From owner-freebsd-current@FreeBSD.ORG Fri Aug 3 00:15:57 2012
Return-Path: 
Delivered-To: freebsd-current@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 2604B106566C; Fri, 3 Aug 2012 00:15:57 +0000 (UTC) (envelope-from sgk@troutmask.apl.washington.edu)
Received: from troutmask.apl.washington.edu (troutmask.apl.washington.edu [128.95.76.21]) by mx1.freebsd.org (Postfix) with ESMTP id F0AEC8FC08; Fri, 3 Aug 2012 00:15:56 +0000 (UTC)
Received: from troutmask.apl.washington.edu (localhost.apl.washington.edu [127.0.0.1]) by troutmask.apl.washington.edu (8.14.5/8.14.5) with ESMTP id q730FuOv035699; Thu, 2 Aug 2012 17:15:56 -0700 (PDT) (envelope-from sgk@troutmask.apl.washington.edu)
Received: (from sgk@localhost) by troutmask.apl.washington.edu (8.14.5/8.14.5/Submit) id q730Fu0j035698; Thu, 2 Aug 2012 17:15:56 -0700 (PDT) (envelope-from sgk)
Date: Thu, 2 Aug 2012 17:15:56 -0700
From: Steve Kargl
To: Jason Evans
Message-ID: <20120803001556.GA35672@troutmask.apl.washington.edu>
References: <20120802223246.GA35208@troutmask.apl.washington.edu> <20120802233635.GA35429@troutmask.apl.washington.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20120802233635.GA35429@troutmask.apl.washington.edu>
User-Agent: Mutt/1.4.2.3i
Cc: freebsd-current@freebsd.org
Subject: Re: possible je-malloc issue
X-BeenThere: freebsd-current@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Discussions about the use of FreeBSD-current
List-Unsubscribe: ,
List-Archive: 
List-Post: 
List-Help: 
List-Subscribe: ,
X-List-Received-Date: Fri, 03 Aug 2012 00:15:57 -0000

On Thu, Aug 02, 2012 at 04:36:35PM -0700, Steve Kargl wrote:
> On Thu, Aug 02, 2012 at 04:21:20PM -0700, Jason Evans wrote:
> > On Aug 2, 2012, at 3:32 PM, Steve Kargl wrote:
> > > (gdb) print *ptr
> > > Attempt to dereference a generic pointer.
> > > (gdb) up 1
> > > #5  0x48164b7d in XFree (data=0x80f58e0) at XlibInt.c:1701
> > > 1701    XlibInt.c: No such file or directory.
> > > (gdb) print *data
> > > Attempt to dereference a generic pointer.
> > > (gdb) up 1
> > > #6  0x080c4f2f in FlocaleFreeNameProperty (ptext=0xbfbfcfb4) at Flocale.c:2363
> > > 2363    Flocale.c: No such file or directory.
> > > (gdb) print *ptext
> > > $5 = {name = 0x80f58e0 "Untitled", name_list = 0x0}
> > 
> > jemalloc is asserting that the page which contains 0x80f58e0 is allocated
> > according to the containing chunk's page map, but the chunk header isn't
> > even mapped, and the attempted read causes a segfault.  This is almost
> > certainly a result of calling free() with a bogus pointer.
> > 
> 
> I suspect, but cannot prove it yet, that ptext->name points at
> a static buffer.  I'm trying to understand the code now.  The
> failure starts in
> 
> void FlocaleFreeNameProperty(FlocaleNameString *ptext)
> {
> 	if (ptext->name_list != NULL)
> 	{
> 		if (ptext->name != NULL && ptext->name != *ptext->name_list)
> 			XFree(ptext->name);
> 		XFreeStringList(ptext->name_list);
> 		ptext->name_list = NULL;
> 	}
> 	else if (ptext->name != NULL)
> 	{
> 		XFree(ptext->name);
> 	}
> 	ptext->name = NULL;
> 
> 	return;
> }
> 
> In the code the XFree(ptext->name) appears protected by the check
> for a NULL pointer, but it appears that 0x80f58e0 is invalid.  I
> don't know how to check for a non-NULL invalid pointer.  I suppose
> I can hack fvwm to leak memory at worst.
> 

I think I found the problem.  In fvwm/add_window.c one finds the
global entity

char NoName[] = "Untitled";	/* name if no name in XA_WM_NAME */

then later in fvwm/events.c one finds

FlocaleNameString new_name = { NoName, NULL };

At some point FlocaleFreeNameProperty is called to free the
FlocaleNameString that contains NoName, and XFree() is not happy.

-- 
Steve
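Added example, not code from the thread or from fvwm: the ownership mistake Steve traces (a static default buffer handed to the same release path as heap strings), with the release routine rewritten so the static buffer is recognised and skipped rather than passed to free(). The struct layout is the one quoted above; free_string_list as a stand-in for XFreeStringList(), the return codes and run_scenario() are assumptions made for the example.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup() */
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for fvwm's NoName and FlocaleNameString (layout as quoted). */
static char NoName[] = "Untitled";

typedef struct {
    char  *name;       /* NoName, a heap string, or an alias of name_list[0] */
    char **name_list;  /* NULL-terminated list owned as one unit, or NULL */
} FlocaleNameString;

static void free_string_list(char **list)   /* stand-in for XFreeStringList() */
{
    for (char **p = list; *p != NULL; p++) free(*p);
    free(list);
}

/* Hardened release: the static NoName buffer is never handed to free().
 * Returns 0 = nothing freed (NULL or NoName), 1 = heap name only,
 * 2 = list only (name aliased list[0]), 3 = list plus a separate name. */
static int flocale_release_name(FlocaleNameString *ptext)
{
    int own_name = ptext->name != NULL && ptext->name != NoName;
    int what = 0;
    if (ptext->name_list != NULL) {
        if (own_name && ptext->name != ptext->name_list[0]) {
            free(ptext->name);
            what = 3;
        } else { what = 2; }
        free_string_list(ptext->name_list);
        ptext->name_list = NULL;
    } else if (own_name) { free(ptext->name); what = 1; }
    ptext->name = NULL;
    return what;
}

/* Builds one ownership situation and releases it. kind 0 is the case from the
 * thread (no WM_NAME, name still points at NoName); 1 is a heap-owned name;
 * 2 is a name aliasing name_list[0], as after an X text-list conversion. */
static int run_scenario(int kind)
{
    FlocaleNameString s = { NoName, NULL };
    if (kind == 1) {
        s.name = strdup("xterm");
    } else if (kind == 2) {
        s.name_list = malloc(2 * sizeof *s.name_list);
        s.name_list[0] = strdup("xterm"); s.name_list[1] = NULL;
        s.name = s.name_list[0];
    }
    return flocale_release_name(&s);   /* fvwm's version would free(NoName) for kind 0 */
}
```

Running the three scenarios under a checking allocator (jemalloc with assertions, or ASan) is the quickest way to confirm that only the original path trips on kind 0.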