kernel 2.6.13-1.1552 using inotify evidently
gamin 0.1.6 from pkgcvs devel

Here's the backtrace from where the subscription gets freed twice. Path to get here is to launch gedit, hit open dialog. gamin gets a SIGPIPE, frees the current subscription when it tears down the listener initially. Next, it frees another subscription. Then it tries to double-free this one:

Breakpoint 1, gam_subscription_free (sub=0x936c8c8) at gam_subscription.c:100
100     if (sub == NULL)
(gdb) bt
#0  gam_subscription_free (sub=0x936c8c8) at gam_subscription.c:100
#1  0x0804cf2f in gam_poll_basic_remove_subscription (sub=0x936c8c8) at gam_poll_basic.c:223
#2  0x0804b7a8 in gam_poll_remove_subscription (sub=0x936c8c8) at gam_server.c:487
#3  0x0804b40d in gam_remove_subscription (sub=0x936c8c8) at gam_server.c:253
#4  0x0804fecf in gam_connection_request (conn=0x936e0e8, req=0x936e11f) at gam_connection.c:388
#5  0x08050243 in gam_connection_data (conn=0x936e0e8, len=2805) at gam_connection.c:491
#6  0x0804ed48 in gam_client_conn_read (source=0x936c438, condition=G_IO_IN, info=0x936e0e8) at gam_channel.c:283
#7  0x00d71b7c in g_vasprintf () from /usr/lib/libglib-2.0.so.0
#8  0x00d4a9ee in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#9  0x00d4da06 in g_main_context_check () from /usr/lib/libglib-2.0.so.0
#10 0x00d4dcf3 in g_main_loop_run () from /usr/lib/libglib-2.0.so.0
#11 0x0804bacf in main (argc=1, argv=0xbfcf48c4) at gam_server.c:584
#12 0x00ad14ff in __libc_start_main (main=0x804b8d0 <main>, argc=1, ubp_av=0xbfcf48c4, init=0x805798c <__libc_csu_init>, fini=0x80579e8 <__libc_csu_fini>, rtld_fini=0xaacc9d <_dl_fini>, stack_end=0xbfcf48bc) at ../sysdeps/generic/libc-start.c:231
#13 0x0804a5ad in _start ()
(gdb) c
Continuing.

Breakpoint 1, gam_subscription_free (sub=0x936c8c8) at gam_subscription.c:100
100     if (sub == NULL)
(gdb) bt
#0  gam_subscription_free (sub=0x936c8c8) at gam_subscription.c:100
#1  0x0804fee6 in gam_connection_request (conn=0x936e0e8, req=0x936e11f) at gam_connection.c:391
#2  0x08050243 in gam_connection_data (conn=0x936e0e8, len=2805) at gam_connection.c:491
#3  0x0804ed48 in gam_client_conn_read (source=0x936c438, condition=G_IO_IN, info=0x936e0e8) at gam_channel.c:283
#4  0x00d71b7c in g_vasprintf () from /usr/lib/libglib-2.0.so.0
#5  0x00d4a9ee in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#6  0x00d4da06 in g_main_context_check () from /usr/lib/libglib-2.0.so.0
#7  0x00d4dcf3 in g_main_loop_run () from /usr/lib/libglib-2.0.so.0
#8  0x0804bacf in main (argc=1, argv=0xbfcf48c4) at gam_server.c:584
#9  0x00ad14ff in __libc_start_main (main=0x804b8d0 <main>, argc=1, ubp_av=0xbfcf48c4, init=0x805798c <__libc_csu_init>, fini=0x80579e8 <__libc_csu_fini>, rtld_fini=0xaacc9d <_dl_fini>, stack_end=0xbfcf48bc) at ../sysdeps/generic/libc-start.c:231
#10 0x0804a5ad in _start ()
(gdb)

So it appears that the subscription is getting freed by gam_remove_subscription() first, then next explicitly by gam_connection_request().

So, here's the problem. In gam_connection.c, in gam_connection_request(), there is this code:

    gam_listener_remove_subscription(conn->listener, sub);
    gam_remove_subscription(sub);
    #ifdef ENABLE_INOTIFY
    if (gam_inotify_is_running())
        gam_subscription_free(sub);
    #endif

However, in the inotify case, gam_remove_subscription() in gam_server.c already has removed and freed the subscription:

    if (gam_exclude_check (path)) {
    #if ENABLE_INOTIFY
        if (gam_inotify_is_running())
            return gam_poll_remove_subscription (sub);
        else
    #endif

gam_poll_remove_subscription() calls gam_poll_basic_remove_subscription(), which calls gam_subscription_free() before it returns.
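
The ownership problem described in the report above, reduced to a toy model. This is an added example, not gamin code and not the fix that went into CVS; every name in it is hypothetical, the exclude prefixes are copied from the "use POLL on" entries in the dump later in this thread, and a counter stands in for free() so the second release can be observed safely.

```c
#include <stdbool.h>
#include <string.h>

/* Toy subscription (hypothetical names, not gamin's). free_calls counts
 * releases so a second one is observable without really calling free(). */
struct toy_sub { const char *path; int free_calls; };

static void sub_free(struct toy_sub *s) { if (s) s->free_calls++; }

/* Constructed exclude list mirroring the "use POLL on" entries in the thread. */
static bool path_excluded(const char *p) {
    static const char *const pre[] = { "/media/", "/mnt/", "/dev/", "/proc/" };
    for (size_t i = 0; i < sizeof pre / sizeof pre[0]; i++)
        if (strncmp(p, pre[i], strlen(pre[i])) == 0)
            return true;
    return false;
}

/* Poll backend: removing a subscription also releases it. */
static void poll_remove(struct toy_sub *s) { sub_free(s); }

/* Returns true when the callee consumed (freed) the subscription. */
static bool remove_sub(struct toy_sub *s, bool inotify_running) {
    if (path_excluded(s->path) && inotify_running) {
        poll_remove(s);
        return true;
    }
    return false;               /* not modelled further: caller still owns s */
}

/* Shape of the reported bug: caller frees no matter what the callee did. */
static int cancel_buggy(struct toy_sub *s, bool inotify_running) {
    remove_sub(s, inotify_running);
    if (inotify_running)
        sub_free(s);
    return s->free_calls;
}

/* One possible repair: free only if ownership was not transferred. */
static int cancel_fixed(struct toy_sub *s, bool inotify_running) {
    if (!remove_sub(s, inotify_running) && inotify_running)
        sub_free(s);
    return s->free_calls;
}

int main(void) {
    struct toy_sub a = { "/mnt/qafiler/doc.txt", 0 }, b = a;
    return !(cancel_buggy(&a, true) == 2 && cancel_fixed(&b, true) == 1);
}
```

Only a path under an excluded prefix reaches the second release, so a test suite that watches ordinary directories never exercises it.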
*** Bug 168792 has been marked as a duplicate of this bug. ***
Thanks for the excellent bug report, I hope I understood why this happened :-)

I assume this is due to the (not so common) fact that you have a .gaminrc or monitoring something in a default excluded path ("/media/*", "/mnt/*" or based on a ~/.gaminrc), in that case yes a double free could occur because gam_exclude_check (path) returned true and that's why it did not show up in the regression tests.

Could you try gamin-0.1.6-2 in CVS or rawhide (soonish), I think it should nail it down but I would prefer a bit of real feedback before tempting a new release,

thanks,

Daniel
Dumping exclude list
Exclude: use POLL on /media/*
Exclude: use POLL on /mnt/*
Exclude: use POLL on /dev/*
Exclude: use POLL on /proc/*
Dumping mounted file systems
binfmt_misc filesystem mounted at /proc/sys/fs/binfmt_misc
rpc_pipefs filesystem mounted at /var/lib/nfs/rpc_pipefs
iso9660 filesystem mounted at /media/cdrecorder
nfs filesystem mounted at /mnt/qafiler
nfs filesystem mounted at /home/boston
nfs filesystem mounted at /mnt/redhat
tmpfs filesystem mounted at /dev/shm
devpts filesystem mounted at /dev/pts
autofs filesystem mounted at /misc
ext3 filesystem mounted at /work
ext3 filesystem mounted at /boot
proc filesystem mounted at /proc
autofs filesystem mounted at /net
sysfs filesystem mounted at /sys
ext3 filesystem mounted at /
Dumping file system properties
fstype nfs monitor poll poll timeout 5
fstype novfs monitor poll poll timeout 30
fstype reiserfs monitor kernel poll timeout 0
fstype reiser4 monitor kernel poll timeout 0
fstype ext2 monitor kernel poll timeout 0
fstype ext3 monitor kernel poll timeout 0
No active connections
Inotify device fd = 3
Dumping inotify subscriptions
No poll missing resources
No poll busy resources
No poll all resources
Exiting on timeout
*Un*patched 0.1.6 generates lots of the following errors:

Sep 18 12:10:28 mother gam_server: *** glibc detected *** double free or corruption (fasttop): 0x0806ed98 ***
Sep 18 12:10:30 mother gam_server: *** glibc detected *** double free or corruption (fasttop): 0x0806ed98 ***
Sep 18 12:10:11 mother gam_server: *** glibc detected *** double free or corruption (out): 0x08071e50 ***
Sep 18 12:10:24 mother gam_server: *** glibc detected *** double free or corruption (out): 0x08063f70 ***
Sep 18 22:08:54 mother gam_server: *** glibc detected *** double free or corruption (!prev): 0x08068000 ***
Sep 18 22:09:48 mother gam_server: *** glibc detected *** double free or corruption (!prev): 0x08068000 ***

Patched with fix in CVS is silent. System is Slackware 10.2, BTW.
w.r.t. #4

    fstype nfs monitor poll poll timeout 5

this isn't a default configuration, this means you added some local conf file stating this. I reproduced the problem with it and updated the fix for it. Could you try gamin-0.1.6-3 ? The fix is also in GNOME CVS,

Daniel
Where would that config file be? I don't have ~/.gaminrc or an /etc/gaminrc or anything like that...
http://www.gnome.org/~veillard/gamin/config.html

/etc/gamin/...

Maybe I'm wrong and there is a default rule ... Try to add

    fsset nfs kernel

in ~/.gaminrc and see if the problem still shows up with gamin-0.1.6-2 then also try with gamin-0.1.6-3 after that :-)

Daniel
Dan, any chance you could try a build from GNOME gamin CVS checkout. Your problem may be fixed there, see http://bugzilla.gnome.org/show_bug.cgi?id=319697 anyway I will probably generate a new release soonish, Daniel
I think this should be fixed in gamin-0.1.7, Daniel