Bug 483537 - Ruby/Tk crashed on simplest application (reopening)
Status: CLOSED WONTFIX
Product: Fedora
Classification: Fedora
Component: ruby
Version: 10
Hardware/OS: i386 Linux
Priority: low
Severity: high
Assigned To: Jeroen van Meeuwen
QA Contact: Fedora Extras Quality Assurance
URL: https://bugzilla.redhat.com/show_bug....
Keywords: Reopened, Triaged
Blocks: 517000 555730

Reported: 2009-02-02 04:56 EST by Dmitry A. Ustalov
Modified: 2010-01-15 06:05 EST
Doc Type: Bug Fix
Clone Of: 455045
Clones: 555730
Last Closed: 2009-12-18 02:46:43 EST

Attachments:
log with backtrace and memory map (6.72 KB, text/plain)
2009-02-02 04:56 EST, Dmitry A. Ustalov
Ruby/Tk Example 3 from PickAxe book (ruby-tk-ex3.rb) (52 bytes, text/plain)
2009-02-02 04:59 EST, Dmitry A. Ustalov

Description Dmitry A. Ustalov 2009-02-02 04:56:26 EST
Created attachment 330606
log with backtrace and memory map

For a number of unexplained reasons, launching the simplest program written in 
Ruby/Tk leads to ruby crashing.

For example:
eveel{~}% ruby ruby-tk-ex3.rb 
*** glibc detected *** ruby: free(): invalid next size (fast): 0x0a07c1b8 ***
{...}
zsh: abort      ruby ruby-tk-ex3.rb

My system is Fedora release 10 (Cambridge).

eveel{~}% uname -a
Linux tazik 2.6.27.12-170.2.5.fc10.i686 #1 SMP Wed Jan 21 02:09:37 EST 2009 i686 i686 i386 GNU/Linux
eveel{~}% ruby -v
ruby 1.8.6 (2008-08-11 patchlevel 287) [i386-linux]
eveel{~}% yum info ruby-tcltk | grep Version
Version    : 1.8.6.287
eveel{~}% yum info tcl | grep Version       
Version    : 8.5.3
eveel{~}% yum info tk | grep Version
Version    : 8.5.3
eveel{~}% yum info glibc | grep Version
Version    : 2.9

Reopening of https://bugzilla.redhat.com/show_bug.cgi?id=455045
Comment 1 Dmitry A. Ustalov 2009-02-02 04:59:27 EST
Created attachment 330609
Ruby/Tk Example 3 from PickAxe book (ruby-tk-ex3.rb)
Comment 2 Jon Dufresne 2009-02-16 14:23:48 EST
Thank you for your bug report. Next time can you please provide a full stack trace; please make sure you have debuginfo packages installed and see http://fedoraproject.org/wiki/StackTraces for more information about getting a useful stack trace.

I can confirm this bug using the provided test file. See the full stack trace below. As this is repeatable with a test case and we have a full stack trace I am marking this ASSIGNED.

Program received signal SIGABRT, Aborted.
0x00fb4416 in __kernel_vsyscall ()
(gdb) thread apply all bt

Thread 1 (Thread 0xb7fe46c0 (LWP 8834)):
#0  0x00fb4416 in __kernel_vsyscall ()
#1  0x00b4b460 in raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#2  0x00b4ce28 in abort () at abort.c:88
#3  0x00b88fed in __libc_message (do_abort=2, fmt=0xc63e68 "*** glibc detected *** %s: %s: 0x%s ***\n")
    at ../sysdeps/unix/sysv/linux/libc_fatal.c:170
#4  0x00b8f3a4 in malloc_printerr (action=2, str=0xc63eb4 "free(): invalid next size (fast)", ptr=0x81c2038) at malloc.c:5994
#5  0x00b91356 in __libc_free (mem=0x81c2038) at malloc.c:3625
#6  0x004d268d in TclpFree (oldPtr=0x81c2038 "") at /usr/src/debug/tcl8.5.3/generic/tclAlloc.c:729
#7  0x004dc0ed in Tcl_Free (ptr=0x81c2038 "") at /usr/src/debug/tcl8.5.3/generic/tclCkalloc.c:1182
#8  0x0056ee00 in FreeStringInternalRep (objPtr=0x80d9af0) at /usr/src/debug/tcl8.5.3/generic/tclStringObj.c:2877
#9  0x004d99ae in SetByteArrayFromAny (interp=0x0, objPtr=0x80d9af0) at /usr/src/debug/tcl8.5.3/generic/tclBinary.c:412
#10 0x004d9a1b in Tcl_GetByteArrayFromObj (objPtr=0x80d9af0, lengthPtr=0xbfffb148) at /usr/src/debug/tcl8.5.3/generic/tclBinary.c:314
#11 0x00116efe in get_str_from_obj (obj=0x80d9af0) at tcltklib.c:5400
#12 0x00117bc5 in ip_get_result_string_obj (interp=<value optimized out>) at tcltklib.c:5453
#13 0x00118047 in ip_invoke_core (interp=3084168100, objc=2, objv=0x81cb0f0) at tcltklib.c:6769
#14 0x001182a4 in ip_invoke_real (argc=2, argv=0xbfffb5e0, interp=3084168100) at tcltklib.c:6868
#15 0x00118548 in ip_invoke_with_position (argc=2, argv=0xbfffb5e0, obj=3084168100, position=TCL_QUEUE_TAIL) at tcltklib.c:6977
#16 0x007e5ff0 in call_cfunc (func=0x1188e0 <ip_invoke>, recv=3084168100, len=6, argc=2, argv=0x2282) at eval.c:5715
#17 0x007f0e8e in rb_call0 (klass=3086337960, recv=3084168100, id=10617, oid=10625, argc=2, argv=0xbfffb5e0, body=0xb7f5baec, flags=0)
    at eval.c:5870
#18 0x007f102a in rb_call (klass=3086337960, recv=3084168100, mid=10617, argc=2, argv=0xbfffb5e0, scope=0, self=3084007720) at eval.c:6117
#19 0x007eb7a1 in rb_eval (self=3084007720, n=<value optimized out>) at eval.c:3490
#20 0x007eca31 in rb_eval (self=3084007720, n=<value optimized out>) at eval.c:3675
#21 0x007f0d91 in rb_call0 (klass=3084156860, recv=3084007720, id=12681, oid=12681, argc=3, argv=0xbfffbf50, body=0xb7fac44c, flags=-2)
    at eval.c:6021
#22 0x007f102a in rb_call (klass=3084156860, recv=3084007720, mid=12681, argc=3, argv=0xbfffbf50, scope=1, self=3084007720) at eval.c:6117
#23 0x007eb8c1 in rb_eval (self=3084007720, n=<value optimized out>) at eval.c:3505
#24 0x007eca31 in rb_eval (self=3084007720, n=<value optimized out>) at eval.c:3675
#25 0x007ee5c0 in rb_eval (self=3084007720, n=<value optimized out>) at eval.c:3306
#26 0x007f0d91 in rb_call0 (klass=3084156860, recv=3084007720, id=12713, oid=12713, argc=3, argv=0xbfffcc00, body=0xb7fabbdc, flags=-2)
    at eval.c:6021
#27 0x007f102a in rb_call (klass=3084156860, recv=3084007720, mid=12713, argc=3, argv=0xbfffcc00, scope=1, self=3084007720) at eval.c:6117
#28 0x007eb8c1 in rb_eval (self=3084007720, n=<value optimized out>) at eval.c:3505
#29 0x007f0d91 in rb_call0 (klass=3084156860, recv=3084007720, id=11545, oid=11545, argc=2, argv=0xbfffd220, body=0xb7faaffc, flags=-1)
    at eval.c:6021
#30 0x007f102a in rb_call (klass=3084156860, recv=3084007720, mid=11545, argc=2, argv=0xbfffd220, scope=1, self=3084007720) at eval.c:6117
#31 0x007eb8c1 in rb_eval (self=3084007720, n=<value optimized out>) at eval.c:3505
#32 0x007f0d91 in rb_call0 (klass=3084158020, recv=3084007720, id=14537, oid=14537, argc=1, argv=0xbfffd850, body=0xb7f681e8, flags=1)
    at eval.c:6021
#33 0x007f102a in rb_call (klass=3084158020, recv=3084007720, mid=14537, argc=1, argv=0xbfffd850, scope=1, self=3084007720) at eval.c:6117
#34 0x007eb8c1 in rb_eval (self=3084007720, n=<value optimized out>) at eval.c:3505
#35 0x007f0d91 in rb_call0 (klass=3084158020, recv=3084007720, id=2953, oid=2953, argc=1, argv=0xbfffded0, body=0xb7f68940, flags=2) at eval.c:6021
#36 0x007f102a in rb_call (klass=3084158020, recv=3084007720, mid=2953, argc=1, argv=0xbfffded0, scope=3, self=6) at eval.c:6117
#37 0x007fa06b in rb_call_super (argc=1, argv=0xbfffded0) at eval.c:6285
#38 0x007eba20 in rb_eval (self=3084007720, n=<value optimized out>) at eval.c:3556
#39 0x007f0d91 in rb_call0 (klass=3083995460, recv=3084007720, id=2953, oid=2953, argc=1, argv=0xbfffe890, body=0xb7d22ec4, flags=2) at eval.c:6021
#40 0x007f102a in rb_call (klass=3083995460, recv=3084007720, mid=2953, argc=1, argv=0xbfffe890, scope=1, self=6) at eval.c:6117
#41 0x007f1a13 in rb_funcall2 (recv=6, mid=2953, argc=1, argv=0xbfffe890) at eval.c:6253
#42 0x007f1ab7 in rb_obj_call_init (obj=3084007720, argc=1, argv=0xbfffe890) at eval.c:7650
#43 0x00820b7a in rb_class_new_instance (argc=1, argv=0xbfffe890, klass=3083995460) at object.c:1572
#44 0x00d988d0 in tk_s_new (argc=1, argv=0xbfffe890, klass=3083995460) at tkutil.c:59
#45 0x007e5ff0 in call_cfunc (func=0xd988a0 <tk_s_new>, recv=3083995460, len=6, argc=1, argv=0x2282) at eval.c:5715
#46 0x007f0e8e in rb_call0 (klass=3086332920, recv=3083995460, id=3345, oid=3345, argc=1, argv=0xbfffe890, body=0xb7fd2a48, flags=0) at eval.c:5870
#47 0x007f102a in rb_call (klass=3086332920, recv=3083995460, mid=3345, argc=1, argv=0xbfffe890, scope=0, self=3086887340) at eval.c:6117
#48 0x007eb7a1 in rb_eval (self=3086887340, n=<value optimized out>) at eval.c:3490
#49 0x007eec21 in rb_eval (self=3086887340, n=<value optimized out>) at eval.c:3220
#50 0x007eca31 in rb_eval (self=3086887340, n=<value optimized out>) at eval.c:3675
#51 0x007fd2a7 in ruby_exec_internal () at eval.c:1642
#52 0x007fd2f2 in ruby_exec () at eval.c:1662
#53 0x007fd32f in ruby_run () at eval.c:1672
#54 0x0804868d in main (argc=Cannot access memory at address 0x2282
) at main.c:48

---
Fedora Bugzappers volunteer triage team
https://fedoraproject.org/wiki/BugZappers
Comment 3 Dmitry A. Ustalov 2009-02-16 16:01:26 EST
Oh, sorry. Running again (with debuginfo installed):

Thread 1 (Thread 0xb7fe36c0 (LWP 3710)):
#0  0x00bdf416 in __kernel_vsyscall ()
#1  0x006d7460 in raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#2  0x006d8e28 in abort () at abort.c:88
#3  0x00714fed in __libc_message (do_abort=2, fmt=0x7efe68 "*** glibc detected *** %s: %s: 0x%s ***\n")
    at ../sysdeps/unix/sysv/linux/libc_fatal.c:170
#4  0x0071b3a4 in malloc_printerr (action=2, str=0x7efeb4 "free(): invalid next size (fast)", ptr=0x81c5be8) at malloc.c:5994
#5  0x0071d356 in __libc_free (mem=0x81c5be8) at malloc.c:3625
#6  0x0024c68d in TclpFree (oldPtr=0x81c5be8 "") at /usr/src/debug/tcl8.5.3/generic/tclAlloc.c:729
#7  0x002560ed in Tcl_Free (ptr=0x81c5be8 "") at /usr/src/debug/tcl8.5.3/generic/tclCkalloc.c:1182
#8  0x002e8e00 in FreeStringInternalRep (objPtr=0x80cc5d0) at /usr/src/debug/tcl8.5.3/generic/tclStringObj.c:2877
#9  0x002539ae in SetByteArrayFromAny (interp=0x0, objPtr=0x80cc5d0) at /usr/src/debug/tcl8.5.3/generic/tclBinary.c:412
#10 0x00253a1b in Tcl_GetByteArrayFromObj (objPtr=0x80cc5d0, lengthPtr=0xbfffb118) at /usr/src/debug/tcl8.5.3/generic/tclBinary.c:314
#11 0x00aa0efe in get_str_from_obj (obj=0x80cc5d0) at tcltklib.c:5400
#12 0x00aa1bc5 in ip_get_result_string_obj (interp=<value optimized out>) at tcltklib.c:5453
#13 0x00aa2047 in ip_invoke_core (interp=3084163960, objc=2, objv=0x81cec90) at tcltklib.c:6769
#14 0x00aa22a4 in ip_invoke_real (argc=2, argv=0xbfffb5b0, interp=3084163960) at tcltklib.c:6868
#15 0x00aa2548 in ip_invoke_with_position (argc=2, argv=0xbfffb5b0, obj=3084163960, position=TCL_QUEUE_TAIL) at tcltklib.c:6977
#16 0x00896ff0 in call_cfunc (func=0xaa28e0 <ip_invoke>, recv=3084163960, len=6, argc=2, argv=0xe7e) at eval.c:5715
#17 0x008a1e8e in rb_call0 (klass=3086333840, recv=3084163960, id=10617, oid=10625, argc=2, argv=0xbfffb5b0, body=0xb7f5aad4, flags=0)
    at eval.c:5870
#18 0x008a202a in rb_call (klass=3086333840, recv=3084163960, mid=10617, argc=2, argv=0xbfffb5b0, scope=0, self=3084003580)
#19 0x0089c7a1 in rb_eval (self=3084003580, n=<value optimized out>) at eval.c:3490
#20 0x0089da31 in rb_eval (self=3084003580, n=<value optimized out>) at eval.c:3675
#21 0x008a1d91 in rb_call0 (klass=3084152720, recv=3084003580, id=12681, oid=12681, argc=3, argv=0xbfffbf20, body=0xb7fab434, flags=-2)
    at eval.c:6021
#22 0x008a202a in rb_call (klass=3084152720, recv=3084003580, mid=12681, argc=3, argv=0xbfffbf20, scope=1, self=3084003580)
    at eval.c:6117
#23 0x0089c8c1 in rb_eval (self=3084003580, n=<value optimized out>) at eval.c:3505
#24 0x0089da31 in rb_eval (self=3084003580, n=<value optimized out>) at eval.c:3675
#25 0x0089f5c0 in rb_eval (self=3084003580, n=<value optimized out>) at eval.c:3306
#26 0x008a1d91 in rb_call0 (klass=3084152720, recv=3084003580, id=12713, oid=12713, argc=3, argv=0xbfffcbd0, body=0xb7faabc4, flags=-2)
    at eval.c:6021
#27 0x008a202a in rb_call (klass=3084152720, recv=3084003580, mid=12713, argc=3, argv=0xbfffcbd0, scope=1, self=3084003580)
    at eval.c:6117
#28 0x0089c8c1 in rb_eval (self=3084003580, n=<value optimized out>) at eval.c:3505
#29 0x008a1d91 in rb_call0 (klass=3084152720, recv=3084003580, id=11545, oid=11545, argc=2, argv=0xbfffd1f0, body=0xb7fa9fe4, flags=-1)
    at eval.c:6021
#30 0x008a202a in rb_call (klass=3084152720, recv=3084003580, mid=11545, argc=2, argv=0xbfffd1f0, scope=1, self=3084003580)
    at eval.c:6117
#31 0x0089c8c1 in rb_eval (self=3084003580, n=<value optimized out>) at eval.c:3505
#32 0x008a1d91 in rb_call0 (klass=3084153880, recv=3084003580, id=14537, oid=14537, argc=1, argv=0xbfffd820, body=0xb7f671d0, flags=1)
    at eval.c:6021
#33 0x008a202a in rb_call (klass=3084153880, recv=3084003580, mid=14537, argc=1, argv=0xbfffd820, scope=1, self=3084003580)
#34 0x0089c8c1 in rb_eval (self=3084003580, n=<value optimized out>) at eval.c:3505
#35 0x008a1d91 in rb_call0 (klass=3084153880, recv=3084003580, id=2953, oid=2953, argc=1, argv=0xbfffdea0, body=0xb7f67928, flags=2)
    at eval.c:6021
#36 0x008a202a in rb_call (klass=3084153880, recv=3084003580, mid=2953, argc=1, argv=0xbfffdea0, scope=3, self=6) at eval.c:6117
#37 0x008ab06b in rb_call_super (argc=1, argv=0xbfffdea0) at eval.c:6285
#38 0x0089ca20 in rb_eval (self=3084003580, n=<value optimized out>) at eval.c:3556
#39 0x008a1d91 in rb_call0 (klass=3083991320, recv=3084003580, id=2953, oid=2953, argc=1, argv=0xbfffe860, body=0xb7d21e98, flags=2)
    at eval.c:6021
#40 0x008a202a in rb_call (klass=3083991320, recv=3084003580, mid=2953, argc=1, argv=0xbfffe860, scope=1, self=6) at eval.c:6117
#41 0x008a2a13 in rb_funcall2 (recv=6, mid=2953, argc=1, argv=0xbfffe860) at eval.c:6253
#42 0x008a2ab7 in rb_obj_call_init (obj=3084003580, argc=1, argv=0xbfffe860) at eval.c:7650
#43 0x008d1b7a in rb_class_new_instance (argc=1, argv=0xbfffe860, klass=3083991320) at object.c:1572
#44 0x004548d0 in tk_s_new (argc=1, argv=0xbfffe860, klass=3083991320) at tkutil.c:59
#45 0x00896ff0 in call_cfunc (func=0x4548a0 <tk_s_new>, recv=3083991320, len=6, argc=1, argv=0xe7e) at eval.c:5715
#46 0x008a1e8e in rb_call0 (klass=3086328800, recv=3083991320, id=3345, oid=3345, argc=1, argv=0xbfffe860, body=0xb7fd1a30, flags=0)
    at eval.c:5870
#47 0x008a202a in rb_call (klass=3086328800, recv=3083991320, mid=3345, argc=1, argv=0xbfffe860, scope=0, self=3086883240) at eval.c:6117
#48 0x0089c7a1 in rb_eval (self=3086883240, n=<value optimized out>) at eval.c:3490
#49 0x0089fc21 in rb_eval (self=3086883240, n=<value optimized out>) at eval.c:3220
#50 0x0089da31 in rb_eval (self=3086883240, n=<value optimized out>) at eval.c:3675
#51 0x008ae2a7 in ruby_exec_internal () at eval.c:1642
#52 0x008ae2f2 in ruby_exec () at eval.c:1662
#53 0x008ae32f in ruby_run () at eval.c:1672
#54 0x0804868d in main (argc=Cannot access memory at address 0xe7e
) at main.c:48

Confirmed? :)
Comment 4 Timothy Davis 2009-05-01 12:03:31 EDT
Could it be a memory/stack problem?
I wrote a simple RubyTk program and it runs on Ubuntu but crashes on Fedora 10.
It will run if inside valgrind.

[tim@tidavis-fedora ~]$ yum info tcl | grep Version
Version    : 8.5.3
[tim@tidavis-fedora ~]$ yum info tk | grep Version
Version    : 8.5.3
[tim@tidavis-fedora ~]$ yum info glibc | grep Version
Version    : 2.9
Version    : 2.9
[tim@tidavis-fedora ~]$ uname -a
Linux tidavis-fedora 2.6.27.21-170.2.56.fc10.i686 #1 SMP Mon Mar 23 23:37:54 EDT 2009 i686 athlon i386 GNU/Linux
[tim@tidavis-fedora ~]$ ruby -v
ruby 1.8.6 (2009-03-31 patchlevel 368) [i686-linux]


I even went so far as to compile Ruby, Tcl and Tk from source.
Comment 5 Richard Z. 2009-10-27 09:03:59 EDT
Tried with old tcl/tk 8.3 and older ruby packages that worked well on a previous distribution - the problem remains the same.

My guess after looking at some valgrind output is that it is an old bug in ruby, which turned into segfaults when glibc malloc/free behaviour became more strict.
Possibly there is some off-by-one when strings or something else is passed to tcl.

It would be nice if there was an easy way to try ruby-1.9 to see if the bug persists.
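
Added example, not part of the bug thread and not code from glibc, Ruby or Tcl: a simplified model of the sanity check in glibc's free() that produces the "free(): invalid next size (fast)" message in the traces above, showing how one terminating NUL written past a buffer trips it. The i386 chunk layout, the offsets and the helper names are assumptions made for the model, and the off-by-one itself is only the guess from comment 5, not a confirmed cause.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of an i386 glibc heap (SIZE_SZ = 4); all values are constructed. */
#define SIZE_SZ     4u
#define FLAG_BITS   7u          /* low 3 bits of size hold flags, e.g. PREV_INUSE */
#define SYSTEM_MEM  0x21000u    /* modelled arena size (132 KiB) */
#define CHUNK_A     0u          /* 16-byte chunk: 12 usable bytes at offset 8 */
#define CHUNK_B     16u         /* neighbouring 16-byte chunk */

static uint32_t get32(const uint8_t *p)            /* little-endian load */
{
    return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24;
}

static void put32(uint8_t *p, uint32_t v)          /* little-endian store */
{
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i));
}

/* The test free() applies to a fastbin-sized chunk before releasing it:
 * the size field of the *next* chunk must look sane. Returns NULL if it does. */
static const char *model_free_check(const uint8_t *heap, uint32_t chunk)
{
    uint32_t size = get32(heap + chunk + SIZE_SZ) & ~FLAG_BITS;
    uint32_t next = get32(heap + chunk + size + SIZE_SZ);
    if (next <= 2 * SIZE_SZ || (next & ~FLAG_BITS) >= SYSTEM_MEM)
        return "free(): invalid next size (fast)";
    return NULL;
}

/* Copy `len` characters plus the NUL into chunk A with no bounds check,
 * then report what freeing chunk A would say. */
const char *copy_then_free(size_t len)
{
    uint8_t heap[48] = {0};
    if (len > 24) len = 24;                        /* stay inside the model */
    put32(heap + CHUNK_A + SIZE_SZ, 16u | 1u);     /* A: size 16, PREV_INUSE */
    put32(heap + CHUNK_B + SIZE_SZ, 16u | 1u);     /* B: size 16, PREV_INUSE */
    uint8_t *user = heap + CHUNK_A + 2 * SIZE_SZ;
    memset(user, 'x', len);
    user[len] = '\0';              /* at len == 12 this lands on B's size field */
    return model_free_check(heap, CHUNK_A);
}

int main(void)
{
    const char *ok = copy_then_free(11), *bad = copy_then_free(12);
    printf("11 chars + NUL: %s\n", ok ? ok : "free() succeeds");
    printf("12 chars + NUL: %s\n", bad ? bad : "free() succeeds");
    return 0;
}
```

In the model the stray write and the failed check are separate steps, so the abort is raised at the free() of the overflowed chunk rather than at the write; a memory checker such as valgrind reports the write itself.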
Comment 6 Bug Zapper 2009-11-18 04:47:48 EST
This message is a reminder that Fedora 10 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 10.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '10'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 10's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 10 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 7 Bug Zapper 2009-12-18 02:46:43 EST
Fedora 10 changed to end-of-life (EOL) status on 2009-12-17. Fedora 10 is 
no longer maintained, which means that it will not receive any further 
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of 
Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.
