Bug 183895
| Field | Value |
|---|---|
| Summary | malloc alignment increase on ppc causes problems |
| Product | [Fedora] Fedora |
| Component | glibc |
| Version | rawhide |
| Hardware | powerpc |
| OS | Linux |
| Status | CLOSED INSUFFICIENT_DATA |
| Severity | medium |
| Priority | medium |
| Reporter | David Woodhouse <dwmw2> |
| Assignee | Jakub Jelinek <jakub> |
| QA Contact | Brian Brock <bbrock> |
| CC | caillon, green, overholt, triage, tromey |
| Whiteboard | bzcl34nup |
| Doc Type | Bug Fix |
| Last Closed | 2008-05-07 00:24:49 UTC |
| Target Milestone | --- |
| Target Release | --- |
| Story Points | --- |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
Description (David Woodhouse, 2006-03-03 14:38:08 UTC)

The above failure was with glibc-2.3.91-1. If I revert to glibc-2.3.90-38 it works OK. Reassigning to glibc, since it also happened to emacs. Seems to happen in a different place each time, although it's always __libc_free() with a pointer which is only 8-byte aligned. Sometimes it even works.

```
*** glibc detected *** /usr/lib/thunderbird-1.5/thunderbird-bin: free(): invalid pointer: 0xf3a00018 ***
======= Backtrace: =========
/lib/libc.so.6[0xe6fa824]
/lib/libc.so.6(__libc_free+0xc8)[0xe6fdcc8]
/usr/lib/thunderbird-1.5/libxpcom_core.so(_ZN14nsStringBuffer7ReleaseEv+0x38)[0xfe8f8cc]
/usr/lib/thunderbird-1.5/libxpcom_core.so(_Z11ReleaseDataPvj+0x38)[0xfe91fac]
/usr/lib/thunderbird-1.5/libxpcom_core.so(_ZN11nsSubstring11SetCapacityEj+0x3c)[0xfe90010]
/usr/lib/thunderbird-1.5/libxpcom_core.so(_ZN11nsSubstring9SetLengthEj+0x2c)[0xfe900f4]
/usr/lib/thunderbird-1.5/components/libhtmlpars.so[0xcf7af20]

*** glibc detected *** /usr/lib/thunderbird-1.5/thunderbird-bin: free(): invalid pointer: 0xf580f7a8 ***
======= Backtrace: =========
/lib/libc.so.6[0xe6fa824]
/lib/libc.so.6(__libc_free+0xc8)[0xe6fdcc8]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff4a7e8]
/usr/lib/thunderbird-1.5/libmozjs.so(js_FinishCodeGenerator+0x6c)[0xff5f920]
/usr/lib/thunderbird-1.5/libmozjs.so(js_EmitTree+0x22c)[0xff61824]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff905a0]
/usr/lib/thunderbird-1.5/libmozjs.so(js_CompileTokenStream+0xfc)[0xff96548]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff4407c]
/usr/lib/thunderbird-1.5/libmozjs.so(JS_CompileUCScriptForPrincipals+0x6c)[0xff44220]

*** glibc detected *** /usr/lib/thunderbird-1.5/thunderbird-bin: free(): invalid pointer: 0xf5805c28 ***
======= Backtrace: =========
/lib/libc.so.6[0xe6fa824]
/lib/libc.so.6(__libc_free+0xc8)[0xe6fdcc8]
/usr/lib/libpng12.so.0(png_free_default+0x38)[0xf0b1988]
/usr/lib/libpng12.so.0(png_free+0x64)[0xf0b1a04]
/usr/lib/libpng12.so.0(png_zfree+0x24)[0xf097fb4]
/usr/lib/libz.so.1(inflateEnd+0x60)[0xfcfad20]
/usr/lib/libpng12.so.0(png_read_destroy+0x234)[0xf0a5e54]
/usr/lib/libpng12.so.0(png_destroy_read_struct+0x8c)[0xf0a5fdc]
/usr/lib/thunderbird-1.5/components/libimglib2.so[0xdccb5c8]
/usr/lib/thunderbird-1.5/components/libimglib2.so[0xdcc821c]
```

Hm. Now thunderbird seems to start up every time correctly. Firefox is displaying similar behaviour to the above though...

```
*** glibc detected *** /usr/lib/firefox-1.5.0.1/firefox-bin: free(): invalid pointer: 0xf6d01378 ***
======= Backtrace: =========
/lib/libc.so.6[0xe6fa824]
/lib/libc.so.6(__libc_free+0xc8)[0xe6fdcc8]
/usr/lib/firefox-1.5.0.1/libmozjs.so(JS_free+0x30)[0xff478e0]
/usr/lib/firefox-1.5.0.1/libmozjs.so[0xff9d01c]
/usr/lib/firefox-1.5.0.1/libmozjs.so(js_NewRegExp+0x180)[0xff9d1e0]
/usr/lib/firefox-1.5.0.1/libmozjs.so(js_NewRegExpObject+0x5c)[0xff9d9e8]
/usr/lib/firefox-1.5.0.1/libmozjs.so(js_GetToken+0x1c6c)[0xffa185c]
```

Here it is again, with mtrace info too...

```
@ /usr/lib/thunderbird-1.5/libmozjs.so:(JS_ArenaAllocate+0xcc)[0xff4aae4] + 0xf5810028 0x417
@ /usr/lib/thunderbird-1.5/libmozjs.so:[0xff4f440] + 0xf5af9f90 0x18
@ /usr/lib/thunderbird-1.5/libmozjs.so:(JS_ArenaAllocate+0xcc)[0xff4aae4] + 0xf5810448 0x417
@ /usr/lib/thunderbird-1.5/libmozjs.so:[0xff4f440] + 0xf5af9fb0 0x18
@ /usr/lib/thunderbird-1.5/libmozjs.so:[0xff4f440] + 0xf5af9fd0 0x18
@ /usr/lib/thunderbird-1.5/libmozjs.so:(JS_malloc+0x48)[0xff48604] + 0xf5af9430 0xea
@ /usr/lib/thunderbird-1.5/libmozjs.so:(JS_malloc+0x48)[0xff48604] + 0xf5af9520 0x34
@ /usr/lib/thunderbird-1.5/libmozjs.so:[0xff4a7e8] - 0xf5810448
*** glibc detected *** /usr/lib/thunderbird-1.5/thunderbird-bin: free(): invalid pointer: 0xf5810448 ***
======= Backtrace: =========
/lib/libc.so.6[0xe6fa824]
/lib/libc.so.6(__libc_free+0xc8)[0xe6fdcc8]
/lib/libc.so.6[0xe700438]
/lib/libc.so.6(__libc_free+0x4c)[0xe6fdc4c]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff4a7e8]
/usr/lib/thunderbird-1.5/libmozjs.so(js_EmitTree+0x274)[0xff6186c]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff905a0]
/usr/lib/thunderbird-1.5/libmozjs.so(js_CompileTokenStream+0xfc)[0xff96548]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff4407c]
/usr/lib/thunderbird-1.5/libmozjs.so(JS_CompileUCScriptForPrincipals+0x6c)[0xff44220]
```

Full mtrace output at http://david.woodhou.se/thunderbird.mtrace.gz

```
egrep '\+ 0x[0-9a-f]*[1-9a-f] ' thunderbird.mtrace
@ /usr/lib/thunderbird-1.5/libmozjs.so:(js_alloc_table_space+0x28)[0xff4f4c0] + 0xf5800018 0x10000
@ /usr/lib/thunderbird-1.5/libmozjs.so:(JS_ArenaAllocate+0xcc)[0xff4aae4] + 0xf5810028 0x417
@ /usr/lib/thunderbird-1.5/libmozjs.so:(JS_ArenaAllocate+0xcc)[0xff4aae4] + 0xf5810448 0x417
```

How did you manage to get that mtrace output? When I call mtrace () from break main, it always winds up deadlocking on dladdr in mtrace hooks vs dlopen calling malloc. Did you work around that somehow? Or is that output just what a run of yours produced before it deadlocked? The runs I've tried have no suspicious bits in the trace by the time they deadlock.

If that trace is complete, it shows a stray free (run it through /usr/bin/mtrace). Now I wonder whether that is an artifact of a partial trace (allocated before you started mtrace?) or if it is truly a stray free. If it is a stray free of the middle of a block or the middle of a free chunk, perhaps that is just confusing everything.

I think easiest would be probably to instrument malloc.c (stick `if (!aligned_OK (retptr)) malloc_printerr (check_action, "mallocret1", retptr);` and similar to various places where malloc/realloc/calloc/valloc/memalign return pointers). But I'll be away most of the day today, so won't be able to do that.

I just called mtrace() after setting a breakpoint in main(). It deadlocked the first time, worked the second -- ran all the way to its conclusion in abort().

```
(gdb) run
The program being debugged has been started already.
Start it from the beginning? (y or n) y
warning: cannot close "shared object read from target memory": Invalid operation
Starting program: /usr/lib/thunderbird-1.5/thunderbird-bin
Reading symbols from shared object read from target memory...done.
Loaded system supplied DSO at 0x100000
[Thread debugging using libthread_db enabled]
[New Thread -134807024 (LWP 30574)]
[Switching to Thread -134807024 (LWP 30574)]

Breakpoint 1, main (argc=1, argv=0xffbf49f4) at nsMailApp.cpp:62
62        return XRE_main(argc, argv, &kAppData);
(gdb) p mtrace()
$2 = 0
(gdb) c
Continuing.
[New Thread -137014048 (LWP 30582)]
[New Thread -147909408 (LWP 30583)]
Detaching after fork from child process 30586.
[New Thread -162147104 (LWP 30588)]
*** glibc detected *** /usr/lib/thunderbird-1.5/thunderbird-bin: free(): invalid pointer: 0xf5810448 ***
======= Backtrace: =========
/lib/libc.so.6[0xe6fa824]
/lib/libc.so.6(__libc_free+0xc8)[0xe6fdcc8]
/lib/libc.so.6[0xe700438]
/lib/libc.so.6(__libc_free+0x4c)[0xe6fdc4c]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff4a7e8]
/usr/lib/thunderbird-1.5/libmozjs.so(js_EmitTree+0x274)[0xff6186c]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff905a0]
/usr/lib/thunderbird-1.5/libmozjs.so(js_CompileTokenStream+0xfc)[0xff96548]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff4407c]
/usr/lib/thunderbird-1.5/libmozjs.so(JS_CompileUCScriptForPrincipals+0x6c)[0xff44220]
```

*** Bug 184056 has been marked as a duplicate of this bug. ***

Created attachment 125673 [details]
glibc-rh183895.patch

Patch that ought to fix the problem I reproduced myself.

I can reproduce it with a simple test case:

```c
#include <stdlib.h>

int main(void)
{
    int i;
    void *p;

    /* Request every size in turn until the instrumented glibc
     * reports a misaligned pointer coming back from malloc. */
    i = 0;
    while (++i)
        p = malloc(i);
}
```

```
$ ./asd
*** glibc detected *** ./asd: sysmalloc #2 returning misaligned pointer: 0x0fd30008 ***
```

glibc-2.4-1 in rawhide has the malloc alignment changes backed out, but we should reconsider this for glibc 2.4.1 and after FC5 is out.

*** Bug 183894 has been marked as a duplicate of this bug. ***

Based on the date this bug was created, it appears to have been reported against rawhide during the development of a Fedora release that is no longer maintained. In order to refocus our efforts as a project we are flagging all of the open bugs for releases which are no longer maintained. If this bug remains in NEEDINFO thirty (30) days from now, we will automatically close it. If you can reproduce this bug in a maintained Fedora version (7, 8, or rawhide), please change this bug to the respective version and change the status to ASSIGNED. (If you're unable to change the bug's version or status, add a comment to the bug and someone will change it for you.) Thanks for your help, and we apologize again that we haven't handled these issues to this point. The process we're following is outlined here: http://fedoraproject.org/wiki/BugZappers/F9CleanUp We will be following the process here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping to ensure this doesn't happen again.

This bug has been in NEEDINFO for more than 30 days since feedback was first requested. As a result we are closing it. If you can reproduce this bug in the future against a maintained Fedora version please feel free to reopen it against that version. The process we're following is outlined here: http://fedoraproject.org/wiki/BugZappers/F9CleanUp
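The two diagnostic steps discussed in this bug, checking that malloc's returns satisfy the alignment test (the aligned_OK instrumentation suggested for malloc.c) and grepping an mtrace log for misaligned allocations and stray frees, can be done offline in a small program. The following is an added example written for this page; it is not part of the bug report, the attached patch, or glibc. The trace lines in SAMPLE_TRACE are constructed in mtrace's record format (same shape as the report's lines, addresses chosen to exercise both checks), and the alignment to enforce is passed in explicitly, since the bug is precisely about that value changing from 8 to 16 on ppc.

```c
/* Added example: user-space counterpart of the malloc.c aligned_OK check,
 * plus an offline scan of mtrace-format records.  Not glibc code. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_LIVE 256   /* live allocations tracked while scanning a trace */

struct trace_report {
    int allocs;       /* "+" records seen */
    int misaligned;   /* allocations whose address violates the alignment */
    int stray_frees;  /* "-" records for an address never seen allocated */
};

/* Same test as malloc.c's aligned_OK(): low bits below `alignment` are zero. */
static int aligned_ok(uintptr_t p, size_t alignment)
{
    return (p & (uintptr_t)(alignment - 1)) == 0;
}

/* Allocate every size 1..max_size and count returns that break `alignment`.
 * A correct allocator yields 0; a misaligned return is the bug's symptom. */
int count_misaligned_mallocs(size_t max_size, size_t alignment)
{
    int bad = 0;
    for (size_t n = 1; n <= max_size; n++) {
        void *p = malloc(n);
        if (p == NULL)
            break;
        if (!aligned_ok((uintptr_t)p, alignment))
            bad++;
        free(p);
    }
    return bad;
}

/* Parse one mtrace record: "@ <caller> + 0xADDR 0xSIZE" or "@ <caller> - 0xADDR".
 * Lines that are not records (e.g. "= Start") return 0.  The " + 0x" search
 * with surrounding spaces does not match the "+0xcc" symbol offsets. */
static int parse_record(const char *line, char *op, uintptr_t *addr)
{
    const char *p = strstr(line, " + 0x");
    if (p == NULL)
        p = strstr(line, " - 0x");
    if (p == NULL)
        return 0;
    *op = p[1];
    *addr = (uintptr_t)strtoull(p + 3, NULL, 16);
    return 1;
}

/* Scan trace lines: flag misaligned "+" addresses and "-" records that free
 * an address with no preceding "+" (a stray free, as the discussion suspects). */
struct trace_report check_trace(const char *const *lines, size_t n, size_t alignment)
{
    struct trace_report r = {0, 0, 0};
    uintptr_t live[MAX_LIVE];
    size_t nlive = 0;

    for (size_t i = 0; i < n; i++) {
        char op;
        uintptr_t addr;
        if (!parse_record(lines[i], &op, &addr))
            continue;
        if (op == '+') {
            r.allocs++;
            if (!aligned_ok(addr, alignment))
                r.misaligned++;
            if (nlive < MAX_LIVE)
                live[nlive++] = addr;
        } else {
            size_t j = 0;
            while (j < nlive && live[j] != addr)
                j++;
            if (j == nlive)
                r.stray_frees++;          /* freed something never allocated */
            else
                live[j] = live[--nlive];  /* retire the matching allocation */
        }
    }
    return r;
}

/* Constructed sample in mtrace format (not from the real thunderbird.mtrace). */
static const char *const SAMPLE_TRACE[] = {
    "= Start",
    "@ /usr/lib/thunderbird-1.5/libmozjs.so:(JS_ArenaAllocate+0xcc)[0xff4aae4] + 0xf5810028 0x417",
    "@ /usr/lib/thunderbird-1.5/libmozjs.so:[0xff4f440] + 0xf5af9f90 0x18",
    "@ /usr/lib/thunderbird-1.5/libmozjs.so:[0xff4f440] - 0xf5af9f90",
    "@ /usr/lib/thunderbird-1.5/libmozjs.so:[0xff4a7e8] - 0xf5810448",
};
#define SAMPLE_TRACE_LEN (sizeof SAMPLE_TRACE / sizeof SAMPLE_TRACE[0])

int main(void)
{
    struct trace_report r = check_trace(SAMPLE_TRACE, SAMPLE_TRACE_LEN, 16);
    printf("allocs=%d misaligned(16)=%d stray_frees=%d\n",
           r.allocs, r.misaligned, r.stray_frees);
    printf("misaligned malloc returns on this host: %d\n",
           count_misaligned_mallocs(4096, 2 * sizeof(size_t)));
    return 0;
}
```

With the sample, the 16-byte check flags 0xf5810028 (low nibble 8) and the free of 0xf5810448 as a stray; rerunning check_trace with alignment 8 flags nothing, which is the distinction at the heart of this bug. On a real log, feed the lines from the mtrace file instead of SAMPLE_TRACE.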