Bug 183895 - malloc alignment increase on ppc causes problems
Status: CLOSED INSUFFICIENT_DATA
Product: Fedora
Classification: Fedora
Component: glibc
Version: rawhide
Hardware: powerpc Linux
Priority: medium
Severity: medium
Assigned To: Jakub Jelinek
QA Contact: Brian Brock
Keywords: bzcl34nup
Duplicates: 183894 184056
Reported: 2006-03-03 09:38 EST by David Woodhouse
Modified: 2008-05-06 20:24 EDT
Doc Type: Bug Fix
Last Closed: 2008-05-06 20:24:49 EDT

Attachments
glibc-rh183895.patch (772 bytes, patch), 2006-03-05 11:48 EST, Jakub Jelinek

Description David Woodhouse 2006-03-03 09:38:08 EST
Clean rawhide-20060302 install, thunderbird-1.5-3

*** glibc detected *** /usr/lib/thunderbird-1.5/thunderbird-bin: free(): invalid
pointer: 0xf7000018 ***
======= Backtrace: =========
/lib/libc.so.6[0xf079824]
/lib/libc.so.6(__libc_free+0xc8)[0xf07ccc8]
/usr/lib/thunderbird-1.5/libmozjs.so(JS_free+0x30)[0xff478f0]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff9cdcc]
/usr/lib/thunderbird-1.5/libmozjs.so(js_NewRegExp+0x180)[0xff9cf7c]
/usr/lib/thunderbird-1.5/libmozjs.so(js_NewRegExpObject+0x5c)[0xff9d784]
/usr/lib/thunderbird-1.5/libmozjs.so(js_GetToken+0x1c50)[0xffa15c0]
/usr/lib/thunderbird-1.5/libmozjs.so(js_MatchToken+0x2c)[0xffa19dc]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff92d24]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff9201c]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff922a4]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff9238c]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff92454]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff92524]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff925e0]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff926d4]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff92780]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff9281c]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff928b8]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff929ac]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff92a6c]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff92d48]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff9201c]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff922a4]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff9238c]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff92454]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff92524]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff925e0]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff926d4]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff92780]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff9281c]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff928b8]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff929ac]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff92a6c]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff94770]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff95cc4]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff904c0]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff956cc]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff904c0]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff90718]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff90d64]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff910e4]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff91c00]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff922a4]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff9238c]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff92454]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff92524]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff925e0]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff926d4]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff92780]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff9281c]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff928b8]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff929ac]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff92a6c]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff91514]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff91c00]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff922a4]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff9238c]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff92454]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff92524]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff925e0]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff926d4]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff92780]
======= Memory map: ========
00100000-00103000 r-xp 00100000 00:00 0
0bbfa000-0bc44000 r-xp 00000000 08:05 1733354 /usr/lib/thunderbird-1.5/components/libi18n.so
0bc44000-0bc54000 ---p 0004a000 08:05 1733354 /usr/lib/thunderbird-1.5/components/libi18n.so
0bc54000-0bc57000 rw-p 0004a000 08:05 1733354 /usr/lib/thunderbird-1.5/components/libi18n.so
0bc67000-0c350000 r-xp 00000000 08:05 1733352 /usr/lib/thunderbird-1.5/components/libgklayout.so
0c350000-0c35f000 ---p 006e9000 08:05 1733352 /usr/lib/thunderbird-1.5/components/libgklayout.so
0c35f000-0c3bc000 rw-p 006e8000 08:05 1733352 /usr/lib/thunderbird-1.5/components/libgklayout.so
0c3bc000-0c3c3000 rw-p 0c3bc000 00:00 0
0c3d3000-0c41e000 r-xp 00000000 08:05 1733362 /usr/lib/thunderbird-1.5/components/libmork.so
0c41e000-0c42d000 ---p 0004b000 08:05 1733362 /usr/lib/thunderbird-1.5/components/libmork.so
0c42d000-0c430000 rw-p 0004a000 08:05 1733362 /usr/lib/thunderbird-1.5/components/libmork.so
0c440000-0c489000 r-xp 00000000 08:05 1733350 /usr/lib/thunderbird-1.5/components/libgfx_gtk.so
0c489000-0c498000 ---p 00049000 08:05 1733350 /usr/lib/thunderbird-1.5/components/libgfx_gtk.so
0c498000-0c49b000 rw-p 00048000 08:05 1733350 /usr/lib/thunderbird-1.5/components/libgfx_gtk.so
0c4ab000-0c4ad000 r-xp 00000000 08:05 1733363 /usr/lib/thunderbird-1.5/components/libmozfind.so
0c4ad000-0c4bc000 ---p 00002000 08:05 1733363 /usr/lib/thunderbird-1.5/components/libmozfind.so
0c4bc000-0c4bd000 rw-p 00001000 08:05 1733363 /usr/lib/thunderbird-1.5/components/libmozfind.so
0c4cd000-0c4f8000 r-xp 00000000 08:05 1733339 /usr/lib/thunderbird-1.5/components/libappcomps.so
0c4f8000-0c507000 ---p 0002b000 08:05 1733339 /usr/lib/thunderbird-1.5/components/libappcomps.so
0c507000-0c509000 rw-p 0002a000 08:05 1733339 /usr/lib/thunderbird-1.5/components/libappcomps.so
0c519000-0c523000 r-xp 00000000 08:05 1733389
Comment 1 David Woodhouse 2006-03-03 09:59:25 EST
The above failure was with glibc-2.3.91-1. If I revert to glibc-2.3.90-38 it
works OK. Reassigning to glibc, since it also happened to emacs.
Comment 2 David Woodhouse 2006-03-03 16:02:52 EST
Seems to happen in a different place each time, although it's always
__libc_free() with a pointer which is only 8-byte aligned. Sometimes it even works.

*** glibc detected *** /usr/lib/thunderbird-1.5/thunderbird-bin: free(): invalid
pointer: 0xf3a00018 ***
======= Backtrace: =========
/lib/libc.so.6[0xe6fa824]
/lib/libc.so.6(__libc_free+0xc8)[0xe6fdcc8]
/usr/lib/thunderbird-1.5/libxpcom_core.so(_ZN14nsStringBuffer7ReleaseEv+0x38)[0xfe8f8cc]
/usr/lib/thunderbird-1.5/libxpcom_core.so(_Z11ReleaseDataPvj+0x38)[0xfe91fac]
/usr/lib/thunderbird-1.5/libxpcom_core.so(_ZN11nsSubstring11SetCapacityEj+0x3c)[0xfe90010]
/usr/lib/thunderbird-1.5/libxpcom_core.so(_ZN11nsSubstring9SetLengthEj+0x2c)[0xfe900f4]
/usr/lib/thunderbird-1.5/components/libhtmlpars.so[0xcf7af20]


*** glibc detected *** /usr/lib/thunderbird-1.5/thunderbird-bin: free(): invalid
pointer: 0xf580f7a8 ***
======= Backtrace: =========
/lib/libc.so.6[0xe6fa824]
/lib/libc.so.6(__libc_free+0xc8)[0xe6fdcc8]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff4a7e8]
/usr/lib/thunderbird-1.5/libmozjs.so(js_FinishCodeGenerator+0x6c)[0xff5f920]
/usr/lib/thunderbird-1.5/libmozjs.so(js_EmitTree+0x22c)[0xff61824]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff905a0]
/usr/lib/thunderbird-1.5/libmozjs.so(js_CompileTokenStream+0xfc)[0xff96548]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff4407c]
/usr/lib/thunderbird-1.5/libmozjs.so(JS_CompileUCScriptForPrincipals+0x6c)[0xff44220]


*** glibc detected *** /usr/lib/thunderbird-1.5/thunderbird-bin: free(): invalid
pointer: 0xf5805c28 ***
======= Backtrace: =========
/lib/libc.so.6[0xe6fa824]
/lib/libc.so.6(__libc_free+0xc8)[0xe6fdcc8]
/usr/lib/libpng12.so.0(png_free_default+0x38)[0xf0b1988]
/usr/lib/libpng12.so.0(png_free+0x64)[0xf0b1a04]
/usr/lib/libpng12.so.0(png_zfree+0x24)[0xf097fb4]
/usr/lib/libz.so.1(inflateEnd+0x60)[0xfcfad20]
/usr/lib/libpng12.so.0(png_read_destroy+0x234)[0xf0a5e54]
/usr/lib/libpng12.so.0(png_destroy_read_struct+0x8c)[0xf0a5fdc]
/usr/lib/thunderbird-1.5/components/libimglib2.so[0xdccb5c8]
/usr/lib/thunderbird-1.5/components/libimglib2.so[0xdcc821c]
Comment 3 David Woodhouse 2006-03-03 16:16:27 EST
Hm. Now thunderbird seems to start up every time correctly. Firefox is
displaying similar behaviour to the above though...

*** glibc detected *** /usr/lib/firefox-1.5.0.1/firefox-bin: free(): invalid
pointer: 0xf6d01378 ***
======= Backtrace: =========
/lib/libc.so.6[0xe6fa824]
/lib/libc.so.6(__libc_free+0xc8)[0xe6fdcc8]
/usr/lib/firefox-1.5.0.1/libmozjs.so(JS_free+0x30)[0xff478e0]
/usr/lib/firefox-1.5.0.1/libmozjs.so[0xff9d01c]
/usr/lib/firefox-1.5.0.1/libmozjs.so(js_NewRegExp+0x180)[0xff9d1e0]
/usr/lib/firefox-1.5.0.1/libmozjs.so(js_NewRegExpObject+0x5c)[0xff9d9e8]
/usr/lib/firefox-1.5.0.1/libmozjs.so(js_GetToken+0x1c6c)[0xffa185c]
Comment 4 David Woodhouse 2006-03-03 16:38:35 EST
Here it is again, with mtrace info too...

@ /usr/lib/thunderbird-1.5/libmozjs.so:(JS_ArenaAllocate+0xcc)[0xff4aae4] +
0xf5810028 0x417
@ /usr/lib/thunderbird-1.5/libmozjs.so:[0xff4f440] + 0xf5af9f90 0x18
@ /usr/lib/thunderbird-1.5/libmozjs.so:(JS_ArenaAllocate+0xcc)[0xff4aae4] +
0xf5810448 0x417
@ /usr/lib/thunderbird-1.5/libmozjs.so:[0xff4f440] + 0xf5af9fb0 0x18
@ /usr/lib/thunderbird-1.5/libmozjs.so:[0xff4f440] + 0xf5af9fd0 0x18
@ /usr/lib/thunderbird-1.5/libmozjs.so:(JS_malloc+0x48)[0xff48604] + 0xf5af9430 0xea
@ /usr/lib/thunderbird-1.5/libmozjs.so:(JS_malloc+0x48)[0xff48604] + 0xf5af9520 0x34
@ /usr/lib/thunderbird-1.5/libmozjs.so:[0xff4a7e8] - 0xf5810448


*** glibc detected *** /usr/lib/thunderbird-1.5/thunderbird-bin: free(): invalid
pointer: 0xf5810448 ***
======= Backtrace: =========
/lib/libc.so.6[0xe6fa824]
/lib/libc.so.6(__libc_free+0xc8)[0xe6fdcc8]
/lib/libc.so.6[0xe700438]
/lib/libc.so.6(__libc_free+0x4c)[0xe6fdc4c]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff4a7e8]
/usr/lib/thunderbird-1.5/libmozjs.so(js_EmitTree+0x274)[0xff6186c]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff905a0]
/usr/lib/thunderbird-1.5/libmozjs.so(js_CompileTokenStream+0xfc)[0xff96548]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff4407c]
/usr/lib/thunderbird-1.5/libmozjs.so(JS_CompileUCScriptForPrincipals+0x6c)[0xff44220]
Comment 5 David Woodhouse 2006-03-03 16:46:01 EST
Full mtrace output at http://david.woodhou.se/thunderbird.mtrace.gz

 egrep '\+ 0x[0-9a-f]*[1-9a-f] '  thunderbird.mtrace
@ /usr/lib/thunderbird-1.5/libmozjs.so:(js_alloc_table_space+0x28)[0xff4f4c0] +
0xf5800018 0x10000
@ /usr/lib/thunderbird-1.5/libmozjs.so:(JS_ArenaAllocate+0xcc)[0xff4aae4] +
0xf5810028 0x417
@ /usr/lib/thunderbird-1.5/libmozjs.so:(JS_ArenaAllocate+0xcc)[0xff4aae4] +
0xf5810448 0x417
Comment 6 Roland McGrath 2006-03-03 23:05:12 EST
How did you manage to get that mtrace output?
When I call mtrace () from break main, it always winds up deadlocking on dladdr
in mtrace hooks vs dlopen calling malloc.  Did you work around that somehow?
Or is that output just what a run of yours produced before it deadlocked?
The runs I've tried have no suspicious bits in the trace by the time they deadlock.

If that trace is complete, it shows a stray free (run it through /usr/bin/mtrace).
Now I wonder whether that is an artifact of a partial trace (allocated before
you started mtrace?) or if it is truly a stray free.  If it is a stray free of
the middle of a block or the middle of a free chunk, perhaps that is just
confusing everything.
Comment 7 Jakub Jelinek 2006-03-04 01:54:53 EST
I think the easiest would probably be to instrument malloc.c (stick
if (!aligned_OK (retptr))
malloc_printerr (check_action, "mallocret1", retptr);
and similar into various places where malloc/realloc/calloc/valloc/memalign
return pointers). But I'll be away most of the day today, so I won't be able to do
that.
Comment 8 David Woodhouse 2006-03-04 02:30:30 EST
I just called mtrace() after setting a breakpoint in main(). It deadlocked the
first time, worked the second -- ran all the way to its conclusion in abort().

(gdb) run
The program being debugged has been started already.
Start it from the beginning? (y or n) y
warning: cannot close "shared object read from target memory": Invalid operation
Starting program: /usr/lib/thunderbird-1.5/thunderbird-bin
Reading symbols from shared object read from target memory...done.
Loaded system supplied DSO at 0x100000
[Thread debugging using libthread_db enabled]
[New Thread -134807024 (LWP 30574)]
[Switching to Thread -134807024 (LWP 30574)]

Breakpoint 1, main (argc=1, argv=0xffbf49f4) at nsMailApp.cpp:62
62        return XRE_main(argc, argv, &kAppData);
(gdb) p mtrace()
$2 = 0
(gdb) c
Continuing.
[New Thread -137014048 (LWP 30582)]
[New Thread -147909408 (LWP 30583)]
Detaching after fork from child process 30586.
[New Thread -162147104 (LWP 30588)]
*** glibc detected *** /usr/lib/thunderbird-1.5/thunderbird-bin: free(): invalid
pointer: 0xf5810448 ***
======= Backtrace: =========
/lib/libc.so.6[0xe6fa824]
/lib/libc.so.6(__libc_free+0xc8)[0xe6fdcc8]
/lib/libc.so.6[0xe700438]
/lib/libc.so.6(__libc_free+0x4c)[0xe6fdc4c]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff4a7e8]
/usr/lib/thunderbird-1.5/libmozjs.so(js_EmitTree+0x274)[0xff6186c]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff905a0]
/usr/lib/thunderbird-1.5/libmozjs.so(js_CompileTokenStream+0xfc)[0xff96548]
/usr/lib/thunderbird-1.5/libmozjs.so[0xff4407c]
/usr/lib/thunderbird-1.5/libmozjs.so(JS_CompileUCScriptForPrincipals+0x6c)[0xff44220]
Comment 9 Jakub Jelinek 2006-03-05 11:39:48 EST
*** Bug 184056 has been marked as a duplicate of this bug. ***
Comment 11 Jakub Jelinek 2006-03-05 11:48:40 EST
Created attachment 125673 [details]
glibc-rh183895.patch

Patch that ought to fix the problem I reproduced myself.
Comment 12 David Woodhouse 2006-03-06 07:11:53 EST
I can reproduce it with a simple test case:

#include <stdlib.h>

/* Allocate every size from 1 upwards until glibc's own check aborts
   with "sysmalloc #2 returning misaligned pointer". */
int main(void) {
    int i; void *p; i=0; while(++i) p=malloc(i);
}

$ ./asd
*** glibc detected *** ./asd: sysmalloc #2 returning misaligned pointer:
0x0fd30008 ***
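The same alignment test can be run from user space without patching glibc. The program below is an added example, not code from this bug report, from glibc, or from the patch attached to it: its `aligned_ok()` is the power-of-two mask test that the `aligned_OK()` instrumentation proposed in comment 7 would perform inside malloc.c, and `sweep_malloc_alignment()` is comment 12's size sweep with an explicit check and `free()` on every pointer instead of waiting for the allocator to abort. The function names are this example's own, the expected alignment is taken from C11's `_Alignof(max_align_t)`, and the three addresses fed to `aligned_ok()` are the pointers quoted earlier in this report, used here as constructed sample inputs to show that they satisfy an 8-byte check but fail a 16-byte one, which is exactly comment 2's observation.

```c
/* Added example (not from the bug report, glibc, or the attached patch):
 * verify that every pointer malloc() returns satisfies the alignment the
 * platform promises.  aligned_ok and sweep_malloc_alignment are names
 * chosen for this example. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* True when addr is a multiple of align (align must be a power of two):
 * the same mask test glibc's aligned_OK() macro applies to chunk pointers. */
int aligned_ok(uintptr_t addr, size_t align)
{
    return (addr & (uintptr_t)(align - 1)) == 0;
}

/* Allocate every size in [1, max_size], check each returned pointer
 * against align, free it, and return how many were misaligned.
 * Any non-zero count means the allocator broke its own contract, which
 * is what later made free() reject the pointer in this report. */
size_t sweep_malloc_alignment(size_t max_size, size_t align)
{
    size_t bad = 0;
    for (size_t sz = 1; sz <= max_size; sz++) {
        void *p = malloc(sz);
        if (p == NULL)
            break;              /* out of memory: stop, that is not a misalignment */
        if (!aligned_ok((uintptr_t)p, align)) {
            bad++;
            fprintf(stderr, "malloc(%zu) returned %p, not %zu-byte aligned\n",
                    sz, p, align);
        }
        free(p);
    }
    return bad;
}

int main(void)
{
    /* The alignment malloc() must honour for any object type on this platform. */
    size_t want = _Alignof(max_align_t);

    /* Constructed sample inputs: the pointer values quoted in the report.
     * Each ends in ...8, so it is 8-byte but not 16-byte aligned. */
    uintptr_t samples[] = { 0xf7000018u, 0xf3a00018u, 0x0fd30008u };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%#lx: 8-aligned=%d 16-aligned=%d\n",
               (unsigned long)samples[i],
               aligned_ok(samples[i], 8), aligned_ok(samples[i], 16));

    size_t bad = sweep_malloc_alignment(4096, want);
    printf("%zu misaligned allocation(s) in sizes 1..4096 (required alignment %zu)\n",
           bad, want);
    return bad != 0;
}
```

On a correctly built glibc the sweep reports zero misaligned allocations; on the glibc-2.3.91-1 build discussed here it would have flagged the same pointers the allocator's own `sysmalloc` check complained about, but before they reached `free()`.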
Comment 14 Jakub Jelinek 2006-03-07 03:49:11 EST
glibc-2.4-1 in rawhide has the malloc alignment changes backed out,
but we should reconsider this for glibc 2.4.1 and after FC5 is out.
Comment 15 Ulrich Drepper 2006-05-07 21:31:38 EDT
*** Bug 183894 has been marked as a duplicate of this bug. ***
Comment 16 Bug Zapper 2008-04-03 13:04:00 EDT
Based on the date this bug was created, it appears to have been reported
against rawhide during the development of a Fedora release that is no
longer maintained. In order to refocus our efforts as a project we are
flagging all of the open bugs for releases which are no longer
maintained. If this bug remains in NEEDINFO thirty (30) days from now,
we will automatically close it.

If you can reproduce this bug in a maintained Fedora version (7, 8, or
rawhide), please change this bug to the respective version and change
the status to ASSIGNED. (If you're unable to change the bug's version
or status, add a comment to the bug and someone will change it for you.)

Thanks for your help, and we apologize again that we haven't handled
these issues to this point.

The process we're following is outlined here:
http://fedoraproject.org/wiki/BugZappers/F9CleanUp

We will be following the process here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping to ensure this
doesn't happen again.
Comment 17 Bug Zapper 2008-05-06 20:24:48 EDT
This bug has been in NEEDINFO for more than 30 days since feedback was
first requested. As a result we are closing it.

If you can reproduce this bug in the future against a maintained Fedora
version please feel free to reopen it against that version.

The process we're following is outlined here:
http://fedoraproject.org/wiki/BugZappers/F9CleanUp
