Bug 508350

Summary: malloc_printerr calls into malloc and then crashes again
Product: [Fedora] Fedora
Reporter: Nicholas Miell <nmiell>
Component: glibc
Assignee: Andreas Schwab <schwab>
Status: CLOSED WONTFIX
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: 13
CC: drjohnson1, fweimer, jakub, pmuller, schwab
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2011-06-27 14:15:46 UTC
Bug Blocks: 516995

Description Nicholas Miell 2009-06-26 17:09:28 UTC
frame 21 -- malloc_printerr() gets called due to arena corruption
frame 19 -- __libc_message() calls backtrace()
frame 6 -- rtld calls calloc(), and then things blow up even more

#0  pthread_once () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_once.S:85
#1  0x000000388bef3b74 in *__GI___backtrace (array=<value optimized out>, size=32) at ../sysdeps/ia64/backtrace.c:79
#2  0x00000000004e89b6 in xorg_backtrace () at backtrace.c:39
#3  0x000000000047d63f in xf86SigHandler (signo=11) at xf86Events.c:385
#4  <signal handler called>
#5  _int_malloc (av=0x388c169e80, bytes=1174) at malloc.c:4629
#6  0x000000388be79ef8 in __libc_calloc (n=<value optimized out>, elem_size=<value optimized out>) at malloc.c:4041
#7  0x000000388ba0b2af in _dl_new_object (realname=0x1e030a0 "/lib64/libgcc_s.so.1", libname=<value optimized out>, type=<value optimized out>, 
    loader=0x0, mode=<value optimized out>, nsid=0) at dl-object.c:52
#8  0x000000388ba064bc in _dl_map_object_from_fd (name=<value optimized out>, fd=<value optimized out>, fbp=0x7fff3328a9b0, 
    realname=<value optimized out>, loader=0x0, l_type=2, mode=<value optimized out>, stack_endp=0x7fff3328acf8, nsid=0) at dl-load.c:966
#9  0x000000388ba088d2 in _dl_map_object (loader=0x0, name=0x388bf318fa "libgcc_s.so.1", preloaded=<value optimized out>, type=<value optimized out>, 
    trace_mode=<value optimized out>, mode=-1879048191, nsid=0) at dl-load.c:2235
#10 0x000000388ba130a9 in dl_open_worker (a=<value optimized out>) at dl-open.c:289
#11 0x000000388ba0e706 in _dl_catch_error (objname=<value optimized out>, errstring=<value optimized out>, mallocedp=<value optimized out>, 
    operate=<value optimized out>, args=<value optimized out>) at dl-error.c:178
#12 0x000000388ba12a27 in _dl_open (file=0x388bf318fa "libgcc_s.so.1", mode=-2147483647, caller_dlopen=0x0, nsid=-2, argc=8, argv=0x2, env=0x7fff3328c110)
    at dl-open.c:615
#13 0x000000388bf1b010 in do_dlopen (ptr=0x7fff3328b110) at dl-libc.c:86
#14 0x000000388ba0e706 in _dl_catch_error (objname=<value optimized out>, errstring=<value optimized out>, mallocedp=<value optimized out>, 
    operate=<value optimized out>, args=<value optimized out>) at dl-error.c:178
#15 0x000000388bf1b177 in dlerror_run (args=<value optimized out>, operate=<value optimized out>) at dl-libc.c:47
#16 *__GI___libc_dlopen_mode (args=<value optimized out>, operate=<value optimized out>) at dl-libc.c:160
#17 0x000000388bef3a75 in init () at ../sysdeps/ia64/backtrace.c:41
#18 0x000000388ca0c4f3 in pthread_once () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_once.S:94
#19 0x000000388bef3b74 in *__GI___backtrace (array=<value optimized out>, size=64) at ../sysdeps/ia64/backtrace.c:79
#20 0x000000388be70071 in __libc_message (do_abort=2, fmt=0x388bf35bd0 "*** glibc detected *** %s: %s: 0x%s ***\n")
    at ../sysdeps/unix/sysv/linux/libc_fatal.c:150
#21 0x000000388be75a26 in malloc_printerr (action=3, str=0x388bf35d48 "double free or corruption (!prev)", ptr=<value optimized out>) at malloc.c:6196
#22 0x00007ff92e57a70d in RADEONCSReleaseIndirect (pScrn=<value optimized out>) at radeon_accel.c:743
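
An added example (not part of the original report, and not glibc or X.Org code) of how an application-level crash handler can avoid the path in frames 6 to 19: backtrace(3) documents that libgcc is loaded on first use, which can call malloc, so the handler forces that load at startup and refuses re-entry. The function names `crash_report_init`, `crash_report_dump` and `install_crash_handler` are hypothetical.

```c
#define _GNU_SOURCE
#include <execinfo.h>
#include <signal.h>
#include <string.h>
#include <unistd.h>

#define MAX_FRAMES 64

static volatile sig_atomic_t in_dump;   /* re-entrancy guard */
static int unwinder_ready;              /* set once libgcc_s is loaded */

/* Call at startup, while the heap is intact: the first backtrace() call is
 * the one that loads libgcc_s and may allocate (see backtrace(3)). */
int crash_report_init(void)
{
    void *warm[4];
    unwinder_ready = backtrace(warm, 4) > 0;
    return unwinder_ready;
}

/* Write the current stack to fd. Returns the frame count, or -1 if the
 * unwinder was never pre-loaded or a dump is already in progress. */
int crash_report_dump(int fd)
{
    static void *frames[MAX_FRAMES];    /* static buffer, nothing allocated */
    int n;

    if (!unwinder_ready || in_dump)
        return -1;
    in_dump = 1;
    n = backtrace(frames, MAX_FRAMES);
    backtrace_symbols_fd(frames, n, fd); /* writes to fd, no malloc */
    in_dump = 0;
    return n;
}

static void on_fatal(int signo)
{
    crash_report_dump(STDERR_FILENO);
    raise(signo);  /* delivered on return; SA_RESETHAND restored the default */
}

int install_crash_handler(void)
{
    struct sigaction sa;

    if (!crash_report_init())
        return -1;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fatal;
    sa.sa_flags = SA_RESETHAND;
    sigemptyset(&sa.sa_mask);
    return sigaction(SIGSEGV, &sa, NULL);
}
```
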

Comment 1 Bug Zapper 2010-04-27 15:16:42 UTC
This message is a reminder that Fedora 11 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 11.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '11'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 11's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 11 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 2 d. johnson 2010-06-30 18:42:40 UTC
What version did you get this crash from?  Is it repeatable?  If so, how?

Comment 3 Nicholas Miell 2010-06-30 18:52:44 UTC
I got it from whatever version was current at the time. It was fairly repeatable, but I don't remember how or which program was involved.

Figuring out if the bug is still present shouldn't be too hard -- does the malloc error path still try to malloc memory?

Comment 4 d. johnson 2010-06-30 20:18:35 UTC
A new glibc package was released between the time you originally submitted this bug report and now.

Additionally, you reported it happening in F11, but now the bug report says F13.

It would help troubleshooting to know how you reproduced this problem.

Comment 5 Bug Zapper 2011-06-02 17:59:00 UTC
This message is a reminder that Fedora 13 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 13.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '13'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 13's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 13 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 6 Bug Zapper 2011-06-27 14:15:46 UTC
Fedora 13 changed to end-of-life (EOL) status on 2011-06-25. Fedora 13 is 
no longer maintained, which means that it will not receive any further 
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of 
Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.