Comment 3 for bug 893605
Ppluzhnikov-google (ppluzhnikov-google) wrote:

I've reproduced the gnucash crash.

The actual crash stack trace is (using 2.15~pre6-0ubuntu2):

#0 do_lookup_x (new_hash=2334765441, old_hash=<optimized out>, result=0x7fffffffdb60, scope=<optimized out>, i=0, flags=2, skip=0x0, undef_map=0x7ffff7ff8000) at dl-lookup.c:98
#1 0x00007ffff7de44e3 in _dl_lookup_symbol_x (undef_name=0x7ffff272e0c0 "g_module_check_init", undef_map=0x7ffff7ff8000, ref=0x7fffffffdc80, symbol_scope=0x7ffff7ff8388, version=0x0, type_class=0, flags=2, skip_map=0x0) at dl-lookup.c:739
#2 0x00007ffff57a041a in do_sym (handle=<optimized out>, name=0x7ffff272e0c0 "g_module_check_init", who=<optimized out>, vers=<optimized out>, flags=2) at dl-sym.c:178
#3 0x00007fffeace7044 in dlsym_doit (a=0x7fffffffde50) at dlsym.c:51
#4 0x00007ffff7de90f6 in _dl_catch_error (objname=0x611410, errstring=0x611418, mallocedp=0x611408, operate=0x7fffeace7030 <dlsym_doit>, args=0x7fffffffde50) at dl-error.c:178
#5 0x00007fffeace752f in _dlerror_run (operate=0x7fffeace7030 <dlsym_doit>, args=0x7fffffffde50) at dlerror.c:164
#6 0x00007fffeace709a in __dlsym (handle=<optimized out>, name=<optimized out>) at dlsym.c:71
#7 0x00007ffff272d3f0 in g_module_symbol () from /usr/lib/x86_64-linux-gnu/libgmodule-2.0.so.0
#8 0x00007ffff272d8aa in g_module_open () from /usr/lib/x86_64-linux-gnu/libgmodule-2.0.so.0
#9 0x00007ffff70de17e in ?? () from /usr/lib/gnucash/libgnc-module.so.0
#10 0x00007ffff70de468 in gnc_module_load () from /usr/lib/gnucash/libgnc-module.so.0
#11 0x0000000000405cd5 in _start ()

The problem appears to be that the map->l_local_scope in frame #2
is corrupt:

(gdb) p map.l_name
$16 = 0x7ffff7ffafa8 "/usr/lib/gnucash/gnucash/libgncmod-app-utils.so"
(gdb) p map.l_local_scope
$17 = {0x7ffff7ff82b8, 0x0}
(gdb) p map.l_local_scope[0]
$18 = (struct r_scope_elem *) 0x7ffff7ff82b8
(gdb) p map.l_local_scope[0][0]
$19 = {r_list = 0x63bb48, r_nlist = 56}
(gdb) p map.l_local_scope[0][0].r_list[0]
$20 = (struct link_map *) 0x51

Back in frame #0:

(gdb) x/i $pc
=> 0x7ffff7de3b32 <do_lookup_x+146>: mov 0x28(%rax),%rsi
(gdb) p/x $rax
$21 = 0x51

The value 0x51 is written into 0x63bb48 here:
Hardware watchpoint 1: *(int**)0x0063bb48

Old value = (int *) 0x301
New value = (int *) 0x51
_int_malloc (av=0x7ffff5a27720, bytes=64) at malloc.c:3586
3586 in malloc.c
(gdb) bt
#0 _int_malloc (av=0x7ffff5a27720, bytes=64) at malloc.c:3586
#1 0x00007ffff56f3495 in __libc_calloc (n=<optimized out>, elem_size=<optimized out>) at malloc.c:3274
#2 0x00007ffff5c983e1 in g_malloc0 () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#3 0x00007ffff2e74bd6 in ?? () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#4 0x00007ffff2e790b2 in g_type_register_static () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#5 0x00007ffff2e5bd7b in g_flags_register_static () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#6 0x00007ffff3ecadf3 in gnome_date_edit_flags_get_type () from /usr/lib/libgnomeui-2.so.0
#7 0x00007ffff3eff365 in gnome_type_init () from /usr/lib/libgnomeui-2.so.0
#8 0x00007ffff3ed84eb in ?? () from /usr/lib/libgnomeui-2.so.0
#9 0x00007ffff678683e in gnome_program_preinit () from /usr/lib/libgnome-2.so.0
#10 0x00007ffff678751e in ?? () from /usr/lib/libgnome-2.so.0
#11 0x00007ffff678779d in gnome_program_initv () from /usr/lib/libgnome-2.so.0
#12 0x00007ffff678788f in gnome_program_init () from /usr/lib/libgnome-2.so.0
#13 0x00007ffff78cba16 in gnc_gnome_init () from /usr/lib/gnucash/gnucash/libgncmod-gnome-utils.so
#14 0x00000000004064a3 in main ()

So it's pretty clear that map.l_local_scope[0][0].r_list is dangling.
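A note on why the value 0x51 points at the heap allocator, as an added example that is not part of the bug report and not glibc's own code. On x86-64 glibc a malloc chunk's size word is the chunk size (a multiple of 16, at least 32) with its low three bits used as flags, PREV_INUSE being bit 0; a 64-byte request (the calloc(…, 64) in the watchpoint backtrace) rounds to an 0x50-byte chunk, so the size word written for it is 0x50 | 1 = 0x51. That is consistent with the freed r_list storage having been carved up again by _int_malloc. The small classifier below decodes a register value along those lines (the pointer-range heuristic and the function names are this example's own assumptions), using the values from the gdb session above as input:

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Triage helper for a register that should hold a pointer but holds a small
 * integer (0x51 in %rax in the do_lookup_x frame above): does the value decode
 * as a glibc malloc chunk size word?  Assumed layout: glibc malloc on x86-64
 * (SIZE_SZ = 8, MALLOC_ALIGNMENT = 16, MINSIZE = 32), low three size bits = flags.
 */
#define SIZE_SZ        8u
#define MALLOC_ALIGN   16u
#define MIN_CHUNK_SIZE 32u
#define PREV_INUSE     0x1u
#define IS_MMAPPED     0x2u
#define NON_MAIN_ARENA 0x4u
#define SIZE_BITS      (PREV_INUSE | IS_MMAPPED | NON_MAIN_ARENA)

/* Heuristic (this example's assumption): an x86-64 user-space object pointer
 * lies above mmap_min_addr (default 65536), below the canonical hole, 8-aligned. */
#define USER_PTR_MIN   0x10000ull
#define USER_PTR_MAX   0x00007fffffffffffull

enum value_kind { VK_NULL, VK_CHUNK_SIZE, VK_POINTER_LIKE, VK_OTHER };

struct chunk_guess {
    enum value_kind kind;
    size_t chunk_size;   /* size word with the flag bits cleared */
    unsigned flags;      /* PREV_INUSE / IS_MMAPPED / NON_MAIN_ARENA */
    size_t max_request;  /* largest malloc request that produces this chunk size */
};

/* glibc's request2size(): round a request up to chunk granularity. */
size_t request2size(size_t req)
{
    size_t s = (req + SIZE_SZ + MALLOC_ALIGN - 1) & ~(size_t)(MALLOC_ALIGN - 1);
    return s < MIN_CHUNK_SIZE ? MIN_CHUNK_SIZE : s;
}

struct chunk_guess classify_value(uint64_t v)
{
    struct chunk_guess g = { VK_OTHER, 0, 0, 0 };
    if (v == 0) {
        g.kind = VK_NULL;
        return g;
    }
    if (v >= USER_PTR_MIN && v <= USER_PTR_MAX && (v & 7) == 0) {
        g.kind = VK_POINTER_LIKE;   /* may still be stale, but it is shaped like a pointer */
        return g;
    }
    uint64_t size = v & ~(uint64_t)SIZE_BITS;
    if (size >= MIN_CHUNK_SIZE && (size % MALLOC_ALIGN) == 0) {
        g.kind = VK_CHUNK_SIZE;
        g.chunk_size = (size_t)size;
        g.flags = (unsigned)(v & SIZE_BITS);
        /* Inverse of request2size: chunk_size - SIZE_SZ is the largest request
         * that still rounds to this chunk size (the chunk's usable bytes). */
        g.max_request = (size_t)size - SIZE_SZ;
    }
    return g;
}

/* Address a faulting "mov disp(%reg),..." touches when %reg holds v. */
uint64_t fault_address(uint64_t v, uint64_t disp) { return v + disp; }

/* Would a request of `req` bytes produce exactly the chunk size encoded in v? */
int request_matches_size_field(size_t req, uint64_t v)
{
    struct chunk_guess g = classify_value(v);
    return g.kind == VK_CHUNK_SIZE && request2size(req) == g.chunk_size;
}

int main(void)
{
    /* Inputs taken from the gdb session in the comment above. */
    uint64_t samples[] = { 0x51, 0x301, 0x7ffff7ff82b8ull, 0x63bb48 };
    static const char *names[] = { "null", "malloc chunk size word", "pointer-like", "other" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct chunk_guess g = classify_value(samples[i]);
        printf("%#llx: %s", (unsigned long long)samples[i], names[g.kind]);
        if (g.kind == VK_CHUNK_SIZE)
            printf(" (chunk %#zx, flags %#x, fits requests up to %zu bytes)",
                   g.chunk_size, g.flags, g.max_request);
        printf("\n");
    }
    printf("calloc(1, 64) rounds to chunk %#zx; 0x51 matches: %d\n",
           request2size(64), request_matches_size_field(64, 0x51));
    printf("mov 0x28(%%rax) with rax=0x51 faults at %#llx\n",
           (unsigned long long)fault_address(0x51, 0x28));
    return 0;
}
```

The same decoding explains the watchpoint's old value: 0x301 is a 0x300-byte chunk with PREV_INUSE set, so 0x63bb48 was already serving as a size word before the 64-byte calloc split a smaller chunk off it, which is what a freed array's storage looks like once the allocator has reclaimed it.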