G'day,

This is a fascinating bug.  I'm able to reproduce it.

Please find attached gdb.txt as requested by Patrik, which demonstrates
that the problem occurs while trying to free(3) some heap, in either
libcups or libgnomeprint.

Please also find attached valgrind.txt, which demonstrates that the
failure is caused by a free of a heap pointer that is not valid.

The use of valgrind is also a workaround for the problem, allowing
printing to complete without "Aborted".  It goes much slower, but at
least it works.

The next thing I shall try is to find out where in libgnomeprint or
libcups the segmentation fault is happening.  Ideas on how to do that
are welcome.

It seems that the reproducibility of the problem may depend on the CUPS
configuration.

-- 
James Cameron    mailto:qu...@us.netrek.org     http://quozl.netrek.org/
Starting program: /tmp/abiword-2.6.8-install/bin/abiword 
[Thread debugging using libthread_db enabled]
[New Thread 0xb7f90760 (LWP 404)]
[New Thread 0xb751ab90 (LWP 412)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb7f90760 (LWP 404)]
0x478c415d in free () from /lib/i686/cmov/libc.so.6

Thread 2 (Thread 0xb751ab90 (LWP 412)):
#0  0xb7fc1424 in __kernel_vsyscall ()
No symbol table info available.
#1  0x479ed2e2 in pthread_cond_timedwait@@GLIBC_2.3.2 () from /lib/i686/cmov/libpthread.so.0
No symbol table info available.
#2  0x47eef02d in g_cond_timed_wait_posix_impl (cond=<value optimized out>, entered_mutex=<value optimized out>, abs_time=<value optimized out>) at /build/buildd-glib2.0_2.20.1-2-i386-hGzT8z/glib2.0-2.20.1/gthread/gthread-posix.c:242
        result = <value optimized out>
        end_time = Could not find the frame base for "g_cond_timed_wait_posix_impl".

Thread 1 (Thread 0xb7f90760 (LWP 404)):
#0  0x478c415d in free () from /lib/i686/cmov/libc.so.6
No symbol table info available.
#1  0x479de048 in ?? () from /lib/i686/cmov/libdl.so.2
No symbol table info available.
#2  0x457adf36 in ?? () from /usr/lib/libcups.so.2
No symbol table info available.
#3  0x479ddf50 in ?? () from /lib/i686/cmov/libdl.so.2
No symbol table info available.
#4  0x479ddb50 in ?? () from /lib/i686/cmov/libdl.so.2
No symbol table info available.
#5  0x479dfff4 in ?? () from /lib/i686/cmov/libdl.so.2
No symbol table info available.
#6  0x00000000 in ?? ()
No symbol table info available.
Script started on Sat Jul  4 15:48:49 2009
ja...@dors:/c/tmp/abiword-2.6.8/abiword-2.6.8$ valgrind '/tmp/abiword-2.6.8-install/bin/abiword'
==501== Memcheck, a memory error detector.
==501== Copyright (C) 2002-2008, and GNU GPL'd, by Julian Seward et al.
==501== Using LibVEX rev 1884, a library for dynamic binary translation.
==501== Copyright (C) 2004-2008, and GNU GPL'd, by OpenWorks LLP.
==501== Using valgrind-3.4.1-Debian, a dynamic binary instrumentation framework.
==501== Copyright (C) 2000-2008, and GNU GPL'd, by Julian Seward et al.
==501== For more details, rerun with: -v
==501== 
==501== Thread 2:
==501== Invalid read of size 4
==501==    at 0x47849A37: (within /lib/ld-2.9.so)
==501==    by 0x47972621: (within /lib/i686/cmov/libc-2.9.so)
==501==    by 0x47840FE5: (within /lib/ld-2.9.so)
==501==    by 0x479727E4: __libc_dlopen_mode (in /lib/i686/cmov/libc-2.9.so)
==501==    by 0x47949FCF: __nss_lookup_function (in /lib/i686/cmov/libc-2.9.so)
==501==    by 0x4794A09E: (within /lib/i686/cmov/libc-2.9.so)
==501==    by 0x4794BA0C: __nss_services_lookup2 (in /lib/i686/cmov/libc-2.9.so)
==501==    by 0x47952C15: getservbyname_r (in /lib/i686/cmov/libc-2.9.so)
==501==    by 0x4795296D: getservbyname (in /lib/i686/cmov/libc-2.9.so)
==501==    by 0x4579A265: ippPort (in /usr/lib/libcups.so.2)
==501==    by 0x6277304: (within /usr/lib/libgnomecups-1.0.so.1.0.0)
==501==    by 0x47C375E5: (within /usr/lib/libglib-2.0.so.0.2000.1)
==501==  Address 0x5eb7bd4 is 44 bytes inside a block of size 46 alloc'd
==501==    at 0x400801E: malloc (vg_replace_malloc.c:207)
==501==    by 0x478410F3: (within /lib/ld-2.9.so)
==501==    by 0x4783AD65: (within /lib/ld-2.9.so)
==501==    by 0x478451C6: (within /lib/ld-2.9.so)
==501==    by 0x47840FE5: (within /lib/ld-2.9.so)
==501==    by 0x47844BCD: (within /lib/ld-2.9.so)
==501==    by 0x47972621: (within /lib/i686/cmov/libc-2.9.so)
==501==    by 0x47840FE5: (within /lib/ld-2.9.so)
==501==    by 0x479727E4: __libc_dlopen_mode (in /lib/i686/cmov/libc-2.9.so)
==501==    by 0x47949FCF: __nss_lookup_function (in /lib/i686/cmov/libc-2.9.so)
==501==    by 0x4794A09E: (within /lib/i686/cmov/libc-2.9.so)
==501==    by 0x4794BA0C: __nss_services_lookup2 (in /lib/i686/cmov/libc-2.9.so)
==501== 
==501== Thread 1:
==501== Invalid free() / delete / delete[]
==501==    at 0x4006E3A: free (vg_replace_malloc.c:323)
==501==    by 0x479DE047: (within /lib/i686/cmov/libdl-2.9.so)
==501==    by 0x479DDB20: dlopen (in /lib/i686/cmov/libdl-2.9.so)
==501==    by 0x47F20776: g_module_open (in /usr/lib/libgmodule-2.0.so.0.2000.1)
==501==    by 0x48EAE479: (within /usr/lib/libgnomeprint-2-2.so.0.1.0)
==501==    by 0x48EAE51E: gnome_print_filter_new_from_module_name (in /usr/lib/libgnomeprint-2-2.so.0.1.0)
==501==    by 0x48EDA7D2: _gnome_print_filter_parse__parse (in /usr/lib/libgnomeprint-2-2.so.0.1.0)
==501==    by 0x48EDACFF: _gnome_print_filter_parse_launch (in /usr/lib/libgnomeprint-2-2.so.0.1.0)
==501==    by 0x48EAD496: gnome_print_filter_new_from_description (in /usr/lib/libgnomeprint-2-2.so.0.1.0)
==501==    by 0x49837EBC: (within /usr/lib/libgnomeprintui-2-2.so.0.1.0)
==501==    by 0x47EC1A14: g_type_create_instance (in /usr/lib/libgobject-2.0.so.0.2000.1)
==501==    by 0x47EA62E4: (within /usr/lib/libgobject-2.0.so.0.2000.1)
==501==  Address 0x457adf36 is not stack'd, malloc'd or (recently) free'd

(abiword:501): GnomePrint-WARNING **: Could not create filter from description 'GnomePrintFilterSelect': filter 'GnomePrintFilterSelect' is unknown

(abiword:501): GLib-GObject-WARNING **: invalid (NULL) pointer instance

(abiword:501): GLib-GObject-CRITICAL **: g_signal_connect_data: assertion `G_TYPE_CHECK_INSTANCE (instance)' failed

(abiword:501): GnomePrint-WARNING **: Could not create filter from description 'GnomePrintFilterClip [ GnomePrintFilterMultipage ]': filter 'GnomePrintFilterClip' is unknown

(abiword:501): GLib-GObject-CRITICAL **: g_object_unref: assertion `G_IS_OBJECT (object)' failed

(abiword:501): libgnomeprintui-CRITICAL **: gnome_print_layout_selector_load_filter: assertion `GNOME_IS_PRINT_FILTER (f)' failed

(abiword:501): GLib-GObject-CRITICAL **: g_object_set: assertion `G_IS_OBJECT (object)' failed

(abiword:501): GLib-GObject-CRITICAL **: g_object_set: assertion `G_IS_OBJECT (object)' failed

(abiword:501): GLib-GObject-CRITICAL **: g_object_set: assertion `G_IS_OBJECT (object)' failed

(abiword:501): GLib-GObject-CRITICAL **: g_object_set: assertion `G_IS_OBJECT (object)' failed

(abiword:501): GLib-GObject-CRITICAL **: g_object_set: assertion `G_IS_OBJECT (object)' failed

(abiword:501): GnomePrint-CRITICAL **: gnome_print_filter_reset: assertion `GNOME_IS_PRINT_FILTER (f)' failed

(abiword:501): GnomePrint-CRITICAL **: gnome_print_filter_flush: assertion `GNOME_IS_PRINT_FILTER (f)' failed

(abiword:501): GLib-GObject-CRITICAL **: g_object_set: assertion `G_IS_OBJECT (object)' failed

(abiword:501): GLib-GObject-CRITICAL **: g_object_set: assertion `G_IS_OBJECT (object)' failed

(abiword:501): GLib-GObject-CRITICAL **: g_object_set: assertion `G_IS_OBJECT (object)' failed

(abiword:501): GLib-GObject-CRITICAL **: g_object_set: assertion `G_IS_OBJECT (object)' failed

(abiword:501): GLib-GObject-CRITICAL **: g_object_set: assertion `G_IS_OBJECT (object)' failed

(abiword:501): GLib-GObject-CRITICAL **: g_object_set: assertion `G_IS_OBJECT (object)' failed

(abiword:501): GnomePrint-CRITICAL **: gnome_print_filter_reset: assertion `GNOME_IS_PRINT_FILTER (f)' failed

(abiword:501): GnomePrint-CRITICAL **: gnome_print_filter_flush: assertion `GNOME_IS_PRINT_FILTER (f)' failed

** (abiword:501): WARNING **: could not set the value of Settings.Document.Filter, node not found
==501== 
==501== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 287 from 6)
==501== malloc/free: in use at exit: 2,032,405 bytes in 21,844 blocks.
==501== malloc/free: 219,516 allocs, 197,673 frees, 19,449,445 bytes allocated.
==501== For counts of detected errors, rerun with: -v
==501== searching for pointers to 21,844 not-freed blocks.
==501== checked 3,589,576 bytes.
==501== 
==501== LEAK SUMMARY:
==501==    definitely lost: 53,375 bytes in 2,025 blocks.
==501==      possibly lost: 395,193 bytes in 386 blocks.
==501==    still reachable: 1,583,837 bytes in 19,433 blocks.
==501==         suppressed: 0 bytes in 0 blocks.
==501== Rerun with --leak-check=full to see details of leaked memory.
ja...@dors:/c/tmp/abiword-2.6.8/abiword-2.6.8$ exit

Script done on Sat Jul  4 15:50:44 2009
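The two attached traces agree on one detail worth reading side by side: the address valgrind refuses to free, 0x457adf36, is the same value gdb shows as frame #2 inside /usr/lib/libcups.so.2. That is a code address, not a heap block, so glibc's free() reads whatever bytes precede it as a chunk header and the result is undefined (the "Aborted" seen in normal runs, SIGSEGV under gdb). The program below is an added example, not the poster's code and not anything from AbiWord, libgnomeprint or CUPS: it classifies an arbitrary pointer by the /proc/self/maps mapping that contains it, which is the check one does by hand in gdb with "info symbol ADDR" or "info proc mappings". It assumes Linux with /proc available; sample_function is a hypothetical stand-in for the libcups address, and the malloc(46) probe is constructed to match the block size in the valgrind trace.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* What kind of memory an address points into, judged from /proc/self/maps.
   This mirrors the distinction valgrind draws in "not stack'd, malloc'd or
   (recently) free'd": a pointer handed to free() should lie in [heap] (or in
   an anonymous mmap region that malloc uses), never in an object's text. */
enum addr_kind {
    ADDR_UNMAPPED,   /* no mapping covers the address at all */
    ADDR_HEAP,       /* the brk heap, shown as [heap] */
    ADDR_STACK,      /* the main thread's stack, shown as [stack] */
    ADDR_CODE,       /* executable mapping of a file: a library or the program itself */
    ADDR_FILE_DATA,  /* non-executable mapping of a file: .data/.bss/.got of some object */
    ADDR_ANON        /* anonymous mapping: large malloc()s, thread stacks, other arenas */
};

typedef struct {
    enum addr_kind kind;
    char path[256];  /* backing file or pseudo-name, empty for anonymous mappings */
} addr_info;

/* Linux-specific: scan /proc/self/maps for the line whose [lo,hi) range
   contains addr. Each line reads "start-end perms offset dev inode [path]". */
addr_info classify_address(const void *addr)
{
    addr_info r;
    memset(&r, 0, sizeof r);
    r.kind = ADDR_UNMAPPED;

    FILE *maps = fopen("/proc/self/maps", "r");
    if (maps == NULL)
        return r;   /* no /proc (not Linux, or sandboxed): report unmapped */

    uintptr_t a = (uintptr_t)addr;
    char line[512];
    while (fgets(line, sizeof line, maps) != NULL) {
        unsigned long lo = 0, hi = 0;
        char perms[5] = "";
        char path[256] = "";
        /* the path field is optional; sscanf returns 3 for anonymous mappings */
        int n = sscanf(line, "%lx-%lx %4s %*s %*s %*s %255s", &lo, &hi, perms, path);
        if (n < 3 || a < lo || a >= hi)
            continue;

        strncpy(r.path, path, sizeof r.path - 1);
        if (strcmp(path, "[heap]") == 0)
            r.kind = ADDR_HEAP;
        else if (strcmp(path, "[stack]") == 0)
            r.kind = ADDR_STACK;
        else if (path[0] == '/')
            r.kind = (perms[2] == 'x') ? ADDR_CODE : ADDR_FILE_DATA;
        else
            r.kind = ADDR_ANON;
        break;
    }
    fclose(maps);
    return r;
}

/* Could this pointer ever have come from malloc()? Code, file data, the stack
   and unmapped addresses are ruled out; [heap] and anonymous mappings are not. */
int is_plausible_heap_pointer(const void *addr)
{
    enum addr_kind k = classify_address(addr).kind;
    return k == ADDR_HEAP || k == ADDR_ANON;
}

static const char *kind_name(enum addr_kind k)
{
    static const char *names[] = { "unmapped", "[heap]", "[stack]", "code", "file data", "anonymous" };
    return names[k];
}

/* Hypothetical function: its address stands in for the libcups.so.2 code
   address (0x457adf36) that valgrind refused to free in the report. */
int sample_function(void) { return 42; }

/* Self-check helper: classify a small, freshly malloc()ed block. */
int small_malloc_is_plausible(void)
{
    void *p = malloc(46);   /* constructed: same size as the block in the valgrind trace */
    int ok = is_plausible_heap_pointer(p);
    free(p);
    return ok;
}

int main(void)
{
    int local = 0;
    void *heap = malloc(46);
    const void *probes[] = { heap, (const void *)(uintptr_t)sample_function, &local };
    const char *labels[] = { "malloc(46)", "sample_function", "stack variable" };
    for (int i = 0; i < 3; i++) {
        addr_info info = classify_address(probes[i]);
        printf("%-16s %p -> %-10s %s%s\n", labels[i], probes[i], kind_name(info.kind), info.path,
               is_plausible_heap_pointer(probes[i]) ? "" : "  (free() of this would be invalid)");
    }
    free(heap);
    return 0;
}
```

Build with "cc -Wall -o addrkind addrkind.c" and run it; the sample_function line shows the executable's own text mapping, which is what a libcups address would show for libcups.so.2. Against the real crash the quicker route is to stop in gdb at the fault and run "info symbol 0x457adf36", which prints the containing object and offset from the same mapping table this program reads. The caveat is that a mapping lookup only proves a pointer is not heap; the "(recently) free'd" half of valgrind's verdict needs allocation history, which neither this check nor gdb has.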
