GNOME Bugzilla – Bug 592990
gnome terminal crashes with glibc detected *** gnome-terminal: double free or corruption
Last modified: 2009-08-26 16:09:30 UTC
Since the latest gtk+, glib and vte upgrade, gnome-terminal is seriously broken. I'm using irssi in a screen session, but after some time the output becomes broken (e.g. it shows single message lines in irssi's window three times). Pressing Ctrl-L to refresh the terminal then crashes it.

Program received signal SIGABRT, Aborted.
0x00007f20a7bf8545 in raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
64 return INLINE_SYSCALL (tgkill, 3, pid, selftid, sig);
+ Trace 217115
Thread 2 (Thread 0x7f209e6d3910 (LWP 12489))
$ rpm -qa "*vte*" "gnome-terminal*" "glib2*" "gtk+2*"
gnome-terminal-2.27.91-1mdv2010.0
lib64vte9-0.21.1-1mdv2010.0
vte-debug-0.21.1-1mdv2010.0
gnome-terminal-debug-2.27.91-1mdv2010.0
vte-0.21.1-1mdv2010.0
glib2.0-debug-2.21.5-1mdv2010.0
glib2.0-common-2.21.5-1mdv2010.0
gtk+2.0-debug-2.17.9-1mdv2010.0
python-vte-0.21.1-1mdv2010.0
gtk+2.0-2.17.9-1mdv2010.0

Mandriva 2010.0 Cooker x86_64
Created attachment 141620: Valgrind run

Output of

$ G_SLICE=always-malloc G_DEBUG=gc-friendly valgrind --tool=memcheck --leak-check=full --leak-resolution=high --num-callers=20 gnome-terminal

and letting it run irssi in screen for some time until the terminal becomes more and more garbled.
For this bug, --leak-check=full wasn't needed. But there are indeed some invalid reads appearing in the middle of the valgrind log. Thanks!
On Fedora I am also getting these with vte-0.21.1-1.fc12.x86_64

*** glibc detected *** gnome-terminal: realloc(): invalid pointer: 0x0000000001bbbb40 ***

.. git bisected to commit 9a3de3c246360025f31ad9d6625f7792960c582e
http://git.gnome.org/cgit/vte/commit/?id=9a3de3c246360025f31ad9d6625f7792960c582e
Created attachment 141628 [review]: wild guess for a fix

Disclaimer: I don't know this code at all and haven't even tried this patch.

In the commit Yaneti bisected, in the vte_ring_remove case, the last 2 elements of the ring contain identical data after this loop:

    for (i = position; i < ring->delta + ring->length - 1; i++) {
        ring->array[i % ring->max] = ring->array[(i + 1) % ring->max];
    }

    _vte_row_data_fini (&ring->array[(ring->delta + ring->length - 1) % ring->max], FALSE);

is then called on the last element, but _vte_row_data_fini is a noop when its second argument is FALSE. On the other hand, at the place of the crash, _vte_ring_insert does

    /* If there was something there before, free it. */
    _vte_row_data_fini (&ring->array[position % ring->max], TRUE);

Without knowing the code, my guess is that it tries to free what could be in the place where we are going to insert a new element. In vte_ring_remove, we ended up duplicating the same data in 2 different elements, so with this kind of cleanup we'll end up freeing the same memory block twice. The patch attempts to avoid this case by setting the array data to NULL when _vte_row_data_fini is called with its second argument set to FALSE. This way, when we call _vte_row_data_fini again on this element, _vte_row_data_fini won't try to free the memory.
Yep, the fix is correct indeed. Thanks!
I'm now using vte-debug-0.21.2-1mdv2010.0 vte-0.21.2-1mdv2010.0 lib64vte9-0.21.2-1mdv2010.0 python-vte-0.21.2-1mdv2010.0 and the screen still gets corrupt with irssi or just plain vim: press enter to fill the screen with empty lines, then use the up arrow to scroll back. It will start hanging, and in the end it will crash again:

Distribution: Mandriva Linux release 2010.0 (Cooker) for x86_64
Gnome Release: 2.27.91 2009-08-25 (Mandriva)
BugBuddy Version: 2.27.1
System: Linux 2.6.31-tmb-desktop-0.rc7.1mdv #1 SMP PREEMPT Sat Aug 22 11:51:20 EDT 2009 x86_64
X Vendor: The X.Org Foundation
X Vendor Release: 10603000
Selinux: No
Accessibility: Enabled
GTK+ Theme: Clearlooks
Icon Theme: Tango
GTK+ Modules: canberra-gtk-module, gail:atk-bridge, gnomebreakpad
Memory status: size: 364326912 vsize: 364326912 resident: 138465280 share: 13258752 rss: 138465280 rss_rlim: 18446744073709551615
CPU usage: start_time: 1251271441 rtime: 756 utime: 560 stime: 196 cutime:0 cstime: 0 timeout: 0 it_real_value: 0 frequency: 100

Backtrace was generated from '/usr/bin/gnome-terminal'

[Thread debugging using libthread_db enabled]
[New Thread 0x7f18bcbe96f0 (LWP 26497)]
[New Thread 0x7f18b0342910 (LWP 26501)]
0x00007f18baa4d5ad in waitpid () from /lib64/libpthread.so.0
+ Trace 217144
Thread 1 (Thread 0x7f18bcbe96f0 (LWP 26497))
---- Critical and fatal warnings logged during execution ----

** Vte **: _vte_unistr_append_to_string: assertion `s < unistr_next' failed
** Vte **: _vte_unistr_append_to_string: assertion `s < unistr_next' failed
** Vte **: _vte_unistr_append_to_string: assertion `s < unistr_next' failed
** Vte **: _vte_unistr_append_to_string: assertion `s < unistr_next' failed
** Vte **: _vte_unistr_append_to_string: assertion `s < unistr_next' failed
** Vte **: _vte_unistr_append_to_string: assertion `s < unistr_next' failed
** Vte **: _vte_unistr_append_to_string: assertion `s < unistr_next' failed
** Vte **: _vte_unistr_append_to_string: assertion `s < unistr_next' failed
** Vte **: _vte_unistr_append_to_string: assertion `s < unistr_next' failed
** Vte **: _vte_unistr_append_to_string: assertion `s < unistr_next' failed
** Vte **: _vte_unistr_append_to_string: assertion `s < unistr_next' failed
** Vte **: _vte_unistr_append_to_string: assertion `s < unistr_next' failed
** Vte **: _vte_unistr_append_to_string: assertion `s < unistr_next' failed
** Vte **: _vte_unistr_append_to_string: assertion `s < unistr_next' failed
** Vte **: _vte_unistr_append_to_string: assertion `s < unistr_next' failed

----------- .xsession-errors (654 sec old) ---------------------

** Message: NP_Initialize succeeded
** Message: NP_Initialize
** Message: NP_Initialize succeeded
** Message: NP_Initialize
** Message: NP_Initialize succeeded
** Message: NP_Initialize
** Message: NP_Initialize succeeded
ERROR: ld.so: object '/usr/$LIB/libaoss.so.0' from LD_PRELOAD cannot be preloaded: ignored.
ERROR: ld.so: object '/usr/$LIB/libaoss.so.0' from LD_PRELOAD cannot be preloaded: ignored.
Gtk-Message: Failed to load module "gail": libgail.so: cannot open shared object file: No such file or directory
Gtk-Message: Failed to load module "atk-bridge": libatk-bridge.so: cannot open shared object file: No such file or directory
Gtk-Message: Failed to load module "canberra-gtk-module": libcanberra-gtk-module.so: cannot open shared object file: No such file or directory
** Message: NP_Initialize
** Message: NP_Initialize succeeded
LoadPlugin: failed to initialize shared library /usr/lib/mozilla/plugins/libflashplayer.so [/usr/lib/mozilla/plugins/libflashplayer.so: wrong ELF class: ELFCLASS32]

--------------------------------------------------
There were 0.21.3 and 0.21.4 releases in the meantime; 0.21.3 had more fixes in the same area. Can you still reproduce with the latest cooker package (which is 0.21.4)?
Sorry, I had not noticed that there had been more new releases. It seems to be working fine with 0.21.4.
Yeah, should really be fixed in .4.
*** Bug 593181 has been marked as a duplicate of this bug. ***