Bug 790299

Summary: elinks crashes on URI redirection
Product: [Fedora] Fedora Reporter: Amit Shah <amit.shah>
Component: elinksAssignee: Kamil Dudka <kdudka>
Status: CLOSED INSUFFICIENT_DATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 16CC: kdudka, ovasik
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Unspecified   
Whiteboard: abrt_hash:d86302bf0393bb978e2b574961175f98cb98e3a0
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-04-11 13:49:08 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Attachments:
Description Flags
File: maps
none
File: backtrace none

Description Amit Shah 2012-02-14 06:55:06 UTC 
libreport version: 2.0.8
abrt_version:   2.0.7
backtrace_rating: 4
cmdline:        links http://www.espncricinfo.com/netstorage/518957.html
crash_function: __GI_raise
executable:     /usr/bin/elinks
kernel:         3.2.2-1.fc16.x86_64
pid:            11179
pwd:            /home/amit/src/rh/6/rhel6
reason:         Process /usr/bin/elinks was killed by signal 6 (SIGABRT)
time:           Wed 08 Feb 2012 04:03:20 PM IST
uid:            1000
username:       amit
var_log_messages: Feb  8 16:03:20 amit abrt[15046]: Saved core dump of pid 11179 (/usr/bin/elinks) to /var/spool/abrt/ccpp-2012-02-08-16:03:20-11179 (23011328 bytes)

backtrace:      Text file, 13450 bytes
maps:           Text file, 14695 bytes

dso_list:
:/lib64/libm-2.14.90.so glibc-2.14.90-24.fc16.4.x86_64 (Fedora Project) 1325910602
:/lib64/libbz2.so.1.0.6 bzip2-libs-1.0.6-3.fc15.x86_64 (Fedora Project) 1324533103
:/usr/lib64/libnssutil3.so nss-util-3.13.1-3.fc16.x86_64 (Fedora Project) 1325052896
:/usr/lib64/libgpm.so.2.1.0 gpm-libs-1.20.6-21.fc16.x86_64 (Fedora Project) 1328242495
:/lib64/libkeyutils.so.1.4 keyutils-libs-1.5.2-1.fc16.x86_64 (Fedora Project) 1324533108
:/lib64/libfreebl3.so nss-softokn-freebl-3.13.1-15.fc16.x86_64 (Fedora Project) 1326379291
:/lib64/libresolv-2.14.90.so glibc-2.14.90-24.fc16.4.x86_64 (Fedora Project) 1325910602
:/lib64/libgssapi_krb5.so.2.2 krb5-libs-1.9.2-4.fc16.x86_64 (Fedora Project) 1324533109
:/usr/lib64/libnssdbm3.so nss-softokn-3.13.1-15.fc16.x86_64 (Fedora Project) 1326379291
:/usr/lib64/libssl3.so nss-3.13.1-10.fc16.x86_64 (Fedora Project) 1326379291
:/lib64/libnspr4.so nspr-4.8.9-2.fc16.x86_64 (Fedora Project) 1324533102
:/usr/lib64/libpcsclite.so.1.0.0 pcsc-lite-libs-1.7.4-6.fc16.x86_64 (Fedora Project) 1324533146
:/lib64/libpthread-2.14.90.so glibc-2.14.90-24.fc16.4.x86_64 (Fedora Project) 1325910602
:/lib64/libexpat.so.1.5.2 expat-2.0.1-11.fc15.x86_64 (Fedora Project) 1324533103
:/usr/lib64/libnss3.so nss-3.13.1-10.fc16.x86_64 (Fedora Project) 1326379291
:/usr/lib64/libmozjs185.so.1.0.0 js-1:1.8.5-7.fc16.x86_64 (Fedora Project) 1324533123
:/lib64/libz.so.1.2.5 zlib-1.2.5-6.fc16.x86_64 (Fedora Project) 1326866830
:/usr/lib64/libsmime3.so nss-3.13.1-10.fc16.x86_64 (Fedora Project) 1326379291
:/lib64/libkrb5.so.3.3 krb5-libs-1.9.2-4.fc16.x86_64 (Fedora Project) 1324533109
:/lib64/libgcc_s-4.6.2-20111027.so.1 libgcc-4.6.2-1.fc16.x86_64 (Fedora Project) 1324533081
:/usr/lib64/libsqlite3.so.0.8.6 sqlite-3.7.7.1-1.fc16.x86_64 (Fedora Project) 1324533103
:/lib64/libplds4.so nspr-4.8.9-2.fc16.x86_64 (Fedora Project) 1324533102
:/lib64/libdl-2.14.90.so glibc-2.14.90-24.fc16.4.x86_64 (Fedora Project) 1325910602
:/lib64/libkrb5support.so.0.1 krb5-libs-1.9.2-4.fc16.x86_64 (Fedora Project) 1324533109
:/lib64/libc-2.14.90.so glibc-2.14.90-24.fc16.4.x86_64 (Fedora Project) 1325910602
:/usr/lib64/libnsspem.so nss-3.13.1-10.fc16.x86_64 (Fedora Project) 1326379291
:/usr/lib64/libnss_compat_ossl.so.0.0.0 nss_compat_ossl-0.9.6-2.fc15.x86_64 (Fedora Project) 1324533157
:/usr/lib64/libckyapplet.so.1.0.0 coolkey-1.1.0-19.fc15.x86_64 (Fedora Project) 1324533527
:/lib64/libidn.so.11.6.5 libidn-1.22-3.fc16.x86_64 (Fedora Project) 1324533109
:/lib64/libplc4.so nspr-4.8.9-2.fc16.x86_64 (Fedora Project) 1324533102
:/lib64/ld-2.14.90.so glibc-2.14.90-24.fc16.4.x86_64 (Fedora Project) 1325910602
:/usr/bin/elinks elinks-0.12-0.26.pre5.fc16.x86_64 (Fedora Project) 1324533562
:/lib64/libk5crypto.so.3.1 krb5-libs-1.9.2-4.fc16.x86_64 (Fedora Project) 1324533109
:/usr/lib64/libstdc++.so.6.0.16 libstdc++-4.6.2-1.fc16.x86_64 (Fedora Project) 1324533102
:/usr/lib/locale/locale-archive glibc-common-2.14.90-24.fc16.4.x86_64 (Fedora Project) 1325910608
:/usr/lib64/libsoftokn3.so nss-softokn-3.13.1-15.fc16.x86_64 (Fedora Project) 1326379291
:/lib64/libcom_err.so.2.1 libcom_err-1.41.14-2.fc15.x86_64 (Fedora Project) 1324533102
:/usr/lib64/pkcs11/libcoolkeypk11.so coolkey-1.1.0-19.fc15.x86_64 (Fedora Project) 1324533527
:/lib64/libselinux.so.1 libselinux-2.1.6-5.fc16.x86_64 (Fedora Project) 1324533101

environ:
:GIT_PS1_SHOWDIRTYSTATE=true
:XDG_VTNR=1
:XDG_SESSION_ID=2
:HOSTNAME=amit.redhat.com
:IMSETTINGS_INTEGRATE_DESKTOP=yes
:GPG_AGENT_INFO=/tmp/keyring-lKGRLK/gpg:0:1
:TERM=xterm
:SHELL=/bin/bash
:HISTSIZE=1000
:XDG_SESSION_COOKIE=e97f28546269cc03026af5ff0000000e-1328243715.568880-938201045
:WINDOWID=37748741
:GNOME_KEYRING_CONTROL=/tmp/keyring-lKGRLK
:IMSETTINGS_MODULE=none
:USER=amit
:LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=01;05;37;41:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.dz=01;31:*.gz=01;31:*.lz=01;31:*.xz=01;31:*.bz2=01;31:*.tbz=01;31:*.tbz2=01;31:*.bz=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.war=01;31:*.ear=01;31:*.sar=01;31:*.rar=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.jpg=01;35:*.jpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.axv=01;35:*.anx=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=01;36:*.au=01;36:*.flac=01;36:*.mid=01;36:*.midi=01;36:*.mka=01;36:*.mp3=01;36:*.mpc=01;36:*.ogg=01;36:*.ra=01;36:*.wav=01;36:*.axa=01;36:*.oga=01;36:*.spx=01;36:*.xspf=01;36:*.pdf=00;33:*.ps=00;33:*.ps.gz=00;33:*.txt=00;33:*.patch=00;33:*.diff=00;33:*.log=00;33:*.tex=00;33:*.xls=00;33:*.xlsx=00;33:*.ppt=00;33:*.pptx=00;33:*.rtf=00;33:*.doc=00;33:*.docx=00;33:*.odt=00;33:*.ods=00;33:*.odp=00;33:*.xml=00;33:*.epub=00;33:*.abw=00;33:*.html=00;33:*.wpd=00;33:
:SSH_AUTH_SOCK=/tmp/keyring-lKGRLK/ssh
:SESSION_MANAGER=local/unix:@/tmp/.ICE-unix/2759,unix/unix:/tmp/.ICE-unix/2759
:USERNAME=amit
:PATH=/usr/lib64/ccache:/usr/lib64/ccache:/usr/lib64/ccache:/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin:/home/amit/.local/bin:/home/amit/bin
:MAIL=/var/spool/mail/amit
:DESKTOP_SESSION=gnome
:QT_IM_MODULE=xim
:PWD=/home/amit/src/rh/6/rhel6
:XMODIFIERS=@im=none
:GNOME_KEYRING_PID=2746
:LANG=en_US.utf8
:GDM_LANG=en_US.utf8
:'PS1=\\[\\033[01;34m\\][\\t]\\[\\033[00m\\] \\[\\033[00;36m\\]\\u@\\h\\[\\033[00m\\]:\\[\\033[01;34m\\] \\w\\[\\033[00m\\]$(__git_ps1 \" (%s)\")\\$ '
:BREW_FLAGS=--arch-override=x86_64
:GIT_PS1_SHOWUNTRACKEDFILES=true
:GDMSESSION=gnome
:HISTCONTROL=ignoredups
:MALLOC_PERTURB_=154
:HOME=/home/amit
:XDG_SEAT=seat0
:SHLVL=2
:GNOME_DESKTOP_SESSION_ID=this-is-deprecated
:LOGNAME=amit
:DBUS_SESSION_BUS_ADDRESS=unix:abstract=/tmp/dbus-qoNR2kV7lr,guid=ce4694cbb1327a1dfbd13b5000000018
:'LESSOPEN=||/usr/bin/lesspipe.sh %s'
:WINDOWPATH=1
:XDG_RUNTIME_DIR=/run/user/amit
:DISPLAY=:0
:CCACHE_HASHDIR=
:COLORTERM=gnome-terminal
:XAUTHORITY=/var/run/gdm/auth-for-amit-ggYkYm/database
:_=/usr/bin/links
:OLDPWD=/home/amit/src/notmuch
Comment 1 Amit Shah 2012-02-14 06:55:13 UTC 
Created attachment 561773 [details]
File: maps
Comment 2 Amit Shah 2012-02-14 06:55:17 UTC 
Created attachment 561774 [details]
File: backtrace
Comment 3 Kamil Dudka 2012-02-14 13:52:12 UTC 
Comment on attachment 561774 [details]
File: backtrace

>#5  0x000000000047f295 in compare_uri (a=0x9a9a9a9a9a9a9a9a, b=0x272f320, components=<optimized out>) at uri.c:470

compare_uri() seems to be called with an invalid pointer.  0x9a9a9a9a9a9a9a9a looks like a poisoning constant.

>#6  0x00000000004a3b17 in do_redirect (cached=0x277f4d0, download_p=<synthetic pointer>, ses=0x272f3d0) at task.c:414

cached->uri must hold the value 0x9a9a9a9a9a9a9a9a at this level.

>#7  do_move (download_p=<synthetic pointer>, ses=0x272f3d0) at task.c:482

(*download_p)->cached->uri must hold the value 0x9a9a9a9a9a9a9a9a at this level.

So far I have no idea why the above is happening.  Could you please provide more details on how to reproduce the issue?
Comment 4 Amit Shah 2012-02-14 15:11:42 UTC 
I was using mobile broadband when this happened: so the signal comes and goes.  This happened once when the signal was bad, no network activity could happen, but NM had kept the connection ON.  Just a few moments after this crash, NM marked the connection as dropped, so I'm guessing it was already dropped for a while, and elinks barfed on that?
Comment 5 Kamil Dudka 2012-03-02 14:57:20 UTC 
Did you use a proxy?
Comment 6 Amit Shah 2012-03-02 18:38:17 UTC 
Nope, no proxy.
Comment 7 Kamil Dudka 2012-03-05 13:07:08 UTC 
Really no idea where the value 0x9a9a9a9a9a9a9a9a originates from.  There must have been some uncaught memory corruption.

The explicit poisoning constants are:

#define _MAGIC 0x950412de
#define _MAGIC_SWAPPED 0xde120495
#define LISTMAGIC1 ((void *) 0xdadababa)
#define LISTMAGIC2 ((void *) 0xd0d0b0b0)
#define LISTMAGIC3 ((void *) 0x25254545)
#define AH_SANITY_MAGIC 0xD3BA110C
#define AH_FREE_MAGIC 0xD3BF110C
#define HASH_MAGIC 0xdeadbeef
#define STRING_MAGIC 0x2E5BF271

... but most of them seem to be used only in debug build anyway.

Unless we get a reliable reproducer, it is unlikely to move this bug forward.
Comment 8 Amit Shah 2012-03-05 18:25:35 UTC 
I have this in my env:

export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))

which is a great way to catch malloc-related bugs.  Hope that helps a bit :)
Comment 9 Kamil Dudka 2012-04-11 13:49:08 UTC 
(In reply to comment #8)
> I have this in my env:
> 
> export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
> 
> which is a great way to catch malloc-related bugs.  Hope that helps a bit :)

Thanks.  This means elinks likely operates on already freed data, maybe a cache entry has been invalidated meanwhile.  Unfortunately, I do not know the elinks internal data structures enough to consider all possibilities.  This bug could be hardly investigated by reading the backtrace only.  Please reopen the bug if you find a reliable way to trigger the crash.