
gEDA-bug: segfault in malloc()



Hi,

Geda (version 20050313-1) in Debian sid segfaults if I
double-right-click a file in a project.

Steps to reproduce:

1) Create new project and File->import the example file (from package
geda-examples) TwoStageAmp.sch (MD5 7d8fb26c25f52156351cc5a8437bfae4).

2) Double-click the filename with the right button.

Expected results:

Nothing / No idea, but at least it shouldn't crash

Actual results:

Geda segfaults.

Backtrace:

#0  0x4054ad57 in mallopt () from /lib/libc.so.6
#1  0x40549fb3 in malloc () from /lib/libc.so.6
#2  0x400488e7 in g_malloc () from /usr/lib/libglib-2.0.so.0
#3  0x400588c9 in g_strdup () from /usr/lib/libglib-2.0.so.0
#4  0x401ac7c3 in gtk_label_get_mnemonic_keyval () from /usr/lib/libgtk-x11-2.0.so.0
#5  0x401ac8a4 in gtk_label_set_text () from /usr/lib/libgtk-x11-2.0.so.0
#6  0x400ea5b2 in gtk_accel_label_new () from /usr/lib/libgtk-x11-2.0.so.0
#7  0x401cbf1c in gtk_menu_item_new_with_label () from /usr/lib/libgtk-x11-2.0.so.0
#8  0x08054f1b in MenuWindowNew (szName=0x813d3f8 "Open: ../TwoStageAmp.sch") at m_window.c:66
#9  0x08057734 in NewExtCmd (szFilename=0x8062440 "../TwoStageAmp.sch", pAction=0x810bcd0) at task.c:441
#10 0x08056c9c in TaskNew (iTaskType=1, pValue=0x40609310) at task.c:113
#11 0x0804d09f in DocOpen (szFileName=0x8062440 "../TwoStageAmp.sch", iAction=0) at doc.c:197
#12 0x0804e7e2 in on_DocModulesTree_button_press_event (widget=0x80c6758, event=0x10, user_data=0x0) at doc.c:1014
#13 0x401c09fe in _gtk_marshal_BOOLEAN__BOXED () from /usr/lib/libgtk-x11-2.0.so.0
#14 0x404a6736 in g_closure_invoke () from /usr/lib/libgobject-2.0.so.0
#15 0x404b7c5a in g_signal_emit_by_name () from /usr/lib/libgobject-2.0.so.0
#16 0x404b6c8c in g_signal_emit_valist () from /usr/lib/libgobject-2.0.so.0
#17 0x404b7126 in g_signal_emit () from /usr/lib/libgobject-2.0.so.0
#18 0x402afe97 in gtk_widget_send_expose () from /usr/lib/libgtk-x11-2.0.so.0
#19 0x401bf512 in gtk_propagate_event () from /usr/lib/libgtk-x11-2.0.so.0
#20 0x401be366 in gtk_main_do_event () from /usr/lib/libgtk-x11-2.0.so.0
#21 0x403bb775 in _gdk_events_queue () from /usr/lib/libgdk-x11-2.0.so.0
#22 0x40042582 in g_main_depth () from /usr/lib/libglib-2.0.so.0
#23 0x400435f8 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#24 0x40043930 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#25 0x40043b7d in g_main_context_iteration () from /usr/lib/libglib-2.0.so.0
#26 0x08055302 in MainLoop () at main.c:195
#27 0x080551ce in main (argc=1, argv=0xbffffd14) at main.c:160
(gdb) frame 8
#8  0x08054f1b in MenuWindowNew (szName=0x813d3f8 "Open: ../TwoStageAmp.sch") at m_window.c:66
66              pMenuItem = GTK_MENU_ITEM(gtk_menu_item_new_with_label(szName));
(gdb) frame 0
#0  0x4054ad57 in mallopt () from /lib/libc.so.6
(gdb) x/2i $eip
0x4054ad57 <mallopt+103>:       mov    0x8(%esi),%eax
0x4054ad5a <mallopt+106>:       mov    %eax,0x24(%edx)
(gdb) info register esi
esi            0x536f7754       1399813972
(gdb) x/32x $esi
0x536f7754:     Cannot access memory at address 0x536f7754

Crash in malloc suggests that this is heap corruption and indeed

$ perl -e 'printf(chr(hex("0x53")).chr(hex("0x6f")).chr(hex("0x77")).chr(hex("0x54")));'

prints out "SowT" which is part of the filename (backwards because of
endianness of course). Later I heard on IRC that if the file is renamed
to a shorter one, e.g. "tsa.sch", then geda does not segfault here :)

Before crashing geda also prints out

(geda:1282): GLib-GObject-WARNING **: invalid cast from `GtkWindow' to `GtkMenuItem'

but I'm not sure if this is related to this bug.

P.S. A more "reliable" way to get geda to segfault seems to be to

3) Select TwoStageAmp.sch when it has been imported to the project and
   click Actions->Create PCB layout

After this geda segfaults again in malloc with

#0  0x4054b560 in mallopt () from /lib/libc.so.6
#1  0x4054adcb in mallopt () from /lib/libc.so.6
#2  0x40549fb3 in malloc () from /lib/libc.so.6
#3  0x400488e7 in g_malloc () from /usr/lib/libglib-2.0.so.0
#4  0x4048964f in pango_direction_get_type () from /usr/lib/libpango-1.0.so.0
#5  0x40489f8a in pango_log2vis_get_embedding_levels () from /usr/lib/libpango-1.0.so.0
#6  0x404775b5 in pango_context_get_base_dir () from /usr/lib/libpango-1.0.so.0
#7  0x4047824a in pango_itemize_with_base_dir () from /usr/lib/libpango-1.0.so.0
#8  0x4047f69f in pango_layout_get_pixel_size () from /usr/lib/libpango-1.0.so.0
#9  0x4047db86 in pango_layout_get_cursor_pos () from /usr/lib/libpango-1.0.so.0
#10 0x4047def7 in pango_layout_get_extents () from /usr/lib/libpango-1.0.so.0
#11 0x401adc91 in gtk_label_get () from /usr/lib/libgtk-x11-2.0.so.0
#12 0x401ae20f in gtk_label_get () from /usr/lib/libgtk-x11-2.0.so.0
#13 0x404b8b63 in g_cclosure_marshal_VOID__BOXED () from /usr/lib/libgobject-2.0.so.0
#14 0x404a69c9 in g_cclosure_new_swap () from /usr/lib/libgobject-2.0.so.0
#15 0x404a6736 in g_closure_invoke () from /usr/lib/libgobject-2.0.so.0
#16 0x404b7651 in g_signal_emit_by_name () from /usr/lib/libgobject-2.0.so.0
#17 0x404b6e9c in g_signal_emit_valist () from /usr/lib/libgobject-2.0.so.0
#18 0x404b7216 in g_signal_emit_by_name () from /usr/lib/libgobject-2.0.so.0
#19 0x4020af6e in gtk_size_group_remove_widget () from /usr/lib/libgtk-x11-2.0.so.0
#20 0x4020b2e8 in _gtk_size_group_compute_requisition () from /usr/lib/libgtk-x11-2.0.so.0
#21 0x402ae72c in gtk_widget_size_request () from /usr/lib/libgtk-x11-2.0.so.0
#22 0x402a6d23 in gtk_vbox_new () from /usr/lib/libgtk-x11-2.0.so.0
#23 0x404b8b63 in g_cclosure_marshal_VOID__BOXED () from /usr/lib/libgobject-2.0.so.0
#24 0x404a69c9 in g_cclosure_new_swap () from /usr/lib/libgobject-2.0.so.0
#25 0x404a6736 in g_closure_invoke () from /usr/lib/libgobject-2.0.so.0
#26 0x404b7651 in g_signal_emit_by_name () from /usr/lib/libgobject-2.0.so.0
#27 0x404b6e9c in g_signal_emit_valist () from /usr/lib/libgobject-2.0.so.0
#28 0x404b7216 in g_signal_emit_by_name () from /usr/lib/libgobject-2.0.so.0
#29 0x4020af6e in gtk_size_group_remove_widget () from /usr/lib/libgtk-x11-2.0.so.0
#30 0x4020b2e8 in _gtk_size_group_compute_requisition () from /usr/lib/libgtk-x11-2.0.so.0
#31 0x402ae72c in gtk_widget_size_request () from /usr/lib/libgtk-x11-2.0.so.0
#32 0x402bc543 in gtk_window_reshow_with_initial_size () from /usr/lib/libgtk-x11-2.0.so.0
#33 0x404b8b63 in g_cclosure_marshal_VOID__BOXED () from /usr/lib/libgobject-2.0.so.0
#34 0x404a69c9 in g_cclosure_new_swap () from /usr/lib/libgobject-2.0.so.0
#35 0x404a6736 in g_closure_invoke () from /usr/lib/libgobject-2.0.so.0
#36 0x404b7651 in g_signal_emit_by_name () from /usr/lib/libgobject-2.0.so.0
#37 0x404b6e9c in g_signal_emit_valist () from /usr/lib/libgobject-2.0.so.0
#38 0x404b7216 in g_signal_emit_by_name () from /usr/lib/libgobject-2.0.so.0
#39 0x4020af6e in gtk_size_group_remove_widget () from /usr/lib/libgtk-x11-2.0.so.0
#40 0x4020b2e8 in _gtk_size_group_compute_requisition () from /usr/lib/libgtk-x11-2.0.so.0
#41 0x402ae72c in gtk_widget_size_request () from /usr/lib/libgtk-x11-2.0.so.0
#42 0x402bd4ff in _gtk_window_unset_focus_and_default () from /usr/lib/libgtk-x11-2.0.so.0
#43 0x402bbd40 in gtk_window_reshow_with_initial_size () from /usr/lib/libgtk-x11-2.0.so.0
#44 0x404b82a6 in g_cclosure_marshal_VOID__VOID () from /usr/lib/libgobject-2.0.so.0
#45 0x404a69c9 in g_cclosure_new_swap () from /usr/lib/libgobject-2.0.so.0
#46 0x404a6736 in g_closure_invoke () from /usr/lib/libgobject-2.0.so.0
#47 0x404b7651 in g_signal_emit_by_name () from /usr/lib/libgobject-2.0.so.0
#48 0x404b6e9c in g_signal_emit_valist () from /usr/lib/libgobject-2.0.so.0
#49 0x404b7126 in g_signal_emit () from /usr/lib/libgobject-2.0.so.0
#50 0x402ad8e6 in gtk_widget_show () from /usr/lib/libgtk-x11-2.0.so.0
#51 0x40136a4d in gtk_container_get_focus_hadjustment () from /usr/lib/libgtk-x11-2.0.so.0
#52 0x402adcb6 in gtk_widget_show_all () from /usr/lib/libgtk-x11-2.0.so.0
#53 0x08057941 in NewExtCmd (szFilename=0xbffff0c0 "../TwoStageAmp.sch", pAction=0x810c510) at task.c:433
#54 0x08056c9c in TaskNew (iTaskType=1, pValue=0x8159a00) at task.c:113
#55 0x080536db in MenuActionActivation (pMenuItem=0x81160d0, pUserData=0x0) at m_action.c:151
#56 0x404b82a6 in g_cclosure_marshal_VOID__VOID () from /usr/lib/libgobject-2.0.so.0
#57 0x404a6736 in g_closure_invoke () from /usr/lib/libgobject-2.0.so.0
#58 0x404b7dcf in g_signal_emit_by_name () from /usr/lib/libgobject-2.0.so.0
#59 0x404b6e9c in g_signal_emit_valist () from /usr/lib/libgobject-2.0.so.0
#60 0x404b7126 in g_signal_emit () from /usr/lib/libgobject-2.0.so.0
#61 0x402b0067 in gtk_widget_activate () from /usr/lib/libgtk-x11-2.0.so.0
#62 0x401cfa32 in gtk_menu_shell_activate_item () from /usr/lib/libgtk-x11-2.0.so.0
#63 0x401cefc5 in _gtk_menu_shell_activate () from /usr/lib/libgtk-x11-2.0.so.0
#64 0x401c7d56 in gtk_menu_reorder_child () from /usr/lib/libgtk-x11-2.0.so.0
#65 0x401c09fe in _gtk_marshal_BOOLEAN__BOXED () from /usr/lib/libgtk-x11-2.0.so.0
#66 0x404a69c9 in g_cclosure_new_swap () from /usr/lib/libgobject-2.0.so.0
#67 0x404a6736 in g_closure_invoke () from /usr/lib/libgobject-2.0.so.0
#68 0x404b7855 in g_signal_emit_by_name () from /usr/lib/libgobject-2.0.so.0
#69 0x404b6c8c in g_signal_emit_valist () from /usr/lib/libgobject-2.0.so.0
#70 0x404b7126 in g_signal_emit () from /usr/lib/libgobject-2.0.so.0
#71 0x402afe97 in gtk_widget_send_expose () from /usr/lib/libgtk-x11-2.0.so.0
#72 0x401bf512 in gtk_propagate_event () from /usr/lib/libgtk-x11-2.0.so.0
#73 0x401be366 in gtk_main_do_event () from /usr/lib/libgtk-x11-2.0.so.0
#74 0x403bb775 in _gdk_events_queue () from /usr/lib/libgdk-x11-2.0.so.0
#75 0x40042582 in g_main_depth () from /usr/lib/libglib-2.0.so.0
#76 0x400435f8 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#77 0x40043930 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#78 0x40043b7d in g_main_context_iteration () from /usr/lib/libglib-2.0.so.0
#79 0x08055302 in MainLoop () at main.c:195
#80 0x080551ce in main (argc=1, argv=0xbffffd14) at main.c:160

In this case valgrind reports

==1447== Syscall param execve(argv[i]) points to unaddressable byte(s)
==1447==    at 0x1BE82EF8: execve (in /lib/libc-2.3.2.so)
==1447==    by 0x1BE831CD: execl (in /lib/libc-2.3.2.so)
==1447==    by 0x80572BE: TaskProcess (task.c:266)
==1447==    by 0x80552D5: MainLoop (main.c:190)
==1447==    by 0x80551CD: main (main.c:160)
==1447==  Address 0x1C2550C8 is 0 bytes inside a block of size 60 free'd
==1447==    at 0x1B90506F: realloc (vg_replace_malloc.c:196)
==1447==    by 0x8057BD9: StrReplace (task.c:524)
==1447==    by 0x8057630: NewExtCmd (task.c:414)
==1447==    by 0x8056C9B: TaskNew (task.c:113)
==1447==    by 0x80536DA: MenuActionActivation (m_action.c:151)
==1447==    by 0x1BDB52A5: g_cclosure_marshal_VOID__VOID (in /usr/lib/libgobject-2.0.so.0.600.4)
==1447==    by 0x1BDA3735: g_closure_invoke (in /usr/lib/libgobject-2.0.so.0.600.4)
==1447==    by 0x1BDB4DCE: (within /usr/lib/libgobject-2.0.so.0.600.4)
==1447==    by 0x1BDB3E9B: g_signal_emit_valist (in /usr/lib/libgobject-2.0.so.0.600.4)
==1447==    by 0x1BDB4125: g_signal_emit (in /usr/lib/libgobject-2.0.so.0.600.4)
==1447==    by 0x1BBA5066: gtk_widget_activate (in /usr/lib/libgtk-x11-2.0.so.0.600.4)
==1447==    by 0x1BAC4A31: gtk_menu_shell_activate_item (in /usr/lib/libgtk-x11-2.0.so.0.600.4)

==1446== Invalid free() / delete / delete[]
==1446==    at 0x1B904B04: free (vg_replace_malloc.c:152)
==1446==    by 0x8056D0D: TaskDelete (task.c:162)
==1446==    by 0x8056F18: TaskProcess (task.c:323)
==1446==    by 0x80552D5: MainLoop (main.c:190)
==1446==    by 0x80551CD: main (main.c:160)
==1446==  Address 0x1C2550C8 is 0 bytes inside a block of size 60 free'd
==1446==    at 0x1B90506F: realloc (vg_replace_malloc.c:196)
==1446==    by 0x8057BD9: StrReplace (task.c:524)
==1446==    by 0x8057630: NewExtCmd (task.c:414)
==1446==    by 0x8056C9B: TaskNew (task.c:113)
==1446==    by 0x80536DA: MenuActionActivation (m_action.c:151)
==1446==    by 0x1BDB52A5: g_cclosure_marshal_VOID__VOID (in /usr/lib/libgobject-2.0.so.0.600.4)
==1446==    by 0x1BDA3735: g_closure_invoke (in /usr/lib/libgobject-2.0.so.0.600.4)
==1446==    by 0x1BDB4DCE: (within /usr/lib/libgobject-2.0.so.0.600.4)
==1446==    by 0x1BDB3E9B: g_signal_emit_valist (in /usr/lib/libgobject-2.0.so.0.600.4)
==1446==    by 0x1BDB4125: g_signal_emit (in /usr/lib/libgobject-2.0.so.0.600.4)
==1446==    by 0x1BBA5066: gtk_widget_activate (in /usr/lib/libgtk-x11-2.0.so.0.600.4)
==1446==    by 0x1BAC4A31: gtk_menu_shell_activate_item (in /usr/lib/libgtk-x11-2.0.so.0.600.4)

and also very many "invalid reads/writes" like

==1446== Invalid read of size 1
==1446==    at 0x1B905801: strlen (mac_replace_strmem.c:189)
==1446==    by 0x8057BC9: StrReplace (task.c:524)


I am reporting both in the same bug report because it seems very
likely that both are caused by the same heap corruption problem.



best regards,
Timo Lindfors
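An added example in C, not part of the report above and not gEDA's own code, that illustrates the two analysis steps in it. reg_to_ascii recovers, in memory order, the text that the faulting esi value 0x536f7754 was holding (the report's perl one-liner printed the same four bytes high-to-low). str_replace_all and build_cmd then show the realloc discipline that the valgrind output points at: a block "free'd at realloc" inside StrReplace is later read by execve and freed again by TaskDelete, which is the pattern of realloc moving a block while the caller keeps the old pointer. Here the helper writes the possibly moved pointer back through the caller's variable, so no stale copy survives to be dereferenced or freed twice. The function names, the "%f" placeholder and the command template are assumptions made for this example, not gEDA's actual API.

```c
/* Added example, not gEDA code: forensic decode of a register value and a
 * realloc-safe string replace. Function names and the "%f" placeholder are
 * assumptions for the example. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Recover the ASCII bytes a 32-bit register held, in memory order.
 * On little-endian x86, esi = 0x536f7754 was loaded from bytes
 * 54 77 6f 53, i.e. "TwoS" (the perl one-liner printed them reversed,
 * "SowT"). Non-printable bytes are shown as '.'. */
static void reg_to_ascii(uint32_t reg, char out[5]) {
    for (int i = 0; i < 4; i++) {
        unsigned char b = (unsigned char)(reg >> (8 * i)); /* byte i, lowest address first */
        out[i] = (b >= 0x20 && b < 0x7f) ? (char)b : '.';
    }
    out[4] = '\0';
}

/* Portable strdup (strdup itself is POSIX, not ISO C). */
static char *xstrdup(const char *s) {
    size_t n = strlen(s) + 1;
    char *d = malloc(n);
    if (d != NULL) memcpy(d, s, n);
    return d;
}

/* Replace every occurrence of `from` in *buf with `to`, growing the
 * heap block with realloc when needed. The new block address is written
 * back through `buf`, so the caller never keeps a pointer to memory that
 * realloc has freed. Returns 0 on success, -1 on allocation failure
 * (in which case *buf is left valid and unchanged). */
static int str_replace_all(char **buf, const char *from, const char *to) {
    size_t flen = strlen(from), tlen = strlen(to);
    if (flen == 0) return 0;                 /* nothing sensible to match */
    size_t pos = 0;
    char *hit;
    while ((hit = strstr(*buf + pos, from)) != NULL) {
        size_t at = (size_t)(hit - *buf);
        size_t oldlen = strlen(*buf);
        if (tlen > flen) {
            char *grown = realloc(*buf, oldlen + (tlen - flen) + 1);
            if (grown == NULL) return -1;    /* *buf is still the valid old block */
            *buf = grown;                    /* publish the possibly moved block */
        }
        /* Shift the tail (including NUL) to make room, then drop in `to`. */
        memmove(*buf + at + tlen, *buf + at + flen, oldlen - at - flen + 1);
        memcpy(*buf + at, to, tlen);
        pos = at + tlen;                     /* continue after the inserted text */
    }
    return 0;
}

/* Build an external command from a template, substituting "%f" with the
 * filename. The returned pointer is the only live reference to the block,
 * so it is valid for exec and can be freed exactly once afterwards. */
static char *build_cmd(const char *template, const char *filename) {
    char *cmd = xstrdup(template);
    if (cmd == NULL) return NULL;
    if (str_replace_all(&cmd, "%f", filename) != 0) {
        free(cmd);
        return NULL;
    }
    return cmd;
}

int main(void) {
    char ascii[5];
    reg_to_ascii(0x536f7754u, ascii);
    printf("esi bytes in memory order: \"%s\"\n", ascii);

    /* Constructed template; "open-tool" is a placeholder, not a real program. */
    char *cmd = build_cmd("open-tool %f", "../TwoStageAmp.sch");
    if (cmd == NULL) return 1;
    printf("command: %s\n", cmd);
    free(cmd);   /* one free of the current pointer, never of a stale one */
    return 0;
}
```

The defensive point is the `*buf = grown` line: once realloc is involved, every holder of the old address must be updated, which is easiest to guarantee when the helper owns the only copy. Under valgrind the stale-pointer variant of this code would produce exactly the "Address ... inside a block of size N free'd at realloc" report quoted above.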