Re: possible je-malloc issue

From: Steve Kargl <sgk_at_troutmask.apl.washington.edu>
Date: Thu, 2 Aug 2012 17:15:56 -0700
On Thu, Aug 02, 2012 at 04:36:35PM -0700, Steve Kargl wrote:
> On Thu, Aug 02, 2012 at 04:21:20PM -0700, Jason Evans wrote:
> > On Aug 2, 2012, at 3:32 PM, Steve Kargl wrote:
> > > (gdb) print *ptr
> > > Attempt to dereference a generic pointer.
> > > (gdb) up 1
> > > #5  0x48164b7d in XFree (data=0x80f58e0) at XlibInt.c:1701
> > > 1701    XlibInt.c: No such file or directory.
> > > (gdb) print *data
> > > Attempt to dereference a generic pointer.
> > > (gdb) up 1
> > > #6  0x080c4f2f in FlocaleFreeNameProperty (ptext=0xbfbfcfb4) at Flocale.c:2363
> > > 2363    Flocale.c: No such file or directory.
> > > (gdb) print *ptext
> > > $5 = {name = 0x80f58e0 "Untitled", name_list = 0x0}
> > 
> > jemalloc is asserting that the page which contains 0x80f58e0 is allocated
> > according to the containing chunk's page map, but the chunk header isn't
> > even mapped, and the attempted read causes a segfault.  This is almost
> > certainly a result of calling free() with a bogus pointer.
> > 
> 
> I suspect, but cannot prove it yet, that ptext->name points at
> a static buffer.  I'm trying to understand the code now.  The
> failure starts in
> 
> void FlocaleFreeNameProperty(FlocaleNameString *ptext)
> {
> 	if (ptext->name_list != NULL)
> 	{
> 		if (ptext->name != NULL && ptext->name != *ptext->name_list)
> 			XFree(ptext->name);
> 		XFreeStringList(ptext->name_list);
> 		ptext->name_list = NULL;
> 	}
> 	else if (ptext->name != NULL)
> 	{
> 		XFree(ptext->name);
> 	}
> 	ptext->name = NULL;
> 
> 	return;
> }
> 
> In the code the XFree(ptext->name) appears protected by the check
> for a NULL pointer, but it appears that 0x80f58e0 is invalid.  I
> don't know how to check for a non-NULL invalid pointer.  I suppose
> I can hack fvwm to leak memory at worst.
> 

I think I found the problem.  In fvwm/add_window.c
one finds the global entity

char NoName[] = "Untitled"; /* name if no name in XA_WM_NAME */

then later in fvwm/events.c one finds

        FlocaleNameString new_name = { NoName, NULL };

At some point FlocaleFreeNameProperty is called to
free the FlocaleNameString that contains NoName,
and XFree() is not happy.
-- 
Steve
Received on Thu Aug 02 2012 - 22:15:57 UTC