[Bug 893605] Re: crashes with glibc-2.14/2.15 on dlopen (seen with kvm and gnucash)

Ppluzhnikov-google 893605 at bugs.launchpad.net
Mon Jan 9 20:48:10 UTC 2012


I've reproduced the gnucash crash.

The actual crash stack trace is (using eglibc 2.15~pre6-0ubuntu2):

#0  do_lookup_x (new_hash=2334765441, old_hash=<optimized out>, result=0x7fffffffdb60, scope=<optimized out>, i=0, flags=2, skip=0x0, undef_map=0x7ffff7ff8000) at dl-lookup.c:98
#1  0x00007ffff7de44e3 in _dl_lookup_symbol_x (undef_name=0x7ffff272e0c0 "g_module_check_init", undef_map=0x7ffff7ff8000, ref=0x7fffffffdc80, symbol_scope=0x7ffff7ff8388, version=0x0, type_class=0, flags=2, skip_map=0x0) at dl-lookup.c:739
#2  0x00007ffff57a041a in do_sym (handle=<optimized out>, name=0x7ffff272e0c0 "g_module_check_init", who=<optimized out>, vers=<optimized out>, flags=2) at dl-sym.c:178
#3  0x00007fffeace7044 in dlsym_doit (a=0x7fffffffde50) at dlsym.c:51
#4  0x00007ffff7de90f6 in _dl_catch_error (objname=0x611410, errstring=0x611418, mallocedp=0x611408, operate=0x7fffeace7030 <dlsym_doit>, args=0x7fffffffde50) at dl-error.c:178
#5  0x00007fffeace752f in _dlerror_run (operate=0x7fffeace7030 <dlsym_doit>, args=0x7fffffffde50) at dlerror.c:164
#6  0x00007fffeace709a in __dlsym (handle=<optimized out>, name=<optimized out>) at dlsym.c:71
#7  0x00007ffff272d3f0 in g_module_symbol () from /usr/lib/x86_64-linux-gnu/libgmodule-2.0.so.0
#8  0x00007ffff272d8aa in g_module_open () from /usr/lib/x86_64-linux-gnu/libgmodule-2.0.so.0
#9  0x00007ffff70de17e in ?? () from /usr/lib/gnucash/libgnc-module.so.0
#10 0x00007ffff70de468 in gnc_module_load () from /usr/lib/gnucash/libgnc-module.so.0
#11 0x0000000000405cd5 in _start ()

The problem appears to be that map->l_local_scope, as seen from frame #2,
is corrupt:

(gdb) p map.l_name
$16 = 0x7ffff7ffafa8 "/usr/lib/gnucash/gnucash/libgncmod-app-utils.so"
(gdb) p map.l_local_scope
$17 = {0x7ffff7ff82b8, 0x0}
(gdb) p map.l_local_scope[0]
$18 = (struct r_scope_elem *) 0x7ffff7ff82b8
(gdb) p map.l_local_scope[0][0]
$19 = {r_list = 0x63bb48, r_nlist = 56}
(gdb) p map.l_local_scope[0][0].r_list[0]
$20 = (struct link_map *) 0x51

Back in frame #0:

(gdb) x/i $pc
=> 0x7ffff7de3b32 <do_lookup_x+146>:    mov    0x28(%rax),%rsi
(gdb) p/x $rax
$21 = 0x51

The value 0x51 is written into 0x63bb48 here (caught with a hardware watchpoint on that address):
Hardware watchpoint 1: *(int**)0x0063bb48

Old value = (int *) 0x301
New value = (int *) 0x51
_int_malloc (av=0x7ffff5a27720, bytes=64) at malloc.c:3586
3586    in malloc.c
(gdb) bt
#0  _int_malloc (av=0x7ffff5a27720, bytes=64) at malloc.c:3586
#1  0x00007ffff56f3495 in __libc_calloc (n=<optimized out>, elem_size=<optimized out>) at malloc.c:3274
#2  0x00007ffff5c983e1 in g_malloc0 () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#3  0x00007ffff2e74bd6 in ?? () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#4  0x00007ffff2e790b2 in g_type_register_static () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#5  0x00007ffff2e5bd7b in g_flags_register_static () from /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#6  0x00007ffff3ecadf3 in gnome_date_edit_flags_get_type () from /usr/lib/libgnomeui-2.so.0
#7  0x00007ffff3eff365 in gnome_type_init () from /usr/lib/libgnomeui-2.so.0
#8  0x00007ffff3ed84eb in ?? () from /usr/lib/libgnomeui-2.so.0
#9  0x00007ffff678683e in gnome_program_preinit () from /usr/lib/libgnome-2.so.0
#10 0x00007ffff678751e in ?? () from /usr/lib/libgnome-2.so.0
#11 0x00007ffff678779d in gnome_program_initv () from /usr/lib/libgnome-2.so.0
#12 0x00007ffff678788f in gnome_program_init () from /usr/lib/libgnome-2.so.0
#13 0x00007ffff78cba16 in gnc_gnome_init () from /usr/lib/gnucash/gnucash/libgncmod-gnome-utils.so
#14 0x00000000004064a3 in main ()

So it's pretty clear that map.l_local_scope[0][0].r_list is dangling: the array it points to has already been freed and the memory handed back to the allocator (the 0x51 is written by _int_malloc itself, i.e. a use-after-free), and do_lookup_x then dereferences whatever now sits there as a struct link_map pointer, which is the SIGSEGV in frame #0.

https://bugs.launchpad.net/bugs/893605

Title:
  crashes with glibc-2.14/2.15 on dlopen (seen with kvm and gnucash)

Status in “eglibc” package in Ubuntu:
  Confirmed
Status in “glibc” package in Fedora:
  Unknown

Bug description:
  seen with glibc-2.14/glibc-2.15:

  kvm -cdrom <iso>

  Program received signal SIGSEGV, Segmentation fault.
  0xb7fe7740 in ?? () from /lib/ld-linux.so.2
  (gdb) bt
  #0  0xb7fe7740 in ?? () from /lib/ld-linux.so.2
  #1  0xb7fe7eb9 in ?? () from /lib/ld-linux.so.2
  #2  0xb7a26490 in do_sym (handle=0xb7d86860, 
      name=0xb7c7ff4f "XAllocClassHint", who=<optimized out>, vers=0x0, flags=2)
      at dl-sym.c:178
  #3  0xb7a26927 in _dl_sym (handle=<optimized out>, name=<optimized out>, 
      who=<optimized out>) at dl-sym.c:283
  #4  0xb778cd67 in dlsym_doit (a=0xbfffeef0) at dlsym.c:51
  #5  0xb7feccaf in ?? () from /lib/ld-linux.so.2
  #6  0xb778d33a in _dlerror_run (operate=0xb778cd40 <dlsym_doit>, 
      args=0xbfffeef0) at dlerror.c:164
  #7  0xb778cde4 in __dlsym (handle=0xb7d86860, 
      name=0xb7c7ff4f "XAllocClassHint") at dlsym.c:71
  #8  0xb7c56b5a in SDL_LoadFunction () from /usr/lib/libSDL-1.2.so.0
  #9  0xb7c58511 in ?? () from /usr/lib/libSDL-1.2.so.0
  #10 0xb7c5a8aa in ?? () from /usr/lib/libSDL-1.2.so.0
  #11 0xb7c61825 in ?? () from /usr/lib/libSDL-1.2.so.0
  #12 0xb7c5155a in SDL_VideoInit () from /usr/lib/libSDL-1.2.so.0
  #13 0xb7c25c7a in SDL_InitSubSystem () from /usr/lib/libSDL-1.2.so.0
  #14 0xb7c25cfb in SDL_Init () from /usr/lib/libSDL-1.2.so.0
  #15 0x00202967 in ?? ()
  ---Type <return> to continue, or q <return> to quit---
  #16 0x0013cfdc in main ()

  gnucash:

  
  Program received signal SIGSEGV, Segmentation fault.
  0x00119740 in ?? () from /lib/ld-linux.so.2
  (gdb) bt
  #0  0x00119740 in ?? () from /lib/ld-linux.so.2
  #1  0x00119eb9 in ?? () from /lib/ld-linux.so.2
  #2  0x00c0a490 in do_sym (handle=0xb7ffd000, 
      name=0x10eeec4 "g_module_check_init", who=<optimized out>, vers=0x0, 
      flags=2) at dl-sym.c:178
  #3  0x00c0a927 in _dl_sym (handle=<optimized out>, name=<optimized out>, 
      who=<optimized out>) at dl-sym.c:283
  #4  0x03195d67 in dlsym_doit (a=0xbfffedc0) at dlsym.c:51
  #5  0x0011ecaf in ?? () from /lib/ld-linux.so.2
  #6  0x0319633a in _dlerror_run (operate=0x3195d40 <dlsym_doit>, 
      args=0xbfffedc0) at dlerror.c:164
  #7  0x03195de4 in __dlsym (handle=0xb7ffd000, 
      name=0x10eeec4 "g_module_check_init") at dlsym.c:71
  #8  0x010ee065 in g_module_symbol ()
     from /usr/lib/i386-linux-gnu/libgmodule-2.0.so.0
  #9  0x010ee54f in g_module_open ()
     from /usr/lib/i386-linux-gnu/libgmodule-2.0.so.0
  #10 0x003ff61e in ?? () from /usr/lib/gnucash/libgnc-module.so.0
  #11 0x003ff90b in gnc_module_load () from /usr/lib/gnucash/libgnc-module.so.0
  #12 0x0804ca5f in _start ()




