possible double-free in yelp

Bug #12447 reported by Sylvain Defresne
Affects: yelp (Ubuntu)
Status: Fix Released
Importance: Low
Assigned to: Sebastien Bacher
Milestone: (none)

Bug Description

I recently upgraded my system from warty to hoary and yelp
is now unable to launch, stuck in an endless loop in mallopt.

When executing it under gdb, using MALLOC_CHECK_=1 to debug
the glibc memory allocator, I get the following information:

$ MALLOC_CHECK_=1 gdb yelp
...
free(): invalid pointer 0x831b778!
free(): invalid pointer 0x8308b50!
free(): invalid pointer 0x8306458!
free(): invalid pointer 0x8306598!
free(): invalid pointer 0x8306bb0!
free(): invalid pointer 0x830aad0!
free(): invalid pointer 0x830ab38!

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1224942720 (LWP 15946)]
0xb7444c37 in xmlFreeNodeList () from /usr/lib/libxml2.so.2
(gdb) bt
#0 0xb7444c37 in xmlFreeNodeList () from /usr/lib/libxml2.so.2
#1 0xb7444c9b in xmlFreeNodeList () from /usr/lib/libxml2.so.2
#2 0xb7444c9b in xmlFreeNodeList () from /usr/lib/libxml2.so.2
#3 0xb7444c9b in xmlFreeNodeList () from /usr/lib/libxml2.so.2
#4 0xb74427bd in xmlFreeDoc () from /usr/lib/libxml2.so.2
#5 0x0805bc0f in toc_pager_get_sections ()
#6 0x0805b788 in toc_pager_get_sections ()
#7 0xb75d297f in g_child_watch_add () from /usr/lib/libglib-2.0.so.0
#8 0xb75cfc8b in g_main_depth () from /usr/lib/libglib-2.0.so.0
#9 0xb75d0c31 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#10 0xb75d0f53 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#11 0xb75d149a in g_main_loop_run () from /usr/lib/libglib-2.0.so.0
#12 0xb77226d3 in bonobo_main () from /usr/lib/libbonobo-2.so.0
#13 0x08064839 in main ()

So it seems that a pointer to non-allocated memory (or already freed memory)
is passed to free. I think it is more probable that it is a case of a
double-free problem, since the program goes into an endless loop when trying to
allocate some more memory when using the non-checking version of malloc/free.

I'm having this problem with version 2.9.3-0ubuntu1 of yelp and version
2.6.17-0ubuntu1 of libxml2 (that can be the other culprit, but since it
is impossible to attach a bug to two different packages, and yelp is the
only program that crashes for me, I don't think so).

If you can direct me to debug versions of those programs/libraries, I can
try to look into this problem in more detail (I don't really want to
compile both of them from source, especially after looking at the
yelp dependencies).

Have a nice day.
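
The reporter cannot tell from `free(): invalid pointer` whether the pointer was never allocated or was already freed. As an added example (not part of the original report, and not yelp, libxml2 or glibc code), the C code below uses a hypothetical tracking wrapper, `checked_malloc`/`checked_free`, to tell the two cases apart on a constructed tree in which one child is linked under two parents.

```c
#include <stdint.h>
#include <stdlib.h>
/* Added example: hypothetical tracking wrapper, not glibc, libxml2 or yelp code. */
enum free_result { FREE_OK, FREE_DOUBLE, FREE_INVALID };
#define MAX_TRACKED 64
static struct { uintptr_t addr; int live; } tracked[MAX_TRACKED];
static int n_tracked;
static int lookup(uintptr_t a) {
    for (int i = 0; i < n_tracked; i++)
        if (tracked[i].addr == a) return i;
    return -1;
}

void *checked_malloc(size_t size) {
    void *p = malloc(size);
    if (!p) return NULL;
    int i = lookup((uintptr_t)p);      /* the heap may reuse a freed address */
    if (i < 0) {
        if (n_tracked == MAX_TRACKED) { free(p); return NULL; }
        i = n_tracked++;
        tracked[i].addr = (uintptr_t)p;
    }
    tracked[i].live = 1;
    return p;
}

/* Classify before touching the heap: unknown pointer vs. already-freed one. */
enum free_result checked_free(void *p) {
    int i = lookup((uintptr_t)p);
    if (i < 0) return FREE_INVALID;
    if (!tracked[i].live) return FREE_DOUBLE;
    tracked[i].live = 0;
    free(p);
    return FREE_OK;
}

/* Constructed node type: just the two links a recursive list free follows. */
struct node { struct node *children, *next; };
/* Recursive teardown; returns how many stale (freed or unknown) nodes it met. */
int free_node_list(struct node *n) {
    int bad = 0;
    while (n) {
        int i = lookup((uintptr_t)n);
        if (i < 0 || !tracked[i].live) return bad + 1; /* never read freed memory */
        struct node *next = n->next;
        bad += free_node_list(n->children);
        checked_free(n);
        n = next;
    }
    return bad;
}
```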

Sebastien Bacher (seb128) wrote :

Sorry for the long reply. I don't have this issue here, do you still get it with
the current versions?

Sylvain Defresne (sdefresne) wrote :

I'm still having this bug after upgrading to version 2.9.3cvs20050222-0ubuntu2
of yelp and version 2.6.17-0ubuntu1 of libxml2 (updated half an hour ago).

I'm also having the following warnings before the crash:
I/O warning : failed to load external entity
"/home/keiichi/.gnome2/yelp-bookmarks.xbel"
I/O warning : failed to load external entity
"/usr/share/omf/bug-buddy/bug-buddy-C.omf"
(yelp:19212): Yelp-WARNING **: Impossible de charger le fichier OMF
« /usr/share/omf/bug-buddy/bug-buddy-C.omf »

The third warning states that loading the OMF file
"/usr/share/omf/bug-buddy/bug-buddy-C.omf" is
impossible. I don't know if it is relevant or not. Both files are missing, BTW.

Sylvain Defresne (sdefresne) wrote :

I have just reinstalled my system, and yelp is now working
correctly. So it may have come from some incorrect help
files present on my system ...

Sebastien Bacher (seb128) wrote :

Is it OK to close the bug then? You can reopen it if you get the issue again.

Sylvain Defresne (sdefresne) wrote :

Please do so. I'll reopen it if it reappears (or if I find the bug
in the code) ...

Sebastien Bacher (seb128) wrote :

bug closed, thanks
