Description of problem: no idea Version-Release number of selected component: cscope-15.9-19.fc39 Additional info: reporter: libreport-2.17.11 type: CCpp cmdline: cscope -q crash_function: _IO_deallocate_file comment: no idea journald_cursor: s=324a1cb18b6e4ea484c4979592d25d78;i=6ecf2;b=ccf88b0373ef4caf9e48189be29ae9a9;m=29c47e32b71;t=613cd58b38236;x=bc81f54913b5ea21 executable: /usr/bin/cscope rootdir: / uid: 1000 kernel: 6.6.13-200.fc39.x86_64 package: cscope-15.9-19.fc39 runlevel: N 5 cgroup: 0::/user.slice/user-1000.slice/session-280.scope reason: cscope killed by SIGABRT backtrace_rating: 4 Truncated backtrace: Thread no. 1 (4 frames) #8 _IO_deallocate_file at /usr/src/debug/glibc-2.38-16.fc39.x86_64/libio/libioP.h:958 #10 myexit at /usr/src/debug/cscope-15.9-19.fc39.x86_64/src/main.c:1062 #12 __unlink at ../sysdeps/unix/sysv/linux/unlink.c:28 #13 myexit at /usr/src/debug/cscope-15.9-19.fc39.x86_64/src/main.c:1066
Created attachment 2021990 [details] File: mountinfo
Created attachment 2021991 [details] File: environ
Created attachment 2021992 [details] File: core_backtrace
Created attachment 2021993 [details] File: backtrace
Created attachment 2021994 [details] File: limits
Created attachment 2021995 [details] File: proc_pid_status
Created attachment 2021996 [details] File: cpuinfo
Created attachment 2021997 [details] File: os_info
Created attachment 2021998 [details] File: dso_list
Created attachment 2021999 [details] File: maps
Created attachment 2022000 [details] File: open_fds
it looks like cscope was killed by SIGABRT, presumably, at container exit. cscope itself looks ok. > abort() is usually called by library functions which detect an internal error or some seriously > broken constraint. For example malloc() will call abort() if its internal structures are damaged > by a heap overflow.
> container exit I'm not sure what you mean by "container", but just in case: this was being run via an interactive shell on the base OS (no docker, etc. involved).
*** Bug 2256515 has been marked as a duplicate of this bug. ***
so a research shows that the cscope process attempted a normal exit (by "q" or Ctrl-D) calling myexit(0). in the middle of it a signal SIGHUP handler was called, which is myexit() itself. then glibc detects a double-free condition in __GI___libc_free() while performing fclose(refsfound). then glibc aborts the process with __GI_abort() and the "free(): double free detected in tcache 2" message. backtraces we have are: main.c:847 in main(): /* normal quit */ myexit(0); -> main.c:1079 in myexit(sig=0): freefilelist(); -> dir.c:727 in in freefilelist(): free(srcfiles[--nsrcfiles]); -> malloc.c:3352 in __GI___libc_free() -> <signal handler called> -> main.c:1062 in myexit (sig=1 SIGHUP ): fclose(refsfound); -> iofclose.c:74 in _IO_new_fclose() -> ... -> malloc.c:3391 in __GI___libc_free() -> malloc_printerr("free(): double free detected in tcache 2") -> __GI_abort() main.c:847 in main(): /* normal quit */ myexit(0); -> main.c:1066 in myexit(sig=0): unlink(temp1); -> unlink.c:28 __unlink (name=<temp1> "/tmp/cscope.699047/cscope.1"); -> <signal handler called> -> main.c:1062 in myexit (sig=1 SIGHUP ): fclose(refsfound); -> iofclose.c:74 in _IO_new_fclose() -> ... -> malloc.c:3391 in __GI___libc_free() -> malloc_printerr("free(): double free detected in tcache 2") -> __GI_abort() in a short word, a process abort is caused by myexit() interrupted by a signal which handler is myexit() itself. note, free() and fclose() are NOT async-signal-safe, see "man 7 signal-safety". calling an async-signal-unsafe function from a signal handler is perfectly legal unless the signal interrupted another async-signal-unsafe function. so i'm not sure about the unlink() case, unlink() is async-signal-safe. still, the double-free condition is still there, as we can see from the backtrace. i'm not going to fix the whole signal handling in cscope, as it is broken. 1) myexit() calls functions which are not async-signal-safe 2) signal() infrastructure (which is broken) is used instead of sigaction(). i'll fix only this specific case where myexit() is interrupted by a call to myexit() itself by resetting signal handlers to default ones. this may be not entirely correct but whatever.
a fix: https://src.fedoraproject.org/rpms/cscope/c/a4d105ed18317c43e41fd20934509f8f250edc68?branch=rawhide reported upstream: https://sourceforge.net/p/cscope/mailman/message/58802909/ the updates were pushed: https://bodhi.fedoraproject.org/updates/FEDORA-2024-0429a348fa https://bodhi.fedoraproject.org/updates/FEDORA-2024-cd9f88a9af https://bodhi.fedoraproject.org/updates/FEDORA-2024-b787cf0ab9