[ expat-Bugs-511175 ] efence catches freeing freed
noreply@sourceforge.net
Tue Jun 25 21:53:02 2002
Bugs item #511175, was opened at 2002-01-31 07:45
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=110127&aid=511175&group_id=10127
Category: XML::Parser (Perl module)
Group: None
>Status: Closed
>Resolution: Out of Date
Priority: 5
Submitted By: Daniel Horn (hellcatv)
Assigned to: Nobody/Anonymous (nobody)
Summary: efence catches freeing freed
Initial Comment:
I am on an Intel Pentium III 550.
I use Expat numerous times in my application,
vegastrike.sourceforge.net.
It seems randomly in 10,000 parses of different, short
documents I get an error when running efence with set
environment EF_PROTECT_FREE 1.
No stack is left and it took me about 25 hours to
figure out where it was happening.
I added printf's to almost every line of my code to
find this..... but here is what XML_FreeBuffer said.
Your memory management routines are kinda funky
though...could it be playing tricks on efence??
Anyhow, here's the trace of what happens:
parser 59358d8
bufget59b61000
parsing....
59358d8cxml_freefor
if (tagstack0==0)
TagSTack= freeTagList5935efdc
p = tagStack5935efdc
Free p->buf59b66fe0
Destroy p->bindings59b66fe0
FREE (p5935efdc)
for
p = tagStack59b6efdc
Free p->buf59b70fe0
Destroy p->bindings59b70fe0
FREE (p59b6efdc)
for
if (tagstack0==0)
poolDest (tempPool0)
poolDest (temp2Pool0)
free (atts5935af00)
free (buffer59b61000)
ElectricFence Aborting: free(59b61000): freeing free
memory.
Program received signal SIGILL, Illegal instruction.
[Switching to Thread 1024 (LWP 3627)]
0x4018a971 in kill () from /lib/libc.so.6
Current language: auto; currently c
(gdb) bt
#0 0x4018a971 in kill () from /lib/libc.so.6
#1 0x400ed953 in EF_Abort () from /usr/lib/libefence.so.0
#2 0x40829000 in ?? ()
This happens very consistently.
An earlier run (takes about 1 hour of continuous
parsing of small files):
parscreated at 56e98d8c
bufget58c41000ebufget
xml_free(56e98d8c)
ElectricFence Aborting: free(58c41000): freeing free
memory.
Program received signal SIGILL, Illegal instruction.
0x4018a971 in ?? ()
(gdb)
(gdb) up
#1 0x40829000 in ?? ()
(gdb)
Initial frame selected; you cannot go up.
(gdb) down
#0 0x4018a971 in ?? ()
(gdb)
Bottom (i.e., innermost) frame selected; you cannot go
down.
(gdb) print 56e98d8c
Invalid number "56e98d8c".
(gdb) print 0x56e98d8c
$1 = 1458146700
(gdb) print (char *[10])((XML_Parser)0x56e98d8c)
Invalid cast.
(gdb) print (char *[10])*(char **)((XML_Parser)0x56e98d8c)
$9 = {0x56e09fc8 "¤\235#[\003", 0x56e09fc8 "¤\235#[\003",
0x58c41000 "<SCRIPT>\n <MatchLin afterburn=\0\
terminate=\0\
local=\1\>\n <Vector x=\0\ y=\0\
z=\10000\/>\n </MatchLin>\n
<FaceTarget terminate=\0\>\n
</FaceTarget>\n</SCRIPT>\n", 0x804dd84
"ÿ%\210ê\035\bh`\001",
0x804e244 "ÿ%¸ë\035\bhÀ\003", 0x804e9a4
"ÿ%\220í\035\bhp\a",
0x58c41000 "<SCRIPT>\n <MatchLin afterburn=\0\
terminate=\0\
local=\1\>\n <Vector x=\0\ y=\0\
z=\10000\/>\n </MatchLin>\n
<FaceTarget terminate=\0\>\n
</FaceTarget>\n</SCRIPT>\n", 0x58c410a5 "",
0x58c45000 <Address 0x58c45000 out of bounds>,
0xa5 <Address 0xa5 out of bounds>}
----------------------------------------------------------------------
>Comment By: Fred L. Drake, Jr. (fdrake)
Date: 2002-06-26 00:52
Message:
Logged In: YES
user_id=3066
This was an older version of Expat (based on the submission
date, much has changed). If you can reproduce this with
1.95.3 or newer (CVS), please add a comment to this report
or file a new report. Please always tell what version of
Expat you're using.
(This also may have been an XML::Parser-specific bug, so not
relevant to the Expat project.)
----------------------------------------------------------------------
Comment By: Fred L. Drake, Jr. (fdrake)
Date: 2002-05-16 22:22
Message:
Logged In: YES
user_id=3066
Removed assignment to Clark since he's no longer working on
Expat.
What version of Expat was being used in the application?
----------------------------------------------------------------------