
Re: mutt_free_header -> free -> mutt_sort_headers -> segfault



Is this by any chance an IMAP mailbox?

-Daniel

On Mon, Nov 03, 2003 at 07:27:20PM +0100, Thomas Roessler 
<roessler@xxxxxxxxxxxxxxxxxx> wrote:
> Thanks for that report, and apologies for not replying earlier.
> Unfortunately, I don't seem to be able to reproduce the crash with
> my own inbox, on a redhat-9 system.  It would be helpful if you
> could provide me with a "reproduction package", consisting of:
> 
> * a mailbox,
> * a message that can be added to that mailbox to trigger the problem,
> * the configuration file used. (Should be as close as possible to
>   the default configuration.)
> 
> Thanks,
> -- 
> Thomas Roessler · Personal soap box at <http://log.does-not-exist.org/>.
> 
> 
> 
> 
> 
> On 2003-10-31 00:00:20 -0000, q4xk3j002@xxxxxxxxxxxxxx wrote:
> > From: q4xk3j002@xxxxxxxxxxxxxx
> > To: mutt-dev@xxxxxxxx
> > Date: 31 Oct 2003 00:00:20 -0000
> > Subject: mutt_free_header -> free -> mutt_sort_headers -> segfault
> > X-Spam-Level: 
> > 
> > current[*] mutt 1.5.4 cvs is using already freed memory
> > 
> > NOTE: Cc possible replies/extra questions to me.
> > 
> > [*]
> > $ head -n 1 ChangeLog
> > 2003-10-08 19:55:39  Thomas Roessler  <roessler@xxxxxxxxxxxxxxxxxx>  (roessler)
> > 
> > I have gcc-3.3.2, valgrind-20030725, libefence-2.2,
> > RH Linux IA-32, glibc-2.3.2-4.80.
> > 
> > ./configure --with-homespool=Maildir --with-ncurses --with-mixmaster --enable-pop --enable-imap --with-ssl
> > 
> > 
> > 
> > you can try to reproduce this way:
> > send one mail to user (whose Maildir-inbox is opened in mutt)
> > delete the mail
> > sync-mailbox
> > (maybe press TAB)
> > send another mail to the user
> > press TAB and get segfault
> > 
> > (I used the same subject in this test)
> > 
> > 
> > 
> > here is what valgrind has to say about the test.
> > 
> > ==3497== ERROR SUMMARY: 20 errors from 5 contexts (suppressed: 0 from 0)
> > ==3497== 
> > ==3497== 1 errors in context 1 of 5:
> > ==3497== Conditional jump or move depends on uninitialised value(s)
> > ==3497==    at 0x80DC5E6: _nc_do_color (in /usr/local/src/mutt/mutt)
> > ==3497==    by 0x80E1837: vidputs (in /usr/local/src/mutt/mutt)
> > ==3497==    by 0x80E2038: vidattr (in /usr/local/src/mutt/mutt)
> > ==3497==    by 0x80E6FC0: _nc_screen_wrap (in /usr/local/src/mutt/mutt)
> > ==3497== 
> > ==3497== 1 errors in context 2 of 5:
> > ==3497== Conditional jump or move depends on uninitialised value(s)
> > ==3497==    at 0x40009565: _dl_relocate_object_internal (in /lib/ld-2.3.2.so)
> > ==3497==    by 0x40545D90: (within /lib/libc-2.3.2.so)
> > ==3497==    by 0x4000B115: _dl_catch_error_internal (in /lib/ld-2.3.2.so)
> > ==3497==    by 0x405454AE: _dl_open (in /lib/libc-2.3.2.so)
> > ==3497== 
> > ==3497== 1 errors in context 3 of 5:
> > ==3497== Conditional jump or move depends on uninitialised value(s)
> > ==3497==    at 0x40009517: _dl_relocate_object_internal (in /lib/ld-2.3.2.so)
> > ==3497==    by 0x40545D90: (within /lib/libc-2.3.2.so)
> > ==3497==    by 0x4000B115: _dl_catch_error_internal (in /lib/ld-2.3.2.so)
> > ==3497==    by 0x405454AE: _dl_open (in /lib/libc-2.3.2.so)
> > ==3497== 
> > ==3497== 2 errors in context 4 of 5:
> > ==3497== Invalid read of size 1
> > ==3497==    at 0x40020363: strcmp (in /usr/local/lib/valgrind/vgskin_memcheck.so)
> > ==3497==    by 0x8078764: hash_find_hash (hash.c:104)
> > ==3497==    by 0x80B3E7A: mutt_sort_threads (thread.c:778)
> > ==3497==    by 0x80B12B1: mutt_sort_headers (sort.c:234)
> > ==3497==    Address 0x421ADBCC is 0 bytes inside a block of size 62 free'd
> > ==3497==    at 0x40029381: free (in /usr/local/lib/valgrind/vgskin_memcheck.so)
> > ==3497==    by 0x80B8661: mutt_free_envelope (muttlib.c:649)
> > ==3497==    by 0x80B77E5: mutt_free_header (muttlib.c:270)
> > ==3497==    by 0x808BB02: mx_update_tables (mx.c:1097)
> > ==3497== 
> > ==3497== 15 errors in context 5 of 5:
> > ==3497== Source and destination overlap in strncpy(0x421b9cfc, 0x421b9ca0, 168)
> > ==3497==    at 0x400202B5: strncpy (in /usr/local/lib/valgrind/vgskin_memcheck.so)
> > ==3497== IN SUMMARY: 20 errors from 5 contexts (suppressed: 0 from 0)
> > ==3497== 
> > ==3497== malloc/free: in use at exit: 746762 bytes in 15878 blocks.
> > ==3497== malloc/free: 29065 allocs, 13187 frees, 1589232 bytes allocated.
> > 
> > 
> > 
> > and gdb+efence
> > 
> > ---Mutt: ~/Maildir [Msgs:0]---(threads/date)----------------------------(all)---
> > Sorting mailbox...
> > Program received signal SIGSEGV, Segmentation fault.
> > 0x4027c5da in strcmp () from /lib/libc.so.6
> > (gdb) bt
> > #0  0x4027c5da in strcmp () from /lib/libc.so.6
> > #1  0x080b6d3a in mutt_strcmp (a=0x4f24cff8 "\002", b=0x0) at lib.c:574
> > #2  0x08078765 in hash_find_hash (table=0x4f24cff8, hash=0, 
> >     key=0x4f5a1fc0 "<37jpyiljbviy4e46gtffe4kabrmk4dhq@xxxxxxxxxxxxxxxxxxxxxxxxxx>") at hash.c:104
> > #3  0x080b3e7b in mutt_sort_threads (ctx=0x4e07bf9c, init=0) at thread.c:778
> > #4  0x080b12b2 in mutt_sort_headers (ctx=0x4e07bf9c, init=0) at sort.c:234
> > #5  0x080631a8 in update_index (menu=0x4e0c9fa8, ctx=0x4e07bf9c, check=1, oldcount=0, 
> >     index_hint=0) at curs_main.c:313
> > #6  0x08063803 in mutt_index_menu () at curs_main.c:488
> > #7  0x08080291 in main (argc=1, argv=0xbfffea64) at main.c:907
> > #8  0x40217907 in __libc_start_main () from /lib/libc.so.6
> > (gdb) disass $eip-8 $eip+8 
> > Dump of assembler code from 0x4027c5d2 to 0x4027c5e2:
> > 0x4027c5d2 <strcmp+2>:  and    $0x4,%al
> > 0x4027c5d4 <strcmp+4>:  mov    0x8(%esp,1),%edx
> > 0x4027c5d8 <strcmp+8>:  mov    (%ecx),%al
> > 0x4027c5da <strcmp+10>: cmp    (%edx),%al
> > 0x4027c5dc <strcmp+12>: jne    0x4027c5e7 <strcmp+23>
> > 0x4027c5de <strcmp+14>: inc    %ecx
> > 0x4027c5df <strcmp+15>: inc    %edx
> > 0x4027c5e0 <strcmp+16>: test   %al,%al
> > End of assembler dump.
> > (gdb) print $eip
> > $5 = (void *) 0x4027c5da
> > (gdb) print $edx
> > $6 = 1327738816
> > (gdb) frame 2
> > #2  0x08078765 in hash_find_hash (table=0x4f24cff8, hash=0, 
> >     key=0x4f5a1fc0 "<37jpyiljbviy4e46gtffe4kabrmk4dhq@xxxxxxxxxxxxxxxxxxxxxxxxxx>") at hash.c:104
> > 104         if (mutt_strcmp (key, ptr->key) == 0)
> > (gdb) print *table
> > $10 = {nelem = 2, table = 0x4f24eff8}
> > (gdb) up
> > #3  0x080b3e7b in mutt_sort_threads (ctx=0x4e07bf9c, init=0) at thread.c:778
> > 778             thread = hash_find (ctx->thread_hash, cur->env->message_id);
> > (gdb) print *ctx
> > $11 = {path = 0x4e07dfe8 "/home/safari/Maildir", fp = 0x0, mtime = 1067556677, 
> >   mtime_cur = 1067555530, size = 405, vsize = 0, pattern = 0x0, limit_pattern = 0x0, 
> >   hdrs = 0x4f246f9c, tree = 0x0, id_hash = 0x0, subj_hash = 0x4f254ff8, 
> >   thread_hash = 0x4f24cff8, v2r = 0x4f248f9c, hdrmax = 25, msgcount = 1, vcount = 1, 
> >   tagged = 0, new = 1, unread = 1, deleted = 0, flagged = 0, msgnotreadyet = -1, data = 0x0, 
> >   magic = 4, locked = 0, changed = 0, readonly = 0, dontwrite = 0, append = 0, quiet = 0, 
> >   collapsed = 0, closing = 0}
> > (gdb) print *cur
> > $13 = {security = 0, mime = 0, flagged = 0, tagged = 0, deleted = 0, changed = 0, 
> >   attach_del = 0, old = 0, read = 0, expired = 0, superseded = 0, replied = 0, 
> >   subject_changed = 0, threaded = 0, display_subject = 0, recip_valid = 0, active = 0, 
> >   trash = 0, zhours = 0, zminutes = 0, zoccident = 0, searched = 0, matched = 0, 
> >   collapsed = 0, limited = 0, num_hidden = 0, recipient = 0, pair = 0, 
> >   date_sent = 1067556675, received = 1067556675, offset = 0, lines = 0, index = 0, msgno = 0, 
> >   virtual = 0, score = 0, env = 0x4f591fbc, content = 0x4f595fbc, 
> >   path = 0x4f582fd8 "new/1067556677.3579.safari.finland.fbi", tree = 0x0, thread = 0x0, 
> >   chain = 0x0, refno = 0, data = 0x0, maildir_flags = 0x0}
> > (gdb) frame 5
> > #5  0x080631a8 in update_index (menu=0x4e0c9fa8, ctx=0x4e07bf9c, check=1, oldcount=0, 
> >     index_hint=0) at curs_main.c:313
> > 313       mutt_sort_headers (Context, (check == M_REOPENED));
> > (gdb) print *Context
> > $15 = {path = 0x4e07dfe8 "/home/safari/Maildir", fp = 0x0, mtime = 1067556677, 
> >   mtime_cur = 1067555530, size = 405, vsize = 0, pattern = 0x0, limit_pattern = 0x0, 
> >   hdrs = 0x4f246f9c, tree = 0x0, id_hash = 0x0, subj_hash = 0x4f254ff8, 
> >   thread_hash = 0x4f24cff8, v2r = 0x4f248f9c, hdrmax = 25, msgcount = 1, vcount = 1, 
> >   tagged = 0, new = 1, unread = 1, deleted = 0, flagged = 0, msgnotreadyet = -1, data = 0x0, 
> >   magic = 4, locked = 0, changed = 0, readonly = 0, dontwrite = 0, append = 0, quiet = 0, 
> >   collapsed = 0, closing = 0}
> > 

-- 
Daniel E. Eisenbud
eisenbud@xxxxxxxxxxxxxx
Computational Biology Center
Memorial Sloan-Kettering Cancer Center