Bug#926658: gnuplot: free(): double free detected in tcache 2

Bernhard Übelacker bernhardu at mailbox.org
Tue Apr 9 19:22:33 BST 2019


Control: tags 926658 + patch upstream fixed-upstream


Dear Maintainer,
I just tried to help triage this issue.

I think this is related to upstream bug [1] and
was already fixed in the 5.2 branch by commit [2].

A package built with this patch only shows the
'undefined variable' error, not the double free fault.

Kind regards,
Bernhard

[1] https://sourceforge.net/p/gnuplot/bugs/2115/
[2] https://sourceforge.net/p/gnuplot/gnuplot-main/ci/732014eefd41235a143626d2bc02d3d34934e1b3/
-------------- next part --------------

# Buster amd64 real hardware 2019-04-09


# Bring the host (Buster amd64, see header above) up to date before building the chroot.
apt update
apt dist-upgrade


#########


mkdir /home/benutzer/926658_gnuplot-crash -p
cd    /home/benutzer/926658_gnuplot-crash

# Minimal buster chroot, fetched from the local mirror/proxy at 192.168.178.25:9999
# (the sources.list file below calls it "buster-approx"; adjust for your network).
debootstrap --arch=amd64 buster chroot http://192.168.178.25:9999/debian-10-buster-deb.debian.org/
# The chroot shares the host kernel: sysctl writes made inside it (perf_event_paranoid
# below) are system-wide, and chroot/proc must be unmounted before the chroot
# directory is ever removed recursively, or the recursion descends into /proc.
mount --rbind /proc chroot/proc

# Pre-built rr packages, installed with dpkg -i inside the chroot further down.
cp -a ../rr*.deb chroot/
        # workaround https://github.com/mozilla/rr/issues/2342

# Interactive root shell inside the chroot; the indented commands below are typed into it.
env -i TERM=xterm LANG=de_DE.UTF-8 /usr/sbin/chroot chroot /bin/su -l root
    apt install locales
    dpkg-reconfigure locales
    nano /etc/inputrc   # interactive edit, contents not recorded here
    adduser benutzer
    # Keep the debootstrap entry, add deb-src (for `apt source`) and the
    # buster-debug repository (for the *-dbgsym packages).
    mv /etc/apt/sources.list /etc/apt/sources.list.d/buster-approx.list
    echo "deb-src http://192.168.178.25:9999/debian-10-buster-deb.debian.org buster main" >> /etc/apt/sources.list.d/buster-approx.list
    echo "deb     http://192.168.178.25:9999/debian-10-buster-debug.mirrors.debian.org buster-debug main" >> /etc/apt/sources.list.d/buster-approx.list


    apt update
    apt install dpkg-dev devscripts mc wget unzip rr gdb gnuplot gnuplot-qt-dbgsym

    # Installs the rr*.deb copied into the chroot root above (over the archive's rr).
    dpkg -i /*.deb
        # workaround https://github.com/mozilla/rr/issues/2342

    # rr needs access to perf counters; this relaxes the kernel-wide restriction
    # for the whole machine, not just the chroot.
    echo 1 > /proc/sys/kernel/perf_event_paranoid


# Interactive shell inside the chroot as the unprivileged user; the indented commands run there.
env -i TERM=xterm LANG=de_DE.UTF-8 /usr/sbin/chroot chroot /bin/su -l benutzer

    # Source trees so gdb can show eval.c/misc.c (gnuplot) and malloc.c (glibc) during replay.
    mkdir /home/benutzer/source/gnuplot/orig -p
    cd    /home/benutzer/source/gnuplot/orig
    apt source gnuplot
    cd
    
    mkdir /home/benutzer/source/libc6/orig -p
    cd    /home/benutzer/source/libc6/orig
    apt source libc6
    cd
    
    # Reproducer attached to the bug report (call.gpi, which calls ./tags.gpi per the transcript).
    wget "https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=926658;filename=test-files.zip;msg=10" -O test-files.zip
    unzip test-files.zip
    cd test-files
    # Record the crashing run, then replay it under gdb (commands and transcript follow).
    rr record gnuplot call.gpi
    rr replay



# gdb commands used during `rr replay` of the crashing run (transcript follows below).
# What the transcript establishes: the ARGV string slot at 0x564e9734ed90 is filled
# by Gstring() from prepare_call (calltype=2, the `call ./tags.gpi`), freed by
# gpfree_array from prepare_call of the nested `load common.gpi` (calltype=1), and
# freed once more from lf_pop during the error unwind after "undefined variable:
# date_min". The watchpoint never fires between the two frees, so the slot still
# holds the stale pointer; glibc's tcache check turns the second free() into the
# SIGABRT. Fixed upstream in commit 732014eefd41235a143626d2bc02d3d34934e1b3.
set width 0                  # no wrapping / paging in a non-interactive log
set pagination off
# Frames are reported with paths like ../../../src/eval.c; a search directory three
# levels below the source root makes those relative paths resolve. Same for malloc.c.
directory /home/benutzer/source/gnuplot/orig/gnuplot-5.2.6+dfsg1/src/wxterminal/bitmaps
directory /home/benutzer/source/libc6/orig/glibc-2.28/malloc
cont                         # run forward to the SIGABRT from the double-free check
bt                           # second free: lf_pop -> gpfree_array -> gpfree_string (eval.c:423)
# Walk back out of raise / abort / __libc_message / malloc_printerr / _int_free /
# __libc_free into gpfree_string, just before the fatal free().
reverse-finish
reverse-finish
reverse-finish
reverse-finish
reverse-finish
reverse-finish
reverse-finish
print a->v.string_val        # pointer handed to free() (0x564e97351a60); contents already overwritten
print &(a->v.string_val)     # the slot holding that pointer (0x564e9734ed90)
# Stop at any earlier free() of the same pointer and at any write to the slot.
b __GI___libc_free if mem==0x564e97351a60
watch *0x564e9734ed90
reverse-cont                 # first hit is the earlier free of the same pointer ...
bt                           # ... from prepare_call (calltype=1) via gpfree_array
reverse-finish               # back into that gpfree_string call
print a->v.string_val        # same pointer; the filename string is still intact here
print &(a->v.string_val)     # same slot as at the second free
reverse-cont                 # watchpoint: Gstring (eval.c:410) stored the pointer ...
bt                           # ... called from prepare_call (calltype=2) for ./tags.gpi


#########


benutzer at willi-laptop:~$ gnuplot --version
gnuplot 5.2 patchlevel 6


benutzer at willi-laptop:~/test-files$ rr record gnuplot call.gpi
rr: Saving execution to trace directory `/home/benutzer/.local/share/rr/gnuplot-0'.
Plotting $tag statistics...
"./tags.gpi" line 27: undefined variable: date_min

free(): double free detected in tcache 2
Abgebrochen




benutzer at willi-laptop:~/test-files$ rr replay
...
Reading symbols from /usr/bin/gnuplot-qt...(no debugging symbols found)...done.
Really redefine built-in command "restart"? (y or n) [answered Y; input not from terminal]
Remote debugging using 127.0.0.1:16489
Reading symbols from /lib64/ld-linux-x86-64.so.2...Reading symbols from /usr/lib/debug/.build-id/75/5312dcb2382eb2fde78494879bb2104028ae80.debug...done.
done.
0x00007f088a6fd090 in _start () from /lib64/ld-linux-x86-64.so.2
(rr) set width 0
(rr) set pagination off
(rr) cont
Continuing.
Plotting $tag statistics...
"./tags.gpi" line 27: undefined variable: date_min

free(): double free detected in tcache 2

Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig at entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
50      ../sysdeps/unix/sysv/linux/raise.c: Datei oder Verzeichnis nicht gefunden.
(rr) bt
#0  __GI_raise (sig=sig at entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007f08888d2535 in __GI_abort () at abort.c:79
#2  0x00007f0888929778 in __libc_message (action=action at entry=do_abort, fmt=fmt at entry=0x7f0888a3428d "%s\n") at ../sysdeps/posix/libc_fatal.c:181
#3  0x00007f088892fe6a in malloc_printerr (str=str at entry=0x7f0888a35f58 "free(): double free detected in tcache 2") at malloc.c:5341
#4  0x00007f088893194d in _int_free (av=0x7f0888a6bc40 <main_arena>, p=0x564e97351a50, have_lock=<optimized out>) at malloc.c:4193
#5  0x0000564e95fbb8bd in ?? ()
#6  0x0000564e95fbbd6b in ?? ()
#7  0x0000564e95fec887 in ?? ()
#8  0x0000564e95fece8d in ?? ()
#9  0x0000564e95f9b3bd in ?? ()
#10 0x00007f08888d409b in __libc_start_main (main=0x564e95f9b000, argc=2, argv=0x7ffe67c3fb68, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffe67c3fb58) at ../csu/libc-start.c:308
#11 0x0000564e95f9c76a in ?? ()







# With debug symbols

benutzer at willi-laptop:~$ rr replay
GNU gdb (Debian 8.2.1-2) 8.2.1
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/bin/gnuplot-qt...Reading symbols from /usr/lib/debug/.build-id/4f/e8eca6bda32081f21f1443346a77fbc6ae7b83.debug...done.
done.
Really redefine built-in command "restart"? (y or n) [answered Y; input not from terminal]
Remote debugging using 127.0.0.1:7991
Reading symbols from /lib64/ld-linux-x86-64.so.2...Reading symbols from /usr/lib/debug/.build-id/75/5312dcb2382eb2fde78494879bb2104028ae80.debug...done.
done.
0x00007f088a6fd090 in _start () from /lib64/ld-linux-x86-64.so.2
(rr) set width 0
(rr) set pagination off
(rr) directory /home/benutzer/source/gnuplot/orig/gnuplot-5.2.6+dfsg1/src/wxterminal/bitmaps
Source directories searched: /home/benutzer/source/gnuplot/orig/gnuplot-5.2.6+dfsg1/src/wxterminal/bitmaps:$cdir:$cwd
(rr) directory /home/benutzer/source/libc6/orig/glibc-2.28/malloc
Source directories searched: /home/benutzer/source/libc6/orig/glibc-2.28/malloc:/home/benutzer/source/gnuplot/orig/gnuplot-5.2.6+dfsg1/src/wxterminal/bitmaps:$cdir:$cwd
(rr) cont
Continuing.
Plotting $tag statistics...
"./tags.gpi" line 27: undefined variable: date_min

free(): double free detected in tcache 2

Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig at entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
50        return ret;


# Second free of 0x564e97351a60

(rr) bt
#0  __GI_raise (sig=sig at entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007f08888d2535 in __GI_abort () at abort.c:79
#2  0x00007f0888929778 in __libc_message (action=action at entry=do_abort, fmt=fmt at entry=0x7f0888a3428d "%s\n") at ../sysdeps/posix/libc_fatal.c:181
#3  0x00007f088892fe6a in malloc_printerr (str=str at entry=0x7f0888a35f58 "free(): double free detected in tcache 2") at malloc.c:5341
#4  0x00007f088893194d in _int_free (av=0x7f0888a6bc40 <main_arena>, p=0x564e97351a50, have_lock=<optimized out>) at malloc.c:4193
#5  0x0000564e95fbb8bd in gpfree_string (a=0x564e9734ed88) at ../../../src/eval.c:423
#6  0x0000564e95fbbd6b in gpfree_string (a=<optimized out>) at ../../../src/eval.c:422
#7  gpfree_array (a=a at entry=0x564e9734edc0) at ../../../src/eval.c:446
#8  0x0000564e95fec887 in lf_pop () at ../../../src/misc.c:515
#9  0x0000564e95fece8d in load_file_error () at ../../../src/misc.c:626
#10 0x0000564e95f9b3bd in main (argc=2, argv=0x7ffe67c3fb68) at ../../../src/plot.c:555
(rr) reverse-finish
Run back to call of #0  __GI_raise (sig=sig at entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50

Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig at entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
50        return ret;
(rr) reverse-finish
Run back to call of #0  __GI_raise (sig=sig at entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
0x00007f08888d2530 in __GI_abort () at abort.c:79
79      abort.c: Datei oder Verzeichnis nicht gefunden.
(rr) reverse-finish
Run back to call of #0  0x00007f08888d2530 in __GI_abort () at abort.c:79
__libc_message (action=action at entry=do_abort, fmt=fmt at entry=0x7f0888a3428d "%s\n") at ../sysdeps/posix/libc_fatal.c:181
181           abort ();
(rr) reverse-finish
Run back to call of #0  __libc_message (action=action at entry=do_abort, fmt=fmt at entry=0x7f0888a3428d "%s\n") at ../sysdeps/posix/libc_fatal.c:181
0x00007f088892fe65 in malloc_printerr (str=str at entry=0x7f0888a35f58 "free(): double free detected in tcache 2") at malloc.c:5341
warning: Source file is more recent than executable.
5341      __libc_message (do_abort, "%s\n", str);
(rr) reverse-finish
Run back to call of #0  0x00007f088892fe65 in malloc_printerr (str=str at entry=0x7f0888a35f58 "free(): double free detected in tcache 2") at malloc.c:5341
0x00007f0888931948 in _int_free (av=0x7f0888a6bc40 <main_arena>, p=0x564e97351a50, have_lock=0) at malloc.c:4193
4193                    malloc_printerr ("free(): double free detected in tcache 2");
(rr) reverse-finish
Run back to call of #0  0x00007f0888931948 in _int_free (av=0x7f0888a6bc40 <main_arena>, p=0x564e97351a50, have_lock=0) at malloc.c:4193
0x00007f0888934c39 in __GI___libc_free (mem=<optimized out>) at malloc.c:3116
3116      _int_free (ar_ptr, p, 0);
(rr) reverse-finish
Run back to call of #0  0x00007f0888934c39 in __GI___libc_free (mem=<optimized out>) at malloc.c:3116
0x0000564e95fbb8b8 in gpfree_string (a=0x564e9734ed88) at ../../../src/eval.c:423
423             free(a->v.string_val);
(rr) print a->v.string_val
$1 = 0x564e97351a60 "`\354\064\227NV"
(rr) print &(a->v.string_val)
$2 = (char **) 0x564e9734ed90
(rr) b __GI___libc_free if mem==0x564e97351a60
Breakpoint 1 at 0x7f0888934be0: file malloc.c, line 3083.
(rr) watch *0x564e9734ed90
Hardware watchpoint 2: *0x564e9734ed90
(rr) reverse-cont
Continuing.

Breakpoint 1, __GI___libc_free (mem=0x564e97351a60) at malloc.c:3083
3083        = atomic_forced_read (__free_hook);


# First free of 0x564e97351a60

(rr) bt
#0  __GI___libc_free (mem=0x564e97351a60) at malloc.c:3083
#1  0x0000564e95fbb8bd in gpfree_string (a=0x564e9734ed88) at ../../../src/eval.c:423
#2  0x0000564e95fbbd6b in gpfree_string (a=<optimized out>) at ../../../src/eval.c:422
#3  gpfree_array (a=a at entry=0x564e9734edc0) at ../../../src/eval.c:446
#4  0x0000564e95febe1a in prepare_call (calltype=calltype at entry=1) at ../../../src/misc.c:235
#5  0x0000564e95fecb9a in load_file (fp=0x564e97352cb0, name=0x564e9734ec20 "common.gpi", calltype=calltype at entry=1) at ../../../src/misc.c:354
#6  0x0000564e95fab084 in load_command () at ../../../src/command.c:1585
#7  0x0000564e95fad6f0 in command () at ../../../src/command.c:629
#8  do_line () at ../../../src/command.c:419
#9  0x0000564e95feccef in load_file (fp=0x564e97351650, name=name at entry=0x564e97351630 "./tags.gpi", calltype=calltype at entry=2) at ../../../src/misc.c:448
#10 0x0000564e95faa8bd in call_command () at ../../../src/command.c:988
#11 0x0000564e95fad6f0 in command () at ../../../src/command.c:629
#12 do_line () at ../../../src/command.c:419
#13 0x0000564e95feccef in load_file (fp=0x564e972ef260, name=<optimized out>, calltype=<optimized out>) at ../../../src/misc.c:448
#14 0x0000564e95f9b69c in main (argc=1, argv=0x7ffe67c3fb70) at ../../../src/plot.c:654
(rr) reverse-finish
Run back to call of #0  __GI___libc_free (mem=0x564e97351a60) at malloc.c:3083
0x0000564e95fbb8b8 in gpfree_string (a=0x564e9734ed88) at ../../../src/eval.c:423
423             free(a->v.string_val);
(rr) print a->v.string_val
$3 = 0x564e97351a60 "ambiguous-paragraph-in-dep5-copyright.dat"
(rr) print &(a->v.string_val)
$4 = (char **) 0x564e9734ed90
(rr) reverse-cont
Continuing.

Hardware watchpoint 2: *0x564e9734ed90

Old value = -1758127520
New value = 1819309422
0x0000564e95fbbc92 in Gstring (a=a at entry=0x564e9734ed88, s=0x564e97351a60 "ambiguous-paragraph-in-dep5-copyright.dat") at ../../../src/eval.c:410
410         a->v.string_val = s ? s : strdup("");



# Save pointer to 0x564e97351a60 in 0x564e9734ed90

(rr) bt
#0  0x0000564e95fbbc92 in Gstring (a=a at entry=0x564e9734ed88, s=0x564e97351a60 "ambiguous-paragraph-in-dep5-copyright.dat") at ../../../src/eval.c:410
#1  0x0000564e95febf5c in prepare_call (calltype=calltype at entry=2) at ../../../src/misc.c:253
#2  0x0000564e95fecb9a in load_file (fp=0x564e97351650, name=name at entry=0x564e97351630 "./tags.gpi", calltype=calltype at entry=2) at ../../../src/misc.c:354
#3  0x0000564e95faa8bd in call_command () at ../../../src/command.c:988
#4  0x0000564e95fad6f0 in command () at ../../../src/command.c:629
#5  do_line () at ../../../src/command.c:419
#6  0x0000564e95feccef in load_file (fp=0x564e972ef260, name=<optimized out>, calltype=<optimized out>) at ../../../src/misc.c:448
#7  0x0000564e95f9b69c in main (argc=1, argv=0x7ffe67c3fb70) at ../../../src/plot.c:654
(rr) print s
$5 = 0x564e97351a60 "ambiguous-paragraph-in-dep5-copyright.dat"
(rr) reverse-finish
Run back to call of #0  0x0000564e95fbbc92 in Gstring (a=a at entry=0x564e9734ed88, s=0x564e97351a60 "ambiguous-paragraph-in-dep5-copyright.dat") at ../../../src/eval.c:410
0x0000564e95febf57 in prepare_call (calltype=calltype at entry=2) at ../../../src/misc.c:253
253                 Gstring(&ARGV[argindex], gp_strdup(udv->udv_value.v.string_val));
(rr) print udv->udv_value.v.string_val
$6 = 0x564e97351a20 "ambiguous-paragraph-in-dep5-copyright.dat"










https://sourceforge.net/p/gnuplot/gnuplot-main/ci/732014eefd41235a143626d2bc02d3d34934e1b3/

https://sourceforge.net/p/gnuplot/bugs/2115/





#########


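cd /home/benutzer/source/gnuplot/

# Export the upstream fix (pinned by full commit hash) as a patch next to orig/ and try1/.
git clone https://git.code.sf.net/p/gnuplot/gnuplot-main gnuplot-gnuplot-main
cd gnuplot-gnuplot-main
git show 732014eefd41235a143626d2bc02d3d34934e1b3 > ../732014eefd41235a143626d2bc02d3d34934e1b3.patch
cd ..

# Patched copy of the Debian source tree (orig/ was populated by `apt source gnuplot`).
cp -a orig try1
# Single cd: the earlier `cd try1` followed by `cd try1/gnuplot-5.2.6+dfsg1/` could not
# resolve, since the second path was relative to try1/ itself.
cd try1/gnuplot-5.2.6+dfsg1/
patch -p1 < ../../732014eefd41235a143626d2bc02d3d34934e1b3.patch
dpkg-buildpackage -b   # .deb files land in ../ (try1/)

# Install the rebuilt packages; needs root, presumably done from the root chroot shell.
# Re-run `rr record gnuplot call.gpi` from the test-files directory afterwards — the
# transcript below runs it from ~ and only fails to open call.gpi.
dpkg -i /home/benutzer/source/gnuplot/try1/{gnuplot-qt,gnuplot-qt-dbgsym}_5.2.6+dfsg1-1_amd64.deb /home/benutzer/source/gnuplot/try1/{gnuplot,gnuplot-data}_5.2.6+dfsg1-1_all.deb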



benutzer at willi-laptop:~$ rr record gnuplot call.gpi
rr: Saving execution to trace directory `/home/benutzer/.local/share/rr/gnuplot-1'.
line 0: Cannot open script file 'call.gpi'




