Bug#499658: kmtrace crashes while loading a trace dump
Package: kmtrace
Version: 4:3.5.9-2
Severity: normal
While analyzing the ktrace dump and binary located at:
http://data.plan9.de/ktrace.out.crash.lzma
http://data.plan9.de/deliantra-server.ktrace.crash.lzma
which was created by running:
MALLOC_TRACE=/tmp/ktrace.out LD_PRELOAD=/usr/lib/kmtrace/libktrace.so server/deliantra-server
kmtrace crashed like this (kmtrace ktrace.out):
*** glibc detected *** kmtrace: realloc(): invalid next size: 0x0000000001c84ed0 ***
======= Backtrace: =========
/lib/libc.so.6[0x7fb91a331978]
/lib/libc.so.6[0x7fb91a335571]
/lib/libc.so.6(realloc+0x12f)[0x7fb91a335fef]
/usr/lib/libqt-mt.so.3(QGArray::resize(unsigned int, QGArray::Optimization)+0x3a)[0x7fb919e3baea]
/usr/lib/libqt-mt.so.3(QGArray::resize(unsigned int)+0xb)[0x7fb919e3bb5b]
/usr/lib/libqt-mt.so.3(QCString::resize(unsigned int)+0x30)[0x7fb919e2f3c0]
/usr/lib/libqt-mt.so.3(QCString::sprintf(char const*, ...)+0xce)[0x7fb919e2ff7e]
kmtrace[0x4049aa]
kmtrace[0x406579]
/lib/libc.so.6(__libc_start_main+0xe6)[0x7fb91a2dc1a6]
kmtrace(QGList::~QGList()+0x99)[0x4038c9]
The output up until then is:
http://data.plan9.de/ktrace.crash.log.lzma
Running with valgrind results in:
Looking up symbols...
Looking up symbols: 330600 found 4641 of 4641 symbols
Looking up unknown symbols...
==20690== Invalid write of size 1
==20690== at 0x4C22B38: mempcpy (mc_replace_strmem.c:677)
==20690== by 0x5AF210D: _IO_default_xsputn (genops.c:469)
==20690== by 0x5AC7879: vfprintf (vfprintf.c:1560)
==20690== by 0x5AE6DF8: vsprintf (iovsprintf.c:43)
==20690== by 0x6399F5B: QCString::sprintf(char const*, ...) (in /localvol/usr/lib/libqt-mt.so.3.3.8)
==20690== by 0x4049A9: (within /localvol/usr/bin/kmtrace)
==20690== by 0x406578: (within /localvol/usr/bin/kmtrace)
==20690== by 0x5A9E1A5: (below main) (libc-start.c:222)
==20690== Address 0xb12eff0 is 0 bytes after a block of size 256 alloc'd
==20690== at 0x4C20FEB: malloc (vg_replace_malloc.c:207)
==20690== by 0x63A5B43: QGArray::resize(unsigned, QGArray::Optimization) (in /localvol/usr/lib/libqt-mt.so.3.3.8)
==20690== by 0x63A5B5A: QGArray::resize(unsigned) (in /localvol/usr/lib/libqt-mt.so.3.3.8)
==20690== by 0x6399F9C: QCString::sprintf(char const*, ...) (in /localvol/usr/lib/libqt-mt.so.3.3.8)
==20690== by 0x4049A9: (within /localvol/usr/bin/kmtrace)
==20690== by 0x406578: (within /localvol/usr/bin/kmtrace)
==20690== by 0x5A9E1A5: (below main) (libc-start.c:222)
==20690==
==20690== Invalid write of size 1
==20690== at 0x5AF20A5: _IO_default_xsputn (genops.c:481)
==20690== by 0x5AC47A1: vfprintf (vfprintf.c:1590)
==20690== by 0x5AE6DF8: vsprintf (iovsprintf.c:43)
==20690== by 0x6399F5B: QCString::sprintf(char const*, ...) (in /localvol/usr/lib/libqt-mt.so.3.3.8)
==20690== by 0x4049A9: (within /localvol/usr/bin/kmtrace)
==20690== by 0x406578: (within /localvol/usr/bin/kmtrace)
==20690== by 0x5A9E1A5: (below main) (libc-start.c:222)
==20690== Address 0xb12f0a2 is 10 bytes inside a block of size 24 free'd
==20690== at 0x4C207FC: operator delete(void*) (vg_replace_malloc.c:342)
==20690== by 0x63A610F: QGArray::~QGArray() (in /localvol/usr/lib/libqt-mt.so.3.3.8)
==20690== by 0x4067EA: (within /localvol/usr/bin/kmtrace)
==20690== by 0x5A9E1A5: (below main) (libc-start.c:222)
==20690==
==20690== Invalid write of size 1
==20690== at 0x5AE6E07: vsprintf (iovsprintf.c:44)
==20690== by 0x6399F5B: QCString::sprintf(char const*, ...) (in /localvol/usr/lib/libqt-mt.so.3.3.8)
==20690== by 0x4049A9: (within /localvol/usr/bin/kmtrace)
==20690== by 0x406578: (within /localvol/usr/bin/kmtrace)
==20690== by 0x5A9E1A5: (below main) (libc-start.c:222)
==20690== Address 0xb12f0a3 is 11 bytes inside a block of size 24 free'd
==20690== at 0x4C207FC: operator delete(void*) (vg_replace_malloc.c:342)
==20690== by 0x63A610F: QGArray::~QGArray() (in /localvol/usr/lib/libqt-mt.so.3.3.8)
==20690== by 0x4067EA: (within /localvol/usr/bin/kmtrace)
==20690== by 0x5A9E1A5: (below main) (libc-start.c:222)
==20690==
==20690== Invalid read of size 1
==20690== at 0x4C21FA4: strlen (mc_replace_strmem.c:242)
==20690== by 0x6399F72: QCString::sprintf(char const*, ...) (in /localvol/usr/lib/libqt-mt.so.3.3.8)
==20690== by 0x4049A9: (within /localvol/usr/bin/kmtrace)
==20690== by 0x406578: (within /localvol/usr/bin/kmtrace)
==20690== by 0x5A9E1A5: (below main) (libc-start.c:222)
==20690== Address 0xb12eff0 is 0 bytes after a block of size 256 alloc'd
==20690== at 0x4C20FEB: malloc (vg_replace_malloc.c:207)
==20690== by 0x63A5B43: QGArray::resize(unsigned, QGArray::Optimization) (in /localvol/usr/lib/libqt-mt.so.3.3.8)
==20690== by 0x63A5B5A: QGArray::resize(unsigned) (in /localvol/usr/lib/libqt-mt.so.3.3.8)
==20690== by 0x6399F9C: QCString::sprintf(char const*, ...) (in /localvol/usr/lib/libqt-mt.so.3.3.8)
==20690== by 0x4049A9: (within /localvol/usr/bin/kmtrace)
==20690== by 0x406578: (within /localvol/usr/bin/kmtrace)
==20690== by 0x5A9E1A5: (below main) (libc-start.c:222)
==20690==
==20690== Conditional jump or move depends on uninitialised value(s)
==20690== at 0x4C21FA8: strlen (mc_replace_strmem.c:242)
==20690== by 0x6398CBA: qstrdup(char const*) (in /localvol/usr/lib/libqt-mt.so.3.3.8)
==20690== by 0x4049C4: (within /localvol/usr/bin/kmtrace)
==20690== by 0x406578: (within /localvol/usr/bin/kmtrace)
==20690== by 0x5A9E1A5: (below main) (libc-start.c:222)
==20690==
==20690== Conditional jump or move depends on uninitialised value(s)
==20690== at 0x4C23431: strcpy (mc_replace_strmem.c:268)
==20690== by 0x4049C4: (within /localvol/usr/bin/kmtrace)
==20690== by 0x406578: (within /localvol/usr/bin/kmtrace)
==20690== by 0x5A9E1A5: (below main) (libc-start.c:222)
--20690-- VALGRIND INTERNAL ERROR: Valgrind received a signal 11 (SIGSEGV) - exiting
--20690-- si_code=80; Faulting address: 0x0; sp: 0x402E87DF0
valgrind: the 'impossible' happened:
Killed by fatal signal
==20690== at 0x380215AD: mkFreeBlock (m_mallocfree.c:205)
==20690== by 0x38021E56: vgPlain_arena_malloc (m_mallocfree.c:1204)
==20690== by 0x38002909: vgMemCheck_new_block (mc_malloc_wrappers.c:195)
==20690== by 0x38002D43: vgMemCheck_malloc (mc_malloc_wrappers.c:226)
==20690== by 0x38033DC6: vgPlain_scheduler (scheduler.c:1269)
==20690== by 0x380448D3: run_a_thread_NORETURN (syswrap-linux.c:89)
sched status:
running_tid=1
Thread 1: status = VgTs_Runnable
==20690== at 0x4C20FEB: malloc (vg_replace_malloc.c:207)
==20690== by 0x63A5B43: QGArray::resize(unsigned, QGArray::Optimization) (in /localvol/usr/lib/libqt-mt.so.3.3.8)
==20690== by 0x63A5B5A: QGArray::resize(unsigned) (in /localvol/usr/lib/libqt-mt.so.3.3.8)
==20690== by 0x6399F9C: QCString::sprintf(char const*, ...) (in /localvol/usr/lib/libqt-mt.so.3.3.8)
==20690== by 0x4049A9: (within /localvol/usr/bin/kmtrace)
==20690== by 0x406578: (within /localvol/usr/bin/kmtrace)
==20690== by 0x5A9E1A5: (below main) (libc-start.c:222)
-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.26-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages kmtrace depends on:
ii kdelibs4c2a 4:3.5.9.dfsg.1-4 core libraries and binaries for al
ii less 394-4 Pager program similar to more
hi libc6 2.7-12 GNU C Library: Shared libraries
ii libgcc1 1:4.3.1-8 GCC support library
ii libqt3-mt 3:3.3.8b-5 Qt GUI Library (Threaded runtime v
ii libstdc++6 4.3.1-8 The GNU Standard C++ Library v3
kmtrace recommends no packages.
-- no debconf information
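The valgrind output above pins the first invalid write to vsprintf called from QCString::sprintf, landing 0 bytes past a 256-byte block that QCString::sprintf itself obtained through QGArray::resize: a formatted write with no bound that does not fit the fixed block, with the later use-after-free and uninitialised-value reports following from the corrupted heap. The C below is an added illustration of that pattern and of a measure-then-allocate alternative; it is not kmtrace or Qt code, and the trace record format, the 256-byte constant and the 300-character symbol name are constructed for the example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Size of the formatting block seen in the valgrind output
   ("block of size 256 alloc'd ... by QCString::sprintf"). */
#define FIXED_FMT_BUF 256

/* Vulnerable shape, instrumented: the output is formatted into a fixed
   256-byte heap block with no length check.  Rather than calling vsprintf
   (which would corrupt the heap exactly as in the report), this measures
   the output and returns how many bytes would have been written past the
   end of the block; 0 means the write would have stayed inside it. */
size_t overflow_bytes_fixed(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int needed = vsnprintf(NULL, 0, fmt, ap);   /* length excluding NUL */
    va_end(ap);
    if (needed < 0)
        return 0;
    size_t total = (size_t)needed + 1;           /* bytes vsprintf writes */
    return total > FIXED_FMT_BUF ? total - FIXED_FMT_BUF : 0;
}

/* Hardened replacement: measure first, allocate exactly what the output
   needs, then format with a bound.  Caller frees the result. */
char *fmt_alloc(const char *fmt, ...)
{
    va_list ap, ap2;
    va_start(ap, fmt);
    va_copy(ap2, ap);
    int needed = vsnprintf(NULL, 0, fmt, ap);
    va_end(ap);
    if (needed < 0) {
        va_end(ap2);
        return NULL;
    }
    char *out = malloc((size_t)needed + 1);
    if (out != NULL)
        vsnprintf(out, (size_t)needed + 1, fmt, ap2);
    va_end(ap2);
    return out;
}

/* Constructed stand-in for an attacker- or input-controlled field of one
   trace record: a 300-character symbol name, well beyond 256 bytes.
   Sample data, not taken from the reporter's dump.  Caller frees. */
char *long_symbol_name(void)
{
    char *s = malloc(301);
    if (s != NULL) {
        memset(s, 'A', 300);
        s[300] = '\0';
    }
    return s;
}

/* Constructed record layout: symbol, address, object name. */
static const char *const TRACE_FMT = "%s [%#lx] in %s";

int main(void)
{
    char *sym = long_symbol_name();
    if (sym == NULL)
        return 1;
    printf("fixed 256-byte block would be overrun by %zu bytes\n",
           overflow_bytes_fixed(TRACE_FMT, sym, 0x4049aaUL, "kmtrace"));
    char *line = fmt_alloc(TRACE_FMT, sym, 0x4049aaUL, "kmtrace");
    if (line != NULL) {
        printf("bounded version produced %zu bytes safely\n", strlen(line));
        free(line);
    }
    free(sym);
    return 0;
}
```

The two-pass vsnprintf is the portable way to size a formatted string; on glibc, vasprintf does the same in one call. Either removes the dependency on the longest symbol name or path the trace file happens to contain.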