Ubuntu
man-db package

mandb crashed with SIGABRT in __libc_message()

Bug #917969 reported by rielgenius1688 on 2012-01-18

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	man-db (Fedora)	Fix Released	High	redhat-bugs #702904
	man-db (Ubuntu)	Fix Released	Medium	Unassigned

Bug Description

Just browsing web using chrome on Alpha of 12.04

ProblemType: Crash
DistroRelease: Ubuntu 12.04
Package: man-db 2.6.0.2-3
ProcVersionSignature: Ubuntu 3.2.0-9.16-generic 3.2.1
Uname: Linux 3.2.0-9-generic x86_64
ApportVersion: 1.90-0ubuntu2
Architecture: amd64
CrashCounter: 1
Date: Tue Jan 17 19:59:26 2012
ExecutablePath: /usr/bin/mandb
InstallationMedia: Ubuntu 11.10 "Oneiric Ocelot" - Release amd64 (20111012)
ProcCmdline: /usr/bin/mandb --no-purge --quiet
ProcEnviron:
PATH=(custom, no user)
SHELL=/bin/sh
Signal: 6
SourcePackage: man-db
StacktraceTop:
raise () from /lib/x86_64-linux-gnu/libc.so.6
abort () from /lib/x86_64-linux-gnu/libc.so.6
?? () from /lib/x86_64-linux-gnu/libc.so.6
?? () from /lib/x86_64-linux-gnu/libc.so.6
free () from /lib/x86_64-linux-gnu/libc.so.6
Title: mandb crashed with SIGABRT in raise()
UpgradeStatus: Upgraded to precise on 2012-01-16 (1 days ago)
UserGroups:

Tags:

Revision history for this message

In Red Hat Bugzilla #702904, Sami (sami-redhat-bugs) wrote on 2011-05-08:

Download full text (5.1 KiB)

Description of problem:

*** glibc detected *** mandb: double free or corruption ======= Backtrace: =========
/lib64/libc.so.6[0x3004c788aa]
mandb[0x406124]
mandb[0x403e44]
mandb[0x4041d4]
mandb[0x404e9e]
mandb[0x40beba]
mandb[0x40c3db]
mandb[0x403321]
/lib64/libc.so.6(__libc_start_main+ ======= Memory map: ========
00400000-0041f000 r-xp 00000000 08:17 422029258 0061e000-0061f000 rw-p 0001e000 08:17 422029258 0061f000-00622000 rw-p 00000000 00:00 0
01561000-0270c000 rw-p 00000000 00:00 0 3000000000-3000021000 r-xp 00000000 08:11 3979416 3000220000-3000221000 r--p 00020000 08:11 3979416 3000221000-3000222000 rw-p 00021000 08:11 3979416 3000222000-3000223000 rw-p 00000000 00:00 0
3003400000-3003415000 r-xp 00000000 08:11 3944741 3003415000-3003614000 ---p 00015000 08:11 3944741 3003614000-3003615000 rw-p 00014000 08:11 3944741 3004c00000-3004d92000 r-xp 00000000 08:11 3979417 3004d92000-3004f92000 ---p 00192000 08:11 3979417 3004f92000-3004f96000 r--p 00192000 08:11 3979417 3004f96000-3004f97000 rw-p 00196000 08:11 3979417 3004f97000-3004f9d000 rw-p 00000000 00:00 0
300e800000-300e816000 r-xp 00000000 08:11 3979845 300e816000-300ea16000 ---p 00016000 08:11 3979845 300ea16000-300ea17000 rw-p 00016000 08:11 3979845 7f749813f000-7f749dfd0000 r--p 00000000 08:17 279829358 7f749dfd0000-7f749dfd4000 rw-p 00000000 7f749dfd4000-7f749dfe0000 r-xp 00000000 08:17 403512846 7f749dfe0000-7f749e1e0000 ---p 0000c000 08:17 403512846 7f749e1e0000-7f749e1e1000 rw-p 0000c000 08:17 403512846 7f749e1e1000-7f749e1e6000 r-xp 00000000 08:17 441186495 7f749e1e6000-7f749e3e5000 ---p 00005000 08:17 441186495 7f749e3e5000-7f749e3e6000 rw-p 00004000 08:17 441186495 7f749e46d000-7f749e474000 r--s 00000000 08:17 268994114 7f749e474000-7f749e492000 r-xp 00000000 08:17 9406526 7f749e492000-7f749e691000 ---p 0001e000 08:17 9406526 7f749e691000-7f749e693000 rw-p 0001d000 (fasttop): 0x00000000026fde30 ***
/>0xed)[0x3004c2143d]
/usr/bin/mandb
/usr/bin/mandb
[heap]
/lib64/ld-2.13.90.so
/lib64/ld-2.13.90.so
/lib64/ld-2.13.90.so
/lib64/libgcc_s-4.6.0-20110419.so.1
/lib64/libgcc_s-4.6.0-20110419.so.1
/lib64/libgcc_s-4.6.0-20110419.so.1
/lib64/libc-2.13.90.so
/lib64/libc-2.13.90.so
/lib64/libc-2.13.90.so
/lib64/libc-2.13.90.so
/lib64/libz.so.1.2.5
/lib64/libz.so.1.2.5
/lib64/libz.so.1.2.5
/usr/lib/locale/locale-archive
00:00 0
/usr/lib64/libpipeline.so.1.2.0
/usr/lib64/libpipeline.so.1.2.0
/usr/lib64/libpipeline.so.1.2.0
/usr/lib64/libgdbm.so.3.0.0
/usr/lib64/libgdbm.so.3.0.0
/usr/lib64/libgdbm.so.3.0.0
/usr/lib64/gconv/gconv-modules.cache
/usr/lib64/man-db/libman-2.6.0.2.so
/usr/lib64/man-db/libman-2.6.0.2.so
08:17 940652...

Description of problem:

*** glibc detected *** mandb: double free or corruption (fasttop): 0x00000000026fde30 ***
======= Backtrace: =========
/lib64/libc.so.6[0x3004c788aa]
mandb[0x406124]
mandb[0x403e44]
mandb[0x4041d4]
mandb[0x404e9e]
mandb[0x40beba]
mandb[0x40c3db]
mandb[0x403321]
/lib64/libc.so.6(__libc_start_main+0xed)[0x3004c2143d]
mandb[0x403679]
======= Memory map: ========
00400000-0041f000 r-xp 00000000 08:17 422029258                          /usr/bin/mandb
0061e000-0061f000 rw-p 0001e000 08:17 422029258                          /usr/bin/mandb
0061f000-00622000 rw-p 00000000 00:00 0 
01561000-0270c000 rw-p 00000000 00:00 0                                  [heap]
3000000000-3000021000 r-xp 00000000 08:11 3979416                        /lib64/ld-2.13.90.so
3000220000-3000221000 r--p 00020000 08:11 3979416                        /lib64/ld-2.13.90.so
3000221000-3000222000 rw-p 00021000 08:11 3979416                        /lib64/ld-2.13.90.so
3000222000-3000223000 rw-p 00000000 00:00 0 
3003400000-3003415000 r-xp 00000000 08:11 3944741                        /lib64/libgcc_s-4.6.0-20110419.so.1
3003415000-3003614000 ---p 00015000 08:11 3944741                        /lib64/libgcc_s-4.6.0-20110419.so.1
3003614000-3003615000 rw-p 00014000 08:11 3944741                        /lib64/libgcc_s-4.6.0-20110419.so.1
3004c00000-3004d92000 r-xp 00000000 08:11 3979417                        /lib64/libc-2.13.90.so
3004d92000-3004f92000 ---p 00192000 08:11 3979417                        /lib64/libc-2.13.90.so
3004f92000-3004f96000 r--p 00192000 08:11 3979417                        /lib64/libc-2.13.90.so
3004f96000-3004f97000 rw-p 00196000 08:11 3979417                        /lib64/libc-2.13.90.so
3004f97000-3004f9d000 rw-p 00000000 00:00 0 
300e800000-300e816000 r-xp 00000000 08:11 3979845                        /lib64/libz.so.1.2.5
300e816000-300ea16000 ---p 00016000 08:11 3979845                        /lib64/libz.so.1.2.5
300ea16000-300ea17000 rw-p 00016000 08:11 3979845                        /lib64/libz.so.1.2.5
7f749813f000-7f749dfd0000 r--p 00000000 08:17 279829358                  /usr/lib/locale/locale-archive
7f749dfd0000-7f749dfd4000 rw-p 00000000 00:00 0 
7f749dfd4000-7f749dfe0000 r-xp 00000000 08:17 403512846                  /usr/lib64/libpipeline.so.1.2.0
7f749dfe0000-7f749e1e0000 ---p 0000c000 08:17 403512846                  /usr/lib64/libpipeline.so.1.2.0
7f749e1e0000-7f749e1e1000 rw-p 0000c000 08:17 403512846                  /usr/lib64/libpipeline.so.1.2.0
7f749e1e1000-7f749e1e6000 r-xp 00000000 08:17 441186495                  /usr/lib64/libgdbm.so.3.0.0
7f749e1e6000-7f749e3e5000 ---p 00005000 08:17 441186495                  /usr/lib64/libgdbm.so.3.0.0
7f749e3e5000-7f749e3e6000 rw-p 00004000 08:17 441186495                  /usr/lib64/libgdbm.so.3.0.0
7f749e46d000-7f749e474000 r--s 00000000 08:17 268994114                  /usr/lib64/gconv/gconv-modules.cache
7f749e474000-7f749e492000 r-xp 00000000 08:17 9406526                    /usr/lib64/man-db/libman-2.6.0.2.so
7f749e492000-7f749e691000 ---p 0001e000 08:17 9406526                    /usr/lib64/man-db/libman-2.6.0.2.so
7f749e691000-7f749e693000 rw-p 0001d000 08:17 9406526                    /usr/lib64/man-db/libman-2.6.0.2.so
7f749e693000-7f749e695000 rw-p 00000000 00:00 0 
7f749e695000-7f749e69a000 r-xp 00000000 08:17 531549                     /usr/lib64/man-db/libmandb-2.6.0.2.so
7f749e69a000-7f749e899000 ---p 00005000 08:17 531549                     /usr/lib64/man-db/libmandb-2.6.0.2.so
7f749e899000-7f749e89a000 rw-p 00004000 08:17 531549                     /usr/lib64/man-db/libmandb-2.6.0.2.so
7f749e89a000-7f749e89b000 rw-p 00000000 00:00 0 
7fff2c896000-7fff2c8b7000 rw-p 00000000 00:00 0                          [stack]
7fff2c9d7000-7fff2c9d8000 r-xp 00000000 00:00 0                          [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
./man-db.cron: line 25: 10121 Aborted                 mandb $OPTS

Version-Release number of selected component (if applicable):
2.6.0.2-1

How reproducible:
100%

Steps to Reproduce:
1. wait till cronjob runs or start manually
2.
3.
  
Actual results:
crashing

Expected results:
working

Additional info:
I tried running under gdb but the result seemed like fork bomb, does it fork for every man page?

Detaching after fork from child process 7530.
Detaching after fork from child process 7531.
Detaching after fork from child process 7533.

(gdb) bt
#0  0x0000003004c36415 in raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  0x0000003004c37d2b in abort () at abort.c:92
#2  0x0000003004c723b3 in __libc_message (do_abort=2, fmt=0x3004d5cbe8 "*** glibc detected *** %s: %s: 0x%s ***\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:186
#3  0x0000003004c788aa in malloc_printerr (action=3, str=0x3004d5cdd8 "double free or corruption (fasttop)", ptr=<optimized out>) at malloc.c:6283
#4  0x0000000000406124 in store_descriptions ()
#5  0x0000000000403e44 in test_manfile ()
#6  0x00000000004041d4 in testmandirs ()
#7  0x0000000000404e9e in create_db ()
#8  0x000000000040beba in mandb ()
#9  0x000000000040c3db in process_manpath ()
#10 0x0000000000403321 in main ()

Revision history for this message

In Red Hat Bugzilla #702904, Ivana (ivana-redhat-bugs) wrote on 2011-07-04:

Hello,
I can't reproduce this problem, please what do you have in
/etc/sysconfig/man-db?
how often does this bug appear - each time or occasionally?

Revision history for this message

In Red Hat Bugzilla #702904, Sami (sami-redhat-bugs) wrote on 2011-07-04:

CRON="yes"
OPTS="-q"

This bug appears each time I run mandb.
For example, it crashed just 17 seconds ago when I ran it.

Revision history for this message

In Red Hat Bugzilla #702904, Fedora (fedora-redhat-bugs) wrote on 2011-07-12:

This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.

Revision history for this message

In Red Hat Bugzilla #702904, Peter (peter-redhat-bugs) wrote on 2011-09-16:

#10

Hi,

do you still have this problem? If yes, could you post output of:
# mandb --debug

Thanks,
peter

Revision history for this message

In Red Hat Bugzilla #702904, Sami (sami-redhat-bugs) wrote on 2011-09-16:

#11

*** glibc detected *** mandb: double free or corruption (fasttop): 0x000000000246f360 ***
======= Backtrace: =========
/lib64/libc.so.6[0x3000c78646]
mandb[0x406124]
mandb[0x403e44]
mandb[0x4041d4]
mandb[0x404e9e]
mandb[0x40beba]
mandb[0x40c3db]
mandb[0x403321]
/lib64/libc.so.6(__libc_start_main+0xed)[0x3000c2159d]
mandb[0x403679]

...
ult_src: File /usr/share/man/man8/dpns-shutdown.8.gz in mantree /usr/share/man
ult_softlink: (/usr/lib64/dpm-mysql/dpns-shutdown.8.gz)
"dpns-shutdown - shutdown the name server"
record = 'dpns-shutdown - shutdown the name server'
trace->names[0] = '/usr/share/man/man8/dpns-shutdown.8.gz'
trace->names[1] = '/usr/lib64/dpm-mysql/dpns-shutdown.8.gz'
name = 'dpns-shutdown', id = B

test_manfile(): link not in cache:
source = /usr/share/man/man8/dpnsdaemon.8.gz
target = /usr/lib64/dpm-mysql/dpnsdaemon.8.gz

ult_src: File /usr/share/man/man8/dpnsdaemon.8.gz in mantree /usr/share/man
ult_softlink: (/usr/lib64/dpm-mysql/dpnsdaemon.8.gz)
"dpnsdaemon - start the name server"
record = 'dpnsdaemon - start the name server'
trace->names[0] = '/usr/share/man/man8/dpnsdaemon.8.gz'
trace->names[1] = '/usr/lib64/dpm-mysql/dpnsdaemon.8.gz'
name = 'dpnsdaemon', id = B

test_manfile(): link not in cache:
source = /usr/share/man/man8/dpm-srmv1.8.gz
target = /usr/lib64/dpm-mysql/dpm-srmv1.8.gz

ult_src: File /usr/share/man/man8/dpm-srmv1.8.gz in mantree /usr/share/man
ult_softlink: (/usr/lib64/dpm-mysql/dpm-srmv1.8.gz)
"srmv1 - start the SRM v1 server"
record = 'srmv1 - start the SRM v1 server'
trace->names[0] = '/usr/share/man/man8/dpm-srmv1.8.gz'
trace->names[1] = '/usr/lib64/dpm-mysql/dpm-srmv1.8.gz'
mandb: warning: /usr/lib64/dpm-mysql/dpm-srmv1.8.gz: ignoring bogus filename

-rw-r--r-- 1 root root 1401 2011-02-12 15:19:08.000000000 +0200 /usr/lib64/dpm-mysql/dpm-srmv1.8.gz

Revision history for this message

In Red Hat Bugzilla #702904, Peter (peter-redhat-bugs) wrote on 2011-10-06:

#12

Hello,

thank you for provided information. I was able to reproduce the bug and write a patch. Please, could you test this scratch build and confirm that it's working for you?

http://koji.fedoraproject.org/koji/taskinfo?taskID=3409004

Thanks.
peter

Revision history for this message

In Red Hat Bugzilla #702904, Sami (sami-redhat-bugs) wrote on 2011-10-06:

#13

It now runs without crashing.

Revision history for this message

In Red Hat Bugzilla #702904, Peter (peter-redhat-bugs) wrote on 2011-10-06:

#14

Thanks for confirmation.

Fixed in:
man-db-2.6.0.2-3.fc17
http://koji.fedoraproject.org/koji/buildinfo?buildID=267240

Revision history for this message

rielgenius1688 (cramleir) wrote on 2012-01-18:

Dependencies.txt Edit (656 bytes, text/plain; charset="utf-8")
Disassembly.txt Edit (854 bytes, text/plain; charset="utf-8")
ProcMaps.txt Edit (6.1 KiB, text/plain; charset="utf-8")
ProcStatus.txt Edit (769 bytes, text/plain; charset="utf-8")
Registers.txt Edit (714 bytes, text/plain; charset="utf-8")
Stacktrace.txt Edit (962 bytes, text/plain; charset="utf-8")
ThreadStacktrace.txt Edit (986 bytes, text/plain; charset="utf-8")

Revision history for this message

Apport retracing service (apport) wrote on 2012-01-18:

StacktraceTop:
__libc_message (do_abort=2, fmt=0x7effd1c5c158 "*** glibc detected *** %s: %s: 0x%s ***\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:189
malloc_printerr (action=3, str=0x7effd1c5c290 "double free or corruption (fasttop)", ptr=<optimized out>) at malloc.c:6283
__GI___libc_free (mem=<optimized out>) at malloc.c:3738
store_descriptions (head=<optimized out>, info=0x7fff0ac3cd10, path=0x7effd34f19c0 "/usr/share/man", base=0x7effd36a6154 "prl_disk_tool", trace=0x7effd36a57d8) at ../../../src/descriptions_store.c:119
test_manfile (file=0x7effd367e720 "/usr/share/man/man8/prl_disk_tool.8.gz", path=0x7effd34f19c0 "/usr/share/man") at ../../../src/check_mandirs.c:298

Revision history for this message

Apport retracing service (apport) wrote on 2012-01-18: Stacktrace.txt

Stacktrace.txt Edit (6.4 KiB, text/plain)

Revision history for this message

Apport retracing service (apport) wrote on 2012-01-18: ThreadStacktrace.txt

ThreadStacktrace.txt Edit (6.5 KiB, text/plain)

Changed in man-db (Ubuntu):
importance:	Undecided → Medium
summary:	- mandb crashed with SIGABRT in raise() + mandb crashed with SIGABRT in __libc_message()
tags:	removed: need-amd64-retrace

Jean-Baptiste Lallement (jibel) on 2012-01-18

visibility:

private → public

Revision history for this message

Colin Watson (cjwatson) wrote on 2012-02-26:

Red Hat contributed a fix upstream to fix this, and that patch is in man-db 2.6.1, which is in precise. Here's the ChangeLog entry:

Sun Oct 9 00:24:22 BST 2011 Peter Schiffer <email address hidden>

        * src/filenames.c (filename_info): Zero-initialise the contents of
          info to avoid a double-free in store_descriptions (Fedora bug
          #702904).
        * src/tests/mandb-6: New file.
        * src/tests/Makefile.am (ALL_TESTS): Add mandb-6.
        * NEWS: Document this.

Changed in man-db (Ubuntu):
status:	New → Fix Released

Bug Watch Updater (bug-watch-updater) on 2017-10-27

Changed in man-db (Fedora):
importance:	Unknown → High
status:	Unknown → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Bug attachments

Add attachment

Remote bug watches

redhat-bugs #702904
[CLOSED RAWHIDE] Edit

Bug watches keep track of this bug in other bug trackers.

Ubuntuman-db package

mandb crashed with SIGABRT in __libc_message()

Bug Description

Other bug subscribers

Bug attachments

Remote bug watches

Ubuntu
man-db package