Bug 11957

Summary: yelp crashed with SIGSEGV in strlen()
Product: Rarian
Reporter: Sebastien Bacher <seb128>
Component: General
Assignee: Don Scorgie <Don>
Status: RESOLVED FIXED
QA Contact:
Severity: normal    
Priority: medium    
Version: unspecified   
Hardware: Other   
OS: All   

Description Sebastien Bacher 2007-08-12 02:57:19 UTC
The bug has been opened on https://bugs.launchpad.net/ubuntu/+source/yelp/+bug/130822

"Binary package hint: yelp

yelp 2.19.1-0ubuntu1 crashed on startup when going to System->Help and Support
...
GNU gdb 6.6-debian
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu"...
Using host libthread_db library "/lib/libthread_db.so.1".
(gdb)  handle SIG33 pass nostop noprint
Signal        Stop	Print	Pass to program	Description
SIG33         No	No	Yes		Real-time event 33
(gdb) set pagination 0
(gdb) run
Starting program: /usr/bin/yelp 
[Thread debugging using libthread_db enabled]
[New Thread 47365817343952 (LWP 1820)]
[New Thread 1082132816 (LWP 1823)]
[New Thread 1090525520 (LWP 1826)]
[New Thread 1098918224 (LWP 1827)]
[New Thread 1107310928 (LWP 1828)]
[New Thread 1115703632 (LWP 1829)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1115703632 (LWP 1829)]
0x00002b142ec78a80 in strlen () from /lib/libc.so.6
(gdb) backtrace full
#0  0x00002b142ec78a80 in strlen () from /lib/libc.so.6
No symbol table info available.
#1  0x00002b142ec471aa in vfprintf () from /lib/libc.so.6
No symbol table info available.
#2  0x00002b142ec636b9 in vsprintf () from /lib/libc.so.6
No symbol table info available.
#3  0x00002b142ec4d398 in sprintf () from /lib/libc.so.6
No symbol table info available.
#4  0x00002b142d768222 in process_check_file () at rarian-info.c:338
	filename = 0xfefefefefefefeff <Address 0xfefefefefefefeff out of bounds>
	iter = <value optimized out>
	fileinfo = {st_dev = 0, st_ino = 47365687175552, st_nlink = 38, st_mode = 787835264, st_uid = 11028, st_gid = 16311792, pad0 = 0, st_rdev = 16311840, st_size = 47365664240024, st_blksize = 1, st_blocks = 17334672, st_atim = {tv_sec = 47365684077094, tv_nsec = 0}, st_mtim = {tv_sec = 4311690896, tv_nsec = 17334672}, st_ctim = {tv_sec = 16723600, tv_nsec = 17334672}, __unused = {0, 47365664240024, 1}}
#5  0x00002b142d768395 in process_info_dir (dir=<value optimized out>) at rarian-info.c:436
	filename = <value optimized out>
	fp = (FILE *) 0xff2e90
	line = <value optimized out>
	started = 1
#6  0x00002b142d7684da in rrn_info_init () at rarian-info.c:534
	dirname = 0xfbe930 "/usr/share/info"
	info_dirs = 0xdc0490 "/usr/info:/usr/share/info:/usr/local/info:/usr/local/share/info"
	split = 0xdc049a "/usr/share/info:/usr/local/info:/usr/local/share/info"
	free_info_dirs = 1
#7  0x00002b142d7686f5 in rrn_info_get_categories () at rarian-info.c:556
No locals.
#8  0x000000000041f0ba in toc_process_info (toc=0x8ce810) at yelp-toc.c:699
	node = (xmlNodePtr) 0x1055800
	cat_node = <value optimized out>
	mynode = <value optimized out>
	categories = <value optimized out>
	sectno = <value optimized out>
	priv = (YelpTocPriv *) 0x8ce8b0
	i = 1
	xpath = (xmlXPathContextPtr) 0xf92db0
	obj = (xmlXPathObjectPtr) 0xf96000
	info_doc = (xmlDocPtr) 0xf2a030
	parserCtxt = (xmlParserCtxtPtr) 0xfd2ab0
#9  0x00002b142d4e2b84 in ?? () from /usr/lib/libglib-2.0.so.0
No symbol table info available.
#10 0x00002b142e4d1317 in start_thread () from /lib/libpthread.so.0
No symbol table info available.
#11 0x00002b142ecd3bed in clone () from /lib/libc.so.6
No symbol table info available.
#12 0x0000000000000000 in ?? ()
No symbol table info available.
(gdb) info registers
rax            0xfefefefefefefeff	-72340172838076673
rbx            0x42803e90	1115700880
rcx            0x1	1
rdx            0x42803ed0	1115700944
rsi            0x2b142d770f0e	47365662117646
rdi            0xfefefefefefefeff	-72340172838076673
rbp            0x42803d60	0x42803d60
rsp            0x42803698	0x42803698
r8             0xfefefefefefefeff	-72340172838076673
r9             0x2f2f2f2f2f2f2f2f	3399988123389603631
r10            0x65657263732d6c6c	7306371741938183276
r11            0x246	582
r12            0x2b142d770f0d	47365662117645
r13            0xfefefefefefefeff	-72340172838076673
r14            0x4	4
r15            0x0	0
rip            0x2b142ec78a80	0x2b142ec78a80 <strlen+16>
eflags         0x10213	[ CF AF IF RF ]
cs             0x33	51
ss             0x2b	43
ds             0x0	0
es             0x0	0
fs             0x63	99
gs             0x0	0
fctrl          0x37f	895
fstat          0x0	0
ftag           0xffff	65535
fiseg          0x2aaa	10922
fioff          0xaefbc324	-1359232220
foseg          0x0	0
fooff          0xdcfcf0	14482672
fop            0x558	1368
mxcsr          0x1fa1	[ IE PE IM DM ZM OM UM PM ]
(gdb) thread apply all backtrace

Thread 6 (Thread 1115703632 (LWP 1829)):
#0  0x00002b142ec78a80 in strlen () from /lib/libc.so.6
#1  0x00002b142ec471aa in vfprintf () from /lib/libc.so.6
#2  0x00002b142ec636b9 in vsprintf () from /lib/libc.so.6
#3  0x00002b142ec4d398 in sprintf () from /lib/libc.so.6
#4  0x00002b142d768222 in process_check_file () at rarian-info.c:338
#5  0x00002b142d768395 in process_info_dir (dir=<value optimized out>) at rarian-info.c:436
#6  0x00002b142d7684da in rrn_info_init () at rarian-info.c:534
#7  0x00002b142d7686f5 in rrn_info_get_categories () at rarian-info.c:556
#8  0x000000000041f0ba in toc_process_info (toc=0x8ce810) at yelp-toc.c:699
#9  0x00002b142d4e2b84 in ?? () from /usr/lib/libglib-2.0.so.0
#10 0x00002b142e4d1317 in start_thread () from /lib/libpthread.so.0
#11 0x00002b142ecd3bed in clone () from /lib/libc.so.6
#12 0x0000000000000000 in ?? ()

Thread 5 (Thread 1107310928 (LWP 1828)):
#0  0x00002b142e4d7af8 in __lll_mutex_lock_wait () from /lib/libpthread.so.0
#1  0x00002b142e4d3ada in _L_mutex_lock_100 () from /lib/libpthread.so.0
#2  0x00002b142e4d3475 in pthread_mutex_lock () from /lib/libpthread.so.0
#3  0x00002b142d4e2bf2 in ?? () from /usr/lib/libglib-2.0.so.0
#4  0x00002b142e4d1317 in start_thread () from /lib/libpthread.so.0
#5  0x00002b142ecd3bed in clone () from /lib/libc.so.6
#6  0x0000000000000000 in ?? ()

Thread 4 (Thread 1098918224 (LWP 1827)):
#0  0x00002b142ecbad07 in sched_yield () from /lib/libc.so.6
#1  0x000000000041e997 in toc_process (toc=0x8ce810) at yelp-toc.c:558
#2  0x00002b142d4e2b84 in ?? () from /usr/lib/libglib-2.0.so.0
#3  0x00002b142e4d1317 in start_thread () from /lib/libpthread.so.0
#4  0x00002b142ecd3bed in clone () from /lib/libc.so.6
#5  0x0000000000000000 in ?? ()

Thread 3 (Thread 1090525520 (LWP 1826)):
#0  0x00002b142e4d5997 in pthread_cond_timedwait@@GLIBC_2.3.2 () from /lib/libpthread.so.0
#1  0x00002b1435313268 in ?? () from /usr/lib/libnspr4.so.0d
#2  0x00002b1435313e8a in PR_WaitCondVar () from /usr/lib/libnspr4.so.0d
#3  0x00002b142efe36a2 in ?? () from /usr/lib/firefox/libxpcom_core.so
#4  0x00002b142efe17dc in ?? () from /usr/lib/firefox/libxpcom_core.so
#5  0x00002b14353194cd in ?? () from /usr/lib/libnspr4.so.0d
#6  0x00002b142e4d1317 in start_thread () from /lib/libpthread.so.0
#7  0x00002b142ecd3bed in clone () from /lib/libc.so.6
#8  0x0000000000000000 in ?? ()

Thread 2 (Thread 1082132816 (LWP 1823)):
#0  0x00002b142eccacb6 in poll () from /lib/libc.so.6
#1  0x00002b14353157bd in PR_Poll () from /usr/lib/libnspr4.so.0d
#2  0x00002b143880bb76 in ?? () from /usr/lib/firefox/components/libnecko.so
#3  0x00002b143880c2fe in ?? () from /usr/lib/firefox/components/libnecko.so
#4  0x00002b142efe17dc in ?? () from /usr/lib/firefox/libxpcom_core.so
#5  0x00002b14353194cd in ?? () from /usr/lib/libnspr4.so.0d
#6  0x00002b142e4d1317 in start_thread () from /lib/libpthread.so.0
#7  0x00002b142ecd3bed in clone () from /lib/libc.so.6
#8  0x0000000000000000 in ?? ()

Thread 1 (Thread 47365817343952 (LWP 1820)):
#0  0x00002b142eccacb6 in poll () from /lib/libc.so.6
#1  0x00002b142dde9470 in ?? () from /usr/lib/libX11.so.6
#2  0x00002b142dde9899 in _XRead () from /usr/lib/libX11.so.6
#3  0x00002b142ddea2c1 in _XReply () from /usr/lib/libX11.so.6
#4  0x00002b142ddcbfb2 in XGetAtomName () from /usr/lib/libX11.so.6
#5  0x00002b142bfbaa56 in gdk_x11_xatom_to_atom_for_display () from /usr/lib/libgdk-x11-2.0.so.0
#6  0x00002b142bfad2e7 in ?? () from /usr/lib/libgdk-x11-2.0.so.0
#7  0x00002b142bfae8c2 in ?? () from /usr/lib/libgdk-x11-2.0.so.0
#8  0x00002b142bfaedce in ?? () from /usr/lib/libgdk-x11-2.0.so.0
#9  0x00002b142d4c10a3 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#10 0x00002b142d4c43ad in ?? () from /usr/lib/libglib-2.0.so.0
#11 0x00002b142d4c46ba in g_main_loop_run () from /usr/lib/libglib-2.0.so.0
#12 0x00002b142baaf9d3 in gtk_main () from /usr/lib/libgtk-x11-2.0.so.0
#13 0x0000000000419630 in main (argc=<value optimized out>, argv=0x7fff7febb5d8) at yelp-main.c:121
#14 0x00002b142ec1db44 in __libc_start_main () from /lib/libc.so.6
#15 0x000000000040e0b9 in _start ()
#0  0x00002b142ec78a80 in strlen () from /lib/libc.so.6
(gdb) quit
The program is running.  Exit anyway? (y or n) "
Comment 1 Don Scorgie 2007-08-12 08:46:40 UTC
I hope I've fixed the error with this checkin:

2007-08-12  Don Scorgie  <Don@Scorgie.org>

	* librarian/rarian-info.c:
	Reuse filename in check_file
	Reduces number of malloc by quite a margin
	Should also (hopefully) fix
	bug #11957

However, the filename address looks scary and wrong.  Since filename has literally just been malloced, I think it's a malloc failure; however, it doesn't happen where I would expect it.  Anyway, the above check-in should resolve it (I hope).

Please reopen (with an updated stack trace) if it doesn't fix it and I'll try again.  Thanks.
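A constructed C example of the buffer-reuse approach the checkin above describes (added here; it is not rarian's code, and `struct pathbuf`, `pathbuf_join` and `demo_reuse` are hypothetical names): the "<dir>/<name>" path is built into one buffer kept across directory entries, allocation failure and truncation are reported to the caller, and a NULL entry is rejected before it can reach a format string the way the invalid pointer did in the strlen() frame.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration (not rarian's code) of the "reuse filename"
 * approach in the fix: "<dir>/<name>" is built into one buffer the caller
 * keeps across directory entries, and every failure (bad argument, failed
 * allocation, truncation) is returned to the caller rather than reaching
 * sprintf() as an invalid pointer, which is where the trace above dies. */
struct pathbuf {
    char  *data;
    size_t cap;
};

/* Returns the joined path, or NULL on failure; the buffer stays valid. */
const char *pathbuf_join(struct pathbuf *pb, const char *dir, const char *name)
{
    if (pb == NULL || dir == NULL || name == NULL)
        return NULL;
    size_t need = strlen(dir) + 1 + strlen(name) + 1;   /* dir '/' name NUL */
    if (pb->data == NULL || pb->cap < need) {
        size_t newcap = need < 64 ? 64 : need;  /* room for typical entries */
        char *p = realloc(pb->data, newcap);
        if (p == NULL)
            return NULL;                /* allocation failure: report, not use */
        pb->data = p;
        pb->cap  = newcap;
    }
    int n = snprintf(pb->data, pb->cap, "%s/%s", dir, name);  /* bounded */
    if (n < 0 || (size_t)n >= pb->cap)
        return NULL;
    return pb->data;
}

/* Walks two constructed entries with one buffer: returns 1 if both paths are
 * right, the second join reused the first allocation (no new malloc) and a
 * NULL entry is rejected instead of dereferenced; 0 otherwise. */
int demo_reuse(void)
{
    struct pathbuf pb = { NULL, 0 };
    const char *p = pathbuf_join(&pb, "/usr/share/info", "dir");
    int ok = p != NULL && strcmp(p, "/usr/share/info/dir") == 0;
    char *first = pb.data;
    p = pathbuf_join(&pb, "/usr/share/info", "gdb.info.gz");
    ok = ok && p == first && strcmp(p, "/usr/share/info/gdb.info.gz") == 0;
    ok = ok && pathbuf_join(&pb, "/usr/share/info", NULL) == NULL;
    free(pb.data);
    return ok;
}
```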
