Bug 183895

Summary: malloc alignment increase on ppc causes problems
Product: [Fedora] Fedora
Reporter: David Woodhouse <dwmw2>
Component: glibc
Assignee: Jakub Jelinek <jakub>
Status: CLOSED INSUFFICIENT_DATA
QA Contact: Brian Brock <bbrock>
Severity: medium
Priority: medium
Version: rawhide
CC: caillon, green, overholt, triage, tromey
Hardware: powerpc
OS: Linux
Whiteboard: bzcl34nup
Doc Type: Bug Fix
Last Closed: 2008-05-07 00:24:49 UTC

Attachments:
glibc-rh183895.patch (flags: none)

Description David Woodhouse 2006-03-03 14:38:08 UTC
Clean rawhide-20060302 install, thunderbird-1.5-3

*** glibc detected *** /usr/lib/thunderbird-1.5/thunderbird-bin: free(): invalid pointer: 0xf7000018 ***
======= Backtrace: =========
/lib/libc.so.6[0xf079824]
/lib/libc.so.6(__libc_free+0xc8)[0xf07ccc8]
/usr/lib/thunderbird-1.5/libmozjs.so(JS_free+0x30)[0xff478f0]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff9cdcc]
/usr/lib/thunderbird-1.5/libmozjs.so(js_NewRegExp+0x180)[0xff9cf7c]
/usr/lib/thunderbird-1.5/libmozjs.so(js_NewRegExpObject+0x5c)[0xff9d784]
/usr/lib/thunderbird-1.5/libmozjs.so(js_GetToken+0x1c50)[0xffa15c0]
/usr/lib/thunderbird-1.5/libmozjs.so(js_MatchToken+0x2c)[0xffa19dc]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff92d24]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff9201c]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff922a4]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff9238c]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff92454]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff92524]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff925e0]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff926d4]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff92780]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff9281c]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff928b8]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff929ac]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff92a6c]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff92d48]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff9201c]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff922a4]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff9238c]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff92454]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff92524]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff925e0]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff926d4]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff92780]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff9281c]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff928b8]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff929ac]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff92a6c]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff94770]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff95cc4]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff904c0]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff956cc]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff904c0]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff90718]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff90d64]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff910e4]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff91c00]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff922a4]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff9238c]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff92454]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff92524]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff925e0]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff926d4]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff92780]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff9281c]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff928b8]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff929ac]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff92a6c]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff91514]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff91c00]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff922a4]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff9238c]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff92454]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff92524]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff925e0]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff926d4]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff92780]
======= Memory map: ========
00100000-00103000 r-xp 00100000 00:00 0
0bbfa000-0bc44000 r-xp 00000000 08:05 1733354 /usr/lib/thunderbird-1.5/components/libi18n.so
0bc44000-0bc54000 ---p 0004a000 08:05 1733354 /usr/lib/thunderbird-1.5/components/libi18n.so
0bc54000-0bc57000 rw-p 0004a000 08:05 1733354 /usr/lib/thunderbird-1.5/components/libi18n.so
0bc67000-0c350000 r-xp 00000000 08:05 1733352 /usr/lib/thunderbird-1.5/components/libgklayout.so
0c350000-0c35f000 ---p 006e9000 08:05 1733352 /usr/lib/thunderbird-1.5/components/libgklayout.so
0c35f000-0c3bc000 rw-p 006e8000 08:05 1733352 /usr/lib/thunderbird-1.5/components/libgklayout.so
0c3bc000-0c3c3000 rw-p 0c3bc000 00:00 0
0c3d3000-0c41e000 r-xp 00000000 08:05 1733362 /usr/lib/thunderbird-1.5/components/libmork.so
0c41e000-0c42d000 ---p 0004b000 08:05 1733362 /usr/lib/thunderbird-1.5/components/libmork.so
0c42d000-0c430000 rw-p 0004a000 08:05 1733362 /usr/lib/thunderbird-1.5/components/libmork.so
0c440000-0c489000 r-xp 00000000 08:05 1733350 /usr/lib/thunderbird-1.5/components/libgfx_gtk.so
0c489000-0c498000 ---p 00049000 08:05 1733350 /usr/lib/thunderbird-1.5/components/libgfx_gtk.so
0c498000-0c49b000 rw-p 00048000 08:05 1733350 /usr/lib/thunderbird-1.5/components/libgfx_gtk.so
0c4ab000-0c4ad000 r-xp 00000000 08:05 1733363 /usr/lib/thunderbird-1.5/components/libmozfind.so
0c4ad000-0c4bc000 ---p 00002000 08:05 1733363 /usr/lib/thunderbird-1.5/components/libmozfind.so
0c4bc000-0c4bd000 rw-p 00001000 08:05 1733363 /usr/lib/thunderbird-1.5/components/libmozfind.so
0c4cd000-0c4f8000 r-xp 00000000 08:05 1733339 /usr/lib/thunderbird-1.5/components/libappcomps.so
0c4f8000-0c507000 ---p 0002b000 08:05 1733339 /usr/lib/thunderbird-1.5/components/libappcomps.so
0c507000-0c509000 rw-p 0002a000 08:05 1733339 /usr/lib/thunderbird-1.5/components/libappcomps.so
0c519000-0c523000 r-xp 00000000 08:05 1733389

Comment 1 David Woodhouse 2006-03-03 14:59:25 UTC
The above failure was with glibc-2.3.91-1. If I revert to glibc-2.3.90-38 it
works OK. Reassigning to glibc, since it also happened to emacs.

Comment 2 David Woodhouse 2006-03-03 21:02:52 UTC
Seems to happen in a different place each time, although it's always
__libc_free() with a pointer which is only 8-byte aligned. Sometimes it even works.

*** glibc detected *** /usr/lib/thunderbird-1.5/thunderbird-bin: free(): invalid pointer: 0xf3a00018 ***
======= Backtrace: =========
/lib/libc.so.6[0xe6fa824]
/lib/libc.so.6(__libc_free+0xc8)[0xe6fdcc8]
/usr/lib/thunderbird-1.5/libxpcom_core.so(_ZN14nsStringBuffer7ReleaseEv+0x38)[0xfe8f8cc]
/usr/lib/thunderbird-1.5/libxpcom_core.so(_Z11ReleaseDataPvj+0x38)[0xfe91fac]
/usr/lib/thunderbird-1.5/libxpcom_core.so(_ZN11nsSubstring11SetCapacityEj+0x3c)[0xfe90010]
/usr/lib/thunderbird-1.5/libxpcom_core.so(_ZN11nsSubstring9SetLengthEj+0x2c)[0xfe900f4]
/usr/lib/thunderbird-1.5/components/libhtmlpars.so[0xcf7af20]


*** glibc detected *** /usr/lib/thunderbird-1.5/thunderbird-bin: free(): invalid pointer: 0xf580f7a8 ***
======= Backtrace: =========
/lib/libc.so.6[0xe6fa824]
/lib/libc.so.6(__libc_free+0xc8)[0xe6fdcc8]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff4a7e8]
/usr/lib/thunderbird-1.5/libmozjs.so(js_FinishCodeGenerator+0x6c)[0xff5f920]
/usr/lib/thunderbird-1.5/libmozjs.so(js_EmitTree+0x22c)[0xff61824]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff905a0]
/usr/lib/thunderbird-1.5/libmozjs.so(js_CompileTokenStream+0xfc)[0xff96548]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff4407c]
/usr/lib/thunderbird-1.5/libmozjs.so(JS_CompileUCScriptForPrincipals+0x6c)[0xff44220]


*** glibc detected *** /usr/lib/thunderbird-1.5/thunderbird-bin: free(): invalid pointer: 0xf5805c28 ***
======= Backtrace: =========
/lib/libc.so.6[0xe6fa824]
/lib/libc.so.6(__libc_free+0xc8)[0xe6fdcc8]
/usr/lib/libpng12.so.0(png_free_default+0x38)[0xf0b1988]
/usr/lib/libpng12.so.0(png_free+0x64)[0xf0b1a04]
/usr/lib/libpng12.so.0(png_zfree+0x24)[0xf097fb4]
/usr/lib/libz.so.1(inflateEnd+0x60)[0xfcfad20]
/usr/lib/libpng12.so.0(png_read_destroy+0x234)[0xf0a5e54]
/usr/lib/libpng12.so.0(png_destroy_read_struct+0x8c)[0xf0a5fdc]
/usr/lib/thunderbird-1.5/components/libimglib2.so[0xdccb5c8]
/usr/lib/thunderbird-1.5/components/libimglib2.so[0xdcc821c]


Comment 3 David Woodhouse 2006-03-03 21:16:27 UTC
Hm. Now thunderbird seems to start up every time correctly. Firefox is
displaying similar behaviour to the above though...

*** glibc detected *** /usr/lib/firefox-1.5.0.1/firefox-bin: free(): invalid pointer: 0xf6d01378 ***
======= Backtrace: =========
/lib/libc.so.6[0xe6fa824]
/lib/libc.so.6(__libc_free+0xc8)[0xe6fdcc8]
/usr/lib/firefox-1.5.0.1/libmozjs.so(JS_free+0x30)[0xff478e0]
/usr/lib/firefox-1.5.0.1/libmozjs.so[0xff9d01c]
/usr/lib/firefox-1.5.0.1/libmozjs.so(js_NewRegExp+0x180)[0xff9d1e0]
/usr/lib/firefox-1.5.0.1/libmozjs.so(js_NewRegExpObject+0x5c)[0xff9d9e8]
/usr/lib/firefox-1.5.0.1/libmozjs.so(js_GetToken+0x1c6c)[0xffa185c]


Comment 4 David Woodhouse 2006-03-03 21:38:35 UTC
Here it is again, with mtrace info too...

@ /usr/lib/thunderbird-1.5/libmozjs.so:(JS_ArenaAllocate+0xcc)[0xff4aae4] + 0xf5810028 0x417
@ /usr/lib/thunderbird-1.5/libmozjs.so:[0xff4f440] + 0xf5af9f90 0x18
@ /usr/lib/thunderbird-1.5/libmozjs.so:(JS_ArenaAllocate+0xcc)[0xff4aae4] + 0xf5810448 0x417
@ /usr/lib/thunderbird-1.5/libmozjs.so:[0xff4f440] + 0xf5af9fb0 0x18
@ /usr/lib/thunderbird-1.5/libmozjs.so:[0xff4f440] + 0xf5af9fd0 0x18
@ /usr/lib/thunderbird-1.5/libmozjs.so:(JS_malloc+0x48)[0xff48604] + 0xf5af9430 0xea
@ /usr/lib/thunderbird-1.5/libmozjs.so:(JS_malloc+0x48)[0xff48604] + 0xf5af9520 0x34
@ /usr/lib/thunderbird-1.5/libmozjs.so:[0xff4a7e8] - 0xf5810448


*** glibc detected *** /usr/lib/thunderbird-1.5/thunderbird-bin: free(): invalid pointer: 0xf5810448 ***
======= Backtrace: =========
/lib/libc.so.6[0xe6fa824]
/lib/libc.so.6(__libc_free+0xc8)[0xe6fdcc8]
/lib/libc.so.6[0xe700438]
/lib/libc.so.6(__libc_free+0x4c)[0xe6fdc4c]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff4a7e8]
/usr/lib/thunderbird-1.5/libmozjs.so(js_EmitTree+0x274)[0xff6186c]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff905a0]
/usr/lib/thunderbird-1.5/libmozjs.so(js_CompileTokenStream+0xfc)[0xff96548]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff4407c]
/usr/lib/thunderbird-1.5/libmozjs.so(JS_CompileUCScriptForPrincipals+0x6c)[0xff44220]


Comment 5 David Woodhouse 2006-03-03 21:46:01 UTC
Full mtrace output at http://david.woodhou.se/thunderbird.mtrace.gz

$ egrep '\+ 0x[0-9a-f]*[1-9a-f] ' thunderbird.mtrace
@ /usr/lib/thunderbird-1.5/libmozjs.so:(js_alloc_table_space+0x28)[0xff4f4c0] + 0xf5800018 0x10000
@ /usr/lib/thunderbird-1.5/libmozjs.so:(JS_ArenaAllocate+0xcc)[0xff4aae4] + 0xf5810028 0x417
@ /usr/lib/thunderbird-1.5/libmozjs.so:(JS_ArenaAllocate+0xcc)[0xff4aae4] + 0xf5810448 0x417


Comment 6 Roland McGrath 2006-03-04 04:05:12 UTC
How did you manage to get that mtrace output?
When I call mtrace () from break main, it always winds up deadlocking on dladdr
in mtrace hooks vs dlopen calling malloc.  Did you work around that somehow?
Or is that output just what a run of yours produced before it deadlocked?
The runs I've tried have no suspicious bits in the trace by the time they deadlock.

If that trace is complete, it shows a stray free (run it through /usr/bin/mtrace).
Now I wonder whether that is an artifact of a partial trace (allocated before
you started mtrace?) or if it is truly a stray free.  If it is a stray free of
the middle of a block or the middle of a free chunk, perhaps that is just
confusing everything.


Comment 7 Jakub Jelinek 2006-03-04 06:54:53 UTC
I think the easiest would probably be to instrument malloc.c (stick
    if (!aligned_OK (retptr))
      malloc_printerr (check_action, "mallocret1", retptr);
and similar into the various places where malloc/realloc/calloc/valloc/memalign
return pointers). But I'll be away most of the day today, so won't be able to do
that.

Comment 8 David Woodhouse 2006-03-04 07:30:30 UTC
I just called mtrace() after setting a breakpoint in main(). It deadlocked the
first time, worked the second -- ran all the way to its conclusion in abort().

(gdb) run
The program being debugged has been started already.
Start it from the beginning? (y or n) y
warning: cannot close "shared object read from target memory": Invalid operation
Starting program: /usr/lib/thunderbird-1.5/thunderbird-bin
Reading symbols from shared object read from target memory...done.
Loaded system supplied DSO at 0x100000
[Thread debugging using libthread_db enabled]
[New Thread -134807024 (LWP 30574)]
[Switching to Thread -134807024 (LWP 30574)]

Breakpoint 1, main (argc=1, argv=0xffbf49f4) at nsMailApp.cpp:62
62        return XRE_main(argc, argv, &kAppData);
(gdb) p mtrace()
$2 = 0
(gdb) c
Continuing.
[New Thread -137014048 (LWP 30582)]
[New Thread -147909408 (LWP 30583)]
Detaching after fork from child process 30586.
[New Thread -162147104 (LWP 30588)]
*** glibc detected *** /usr/lib/thunderbird-1.5/thunderbird-bin: free(): invalid pointer: 0xf5810448 ***
======= Backtrace: =========
/lib/libc.so.6[0xe6fa824]
/lib/libc.so.6(__libc_free+0xc8)[0xe6fdcc8]
/lib/libc.so.6[0xe700438]
/lib/libc.so.6(__libc_free+0x4c)[0xe6fdc4c]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff4a7e8]
/usr/lib/thunderbird-1.5/libmozjs.so(js_EmitTree+0x274)[0xff6186c]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff905a0]
/usr/lib/thunderbird-1.5/libmozjs.so(js_CompileTokenStream+0xfc)[0xff96548]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff4407c]
/usr/lib/thunderbird-1.5/libmozjs.so(JS_CompileUCScriptForPrincipals+0x6c)[0xff44220]


Comment 9 Jakub Jelinek 2006-03-05 16:39:48 UTC
*** Bug 184056 has been marked as a duplicate of this bug. ***

Comment 11 Jakub Jelinek 2006-03-05 16:48:40 UTC
Created attachment 125673 [details]
glibc-rh183895.patch

Patch that ought to fix the problem I reproduced myself.

Comment 12 David Woodhouse 2006-03-06 12:11:53 UTC
I can reproduce it with a simple test case:

#include <stdlib.h>

int main(void) {
    int i; void *p;
    i = 0;
    while (++i)          /* request every size from 1 upwards until glibc complains */
        p = malloc(i);
    (void)p;
}

$ ./asd
*** glibc detected *** ./asd: sysmalloc #2 returning misaligned pointer: 0x0fd30008 ***

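Comment 7 proposes checking every pointer the allocator hands back against aligned_OK() inside malloc.c, and comment 12 triggers the failure from outside with a loop over request sizes. The program below is an added example for this page, not the glibc patch attached to this bug and not the reporter's test case: it does the same alignment check from user space, over malloc, calloc and realloc, and reports the first failing request size in the spirit of glibc's "returning misaligned pointer" message. The alignment is a parameter; main() uses 2*sizeof(size_t), which is the value glibc's MALLOC_ALIGNMENT defaults to (an assumption about the host allocator), and 16 is what this bug's glibc expected on ppc, since comment 2 shows free() rejecting pointers that were only 8-byte aligned.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

struct align_report {
    size_t checked;      /* pointers examined */
    size_t misaligned;   /* pointers that failed the alignment test */
    size_t first_size;   /* request size that produced the first failure, 0 if none */
};

/* Same test as glibc's aligned_OK() macro: the bits below the alignment must be clear. */
int aligned_ok(const void *p, size_t align)
{
    return ((uintptr_t)p & (uintptr_t)(align - 1)) == 0;
}

static void note(struct align_report *r, const void *p, size_t align, size_t req)
{
    r->checked++;
    if (!aligned_ok(p, align)) {
        r->misaligned++;
        if (r->first_size == 0)
            r->first_size = req;
    }
}

/* Push request sizes 1..max_size through malloc, calloc and realloc and check
 * every returned pointer. Blocks are freed as we go so the heap stays bounded,
 * unlike the loop in comment 12, which runs until glibc aborts. */
struct align_report check_allocator_alignment(size_t max_size, size_t align)
{
    struct align_report r = {0, 0, 0};
    for (size_t req = 1; req <= max_size; req++) {
        void *p = malloc(req);
        void *q = calloc(1, req);
        if (!p || !q) {
            free(p);
            free(q);
            break;
        }
        note(&r, p, align, req);
        note(&r, q, align, req);

        /* grow through realloc: exercises the in-place and copy paths too */
        void *p2 = realloc(p, req * 3 + 1);
        if (!p2) {
            free(p);
            free(q);
            break;
        }
        note(&r, p2, align, req * 3 + 1);
        free(p2);
        free(q);
    }
    return r;
}

int main(void)
{
    size_t align = 2 * sizeof(size_t);   /* glibc's default MALLOC_ALIGNMENT (assumption) */
    struct align_report r = check_allocator_alignment(4096, align);
    if (r.misaligned)
        printf("*** %zu of %zu pointers not %zu-byte aligned (first at request size %zu) ***\n",
               r.misaligned, r.checked, align, r.first_size);
    else
        printf("all %zu pointers %zu-byte aligned\n", r.checked, align);
    return r.misaligned != 0;
}
```

Run it against the allocator under suspicion (LD_PRELOAD a candidate libc, or link statically against it) and pass the alignment the ABI promises; a non-zero exit means the allocator is breaking the contract that free()'s own alignment check, the one firing in every backtrace above, relies on.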

Comment 14 Jakub Jelinek 2006-03-07 08:49:11 UTC
glibc-2.4-1 in rawhide has the malloc alignment changes backed out,
but we should reconsider this for glibc 2.4.1 and after FC5 is out.

Comment 15 Ulrich Drepper 2006-05-08 01:31:38 UTC
*** Bug 183894 has been marked as a duplicate of this bug. ***

Comment 16 Bug Zapper 2008-04-03 17:04:00 UTC
Based on the date this bug was created, it appears to have been reported
against rawhide during the development of a Fedora release that is no
longer maintained. In order to refocus our efforts as a project we are
flagging all of the open bugs for releases which are no longer
maintained. If this bug remains in NEEDINFO thirty (30) days from now,
we will automatically close it.

If you can reproduce this bug in a maintained Fedora version (7, 8, or
rawhide), please change this bug to the respective version and change
the status to ASSIGNED. (If you're unable to change the bug's version
or status, add a comment to the bug and someone will change it for you.)

Thanks for your help, and we apologize again that we haven't handled
these issues to this point.

The process we're following is outlined here:
http://fedoraproject.org/wiki/BugZappers/F9CleanUp

We will be following the process here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping to ensure this
doesn't happen again.

Comment 17 Bug Zapper 2008-05-07 00:24:48 UTC
This bug has been in NEEDINFO for more than 30 days since feedback was
first requested. As a result we are closing it.

If you can reproduce this bug in the future against a maintained Fedora
version please feel free to reopen it against that version.

The process we're following is outlined here:
http://fedoraproject.org/wiki/BugZappers/F9CleanUp