View Issue Details

ID: 0000671
Project: LDMud 3.3
Category: Runtime
View Status: public
Last Update: 2009-09-08 15:48
Reporter: favoretti
Assigned To: zesstra
Priority: normal
Severity: crash
Reproducibility: always
Status: resolved
Resolution: fixed
Product Version: 3.3.719
Target Version: 3.3.720
Fixed in Version: 3.3.720
Summary: 0000671: Crash in xml_generate / xml_parse
Description: Been trying to run the example of xml_generate:

exec xml_generate(({ "abc", ([ "xyz" : "cde" ]), 0 }));

crashed immediately with the following in stack trace:

(gdb) bt
#0 0x00000000004c07f5 in remove_from_free_list (ptr=0x1b3a6f8) at smalloc.c:2148
#1 0x00000000004c1075 in add_large_free (ptr=0x1b3a6f8, block_size=0) at smalloc.c:2854
#2 0x00000000004c3789 in mem_free (ptr=0x1b3a700) at smalloc.c:1871
#3 0x00007fcf6bd82edb in xmlCleanupCharEncodingHandlers () from /usr/lib/libxml2.so.2
#4 0x00007fcf6bd8bed3 in xmlCleanupParser () from /usr/lib/libxml2.so.2
#5 0x000000000049a083 in xml_cleanup (arg=<value optimized out>) at pkg-xml2.c:277
#6 0x000000000049a2c1 in f_xml_generate (sp=0x713000) at pkg-xml2.c:457
#7 0x000000000044ee88 in eval_instruction (first_instruction=<value optimized out>, initial_sp=<value optimized out>) at interpret.c:8276
#8 0x00000000004579e7 in apply_low (fun=0x7fcf35b27c30, ob=0x1d0a0, num_arg=0, b_ign_prot=false, allowRefs=false, b_ign_shadows=false) at interpret.c:17442
#9 0x0000000000447584 in int_apply (fun=0x1b3a6f8, ob=0x0, num_arg=1809604848, b_ign_prot=<value optimized out>, b_use_default=true,
    b_ign_shadows=<value optimized out>) at interpret.c:17546
#10 0x000000000044d623 in eval_instruction (first_instruction=<value optimized out>, initial_sp=<value optimized out>) at interpret.c:16645
#11 0x00000000004579e7 in apply_low (fun=0x7fcf35b27db0, ob=0x177c0, num_arg=1, b_ign_prot=false, allowRefs=false, b_ign_shadows=false) at interpret.c:17442
#12 0x0000000000447584 in int_apply (fun=0x1b3a6f8, ob=0x0, num_arg=1809604848, b_ign_prot=<value optimized out>, b_use_default=true,
    b_ign_shadows=<value optimized out>) at interpret.c:17546
#13 0x000000000044d623 in eval_instruction (first_instruction=<value optimized out>, initial_sp=<value optimized out>) at interpret.c:16645
#14 0x00000000004ad303 in catch_instruction (flags=0, offset=<value optimized out>, i_sp=0x7e3d50, i_pc=0x7fcf45cd949e "e?\037\001\037", i_fp=<value optimized out>,
    reserve_cost=150000, i_context=0x0) at simulate.c:455
#15 0x000000000044a9a2 in eval_instruction (first_instruction=<value optimized out>, initial_sp=<value optimized out>) at interpret.c:9730
#16 0x00000000004579e7 in apply_low (fun=0x7fcf4315bb00, ob=0x21480, num_arg=1, b_ign_prot=false, allowRefs=false, b_ign_shadows=false) at interpret.c:17442
#17 0x0000000000447584 in int_apply (fun=0x1b3a6f8, ob=0x0, num_arg=1809604848, b_ign_prot=<value optimized out>, b_use_default=true,
    b_ign_shadows=<value optimized out>) at interpret.c:17546
#18 0x000000000044d623 in eval_instruction (first_instruction=<value optimized out>, initial_sp=<value optimized out>) at interpret.c:16645
#19 0x00000000004579e7 in apply_low (fun=0x7fcf431c0c88, ob=0x24210, num_arg=1, b_ign_prot=false, allowRefs=false, b_ign_shadows=false) at interpret.c:17442
#20 0x0000000000447584 in int_apply (fun=0x1b3a6f8, ob=0x0, num_arg=1809604848, b_ign_prot=<value optimized out>, b_use_default=true,
    b_ign_shadows=<value optimized out>) at interpret.c:17546
#21 0x00000000004480cb in sapply_int (fun=0x7fcf431c0c88, ob=0x7fcf48cb90a8, num_arg=1, b_find_static=false, b_use_default=true) at interpret.c:17707
#22 0x000000000040741d in parse_command (buff=0x7fff7500d1a0 "exec xml_generate(({ \"abc\", ([ \"xyz\" : \"cde\" ]), 0 }));", from_efun=false) at actions.c:1158
#23 0x0000000000408711 in execute_command (str=0x7fff7500d1a0 "exec xml_generate(({ \"abc\", ([ \"xyz\" : \"cde\" ]), 0 }));", ob=0x7fcf48cb90a8) at actions.c:1333
#24 0x000000000040f2bf in backend () at backend.c:696
#25 0x0000000000464f36 in main (argc=<value optimized out>, argv=<value optimized out>) at main.c:688
Tags: No tags attached.

Relationships

related to 0000687 (status: new, project: LDMud): RfC: Change defaults concerning MALLOC_SBRK / SBRK_OK

Activities

zesstra

2009-09-04 09:10

administrator   ~0001248

Mhmm. Unfortunately, I can't reproduce this.
I checked 3.3.719 and 3.3/trunk.

# uname -a
Linux mg 2.6.26-2-amd64 #1 SMP Fri Aug 14 07:12:04 UTC 2009 x86_64 GNU/Linux
# file ldmud
ldmud: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.8, not stripped
# ldd ldmud
[...]
    libxml2.so.2 => /usr/lib/libxml2.so.2 (0x00007f66a8721000)

xml_generate(({ "abc", ([ "xyz" : "cde" ]), 0 })); returns the string
   "<?xml version=\"1.0\"?>\n<abc xyz=\"cde\"/>\n"

Please tell us more about your environment/platform.
 

favoretti

2009-09-04 11:25

reporter   ~0001252

Hi there,

We're running batmud, www.bat.org, with our custom lib.
The system is debian lenny 64-bit.
batmud64:/bat/mudlib# dpkg -l | grep libxml
ii libxml2 2.6.32.dfsg-5+lenny1 GNOME XML library
ii libxml2-dev 2.6.32.dfsg-5+lenny1 Development files for the GNOME XML library

Linux batmud64 2.6.26-2-amd64 #1 SMP Sun Jul 26 20:35:48 UTC 2009 x86_64 GNU/Linux

batmud64:/bat/bin# file ldmud
ldmud: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.8, not stripped
batmud64:/bat/bin# ldd ldmud
        linux-vdso.so.1 => (0x00007fff933ff000)
        libnsl.so.1 => /lib/libnsl.so.1 (0x00007f9d8afc0000)
        libm.so.6 => /lib/libm.so.6 (0x00007f9d8ad3d000)
        libcrypt.so.1 => /lib/libcrypt.so.1 (0x00007f9d8ab05000)
        libgcrypt.so.11 => /usr/lib/libgcrypt.so.11 (0x00007f9d8a89e000)
        libmysqlclient.so.15 => /usr/lib/libmysqlclient.so.15 (0x00007f9d8a493000)
        libxml2.so.2 => /usr/lib/libxml2.so.2 (0x00007f9d8a137000)
        libc.so.6 => /lib/libc.so.6 (0x00007f9d89de4000)
        libgpg-error.so.0 => /usr/lib/libgpg-error.so.0 (0x00007f9d8b2e7000)
        libpthread.so.0 => /lib/libpthread.so.0 (0x00007f9d89bc8000)
        libz.so.1 => /usr/lib/libz.so.1 (0x00007f9d899b1000)
        libdl.so.2 => /lib/libdl.so.2 (0x00007f9d897ad000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f9d8b1d8000)

zesstra

2009-09-04 11:49

administrator   ~0001254

Well. I tested on Lenny 64-bit as well, kernel, libxml2 (and probably other libs as well) being exactly the same.
Was that a plain 3.3.719 without any modifications?
What is probably different is the driver configuration we use. I would suggest attaching your config.h, machine.h (and Makefile in case you changed anything there) to this issue, and then I may try again with that configuration.

favoretti

2009-09-04 11:51

reporter   ~0001255

It is a bit modified source, but nothing that would affect smalloc. Our configuration is in your trunk under src/settings/bat. I only added enable_use_xml=xml2

zesstra

2009-09-04 12:07

administrator   ~0001256

Mhmm. Checked with your settings/bat with added enable_use_xml=xml2, but still no luck.
I don't have the Batmud lib, so I just used a master which calls
debug_message(xml_generate(({ "abc", ([ "xyz" : "cde" ]), 0 }))); in
inaugurate_master() and shuts down. The output on the console is:
<?xml version="1.0"?>
<abc xyz="cde"/>

zesstra

2009-09-04 12:10

administrator   ~0001257

Ahhh. Now it clears up a bit. I checked settings/bat and recognized that it configures the sysmalloc allocator, while the stacktrace above references the smalloc allocator. I changed the settings file to smalloc and can now reproduce the issue.
I will have a look at the details without any optimization later this evening, but it may take some time to track down the root cause. (If anyone else wants to have a look as well: feel free.)

favoretti

2009-09-04 12:24

reporter   ~0001258

Aha. Thanks :) Keep me posted.

favoretti

2009-09-04 15:04

reporter   ~0001259

One more thing to add. Compiled with enable_use_xml=iksemel doesn't crash.

zesstra

2009-09-04 16:02

administrator   ~0001260

Ok, this issue should be fixed in r2725 (trunk of 3.3 (in 3.3.720)) and r2727 on trunk.
The cause was a wrong sequence in initializing libxml2: memory that had been allocated by the system malloc was later free'd with our allocator.
That error emerged only in configurations where the system malloc was not replaced by our own allocator functions.
Thank you for reporting.
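The allocator mismatch described in this note, as an added example that is not LDMud or libxml2 code: a mock library stands in for libxml2's allocator hooks (the real counterpart of `lib_set_allocator` is `xmlMemSetup`), and a registry-backed allocator refuses to free a pointer it did not hand out instead of walking a corrupted free list as smalloc did in the reported trace. All names below are constructed.

```c
#include <stdlib.h>
/* Constructed example, not LDMud or libxml2 code: a tracked allocator
 * standing in for the driver's allocator, plus a tiny mock library that
 * behaves like libxml2 with respect to allocator hooks. It shows why the
 * hooks must be installed before the library's init allocates anything. */

#define MAX_LIVE 64
static void *live[MAX_LIVE];          /* registry of blocks we handed out */

static void *own_malloc(size_t n)
{
    for (int i = 0; i < MAX_LIVE; i++)
        if (!live[i]) { live[i] = malloc(n); return live[i]; }
    return NULL;
}

/* 0 on success, -1 if p did not come from own_malloc (a foreign pointer).
 * A real free-list allocator such as smalloc would instead trust the
 * pointer and corrupt its free list, as in the reported stack trace. */
static int own_free(void *p)
{
    for (int i = 0; i < MAX_LIVE; i++)
        if (p && live[i] == p) { live[i] = NULL; free(p); return 0; }
    return -1;
}
static int sys_free(void *p) { free(p); return 0; }

/* Mock library: like libxml2, it allocates a persistent table during init
 * with whatever hooks are current and releases it with the hooks current
 * at cleanup time. (Hooks return int only so the demo can report.) */
static void *(*lib_malloc)(size_t) = malloc;
static int   (*lib_free)(void *)   = sys_free;
static void *lib_table;

static void lib_set_allocator(void *(*m)(size_t), int (*f)(void *)) { lib_malloc = m; lib_free = f; }
static void lib_init(void) { lib_table = lib_malloc(256); }
static int  lib_cleanup(void) { int rc = lib_free(lib_table); if (rc == 0) lib_table = NULL; return rc; }

/* hooks_first=1 is the correct order; 0 reproduces the reported mismatch. */
int run_sequence(int hooks_first)
{
    lib_set_allocator(malloc, sys_free);              /* library defaults */
    if (hooks_first) lib_set_allocator(own_malloc, own_free);
    lib_init();
    if (!hooks_first) lib_set_allocator(own_malloc, own_free);
    int rc = lib_cleanup();
    if (rc != 0) { sys_free(lib_table); lib_table = NULL; }  /* tidy the demo leak */
    return rc;   /* 0 only when the block returns to the allocator that made it */
}
```

`run_sequence(0)` installs the hooks after init and reports -1; `run_sequence(1)` installs them first and reports 0.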

zesstra

2009-09-08 15:48

administrator   ~0001262

FYI: Although not strictly related to this issue here, there was a second issue in the package which could cause memory corruption and subsequent crashes. That was caused by using memory for libxml2 which was subject to our garbage collector and would be free'd by that during a GC run. That second issue is fixed by r2729 (3.3/trunk) and r2730 (on trunk).
You might want to get that patch as well.

Issue History

Date Modified Username Field Change
2009-09-04 08:32 favoretti New Issue
2009-09-04 09:10 zesstra Note Added: 0001248
2009-09-04 09:10 zesstra Status new => feedback
2009-09-04 11:25 favoretti Note Added: 0001252
2009-09-04 11:49 zesstra Note Added: 0001254
2009-09-04 11:51 favoretti Note Added: 0001255
2009-09-04 12:07 zesstra Note Added: 0001256
2009-09-04 12:10 zesstra Note Added: 0001257
2009-09-04 12:10 zesstra Status feedback => confirmed
2009-09-04 12:24 favoretti Note Added: 0001258
2009-09-04 15:04 favoretti Note Added: 0001259
2009-09-04 16:02 zesstra Note Added: 0001260
2009-09-04 16:02 zesstra Status confirmed => resolved
2009-09-04 16:02 zesstra Fixed in Version => 3.3.720
2009-09-04 16:02 zesstra Resolution open => fixed
2009-09-04 16:02 zesstra Assigned To => zesstra
2009-09-08 15:48 zesstra Note Added: 0001262
2009-09-08 15:48 zesstra Target Version => 3.3.720
2009-09-08 15:48 zesstra Summary 64-bit compilation crashes on xml_generate => Crash in xml_generate / xml_parse
2009-10-04 16:03 zesstra Relationship added related to 0000687