length() memory error

Bug #58256 reported by Geraint Bevan
Affects          Status        Importance   Assigned to    Milestone
gawk (Debian)    Fix Released  Unknown
gawk (Ubuntu)    Fix Released  Undecided    Micah Cowan

Bug Description

Binary package hint: gawk

With the text file below (rc_cmp.txt) in the working directory, the following command produces an error

$ cat rc_cmp.txt | gawk '{length($1)}'
*** glibc detected *** double free or corruption (fasttop): 0x080ae700 ***
Aborted

rc_cmp.txt:
## List of components contained in system rc
## File rc_cmp.txt
## Created by mtt on Wed Aug 30 21:09:19 BST 2006

0
1
C:c
R:r
SS:e1
SS:e2

Micah Cowan (micahcowan) wrote :

Confirmed on Dapper, for gawk_3.1.5-2build1

Changed in gawk:
status: Unconfirmed → Confirmed
Micah Cowan (micahcowan) wrote :

gdb backtrace with debugging symbols:

GNU gdb 6.4-debian
Copyright 2005 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i486-linux-gnu"...Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1".

(gdb) run '{length($1)}' rc_cmp.txt
Starting program: /usr/bin/gawk '{length($1)}' rc_cmp.txt
*** glibc detected *** double free or corruption (fasttop): 0x080ac6f0 ***

Program received signal SIGABRT, Aborted.
0xffffe410 in __kernel_vsyscall ()
(gdb) bt
#0 0xffffe410 in __kernel_vsyscall ()
#1 0xb7e689a1 in raise () from /lib/tls/i686/cmov/libc.so.6
#2 0xb7e6a2b9 in abort () from /lib/tls/i686/cmov/libc.so.6
#3 0xb7e9c87a in __fsetlocking () from /lib/tls/i686/cmov/libc.so.6
#4 0xb7ea2fd4 in malloc_usable_size () from /lib/tls/i686/cmov/libc.so.6
#5 0xb7ea334a in free () from /lib/tls/i686/cmov/libc.so.6
#6 0x080707e2 in str2wstr (n=0xb7f6aadc, ptr=0x0) at node.c:710
#7 0x08056887 in do_length (tree=0x80adbe8) at builtin.c:485
#8 0x0807f7fa in r_tree_eval (tree=0x80adc10, iscond=0) at eval.c:991
#9 0x080811b7 in interpret (tree=0x80adc10) at eval.c:877
#10 0x08081291 in interpret (tree=0x80adb70) at eval.c:456
#11 0x0806aa8d in do_input () at io.c:457
#12 0x0806f3b1 in main (argc=3, argv=0xbfbb5db4) at main.c:595
(gdb)

The double free happens within str2wstr(), apparently on the input file's 8th line ("R:r"). I tried various changes to the text file, which produced no difference; however, removing the blank line from the file causes gawk to exit gracefully.

Code such as the following also reproduces the bug. Strangely, changing the length of the line emitted by the non-blank echo seems to change whether the double-free is produced:

  for ((i=0; i!=10; ++i)); do [ $(($i % 2)) -eq 1 ] && echo a || echo; done | gawk '{print length($1)}'

Micah Cowan (micahcowan) wrote :

Confirmed still a problem in feisty.

Micah Cowan (micahcowan)
Changed in gawk:
assignee: nobody → micah-cowan
Micah Cowan (micahcowan) wrote :

glibc isn't "noticing" every time the double-free happens: for instance, a minimal example of «printf "\na\nb\n" | gawk '{length($1)}'» doesn't crash on my system, but running «printf "\na\nb\n" | valgrind gawk '{length($1)}'» produces the error in valgrind's output.

I've isolated the problem, and expect to prepare a patch soon. The bug is that a "Null field" value gets a pointer value written to one of its members (specifically, the one to hold the "wide string" version of its normal string value). The Null field value is used to initialize certain newly created field values, but when that pointer value is encountered, it is freed. Since the Null field value is used to initialize multiple other variables, that pointer value is freed multiple times.

Changed in gawk:
status: Confirmed → In Progress
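The mechanism described in the two comments above (a template node whose heap pointer is copied into many field nodes, each of which later frees it, with glibc only sometimes noticing) can be replayed in isolation. The following is an added illustration, not gawk's source or Micah's patch: the node layout, the names `null_field`, `make_field_buggy`, `make_field_fixed` and `simulate_frees` are hypothetical, and `free()` is routed through a small tracking table so the repeated release is counted instead of aborting the process, the way valgrind reports it even when glibc's heap checks stay quiet.

```c
#include <stdio.h>
#include <stdlib.h>
#include <wchar.h>

enum { WSTRCUR = 1 };                  /* "wide string is current" flag */

/* Shape of a gawk-like string node (hypothetical, reduced for illustration). */
typedef struct node {
    const char *stptr;                 /* narrow string; static text here, not owned */
    size_t      stlen;
    wchar_t    *wstptr;                /* heap-owned wide copy, built on demand */
    size_t      wstlen;
    unsigned    flags;
} node_t;

/* free() tracker: really frees an address the first time, then only counts
 * further releases of it, so a double free is reported instead of aborting. */
#define MAX_TRACK 64
static void *track_ptr[MAX_TRACK];
static int   track_cnt[MAX_TRACK];
static int   ntrack;

static void tracker_reset(void) { ntrack = 0; }

static int tracked_free(void *p) {
    if (p == NULL) return 0;
    for (int i = 0; i < ntrack; i++)
        if (track_ptr[i] == p) return ++track_cnt[i];     /* already released once */
    if (ntrack < MAX_TRACK) { track_ptr[ntrack] = p; track_cnt[ntrack] = 1; ntrack++; }
    free(p);
    return 1;
}

/* Highest number of releases seen for any single address (1 means no double free). */
static int tracker_max(void) {
    int m = 0;
    for (int i = 0; i < ntrack; i++) if (track_cnt[i] > m) m = track_cnt[i];
    return m;
}

/* Build the wide-string view of a node (ASCII only here); length() triggers this. */
static void str2wstr(node_t *n) {
    if (n->flags & WSTRCUR) return;
    n->wstptr = malloc((n->stlen + 1) * sizeof(wchar_t));
    for (size_t i = 0; i < n->stlen; i++) n->wstptr[i] = (wchar_t)(unsigned char)n->stptr[i];
    n->wstptr[n->stlen] = L'\0';
    n->wstlen = n->stlen;
    n->flags |= WSTRCUR;
}

static void free_wstr(node_t *n) {
    if (n->flags & WSTRCUR) {
        tracked_free(n->wstptr);
        n->wstptr = NULL; n->wstlen = 0;
        n->flags &= ~WSTRCUR;
    }
}

/* Buggy: struct assignment copies the template's wstptr, so every field
 * produced from it shares one heap block and each will free it. */
static void make_field_buggy(node_t *f, const node_t *tmpl) { *f = *tmpl; }

/* Fixed: a new field never inherits ownership of the template's wide string;
 * it builds its own when first needed. */
static void make_field_fixed(node_t *f, const node_t *tmpl) {
    *f = *tmpl;
    f->wstptr = NULL; f->wstlen = 0;
    f->flags &= ~WSTRCUR;
}

/* Replays the scenario: length() on an empty field fills in the template's
 * wide string, nfields fields are created from the template, then all are
 * released. Returns the maximum release count of any one address. */
static int simulate_frees(int nfields, int fixed) {
    node_t null_field = { "", 0, NULL, 0, 0 };   /* constructed template, like the "Null field" */
    node_t fields[16];
    if (nfields > 16) nfields = 16;
    tracker_reset();
    str2wstr(&null_field);
    for (int i = 0; i < nfields; i++) {
        if (fixed) make_field_fixed(&fields[i], &null_field);
        else       make_field_buggy(&fields[i], &null_field);
        str2wstr(&fields[i]);         /* no-op on the buggy path: WSTRCUR already set */
    }
    for (int i = 0; i < nfields; i++) free_wstr(&fields[i]);
    free_wstr(&null_field);
    return tracker_max();
}

int main(void) {
    printf("buggy: max releases of one address = %d\n", simulate_frees(5, 0));
    printf("fixed: max releases of one address = %d\n", simulate_frees(5, 1));
    return 0;
}
```

With five fields the buggy path releases the same block six times (five copies plus the template itself); the fixed path releases every block exactly once. The tracker stands in for the detection a heap checker provides: glibc's fasttop check only fires when the chunk happens to be at the top of the fastbin, which is why the reporter's file crashed and the three-line `printf` example did not.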
Micah Cowan (micahcowan) wrote :

Um... I shouldn't have subscribed ubuntu-universe-sponsors, considering gawk is in main.

Changed in gawk:
status: Unknown → Unconfirmed
Sarah Kowalik (hobbsee-deactivatedaccount) wrote :

removed u-u-s

Colin Watson (cjwatson) wrote :

gawk (1:3.1.5.dfsg-4ubuntu1) gutsy; urgency=low

  * 25_free_wstr-and-multiple-frees.dpatch: brought in some changes from
    current CVS, to resolve an issue with multiple frees (LP: #58256).

 -- Micah Cowan <email address hidden> Tue, 15 May 2007 17:29:34 +0100

Sorry for our delay in dealing with this!

Changed in gawk:
status: In Progress → Fix Released
Micah Cowan (micahcowan) wrote :

Thanks for the attention! :)

Changed in gawk:
status: New → Fix Committed
Changed in gawk:
status: Fix Committed → Fix Released