Bug 88056
Summary: | double free() from iofclose() on libio/tst-fopenloc | ||
---|---|---|---|
Product: | [Retired] Red Hat Linux | Reporter: | John Reiser <jreiser> |
Component: | glibc | Assignee: | Jakub Jelinek <jakub> |
Status: | CLOSED ERRATA | QA Contact: | Brian Brock <bbrock> |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | 9 | CC: | fweimer, wtogami |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | i686 | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2003-04-09 19:21:38 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
An errata has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2003-136.html |
From Bugzilla Helper: User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.0) Gecko/20020529 Description of problem: A malloc()ed block is free()d twice when running the testcase libio/tst-fopenloc. Version-Release number of selected component (if applicable): glibc-2.3.2-11.9 How reproducible: Always Steps to Reproduce: 1.Run testcase libio/tst-fopenloc with breakpoints at __gconv_release_cache, __gconv_release_step, and __gconv_lookup_cache+289 (just after the call to malloc() at line 360). 2. At each breakpoint, print $eax, which contains the pointer of interest. 3. Actual Results: Note that the first block allocated [the call to malloc() in __gconv_lookup_cache] is freed once from __gconv_release_cache and once from __gconv_release_step. Expected Results: No block is referenced after it is free()d. Additional info: Here is the error report from a commercial tool. valgrind ought to report similarly. [gconv_db.c:199] (Thread 0) **READ_DANGLING** >> if (--step->__counter == 0) Reading from a dangling pointer. Pointer : 0x0804ae98 In block: 0x0804ae90 thru 0x0804af07 (120 bytes) block allocated at gconv_cache.c, 360 __gconv_lookup_cache() gconv_cache.c, 360 __gconv_find_transform() gconv_db.c, 689 __wcsmbs_getfct() wcsmbsload.c, 92 __wcsmbs_named_conv() wcsmbsload.c, 244 _IO_new_file_fopen() fileops.c, 53 __fopen_internal() iofopen.c, 92 _IO_new_fopen() iofopen.c, 106 main() tst-fopenloc.c, 42 stack trace where memory was freed: __gconv_release_cache() gconv_cache.c, 447 _IO_new_file_fopen() fileops.c, 403 __fopen_internal() iofopen.c, 92 _IO_new_fopen() iofopen.c, 106 main() tst-fopenloc.c, 42 Stack trace where the error occurred: __gconv_release_step() gconv_db.c, 199 _IO_new_fclose() iofclose.c, 76 main() tst-fopenloc.c, 59