possible je-malloc issue
Jason Evans
jasone at freebsd.org
Thu Aug 2 23:27:50 UTC 2012
On Aug 2, 2012, at 3:32 PM, Steve Kargl wrote:
> Libc built today.
> Start X with fvwm window manager.
> Open xterm and su to root.
>
> 1. Use nedit to edit a file and close.
>
> fvwm drops core. If fvwm does not drop core repeat 1 until
> she does.
>
> (gdb) bt
> #0 0x4841e294 in __jemalloc_arena_mapbits_get (chunk=0x8000000, pageind=245)
> at /usr/src/lib/libc/../../contrib/jemalloc/include/jemalloc/internal/arena.h:502
> #1 0x4841e2c4 in __jemalloc_arena_mapbits_allocated_get (chunk=0x8000000,
> pageind=245)
> at /usr/src/lib/libc/../../contrib/jemalloc/include/jemalloc/internal/arena.h:581
> #2 0x4841e739 in __jemalloc_arena_salloc (ptr=0x80f58e0, demote=false)
> at /usr/src/lib/libc/../../contrib/jemalloc/include/jemalloc/internal/arena.h:902
> #3 0x48423dd1 in __jemalloc_isalloc (ptr=0x8000000, demote=false)
> at /usr/src/lib/libc/../../contrib/jemalloc/include/jemalloc/internal/jemalloc_internal.h:791
> #4 0x4842408e in free (ptr=0x80f58e0) at jemalloc_jemalloc.c:1212
> #5 0x48164b7d in XFree (data=0x80f58e0) at XlibInt.c:1701
> #6 0x080c4f2f in FlocaleFreeNameProperty (ptext=0xbfbfcfb4) at Flocale.c:2363
> #7 0x0806d3ab in HandlePropertyNotify (ea=0xbfbfd014) at events.c:3422
> #8 0x0806c369 in dispatch_event (e=0xbfbfd044) at events.c:4135
> #9 0x0806ca5f in HandleEvents () at events.c:4179
> #10 0x0808e06e in main (argc=1, argv=0xbfbfd7ac) at fvwm.c:2591
> (gdb) frame 4
> #4 0x4842408e in free (ptr=0x80f58e0) at jemalloc_jemalloc.c:1212
> 1212 usize = isalloc(ptr, config_prof);
> (gdb) print *ptr
> Attempt to dereference a generic pointer.
> (gdb) up 1
> #5 0x48164b7d in XFree (data=0x80f58e0) at XlibInt.c:1701
> 1701 XlibInt.c: No such file or directory.
> (gdb) print *data
> Attempt to dereference a generic pointer.
> (gdb) up 1
> #6 0x080c4f2f in FlocaleFreeNameProperty (ptext=0xbfbfcfb4) at Flocale.c:2363
> 2363 Flocale.c: No such file or directory.
> (gdb) print *ptext
> $5 = {name = 0x80f58e0 "Untitled", name_list = 0x0}
jemalloc is asserting that the page which contains 0x80f58e0 is allocated according to the containing chunk's page map, but the chunk header isn't even mapped, and the attempted read causes a segfault. This is almost certainly a result of calling free() with a bogus pointer.
Jason
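To illustrate the diagnosis above, an added example (not code from the thread, from fvwm or from jemalloc itself) recomputes the chunk base and page index that jemalloc derives from the pointer handed to free(), and then checks whether the chunk header page is mapped at all. It assumes 4 MiB chunks and 4 KiB pages for this 32-bit trace; the process memory map is constructed, not taken from the report.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed geometry (not stated in the report): 4 MiB jemalloc chunks, 4 KiB pages. */
#define LG_CHUNK 22
#define LG_PAGE  12
#define CHUNK_SZ ((uintptr_t)1 << LG_CHUNK)

/* Chunk base containing ptr: round the address down to chunk alignment. */
uintptr_t chunk_base(uintptr_t ptr) { return ptr & ~(CHUNK_SZ - 1); }

/* Index of the page containing ptr, counted from the chunk base. */
size_t page_index(uintptr_t ptr) { return (ptr & (CHUNK_SZ - 1)) >> LG_PAGE; }

/* A mapped address range [start, end), as a process map listing would show. */
struct region { uintptr_t start, end; };

/* Constructed map: the mapping that holds 0x80f58e0 starts above the chunk
 * base, so the chunk header at 0x8000000 is not mapped anywhere. */
const struct region fvwm_map[] = { { 0x8048000, 0x80c0000 },   /* text (constructed) */
                                   { 0x80c0000, 0x8100000 } }; /* data/bss (constructed) */
#define FVWM_MAP_LEN (sizeof fvwm_map / sizeof fvwm_map[0])

/* Constructed map in which a real 4 MiB chunk covers the pointer. */
const struct region chunk_map[] = { { 0x8000000, 0x8400000 } };

/* 1 if the chunk header page (first page of the chunk) lies in a mapped region. */
int chunk_header_mapped(uintptr_t ptr, const struct region *map, size_t n) {
    uintptr_t hdr = chunk_base(ptr);
    for (size_t i = 0; i < n; i++)
        if (hdr >= map[i].start && hdr + ((uintptr_t)1 << LG_PAGE) <= map[i].end)
            return 1;
    return 0;
}

int main(void) {
    uintptr_t ptr = 0x80f58e0;   /* pointer passed to free() in frame #4 of the trace */
    /* Reproduces chunk=0x8000000 and pageind=245 from frame #0. */
    printf("chunk=0x%lx pageind=%zu\n", (unsigned long)chunk_base(ptr), page_index(ptr));
    if (!chunk_header_mapped(ptr, fvwm_map, FVWM_MAP_LEN))
        puts("chunk header unmapped: reading its page map faults, so ptr never came from jemalloc");
    return 0;
}
```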