Ubuntu
glibc package

Bug #9917
Comment #10

Comment 10 for bug 9917

Revision history for this message

Debian Bug Importer (debzilla) wrote on 2005-02-05:

#10

Message-ID: <email address hidden>
Date: Thu, 3 Feb 2005 17:36:44 +0100
From: =?iso-8859-1?Q?Lo=EFc?= Minier <email address hidden>
To: wim delvaux <email address hidden>, GOTO Masanori <email address hidden>,
Daniel Jacobowitz <email address hidden>,
Bill Allombert <email address hidden>, <email address hidden>
Subject: Re: libc6: application sometimes crashes, valgrind shows error in gconv_db.c

Hi,

This is a followup for Debian bug <http://bugs.debian.org/279722>.

wim delvaux <email address hidden> - Thu, Nov 04, 2004:

> Valgrind shows the following backtrace ...
> =3D=3D7105=3D=3D Invalid read of size 4
> =3D=3D7105=3D=3D at 0x1C22857E: __gconv_release_step (gconv_db.c:198=
)
> =3D=3D7105=3D=3D by 0x1C22914C: __gconv_close_transform (gconv_db.c:=
751)

I can get that one fairly easily with:
% valgrind --db-attach=3Dyes ls -l

(% locale LANG=3Dfr_FR@euro LC_CTYPE=3Dfr_FR@euro LC_NUMERIC=3Dfr_FR@eur=
o
LC_TIME=3Dfr_FR@euro LC_COLLATE=3Dfr_FR@euro LC_MONETARY=3Dfr_FR@euro
LC_MESSAGES=3Dfr_FR@euro LC_PAPER=3Dfr_FR@euro LC_NAME=3Dfr_FR@euro
LC_ADDRESS=3Dfr_FR@euro LC_TELEPHONE=3Dfr_FR@euro LC_MEASUREMENT=3Dfr_FR=
@euro
LC_IDENTIFICATION=3Dfr_FR@euro LC_ALL=3D)

I get the same bt, I installed the -dbg version of glibc and debuilded
a part of the source (to get the patches applied):

(gdb) bt
#0 0x1b94e58f in __gconv_release_step (step=3D0x1bae2ccc) at gconv_db.c:=
198
#1 0x1b94f14d in __gconv_close_transform (steps=3D0x1bae2c90, nsteps=3D2=
)
at gconv_db.c:751
#2 0x1b94e256 in __gconv_close (cd=3D0x1bae3868) at gconv_close.c:64
#3 0x1b95c54d in _nl_free_domain_conv (domain=3D0x1baba698) at loadmsgca=
t.c:873
#4 0x1b95d0b4 in _nl_unload_domain (domain=3D0x1baba698) at loadmsgcat.c=
:1289
#5 0x1ba42afd in free_mem () at finddomain.c:179
#6 0x1ba42c45 in *__GI___libc_freeres () at set-freeres.c:49
#7 0x1b8fec51 in _vgw__freeres () at vg_intercept.c:117
#8 0x1b962b18 in *__GI_exit (status=3D0) at exit.c:82

I think the problem is in iconv/gconv_close.c, in __gconv_close() at
the very end of the file:
while (!((drunp++)->__flags & __GCONV_IS_LAST));

/* Free the data allocated for the descriptor. */
free (cd);

/* Close the participating modules. */
return __gconv_close_transform (srunp, nsteps);

I think "srunp" uses a reference in "cd".

I already tried in the past to build glibc on my system, and this was
too long a task for my laptop, could someone try swapping the free
after the __gconv_close_transform() or hand me a build if he can't
reproduce the bug?

Thanks,

--=20
Lo=EFc Minier <email address hidden>
"Neutral President: I have no strong feelings one way or the other."

Message-ID: <20050203163644.GA21245@bugs.debian.org>
Date: Thu, 3 Feb 2005 17:36:44 +0100
From: =?iso-8859-1?Q?Lo=EFc?= Minier <lool@dooz.org>
To: wim delvaux <wim.delvaux@adaptiveplanet.com>, GOTO Masanori <gotom@debian.or.jp>,
	Daniel Jacobowitz <dan@debian.org>,
	Bill Allombert <allomber@math.u-bordeaux.fr>, 279722@bugs.debian.org
Subject: Re: libc6: application sometimes crashes, valgrind shows error in gconv_db.c

Hi,

This is a followup for Debian bug <http://bugs.debian.org/279722>.

wim delvaux <wim.delvaux@adaptiveplanet.com> - Thu, Nov 04, 2004:

> Valgrind shows the following backtrace ...
> =3D=3D7105=3D=3D Invalid read of size 4
> =3D=3D7105=3D=3D    at 0x1C22857E: __gconv_release_step (gconv_db.c:198=
)
> =3D=3D7105=3D=3D    by 0x1C22914C: __gconv_close_transform (gconv_db.c:=
751)

I can get that one fairly easily with:
    % valgrind --db-attach=3Dyes ls -l

(% locale LANG=3Dfr_FR@euro LC_CTYPE=3Dfr_FR@euro LC_NUMERIC=3Dfr_FR@eur=
o
 LC_TIME=3Dfr_FR@euro LC_COLLATE=3Dfr_FR@euro LC_MONETARY=3Dfr_FR@euro
 LC_MESSAGES=3Dfr_FR@euro LC_PAPER=3Dfr_FR@euro LC_NAME=3Dfr_FR@euro
 LC_ADDRESS=3Dfr_FR@euro LC_TELEPHONE=3Dfr_FR@euro LC_MEASUREMENT=3Dfr_FR=
@euro
 LC_IDENTIFICATION=3Dfr_FR@euro LC_ALL=3D)

I get the same bt, I installed the -dbg version of glibc and debuilded
 a part of the source (to get the patches applied):

(gdb) bt
#0  0x1b94e58f in __gconv_release_step (step=3D0x1bae2ccc) at gconv_db.c:=
198
#1  0x1b94f14d in __gconv_close_transform (steps=3D0x1bae2c90, nsteps=3D2=
)
    at gconv_db.c:751
#2  0x1b94e256 in __gconv_close (cd=3D0x1bae3868) at gconv_close.c:64
#3  0x1b95c54d in _nl_free_domain_conv (domain=3D0x1baba698) at loadmsgca=
t.c:873
#4  0x1b95d0b4 in _nl_unload_domain (domain=3D0x1baba698) at loadmsgcat.c=
:1289
#5  0x1ba42afd in free_mem () at finddomain.c:179
#6  0x1ba42c45 in *__GI___libc_freeres () at set-freeres.c:49
#7  0x1b8fec51 in _vgw__freeres () at vg_intercept.c:117
#8  0x1b962b18 in *__GI_exit (status=3D0) at exit.c:82

I think the problem is in iconv/gconv_close.c, in __gconv_close() at
 the very end of the file:
  while (!((drunp++)->__flags & __GCONV_IS_LAST));

/* Free the data allocated for the descriptor.  */
  free (cd);

/* Close the participating modules.  */
  return __gconv_close_transform (srunp, nsteps);

I think "srunp" uses a reference in "cd".

I already tried in the past to build glibc on my system, and this was
 too long a task for my laptop, could someone try swapping the free
 after the __gconv_close_transform() or hand me a build if he can't
 reproduce the bug?

Thanks,

--=20
Lo=EFc Minier <lool@dooz.org>
"Neutral President: I have no strong feelings one way or the other."

Ubuntuglibc package

Comment 10 for bug 9917

Ubuntu
glibc package