© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
1b1ed1a
(Get the code!)
gdb backtrace with debugging symbols:
GNU gdb 6.4-debian
Copyright 2005 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i486-linux-
(gdb) run '{length($1)}' rc_cmp.txt
Starting program: /usr/bin/gawk '{length($1)}' rc_cmp.txt
*** glibc detected *** double free or corruption (fasttop): 0x080ac6f0 ***
Program received signal SIGABRT, Aborted.
0xffffe410 in __kernel_vsyscall ()
(gdb) bt
#0 0xffffe410 in __kernel_vsyscall ()
#1 0xb7e689a1 in raise () from /lib/tls/
#2 0xb7e6a2b9 in abort () from /lib/tls/
#3 0xb7e9c87a in __fsetlocking () from /lib/tls/
#4 0xb7ea2fd4 in malloc_usable_size () from /lib/tls/
#5 0xb7ea334a in free () from /lib/tls/
#6 0x080707e2 in str2wstr (n=0xb7f6aadc, ptr=0x0) at node.c:710
#7 0x08056887 in do_length (tree=0x80adbe8) at builtin.c:485
#8 0x0807f7fa in r_tree_eval (tree=0x80adc10, iscond=0) at eval.c:991
#9 0x080811b7 in interpret (tree=0x80adc10) at eval.c:877
#10 0x08081291 in interpret (tree=0x80adb70) at eval.c:456
#11 0x0806aa8d in do_input () at io.c:457
#12 0x0806f3b1 in main (argc=3, argv=0xbfbb5db4) at main.c:595
(gdb)
The double free happens within str2wstr(), apparently on the input file's 8th line ("R:r"). I tried various changes to the text file, which produced no difference; however, removing the blank line from the file causes gawk to exit gracefully.
Code such as the following also reproduces the bug. Strangely, changing the length of the line emitted by the non-blank echo seems to change whether the double-free is produced:
for ((i=0; i!=10; ++i)); do [ $(($i % 2)) -eq 1 ] && echo a || echo; done | gawk '{print length($1)}'