Bug#540373: libc6: malloc.c, segmentation fault now and then
Package: libc6
Version: 2.7-18
Severity: normal
Description:
Segmentation fault now and then in ace-of-penguins/ace-canfield
kernel: lt-canfield[1653]: segfault at 64 ip b7d88a19 sp bfae197c error 4 in libc-2.7.so[b7d1e000+138000]
and also in ftp, when the macro "safn" (defined below) is invoked as "$safn .":
macdef safn
dir $1 "| more"
kernel: ftp[1675]: segfault at 1f6b3 ip b7e34978 sp bf88d088 error 4 in libc-2.7.so[b7dca000+138000]
For ace-canfield:
The segmentation fault occurs intermittently on the realloc() that grows the undo buffer to max_undo == 100. sizeof(Undo) == 12, so that request is for 1200 bytes, which matches bytes=1200 in the first backtrace below. Note that the excerpt never checks the malloc()/realloc() result, assigns the realloc() return straight back to "undo" (the old buffer would be leaked and the next access would dereference NULL if realloc() ever failed), and passes a size_t to "%d"; those are worth fixing in the game, but none of them would by itself produce a crash inside malloc_consolidate().
------Start of part of code-------
static void
stack_note_undo(Stack *src, int n, Stack *dest)
{
if (doing_undo) return;
if (num_undo >= max_undo)
{
max_undo += 50;
fprintf(stderr, "max_undo = %d, sizeof(Undo) = %d\n", max_undo,
sizeof(Undo));
/* if (max_undo == 100) mtrace(); */
if (undo)
undo = (Undo *)realloc(undo, max_undo * sizeof(Undo));
else
undo = (Undo *)malloc(max_undo * sizeof(Undo));
}
/*if (max_undo == 100) muntrace();*/
-------End of part of code--------
Dump with gdb without "fprintf(...)" and "mtrace()":
GNU gdb 6.8-debian
...
Program received signal SIGSEGV, Segmentation fault.
0xb7e9da19 in malloc_consolidate (av=0xb7f6e160) at malloc.c:4842
4842 malloc.c: No such file or directory.
in malloc.c
(gdb) bt full
#0 0xb7e9da19 in malloc_consolidate (av=0xb7f6e160) at malloc.c:4842
fb = (mfastbinptr *) 0xb7f6e178
maxfb = (mfastbinptr *) 0xb7f6e18c
p = (mchunkptr) 0x9ff4e58
nextp = (mchunkptr) 0x9ffac08
unsorted_bin = (mchunkptr) 0xb7f6e190
first_unsorted = <value optimized out>
nextchunk = (mchunkptr) 0x9ff4e88
size = 208
nextsize = 160
prevsize = <value optimized out>
bck = (mchunkptr) 0x53
fwd = (mchunkptr) 0x65
#1 0xb7e9f9a5 in _int_malloc (av=0xb7f6e160, bytes=1201) at malloc.c:4166
nb = 1208
idx = 74
bin = <value optimized out>
victim = <value optimized out>
size = <value optimized out>
victim_index = <value optimized out>
remainder = <value optimized out>
remainder_size = <value optimized out>
block = <value optimized out>
bit = <value optimized out>
map = <value optimized out>
fwd = <value optimized out>
bck = <value optimized out>
---Type <return> to continue, or q <return> to quit---
#2 0xb7ea0ecf in _int_realloc (av=0xb7f6e160, oldmem=0x9ff4f70, bytes=1200)
at malloc.c:4972
nextsize = <value optimized out>
nb = 1208
oldp = (mchunkptr) 0x9ff4f68
oldsize = 608
newp = <value optimized out>
newsize = 608
newmem = <value optimized out>
next = (mchunkptr) 0x9ff51c8
remainder = <value optimized out>
remainder_size = <value optimized out>
bck = <value optimized out>
fwd = <value optimized out>
copysize = <value optimized out>
ncopies = <value optimized out>
errstr = <value optimized out>
#3 0xb7ea1a6f in *__GI___libc_realloc (oldmem=0x9ff4f70, bytes=1200)
at malloc.c:3709
ar_ptr = (mstate) 0xb7f6e160
nb = 1208
oldp = (mchunkptr) 0x9ff4f68
oldsize = 608
newp = <value optimized out>
hook = <value optimized out>
#4 0xb80d063a in stack_note_undo (src=0x9ff4dc0, n=27, dest=0x9ff4e28)
at stack.c:592
---Type <return> to continue, or q <return> to quit---
No locals.
#5 0xb80d0404 in stack_flip_card (src=0x9ff4dc0, dest=0x9ff4e28)
at stack.c:557
No locals.
#6 0x08049766 in hand_to_talon () at canfield.c:263
No locals.
#7 0x08049ede in click (x=54, y=275, b=1) at canfield.c:460
c = 4
f = 1
cp = (Picture *) 0x0
#8 0xb80c9cfd in table_loop () at table.c:405
event = {type = ev_buttondown, x = 54, y = 275, w = 474, h = 540,
button = 1, shifts = 0, key = -1206979872, time = 20910024}
first_expose = 1
click_button = 1
#9 0x08048ea4 in main (argc=1, argv=0xbfaf7464) at canfield.c:60
No locals.
-----End without "fprintf(...)" and "mtrace()"--------
Observation on the two dumps: in both, the crash is in malloc_consolidate() while it walks the fastbins, and the local chunk pointers bck/fwd hold tiny non-pointer values (0x53/0x65 here, 0x77/0x70 in the mtrace() run), while the faulting addresses reported by the kernel (0x64, 0x1f6b3) are equally small. A different allocation triggers it each time (the realloc() in stack_note_undo() here, mtrace()'s own malloc() below). That pattern suggests the heap's chunk metadata had already been overwritten before the call — typically by the application writing past the end of a heap buffer — rather than a defect in the libc allocator; running the game under valgrind, or with MALLOC_CHECK_=3 exported, should point at the overwrite.
Dump from gdb with "mtrace" activated in code
GNU gdb 6.8-debian
max_undo = 50, sizeof(Undo) = 12
Base rank: 1
max_undo = 100, sizeof(Undo) = 12
Program received signal SIGSEGV, Segmentation fault.
0xb7d88a19 in malloc_consolidate (av=0xb7e59160) at malloc.c:4842
4842 malloc.c: No such file or directory.
in malloc.c
(gdb) bt full
#0 0xb7d88a19 in malloc_consolidate (av=0xb7e59160) at malloc.c:4842
fb = (mfastbinptr *) 0xb7e59178
maxfb = (mfastbinptr *) 0xb7e5918c
p = (mchunkptr) 0x8057e58
nextp = (mchunkptr) 0x0
unsorted_bin = (mchunkptr) 0xb7e59190
first_unsorted = <value optimized out>
nextchunk = (mchunkptr) 0x8057e88
size = 208
nextsize = 160
prevsize = <value optimized out>
bck = (mchunkptr) 0x77
fwd = (mchunkptr) 0x70
#1 0xb7d8a9a5 in _int_malloc (av=0xb7e59160, bytes=512) at malloc.c:4166
nb = 520
idx = 64
bin = <value optimized out>
victim = <value optimized out>
size = <value optimized out>
victim_index = <value optimized out>
remainder = <value optimized out>
remainder_size = <value optimized out>
block = <value optimized out>
bit = <value optimized out>
map = <value optimized out>
fwd = <value optimized out>
bck = <value optimized out>
---Type <return> to continue, or q <return> to quit---
#2 0xb7d8c586 in *__GI___libc_malloc (bytes=512) at malloc.c:3553
ar_ptr = (mstate) 0xb7e59160
victim = (void *) 0xbfe94fb1
hook = <value optimized out>
#3 0xb7d8e09c in mtrace () at mtrace.c:314
mallfile = <value optimized out>
added_atexit_handler = 0
#4 0xb7fbb6bd in stack_note_undo (src=0x8057dc0, n=28, dest=0x8057e28)
at stack.c:593
No locals.
#5 0xb7fbb474 in stack_flip_card (src=0x8057dc0, dest=0x8057e28)
at stack.c:558
No locals.
#6 0x08049766 in hand_to_talon () at canfield.c:263
No locals.
#7 0x08049ede in click (x=52, y=265, b=1) at canfield.c:460
c = 4
f = 1
cp = (Picture *) 0x0
#8 0xb7fb4d6d in table_loop () at table.c:405
event = {type = ev_buttondown, x = 52, y = 265, w = 474, h = 540,
button = 1, shifts = 0, key = -1208114464, time = 1799809}
first_expose = 1
click_button = 1
#9 0x08048ea4 in main (argc=1, argv=0xbfe92fe4) at canfield.c:60
No locals.
---End of dump for "mtrace()" activated-----
-- System Information:
Debian Release: 5.0.2
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i586)
Kernel: Linux 2.6.18d and Linux 2.6.26
Locale: LANG=is_IS, LC_CTYPE=is_IS (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/bash
Versions of packages libc6 depends on:
ii libgcc1 1:4.3.2-1.1 GCC support library
--
Bjarni I. Gislason