Bug 702904 - double free or corruption
Summary: double free or corruption
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: man-db
Version: rawhide
Hardware: Unspecified
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: ---
Assignee: Peter Schiffer
QA Contact: Fedora Extras Quality Assurance
Reported: 2011-05-08 09:04 UTC by Sami Farin
Modified: 2011-10-06 14:05 UTC (History)

Doc Type: Bug Fix
Last Closed: 2011-10-06 14:05:59 UTC
Type: ---

Description Sami Farin 2011-05-08 09:04:12 UTC
Description of problem:

*** glibc detected *** mandb: double free or corruption (fasttop): 0x00000000026fde30 ***
======= Backtrace: =========
/lib64/libc.so.6[0x3004c788aa]
mandb[0x406124]
mandb[0x403e44]
mandb[0x4041d4]
mandb[0x404e9e]
mandb[0x40beba]
mandb[0x40c3db]
mandb[0x403321]
/lib64/libc.so.6(__libc_start_main+0xed)[0x3004c2143d]
mandb[0x403679]
./man-db.cron: line 25: 10121 Aborted                 mandb $OPTS

Version-Release number of selected component (if applicable):
2.6.0.2-1

How reproducible:
100%

Steps to Reproduce:
1. wait till cronjob runs or start manually
2.
3.
  
Actual results:
crashing

Expected results:
working

Additional info:
I tried running under gdb but the result seemed like a fork bomb. Does it fork for every man page?

Detaching after fork from child process 7530.
Detaching after fork from child process 7531.
Detaching after fork from child process 7533.

(gdb) bt
#0  0x0000003004c36415 in raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  0x0000003004c37d2b in abort () at abort.c:92
#2  0x0000003004c723b3 in __libc_message (do_abort=2, fmt=0x3004d5cbe8 "*** glibc detected *** %s: %s: 0x%s ***\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:186
#3  0x0000003004c788aa in malloc_printerr (action=3, str=0x3004d5cdd8 "double free or corruption (fasttop)", ptr=<optimized out>) at malloc.c:6283
#4  0x0000000000406124 in store_descriptions ()
#5  0x0000000000403e44 in test_manfile ()
#6  0x00000000004041d4 in testmandirs ()
#7  0x0000000000404e9e in create_db ()
#8  0x000000000040beba in mandb ()
#9  0x000000000040c3db in process_manpath ()
#10 0x0000000000403321 in main ()

Comment 1 Ivana Varekova 2011-07-04 14:38:07 UTC
Hello,
I can't reproduce this problem. Please, what do you have in
/etc/sysconfig/man-db?
How often does this bug appear: each time or occasionally?

Comment 2 Sami Farin 2011-07-04 15:17:18 UTC
CRON="yes"
OPTS="-q"

This bug appears each time I run mandb.
For example, it crashed just 17 seconds ago when I ran it.

Comment 3 Fedora Admin XMLRPC Client 2011-07-12 11:45:35 UTC
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Comment 4 Peter Schiffer 2011-09-16 14:01:44 UTC
Hi,

Do you still have this problem? If yes, could you post the output of:
# mandb --debug

Thanks,
peter

Comment 5 Sami Farin 2011-09-16 16:05:07 UTC
*** glibc detected *** mandb: double free or corruption (fasttop): 0x000000000246f360 ***
======= Backtrace: =========
/lib64/libc.so.6[0x3000c78646]
mandb[0x406124]
mandb[0x403e44]
mandb[0x4041d4]
mandb[0x404e9e]
mandb[0x40beba]
mandb[0x40c3db]
mandb[0x403321]
/lib64/libc.so.6(__libc_start_main+0xed)[0x3000c2159d]
mandb[0x403679]

...
ult_src: File /usr/share/man/man8/dpns-shutdown.8.gz in mantree /usr/share/man
ult_softlink: (/usr/lib64/dpm-mysql/dpns-shutdown.8.gz)
"dpns-shutdown - shutdown the name server"
record = 'dpns-shutdown - shutdown the name server'
trace->names[0] = '/usr/share/man/man8/dpns-shutdown.8.gz'
trace->names[1] = '/usr/lib64/dpm-mysql/dpns-shutdown.8.gz'
name = 'dpns-shutdown', id = B

test_manfile(): link not in cache:
 source = /usr/share/man/man8/dpnsdaemon.8.gz
 target = /usr/lib64/dpm-mysql/dpnsdaemon.8.gz

ult_src: File /usr/share/man/man8/dpnsdaemon.8.gz in mantree /usr/share/man
ult_softlink: (/usr/lib64/dpm-mysql/dpnsdaemon.8.gz)
"dpnsdaemon - start the name server"
record = 'dpnsdaemon - start the name server'
trace->names[0] = '/usr/share/man/man8/dpnsdaemon.8.gz'
trace->names[1] = '/usr/lib64/dpm-mysql/dpnsdaemon.8.gz'
name = 'dpnsdaemon', id = B

test_manfile(): link not in cache:
 source = /usr/share/man/man8/dpm-srmv1.8.gz
 target = /usr/lib64/dpm-mysql/dpm-srmv1.8.gz

ult_src: File /usr/share/man/man8/dpm-srmv1.8.gz in mantree /usr/share/man
ult_softlink: (/usr/lib64/dpm-mysql/dpm-srmv1.8.gz)
"srmv1 - start the SRM v1 server"
record = 'srmv1 - start the SRM v1 server'
trace->names[0] = '/usr/share/man/man8/dpm-srmv1.8.gz'
trace->names[1] = '/usr/lib64/dpm-mysql/dpm-srmv1.8.gz'
mandb: warning: /usr/lib64/dpm-mysql/dpm-srmv1.8.gz: ignoring bogus filename




-rw-r--r-- 1 root root 1401 2011-02-12 15:19:08.000000000 +0200 /usr/lib64/dpm-mysql/dpm-srmv1.8.gz
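
An added triage example, not part of the original thread or of man-db: it reduces the two glibc abort reports (Description and Comment 5) to a crash signature and names the frames using the gdb `bt` from the Description, showing both aborts follow the same path into `store_descriptions`. The function names `crash_signature`, `gdb_symbols` and `symbolize` are hypothetical, and it assumes both reports come from the same non-PIE build of `mandb`.

```python
import re

# glibc abort header, backtrace frame ("mandb[0x406124]") and gdb `bt` line.
HEADER = re.compile(r"\*\*\* glibc detected \*\*\* (\S+): (.+): 0x[0-9a-f]+ \*\*\*")
FRAME = re.compile(r"^(\S+?)(?:\(.*\))?\[0x([0-9a-f]+)\]$")
GDB = re.compile(r"^#\d+\s+0x([0-9a-f]+) in (\w+) \(")

def crash_signature(report):
    """Return (program, message, frame addresses inside the program itself).
    The freed pointer and the libc frames differ between runs and libc
    builds, so they are left out. Assumption: same non-PIE program build."""
    prog, msg = HEADER.search(report).groups()
    frames = tuple(int(m[2], 16) for line in report.splitlines()
                   if (m := FRAME.match(line.strip())) and m[1] == prog)
    return prog, msg, frames

def gdb_symbols(bt):
    """Map frame address -> function name from gdb `bt` output."""
    return {int(m[1], 16): m[2] for line in bt.splitlines()
            if (m := GDB.match(line.strip()))}

def symbolize(frames, symbols):
    """Name each frame; unknown addresses stay as hex."""
    return [symbols.get(addr, hex(addr)) for addr in frames]

# Inputs abridged from the Description and Comment 5 on this page.
DESCRIPTION = """\
*** glibc detected *** mandb: double free or corruption (fasttop): 0x00000000026fde30 ***
/lib64/libc.so.6[0x3004c788aa]
mandb[0x406124]
mandb[0x403e44]
mandb[0x4041d4]
"""
COMMENT_5 = """\
*** glibc detected *** mandb: double free or corruption (fasttop): 0x000000000246f360 ***
/lib64/libc.so.6[0x3000c78646]
mandb[0x406124]
mandb[0x403e44]
mandb[0x4041d4]
"""
GDB_BT = """\
#4  0x0000000000406124 in store_descriptions ()
#5  0x0000000000403e44 in test_manfile ()
#6  0x00000000004041d4 in testmandirs ()
"""

if __name__ == "__main__":
    print("same crash:", crash_signature(DESCRIPTION) == crash_signature(COMMENT_5))
    print(symbolize(crash_signature(COMMENT_5)[2], gdb_symbols(GDB_BT)))
```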

Comment 6 Peter Schiffer 2011-10-06 08:01:45 UTC
Hello,

Thank you for the provided information. I was able to reproduce the bug and write a patch. Please, could you test this scratch build and confirm that it's working for you?

http://koji.fedoraproject.org/koji/taskinfo?taskID=3409004

Thanks.
peter

Comment 7 Sami Farin 2011-10-06 12:33:48 UTC
It now runs without crashing.

Comment 8 Peter Schiffer 2011-10-06 14:05:59 UTC
Thanks for the confirmation.

Fixed in:
man-db-2.6.0.2-3.fc17
http://koji.fedoraproject.org/koji/buildinfo?buildID=267240
