
crash on /quit #199

Closed
holomorph opened this Issue Sep 19, 2014 · 5 comments


holomorph commented Sep 19, 2014

Observed on 1.0+67 6a118ce

This occurred when I invoked /quit. I noticed a password (that I doctored) in #4.

GNU gdb (GDB) 7.8
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-unknown-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/bin/weechat...done.
[New LWP 1353]

warning: Could not load shared library symbols for linux-vdso.so.1.
Do you need "set solib-search-path" or "set sysroot"?
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".
Core was generated by `weechat -d /home/holomorph/.config/weechat -a'.
Program terminated with signal SIGABRT, Aborted.
#0  0x00007f8fa0259967 in raise () from /usr/lib/libc.so.6
(gdb) bt full
#0  0x00007f8fa0259967 in raise () from /usr/lib/libc.so.6
No symbol table info available.
#1  0x00007f8fa025ad3a in abort () from /usr/lib/libc.so.6
No symbol table info available.
#2  0x000000000041fbe2 in weechat_shutdown (return_code=1, crash=1) at /tmp/makepkg/weechat-git/src/weechat/src/core/weechat.c:489
No locals.
#3  <signal handler called>
No symbol table info available.
#4  0x0000000000467b1d in gui_bar_item_default_hotlist (data=<optimized out>, item=<optimized out>, window=<optimized out>, buffer=<optimized out>, extra_info=<optimized out>)
    at /tmp/makepkg/weechat-git/src/weechat/src/gui/gui-bar-item.c:1316
        str_hotlist = "H: \031F141\031bD(\031F003\031bD)\000\000\000\000\004\000\000\000\000\000\000\000\000\000\000\001\000\000\000n\"*\240\217\177\000\000\001\200\255\373\000\000\000\000#\000\000\000\000\000\000\000\300\254H\001\000\000\000\000\312y*\240\217\177\000\000`\340\065\001\000\000\000\000\300\254H\001\000\000\000\000Pi\211\001\000\000\000\000\001\000\000\000\000\000\000\000`\340\065\001\000\000\000\000\000\004\000\000\000\000\000\000\000\004\000\000\000\000\000\000\222\361D\000\000\000\000\000(\000\000\000\060\000\000\000P\307\306\333\377\177\000\000p\306\306\333\377\177\000\000\000\344\210\330\a\211nj", '\000' <repeats 16 times>, "\030\351l\000\000\000\000\000б"...
        format = "Pi\211\001\000\000\000\000\n\000\000\000\000\000\000\000= \"SekretPassw"
        buffer_without_name_displayed = 0x136f970 "\001\304\066\001"
        hotlist_suffix = <optimized out>
        ptr_hotlist = 0x195a5a0
        numbers_count = 1
        names_count = 0
        display_name = 0
        count_max = <optimized out>
        priority = <optimized out>
        priority_min = <optimized out>
        priority_min_displayed = <optimized out>
        private = <optimized out>
#5  0x000000000046911c in gui_bar_item_get_value (bar=0xe761b0, window=0x13cf420, item=21, subitem=-607730214)
    at /tmp/makepkg/weechat-git/src/weechat/src/gui/gui-bar-item.c:392
        item_value = 0x13cf420 "\001"
        delimiter_color = "\000F13\000\000\000\000\322Z'\240\217\177\000\000\000\n=\001\000\000\000\000\060\000\000\000\060\000\000"
        bar_color = "\006\000\000\000\000\000\000\000\360\203/\001\000\000\000\000\360\000\000\000\000\000\000\000\300<\\\240\217\177\000"
        str_attr = "\001\000\000\000\000\000\000"
        length = 20760448
        buffer = 0x13cc780
        ptr_item = 0x18aa520
#6  0x000000000046aff7 in gui_bar_window_content_build_item (bar_window=0x7fffdbc6c5d1, bar_window@entry=0x13d0a00, window=0x6cf680 <color+128>, window@entry=0x13cf420,
    index_item=21, index_item@entry=4, index_subitem=-607730214, index_subitem@entry=0) at /tmp/makepkg/weechat-git/src/weechat/src/gui/gui-bar-window.c:588
No locals.
#7  0x000000000046b101 in gui_bar_window_content_get (bar_window=bar_window@entry=0x13d0a00, window=window@entry=0x13cf420, index_item=index_item@entry=4,
    index_subitem=index_subitem@entry=0) at /tmp/makepkg/weechat-git/src/weechat/src/gui/gui-bar-window.c:632
No locals.
#8  0x000000000046b9fd in gui_bar_window_content_get_with_filling (bar_window=bar_window@entry=0x13d0a00, window=window@entry=0x13cf420)
    at /tmp/makepkg/weechat-git/src/weechat/src/gui/gui-bar-window.c:703
        filling = GUI_BAR_FILLING_HORIZONTAL
        ptr_content = <optimized out>
        content = 0x12f8400 "\034\031bi\031F0022:23\034 \031bi\031F13[\031F00core\031F13]\034 \031bi\031F081\034\031bi\031F13:\031F00\034\031bi\031F16weechat\031bi\031bi\031bi\034\031bi\031F05*\031bi"
        content2 = <optimized out>
        str_reinit_color = "\034", '\000' <repeats 15 times>, "\060\304\373\240\217\177\000\000\177\234נ\217\177\000"
        str_reinit_color_space = "\034 \000\333\377\177\000\000\340\330\306\333\063\000\000\000W\000\000\000\000\000\000\000\220\264\227\001\000\000\000"
---Type <return> to continue, or q <return> to quit---
        str_reinit_color_space_start_line = "\034 \031bl\000\000\000\062\000\000\000\062\000\000\000W\000\000\000\000\000\000\000\060\244\347\000\000\000\000"
        str_start_item = "\031bi\000\000\000\000\000\000\344\210\330\a\211nj\000\000\000\000\000\000\000\000\016\000\000\000\000\000\000"
        item_value = <optimized out>
        item_value2 = <optimized out>
        split_items = <optimized out>
        linear_items = <optimized out>
        index_content = <optimized out>
        content_length = 100
        i = 4
        j = <optimized out>
        k = <optimized out>
        sub = 0
        index = <optimized out>
        at_least_one_item = 1
        first_sub_item = 1
        length_reinit_color_space = 2
        length_start_item = 3
        length = <optimized out>
        max_length = <optimized out>
        max_length_screen = <optimized out>
        total_items = <optimized out>
        columns = <optimized out>
        lines = <optimized out>
#9  0x000000000045ec38 in gui_bar_window_draw (bar_window=bar_window@entry=0x13d0a00, window=window@entry=0x13cf420)
    at /tmp/makepkg/weechat-git/src/weechat/src/gui/curses/gui-curses-bar-window.c:460
        x = 0
        y = 0
        items_count = 1
        num_lines = <optimized out>
        line = <optimized out>
        filling = GUI_BAR_FILLING_HORIZONTAL
        content = <optimized out>
        items = <optimized out>
        str_start_input = "\031b_", '\000' <repeats 12 times>
        str_start_input_hidden = "\031b-", '\000' <repeats 12 times>
        str_cursor = "\031b#", '\000' <repeats 12 times>
        pos_start_input = <optimized out>
        pos_after_start_input = <optimized out>
        pos_cursor = <optimized out>
        buf = <optimized out>
        new_start_input = <optimized out>
        ptr_string = <optimized out>
        length_start_input = 3
        length_start_input_hidden = 3
        length_on_screen = <optimized out>
        chars_available = <optimized out>
        index = <optimized out>
        size = <optimized out>
        length_screen_before_cursor = <optimized out>
        length_screen_after_cursor = <optimized out>
---Type <return> to continue, or q <return> to quit---
        diff = <optimized out>
        max_length = <optimized out>
        optimal_number_of_lines = <optimized out>
        some_data_not_displayed = <optimized out>
        index_item = -1
        index_subitem = -1
        index_line = 0
#10 0x0000000000464553 in gui_bar_draw (bar=bar@entry=0xe761b0) at /tmp/makepkg/weechat-git/src/weechat/src/gui/gui-bar.c:653
        ptr_win = 0x13cf420
        ptr_bar_win = 0x13d0a00
#11 0x000000000045992e in gui_main_refreshs () at /tmp/makepkg/weechat-git/src/weechat/src/gui/curses/gui-curses-main.c:316
        ptr_win = <optimized out>
        ptr_buffer = <optimized out>
        ptr_bar = 0xe761b0
#12 0x0000000000459da7 in gui_main_end (clean_exit=<optimized out>) at /tmp/makepkg/weechat-git/src/weechat/src/gui/curses/gui-curses-main.c:450
No locals.
#13 0x00000000004203e6 in weechat_end (gui_end_cb=0x459ca0 <gui_main_end>) at /tmp/makepkg/weechat-git/src/weechat/src/core/weechat.c:583
No locals.
#14 0x000000000041f61f in main (argc=<optimized out>, argv=<optimized out>) at /tmp/makepkg/weechat-git/src/weechat/src/gui/curses/main.c:42
No locals.
(gdb)

@flashcode flashcode added the bug label Sep 19, 2014

flashcode commented Sep 20, 2014

After analyzing some variables on frame 4, I see there's an overflow in a buffer, but it is caused by corrupted memory (a bad buffer pointer).
Such corrupted memory can have different origins, and it's not possible, with just this trace, to know what happened before (it could be caused, for example, by scripts).

If you have a way to reproduce the crash, or other tips, please let me know.

holomorph commented Sep 20, 2014

In an attempt to isolate the script (not sure if this was a useful exercise), the crash occurred with only buffers.pl and again with only colorize_nicks.py. I haven't yet been able to reproduce the crash without loading scripts.

Edit: All the traces looked very similar except one where maybe the only difference was weechat managing to call debug_sigsev() which I suppose is weechat's dump log thing

holomorph commented Sep 20, 2014

Crash reproduced with no plugins. All I did was have weechat running connected to freenode and a bunch of channels. I didn't run with -s, but I simply didn't have any scripts installed (or script config present). /quit → crash. I have a coredump. Rather similar backtrace.

Edit: crash obtained with 03c0067 and -s switch.

flashcode commented Sep 21, 2014

Then, if you have a crash without scripts, it would be interesting to run weechat with electric fence (a program that checks for errors and crashes immediately when a problem is detected, such as a buffer overflow or use of an invalid memory area).
Running with electric fence is extremely slow, so I recommend loading only the irc plugin to test (no script plugins at all).
You must install electric fence and run this command (adapt the path to the electric fence lib if needed):

EF_ALLOW_MALLOC_0=1 LD_PRELOAD=/usr/lib/libefence.so weechat -p

This runs WeeChat without any plugin loaded. Then in WeeChat:

/plugin load irc
/connect freenode
(wait or do other things...)
/quit

The result should be a crash, but with a different trace: I hope it will crash earlier in code, where the real problem is.

Another question: what is your OS and its version?

holomorph commented Sep 21, 2014

what is your OS

Arch Linux

I compiled with -fsanitize=address and reproduced. Thanks to @vodik and
@Boohbah on freenode for guidance. Got the following:

holomorp1(ZiR) /quit
=================================================================
==8357==ERROR: AddressSanitizer: heap-use-after-free on address 0x61600002ac90 at pc 0x5077fd bp 0x7fff938822a0 sp 0x7fff93882290
READ of size 4 at 0x61600002ac90 thread T0
#0 0x5077fc in gui_hotlist_remove_buffer /tmp/makepkg/weechat-git/src/weechat/src/gui/gui-hotlist.c:515
#1 0x4ecd37 in gui_buffer_close /tmp/makepkg/weechat-git/src/weechat/src/gui/gui-buffer.c:2604
#2 0x7f503d86d6ec in irc_buffer_close_cb /tmp/makepkg/weechat-git/src/weechat/src/plugins/irc/irc-buffer.c:149
#3 0x4eca93 in gui_buffer_close /tmp/makepkg/weechat-git/src/weechat/src/gui/gui-buffer.c:2528
#4 0x7f503d91b43a in irc_server_free /tmp/makepkg/weechat-git/src/weechat/src/plugins/irc/irc-server.c:1506
#5 0x7f503d91b4d4 in irc_server_free_all /tmp/makepkg/weechat-git/src/weechat/src/plugins/irc/irc-server.c:1537
#6 0x7f503d8691d9 in weechat_plugin_end /tmp/makepkg/weechat-git/src/weechat/src/plugins/irc/irc.c:277
#7 0x5328a5 in plugin_unload /tmp/makepkg/weechat-git/src/weechat/src/plugins/plugin.c:1043
#8 0x532a38 in plugin_unload_all /tmp/makepkg/weechat-git/src/weechat/src/plugins/plugin.c:1094
#9 0x533081 in plugin_end /tmp/makepkg/weechat-git/src/weechat/src/plugins/plugin.c:1217
#10 0x422091 in weechat_end /tmp/makepkg/weechat-git/src/weechat/src/core/weechat.c:577
#11 0x42026e in main /tmp/makepkg/weechat-git/src/weechat/src/gui/curses/main.c:42
#12 0x7f5042dea03f in __libc_start_main (/usr/lib/libc.so.6+0x2003f)
#13 0x420986 (/usr/bin/weechat+0x420986)

ASAN:SIGSEGV
==8357==AddressSanitizer: while reporting a bug found another one.Ignoring.
exit 1

That bit of code in gui-hotlist.c is from 5d0a74a. My config uses the default, merged.

Recipe? I use bitlbee as an example, but it shouldn't matter.

  1. weechat -a
  2. /connect bitlbee. Buffers are now 1.bitlbee weechat 2.&bitlbee with
    buffer 2 focused
  3. C-n M-x C-x. Now buffer 1 is focused with only weechat core output shown
  4. /quit. Crash

This seems to work just the same:

  1. weechat -a -s -p
  2. /plugin load irc. All my servers autoconnect and stuff, but like I said
    above, I don't think it matters
  3. C-n M-x C-x. Now buffer 1 is focused with only weechat core output shown
  4. /quit. Crash

No crash when the setting is toggled to buffer
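The ASan report above flags a 4-byte read from a hotlist node after that node had already been freed during buffer close. The following is an added illustration, not WeeChat's code and not the actual fix referenced in this issue: a constructed doubly linked "hotlist" whose removal loop has the generic shape of that defect (the loop increment dereferences the node it just freed), placed next to the traversal that reads the successor pointer while the node is still live. All struct and function names here are assumptions made for the example. Build it with `gcc -g -fsanitize=address` and run it with `--uaf` to see the sanitizer report; without the flag it runs the fixed variant.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed doubly linked "hotlist" for this example; it is NOT WeeChat's
 * struct t_gui_hotlist, just a stand-in shaped like a typical list node. */
struct hotlist {
    int buffer_number;          /* buffer this entry refers to */
    int priority;               /* constructed field, not used by the logic */
    struct hotlist *prev;
    struct hotlist *next;
};

static struct hotlist *hotlist_head = NULL;
static struct hotlist *hotlist_tail = NULL;

/* Append an entry at the tail; returns the new node or NULL on allocation failure. */
static struct hotlist *hotlist_add(int buffer_number, int priority)
{
    struct hotlist *entry = calloc(1, sizeof(*entry));
    if (!entry)
        return NULL;
    entry->buffer_number = buffer_number;
    entry->priority = priority;
    entry->prev = hotlist_tail;
    if (hotlist_tail)
        hotlist_tail->next = entry;
    else
        hotlist_head = entry;
    hotlist_tail = entry;
    return entry;
}

/* Unlink and free one entry. After this call the memory behind `entry` is gone. */
static void hotlist_free(struct hotlist *entry)
{
    if (entry->prev)
        entry->prev->next = entry->next;
    else
        hotlist_head = entry->next;
    if (entry->next)
        entry->next->prev = entry->prev;
    else
        hotlist_tail = entry->prev;
    free(entry);
}

/* VULNERABLE pattern (hypothetical, not WeeChat's code): the for-loop's
 * increment reads ptr->next AFTER hotlist_free(ptr) released the node.
 * Built with -fsanitize=address this is reported as heap-use-after-free,
 * the same defect class the ASan trace in this issue shows. */
static void hotlist_remove_buffer_uaf(int buffer_number)
{
    struct hotlist *ptr;
    for (ptr = hotlist_head; ptr; ptr = ptr->next) {  /* ptr->next: dangling read */
        if (ptr->buffer_number == buffer_number)
            hotlist_free(ptr);
    }
}

/* FIXED pattern: capture the successor before the node may be freed. */
static void hotlist_remove_buffer(int buffer_number)
{
    struct hotlist *ptr = hotlist_head;
    while (ptr) {
        struct hotlist *next = ptr->next;  /* read while ptr is still live */
        if (ptr->buffer_number == buffer_number)
            hotlist_free(ptr);
        ptr = next;
    }
}

/* Number of entries currently in the list. */
static int hotlist_count(void)
{
    int n = 0;
    for (struct hotlist *p = hotlist_head; p; p = p->next)
        n++;
    return n;
}

/* Free every entry, using the safe traversal. */
static void hotlist_clear(void)
{
    struct hotlist *p = hotlist_head;
    while (p) {
        struct hotlist *next = p->next;
        free(p);
        p = next;
    }
    hotlist_head = hotlist_tail = NULL;
}

/* Constructed sample: buffers 1, 2, 2, 3 (buffer 2 listed twice, as a merged
 * buffer might be), then "close" buffer 2. */
int main(int argc, char **argv)
{
    hotlist_add(1, 0);
    hotlist_add(2, 1);
    hotlist_add(2, 2);
    hotlist_add(3, 0);
    if (argc > 1 && strcmp(argv[1], "--uaf") == 0)
        hotlist_remove_buffer_uaf(2);   /* ASan stops here with heap-use-after-free */
    else
        hotlist_remove_buffer(2);
    printf("entries left: %d\n", hotlist_count());  /* 2 with the fixed traversal */
    hotlist_clear();
    return 0;
}
```

The vulnerable loop usually appears to work without a sanitizer, because the allocator tends to leave the `next` field of a just-freed node intact for a while; that is exactly why the crash in this issue only surfaced later, in unrelated bar-drawing code, until the build with `-fsanitize=address` pinpointed the first bad read.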

@holomorph holomorph referenced this issue Sep 21, 2014

Closed

wee-hashtable #211

@flashcode flashcode closed this in c1aa51f Sep 24, 2014

flashcode added a commit that referenced this issue Sep 24, 2014

core: fix crash on buffer close when option weechat.look.hotlist_remove is set to "merged" (closes #199)

(cherry picked from commit c1aa51f)

@flashcode flashcode removed the waiting info label Oct 5, 2014

@flashcode flashcode added this to the 1.0.1 milestone Nov 16, 2014

@flashcode flashcode self-assigned this Nov 16, 2014
