Date: Thu, 2 Aug 2012 16:36:35 -0700
From: Steve Kargl <sgk@troutmask.apl.washington.edu>
To: Jason Evans <jasone@freebsd.org>
Cc: freebsd-current@freebsd.org
Subject: Re: possible je-malloc issue
Message-ID: <20120802233635.GA35429@troutmask.apl.washington.edu>
In-Reply-To: <F4BC8216-1C76-4E21-85AC-B8F800B7A97D@freebsd.org>
References: <20120802223246.GA35208@troutmask.apl.washington.edu> <F4BC8216-1C76-4E21-85AC-B8F800B7A97D@freebsd.org>

On Thu, Aug 02, 2012 at 04:21:20PM -0700, Jason Evans wrote:
> On Aug 2, 2012, at 3:32 PM, Steve Kargl wrote:
> > (gdb) print *ptr
> > Attempt to dereference a generic pointer.
> > (gdb) up 1
> > #5 0x48164b7d in XFree (data=0x80f58e0) at XlibInt.c:1701
> > 1701 XlibInt.c: No such file or directory.
> > (gdb) print *data
> > Attempt to dereference a generic pointer.
> > (gdb) up 1
> > #6 0x080c4f2f in FlocaleFreeNameProperty (ptext=0xbfbfcfb4) at Flocale.c:2363
> > 2363 Flocale.c: No such file or directory.
> > (gdb) print *ptext
> > $5 = {name = 0x80f58e0 "Untitled", name_list = 0x0}
>
> jemalloc is asserting that the page which contains 0x80f58e0 is allocated
> according to the containing chunk's page map, but the chunk header isn't
> even mapped, and the attempted read causes a segfault. This is almost
> certainly a result of calling free() with a bogus pointer.
>

I suspect, but cannot prove it yet, that ptext->name points at a
static buffer. I'm trying to understand the code now. The failure
starts in

void FlocaleFreeNameProperty(FlocaleNameString *ptext)
{
    if (ptext->name_list != NULL)
    {
        if (ptext->name != NULL && ptext->name != *ptext->name_list)
            XFree(ptext->name);
        XFreeStringList(ptext->name_list);
        ptext->name_list = NULL;
    }
    else if (ptext->name != NULL)
    {
        XFree(ptext->name);
    }
    ptext->name = NULL;

    return;
}

In the code the XFree(ptext->name) appears protected by the check for
a NULL pointer, but it appears that 0x80f58e0 is invalid. I don't know
how to check for a non-NULL invalid pointer. I suppose I can hack fvwm
to leak memory at worst.

--
Steve
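
Added example, not part of the original message and not fvwm or Xlib code: standard C has no portable test for whether a non-NULL pointer came from malloc(), so a NULL check cannot guard free(). One alternative is to record ownership at the point where the pointer is set. The struct, the flag and all function names below are hypothetical, and only the `name` field is handled.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical variant of the struct in the message: the same two fields
 * plus an ownership flag. Not the fvwm definition. */
typedef struct {
    char  *name;
    char **name_list;      /* kept for shape only; not handled here */
    int    name_is_heap;   /* 1 only when name came from malloc() */
} OwnedNameString;

static int free_calls;     /* counts real free() calls so tests can check */
int name_free_calls(void) { return free_calls; }

/* Point name at storage the struct does not own (literal, static buffer). */
void name_set_static(OwnedNameString *p, const char *s)
{
    p->name = (char *)s;
    p->name_is_heap = 0;
}

/* Give the struct its own heap copy. Returns 0 on success, -1 on failure. */
int name_set_copy(OwnedNameString *p, const char *s)
{
    size_t n = strlen(s) + 1;
    char *copy = malloc(n);
    if (copy == NULL)
        return -1;
    memcpy(copy, s, n);
    p->name = copy;
    p->name_is_heap = 1;
    return 0;
}

/* Release: free() is reached only for pointers recorded as heap-owned,
 * so a non-NULL pointer to static storage is dropped, never freed. */
void name_release(OwnedNameString *p)
{
    if (p->name != NULL && p->name_is_heap) {
        free(p->name);
        free_calls++;
    }
    p->name = NULL;
    p->name_is_heap = 0;
}

int main(void)
{
    OwnedNameString t = {0};
    name_set_static(&t, "Untitled");   /* constructed sample value */
    name_release(&t);
    printf("free() calls after releasing a static name: %d\n", name_free_calls());
    return 0;
}
```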