRT, Aborted.
0x0fec9ba4 in raise () from /lib/libc.so.6

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

https://bugzilla.novell.com/show_bug.cgi?id=277751

------- Comment #1 from pkirsch@novell.com 2007-05-24 05:03 MST -------
Created an attachment (id=141974)
 --> (https://bugzilla.novell.com/attachment.cgi?id=141974&action=view)
show the unexpected SIGABRT of free
https://bugzilla.novell.com/show_bug.cgi?id=277751 olh@novell.com changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |FIXED ------- Comment #2 from olh@novell.com 2007-05-24 05:23 MST ------- --- /dev/shm/bug-277751_test.c.orig 2007-05-24 13:22:42.669538520 +0200 +++ /dev/shm/bug-277751_test.c 2007-05-24 13:22:55.957467912 +0200 @@ -11,7 +11,7 @@ char *logfile_prefix_g="123"; char *ext_strcat(char *s1, char *s2) { - char *stmp = (char*)malloc(strlen(s1)+strlen(s2)); + char *stmp = (char*)malloc(strlen(s1)+strlen(s2)+1); stmp[0] = '\0'; strcat(stmp,s1); strcat(stmp,s2); -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.
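Review bot: the result of malloc() is written to at `stmp[0] = '\0';` with no NULL check, so an allocation failure in ext_strcat() becomes a NULL dereference; test `stmp` and return NULL before the first store. The `+1` covers the terminator that strcat() writes, and the same `strlen(s1)+strlen(s2)` sizing is worth searching for in the other allocations of this source file.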

https://bugzilla.novell.com/show_bug.cgi?id=277751

pkirsch@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|FIXED                       |

------- Comment #3 from pkirsch@novell.com 2007-05-24 06:06 MST -------
to #2: interesting, that fixes the failure of my test.c, which I intended to show the problem.
The fix from olh does not help further in the reaim-testsuite. Yes, I tried it with the above patch applied in src/drv_funcs.c function: ext_strcat().

This time strace (strace -s 4096 -fox reaim -c reaim.config -f data/workfile.alltests) attached:

10229 close(3) = 0
10229 munmap(0xf7fdf000, 4096) = 0
10229 rt_sigprocmask(SIG_UNBLOCK, [ABRT], NULL, 8) = 0
10229 tgkill(10229, 10229, SIGABRT) = 0
10229 --- SIGABRT (Aborted) @ 0 (0) ---
10229 +++ killed by SIGABRT +++

Sorry, this time I have no shorter program to show the problem, now I have to point to the reaim source :(.

https://bugzilla.novell.com/show_bug.cgi?id=277751

------- Comment #4 from pkirsch@novell.com 2007-05-24 06:06 MST -------
Created an attachment (id=141984)
 --> (https://bugzilla.novell.com/attachment.cgi?id=141984&action=view)
strace -s 4096 -fox reaim -c reaim.config -f data/workfile.alltests

https://bugzilla.novell.com/show_bug.cgi?id=277751

chrubis@novell.com changed:

           What    |Removed                                   |Added
----------------------------------------------------------------------------
         AssignedTo|bnc-team-screening@forge.provo.novell.com |pbaudis@novell.com
             Status|REOPENED                                  |NEW

https://bugzilla.novell.com/show_bug.cgi?id=277751

------- Comment #5 from olh@novell.com 2007-05-24 08:45 MST -------
If the ext_strcat() comes from reaim, it simply shows that there are more bugs of that sort.
It's unlikely a bug in glibc. glibc just detected data corruption due to incorrect array size access.

I guess you have to audit the reaim sources to spot similar errors like the one in the provided testcase.

https://bugzilla.novell.com/show_bug.cgi?id=277751

aj@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID

------- Comment #6 from aj@novell.com 2007-05-25 00:34 MST -------
An abort in free is always an error in the application which somehow corrupts the internal data structures of glibc's malloc implementation, e.g. in overwriting memory.

I advise to use valgrind or one of the malloc checking tools, e.g. MALLOC_CHECK_ to figure out the bug in reaim. I agree with Olaf in comment #5.

Btw. from man 3 free:

    Recent versions of Linux libc (later than 5.4.23) and GNU libc (2.x) include a malloc implementation which is tunable via environment variables. When MALLOC_CHECK_ is set, a special (less efficient) implementation is used which is designed to be tolerant against simple errors, such as double calls of free() with the same argument, or overruns of a single byte (off-by-one bugs). Not all such errors can be protected against, however, and memory leaks can result. If MALLOC_CHECK_ is set to 0, any detected heap corruption is silently ignored; if set to 1, a diagnostic is printed on stderr; if set to 2, abort() is called immediately. This can be useful because otherwise a crash may happen much later, and the true cause for the problem is then very hard to track down.

Since this is not a bug in glibc, I close this as invalid.
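
Comments #5 and #6 trace the abort to a buffer one byte too small for the terminator that strcat() writes, and recommend auditing reaim for the same pattern. As an added example (not code from reaim or from this bug report), a concatenation helper that computes the size in one place, rejects size_t overflow and checks the allocation; `concat_size` and `ext_strcat_checked` are hypothetical names and the input strings are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bytes needed to hold s1 followed by s2, including the terminating NUL.
 * Returns 0 if the sum would overflow size_t. */
static size_t concat_size(const char *s1, const char *s2)
{
    size_t n1 = strlen(s1), n2 = strlen(s2);

    if (n1 > SIZE_MAX - 1 - n2)
        return 0;
    return n1 + n2 + 1;
}

/* Hypothetical hardened counterpart of ext_strcat(): returns a newly
 * allocated string the caller must free(), or NULL on bad input,
 * size overflow or allocation failure. */
char *ext_strcat_checked(const char *s1, const char *s2)
{
    size_t total, n1;
    char *out;

    if (s1 == NULL || s2 == NULL)
        return NULL;
    total = concat_size(s1, s2);
    if (total == 0)
        return NULL;
    out = malloc(total);
    if (out == NULL)
        return NULL;

    n1 = strlen(s1);
    memcpy(out, s1, n1);
    memcpy(out + n1, s2, total - n1);   /* s2 plus its NUL: n2 + 1 bytes */
    return out;
}

int main(void)
{
    /* Constructed sample input, not taken from reaim. */
    char *s = ext_strcat_checked("123", ".log");

    if (s == NULL)
        return 1;
    puts(s);
    free(s);
    return 0;
}
```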