assertion failed in libc/stdlib/malloc.c

From: Jille Timmermans <jille_at_quis.cx> Date: Mon, 22 Sep 2008 18:24:31 +0200 · This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:39:35 UTC

Hello,

I ran into an assertion failure in malloc.c; I'm running HEAD of 20 sept
(i386).
Assertion failed: (arena->magic == ARENA_MAGIC), function arena_dalloc,
file /usr/src/lib/libc/stdlib/malloc.c, line 3837.

Here is (my stripped down) program (crash.c), a file it reads data from
(doolhof), and output from: compiling, running and gdb on the .core
(typescript (not really a typescript (anymore))).

If mailman eats the attachments I will reply with urls.

-- Jille

0 0 0 0 0 1 0
0 0 18

#include <stdio.h>
#include <stdlib.h>
#define MAP_WIDTH		1
#define MAP_HEIGHT	1

typedef enum { LEEG, BAL, MUUR } hokje;
hokje map[MAP_HEIGHT][MAP_WIDTH];

int
main(int argc, char **argv) {
	int kx, ky, kd, bx, by, hmuren, vmuren;
	FILE *fh = fopen("doolhof", "r");
	fscanf(fh, "%d %d %d %d %d %d %d\n", &kx, &ky, &kd, &bx, &by, &hmuren, &vmuren);

	while(hmuren--) {
		int mx, my, md;
		fscanf(fh, "%d %d %d\n", &mx, &my, &md);

		while(md--) {
			map[my][mx] = MUUR;
			mx++;
		}
	}

	fclose(fh);
	return 0;
}

$ gcc -nodefaultlibs -o crash crash.c /usr/obj/usr/src/lib/libc/libc.so.7
$ LD_LIBRARY_PATH=/usr/obj/usr/src/lib/libc ./crash
Assertion failed: (arena->magic == ARENA_MAGIC), function arena_dalloc, file /usr/src/lib/libc/stdlib/malloc.c, line 3837.
Abort trap (core dumped)
$ gdb crash crash.core
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-marcel-freebsd"...(no debugging symbols found)...
Core was generated by `crash'.
Program terminated with signal 6, Aborted.
Reading symbols from /usr/obj/usr/src/lib/libc/libc.so.7...done.
Loaded symbols for /usr/obj/usr/src/lib/libc/libc.so.7
Reading symbols from /libexec/ld-elf.so.1...done.
Loaded symbols for /libexec/ld-elf.so.1
#0  0x281687d7 in kill () at kill.S:2
2	RSYSCALL(kill)
(gdb) bt
#0  0x281687d7 in kill () at kill.S:2
#1  0x28168736 in __raise (s=6) at /usr/src/lib/libc/gen/raise.c:46
#2  0x2816735a in abort () at /usr/src/lib/libc/stdlib/abort.c:65
#3  0x2814d676 in __assert (func=0x6 <Address 0x6 out of bounds>, 
    file=0x5 <Address 0x5 out of bounds>, line=0, 
    failedexpr=0x28170169 "arena->magic == ARENA_MAGIC")
    at /usr/src/lib/libc/gen/assert.c:54
#4  0x280ef7e5 in idalloc (ptr=0x8101000)
    at /usr/src/lib/libc/stdlib/malloc.c:3837
#5  0x280f00b7 in free (ptr=0x8101000)
    at /usr/src/lib/libc/stdlib/malloc.c:5447
#6  0x2815249e in fclose (fp=0x28192060)
    at /usr/src/lib/libc/stdio/fclose.c:61
#7  0x08048558 in main ()
Current language:  auto; currently asm
(gdb) frame 7
#7  0x08048558 in main ()
(gdb) list
61			free((char *)fp->_bf._base);
62		if (HASUB(fp))
63			FREEUB(fp);
64		if (HASLB(fp))
65			FREELB(fp);
66		fp->_file = -1;
67		fp->_r = fp->_w = 0;	/* Mess up if reaccessed. */
68		fp->_flags = 0;		/* Release this FILE for reuse. */
69		FUNLOCKFILE(fp);
70		return (r);
(gdb) frame 6
#6  0x2815249e in fclose (fp=0x28192060)
    at /usr/src/lib/libc/stdio/fclose.c:61
61			free((char *)fp->_bf._base);
Current language:  auto; currently c
(gdb) list
56		FLOCKFILE(fp);
57		r = fp->_flags & __SWR ? __sflush(fp) : 0;
58		if (fp->_close != NULL && (*fp->_close)(fp->_cookie) < 0)
59			r = EOF;
60		if (fp->_flags & __SMBF)
61			free((char *)fp->_bf._base);
62		if (HASUB(fp))
63			FREEUB(fp);
64		if (HASLB(fp))
65			FREELB(fp);
(gdb) frame 5
#5  0x280f00b7 in free (ptr=0x8101000)
    at /usr/src/lib/libc/stdlib/malloc.c:5447
5447			idalloc(ptr);
(gdb) list
5442	
5443		UTRACE(ptr, 0, 0);
5444		if (ptr != NULL) {
5445			assert(malloc_initialized);
5446	
5447			idalloc(ptr);
5448		}
5449	}
5450	
5451	/*
(gdb) frame 4
#4  0x280ef7e5 in idalloc (ptr=0x8101000)
    at /usr/src/lib/libc/stdlib/malloc.c:3837
3837		assert(arena->magic == ARENA_MAGIC);
(gdb) list
3832	{
3833		size_t pageind;
3834		arena_chunk_map_t *mapelm;
3835	
3836		assert(arena != NULL);
3837		assert(arena->magic == ARENA_MAGIC);
3838		assert(chunk->arena == arena);
3839		assert(ptr != NULL);
3840		assert(CHUNK_ADDR2BASE(ptr) != ptr);
3841	
(gdb) 