Debian Bug report logs -
#372171
w3m: searching without migemo causes segfault
Reported by: john@wjsullivan.net
Date: Thu, 8 Jun 2006 16:49:49 UTC
Severity: normal
Tags: help, moreinfo, unreproducible
Merged with 475199,
532921
Found in versions w3m/0.5.1-4, w3m/0.5.1-5.1, w3m/0.5.2-2
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded to debian-bugs-dist@lists.debian.org, John Sullivan <john@wjsullivan.net>, Fumitoshi UKAI <ukai@debian.or.jp>:
Bug#372171; Package w3m.
(full text, mbox, link).
Acknowledgement sent to john@wjsullivan.net:
New Bug report received and forwarded. Copy sent to John Sullivan <john@wjsullivan.net>, Fumitoshi UKAI <ukai@debian.or.jp>.
(full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: w3m
Version: 0.5.1-4
Severity: grave
Searching on any page with either "/" or "C-s" causes a segfault after entering
the string to search for and hitting RET.
I can't pinpoint exactly when, but I've been using w3m on this unstable system
for years, and this has only started happening in the last month or two.
It might matter that I'm using w3m under GNU Screen.
I'm marking this grave because searching is probably the prime method of page
navigation for most people in a text browser. It is for me.
-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/dash
Kernel: Linux 2.6.15-1-686
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Versions of packages w3m depends on:
ii libc6 2.3.6-13 GNU C Library: Shared libraries
ii libgc1c2 1:6.7-1 conservative garbage collector for
ii libgpmg1 1.19.6-22 General Purpose Mouse - shared lib
ii libncurses5 5.5-2 Shared libraries for terminal hand
ii libssl0.9.7 0.9.7i-1 SSL shared libraries
ii zlib1g 1:1.2.3-11 compression library - runtime
Versions of packages w3m recommends:
ii ca-certificates 20050804 Common CA Certificates PEM files
-- no debconf information
Information forwarded to debian-bugs-dist@lists.debian.org, Fumitoshi UKAI <ukai@debian.or.jp>:
Bug#372171; Package w3m.
(full text, mbox, link).
Acknowledgement sent to John Sullivan <john@wjsullivan.net>:
Extra info received and forwarded to list. Copy sent to Fumitoshi UKAI <ukai@debian.or.jp>.
(full text, mbox, link).
Message #10 received at 372171@bugs.debian.org (full text, mbox, reply):
I have no idea why, but moving my ~/.w3m directory out of the way and
restarting w3m has solved the problem.
Tags added: moreinfo, unreproducible
Request was from Fumitoshi UKAI <ukai@debian.or.jp>
to control@bugs.debian.org.
(full text, mbox, link).
Severity set to `important' from `grave'
Request was from Julien Cristau <julien.cristau@ens-lyon.org>
to control@bugs.debian.org.
(full text, mbox, link).
Information forwarded to debian-bugs-dist@lists.debian.org, Fumitoshi UKAI <ukai@debian.or.jp>:
Bug#372171; Package w3m.
(full text, mbox, link).
Acknowledgement sent to "Benjamin A. Okopnik" <ben@linuxgazette.net>:
Extra info received and forwarded to list. Copy sent to Fumitoshi UKAI <ukai@debian.or.jp>.
(full text, mbox, link).
Message #19 received at 372171@bugs.debian.org (full text, mbox, reply):
Package: w3m
Version: 0.5.1-4
Followup-For: Bug #372171
w3m segfaults (about 70% of the time, based on my informal testing) when
searching either forward (/) or in reverse (?). Like the previous reporter,
I'm marking this one grave for the same reasons: it's my primary means of
navigation within long pages, and I believe that this is true for most
users as well.
Relevant part of an strace dump (I'm opening a file, "foo.html", that has
no content beyond the basic HTML structure):
------------------------------------------------------------------------
stat64("/tmp/foo.html", {st_mode=S_IFREG|0644, st_size=60, ...}) = 0
open("/tmp/foo.html", O_RDONLY) = 5
rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
rt_sigaction(SIGINT, {0x8058ef0, [], SA_RESTART}, {0x8091640, [], SA_RESTART}, 8) = 0
ioctl(3, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost -isig -icanon -echo ...}) = 0
ioctl(3, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost -isig -icanon -echo ...}) = 0
ioctl(3, SNDCTL_TMR_START or TCSETS, {B38400 opost isig icanon echo ...}) = 0
ioctl(3, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo ...}) = 0
ioctl(3, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo ...}) = 0
ioctl(3, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo ...}) = 0
ioctl(3, SNDCTL_TMR_START or TCSETS, {B38400 opost isig icanon echo ...}) = 0
ioctl(3, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo ...}) = 0
ioctl(3, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo ...}) = 0
ioctl(3, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo ...}) = 0
ioctl(3, SNDCTL_TMR_START or TCSETS, {B38400 opost isig icanon -echo ...}) = 0
ioctl(3, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon -echo ...}) = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
rt_sigaction(SIGINT, {0x8058ef0, [], SA_RESTART}, {0x8058ef0, [], SA_RESTART}, 8) = 0
ioctl(3, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon -echo ...}) = 0
ioctl(3, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon -echo ...}) = 0
ioctl(3, SNDCTL_TMR_START or TCSETS, {B38400 opost isig icanon echo ...}) = 0
ioctl(3, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo ...}) = 0
ioctl(3, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo ...}) = 0
ioctl(3, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo ...}) = 0
ioctl(3, SNDCTL_TMR_START or TCSETS, {B38400 opost isig icanon echo ...}) = 0
ioctl(3, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo ...}) = 0
ioctl(3, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo ...}) = 0
ioctl(3, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo ...}) = 0
ioctl(3, SNDCTL_TMR_START or TCSETS, {B38400 opost isig icanon -echo ...}) = 0
ioctl(3, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon -echo ...}) = 0
read(5, "<html>\n<head><title></title></he"..., 8192) = 60
read(5, "", 8192) = 0
ioctl(3, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon -echo ...}) = 0
ioctl(3, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon -echo ...}) = 0
ioctl(3, SNDCTL_TMR_START or TCSETS, {B38400 opost -isig -icanon -echo ...}) = 0
ioctl(3, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost -isig -icanon -echo ...}) = 0
ioctl(3, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost -isig -icanon -echo ...}) = 0
ioctl(3, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost -isig -icanon -echo ...}) = 0
ioctl(3, SNDCTL_TMR_START or TCSETS, {B38400 opost -isig -icanon -echo ...}) = 0
ioctl(3, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost -isig -icanon -echo ...}) = 0
rt_sigaction(SIGINT, {0x8058ef0, [], SA_RESTART}, {0x8058ef0, [], SA_RESTART}, 8) = 0
rt_sigaction(SIGINT, {SIG_IGN}, {0x8058ef0, [], SA_RESTART}, 8) = 0
close(5) = 0
rt_sigaction(SIGINT, {0x8058ef0, [], SA_RESTART}, {SIG_IGN}, 8) = 0
ioctl(3, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost -isig -icanon -echo ...}) = 0
ioctl(3, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost -isig -icanon -echo ...}) = 0
ioctl(3, SNDCTL_TMR_START or TCSETS, {B38400 opost -isig -icanon -echo ...}) = 0
ioctl(3, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost -isig -icanon -echo ...}) = 0
ioctl(3, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost -isig -icanon -echo ...}) = 0
ioctl(3, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost -isig -icanon -echo ...}) = 0
ioctl(3, SNDCTL_TMR_START or TCSETS, {B38400 opost -isig -icanon -echo ...}) = 0
ioctl(3, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost -isig -icanon -echo ...}) = 0
rt_sigaction(SIGINT, {0x8091640, [], SA_RESTART}, {0x8058ef0, [], SA_RESTART}, 8) = 0
write(3, "\33[?1049h\33[H\33[2J\33[41;1H\33[7m\342\211\252 \342\206"..., 69) = 69
stat64("/dev/vc/0", 0xbfa3e29c) = -1 ENOENT (No such file or directory)
stat64("/dev/tty0", {st_mode=S_IFCHR|0600, st_rdev=makedev(4, 0), ...}) = 0
fstat64(1, {st_mode=S_IFCHR|0666, st_rdev=makedev(136, 0), ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f27000
write(1, "\33[?1001s", 8) = 8
write(1, "\33[?1000h", 8) = 8
write(1, "\33[?1000l", 8) = 8
write(1, "\33[?1001r", 8) = 8
rt_sigaction(SIGTSTP, {SIG_DFL}, NULL, 8) = 0
rt_sigaction(SIGWINCH, {SIG_DFL}, NULL, 8) = 0
close(-1) = -1 EBADF (Bad file descriptor)
write(3, "\33[?1001s\33[?1000h", 16) = 16
rt_sigaction(SIGWINCH, {0x804c3a0, [], SA_RESTART}, {SIG_DFL}, 8) = 0
read(3, "/", 1) = 1
rt_sigaction(SIGWINCH, {0x804c340, [], SA_RESTART}, {0x804c3a0, [], SA_RESTART}, 8) = 0
write(3, "\33[?1000l\33[?1001r", 16) = 16
brk(0x824a000) = 0x824a000
write(3, "\33[41;10H\33[K\33[41;1HForward: \33[41;"..., 35) = 35
read(3, "f", 1) = 1
write(3, "\33[41;10Hf\33[41;11H", 17) = 17
read(3, "o", 1) = 1
write(3, "\33[41;11Ho\33[41;12H", 17) = 17
read(3, "o", 1) = 1
write(3, "\33[41;12Ho\33[41;13H", 17) = 17
read(3, "\n", 1) = 1
write(3, "\33[41;1H", 7) = 7
rt_sigaction(SIGINT, {0x804c320, [], SA_RESTART}, {0x8091640, [], SA_RESTART}, 8) = 0
ioctl(3, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost -isig -icanon -echo ...}) = 0
ioctl(3, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost -isig -icanon -echo ...}) = 0
ioctl(3, SNDCTL_TMR_START or TCSETS, {B38400 opost -isig -icanon -echo ...}) = 0
ioctl(3, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost -isig -icanon -echo ...}) = 0
ioctl(3, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost -isig -icanon -echo ...}) = 0
ioctl(3, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost -isig -icanon -echo ...}) = 0
ioctl(3, SNDCTL_TMR_START or TCSETS, {B38400 opost isig -icanon -echo ...}) = 0
ioctl(3, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig -icanon -echo ...}) = 0
ioctl(3, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig -icanon -echo ...}) = 0
ioctl(3, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig -icanon -echo ...}) = 0
ioctl(3, SNDCTL_TMR_START or TCSETS, {B38400 opost isig -icanon -echo ...}) = 0
ioctl(3, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig -icanon -echo ...}) = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
pipe([5, 7]) = 0
pipe([9, 10]) = 0
clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0xb7bd0928) = 4518
--- SIGCHLD (Child exited) @ 0 (0) ---
waitpid(-1, [{WIFEXITED(s) && WEXITSTATUS(s) == 127}], WNOHANG) = 4518
waitpid(-1, 0xbfa3e120, WNOHANG) = -1 ECHILD (No child processes)
rt_sigaction(SIGCHLD, {0x804ba60, [], SA_RESTART}, {0x804ba60, [], SA_RESTART}, 8) = 0
sigreturn() = ? (mask now [])
close(7) = 0
fcntl64(5, F_GETFL) = 0 (flags O_RDONLY)
fstat64(5, {st_mode=S_IFIFO|0600, st_size=0, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f26000
_llseek(5, 0, 0xbfa3e33c, SEEK_CUR) = -1 ESPIPE (Illegal seek)
close(9) = 0
fcntl64(10, F_GETFL) = 0x1 (flags O_WRONLY)
fstat64(10, {st_mode=S_IFIFO|0600, st_size=0, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f25000
_llseek(10, 0, 0xbfa3e33c, SEEK_CUR) = -1 ESPIPE (Illegal seek)
write(10, "foo\n", 4) = -1 EPIPE (Broken pipe)
--- SIGPIPE (Broken pipe) @ 0 (0) ---
close(5) = 0
munmap(0xb7f26000, 4096) = 0
write(10, "foo\n", 4) = -1 EPIPE (Broken pipe)
close(10) = 0
munmap(0xb7f25000, 4096) = 0
kill(4518, SIGKILL) = -1 ESRCH (No such process)
rt_sigaction(SIGPIPE, {0x804c3c0, [], SA_RESTART}, {0x804c3c0, [], SA_RESTART}, 8) = 0
sigreturn() = ? (mask now [])
--- SIGPIPE (Broken pipe) @ 0 (0) ---
rt_sigaction(SIGPIPE, {0x804c3c0, [], SA_RESTART}, {0x804c3c0, [], SA_RESTART}, 8) = 0
sigreturn() = ? (mask now [])
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV +++
------------------------------------------------------------------------
Regards,
* Ben Okopnik * Editor-in-Chief, Linux Gazette * http://linuxgazette.net *
-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (990, 'unstable'), (500, 'testing')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.16.1
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Versions of packages w3m depends on:
ii libc6 2.3.6-15 GNU C Library: Shared libraries
ii libgc1c2 1:6.7-1 conservative garbage collector for
ii libgpmg1 1.19.6-22 General Purpose Mouse - shared lib
ii libncurses5 5.5-2 Shared libraries for terminal hand
ii libssl0.9.7 0.9.7i-1 SSL shared libraries
ii zlib1g 1:1.2.3-11 compression library - runtime
Versions of packages w3m recommends:
ii ca-certificates 20050804 Common CA Certificates PEM files
-- no debconf information
Information forwarded to debian-bugs-dist@lists.debian.org, Fumitoshi UKAI <ukai@debian.or.jp>:
Bug#372171; Package w3m.
(full text, mbox, link).
Acknowledgement sent to Samuel Thibault <samuel.thibault@ens-lyon.org>:
Extra info received and forwarded to list. Copy sent to Fumitoshi UKAI <ukai@debian.or.jp>.
(full text, mbox, link).
Message #24 received at 372171@bugs.debian.org (full text, mbox, reply):
I also sometimes experience segfaults after a search and got a core
dump, available on
http://dept-info.labri.fr/~thibault/tmp/core
and I've put my gdb-enabled binary on
http://dept-info.labri.fr/~thibault/tmp/w3m
The backtrace is
(gdb) bt
#0 0x414cabf2 in mallopt () from /lib/i686/cmov/libc.so.6
#1 0x414cc94e in malloc () from /lib/i686/cmov/libc.so.6
#2 0x4153247c in tsearch () from /lib/i686/cmov/libc.so.6
#3 0x4148dba0 in unsetenv () from /lib/i686/cmov/libc.so.6
#4 0x4148dc42 in setenv () from /lib/i686/cmov/libc.so.6
#5 0x0808dfa0 in set_environ (var=0x80cfb2e "W3M_CURRENT_WORD", value=0x83cec98 "brlapi") at local.c:206
#6 0x08059f4c in set_buffer_environ (buf=0x8233c60) at main.c:5609
#7 0x0804f1fe in main (argc=2, argv=0xbffda164, envp=0xbffda170) at main.c:1135
Which seems to point out either a bogus environment variable use (the
string returned by getenv() shouldn't ever be modified, maybe a "const"
qualifier would help tracking those) or a memory corruption (way harder
to track).
Samuel
Information forwarded to debian-bugs-dist@lists.debian.org, Fumitoshi UKAI <ukai@debian.or.jp>:
Bug#372171; Package w3m.
(full text, mbox, link).
Acknowledgement sent to Samuel Thibault <samuel.thibault@ens-lyon.org>:
Extra info received and forwarded to list. Copy sent to Fumitoshi UKAI <ukai@debian.or.jp>.
(full text, mbox, link).
Message #29 received at 372171@bugs.debian.org (full text, mbox, reply):
Hello,
I've dug a bit, since I've got an administration website which allows me
to reproduce the bug quite reliably.
Benjamin A. Okopnik, le Mon 03 Jul 2006 11:26:34 -0400, a écrit :
> ioctl(3, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig -icanon -echo ...}) = 0
> rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
> pipe([5, 7]) = 0
> pipe([9, 10]) = 0
> clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0xb7bd0928) = 4518
> --- SIGCHLD (Child exited) @ 0 (0) ---
> waitpid(-1, [{WIFEXITED(s) && WEXITSTATUS(s) == 127}], WNOHANG) = 4518
> waitpid(-1, 0xbfa3e120, WNOHANG) = -1 ECHILD (No child processes)
> rt_sigaction(SIGCHLD, {0x804ba60, [], SA_RESTART}, {0x804ba60, [], SA_RESTART}, 8) = 0
> sigreturn() = ? (mask now [])
> close(7) = 0
> fcntl64(5, F_GETFL) = 0 (flags O_RDONLY)
> fstat64(5, {st_mode=S_IFIFO|0600, st_size=0, ...}) = 0
> mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f26000
> _llseek(5, 0, 0xbfa3e33c, SEEK_CUR) = -1 ESPIPE (Illegal seek)
> close(9) = 0
> fcntl64(10, F_GETFL) = 0x1 (flags O_WRONLY)
> fstat64(10, {st_mode=S_IFIFO|0600, st_size=0, ...}) = 0
> mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f25000
> _llseek(10, 0, 0xbfa3e33c, SEEK_CUR) = -1 ESPIPE (Illegal seek)
> write(10, "foo\n", 4) = -1 EPIPE (Broken pipe)
> --- SIGPIPE (Broken pipe) @ 0 (0) ---
> close(5) = 0
> munmap(0xb7f26000, 4096) = 0
> write(10, "foo\n", 4) = -1 EPIPE (Broken pipe)
> close(10) = 0
> munmap(0xb7f25000, 4096) = 0
> kill(4518, SIGKILL) = -1 ESRCH (No such process)
> rt_sigaction(SIGPIPE, {0x804c3c0, [], SA_RESTART}, {0x804c3c0, [], SA_RESTART}, 8) = 0
> sigreturn() = ? (mask now [])
> --- SIGPIPE (Broken pipe) @ 0 (0) ---
> rt_sigaction(SIGPIPE, {0x804c3c0, [], SA_RESTART}, {0x804c3c0, [], SA_RESTART}, 8) = 0
> sigreturn() = ? (mask now [])
> --- SIGSEGV (Segmentation fault) @ 0 (0) ---
> +++ killed by SIGSEGV +++
Note that at this point the segfault happens in malloc called by putenv
(which itself is called by the / command).
I've run this through gdb with handle SIGPIPE nopass, and then I
wouldn't get the segfault. Digging a bit in the SIGPIPE handler showed
me that it calls init_migemo(), which itself calls fclose(), which
is not safe since that function is not in the list of signal-safe
functions. I commented these fclose() calls, and now I can't reproduce
the bug any more. I'll keep that "fixed" version of w3m for some more
long-term testing, but I really think the problem is here: I guess that
fclose() frees something, so that it may corrupt the heap, thus the
segfault on the next malloc (which happens to be due to searching the
page). So the solution is probably to have the signal handler just set
a variable and move the call to init_migemo into the main stream of
instruction.
Samuel
Information forwarded to debian-bugs-dist@lists.debian.org, Fumitoshi UKAI <ukai@debian.or.jp>:
Bug#372171; Package w3m.
(full text, mbox, link).
Acknowledgement sent to Ben Okopnik <ben@linuxgazette.net>:
Extra info received and forwarded to list. Copy sent to Fumitoshi UKAI <ukai@debian.or.jp>.
(full text, mbox, link).
Message #34 received at 372171@bugs.debian.org (full text, mbox, reply):
Hi, Samuel -
On Sun, Jan 06, 2008 at 03:13:46PM +0000, Samuel Thibault wrote:
> Hello,
>
> I've dug a bit, since I've got an administration website which allows me
> to reproduce the bug quite reliably.
>
> Benjamin A. Okopnik, le Mon 03 Jul 2006 11:26:34 -0400, a écrit :
> > ioctl(3, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig -icanon -echo ...}) = 0
> > rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
> > pipe([5, 7]) = 0
> > pipe([9, 10]) = 0
> > clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0xb7bd0928) = 4518
> > --- SIGCHLD (Child exited) @ 0 (0) ---
> > waitpid(-1, [{WIFEXITED(s) && WEXITSTATUS(s) == 127}], WNOHANG) = 4518
> > waitpid(-1, 0xbfa3e120, WNOHANG) = -1 ECHILD (No child processes)
> > rt_sigaction(SIGCHLD, {0x804ba60, [], SA_RESTART}, {0x804ba60, [], SA_RESTART}, 8) = 0
> > sigreturn() = ? (mask now [])
> > close(7) = 0
> > fcntl64(5, F_GETFL) = 0 (flags O_RDONLY)
> > fstat64(5, {st_mode=S_IFIFO|0600, st_size=0, ...}) = 0
> > mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f26000
> > _llseek(5, 0, 0xbfa3e33c, SEEK_CUR) = -1 ESPIPE (Illegal seek)
> > close(9) = 0
> > fcntl64(10, F_GETFL) = 0x1 (flags O_WRONLY)
> > fstat64(10, {st_mode=S_IFIFO|0600, st_size=0, ...}) = 0
> > mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f25000
> > _llseek(10, 0, 0xbfa3e33c, SEEK_CUR) = -1 ESPIPE (Illegal seek)
> > write(10, "foo\n", 4) = -1 EPIPE (Broken pipe)
> > --- SIGPIPE (Broken pipe) @ 0 (0) ---
> > close(5) = 0
> > munmap(0xb7f26000, 4096) = 0
> > write(10, "foo\n", 4) = -1 EPIPE (Broken pipe)
> > close(10) = 0
> > munmap(0xb7f25000, 4096) = 0
> > kill(4518, SIGKILL) = -1 ESRCH (No such process)
> > rt_sigaction(SIGPIPE, {0x804c3c0, [], SA_RESTART}, {0x804c3c0, [], SA_RESTART}, 8) = 0
> > sigreturn() = ? (mask now [])
> > --- SIGPIPE (Broken pipe) @ 0 (0) ---
> > rt_sigaction(SIGPIPE, {0x804c3c0, [], SA_RESTART}, {0x804c3c0, [], SA_RESTART}, 8) = 0
> > sigreturn() = ? (mask now [])
> > --- SIGSEGV (Segmentation fault) @ 0 (0) ---
> > +++ killed by SIGSEGV +++
>
> Note that at this point the segfault happens in malloc called by putenv
> (which itself is called by the / command).
>
> I've run this through gdb with handle SIGPIPE nopass, and then I
> wouldn't get the segfault. Digging a bit in the SIGPIPE handler showed
> me that it calls init_migemo(), which itself calls fclose(), which
> is not safe since that function is not in the list of signal-safe
> functions. I commented these fclose() calls, and now I can't reproduce
> the bug any more. I'll keep that "fixed" version of w3m for some more
> long-term testing, but I really think the problem is here: I guess that
> fclose() frees something, so that it may corrupt the heap, thus the
> segfault on the next malloc (which happens to be due to searching the
> page). So the solution is probably to have the signal handler just set
> a variable and move the call to init_migemo into the main stream of
> instruction.
I'd wonder what's going to be left open as a result of those two
"fclose()" calls not happening. Is there a signal-safe way of releasing
those handles? I'd hate to see you create more problems by fixing this
one. :)
Regards,
--
* Ben Okopnik * Editor-in-Chief, Linux Gazette * http://LinuxGazette.NET *
Information forwarded to debian-bugs-dist@lists.debian.org, Fumitoshi UKAI <ukai@debian.or.jp>:
Bug#372171; Package w3m.
(full text, mbox, link).
Acknowledgement sent to Samuel Thibault <samuel.thibault@ens-lyon.org>:
Extra info received and forwarded to list. Copy sent to Fumitoshi UKAI <ukai@debian.or.jp>.
(full text, mbox, link).
Message #39 received at 372171@bugs.debian.org (full text, mbox, reply):
Ben Okopnik, le Sat 12 Jan 2008 13:38:25 -0500, a écrit :
> > I've run this through gdb with handle SIGPIPE nopass, and then I
> > wouldn't get the segfault. Digging a bit in the SIGPIPE handler showed
> > me that it calls init_migemo(), which itself calls fclose(), which
> > is not safe since that function is not in the list of signal-safe
> > functions. I commented these fclose() calls, and now I can't reproduce
> > the bug any more. I'll keep that "fixed" version of w3m for some more
> > long-term testing, but I really think the problem is here: I guess that
> > fclose() frees something, so that it may corrupt the heap, thus the
> > segfault on the next malloc (which happens to be due to searching the
> > page). So the solution is probably to have the signal handler just set
> > a variable and move the call to init_migemo into the main stream of
> > instruction.
>
> I'd wonder what's going to be left open as a result of those two
> "fclose()" calls not happening. I'd hate to see you create more
> problems by fixing this one. :)
Sure, my patch wasn't meant to be any proper fix, but just a way to show
the precise bits that poses problem.
> Is there a signal-safe way of releasing those handles?
No, the FILE structure is essentially a non-signal-safe structure. The
only proper solution (which should probably be made upstream) is to set
a volatile variable from the handler, and from the main loop detect that
and call the fclose.
Regards,
Samuel
Forcibly Merged 372171 475199.
Request was from d+deb@vdr.jp
to control@bugs.debian.org.
(Sat, 03 Jul 2010 05:54:05 GMT) (full text, mbox, link).
Removed tag(s) unreproducible and moreinfo.
Request was from d+deb@vdr.jp
to control@bugs.debian.org.
(Sat, 03 Jul 2010 07:15:03 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Tatsuya Kinoshita <tats@debian.org>:
Bug#372171; Package w3m.
(Tue, 20 Jul 2010 16:03:06 GMT) (full text, mbox, link).
Acknowledgement sent
to d+deb@vdr.jp:
Extra info received and forwarded to list. Copy sent to Tatsuya Kinoshita <tats@debian.org>.
(Tue, 20 Jul 2010 16:03:07 GMT) (full text, mbox, link).
Message #48 received at 372171@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
forcemerge 372171 475199 532921
retitle 372171 w3m: searching without migemo causes segfault
thanks
--
Regards,
dai
GPG Fingerprint = 0B29 D88E 42E6 B765 B8D8 EA50 7839 619D D439 668E
[signature.asc (application/pgp-signature, inline)]
Changed Bug title to 'w3m: searching without migemo causes segfault' from 'w3m: Searching on the page causes segfault'
Request was from d+deb@vdr.jp
to control@bugs.debian.org.
(Tue, 20 Jul 2010 16:03:13 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Tatsuya Kinoshita <tats@debian.org>:
Bug#372171; Package w3m.
(Thu, 12 Aug 2010 03:18:06 GMT) (full text, mbox, link).
Acknowledgement sent
to d+deb@vdr.jp:
Extra info received and forwarded to list. Copy sent to Tatsuya Kinoshita <tats@debian.org>.
(Thu, 12 Aug 2010 03:18:06 GMT) (full text, mbox, link).
Message #57 received at 372171@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
tags 372171 + help
thanks
There is another reason that w3m SEGV without migemo.
Simply uninstalling migemo, w3m does not SEGV on my environment.
Upstream maintainer also says unreproducible.
So, I need more info for fixing this bug.
--
Regards,
dai
GPG Fingerprint = 0B29 D88E 42E6 B765 B8D8 EA50 7839 619D D439 668E
[signature.asc (application/pgp-signature, inline)]
Added tag(s) help.
Request was from d+deb@vdr.jp
to control@bugs.debian.org.
(Thu, 12 Aug 2010 03:18:08 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Tatsuya Kinoshita <tats@debian.org>:
Bug#372171; Package w3m.
(Fri, 11 Nov 2011 01:42:03 GMT) (full text, mbox, link).
Acknowledgement sent
to d+deb@vdr.jp:
Extra info received and forwarded to list. Copy sent to Tatsuya Kinoshita <tats@debian.org>.
(Fri, 11 Nov 2011 01:42:03 GMT) (full text, mbox, link).
Message #64 received at 372171@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
tags 372171 unreproducible moreinfo
severity 372171 normal
thanks
--
Regards,
dai
GPG Fingerprint = 0B29 D88E 42E6 B765 B8D8 EA50 7839 619D D439 668E
[signature.asc (application/pgp-signature, inline)]
Added tag(s) unreproducible and moreinfo.
Request was from d+deb@vdr.jp
to control@bugs.debian.org.
(Fri, 11 Nov 2011 01:42:05 GMT) (full text, mbox, link).
Severity set to 'normal' from 'important'
Request was from d+deb@vdr.jp
to control@bugs.debian.org.
(Fri, 11 Nov 2011 01:42:06 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Mon Jun 5 03:07:45 2023;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.