When spell-checking 'HTH' aspell core dumps in FreeBSD 8.0 with
debugging malloc() options. From a gdb run, it seems that this is a
double-free bug. The memory that aspell is attempting to free when it
aborts is filled with 0x5a and the malloc() manpage of BSD says about
the 'J' debugging flag of malloc():
    J  Each byte of new memory allocated by malloc(), realloc() or
       reallocf() will be initialized to 0xa5. All memory returned by
       free(), realloc() or reallocf() will be initialized to 0x5a.
       This is intended for debugging and will impact performance
       negatively.
Here is a terminal script with what I could find so far:

Script started on Wed Jul 30 03:22:04 2008

keramida@kobe:/home/keramida$ echo HTH | aspell -a
@(#) International Ispell Version 3.1.20 (but really Aspell 0.60.6)
Segmentation fault: 11 (core dumped)

keramida@kobe:/home/keramida$ gdb /usr/local/bin/aspell aspell.core
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-marcel-freebsd"...No symbol table is loaded. Use the "file" command.

Core was generated by `aspell'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /usr/local/lib/libaspell.so.16...done.
Loaded symbols for /usr/local/lib/libaspell.so.16
Reading symbols from /lib/libncursesw.so.7...done.
Loaded symbols for /lib/libncursesw.so.7
Reading symbols from /usr/local/lib/libintl.so.8...done.
Loaded symbols for /usr/local/lib/libintl.so.8
Reading symbols from /usr/local/lib/libiconv.so.3...done.
Loaded symbols for /usr/local/lib/libiconv.so.3
Reading symbols from /usr/lib/libstdc++.so.6...done.
Loaded symbols for /usr/lib/libstdc++.so.6
Reading symbols from /lib/libm.so.5...done.
Loaded symbols for /lib/libm.so.5
Reading symbols from /lib/libgcc_s.so.1...done.
Loaded symbols for /lib/libgcc_s.so.1
Reading symbols from /lib/libc.so.7...done.
Loaded symbols for /lib/libc.so.7
Reading symbols from /libexec/ld-elf.so.1...done.
Loaded symbols for /libexec/ld-elf.so.1
#0  memset () at /home/build/src/lib/libc/i386/string/memset.S:78
78              rep
(gdb) bt
#0  memset () at /home/build/src/lib/libc/i386/string/memset.S:78
#1  0x0812d000 in ?? ()
#2  0x28438e27 in idalloc (ptr=0x812da60) at /home/build/src/lib/libc/stdlib/malloc.c:3219
#3  0x284390a7 in free (ptr=0x812da60) at /home/build/src/lib/libc/stdlib/malloc.c:4662
#4  0x28107c1e in acommon::HashTable<acommon::HashSetParms<acommon::String, acommon::HashString<acommon::String>, std::equal_to<acommon::String>, false> >::del () from /usr/local/lib/libaspell.so.16
#5  0x28100f38 in (anonymous namespace)::Working::transfer () from /usr/local/lib/libaspell.so.16
#6  0x28104685 in (anonymous namespace)::Working::get_suggestions () from /usr/local/lib/libaspell.so.16
#7  0x2810515c in (anonymous namespace)::SuggestImpl::suggest () from /usr/local/lib/libaspell.so.16
#8  0x28116974 in aspeller::SpellerImpl::suggest () from /usr/local/lib/libaspell.so.16
#9  0x28149be0 in aspell_speller_suggest () from /usr/local/lib/libaspell.so.16
#10 0x0805dc32 in pipe ()
#11 0x0806174a in main ()
Current language:  auto; currently asm
(gdb) x/100b 0x812da60
0x812da60:      0x5a    0x5a    0x5a    0x5a    0x5a    0x5a    0x5a    0x5a
0x812da68:      0x5a    0x5a    0x5a    0x5a    0x5a    0x5a    0x5a    0x5a
0x812da70:      0x5a    0x5a    0x5a    0x5a    0x5a    0x5a    0x5a    0x5a
0x812da78:      0x5a    0x5a    0x5a    0x5a    0x5a    0x5a    0x5a    0x5a
0x812da80:      0x5a    0x5a    0x5a    0x5a    0x5a    0x5a    0x5a    0x5a
0x812da88:      0x5a    0x5a    0x5a    0x5a    0x5a    0x5a    0x5a    0x5a
0x812da90:      0x5a    0x5a    0x5a    0x5a    0x5a    0x5a    0x5a    0x5a
0x812da98:      0x5a    0x5a    0x5a    0x5a    0x5a    0x5a    0x5a    0x5a
0x812daa0:      0x5a    0x5a    0x5a    0x5a    0x5a    0x5a    0x5a    0x5a
0x812daa8:      0x5a    0x5a    0x5a    0x5a    0x5a    0x5a    0x5a    0x5a
0x812dab0:      0x5a    0x5a    0x5a    0x5a    0x5a    0x5a    0x5a    0x5a
0x812dab8:      0x5a    0x5a    0x5a    0x5a    0x5a    0x5a    0x5a    0x5a
0x812dac0:      0x5a    0x5a    0x5a    0x5a
(gdb) quit
keramida@kobe:/home/keramida$ exit
exit

Script done on Wed Jul 30 03:22:32 2008
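As an added triage helper (not part of the report or of aspell itself): this parses a gdb `x/Nb ADDR` byte dump like the one above and checks it against the two malloc(3) J-flag fill values, so the reading "this block was already passed to free()" can be confirmed mechanically rather than by eye. The sample dump is constructed to mirror the report; the function names are my own.

```python
import re

# FreeBSD malloc(3) 'J' debug-option fill values, from the manpage quoted above
FILL_NEW = 0xA5    # every byte of freshly allocated memory
FILL_FREED = 0x5A  # every byte of memory returned by free()/realloc()

# One gdb `x/Nb` output line: "0xADDR[ <sym+off>]:" followed by hex bytes
GDB_LINE = re.compile(r"^\s*(0x[0-9a-fA-F]+)\s*(?:<[^>]*>)?:\s*(.*)$")


def parse_gdb_bytes(dump):
    """Parse `x/Nb` output into (base_address, bytes); skips prompts/noise."""
    base = None
    data = bytearray()
    for line in dump.splitlines():
        m = GDB_LINE.match(line)
        if not m:
            continue  # e.g. the "(gdb) x/100b ..." prompt line
        addr = int(m.group(1), 16)
        vals = [int(tok, 16) for tok in m.group(2).split()]
        if base is None:
            base = addr
        elif addr != base + len(data):
            raise ValueError("non-contiguous dump at %#x" % addr)
        data.extend(vals)
    return base, bytes(data)


def classify_fill(data):
    """Say which malloc(3) J-flag pattern, if any, the region shows."""
    if not data:
        return "empty"
    if all(b == FILL_FREED for b in data):
        return "freed"   # consistent with a block already released by free()
    if all(b == FILL_NEW for b in data):
        return "fresh"   # consistent with a new, never-written allocation
    freed = sum(b == FILL_FREED for b in data)
    return "mixed (%d/%d bytes are 0x5a)" % (freed, len(data))


def triage(dump):
    """Return (base address, byte count, verdict) for a gdb byte dump."""
    base, data = parse_gdb_bytes(dump)
    return base, len(data), classify_fill(data)


# Constructed sample mirroring the first rows of the x/100b dump above
SAMPLE = """(gdb) x/24b 0x812da60
0x812da60:      0x5a    0x5a    0x5a    0x5a    0x5a    0x5a    0x5a    0x5a
0x812da68:      0x5a    0x5a    0x5a    0x5a    0x5a    0x5a    0x5a    0x5a
0x812da70:      0x5a    0x5a    0x5a    0x5a    0x5a    0x5a    0x5a    0x5a
"""
```

A "freed" verdict on the pointer being passed to free() is exactly the double-free signature the report describes; "fresh" or "mixed" would point at a use of uninitialized memory or a partial overwrite instead.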
Logged In: YES
user_id=6591
Originator: NO
I cannot seem to reproduce the bug.
It will be a big help if you could reproduce the bug with optimization turned off and debugging on, i.e. CXXFLAGS="-g". Failing that, enabling debugging with optimization may help.
Logged In: YES
user_id=2162580
Originator: YES
The original gdb trace was grabbed from a debugging aspell binary.
$ file /usr/local/bin/aspell
/usr/local/bin/aspell: ELF 32-bit LSB executable, Intel 80386, \
version 1 (FreeBSD), for FreeBSD 8.0 (800040), \
dynamically linked (uses shared libs), FreeBSD-style, not stripped
I'll rebuild without any optimizations, just to make sure I'm not
getting the wrong stacktrace. Thanks for the superfast followup :)
Logged In: YES
user_id=6591
Originator: NO
The stack trace you gave me does not have line numbers, thus I don't think the binary was built with debugging turned on.
Also, can you run "locale" and let me see the output?
What version of Aspell is this? Use "aspell -v" to find out.
This issue has moved to GitHub: https://github.com/GNUAspell/aspell/issues/444