[Fontconfig] Possible memory problem

Behdad Esfahbod behdad at cs.toronto.edu
Sun Dec 4 22:47:25 PST 2005 

On Mon, 5 Dec 2005, Patrick Lam wrote:

> Hi Behdad,
>
> Behdad Esfahbod wrote:
> > /lib/libc.so.6[0xdc7124]
> > /lib/libc.so.6(__libc_free+0x77)[0xdc765f]
> > /home/behdad/.local/lib/libfontconfig.so.1(FcValueListDestroy+0x1d0)[0x7172ec]
> > /home/behdad/.local/lib/libfontconfig.so.1(FcPatternDestroy+0x155)[0x717750]
> > /usr/lib/firefox-1.0.7/components/libgfx_gtk.so[0x3f4a746]
> > /usr/lib/firefox-1.0.7/components/libgfx_gtk.so[0x3f4a97a]
> > /usr/lib/firefox-1.0.7/components/libgfx_gtk.so[0x3f4b698]
> > /usr/lib/firefox-1.0.7/components/libgfx_gtk.so[0x3f4ea73]
>
> Is it an invalid pointer rather than, say, a double free?  I'd be
> interested in knowing what the pointer actually looks like (i.e. is it
> like 0, or like some number which obviously isn't a pointer, like 0x25?)

I attached a debugger and the pointer indeed points to a font
name, "Nimbus something" in this case.  More below.

>   This should never happen, because here .bank is saying that it's a
> dynamic FcValueListPtr and .u.dyn is not actually a pointer.
>
> The code at fault has to be,
> 	if (l.bank == FC_BANK_DYNAMIC)
> 	    free(l.u.dyn);
>
> unless something is getting inlined.  Installing fontconfig compiled
> with -O0 would actually be helpful here, too, just so that I know it's
> actually FcValueListDestroy and not one of its callees.

Ok, cvs up'ed, make clean, reconfigure with gcc -g -O0, make,
make install, fc-cache.  glibc backtrace:

*** glibc detected *** /usr/lib/firefox-1.0.7/firefox-bin:
free(): invalid pointer: 0x0a02d080 ***
======= Backtrace: =========
/lib/libc.so.6[0x100f124]
/lib/libc.so.6(__libc_free+0x77)[0x100f65f]
/home/behdad/.local/lib/libfontconfig.so.1(FcStrFree+0x46)[0x74df8e]
/home/behdad/.local/lib/libfontconfig.so.1(FcValueListDestroy+0x74)[0x749414]
/home/behdad/.local/lib/libfontconfig.so.1(FcPatternDestroy+0xb8)[0x749bbc]


and gdb:

(gdb) bt
#0  0x005d1402 in __kernel_vsyscall ()
#1  0x00e2e118 in *__GI_raise (sig=6)
    at ../nptl/sysdeps/unix/sysv/linux/raise.c:67
#2  0x00e2f888 in *__GI_abort () at ../sysdeps/generic/abort.c:88
#3  0x00e6322a in __libc_message (do_abort=2,
    fmt=0xf201c0 "*** glibc detected *** %s: %s: 0x%s ***\n")
    at ../sysdeps/unix/sysv/linux/libc_fatal.c:170
#4  0x00e69124 in _int_free (av=0xf2c880, mem=0x8e83340) at malloc.c:5578
#5  0x00e6965f in *__GI___libc_free (mem=0x8e83340) at malloc.c:3419
#6  0x008b0f8e in FcStrFree (s=0x8e83340 "Nimbus Roman No9 L") at fcstr.c:63
#7  0x008ac414 in FcValueListDestroy (l=
        {bank = 0, u = {stat = 149435064, dyn = 0x8e832b8}}) at fcpat.c:153
#8  0x008acbbc in FcPatternDestroy (p=0x8e60d68) at fcpat.c:318
#9  0x0209f746 in NSGetModule ()
   from /usr/lib/firefox-1.0.7/components/libgfx_gtk.so
#10 0x0209f97a in NSGetModule ()
   from /usr/lib/firefox-1.0.7/components/libgfx_gtk.so


So, no, it's not the line you pointed at, but the one in case
FcTypeString.

--behdad
http://behdad.org/

"Commandment Three says Do Not Kill, Amendment Two says Blood Will Spill"
	-- Dan Bern, "New American Language"

More information about the Fontconfig mailing list