From: Jason Evans <jasone@freebsd.org>
To: Steve Kargl
Cc: freebsd-current@freebsd.org
Date: Thu, 2 Aug 2012 16:21:20 -0700
Subject: Re: possible je-malloc issue
In-Reply-To: <20120802223246.GA35208@troutmask.apl.washington.edu>
List-Id: Discussions about the use of FreeBSD-current

On Aug 2, 2012, at 3:32 PM, Steve Kargl wrote:

> Libc built today.
> Start X with fvwm window manager.
> Open xterm and su to root.
>
> 1. Use nedit to edit a file and close.
>
> fvwm drops core.  If fvwm does not drop core repeat 1 until
> she does.
>
> (gdb) bt
> #0  0x4841e294 in __jemalloc_arena_mapbits_get (chunk=0x8000000, pageind=245)
>     at /usr/src/lib/libc/../../contrib/jemalloc/include/jemalloc/internal/arena.h:502
> #1  0x4841e2c4 in __jemalloc_arena_mapbits_allocated_get (chunk=0x8000000,
>     pageind=245)
>     at /usr/src/lib/libc/../../contrib/jemalloc/include/jemalloc/internal/arena.h:581
> #2  0x4841e739 in __jemalloc_arena_salloc (ptr=0x80f58e0, demote=false)
>     at /usr/src/lib/libc/../../contrib/jemalloc/include/jemalloc/internal/arena.h:902
> #3  0x48423dd1 in __jemalloc_isalloc (ptr=0x8000000, demote=false)
>     at /usr/src/lib/libc/../../contrib/jemalloc/include/jemalloc/internal/jemalloc_internal.h:791
> #4  0x4842408e in free (ptr=0x80f58e0) at jemalloc_jemalloc.c:1212
> #5  0x48164b7d in XFree (data=0x80f58e0) at XlibInt.c:1701
> #6  0x080c4f2f in FlocaleFreeNameProperty (ptext=0xbfbfcfb4) at Flocale.c:2363
> #7  0x0806d3ab in HandlePropertyNotify (ea=0xbfbfd014) at events.c:3422
> #8  0x0806c369 in dispatch_event (e=0xbfbfd044) at events.c:4135
> #9  0x0806ca5f in HandleEvents () at events.c:4179
> #10 0x0808e06e in main (argc=1, argv=0xbfbfd7ac) at fvwm.c:2591
> (gdb) frame 4
> #4  0x4842408e in free (ptr=0x80f58e0) at jemalloc_jemalloc.c:1212
> 1212            usize = isalloc(ptr, config_prof);
> (gdb) print *ptr
> Attempt to dereference a generic pointer.
> (gdb) up 1
> #5  0x48164b7d in XFree (data=0x80f58e0) at XlibInt.c:1701
> 1701    XlibInt.c: No such file or directory.
> (gdb) print *data
> Attempt to dereference a generic pointer.
> (gdb) up 1
> #6  0x080c4f2f in FlocaleFreeNameProperty (ptext=0xbfbfcfb4) at Flocale.c:2363
> 2363    Flocale.c: No such file or directory.
> (gdb) print *ptext
> $5 = {name = 0x80f58e0 "Untitled", name_list = 0x0}

jemalloc is asserting that the page which contains 0x80f58e0 is allocated according to the containing chunk's page map, but the chunk header isn't even mapped, and the attempted read causes a segfault.  This is almost certainly a result of calling free() with a bogus pointer.

Jason
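The following is an added example, not code from this thread and not jemalloc's own source. It is a toy model of the lookup that free() performs, written to show why the backtrace reads a chunk header at 0x8000000 for a pointer of 0x80f58e0 and lands on page index 245, and how an ivsalloc()-style check that consults the allocator's chunk registry before touching the header turns the same bogus pointer into a reportable "not ours" result instead of a fault. The 4 MiB chunk and 4 KiB page sizes are assumed (they are the jemalloc 3.x defaults on i386 and reproduce the numbers in the trace); the owned chunk at 0x9000000 and the names chunk_hdr, rtree_get, validated_lookup and run_checks are constructed for the example.

```c
/*
 * Added example, not code from the thread or from jemalloc itself: a toy
 * model of the address arithmetic and chunk lookup behind the backtrace.
 * Assumed (not stated in the thread): 4 MiB chunks and 4 KiB pages, the
 * jemalloc 3.x defaults on i386 FreeBSD.  The chunk at 0x9000000 is a
 * constructed stand-in for a chunk the allocator really owns.
 */
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define LG_CHUNK     22
#define LG_PAGE      12
#define CHUNK_SIZE   ((uintptr_t)1 << LG_CHUNK)
#define CHUNK_MASK   (CHUNK_SIZE - 1)
#define CHUNK_NPAGES (CHUNK_SIZE >> LG_PAGE)      /* 1024 pages per chunk */

/* Toy chunk header: jemalloc keeps its per-page map (arena_chunk_map_t) here. */
struct chunk_hdr {
    uintptr_t base;
    bool      allocated[CHUNK_NPAGES];
};

/* Toy chunks_rtree: the chunk bases this allocator actually owns. */
#define MAX_CHUNKS 4
static struct chunk_hdr *chunks[MAX_CHUNKS];
static size_t            nchunks;

/* CHUNK_ADDR2BASE(): the header address free() will read for this pointer. */
static uintptr_t chunk_addr2base(uintptr_t ptr) { return ptr & ~CHUNK_MASK; }

/* Page index within the chunk: the pageind argument seen in the backtrace. */
static size_t chunk_pageind(uintptr_t ptr) { return (size_t)((ptr & CHUNK_MASK) >> LG_PAGE); }

static void register_chunk(struct chunk_hdr *c, uintptr_t base) {
    c->base = base;
    for (size_t i = 0; i < CHUNK_NPAGES; i++) c->allocated[i] = false;
    chunks[nchunks++] = c;
}

/* rtree_get(): header of the chunk containing ptr, or NULL if it is not ours. */
static struct chunk_hdr *rtree_get(uintptr_t ptr) {
    uintptr_t base = chunk_addr2base(ptr);
    for (size_t i = 0; i < nchunks; i++)
        if (chunks[i]->base == base) return chunks[i];
    return NULL;
}

enum lookup { LOOKUP_ALLOCATED, LOOKUP_UNALLOCATED_PAGE, LOOKUP_FOREIGN_POINTER };

/*
 * ivsalloc()-style lookup: consult the chunk registry *before* touching the
 * header.  The plain free() -> isalloc() -> arena_salloc() path has no such
 * step and dereferences chunk_addr2base(ptr) directly; for the pointer in
 * the report that is 0x8000000, a chunk jemalloc never mapped, hence the
 * SIGSEGV inside arena_mapbits_get().
 */
static enum lookup validated_lookup(uintptr_t ptr) {
    struct chunk_hdr *c = rtree_get(ptr);
    if (c == NULL) return LOOKUP_FOREIGN_POINTER;
    return c->allocated[chunk_pageind(ptr)] ? LOOKUP_ALLOCATED : LOOKUP_UNALLOCATED_PAGE;
}

/* Constructed scenario: one owned chunk with page 3 in use, plus the bogus pointer. */
static struct chunk_hdr demo_chunk;
static const uintptr_t  DEMO_BASE = 0x9000000u;   /* constructed, not from the report */
static const uintptr_t  BOGUS_PTR = 0x80f58e0u;   /* the pointer XFree() handed to free() */

/* Returns 1 when every lookup classifies its pointer as expected. */
static int run_checks(void) {
    if (nchunks == 0) {
        register_chunk(&demo_chunk, DEMO_BASE);
        demo_chunk.allocated[3] = true;
    }
    int ok = 1;
    ok &= validated_lookup(DEMO_BASE + 3 * (1u << LG_PAGE) + 0x10) == LOOKUP_ALLOCATED;
    ok &= validated_lookup(DEMO_BASE + 4 * (1u << LG_PAGE)) == LOOKUP_UNALLOCATED_PAGE;
    ok &= validated_lookup(BOGUS_PTR) == LOOKUP_FOREIGN_POINTER;
    return ok;
}

int main(void) {
    int ok = run_checks();
    printf("chunk=0x%lx pageind=%zu\n",
           (unsigned long)chunk_addr2base(BOGUS_PTR), chunk_pageind(BOGUS_PTR));
    printf("validated lookups behave as expected: %s\n", ok ? "yes" : "no");
    return ok ? 0 : 1;
}
```

Running it prints chunk=0x8000000 pageind=245, the same values gdb shows in frames #0 and #1, which is how one confirms that the faulting read is the chunk-header lookup for the pointer XFree() passed down rather than some unrelated corruption. The second lookup (a pointer into an owned chunk but an unallocated page) is the case jemalloc's debug assertion would catch; the third is the case from this report, where there is no header at all to consult, so only a registry check made before the dereference can report it gracefully.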