
Bug#947279: apt SIGABRT's with `malloc(): unsorted double linked list corrupted`



Package: apt
Version: 1.9.4

I experienced an unexpected SIGABRT signal being raised with apt(1). I
saw the following:

   $ sudo apt install trousers
   Reading package lists... Done
   Building dependency tree       
   Reading state information... Done
   The following NEW packages will be installed:
     trousers
   0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
   Need to get 119 kB of archives.
   After this operation, 369 kB of additional disk space will be used.
   Get:1 http://ca.archive.ubuntu.com/ubuntu eoan/universe amd64 trousers amd64 0.3.14+fixed1-1build1 [119 kB]
   Fetched 119 kB in 0s (257 kB/s)  
   malloc(): unsorted double linked list corrupted
   Aborted

This appears to be a very difficult bug to reproduce. It only appeared
once, with the second invocation succeeding without issue.

Fortunately apport managed to preserve the core dump. After unpacking
it with apport-unpack and loading the core dump with gdb, the full
stack trace is as follows:

   #0  __GI_raise (sig=sig@entry=6) at
   ../sysdeps/unix/sysv/linux/raise.c:50
           set = {__val = {0, 16383, 9223372036854775808, 16383,
   9223372036854775808, 16384, 0, 0, 
               18446742974197923840, 65280, 18446744073709551615,
   18446744073709551615, 
               8317666021292143937, 110386773516660,
   4629771061636907072, 4629771061636907072}}
           pid = <optimized out>
           tid = <optimized out>
           ret = <optimized out>
   #1  0x00007fd1dde66899 in __GI_abort () at abort.c:79
           save_stage = 1
           act = {__sigaction_handler = {sa_handler = 0x0, sa_sigaction
   = 0x0}, sa_mask = {__val = {
                 0 <repeats 16 times>}}, sa_flags = 0, sa_restorer =
   0x0}
           sigs = {__val = {32, 0 <repeats 15 times>}}
   #2  0x00007fd1dded138e in __libc_message (action=action@entry=do_abort, 
       fmt=fmt@entry=0x7fd1ddffa3a5 "%s\n") at ../sysdeps/posix/libc_fatal.c:181
           ap = {{gp_offset = 24, fp_offset = 32764, overflow_arg_area
   = 0x7ffc2ecb2010, 
               reg_save_area = 0x7ffc2ecb1fa0}}
           fd = 2
           list = <optimized out>
           nlist = <optimized out>
           cp = <optimized out>
           written = <optimized out>
   #3  0x00007fd1dded94dc in malloc_printerr (
       str=str@entry=0x7fd1ddffc508 "malloc(): unsorted double linked
   list corrupted") at malloc.c:5332
   No locals.
   #4  0x00007fd1ddedc4bc in _int_malloc (av=av@entry=0x7fd1de02bb80
   <main_arena>, bytes=bytes@entry=26)
       at malloc.c:3744
           next = <optimized out>
           iters = <optimized out>
           nb = <optimized out>
           idx = 3
           bin = <optimized out>
           victim = <optimized out>
           size = <optimized out>
           victim_index = <optimized out>
           remainder = <optimized out>
           remainder_size = <optimized out>
           block = <optimized out>
           bit = <optimized out>
           map = <optimized out>
           fwd = <optimized out>
           bck = <optimized out>
           tcache_unsorted_count = 0
           tcache_nb = 48
           tc_idx = 1
           return_cached = <optimized out>
           __PRETTY_FUNCTION__ = "_int_malloc"
   #5  0x00007fd1ddede304 in __GI___libc_malloc (bytes=bytes@entry=26)
   at malloc.c:3058
           ar_ptr = <optimized out>
           victim = <optimized out>
           hook = <optimized out>
           tbytes = <optimized out>
           tc_idx = <optimized out>
           __PRETTY_FUNCTION__ = "__libc_malloc"
   #6  0x00007fd1de0f71d9 in operator new (sz=26) at
   ../../../../src/libstdc++-v3/libsupc++/new_op.cc:50
           p = <optimized out>
   #7  0x00007fd1de2ca4bd in void std::__cxx11::basic_string<char,
   std::char_traits<char>, std::allocator<char>
   >::_M_construct<char*>(char*, char*, std::forward_iterator_tag) ()
      from /lib/x86_64-linux-gnu/libapt-pkg.so.5.90
   No symbol table info available.
   #8  0x00007fd1de3a58a3 in
   pkgCache::PkgIterator::FullName[abi:cxx11](bool const&) const ()
   from /lib/x86_64-linux-gnu/libapt-pkg.so.5.90
   No symbol table info available.
   #9  0x00007fd1de378e86 in pkgDepCache::writeStateFile(OpProgress*,
   bool) () from /lib/x86_64-linux-gnu/libapt-pkg.so.5.90
   No symbol table info available.
   #10 0x00007fd1de369980 in
   pkgDPkgPM::Go(APT::Progress::PackageManager*) () from
   /lib/x86_64-linux-gnu/libapt-pkg.so.5.90
   No symbol table info available.
   #11 0x00007fd1de39d9f0 in
   pkgPackageManager::DoInstallPostFork(APT::Progress::PackageManager*)
   () from /lib/x86_64-linux-gnu/libapt-pkg.so.5.90
   No symbol table info available.
   #12 0x00007fd1de44433f in InstallPackages(CacheFile&, bool, bool,
   bool) () from /lib/x86_64-linux-gnu/libapt-private.so.0.0
   No symbol table info available.
   #13 0x00007fd1de44a2bc in DoInstall(CommandLine&) () from
   /lib/x86_64-linux-gnu/libapt-private.so.0.0
   No symbol table info available.
   #14 0x00007fd1de306aaf in
   CommandLine::DispatchArg(CommandLine::Dispatch const*, bool) () from
   /lib/x86_64-linux-gnu/libapt-pkg.so.5.90
   No symbol table info available.
   #15 0x00007fd1de4397d7 in DispatchCommandLine(CommandLine&,
   std::vector<CommandLine::Dispatch,
   std::allocator<CommandLine::Dispatch> > const&) () from
   /lib/x86_64-linux-gnu/libapt-private.so.0.0
   No symbol table info available.
   #16 0x0000557faf17e3ea in ?? ()
   No symbol table info available.
   #17 0x00007fd1dde681e3 in __libc_start_main (main=0x557faf17e320,
   argc=3, argv=0x7ffc2ecb3718, init=<optimized out>, fini=<optimized
   out>, rtld_fini=<optimized out>, stack_end=0x7ffc2ecb3708) at
   ../csu/libc-start.c:308
           self = <optimized out>
           result = <optimized out>
           unwind_buf = {cancel_jmp_buf = {{jmp_buf = {0,
   3588779076796669643, 94006886786240, 140721093555984, 0, 0,
   7262868277543689931, 7246575941430795979}, mask_was_saved = 0}},
   priv = {pad = {0x0, 0x0, 0x7ffc2ecb3738, 0x7fd1de4fa190}, data =
   {prev = 0x0, cleanup = 0x0, canceltype = 785069880}}}
           not_first_call = <optimized out>
   #18 0x0000557faf17e4ee in ?? ()
   No symbol table info available.

It is apparent that a lot of information has been optimized out by the
compiler. But based on the signatures in #8 and #9, I'm guessing this
may have something to do with saving the state file.

I am using Ubuntu Eoan (19.10) on amd64 with kernel 5.3.0-24-lowlatency 
#26-Ubuntu and libc6 2.30-0ubuntu2.

Yours truly,

-- 
Kip Warner -- Senior Software Engineer
OpenPGP signed/encrypted mail preferred
https://www.thevertigo.com
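
A triage helper for a backtrace like the one in this report, added here as an example and not part of the original message or of apt: it re-joins mail-wrapped gdb frames, extracts the glibc integrity check that fired, and names the first frame outside the C/C++ runtime. That frame is only the caller whose allocation tripped the check, because malloc validates its bins on a later allocation and not at the write that damaged the heap. `parse_frames` and `triage` are hypothetical names, and the input is assumed to be frames without their locals.

```python
import re

# Excerpt of the report's backtrace: locals dropped, mail line-wrapping kept.
SAMPLE_BT = """\
#3  0x00007fd1dded94dc in malloc_printerr (
    str=str@entry=0x7fd1ddffc508 "malloc(): unsorted double linked
list corrupted") at malloc.c:5332
#4  0x00007fd1ddedc4bc in _int_malloc (av=av@entry=0x7fd1de02bb80
<main_arena>, bytes=bytes@entry=26)
    at malloc.c:3744
#8  0x00007fd1de3a58a3 in
pkgCache::PkgIterator::FullName[abi:cxx11](bool const&) const ()
from /lib/x86_64-linux-gnu/libapt-pkg.so.5.90
#9  0x00007fd1de378e86 in pkgDepCache::writeStateFile(OpProgress*,
bool) () from /lib/x86_64-linux-gnu/libapt-pkg.so.5.90
"""

FRAME = re.compile(r"^#(\d+)\s+(?:0x[0-9a-f]+ in )?(.+?) \(")
# Frames that belong to the C/C++ runtime, not to the crashing program.
RUNTIME = re.compile(r"^(?:__GI_)?(?:raise|abort|__libc_\w+|malloc_printerr|"
                     r"_int_(?:malloc|free)|operator (?:new|delete))\b")

def parse_frames(text):
    """Re-join wrapped lines, then split each frame into number/function/origin."""
    joined = []
    for line in text.splitlines():
        if re.match(r"\s*#\d+\s", line):
            joined.append(line.strip())          # a new frame starts here
        elif joined and line.strip():
            joined[-1] += " " + line.strip()     # continuation of a wrapped frame
    frames = []
    for raw in joined:
        m = FRAME.match(raw)
        origin = re.search(r"(?:from|at) (\S+)$", raw)  # shared object or file:line
        if m:
            frames.append({"n": int(m.group(1)), "func": m.group(2), "raw": raw,
                           "origin": origin.group(1) if origin else None})
    return frames

def triage(text):
    """Return (glibc check that fired, first frame outside the runtime)."""
    frames = parse_frames(text)
    check = next((re.search(r'"([^"]+)"', f["raw"]).group(1)
                  for f in frames if f["func"] == "malloc_printerr"), None)
    caller = next((f for f in frames if not RUNTIME.match(f["func"])), None)
    return check, caller

if __name__ == "__main__":
    check, caller = triage(SAMPLE_BT)
    print("%s | tripped by #%d %s" % (check, caller["n"], caller["func"]))
```

Locating the write that damaged the heap usually means re-running the failing command under a memory checker such as valgrind, which reports at the offending access.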
