
Re: mutt_free_header -> free -> mutt_sort_headers -> segfault



No, this seems to be a maildir thing.

On 2003-11-03 16:46:36 -0500, Daniel E. Eisenbud wrote:
> From: "Daniel E. Eisenbud" <eisenbud@xxxxxxxxxxxxxx>
> To: q4xk3j002@xxxxxxxxxxxxxx, mutt-dev@xxxxxxxx
> Date: Mon, 3 Nov 2003 16:46:36 -0500
> Subject: Re: mutt_free_header -> free -> mutt_sort_headers -> segfault
> Mail-Followup-To: "Daniel E. Eisenbud" <eisenbud@xxxxxxxxxxxxxx>,
>       q4xk3j002@xxxxxxxxxxxxxx, mutt-dev@xxxxxxxx
> X-Spam-Level: 
> 
> Is this by any chance an IMAP mailbox?
> 
> -Daniel
> 
> On Mon, Nov 03, 2003 at 07:27:20PM +0100, Thomas Roessler 
> <roessler@xxxxxxxxxxxxxxxxxx> wrote:
> > Thanks for that report, and apologies for not replying earlier.
> > Unfortunately, I don't seem to be able to reproduce the crash with
> > my own inbox, on a redhat-9 system.  It would be helpful if you
> > could provide me with a "reproduction package", consisting of:
> > 
> > * a mailbox,
> > * a message that can be added to that mailbox to trigger the problem,
> > * the configuration file used. (Should be as close as possible to
> >   the default configuration.)
> > 
> > Thanks,
> > -- 
> > Thomas Roessler · Personal soap box at <http://log.does-not-exist.org/>.
> > 
> > 
> > 
> > 
> > 
> > On 2003-10-31 00:00:20 -0000, q4xk3j002@xxxxxxxxxxxxxx wrote:
> > > From: q4xk3j002@xxxxxxxxxxxxxx
> > > To: mutt-dev@xxxxxxxx
> > > Date: 31 Oct 2003 00:00:20 -0000
> > > Subject: mutt_free_header -> free -> mutt_sort_headers -> segfault
> > > X-Spam-Level: 
> > > 
> > > current[*] mutt 1.5.4 cvs is using already freed memory
> > > 
> > > NOTE: Cc possible replies/extra questions to me.
> > > 
> > > [*]
> > > $ head -n 1 ChangeLog
> > > 2003-10-08 19:55:39  Thomas Roessler  <roessler@xxxxxxxxxxxxxxxxxx>  
> > > (roessler)
> > > 
> > > I have gcc-3.3.2, valgrind-20030725, libefence-2.2,
> > > RH Linux IA-32, glibc-2.3.2-4.80.
> > > 
> > > ./configure --with-homespool=Maildir --with-ncurses --with-mixmaster 
> > > --enable-pop --enable-imap --with-ssl
> > > 
> > > 
> > > 
> > > you can try to reproduce this way:
> > > send one mail to user (whose Maildir-inbox is opened in mutt)
> > > delete the mail
> > > sync-mailbox
> > > (maybe press TAB)
> > > send another mail to the user
> > > press TAB and get segfault
> > > 
> > > (I used the same subject in this test)
> > > 
> > > 
> > > 
> > > Here is what valgrind has to say about the test.
> > > 
> > > ==3497== ERROR SUMMARY: 20 errors from 5 contexts (suppressed: 0 from 0)
> > > ==3497== 
> > > ==3497== 1 errors in context 1 of 5:
> > > ==3497== Conditional jump or move depends on uninitialised value(s)
> > > ==3497==    at 0x80DC5E6: _nc_do_color (in /usr/local/src/mutt/mutt)
> > > ==3497==    by 0x80E1837: vidputs (in /usr/local/src/mutt/mutt)
> > > ==3497==    by 0x80E2038: vidattr (in /usr/local/src/mutt/mutt)
> > > ==3497==    by 0x80E6FC0: _nc_screen_wrap (in /usr/local/src/mutt/mutt)
> > > ==3497== 
> > > ==3497== 1 errors in context 2 of 5:
> > > ==3497== Conditional jump or move depends on uninitialised value(s)
> > > ==3497==    at 0x40009565: _dl_relocate_object_internal (in 
> > > /lib/ld-2.3.2.so)
> > > ==3497==    by 0x40545D90: (within /lib/libc-2.3.2.so)
> > > ==3497==    by 0x4000B115: _dl_catch_error_internal (in /lib/ld-2.3.2.so)
> > > ==3497==    by 0x405454AE: _dl_open (in /lib/libc-2.3.2.so)
> > > ==3497== 
> > > ==3497== 1 errors in context 3 of 5:
> > > ==3497== Conditional jump or move depends on uninitialised value(s)
> > > ==3497==    at 0x40009517: _dl_relocate_object_internal (in 
> > > /lib/ld-2.3.2.so)
> > > ==3497==    by 0x40545D90: (within /lib/libc-2.3.2.so)
> > > ==3497==    by 0x4000B115: _dl_catch_error_internal (in /lib/ld-2.3.2.so)
> > > ==3497==    by 0x405454AE: _dl_open (in /lib/libc-2.3.2.so)
> > > ==3497== 
> > > ==3497== 2 errors in context 4 of 5:
> > > ==3497== Invalid read of size 1
> > > ==3497==    at 0x40020363: strcmp (in 
> > > /usr/local/lib/valgrind/vgskin_memcheck.so)
> > > ==3497==    by 0x8078764: hash_find_hash (hash.c:104)
> > > ==3497==    by 0x80B3E7A: mutt_sort_threads (thread.c:778)
> > > ==3497==    by 0x80B12B1: mutt_sort_headers (sort.c:234)
> > > ==3497==    Address 0x421ADBCC is 0 bytes inside a block of size 62 free'd
> > > ==3497==    at 0x40029381: free (in 
> > > /usr/local/lib/valgrind/vgskin_memcheck.so)
> > > ==3497==    by 0x80B8661: mutt_free_envelope (muttlib.c:649)
> > > ==3497==    by 0x80B77E5: mutt_free_header (muttlib.c:270)
> > > ==3497==    by 0x808BB02: mx_update_tables (mx.c:1097)
> > > ==3497== 
> > > ==3497== 15 errors in context 5 of 5:
> > > ==3497== Source and destination overlap in strncpy(0x421b9cfc, 
> > > 0x421b9ca0, 168)
> > > ==3497==    at 0x400202B5: strncpy (in 
> > > /usr/local/lib/valgrind/vgskin_memcheck.so)
> > > ==3497== IN SUMMARY: 20 errors from 5 contexts (suppressed: 0 from 0)
> > > ==3497== 
> > > ==3497== malloc/free: in use at exit: 746762 bytes in 15878 blocks.
> > > ==3497== malloc/free: 29065 allocs, 13187 frees, 1589232 bytes allocated.
> > > 
> > > 
> > > 
> > > and gdb+efence
> > > 
> > > ---Mutt: ~/Maildir 
> > > [Msgs:0]---(threads/date)----------------------------(all)---
> > > Sorting mailbox...                                                        
> > >                      
> > > Program received signal SIGSEGV, Segmentation fault.
> > > 0x4027c5da in strcmp () from /lib/libc.so.6
> > > (gdb) bt
> > > #0  0x4027c5da in strcmp () from /lib/libc.so.6
> > > #1  0x080b6d3a in mutt_strcmp (a=0x4f24cff8 "\002", b=0x0) at lib.c:574
> > > #2  0x08078765 in hash_find_hash (table=0x4f24cff8, hash=0, 
> > >     key=0x4f5a1fc0 
> > > "<37jpyiljbviy4e46gtffe4kabrmk4dhq@xxxxxxxxxxxxxxxxxxxxxxxxxx>")
> > >     at hash.c:104
> > > #3  0x080b3e7b in mutt_sort_threads (ctx=0x4e07bf9c, init=0) at 
> > > thread.c:778
> > > #4  0x080b12b2 in mutt_sort_headers (ctx=0x4e07bf9c, init=0) at sort.c:234
> > > #5  0x080631a8 in update_index (menu=0x4e0c9fa8, ctx=0x4e07bf9c, check=1, 
> > > oldcount=0, 
> > >     index_hint=0) at curs_main.c:313
> > > #6  0x08063803 in mutt_index_menu () at curs_main.c:488
> > > #7  0x08080291 in main (argc=1, argv=0xbfffea64) at main.c:907
> > > #8  0x40217907 in __libc_start_main () from /lib/libc.so.6
> > > (gdb) disass $eip-8 $eip+8 
> > > Dump of assembler code from 0x4027c5d2 to 0x4027c5e2:
> > > 0x4027c5d2 <strcmp+2>:  and    $0x4,%al
> > > 0x4027c5d4 <strcmp+4>:  mov    0x8(%esp,1),%edx
> > > 0x4027c5d8 <strcmp+8>:  mov    (%ecx),%al
> > > 0x4027c5da <strcmp+10>: cmp    (%edx),%al
> > > 0x4027c5dc <strcmp+12>: jne    0x4027c5e7 <strcmp+23>
> > > 0x4027c5de <strcmp+14>: inc    %ecx
> > > 0x4027c5df <strcmp+15>: inc    %edx
> > > 0x4027c5e0 <strcmp+16>: test   %al,%al
> > > End of assembler dump.
> > > (gdb) print $eip
> > > $5 = (void *) 0x4027c5da
> > > (gdb) print $edx
> > > $6 = 1327738816
> > > (gdb) frame 2
> > > #2  0x08078765 in hash_find_hash (table=0x4f24cff8, hash=0, 
> > >     key=0x4f5a1fc0 
> > > "<37jpyiljbviy4e46gtffe4kabrmk4dhq@xxxxxxxxxxxxxxxxxxxxxxxxxx>")
> > >     at hash.c:104
> > > 104         if (mutt_strcmp (key, ptr->key) == 0)
> > > (gdb) print *table
> > > $10 = {nelem = 2, table = 0x4f24eff8}
> > > (gdb) up
> > > #3  0x080b3e7b in mutt_sort_threads (ctx=0x4e07bf9c, init=0) at 
> > > thread.c:778
> > > 778             thread = hash_find (ctx->thread_hash, 
> > > cur->env->message_id);
> > > (gdb) print *ctx
> > > $11 = {path = 0x4e07dfe8 "/home/safari/Maildir", fp = 0x0, mtime = 
> > > 1067556677, 
> > >   mtime_cur = 1067555530, size = 405, vsize = 0, pattern = 0x0, 
> > > limit_pattern = 0x0, 
> > >   hdrs = 0x4f246f9c, tree = 0x0, id_hash = 0x0, subj_hash = 0x4f254ff8, 
> > >   thread_hash = 0x4f24cff8, v2r = 0x4f248f9c, hdrmax = 25, msgcount = 1, 
> > > vcount = 1, 
> > >   tagged = 0, new = 1, unread = 1, deleted = 0, flagged = 0, 
> > > msgnotreadyet = -1, data = 0x0, 
> > >   magic = 4, locked = 0, changed = 0, readonly = 0, dontwrite = 0, append 
> > > = 0, quiet = 0, 
> > >   collapsed = 0, closing = 0}
> > > (gdb) print *cur     
> > > $13 = {security = 0, mime = 0, flagged = 0, tagged = 0, deleted = 0, 
> > > changed = 0, 
> > >   attach_del = 0, old = 0, read = 0, expired = 0, superseded = 0, replied 
> > > = 0, 
> > >   subject_changed = 0, threaded = 0, display_subject = 0, recip_valid = 
> > > 0, active = 0, 
> > >   trash = 0, zhours = 0, zminutes = 0, zoccident = 0, searched = 0, 
> > > matched = 0, 
> > >   collapsed = 0, limited = 0, num_hidden = 0, recipient = 0, pair = 0, 
> > >   date_sent = 1067556675, received = 1067556675, offset = 0, lines = 0, 
> > > index = 0, msgno = 0, 
> > >   virtual = 0, score = 0, env = 0x4f591fbc, content = 0x4f595fbc, 
> > >   path = 0x4f582fd8 "new/1067556677.3579.safari.finland.fbi", tree = 0x0, 
> > > thread = 0x0, 
> > >   chain = 0x0, refno = 0, data = 0x0, maildir_flags = 0x0}
> > > (gdb) frame 5
> > > #5  0x080631a8 in update_index (menu=0x4e0c9fa8, ctx=0x4e07bf9c, check=1, 
> > > oldcount=0, 
> > >     index_hint=0) at curs_main.c:313
> > > 313       mutt_sort_headers (Context, (check == M_REOPENED));
> > > (gdb)print *Context
> > > $15 = {path = 0x4e07dfe8 "/home/safari/Maildir", fp = 0x0, mtime = 
> > > 1067556677, 
> > >   mtime_cur = 1067555530, size = 405, vsize = 0, pattern = 0x0, 
> > > limit_pattern = 0x0, 
> > >   hdrs = 0x4f246f9c, tree = 0x0, id_hash = 0x0, subj_hash = 0x4f254ff8, 
> > >   thread_hash = 0x4f24cff8, v2r = 0x4f248f9c, hdrmax = 25, msgcount = 1, 
> > > vcount = 1, 
> > >   tagged = 0, new = 1, unread = 1, deleted = 0, flagged = 0, 
> > > msgnotreadyet = -1, data = 0x0, 
> > >   magic = 4, locked = 0, changed = 0, readonly = 0, dontwrite = 0, append 
> > > = 0, quiet = 0, 
> > >   collapsed = 0, closing = 0}
> > > 
> 
> -- 
> Daniel E. Eisenbud
> eisenbud@xxxxxxxxxxxxxx
> Computational Biology Center
> Memorial Sloan-Kettering Cancer Center
> 

-- 
Thomas Roessler · Personal soap box at <http://log.does-not-exist.org/>.
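The defect the valgrind trace pins down is a classic borrowed-key use-after-free: mutt_free_header frees the envelope (and with it the message_id string) while thread_hash still holds a pointer to that string as its key, so the next hash_find from mutt_sort_threads hands freed memory to strcmp. The following C model, added here as an illustration and not taken from mutt's source, reproduces that ownership pattern and shows the generic remedy of unlinking the header from every table that borrows its strings before the strings are freed. The ENVELOPE, HEADER and HASH names only echo the backtrace and are simplified stand-ins; nothing here is a claim about what mutt's maintainers actually changed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified stand-ins for mutt's ENVELOPE, HEADER and HASH
 * types (names chosen to echo the backtrace; not mutt's real definitions). */
typedef struct { char *message_id; } ENVELOPE;
typedef struct { ENVELOPE *env; } HEADER;

struct hash_elem {
    const char *key;            /* borrowed: points into a header's envelope */
    void *data;
    struct hash_elem *next;
};
typedef struct { int nelem; struct hash_elem **table; } HASH;

static unsigned hash_string(const char *s, int nelem) {
    unsigned h = 0;
    while (*s) h = h * 31 + (unsigned char)*s++;
    return h % (unsigned)nelem;
}

static char *copy_string(const char *s) {
    size_t n = strlen(s) + 1;
    char *c = malloc(n);
    memcpy(c, s, n);
    return c;
}

HASH *hash_create(int nelem) {
    HASH *h = calloc(1, sizeof *h);
    h->nelem = nelem;
    h->table = calloc((size_t)nelem, sizeof *h->table);
    return h;
}

/* Stores the caller's key pointer without copying it, like the report's
 * thread_hash: the table is only valid while every key's owner is alive. */
void hash_insert(HASH *h, const char *key, void *data) {
    struct hash_elem *e = malloc(sizeof *e);
    unsigned idx = hash_string(key, h->nelem);
    e->key = key;
    e->data = data;
    e->next = h->table[idx];
    h->table[idx] = e;
}

/* The hash.c:104 pattern from the report: strcmp() dereferences every stored
 * key on the chain, so a dangling key here becomes a read of freed memory. */
void *hash_find(HASH *h, const char *key) {
    struct hash_elem *p;
    for (p = h->table[hash_string(key, h->nelem)]; p; p = p->next)
        if (strcmp(key, p->key) == 0)
            return p->data;
    return NULL;
}

/* Unlink the element whose data pointer matches. Only pointers are compared,
 * so this is safe even when the key string is about to be freed. */
int hash_delete(HASH *h, const char *key, void *data) {
    struct hash_elem **pp = &h->table[hash_string(key, h->nelem)];
    for (; *pp; pp = &(*pp)->next) {
        if ((*pp)->data == data) {
            struct hash_elem *dead = *pp;
            *pp = dead->next;
            free(dead);
            return 1;
        }
    }
    return 0;
}

HEADER *new_header(const char *message_id) {
    HEADER *hdr = calloc(1, sizeof *hdr);
    hdr->env = calloc(1, sizeof *hdr->env);
    hdr->env->message_id = copy_string(message_id);
    return hdr;
}

/* The order the backtrace shows: envelope and message_id are freed while a
 * table still points at the string. Shown for contrast only; not called. */
void free_header_buggy(HEADER **hdr) {
    free((*hdr)->env->message_id);   /* thread_hash key now dangles */
    free((*hdr)->env);
    free(*hdr);
    *hdr = NULL;                     /* next hash_find() reads freed memory */
}

/* Corrected order: detach the header from the table that borrows its string
 * before the string goes away, so later lookups never touch freed memory. */
void free_header_safe(HASH *thread_hash, HEADER **hdr) {
    if (thread_hash)
        hash_delete(thread_hash, (*hdr)->env->message_id, *hdr);
    free((*hdr)->env->message_id);
    free((*hdr)->env);
    free(*hdr);
    *hdr = NULL;
}

int main(void) {
    HASH *th = hash_create(8);                    /* constructed sample data */
    HEADER *a = new_header("<a@example.invalid>");
    hash_insert(th, a->env->message_id, a);
    free_header_safe(th, &a);
    printf("lookup after safe free: %p\n", hash_find(th, "<a@example.invalid>"));
    return 0;
}
```

Running the safe path under valgrind or AddressSanitizer reports no invalid reads; swapping in free_header_buggy while the table still holds the key reproduces the "Invalid read of size 1 ... inside a block ... free'd" report shape seen above, which is the check to run after any change to the order in which headers are freed and tables are rebuilt.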