double free bug in the aspell hash tables #444

Open

aspell-helper opened this issue Jul 30, 2008 · 6 comments

aspell-helper commented Jul 30, 2008

Giorgos Keramidas <gkeramidas@sf> created a bug report on 2008-07-30 00:37:53 UTC
(Orig. from https://sourceforge.net/p/aspell/bugs/225)

When spell-checking 'HTH' aspell core dumps in FreeBSD 8.0 with
debugging malloc() options. From a gdb run, it seems that this is a
double-free bug. The memory that aspell is attempting to free when it
aborts is filled with 0x5a and the malloc() manpage of BSD says about
the 'J' debugging flag of malloc():

J Each byte of new memory allocated by malloc(), realloc() or
reallocf() will be initialized to 0xa5. All memory returned by
free(), realloc() or reallocf() will be initialized to 0x5a.
This is intended for debugging and will impact performance negatively.

Here is a terminal script with what I could find so far:

Script started on Wed Jul 30 03:22:04 2008
keramida@kobe:/home/keramida$ echo HTH | aspell -a
@(#) International Ispell Version 3.1.20 (but really Aspell 0.60.6)
Segmentation fault: 11 (core dumped)
keramida@kobe:/home/keramida$ gdb /usr/local/bin/aspell aspell.core
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-marcel-freebsd"...No symbol table is loaded.  Use the "file" command.

Core was generated by `aspell'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /usr/local/lib/libaspell.so.16...done.
Loaded symbols for /usr/local/lib/libaspell.so.16
Reading symbols from /lib/libncursesw.so.7...done.
Loaded symbols for /lib/libncursesw.so.7
Reading symbols from /usr/local/lib/libintl.so.8...done.
Loaded symbols for /usr/local/lib/libintl.so.8
Reading symbols from /usr/local/lib/libiconv.so.3...done.
Loaded symbols for /usr/local/lib/libiconv.so.3
Reading symbols from /usr/lib/libstdc++.so.6...done.
Loaded symbols for /usr/lib/libstdc++.so.6
Reading symbols from /lib/libm.so.5...done.
Loaded symbols for /lib/libm.so.5
Reading symbols from /lib/libgcc_s.so.1...done.
Loaded symbols for /lib/libgcc_s.so.1
Reading symbols from /lib/libc.so.7...done.
Loaded symbols for /lib/libc.so.7
Reading symbols from /libexec/ld-elf.so.1...done.
Loaded symbols for /libexec/ld-elf.so.1
#0  memset () at /home/build/src/lib/libc/i386/string/memset.S:78
78              rep
(gdb) bt
#0  memset () at /home/build/src/lib/libc/i386/string/memset.S:78
#1  0x0812d000 in ?? ()
#2  0x28438e27 in idalloc (ptr=0x812da60) at /home/build/src/lib/libc/stdlib/malloc.c:3219
#3  0x284390a7 in free (ptr=0x812da60) at /home/build/src/lib/libc/stdlib/malloc.c:4662
#4  0x28107c1e in acommon::HashTable<acommon::HashSetParms<acommon::String, acommon::HashString<acommon::String>, std::equal_to<acommon::String>, false> >::del () from /usr/local/lib/libaspell.so.16
#5  0x28100f38 in (anonymous namespace)::Working::transfer () from /usr/local/lib/libaspell.so.16
#6  0x28104685 in (anonymous namespace)::Working::get_suggestions () from /usr/local/lib/libaspell.so.16
#7  0x2810515c in (anonymous namespace)::SuggestImpl::suggest () from /usr/local/lib/libaspell.so.16
#8  0x28116974 in aspeller::SpellerImpl::suggest () from /usr/local/lib/libaspell.so.16
#9  0x28149be0 in aspell_speller_suggest () from /usr/local/lib/libaspell.so.16
#10 0x0805dc32 in pipe ()
#11 0x0806174a in main ()
Current language auto; currently asm
(gdb) x/100b 0x812da60
0x812da60:      0x5a    0x5a    0x5a    0x5a    0x5a    0x5a    0x5a    0x5a
0x812da68:      0x5a    0x5a    0x5a    0x5a    0x5a    0x5a    0x5a    0x5a
0x812da70:      0x5a    0x5a    0x5a    0x5a    0x5a    0x5a    0x5a    0x5a
0x812da78:      0x5a    0x5a    0x5a    0x5a    0x5a    0x5a    0x5a    0x5a
0x812da80:      0x5a    0x5a    0x5a    0x5a    0x5a    0x5a    0x5a    0x5a
0x812da88:      0x5a    0x5a    0x5a    0x5a    0x5a    0x5a    0x5a    0x5a
0x812da90:      0x5a    0x5a    0x5a    0x5a    0x5a    0x5a    0x5a    0x5a
0x812da98:      0x5a    0x5a    0x5a    0x5a    0x5a    0x5a    0x5a    0x5a
0x812daa0:      0x5a    0x5a    0x5a    0x5a    0x5a    0x5a    0x5a    0x5a
0x812daa8:      0x5a    0x5a    0x5a    0x5a    0x5a    0x5a    0x5a    0x5a
0x812dab0:      0x5a    0x5a    0x5a    0x5a    0x5a    0x5a    0x5a    0x5a
0x812dab8:      0x5a    0x5a    0x5a    0x5a    0x5a    0x5a    0x5a    0x5a
0x812dac0:      0x5a    0x5a    0x5a    0x5a
(gdb) quit
keramida@kobe:/home/keramida$ exit
exit

Script done on Wed Jul 30 03:22:32 2008
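The 0x5a bytes the reporter dumps with `x/100b` are FreeBSD malloc's poison-on-free pattern from the "J" option quoted above, and frame #0 of the trace (a memset reached from idalloc/free) is consistent with free() applying that fill. The following is an added illustration, not aspell's HashTable or libc malloc code and not a claim about where aspell's bug lies: a hypothetical quarantining debug allocator (dbg_malloc/dbg_free) that applies the same 0xa5/0x5a poisoning, plus a small chained hash set built on it, so that releasing a node a second time through a stale pointer is reported instead of corrupting the heap. All names and the "HTH"/"hath" keys are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Poison patterns taken from the FreeBSD malloc(3) "J" option quoted above. */
#define ALLOC_FILL 0xa5u   /* freshly allocated bytes */
#define FREE_FILL  0x5au   /* bytes handed back to free() */
#define HDR_MAGIC  0x4d454d21u

/* Header placed in front of every payload (hypothetical debug allocator). */
struct dbg_hdr {
    uint32_t magic;
    uint32_t freed;        /* set to 1 by the first dbg_free() */
    size_t   size;         /* payload size in bytes */
    struct dbg_hdr *next;  /* quarantine link, used once freed */
};

static struct dbg_hdr *quarantine;  /* freed blocks are parked here, never reused */

static void *dbg_malloc(size_t n)
{
    struct dbg_hdr *h = malloc(sizeof *h + n);
    if (h == NULL)
        return NULL;
    h->magic = HDR_MAGIC; h->freed = 0; h->size = n; h->next = NULL;
    memset(h + 1, ALLOC_FILL, n);
    return h + 1;
}

/* Returns 0 when a block is released for the first time, -1 on a double free.
 * Freed blocks stay quarantined, so inspecting them here is well defined. */
static int dbg_free(void *p)
{
    if (p == NULL)
        return 0;
    struct dbg_hdr *h = (struct dbg_hdr *)p - 1;
    if (h->magic != HDR_MAGIC)
        abort();                                   /* not from dbg_malloc() */
    if (h->freed) {
        /* Count how much of the payload still carries the 0x5a poison: this is
         * the signature the reporter saw with "x/100b" on the freed pointer. */
        const unsigned char *b = p;
        size_t poisoned = 0;
        for (size_t i = 0; i < h->size; i++)
            poisoned += (b[i] == FREE_FILL);
        fprintf(stderr, "double free of %p: %zu of %zu bytes are 0x5a\n",
                p, poisoned, h->size);
        return -1;
    }
    h->freed = 1;
    memset(p, FREE_FILL, h->size);
    h->next = quarantine;
    quarantine = h;
    return 0;
}

/* A minimal chained hash set of strings built on the debug allocator. */
#define NBUCKETS 16
struct node { struct node *next; char key[]; };
struct hashset { struct node *bucket[NBUCKETS]; };

static unsigned bucket_of(const char *s)
{
    unsigned h = 5381;
    while (*s)
        h = h * 33 + (unsigned char)*s++;
    return h % NBUCKETS;
}

static struct node *hs_add(struct hashset *hs, const char *key)
{
    size_t len = strlen(key) + 1;
    struct node *n = dbg_malloc(sizeof *n + len);
    if (n == NULL)
        return NULL;
    memcpy(n->key, key, len);
    unsigned i = bucket_of(key);
    n->next = hs->bucket[i];
    hs->bucket[i] = n;
    return n;
}

/* Unlinks and frees the node holding key; returns -1 if key is absent. */
static int hs_del(struct hashset *hs, const char *key)
{
    for (struct node **pp = &hs->bucket[bucket_of(key)]; *pp; pp = &(*pp)->next) {
        if (strcmp((*pp)->key, key) == 0) {
            struct node *n = *pp;
            *pp = n->next;
            return dbg_free(n);
        }
    }
    return -1;
}

/* Scenario: a caller keeps a node pointer across hs_del() and releases it again.
 * Returns 1 when the first release succeeds and the second one is reported. */
static int demo_stale_pointer(void)
{
    struct hashset hs = { { NULL } };
    struct node *stale = hs_add(&hs, "HTH");   /* constructed sample keys */
    hs_add(&hs, "hath");
    int first  = hs_del(&hs, "HTH");   /* correct: unlink and free */
    int second = dbg_free(stale);      /* bug: same block released twice */
    hs_del(&hs, "hath");
    return first == 0 && second == -1;
}

int main(void)
{
    printf("double free %s\n", demo_stale_pointer() ? "caught" : "missed");
    return 0;
}
```

The quarantine is what makes the second-free check safe to perform: a production allocator that recycles freed chunks would instead hand the already-poisoned block back to its own free path, which is the kind of situation in which a debugging memset on a stale pointer ends in a segmentation fault. Build with `cc -std=c99 -g -O0` so the backtrace carries line numbers, which is also what the maintainer asks for below.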

Kevin Atkinson <kevina@sf> commented on 2008-07-30 03:36:50 UTC


I cannot seem to reproduce the bug.

It will be a big help if you could reproduce the bug with optimization turned off and debugging on i.e. CXXFLAGS="-g". Failing that enabling debugging with optimization may help.


Giorgos Keramidas <gkeramidas@sf> commented on 2008-07-30 03:44:45 UTC


The original gdbtrace was grabbed from a debugging aspell binary.

$ file /usr/local/bin/aspell
/usr/local/bin/aspell: ELF 32-bit LSB executable, Intel 80386,
version 1 (FreeBSD), for FreeBSD 8.0 (800040),
dynamically linked (uses shared libs), FreeBSD-style, not stripped

I'll rebuild without any optimizations, just to make sure I'm not
getting the wrong stacktrace. Thanks for the superfast followup :)


Kevin Atkinson <kevina@sf> commented on 2008-07-30 03:50:38 UTC


The stack trace you gave me does not have line numbers, thus I don't think the binary was built with debugging turned on.

Also can you do a "locale" and let me see the output.


Kevin Atkinson <kevina@sf> commented on 2010-03-04 01:28:06 UTC

What version of Aspell is this? Use "aspell -v" to find out.


Kevin Atkinson <kevina@sf> updated the issue on 2010-03-04 01:28:06 UTC

  • milestone: --> other

kevina commented Sep 23, 2019

I still can't reproduce this, but valgrind did find a bug that was fixed in 3e20784. It is not a double-free bug, so I am not sure if it is related.

@kevina kevina removed this from the 0.60.8 milestone Sep 23, 2019