On Sun, 2008-03-30 at 09:39 -0700, Daniel Burrows wrote:
> On Sun, Mar 30, 2008 at 01:46:47PM +0200, Bram Senders <[EMAIL PROTECTED]>
> was heard to say:
> > ==5065== Invalid read of size 1
> 
> > ==5065==    at 0xFFBBC7C: strlen (mc_replace_strmem.c:242)
> > ==5065==    by 0xF6593D4: __dcigettext (dcigettext.c:456)
> > ==5065==    by 0xF658290: dcgettext (dcgettext.c:53)
> > ==5065==    by 0x100F9F4C: add_menu(cwidget::widgets::menu_info*, 
> > std::string const&, cwidget::util::ref_ptr<cwidget::widgets::label> const&) 
> > (ui.cc:2385)
> 
>   (...)
> 
>   So, all this stuff in the menu code is due to a bug in ui.cc: it
> stores a reference to a temporary string and then reads from it.  The
> attached patch fixes this, but I doubt it's the problem you're seeing:
> reading from bad memory shouldn't cause corruption later on.
> 
> > ==5065== Invalid read of size 4
> > ==5065==    at 0xFDCA7EC: cwidget::widgets::widget::widget() 
> > (limit_reference.h:81)
> 
>   And we crash.  The code at this point is just connecting some signals
> to "this" as far as I can tell, and in fact the line of code that's
> referenced above is just initializing a reference without even casting
> it!  That shouldn't crash unless "this" somehow became NULL, but the
> address valgrind reports isn't NULL.
> 
>   Can you compile the program with
> 
> CXXFLAGS="-g -O0 -fno-inline" ./configure && make

Ah, the segmentation fault now does not happen anymore, and I can access
the preferences, nice!  I do get a message from aptitude at the
beginning stating

E: Opening configuration file /usr/local/share/aptitude/aptitude-defaults - ifstream::ifstream (2 No such file or directory)
E: Opening configuration file /usr/local/share/aptitude/section-descriptions - ifstream::ifstream (2 No such file or directory)

but I suspect that is harmless, right?

To be sure that the patch is what fixes it, I de-applied it and ran make
again... but now aptitude still doesn't segfault!  Hmm.  It doesn't
segfault anymore either with or without the patch.  Maybe it's the build
options?  I try a straight debuild -- without your patch, and without
any CXXFLAGS, and install that package, run it... no segfault on
preferences!  Install the exact same version (0.4.11-3) from the Debian
archive... and it segfaults on preferences!  Now I am very confused.

Anyways, the two binaries (one built myself with debuild, and the other
from the archive) differ a bit in size anyways:

-rwxr-xr-x 1 bram bram  2287728 2008-03-31 11:48 aptitude-debuild-nopatch
-rwxr-xr-x 1 bram bram  2807768 2008-03-31 11:48 aptitude-debian-archive

and a binary diff reveals that they are very different (that may not
mean much, I don't know, I don't have experience with these things).
aptitude-debuild-nopatch doesn't segfault on preferences,
aptitude-debian-archive does.

>   and valgrind the result?

I have attached two valgrindings from the aptitude I built myself, the
first one (aptitude-built-myself-with-patch.grind) with your patch
applied and built with

CXXFLAGS="-g -O0 -fno-inline" ./configure && make

and the second one (aptitude-debuild-nopatch.grind) with the straight
debuild from source.  Again, for the record, neither segfaults on
preferences.

Is there any way in which I can debug / find out why debuilding myself
doesn't segfault, but the package from the Debian archive does?

Cheers,
Bram
==11016== Memcheck, a memory error detector.
==11016== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==11016== Using LibVEX rev 1804, a library for dynamic binary translation.
==11016== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==11016== Using valgrind-3.3.0-Debian, a dynamic binary instrumentation 
framework.
==11016== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==11016== For more details, rerun with: -v
==11016== 
==11016== My PID = 11016, parent PID = 4345.  Prog and args are:
==11016==    ./aptitude-built-myself-with-patch
==11016== 
==11016== Conditional jump or move depends on uninitialised value(s)
==11016==    at 0x400261C: _dl_start (in /lib/ld-2.7.so)
==11016==    by 0x4016BE4: _start (in /lib/ld-2.7.so)
==11016== 
==11016== Conditional jump or move depends on uninitialised value(s)
==11016==    at 0x4002654: _dl_start (in /lib/ld-2.7.so)
==11016==    by 0x4016BE4: _start (in /lib/ld-2.7.so)
==11016== 
==11016== ERROR SUMMARY: 4 errors from 2 contexts (suppressed: 1 from 1)
==11016== malloc/free: in use at exit: 36,191,079 bytes in 183,114 blocks.
==11016== malloc/free: 1,932,467 allocs, 1,749,353 frees, 87,456,204 bytes 
allocated.
==11016== For counts of detected errors, rerun with: -v
==11016== searching for pointers to 183,114 not-freed blocks.
==11016== checked 43,651,904 bytes.
==11016== 
==11016== LEAK SUMMARY:
==11016==    definitely lost: 5,987 bytes in 253 blocks.
==11016==      possibly lost: 6,744,305 bytes in 91,226 blocks.
==11016==    still reachable: 29,440,787 bytes in 91,635 blocks.
==11016==         suppressed: 0 bytes in 0 blocks.
==11016== Rerun with --leak-check=full to see details of leaked memory.
==10986== Memcheck, a memory error detector.
==10986== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==10986== Using LibVEX rev 1804, a library for dynamic binary translation.
==10986== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==10986== Using valgrind-3.3.0-Debian, a dynamic binary instrumentation 
framework.
==10986== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==10986== For more details, rerun with: -v
==10986== 
==10986== My PID = 10986, parent PID = 4345.  Prog and args are:
==10986==    ./aptitude-debuild-nopatch
==10986== 
==10986== Conditional jump or move depends on uninitialised value(s)
==10986==    at 0x400261C: _dl_start (in /lib/ld-2.7.so)
==10986==    by 0x4016BE4: _start (in /lib/ld-2.7.so)
==10986== 
==10986== Conditional jump or move depends on uninitialised value(s)
==10986==    at 0x4002654: _dl_start (in /lib/ld-2.7.so)
==10986==    by 0x4016BE4: _start (in /lib/ld-2.7.so)
==10986== 
==10986== Invalid read of size 1
==10986==    at 0xFFBBC7C: strlen (mc_replace_strmem.c:242)
==10986==    by 0xF6593D4: __dcigettext (dcigettext.c:456)
==10986==    by 0xF658290: dcgettext (dcgettext.c:53)
==10986==    by 0x100BE9BC: (within /home/bram/aptitude-debuild-nopatch)
==10986==    by 0x100C9F8C: (within /home/bram/aptitude-debuild-nopatch)
==10986==    by 0x10016B3C: (within /home/bram/aptitude-debuild-nopatch)
==10986==    by 0xF64771C: (below main) (libc-start.c:222)
==10986==  Address 0x4037d5c is 12 bytes inside a block of size 72 free'd
==10986==    at 0xFFB99BC: operator delete(void*) (vg_replace_malloc.c:342)
==10986==    by 0xF961C80: std::string::_Rep::_M_destroy(std::allocator<char> 
const&) (in /usr/lib/libstdc++.so.6.0.10)
==10986==    by 0xF9641F0: std::string::~string() (in 
/usr/lib/libstdc++.so.6.0.10)
==10986==    by 0x100BD16C: (within /home/bram/aptitude-debuild-nopatch)
==10986==    by 0x101B8144: (within /home/bram/aptitude-debuild-nopatch)
==10986==    by 0x10015204: (within /home/bram/aptitude-debuild-nopatch)
==10986==    by 0x101B7EB4: (within /home/bram/aptitude-debuild-nopatch)
==10986==    by 0xF6476B8: (below main) (libc-start.c:181)
==10986== 
==10986== Invalid read of size 1
==10986==    at 0xFFBBC94: strlen (mc_replace_strmem.c:242)
==10986==    by 0xF6593D4: __dcigettext (dcigettext.c:456)
==10986==    by 0xF658290: dcgettext (dcgettext.c:53)
==10986==    by 0x100BE9BC: (within /home/bram/aptitude-debuild-nopatch)
==10986==    by 0x100C9F8C: (within /home/bram/aptitude-debuild-nopatch)
==10986==    by 0x10016B3C: (within /home/bram/aptitude-debuild-nopatch)
==10986==    by 0xF64771C: (below main) (libc-start.c:222)
==10986==  Address 0x4037d5d is 13 bytes inside a block of size 72 free'd
==10986==    at 0xFFB99BC: operator delete(void*) (vg_replace_malloc.c:342)
==10986==    by 0xF961C80: std::string::_Rep::_M_destroy(std::allocator<char> 
const&) (in /usr/lib/libstdc++.so.6.0.10)
==10986==    by 0xF9641F0: std::string::~string() (in 
/usr/lib/libstdc++.so.6.0.10)
==10986==    by 0x100BD16C: (within /home/bram/aptitude-debuild-nopatch)
==10986==    by 0x101B8144: (within /home/bram/aptitude-debuild-nopatch)
==10986==    by 0x10015204: (within /home/bram/aptitude-debuild-nopatch)
==10986==    by 0x101B7EB4: (within /home/bram/aptitude-debuild-nopatch)
==10986==    by 0xF6476B8: (below main) (libc-start.c:181)
==10986== 
==10986== Invalid read of size 1
==10986==    at 0xFFBD790: memcpy (mc_replace_strmem.c:402)
==10986==    by 0xF659408: __dcigettext (dcigettext.c:462)
==10986==    by 0xF658290: dcgettext (dcgettext.c:53)
==10986==    by 0x100BE9BC: (within /home/bram/aptitude-debuild-nopatch)
==10986==    by 0x100C9F8C: (within /home/bram/aptitude-debuild-nopatch)
==10986==    by 0x10016B3C: (within /home/bram/aptitude-debuild-nopatch)
==10986==    by 0xF64771C: (below main) (libc-start.c:222)
==10986==  Address 0x4037d97 is 71 bytes inside a block of size 72 free'd
==10986==    at 0xFFB99BC: operator delete(void*) (vg_replace_malloc.c:342)
==10986==    by 0xF961C80: std::string::_Rep::_M_destroy(std::allocator<char> 
const&) (in /usr/lib/libstdc++.so.6.0.10)
==10986==    by 0xF9641F0: std::string::~string() (in 
/usr/lib/libstdc++.so.6.0.10)
==10986==    by 0x100BD16C: (within /home/bram/aptitude-debuild-nopatch)
==10986==    by 0x101B8144: (within /home/bram/aptitude-debuild-nopatch)
==10986==    by 0x10015204: (within /home/bram/aptitude-debuild-nopatch)
==10986==    by 0x101B7EB4: (within /home/bram/aptitude-debuild-nopatch)
==10986==    by 0xF6476B8: (below main) (libc-start.c:181)
==10986== 
==10986== Invalid read of size 1
==10986==    at 0xFFBD7A0: memcpy (mc_replace_strmem.c:402)
==10986==    by 0xF659408: __dcigettext (dcigettext.c:462)
==10986==    by 0xF658290: dcgettext (dcgettext.c:53)
==10986==    by 0x100BE9BC: (within /home/bram/aptitude-debuild-nopatch)
==10986==    by 0x100C9F8C: (within /home/bram/aptitude-debuild-nopatch)
==10986==    by 0x10016B3C: (within /home/bram/aptitude-debuild-nopatch)
==10986==    by 0xF64771C: (below main) (libc-start.c:222)
==10986==  Address 0x4037d96 is 70 bytes inside a block of size 72 free'd
==10986==    at 0xFFB99BC: operator delete(void*) (vg_replace_malloc.c:342)
==10986==    by 0xF961C80: std::string::_Rep::_M_destroy(std::allocator<char> 
const&) (in /usr/lib/libstdc++.so.6.0.10)
==10986==    by 0xF9641F0: std::string::~string() (in 
/usr/lib/libstdc++.so.6.0.10)
==10986==    by 0x100BD16C: (within /home/bram/aptitude-debuild-nopatch)
==10986==    by 0x101B8144: (within /home/bram/aptitude-debuild-nopatch)
==10986==    by 0x10015204: (within /home/bram/aptitude-debuild-nopatch)
==10986==    by 0x101B7EB4: (within /home/bram/aptitude-debuild-nopatch)
==10986==    by 0xF6476B8: (below main) (libc-start.c:181)
==10986== 
==10986== Invalid read of size 1
==10986==    at 0xFFBD7B0: memcpy (mc_replace_strmem.c:402)
==10986==    by 0xF659408: __dcigettext (dcigettext.c:462)
==10986==    by 0xF658290: dcgettext (dcgettext.c:53)
==10986==    by 0x100BE9BC: (within /home/bram/aptitude-debuild-nopatch)
==10986==    by 0x100C9F8C: (within /home/bram/aptitude-debuild-nopatch)
==10986==    by 0x10016B3C: (within /home/bram/aptitude-debuild-nopatch)
==10986==    by 0xF64771C: (below main) (libc-start.c:222)
==10986==  Address 0x4037d95 is 69 bytes inside a block of size 72 free'd
==10986==    at 0xFFB99BC: operator delete(void*) (vg_replace_malloc.c:342)
==10986==    by 0xF961C80: std::string::_Rep::_M_destroy(std::allocator<char> 
const&) (in /usr/lib/libstdc++.so.6.0.10)
==10986==    by 0xF9641F0: std::string::~string() (in 
/usr/lib/libstdc++.so.6.0.10)
==10986==    by 0x100BD16C: (within /home/bram/aptitude-debuild-nopatch)
==10986==    by 0x101B8144: (within /home/bram/aptitude-debuild-nopatch)
==10986==    by 0x10015204: (within /home/bram/aptitude-debuild-nopatch)
==10986==    by 0x101B7EB4: (within /home/bram/aptitude-debuild-nopatch)
==10986==    by 0xF6476B8: (below main) (libc-start.c:181)
==10986== 
==10986== Invalid read of size 1
==10986==    at 0xFFBD7C0: memcpy (mc_replace_strmem.c:402)
==10986==    by 0xF659408: __dcigettext (dcigettext.c:462)
==10986==    by 0xF658290: dcgettext (dcgettext.c:53)
==10986==    by 0x100BE9BC: (within /home/bram/aptitude-debuild-nopatch)
==10986==    by 0x100C9F8C: (within /home/bram/aptitude-debuild-nopatch)
==10986==    by 0x10016B3C: (within /home/bram/aptitude-debuild-nopatch)
==10986==    by 0xF64771C: (below main) (libc-start.c:222)
==10986==  Address 0x4037d94 is 68 bytes inside a block of size 72 free'd
==10986==    at 0xFFB99BC: operator delete(void*) (vg_replace_malloc.c:342)
==10986==    by 0xF961C80: std::string::_Rep::_M_destroy(std::allocator<char> 
const&) (in /usr/lib/libstdc++.so.6.0.10)
==10986==    by 0xF9641F0: std::string::~string() (in 
/usr/lib/libstdc++.so.6.0.10)
==10986==    by 0x100BD16C: (within /home/bram/aptitude-debuild-nopatch)
==10986==    by 0x101B8144: (within /home/bram/aptitude-debuild-nopatch)
==10986==    by 0x10015204: (within /home/bram/aptitude-debuild-nopatch)
==10986==    by 0x101B7EB4: (within /home/bram/aptitude-debuild-nopatch)
==10986==    by 0xF6476B8: (below main) (libc-start.c:181)
==10986== 
==10986== Invalid read of size 1
==10986==    at 0xFFBBC7C: strlen (mc_replace_strmem.c:242)
==10986==    by 0xFD65D0C: cwidget::util::transcode(char const*, 
std::basic_string<wchar_t, std::char_traits<wchar_t>, std::allocator<wchar_t> 
>&, char const*) (transcode.cc:249)
==10986==    by 0xFD65F00: cwidget::util::transcode(char const*, char const*, 
std::basic_string<wchar_t, std::char_traits<wchar_t>, std::allocator<wchar_t> > 
(*)(int, std::basic_string<wchar_t, std::char_traits<wchar_t>, 
std::allocator<wchar_t> > const&, std::string const&)) (transcode.cc:287)
==10986==    by 0xFD80EB4: cwidget::widgets::menu::menu(int, int, int, 
cwidget::widgets::menu_info*) (menu.cc:125)
==10986==    by 0x100BE9F8: (within /home/bram/aptitude-debuild-nopatch)
==10986==    by 0x100C9F8C: (within /home/bram/aptitude-debuild-nopatch)
==10986==    by 0x10016B3C: (within /home/bram/aptitude-debuild-nopatch)
==10986==    by 0xF64771C: (below main) (libc-start.c:222)
==10986==  Address 0x4037d5c is 12 bytes inside a block of size 72 free'd
==10986==    at 0xFFB99BC: operator delete(void*) (vg_replace_malloc.c:342)
==10986==    by 0xF961C80: std::string::_Rep::_M_destroy(std::allocator<char> 
const&) (in /usr/lib/libstdc++.so.6.0.10)
==10986==    by 0xF9641F0: std::string::~string() (in 
/usr/lib/libstdc++.so.6.0.10)
==10986==    by 0x100BD16C: (within /home/bram/aptitude-debuild-nopatch)
==10986==    by 0x101B8144: (within /home/bram/aptitude-debuild-nopatch)
==10986==    by 0x10015204: (within /home/bram/aptitude-debuild-nopatch)
==10986==    by 0x101B7EB4: (within /home/bram/aptitude-debuild-nopatch)
==10986==    by 0xF6476B8: (below main) (libc-start.c:181)
==10986== 
==10986== Invalid read of size 1
==10986==    at 0xFFBBC94: strlen (mc_replace_strmem.c:242)
==10986==    by 0xFD65D0C: cwidget::util::transcode(char const*, 
std::basic_string<wchar_t, std::char_traits<wchar_t>, std::allocator<wchar_t> 
>&, char const*) (transcode.cc:249)
==10986==    by 0xFD65F00: cwidget::util::transcode(char const*, char const*, 
std::basic_string<wchar_t, std::char_traits<wchar_t>, std::allocator<wchar_t> > 
(*)(int, std::basic_string<wchar_t, std::char_traits<wchar_t>, 
std::allocator<wchar_t> > const&, std::string const&)) (transcode.cc:287)
==10986==    by 0xFD80EB4: cwidget::widgets::menu::menu(int, int, int, 
cwidget::widgets::menu_info*) (menu.cc:125)
==10986==    by 0x100BE9F8: (within /home/bram/aptitude-debuild-nopatch)
==10986==    by 0x100C9F8C: (within /home/bram/aptitude-debuild-nopatch)
==10986==    by 0x10016B3C: (within /home/bram/aptitude-debuild-nopatch)
==10986==    by 0xF64771C: (below main) (libc-start.c:222)
==10986==  Address 0x4037d5d is 13 bytes inside a block of size 72 free'd
==10986==    at 0xFFB99BC: operator delete(void*) (vg_replace_malloc.c:342)
==10986==    by 0xF961C80: std::string::_Rep::_M_destroy(std::allocator<char> 
const&) (in /usr/lib/libstdc++.so.6.0.10)
==10986==    by 0xF9641F0: std::string::~string() (in 
/usr/lib/libstdc++.so.6.0.10)
==10986==    by 0x100BD16C: (within /home/bram/aptitude-debuild-nopatch)
==10986==    by 0x101B8144: (within /home/bram/aptitude-debuild-nopatch)
==10986==    by 0x10015204: (within /home/bram/aptitude-debuild-nopatch)
==10986==    by 0x101B7EB4: (within /home/bram/aptitude-debuild-nopatch)
==10986==    by 0xF6476B8: (below main) (libc-start.c:181)
==10986== 
==10986== Invalid read of size 1
==10986==    at 0xF64E480: __gconv_transform_utf8_internal (loop.c:316)
==10986==    by 0xF649590: __gconv (gconv.c:80)
==10986==    by 0xF6488E4: iconv (iconv.c:53)
==10986==    by 0xFD643F0: cwidget::util::transcode_buffer(void*&, char*&, 
unsigned&, char const*, unsigned, unsigned&, char const*) (transcode.cc:115)
==10986==    by 0xFD65D2C: cwidget::util::transcode(char const*, 
std::basic_string<wchar_t, std::char_traits<wchar_t>, std::allocator<wchar_t> 
>&, char const*) (transcode.cc:249)
==10986==    by 0xFD65F00: cwidget::util::transcode(char const*, char const*, 
std::basic_string<wchar_t, std::char_traits<wchar_t>, std::allocator<wchar_t> > 
(*)(int, std::basic_string<wchar_t, std::char_traits<wchar_t>, 
std::allocator<wchar_t> > const&, std::string const&)) (transcode.cc:287)
==10986==    by 0xFD80EB4: cwidget::widgets::menu::menu(int, int, int, 
cwidget::widgets::menu_info*) (menu.cc:125)
==10986==    by 0x100BE9F8: (within /home/bram/aptitude-debuild-nopatch)
==10986==    by 0x100C9F8C: (within /home/bram/aptitude-debuild-nopatch)
==10986==    by 0x10016B3C: (within /home/bram/aptitude-debuild-nopatch)
==10986==    by 0xF64771C: (below main) (libc-start.c:222)
==10986==  Address 0x4037d5c is 12 bytes inside a block of size 72 free'd
==10986==    at 0xFFB99BC: operator delete(void*) (vg_replace_malloc.c:342)
==10986==    by 0xF961C80: std::string::_Rep::_M_destroy(std::allocator<char> 
const&) (in /usr/lib/libstdc++.so.6.0.10)
==10986==    by 0xF9641F0: std::string::~string() (in 
/usr/lib/libstdc++.so.6.0.10)
==10986==    by 0x100BD16C: (within /home/bram/aptitude-debuild-nopatch)
==10986==    by 0x101B8144: (within /home/bram/aptitude-debuild-nopatch)
==10986==    by 0x10015204: (within /home/bram/aptitude-debuild-nopatch)
==10986==    by 0x101B7EB4: (within /home/bram/aptitude-debuild-nopatch)
==10986==    by 0xF6476B8: (below main) (libc-start.c:181)
==10986== 
==10986== ERROR SUMMARY: 243 errors from 11 contexts (suppressed: 1 from 1)
==10986== malloc/free: in use at exit: 31,129,148 bytes in 2,998 blocks.
==10986== malloc/free: 1,660,844 allocs, 1,657,846 frees, 75,872,075 bytes 
allocated.
==10986== For counts of detected errors, rerun with: -v
==10986== searching for pointers to 2,998 not-freed blocks.
==10986== checked 38,934,672 bytes.
==10986== 
==10986== LEAK SUMMARY:
==10986==    definitely lost: 5,987 bytes in 253 blocks.
==10986==      possibly lost: 3,484,906 bytes in 1,243 blocks.
==10986==    still reachable: 27,638,255 bytes in 1,502 blocks.
==10986==         suppressed: 0 bytes in 0 blocks.
==10986== Rerun with --leak-check=full to see details of leaked memory.
