Date:      Thu, 2 Aug 2012 16:21:20 -0700
From:      Jason Evans <jasone@freebsd.org>
To:        Steve Kargl <sgk@troutmask.apl.washington.edu>
Cc:        freebsd-current@freebsd.org
Subject:   Re: possible je-malloc issue
Message-ID:  <F4BC8216-1C76-4E21-85AC-B8F800B7A97D@freebsd.org>
In-Reply-To: <20120802223246.GA35208@troutmask.apl.washington.edu>
References:  <20120802223246.GA35208@troutmask.apl.washington.edu>

On Aug 2, 2012, at 3:32 PM, Steve Kargl wrote:
> Libc built today.
> Start X with fvwm window manager.
> Open xterm and su to root.
>
> 1. Use nedit to edit a file and close.
>
> fvwm drops core.  If fvwm does not drop core repeat 1 until
> she does.
>
> (gdb) bt
> #0  0x4841e294 in __jemalloc_arena_mapbits_get (chunk=0x8000000, pageind=245)
>    at /usr/src/lib/libc/../../contrib/jemalloc/include/jemalloc/internal/arena.h:502
> #1  0x4841e2c4 in __jemalloc_arena_mapbits_allocated_get (chunk=0x8000000,
>    pageind=245)
>    at /usr/src/lib/libc/../../contrib/jemalloc/include/jemalloc/internal/arena.h:581
> #2  0x4841e739 in __jemalloc_arena_salloc (ptr=0x80f58e0, demote=false)
>    at /usr/src/lib/libc/../../contrib/jemalloc/include/jemalloc/internal/arena.h:902
> #3  0x48423dd1 in __jemalloc_isalloc (ptr=0x8000000, demote=false)
>    at /usr/src/lib/libc/../../contrib/jemalloc/include/jemalloc/internal/jemalloc_internal.h:791
> #4  0x4842408e in free (ptr=0x80f58e0) at jemalloc_jemalloc.c:1212
> #5  0x48164b7d in XFree (data=0x80f58e0) at XlibInt.c:1701
> #6  0x080c4f2f in FlocaleFreeNameProperty (ptext=0xbfbfcfb4) at Flocale.c:2363
> #7  0x0806d3ab in HandlePropertyNotify (ea=0xbfbfd014) at events.c:3422
> #8  0x0806c369 in dispatch_event (e=0xbfbfd044) at events.c:4135
> #9  0x0806ca5f in HandleEvents () at events.c:4179
> #10 0x0808e06e in main (argc=1, argv=0xbfbfd7ac) at fvwm.c:2591
> (gdb) frame 4
> #4  0x4842408e in free (ptr=0x80f58e0) at jemalloc_jemalloc.c:1212
> 1212                            usize = isalloc(ptr, config_prof);
> (gdb) print *ptr
> Attempt to dereference a generic pointer.
> (gdb) up 1
> #5  0x48164b7d in XFree (data=0x80f58e0) at XlibInt.c:1701
> 1701    XlibInt.c: No such file or directory.
> (gdb) print *data
> Attempt to dereference a generic pointer.
> (gdb) up 1
> #6  0x080c4f2f in FlocaleFreeNameProperty (ptext=0xbfbfcfb4) at Flocale.c:2363
> 2363    Flocale.c: No such file or directory.
> (gdb) print *ptext
> $5 = {name = 0x80f58e0 "Untitled", name_list = 0x0}

jemalloc is asserting that the page which contains 0x80f58e0 is allocated according to the containing chunk's page map, but the chunk header isn't even mapped, and the attempted read causes a segfault.  This is almost certainly a result of calling free() with a bogus pointer.

Jason
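The following is an added illustration, not code from jemalloc or from either poster: it models how jemalloc derives the chunk header and page-map index from a pointer handed to free(), reproduces the chunk/pageind values shown in the backtrace above, and adds a hypothetical chunk registry so a pointer that lies in no known chunk is reported instead of dereferenced. It assumes 4 MiB chunks and 4 KiB pages, which are consistent with chunk=0x8000000 and pageind=245 for ptr=0x80f58e0.

```c
#include <stdint.h>
#include <stdio.h>

#define LG_CHUNK 22                       /* assumed: 4 MiB chunks */
#define LG_PAGE  12                       /* assumed: 4 KiB pages */
#define CHUNK_PAGES (1u << (LG_CHUNK - LG_PAGE))
#define MAPBITS_ALLOCATED 0x01u

/* Stand-in for a chunk header: one map-bits word per page of the chunk. */
typedef struct { uintptr_t base; uint32_t mapbits[CHUNK_PAGES]; } chunk_t;

/* Mask the pointer down to chunk alignment to locate the chunk header... */
uintptr_t chunk_of(uintptr_t ptr) { return ptr & ~(((uintptr_t)1 << LG_CHUNK) - 1); }
/* ...and use the page offset within the chunk as the page-map index. */
size_t pageind_of(uintptr_t ptr) { return (size_t)((ptr - chunk_of(ptr)) >> LG_PAGE); }

/* Hypothetical registry of chunk headers this allocator actually owns.
 * Plain free() performs no such lookup and reads the header directly,
 * which is the read that faults in the backtrace. */
static chunk_t *registry[8];
static int nregistered;

/* 1 = page marked allocated, 0 = not allocated, -1 = pointer lies in no
 * registered chunk, i.e. a bogus pointer caught before any dereference. */
int checked_allocated_get(uintptr_t ptr) {
    uintptr_t hdr = chunk_of(ptr);
    for (int i = 0; i < nregistered; i++)
        if (registry[i]->base == hdr)
            return (registry[i]->mapbits[pageind_of(ptr)] & MAPBITS_ALLOCATED) ? 1 : 0;
    return -1;
}

/* Constructed demo chunk at a made-up base; only page 3 is marked allocated. */
static chunk_t demo_chunk;
uintptr_t setup_demo_chunk(void) {
    if (nregistered == 0) {
        demo_chunk.base = 0x9000000u;
        demo_chunk.mapbits[3] = MAPBITS_ALLOCATED;
        registry[nregistered++] = &demo_chunk;
    }
    return demo_chunk.base;
}

int main(void) {
    uintptr_t bad = 0x80f58e0u;           /* the pointer from the backtrace */
    setup_demo_chunk();
    printf("ptr 0x%lx -> chunk 0x%lx, pageind %zu, lookup %d\n",
           (unsigned long)bad, (unsigned long)chunk_of(bad), pageind_of(bad),
           checked_allocated_get(bad));  /* lookup -1: no such chunk */
    return 0;
}
```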