Re: mutt_free_header -> free -> mutt_sort_headers -> segfault
Thanks for that report, and apologies for not replying earlier.
Unfortunately, I don't seem to be able to reproduce the crash with
my own inbox, on a redhat-9 system. It would be helpful if you
could provide me with a "reproduction package", consisting of:
* a mailbox,
* a message that can be added to that mailbox to trigger the problem,
* the configuration file used. (Should be as close as possible to
the default configuration.)
Thanks,
--
Thomas Roessler · Personal soap box at <http://log.does-not-exist.org/>.
On 2003-10-31 00:00:20 -0000, q4xk3j002@xxxxxxxxxxxxxx wrote:
> From: q4xk3j002@xxxxxxxxxxxxxx
> To: mutt-dev@xxxxxxxx
> Date: 31 Oct 2003 00:00:20 -0000
> Subject: mutt_free_header -> free -> mutt_sort_headers -> segfault
> X-Spam-Level:
>
> current[*] mutt 1.5.4 cvs is using already freed memory
>
> NOTE: Cc possible replies/extra questions to me.
>
> [*]
> $ head -n 1 ChangeLog
> 2003-10-08 19:55:39 Thomas Roessler <roessler@xxxxxxxxxxxxxxxxxx> (roessler)
>
> I have gcc-3.3.2, valgrind-20030725, libefence-2.2,
> RH Linux IA-32, glibc-2.3.2-4.80.
>
> ./configure --with-homespool=Maildir --with-ncurses --with-mixmaster --enable-pop --enable-imap --with-ssl
>
>
>
> you can try to reproduce this way:
> send one mail to user (whose Maildir-inbox is opened in mutt)
> delete the mail
> sync-mailbox
> (maybe press TAB)
> send another mail to the user
> press TAB and get segfault
>
> (I used the same subject in this test)
>
>
>
> here what valgrind has to say about the test.
>
> ==3497== ERROR SUMMARY: 20 errors from 5 contexts (suppressed: 0 from 0)
> ==3497==
> ==3497== 1 errors in context 1 of 5:
> ==3497== Conditional jump or move depends on uninitialised value(s)
> ==3497== at 0x80DC5E6: _nc_do_color (in /usr/local/src/mutt/mutt)
> ==3497== by 0x80E1837: vidputs (in /usr/local/src/mutt/mutt)
> ==3497== by 0x80E2038: vidattr (in /usr/local/src/mutt/mutt)
> ==3497== by 0x80E6FC0: _nc_screen_wrap (in /usr/local/src/mutt/mutt)
> ==3497==
> ==3497== 1 errors in context 2 of 5:
> ==3497== Conditional jump or move depends on uninitialised value(s)
> ==3497== at 0x40009565: _dl_relocate_object_internal (in /lib/ld-2.3.2.so)
> ==3497== by 0x40545D90: (within /lib/libc-2.3.2.so)
> ==3497== by 0x4000B115: _dl_catch_error_internal (in /lib/ld-2.3.2.so)
> ==3497== by 0x405454AE: _dl_open (in /lib/libc-2.3.2.so)
> ==3497==
> ==3497== 1 errors in context 3 of 5:
> ==3497== Conditional jump or move depends on uninitialised value(s)
> ==3497== at 0x40009517: _dl_relocate_object_internal (in /lib/ld-2.3.2.so)
> ==3497== by 0x40545D90: (within /lib/libc-2.3.2.so)
> ==3497== by 0x4000B115: _dl_catch_error_internal (in /lib/ld-2.3.2.so)
> ==3497== by 0x405454AE: _dl_open (in /lib/libc-2.3.2.so)
> ==3497==
> ==3497== 2 errors in context 4 of 5:
> ==3497== Invalid read of size 1
> ==3497== at 0x40020363: strcmp (in /usr/local/lib/valgrind/vgskin_memcheck.so)
> ==3497== by 0x8078764: hash_find_hash (hash.c:104)
> ==3497== by 0x80B3E7A: mutt_sort_threads (thread.c:778)
> ==3497== by 0x80B12B1: mutt_sort_headers (sort.c:234)
> ==3497== Address 0x421ADBCC is 0 bytes inside a block of size 62 free'd
> ==3497== at 0x40029381: free (in /usr/local/lib/valgrind/vgskin_memcheck.so)
> ==3497== by 0x80B8661: mutt_free_envelope (muttlib.c:649)
> ==3497== by 0x80B77E5: mutt_free_header (muttlib.c:270)
> ==3497== by 0x808BB02: mx_update_tables (mx.c:1097)
> ==3497==
> ==3497== 15 errors in context 5 of 5:
> ==3497== Source and destination overlap in strncpy(0x421b9cfc, 0x421b9ca0, 168)
> ==3497== at 0x400202B5: strncpy (in /usr/local/lib/valgrind/vgskin_memcheck.so)
> ==3497== IN SUMMARY: 20 errors from 5 contexts (suppressed: 0 from 0)
> ==3497==
> ==3497== malloc/free: in use at exit: 746762 bytes in 15878 blocks.
> ==3497== malloc/free: 29065 allocs, 13187 frees, 1589232 bytes allocated.
>
>
>
> and gdb+efence
>
> ---Mutt: ~/Maildir [Msgs:0]---(threads/date)----------------------------(all)---
> Sorting mailbox...
>
> Program received signal SIGSEGV, Segmentation fault.
> 0x4027c5da in strcmp () from /lib/libc.so.6
> (gdb) bt
> #0 0x4027c5da in strcmp () from /lib/libc.so.6
> #1 0x080b6d3a in mutt_strcmp (a=0x4f24cff8 "\002", b=0x0) at lib.c:574
> #2 0x08078765 in hash_find_hash (table=0x4f24cff8, hash=0,
>     key=0x4f5a1fc0 "<37jpyiljbviy4e46gtffe4kabrmk4dhq@xxxxxxxxxxxxxxxxxxxxxxxxxx>") at hash.c:104
> #3 0x080b3e7b in mutt_sort_threads (ctx=0x4e07bf9c, init=0) at thread.c:778
> #4 0x080b12b2 in mutt_sort_headers (ctx=0x4e07bf9c, init=0) at sort.c:234
> #5 0x080631a8 in update_index (menu=0x4e0c9fa8, ctx=0x4e07bf9c, check=1, oldcount=0,
>     index_hint=0) at curs_main.c:313
> #6 0x08063803 in mutt_index_menu () at curs_main.c:488
> #7 0x08080291 in main (argc=1, argv=0xbfffea64) at main.c:907
> #8 0x40217907 in __libc_start_main () from /lib/libc.so.6
> (gdb) disass $eip-8 $eip+8
> Dump of assembler code from 0x4027c5d2 to 0x4027c5e2:
> 0x4027c5d2 <strcmp+2>: and $0x4,%al
> 0x4027c5d4 <strcmp+4>: mov 0x8(%esp,1),%edx
> 0x4027c5d8 <strcmp+8>: mov (%ecx),%al
> 0x4027c5da <strcmp+10>: cmp (%edx),%al
> 0x4027c5dc <strcmp+12>: jne 0x4027c5e7 <strcmp+23>
> 0x4027c5de <strcmp+14>: inc %ecx
> 0x4027c5df <strcmp+15>: inc %edx
> 0x4027c5e0 <strcmp+16>: test %al,%al
> End of assembler dump.
> (gdb) print $eip
> $5 = (void *) 0x4027c5da
> (gdb) print $edx
> $6 = 1327738816
> (gdb) frame 2
> #2 0x08078765 in hash_find_hash (table=0x4f24cff8, hash=0,
>     key=0x4f5a1fc0 "<37jpyiljbviy4e46gtffe4kabrmk4dhq@xxxxxxxxxxxxxxxxxxxxxxxxxx>") at hash.c:104
> 104 if (mutt_strcmp (key, ptr->key) == 0)
> (gdb) print *table
> $10 = {nelem = 2, table = 0x4f24eff8}
> (gdb) up
> #3 0x080b3e7b in mutt_sort_threads (ctx=0x4e07bf9c, init=0) at thread.c:778
> 778 thread = hash_find (ctx->thread_hash, cur->env->message_id);
> (gdb) print *ctx
> $11 = {path = 0x4e07dfe8 "/home/safari/Maildir", fp = 0x0, mtime = 1067556677,
>   mtime_cur = 1067555530, size = 405, vsize = 0, pattern = 0x0, limit_pattern = 0x0,
>   hdrs = 0x4f246f9c, tree = 0x0, id_hash = 0x0, subj_hash = 0x4f254ff8,
>   thread_hash = 0x4f24cff8, v2r = 0x4f248f9c, hdrmax = 25, msgcount = 1, vcount = 1,
>   tagged = 0, new = 1, unread = 1, deleted = 0, flagged = 0, msgnotreadyet = -1, data = 0x0,
>   magic = 4, locked = 0, changed = 0, readonly = 0, dontwrite = 0, append = 0, quiet = 0,
>   collapsed = 0, closing = 0}
> (gdb) print *cur
> $13 = {security = 0, mime = 0, flagged = 0, tagged = 0, deleted = 0, changed = 0,
>   attach_del = 0, old = 0, read = 0, expired = 0, superseded = 0, replied = 0,
>   subject_changed = 0, threaded = 0, display_subject = 0, recip_valid = 0, active = 0,
>   trash = 0, zhours = 0, zminutes = 0, zoccident = 0, searched = 0, matched = 0,
>   collapsed = 0, limited = 0, num_hidden = 0, recipient = 0, pair = 0,
>   date_sent = 1067556675, received = 1067556675, offset = 0, lines = 0, index = 0, msgno = 0,
>   virtual = 0, score = 0, env = 0x4f591fbc, content = 0x4f595fbc,
>   path = 0x4f582fd8 "new/1067556677.3579.safari.finland.fbi", tree = 0x0, thread = 0x0,
>   chain = 0x0, refno = 0, data = 0x0, maildir_flags = 0x0}
> (gdb) frame 5
> #5 0x080631a8 in update_index (menu=0x4e0c9fa8, ctx=0x4e07bf9c, check=1, oldcount=0,
>     index_hint=0) at curs_main.c:313
> 313 mutt_sort_headers (Context, (check == M_REOPENED));
> (gdb) print *Context
> $15 = {path = 0x4e07dfe8 "/home/safari/Maildir", fp = 0x0, mtime = 1067556677,
>   mtime_cur = 1067555530, size = 405, vsize = 0, pattern = 0x0, limit_pattern = 0x0,
>   hdrs = 0x4f246f9c, tree = 0x0, id_hash = 0x0, subj_hash = 0x4f254ff8,
>   thread_hash = 0x4f24cff8, v2r = 0x4f248f9c, hdrmax = 25, msgcount = 1, vcount = 1,
>   tagged = 0, new = 1, unread = 1, deleted = 0, flagged = 0, msgnotreadyet = -1, data = 0x0,
>   magic = 4, locked = 0, changed = 0, readonly = 0, dontwrite = 0, append = 0, quiet = 0,
>   collapsed = 0, closing = 0}
>
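The failure the valgrind report above pins down (hash_find_hash strcmp()ing a thread_hash key that still points into an envelope mx_update_tables has already freed through mutt_free_header) is an instance of a general pattern: a lookup table that borrows pointers to strings owned by another structure, and an owner that frees without unlinking. The C program below is an added example, not mutt's code and not part of this thread; the structure and function names are hypothetical stand-ins for the ones in the trace, the message-ids are constructed sample data, and the remedy it shows (unlinking the entry by its data pointer before the owner is freed) is one standard fix, not a claim about how mutt resolved this report. It replays the reporter's sequence (deliver, delete, sync-mailbox, deliver again, re-sort) in both forms and counts the entries that outlive their header.

```c
#include <stdlib.h>
#include <string.h>
#define NBUCKETS 8

/* Hypothetical, pared-down stand-ins for the structures in the trace. */
struct envelope  { char *message_id; };
struct header    { struct envelope *env; int deleted; };
struct hash_elem { const char *key; void *data; struct hash_elem *next; };
struct hash      { int nelem; struct hash_elem *table[NBUCKETS]; };

static unsigned hash_string(const char *s)
{
    unsigned h = 0; while (*s) h = h * 31 + (unsigned char)*s++;
    return h % NBUCKETS;
}

/* Borrows the key: the owning envelope must outlive the entry or unlink it first. */
static void hash_insert(struct hash *t, const char *key, void *data)
{
    struct hash_elem *e = malloc(sizeof *e);
    unsigned b = hash_string(key);
    e->key = key; e->data = data; e->next = t->table[b];
    t->table[b] = e; t->nelem++;
}

/* strcmp()s each stored key: the read valgrind flagged once a key dangled. */
static void *hash_find(struct hash *t, const char *key)
{
    for (struct hash_elem *e = t->table[hash_string(key)]; e; e = e->next)
        if (strcmp(key, e->key) == 0) return e->data;
    return NULL;
}

/* Unlinks by data pointer, so it never dereferences a key about to die. */
static void hash_delete(struct hash *t, const char *key, const void *data)
{
    for (struct hash_elem **pp = &t->table[hash_string(key)]; *pp; pp = &(*pp)->next)
        if ((*pp)->data == data) {
            struct hash_elem *e = *pp;
            *pp = e->next; free(e); t->nelem--; return;
        }
}

static void hash_destroy(struct hash *t)   /* frees the chains, never reads a key */
{
    for (int b = 0; b < NBUCKETS; b++)
        for (struct hash_elem *e = t->table[b], *nx; e; e = nx) { nx = e->next; free(e); }
    t->nelem = 0;
}

static struct header *new_header(const char *message_id)
{
    struct header *h = calloc(1, sizeof *h);
    h->env = calloc(1, sizeof *h->env);
    h->env->message_id = malloc(strlen(message_id) + 1);
    strcpy(h->env->message_id, message_id);
    return h;
}
static void free_header(struct header **hp)
{
    free((*hp)->env->message_id); free((*hp)->env); free(*hp);
    *hp = NULL;
}

/* Compacts the header array after a sync (mx_update_tables' job in the trace).
 * With unlink_first == 0 an entry keeps a key that points into a freed envelope. */
static int update_tables(struct header **hdrs, int n, struct hash *threads, int unlink_first)
{
    int j = 0;
    for (int i = 0; i < n; i++) {
        if (!hdrs[i]->deleted) { hdrs[j++] = hdrs[i]; continue; }
        if (unlink_first) hash_delete(threads, hdrs[i]->env->message_id, hdrs[i]);
        free_header(&hdrs[i]);
    }
    return j;
}

/* Replays the reporter's sequence with constructed ids. Returns the number of
 * hash entries that outlived their header, or -1 if lookups on a clean table fail. */
static int stale_entries_after_resync(int unlink_first)
{
    struct hash threads = { 0 };
    struct header *hdrs[2]; int n = 0, stale;
    hdrs[n] = new_header("<first@example.invalid>");
    hash_insert(&threads, hdrs[n]->env->message_id, hdrs[n]); n++;
    hdrs[0]->deleted = 1;                                   /* delete, then  */
    n = update_tables(hdrs, n, &threads, unlink_first);     /* sync-mailbox  */
    hdrs[n] = new_header("<second@example.invalid>");
    hash_insert(&threads, hdrs[n]->env->message_id, hdrs[n]); n++;
    stale = threads.nelem - n;
    /* Probe only when no key dangles: otherwise the strcmp() inside hash_find()
     * would itself be the use-after-free from the report. */
    if (stale == 0 && (hash_find(&threads, "<second@example.invalid>") != hdrs[0] ||
                       hash_find(&threads, "<first@example.invalid>") != NULL))
        stale = -1;
    hash_destroy(&threads);
    while (n > 0) free_header(&hdrs[--n]);
    return stale;
}
```

stale_entries_after_resync(0) returns 1: the table still holds an entry whose key points into the freed envelope, and the re-sort's hash_find() on that bucket would strcmp() freed memory, which is exactly the "Invalid read of size 1 ... inside a block ... free'd" that valgrind printed. stale_entries_after_resync(1) returns 0. The two other standard remedies are to have the table own a copy of every key, or to drop and rebuild the table whenever the header array is compacted; either way the invariant to check in review is that no hash entry can outlive the object its key points into.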