
#1938 closed bug (invalid)

libroot: free bug - Segment violation

Reported by: thorn Owned by: axeld
Priority: normal Milestone: R1
Component: System/libroot.so Version: R1/Development
Keywords: Cc:
Blocked By: Blocking:
Platform: x86

Description

env: haiku hrev24413 texinfo-4.11 / makeinfo

backtrace:

This GDB was configured as "i586-pc-haiku"...
[tcsetpgrp failed in terminal_inferior: Invalid Argument]
Thread 7323 caused an exception: Segment violation
Reading symbols from /boot/beos/system/lib/libroot.so...done.
Loaded symbols for /boot/beos/system/lib/libroot.so
[tcsetpgrp failed in terminal_inferior: Invalid Argument]
[Switching to team ../makeinfo --html -I./../../doc -I../../doc --no-split ./../.. (7323) thread makeinfo (7323)]
0x0027289c in atomic_test_and_set () from /boot/beos/system/lib/libroot.so
(gdb) bt full
#0  0x0027289c in atomic_test_and_set () from /boot/beos/system/lib/libroot.so
No symbol table info available.
#1  0x00276d85 in BPrivate::hoardLock () from /boot/beos/system/lib/libroot.so
No symbol table info available.
#2  0x0027a406 in BPrivate::processHeap::free ()
   from /boot/beos/system/lib/libroot.so
No symbol table info available.
#3  0x0027bb08 in free () from /boot/beos/system/lib/libroot.so
No symbol table info available.
#4  0x00229846 in getdocumenttext (msgid=0x23e447 "Up:") at makeinfo.c:4348
        tmp = 0x0
        old_LC_ALL = 0x0
        old_LANGUAGE = 0x0
        result = 0x23e447 "Up:"
        old_locale = 0x1802bf00 "C"
#5  0x0022d0b8 in cm_node () at node.c:1021
        epilogue_len = 0
        node = 0x1800f548 "Help-FOO"
        prev = 0x0
        next = 0x0
        up = 0x1802bef0 "Help-M"
        new_node_pos = 35337
        defaulting = 0
        this_section = 4

source:

  char* old_locale;
..
  setlocale (LC_ALL, old_locale);
  free (old_locale); 

serial log:

vm_soft_fault: va 0x398 not covered by area in address space
vm_page_fault: vm_soft_fault returned error 'Bad address' on fault at 0x398, ip 0x27289c, write 1, user 1, thread 0x1c9b
vm_page_fault: sending team "makeinfo" 0x1c9b SIGSEGV, ip 0x27289c ("libroot.so_seg0ro" +0x2289c)
stack trace:
  0x0027a406 (libroot.so_seg0ro + 0x2a406)
  0x0027bb08 (libroot.so_seg0ro + 0x2bb08)
  0x00229846 (makeinfo_seg0ro + 0x29846)
  0x0022d0b8 (makeinfo_seg0ro + 0x2d0b8)
  0x00225718 (makeinfo_seg0ro + 0x25718)
  0x00225d35 (makeinfo_seg0ro + 0x25d35)
  0x0022482a (makeinfo_seg0ro + 0x2482a)
  0x00223cef (makeinfo_seg0ro + 0x23cef)
  0x00222ce2 (makeinfo_seg0ro + 0x22ce2)
  0x0020c5e5 (makeinfo_seg0ro + 0xc5e5)
  0x001007ca (runtime_loader_seg0ro + 0x7ca)
  0x7ffe6fec (makeinfo_main_stack + 0xffffec)
vm_soft_fault: va 0x0 not covered by area in address space
vm_page_fault: vm_soft_fault returned error 'Bad address' on fault at 0x0, ip 0x80092ae8, write 0, user 0, thread 0x1c9b
debug_server: Thread 7323 entered the debugger: Segment violation
stack trace, current PC 0x27289c  atomic_test_and_set + 0xc (closest symbol):
  (0x7ffe6924)  0x27a406  free__Q28BPrivate11processHeapPv + 0x17a
  (0x7ffe6964)  0x27bb08  free + 0xa0
  (0x7ffe6994)  0x229846  getdocumenttext + 0x1ae
  (0x7ffe69d4)  0x22d0b8  cm_node + 0x1294
  (0x7ffe6e70)  0x225718  init_paragraph + 0x844 (closest symbol)
  (0x7ffe6eb0)  0x225d35  reader_loop + 0x609
  (0x7ffe6ee0)  0x22482a  reverse_list + 0xe5a (closest symbol)
  (0x7ffe6f10)  0x223cef  reverse_list + 0x31f (closest symbol)
  (0x7ffe6f40)  0x222ce2  main + 0xf5e
  (0x7ffe6f80)  0x20c5e5  _start + 0x61
  (0x7ffe6fac)  0x1007ca  (runtime_loader_seg0ro + 0x7ca)

Change History (4)

comment:1 by thorn, 16 years ago

duplicate of #1896

comment:2 by axeld, 16 years ago

It doesn't have to be a duplicate of #1896. Whenever the allocator runs into a debugger call, it's because we run our allocator in debug mode. And that means it will detect *user* errors better.

Can you point out which source file this is and where I can find it? From the source you pasted here, one cannot see where old_locale is initialized or allocated.

comment:3 by thorn, 16 years ago

Full source: texinfo/makeinfo/makeinfo.c

/* Translate MSGID according to the document language
   (--document-language), rather than the environment language (LANG,
   etc.).  This comes from the get_title function in gettext.  (xsetenv
   and unsetenv come from the gnulib xsetenv module.)  */

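char *
getdocumenttext (const char *msgid)
{
  /* The original get_title also saves, sets, and restores
     OUTPUT_CHARSET, so that the translation will be given in
     the proper encoding (via canonical_locale_charset).  But defining
     that function ends up pulling a whole lot of subsidiary functions.
     Not sure how to handle it; skip the whole thing for now.  */
  /* Returns either MSGID itself (when the document locale cannot be
     selected) or the string gettext returned for it; neither is freed
     here and the result is not owned by the caller.  Every environment
     and locale change made in this function is undone before returning.  */
  const char *tmp;
  char *old_LC_ALL;
  char *old_LANGUAGE;
  const char *result;
#ifdef HAVE_SETLOCALE
  const char *current_locale;
  char *old_locale;
#endif

  /* Save LC_ALL, LANGUAGE environment variables.  Private copies are
     taken because the storage getenv returns is not ours and the
     xsetenv calls below may replace it.  */

  tmp = getenv ("LC_ALL");
  old_LC_ALL = (tmp != NULL ? xstrdup (tmp) : NULL);

  tmp = getenv ("LANGUAGE");
  old_LANGUAGE = (tmp != NULL ? xstrdup (tmp) : NULL);

  xsetenv ("LC_ALL", document_language, 1);
  unsetenv ("LANGUAGE");

#ifdef HAVE_SETLOCALE
  /* Copy the current locale name before changing it: the pointer
     setlocale returns may refer to static storage that the next
     setlocale call overwrites.  A NULL answer (a C library that cannot
     report its locale) is kept as NULL rather than handed to xstrdup,
     which would call strlen (NULL); in that case nothing is restored
     below.  */
  current_locale = setlocale (LC_ALL, NULL);
  old_locale = (current_locale != NULL ? xstrdup (current_locale) : NULL);
  if (setlocale (LC_ALL, "") == NULL)
    /* Nonexistent locale.  Use the original.  */
    result = msgid;
  else
#endif
    {
      /* Fetch the translation.  */
      result = gettext (msgid);
    }

  /* Restore LC_ALL, LANGUAGE environment variables.  */

  if (old_LC_ALL != NULL)
    {
      xsetenv ("LC_ALL", old_LC_ALL, 1);
      free (old_LC_ALL);
    }
  else
    unsetenv ("LC_ALL");

  if (old_LANGUAGE != NULL)
    {
      xsetenv ("LANGUAGE", old_LANGUAGE, 1);
      free (old_LANGUAGE);
    }
  else
    unsetenv ("LANGUAGE");

#ifdef HAVE_SETLOCALE
  /* Only restore when we actually captured a locale name; calling
     setlocale with NULL would be a query, not a restore.  */
  if (old_locale != NULL)
    {
      setlocale (LC_ALL, old_locale);
      free (old_locale);
    }
#endif

  return result;
}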

and

/* Clone an object P of size S, with error checking.  There's no need
   for xnmemdup (P, N, S), since xmemdup (P, N * S) works without any
   need for an arithmetic overflow check.  */

void *
xmemdup (void const *p, size_t s)
{
  /* Allocate S bytes via xmalloc (which handles allocation failure
     for us) and fill them from P.  The caller owns the returned
     block and frees it with free.  */
  void *copy = xmalloc (s);
  memcpy (copy, p, s);
  return copy;
}

/* Clone STRING.  */

char *
xstrdup (char const *string)
{
  /* Copy STRING including its terminating NUL.  STRING must not be
     NULL: strlen is applied to it unconditionally.  The caller owns
     the returned copy.  */
  size_t size = strlen (string) + 1;
  return xmemdup (string, size);
}

comment:4 by axeld, 14 years ago

Resolution: invalid
Status: new → closed
Version: R1/pre-alpha1 → R1/Development

Probably an application bug, too.
