
mutt_free_header -> free -> mutt_sort_headers -> segfault



The current[*] mutt 1.5.4 CVS build uses memory that has already been freed.

NOTE: Please Cc me on any replies or follow-up questions.

[*]
$ head -n 1 ChangeLog
2003-10-08 19:55:39  Thomas Roessler  <roessler@xxxxxxxxxxxxxxxxxx>  (roessler)

I have gcc-3.3.2, valgrind-20030725, libefence-2.2,
RH Linux IA-32, glibc-2.3.2-4.80.

./configure --with-homespool=Maildir --with-ncurses --with-mixmaster 
--enable-pop --enable-imap --with-ssl



You can try to reproduce it this way:
send one mail to the user (whose Maildir inbox is open in mutt)
delete the mail
sync-mailbox
(maybe press TAB)
send another mail to the user
press TAB and get segfault

(I used the same subject for both mails in this test.)



Here is what valgrind has to say about the test:

==3497== ERROR SUMMARY: 20 errors from 5 contexts (suppressed: 0 from 0)
==3497== 
==3497== 1 errors in context 1 of 5:
==3497== Conditional jump or move depends on uninitialised value(s)
==3497==    at 0x80DC5E6: _nc_do_color (in /usr/local/src/mutt/mutt)
==3497==    by 0x80E1837: vidputs (in /usr/local/src/mutt/mutt)
==3497==    by 0x80E2038: vidattr (in /usr/local/src/mutt/mutt)
==3497==    by 0x80E6FC0: _nc_screen_wrap (in /usr/local/src/mutt/mutt)
==3497== 
==3497== 1 errors in context 2 of 5:
==3497== Conditional jump or move depends on uninitialised value(s)
==3497==    at 0x40009565: _dl_relocate_object_internal (in /lib/ld-2.3.2.so)
==3497==    by 0x40545D90: (within /lib/libc-2.3.2.so)
==3497==    by 0x4000B115: _dl_catch_error_internal (in /lib/ld-2.3.2.so)
==3497==    by 0x405454AE: _dl_open (in /lib/libc-2.3.2.so)
==3497== 
==3497== 1 errors in context 3 of 5:
==3497== Conditional jump or move depends on uninitialised value(s)
==3497==    at 0x40009517: _dl_relocate_object_internal (in /lib/ld-2.3.2.so)
==3497==    by 0x40545D90: (within /lib/libc-2.3.2.so)
==3497==    by 0x4000B115: _dl_catch_error_internal (in /lib/ld-2.3.2.so)
==3497==    by 0x405454AE: _dl_open (in /lib/libc-2.3.2.so)
==3497== 
==3497== 2 errors in context 4 of 5:
==3497== Invalid read of size 1
==3497==    at 0x40020363: strcmp (in 
/usr/local/lib/valgrind/vgskin_memcheck.so)
==3497==    by 0x8078764: hash_find_hash (hash.c:104)
==3497==    by 0x80B3E7A: mutt_sort_threads (thread.c:778)
==3497==    by 0x80B12B1: mutt_sort_headers (sort.c:234)
==3497==    Address 0x421ADBCC is 0 bytes inside a block of size 62 free'd
==3497==    at 0x40029381: free (in /usr/local/lib/valgrind/vgskin_memcheck.so)
==3497==    by 0x80B8661: mutt_free_envelope (muttlib.c:649)
==3497==    by 0x80B77E5: mutt_free_header (muttlib.c:270)
==3497==    by 0x808BB02: mx_update_tables (mx.c:1097)
==3497== 
==3497== 15 errors in context 5 of 5:
==3497== Source and destination overlap in strncpy(0x421b9cfc, 0x421b9ca0, 168)
==3497==    at 0x400202B5: strncpy (in 
/usr/local/lib/valgrind/vgskin_memcheck.so)
==3497== IN SUMMARY: 20 errors from 5 contexts (suppressed: 0 from 0)
==3497== 
==3497== malloc/free: in use at exit: 746762 bytes in 15878 blocks.
==3497== malloc/free: 29065 allocs, 13187 frees, 1589232 bytes allocated.



And here is the gdb session with efence:

---Mutt: ~/Maildir [Msgs:0]---(threads/date)----------------------------(all)---
Sorting mailbox...                                                              
               
Program received signal SIGSEGV, Segmentation fault.
0x4027c5da in strcmp () from /lib/libc.so.6
(gdb) bt
#0  0x4027c5da in strcmp () from /lib/libc.so.6
#1  0x080b6d3a in mutt_strcmp (a=0x4f24cff8 "\002", b=0x0) at lib.c:574
#2  0x08078765 in hash_find_hash (table=0x4f24cff8, hash=0, 
    key=0x4f5a1fc0 
"<37jpyiljbviy4e46gtffe4kabrmk4dhq@xxxxxxxxxxxxxxxxxxxxxxxxxx>")
    at hash.c:104
#3  0x080b3e7b in mutt_sort_threads (ctx=0x4e07bf9c, init=0) at thread.c:778
#4  0x080b12b2 in mutt_sort_headers (ctx=0x4e07bf9c, init=0) at sort.c:234
#5  0x080631a8 in update_index (menu=0x4e0c9fa8, ctx=0x4e07bf9c, check=1, 
oldcount=0, 
    index_hint=0) at curs_main.c:313
#6  0x08063803 in mutt_index_menu () at curs_main.c:488
#7  0x08080291 in main (argc=1, argv=0xbfffea64) at main.c:907
#8  0x40217907 in __libc_start_main () from /lib/libc.so.6
(gdb) disass $eip-8 $eip+8 
Dump of assembler code from 0x4027c5d2 to 0x4027c5e2:
0x4027c5d2 <strcmp+2>:  and    $0x4,%al
0x4027c5d4 <strcmp+4>:  mov    0x8(%esp,1),%edx
0x4027c5d8 <strcmp+8>:  mov    (%ecx),%al
0x4027c5da <strcmp+10>: cmp    (%edx),%al
0x4027c5dc <strcmp+12>: jne    0x4027c5e7 <strcmp+23>
0x4027c5de <strcmp+14>: inc    %ecx
0x4027c5df <strcmp+15>: inc    %edx
0x4027c5e0 <strcmp+16>: test   %al,%al
End of assembler dump.
(gdb) print $eip
$5 = (void *) 0x4027c5da
(gdb) print $edx
$6 = 1327738816
(gdb) frame 2
#2  0x08078765 in hash_find_hash (table=0x4f24cff8, hash=0, 
    key=0x4f5a1fc0 
"<37jpyiljbviy4e46gtffe4kabrmk4dhq@xxxxxxxxxxxxxxxxxxxxxxxxxx>")
    at hash.c:104
104         if (mutt_strcmp (key, ptr->key) == 0)
(gdb) print *table
$10 = {nelem = 2, table = 0x4f24eff8}
(gdb) up
#3  0x080b3e7b in mutt_sort_threads (ctx=0x4e07bf9c, init=0) at thread.c:778
778             thread = hash_find (ctx->thread_hash, cur->env->message_id);
(gdb) print *ctx
$11 = {path = 0x4e07dfe8 "/home/safari/Maildir", fp = 0x0, mtime = 1067556677, 
  mtime_cur = 1067555530, size = 405, vsize = 0, pattern = 0x0, limit_pattern = 
0x0, 
  hdrs = 0x4f246f9c, tree = 0x0, id_hash = 0x0, subj_hash = 0x4f254ff8, 
  thread_hash = 0x4f24cff8, v2r = 0x4f248f9c, hdrmax = 25, msgcount = 1, vcount 
= 1, 
  tagged = 0, new = 1, unread = 1, deleted = 0, flagged = 0, msgnotreadyet = 
-1, data = 0x0, 
  magic = 4, locked = 0, changed = 0, readonly = 0, dontwrite = 0, append = 0, 
quiet = 0, 
  collapsed = 0, closing = 0}
(gdb) print *cur     
$13 = {security = 0, mime = 0, flagged = 0, tagged = 0, deleted = 0, changed = 
0, 
  attach_del = 0, old = 0, read = 0, expired = 0, superseded = 0, replied = 0, 
  subject_changed = 0, threaded = 0, display_subject = 0, recip_valid = 0, 
active = 0, 
  trash = 0, zhours = 0, zminutes = 0, zoccident = 0, searched = 0, matched = 
0, 
  collapsed = 0, limited = 0, num_hidden = 0, recipient = 0, pair = 0, 
  date_sent = 1067556675, received = 1067556675, offset = 0, lines = 0, index = 
0, msgno = 0, 
  virtual = 0, score = 0, env = 0x4f591fbc, content = 0x4f595fbc, 
  path = 0x4f582fd8 "new/1067556677.3579.safari.finland.fbi", tree = 0x0, 
thread = 0x0, 
  chain = 0x0, refno = 0, data = 0x0, maildir_flags = 0x0}
(gdb) frame 5
#5  0x080631a8 in update_index (menu=0x4e0c9fa8, ctx=0x4e07bf9c, check=1, 
oldcount=0, 
    index_hint=0) at curs_main.c:313
313       mutt_sort_headers (Context, (check == M_REOPENED));
(gdb)print *Context
$15 = {path = 0x4e07dfe8 "/home/safari/Maildir", fp = 0x0, mtime = 1067556677, 
  mtime_cur = 1067555530, size = 405, vsize = 0, pattern = 0x0, limit_pattern = 
0x0, 
  hdrs = 0x4f246f9c, tree = 0x0, id_hash = 0x0, subj_hash = 0x4f254ff8, 
  thread_hash = 0x4f24cff8, v2r = 0x4f248f9c, hdrmax = 25, msgcount = 1, vcount 
= 1, 
  tagged = 0, new = 1, unread = 1, deleted = 0, flagged = 0, msgnotreadyet = 
-1, data = 0x0, 
  magic = 4, locked = 0, changed = 0, readonly = 0, dontwrite = 0, append = 0, 
quiet = 0, 
  collapsed = 0, closing = 0}