[ expat-Bugs-511175 ] efence catches freeing freed

noreply@sourceforge.net
Thu May 16 19:23:02 2002


Bugs item #511175, was opened at 2002-01-31 07:45
You can respond by visiting: 
http://sourceforge.net/tracker/?func=detail&atid=110127&aid=511175&group_id=10127

Category: XML::Parser (Perl module)
Group: None
Status: Open
Resolution: None
Priority: 5
Submitted By: Daniel Horn (hellcatv)
>Assigned to: Nobody/Anonymous (nobody)
Summary: efence catches freeing freed

Initial Comment:
I am on an Intel Pentium III 550.

I use expat numerous times in my application,
vegastrike.sourceforge.net.

It seems that randomly, in 10,000 parses of different, short
documents, I get an error when running efence with the
environment variable EF_PROTECT_FREE set to 1.



No stack is left, and it took me about 25 hours to
figure out where it was happening.
I added printf's to almost every line of my code to
find this... but here is what XML_FreeBuffer said:


Your memory management routines are kinda funky
though... could it be playing tricks on efence??

Anyhow, here's the trace of what happens:


parser 59358d8

bufget59b61000

parsing....


59358d8cxml_freefor
 if (tagstack0==0)
TagSTack= freeTagList5935efdc
  p = tagStack5935efdc
Free  p->buf59b66fe0
Destroy  p->bindings59b66fe0
FREE (p5935efdc)
for
  p = tagStack59b6efdc
Free  p->buf59b70fe0
Destroy  p->bindings59b70fe0
FREE (p59b6efdc)
for
 if (tagstack0==0)
poolDest (tempPool0)
poolDest (temp2Pool0)
free (atts5935af00)
free (buffer59b61000)
ElectricFence Aborting: free(59b61000): freeing free
memory.

Program received signal SIGILL, Illegal instruction.
[Switching to Thread 1024 (LWP 3627)]
0x4018a971 in kill () from /lib/libc.so.6
Current language:  auto; currently c
(gdb) bt

#0  0x4018a971 in kill () from /lib/libc.so.6
#1  0x400ed953 in EF_Abort () from /usr/lib/libefence.so.0
#2  0x40829000 in ?? ()


This happens very consistently.

An earlier run (it takes about 1 hour of continuous
parsing of small files):


parscreated at 56e98d8c
bufget58c41000ebufget
xml_free(56e98d8c)
ElectricFence Aborting: free(58c41000): freeing free
memory.

Program received signal SIGILL, Illegal instruction.
0x4018a971 in ?? ()
(gdb) 
(gdb) up
#1  0x40829000 in ?? ()
(gdb) 
Initial frame selected; you cannot go up.
(gdb) down
#0  0x4018a971 in ?? ()
(gdb) 
Bottom (i.e., innermost) frame selected; you cannot go
down.
(gdb) print 56e98d8c
Invalid number "56e98d8c".
(gdb) print 0x56e98d8c
$1 = 1458146700
(gdb) print (char *[10])((XML_Parser)0x56e98d8c)
Invalid cast.
(gdb) print (char *[10])*(char **)((XML_Parser)0x56e98d8c)



----------------------------------------------------------------------

>Comment By: Fred L. Drake, Jr. (fdrake)
Date: 2002-05-16 22:22

Message:
Logged In: YES 
user_id=3066

Removed assignment to Clark since he's no longer working on
Expat.

What version of Expat was being used in the application?

----------------------------------------------------------------------
