Re: mutt_free_header -> free -> mutt_sort_headers -> segfault
Is this by any chance an IMAP mailbox?
-Daniel
On Mon, Nov 03, 2003 at 07:27:20PM +0100, Thomas Roessler <roessler@xxxxxxxxxxxxxxxxxx> wrote:
> Thanks for that report, and apologies for not replying earlier.
> Unfortunately, I don't seem to be able to reproduce the crash with
> my own inbox, on a redhat-9 system. It would be helpful if you
> could provide me with a "reproduction package", consisting of:
>
> * a mailbox,
> * a message that can be added to that mailbox to trigger the problem,
> * the configuration file used. (Should be as close as possible to
> the default configuration.)
>
> Thanks,
> --
> Thomas Roessler · Personal soap box at <http://log.does-not-exist.org/>.
>
> On 2003-10-31 00:00:20 -0000, q4xk3j002@xxxxxxxxxxxxxx wrote:
> > From: q4xk3j002@xxxxxxxxxxxxxx
> > To: mutt-dev@xxxxxxxx
> > Date: 31 Oct 2003 00:00:20 -0000
> > Subject: mutt_free_header -> free -> mutt_sort_headers -> segfault
> > X-Spam-Level:
> >
> > current[*] mutt 1.5.4 cvs is using already freed memory
> >
> > NOTE: Cc possible replies/extra questions to me.
> >
> > [*]
> > $ head -n 1 ChangeLog
> > 2003-10-08 19:55:39 Thomas Roessler <roessler@xxxxxxxxxxxxxxxxxx> (roessler)
> >
> > I have gcc-3.3.2, valgrind-20030725, libefence-2.2,
> > RH Linux IA-32, glibc-2.3.2-4.80.
> >
> > ./configure --with-homespool=Maildir --with-ncurses --with-mixmaster --enable-pop --enable-imap --with-ssl
> >
> > you can try to reproduce this way:
> > send one mail to user (whose Maildir-inbox is opened in mutt)
> > delete the mail
> > sync-mailbox
> > (maybe press TAB)
> > send another mail to the user
> > press TAB and get segfault
> >
> > (I used the same subject in this test)
> >
> > here is what valgrind has to say about the test.
> >
> > ==3497== ERROR SUMMARY: 20 errors from 5 contexts (suppressed: 0 from 0)
> > ==3497==
> > ==3497== 1 errors in context 1 of 5:
> > ==3497== Conditional jump or move depends on uninitialised value(s)
> > ==3497== at 0x80DC5E6: _nc_do_color (in /usr/local/src/mutt/mutt)
> > ==3497== by 0x80E1837: vidputs (in /usr/local/src/mutt/mutt)
> > ==3497== by 0x80E2038: vidattr (in /usr/local/src/mutt/mutt)
> > ==3497== by 0x80E6FC0: _nc_screen_wrap (in /usr/local/src/mutt/mutt)
> > ==3497==
> > ==3497== 1 errors in context 2 of 5:
> > ==3497== Conditional jump or move depends on uninitialised value(s)
> > ==3497== at 0x40009565: _dl_relocate_object_internal (in /lib/ld-2.3.2.so)
> > ==3497== by 0x40545D90: (within /lib/libc-2.3.2.so)
> > ==3497== by 0x4000B115: _dl_catch_error_internal (in /lib/ld-2.3.2.so)
> > ==3497== by 0x405454AE: _dl_open (in /lib/libc-2.3.2.so)
> > ==3497==
> > ==3497== 1 errors in context 3 of 5:
> > ==3497== Conditional jump or move depends on uninitialised value(s)
> > ==3497== at 0x40009517: _dl_relocate_object_internal (in /lib/ld-2.3.2.so)
> > ==3497== by 0x40545D90: (within /lib/libc-2.3.2.so)
> > ==3497== by 0x4000B115: _dl_catch_error_internal (in /lib/ld-2.3.2.so)
> > ==3497== by 0x405454AE: _dl_open (in /lib/libc-2.3.2.so)
> > ==3497==
> > ==3497== 2 errors in context 4 of 5:
> > ==3497== Invalid read of size 1
> > ==3497== at 0x40020363: strcmp (in /usr/local/lib/valgrind/vgskin_memcheck.so)
> > ==3497== by 0x8078764: hash_find_hash (hash.c:104)
> > ==3497== by 0x80B3E7A: mutt_sort_threads (thread.c:778)
> > ==3497== by 0x80B12B1: mutt_sort_headers (sort.c:234)
> > ==3497== Address 0x421ADBCC is 0 bytes inside a block of size 62 free'd
> > ==3497== at 0x40029381: free (in /usr/local/lib/valgrind/vgskin_memcheck.so)
> > ==3497== by 0x80B8661: mutt_free_envelope (muttlib.c:649)
> > ==3497== by 0x80B77E5: mutt_free_header (muttlib.c:270)
> > ==3497== by 0x808BB02: mx_update_tables (mx.c:1097)
> > ==3497==
> > ==3497== 15 errors in context 5 of 5:
> > ==3497== Source and destination overlap in strncpy(0x421b9cfc, 0x421b9ca0, 168)
> > ==3497== at 0x400202B5: strncpy (in /usr/local/lib/valgrind/vgskin_memcheck.so)
> > ==3497== IN SUMMARY: 20 errors from 5 contexts (suppressed: 0 from 0)
> > ==3497==
> > ==3497== malloc/free: in use at exit: 746762 bytes in 15878 blocks.
> > ==3497== malloc/free: 29065 allocs, 13187 frees, 1589232 bytes allocated.
> >
> > and gdb+efence
> >
> > ---Mutt: ~/Maildir [Msgs:0]---(threads/date)----------------------------(all)---
> > Sorting mailbox...
> >
> > Program received signal SIGSEGV, Segmentation fault.
> > 0x4027c5da in strcmp () from /lib/libc.so.6
> > (gdb) bt
> > #0 0x4027c5da in strcmp () from /lib/libc.so.6
> > #1 0x080b6d3a in mutt_strcmp (a=0x4f24cff8 "\002", b=0x0) at lib.c:574
> > #2 0x08078765 in hash_find_hash (table=0x4f24cff8, hash=0, key=0x4f5a1fc0 "<37jpyiljbviy4e46gtffe4kabrmk4dhq@xxxxxxxxxxxxxxxxxxxxxxxxxx>") at hash.c:104
> > #3 0x080b3e7b in mutt_sort_threads (ctx=0x4e07bf9c, init=0) at thread.c:778
> > #4 0x080b12b2 in mutt_sort_headers (ctx=0x4e07bf9c, init=0) at sort.c:234
> > #5 0x080631a8 in update_index (menu=0x4e0c9fa8, ctx=0x4e07bf9c, check=1, oldcount=0, index_hint=0) at curs_main.c:313
> > #6 0x08063803 in mutt_index_menu () at curs_main.c:488
> > #7 0x08080291 in main (argc=1, argv=0xbfffea64) at main.c:907
> > #8 0x40217907 in __libc_start_main () from /lib/libc.so.6
> > (gdb) disass $eip-8 $eip+8
> > Dump of assembler code from 0x4027c5d2 to 0x4027c5e2:
> > 0x4027c5d2 <strcmp+2>: and $0x4,%al
> > 0x4027c5d4 <strcmp+4>: mov 0x8(%esp,1),%edx
> > 0x4027c5d8 <strcmp+8>: mov (%ecx),%al
> > 0x4027c5da <strcmp+10>: cmp (%edx),%al
> > 0x4027c5dc <strcmp+12>: jne 0x4027c5e7 <strcmp+23>
> > 0x4027c5de <strcmp+14>: inc %ecx
> > 0x4027c5df <strcmp+15>: inc %edx
> > 0x4027c5e0 <strcmp+16>: test %al,%al
> > End of assembler dump.
> > (gdb) print $eip
> > $5 = (void *) 0x4027c5da
> > (gdb) print $edx
> > $6 = 1327738816
> > (gdb) frame 2
> > #2 0x08078765 in hash_find_hash (table=0x4f24cff8, hash=0, key=0x4f5a1fc0 "<37jpyiljbviy4e46gtffe4kabrmk4dhq@xxxxxxxxxxxxxxxxxxxxxxxxxx>") at hash.c:104
> > 104 if (mutt_strcmp (key, ptr->key) == 0)
> > (gdb) print *table
> > $10 = {nelem = 2, table = 0x4f24eff8}
> > (gdb) up
> > #3 0x080b3e7b in mutt_sort_threads (ctx=0x4e07bf9c, init=0) at thread.c:778
> > 778 thread = hash_find (ctx->thread_hash, cur->env->message_id);
> > (gdb) print *ctx
> > $11 = {path = 0x4e07dfe8 "/home/safari/Maildir", fp = 0x0, mtime = 1067556677,
> > mtime_cur = 1067555530, size = 405, vsize = 0, pattern = 0x0, limit_pattern = 0x0,
> > hdrs = 0x4f246f9c, tree = 0x0, id_hash = 0x0, subj_hash = 0x4f254ff8,
> > thread_hash = 0x4f24cff8, v2r = 0x4f248f9c, hdrmax = 25, msgcount = 1, vcount = 1,
> > tagged = 0, new = 1, unread = 1, deleted = 0, flagged = 0, msgnotreadyet = -1, data = 0x0,
> > magic = 4, locked = 0, changed = 0, readonly = 0, dontwrite = 0, append = 0, quiet = 0,
> > collapsed = 0, closing = 0}
> > (gdb) print *cur
> > $13 = {security = 0, mime = 0, flagged = 0, tagged = 0, deleted = 0, changed = 0,
> > attach_del = 0, old = 0, read = 0, expired = 0, superseded = 0, replied = 0,
> > subject_changed = 0, threaded = 0, display_subject = 0, recip_valid = 0, active = 0,
> > trash = 0, zhours = 0, zminutes = 0, zoccident = 0, searched = 0, matched = 0,
> > collapsed = 0, limited = 0, num_hidden = 0, recipient = 0, pair = 0,
> > date_sent = 1067556675, received = 1067556675, offset = 0, lines = 0, index = 0, msgno = 0,
> > virtual = 0, score = 0, env = 0x4f591fbc, content = 0x4f595fbc,
> > path = 0x4f582fd8 "new/1067556677.3579.safari.finland.fbi", tree = 0x0, thread = 0x0,
> > chain = 0x0, refno = 0, data = 0x0, maildir_flags = 0x0}
> > (gdb) frame 5
> > #5 0x080631a8 in update_index (menu=0x4e0c9fa8, ctx=0x4e07bf9c, check=1, oldcount=0, index_hint=0) at curs_main.c:313
> > 313 mutt_sort_headers (Context, (check == M_REOPENED));
> > (gdb) print *Context
> > $15 = {path = 0x4e07dfe8 "/home/safari/Maildir", fp = 0x0, mtime = 1067556677,
> > mtime_cur = 1067555530, size = 405, vsize = 0, pattern = 0x0, limit_pattern = 0x0,
> > hdrs = 0x4f246f9c, tree = 0x0, id_hash = 0x0, subj_hash = 0x4f254ff8,
> > thread_hash = 0x4f24cff8, v2r = 0x4f248f9c, hdrmax = 25, msgcount = 1, vcount = 1,
> > tagged = 0, new = 1, unread = 1, deleted = 0, flagged = 0, msgnotreadyet = -1, data = 0x0,
> > magic = 4, locked = 0, changed = 0, readonly = 0, dontwrite = 0, append = 0, quiet = 0,
> > collapsed = 0, closing = 0}
> >
--
Daniel E. Eisenbud
eisenbud@xxxxxxxxxxxxxx
Computational Biology Center
Memorial Sloan-Kettering Cancer Center
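The use-after-free the valgrind trace points at, modelled as a small added C example (not mutt's code): a hash table that keeps the key pointer it is handed, a header/envelope pair that owns that string, and a free path in the order that leaves no dangling key. The type and function names are simplified stand-ins for mutt's thread_hash, hash_find and mutt_free_header, and the Message-ID is constructed.

```c
#include <stdlib.h>
#include <string.h>
/* Toy model of the report's defect (stand-ins, not mutt's code): the table keeps
 * a pointer to a key owned by another object, like thread_hash and env->message_id. */
struct envelope { char *message_id; };
struct header { struct envelope *env; };
struct hash_elem { const char *key; void *data; struct hash_elem *next; };
struct hash { struct hash_elem *table[8]; };
static unsigned bucket(const char *s) {              /* tiny string hash */
    unsigned h = 0; while (*s) h = h * 31 + (unsigned char)*s++; return h % 8;
}
/* Stores the caller's key pointer; the table never copies or owns it. */
static void hash_insert(struct hash *t, const char *key, void *data) {
    struct hash_elem *e = malloc(sizeof *e), **b = &t->table[bucket(key)];
    e->key = key; e->data = data; e->next = *b; *b = e;
}
/* This strcmp() is the read valgrind flagged once the stored key was freed. */
static void *hash_find(struct hash *t, const char *key) {
    for (struct hash_elem *e = t->table[bucket(key)]; e; e = e->next)
        if (strcmp(e->key, key) == 0) return e->data;
    return NULL;
}
static void hash_delete(struct hash *t, const char *key) {
    for (struct hash_elem **pp = &t->table[bucket(key)]; *pp; pp = &(*pp)->next)
        if (strcmp((*pp)->key, key) == 0) {
            struct hash_elem *dead = *pp; *pp = dead->next; free(dead); return;
        }
}
static struct header *new_header(const char *mid) {
    struct header *h = malloc(sizeof *h);
    h->env = malloc(sizeof *h->env);
    h->env->message_id = strcpy(malloc(strlen(mid) + 1), mid);
    return h;
}
/* Correct order: unlink first, then free; the report's trace shows the reverse. */
static void free_header(struct hash *t, struct header *h) {
    hash_delete(t, h->env->message_id); free(h->env->message_id); free(h->env); free(h);
}
/* Replays the reported steps with a constructed Message-ID: hash, sync-free, re-add, look up. */
int replay(void) {
    static const char MID[] = "<constructed-id@example.invalid>";
    struct hash th = {{0}}; struct header *second, *first = new_header(MID);
    hash_insert(&th, first->env->message_id, first);
    free_header(&th, first);                     /* sync-mailbox: header gone */
    if (hash_find(&th, MID) != NULL) return 0;   /* stale entry would be a UAF */
    second = new_header(MID); hash_insert(&th, second->env->message_id, second);
    int ok = hash_find(&th, MID) == second; free_header(&th, second);
    return ok;
}
```

Run under valgrind the same way the reporter did: with the unlink-before-free order no invalid read is reported, and swapping the two statements in free_header reproduces the "inside a block ... free'd" pattern from the trace.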