On Mon, 5 Dec 2005, Patrick Lam wrote:

> Hi Behdad,
>
> Behdad Esfahbod wrote:
> > /lib/libc.so.6[0xdc7124]
> > /lib/libc.so.6(__libc_free+0x77)[0xdc765f]
> > /home/behdad/.local/lib/libfontconfig.so.1(FcValueListDestroy+0x1d0)[0x7172ec]
> > /home/behdad/.local/lib/libfontconfig.so.1(FcPatternDestroy+0x155)[0x717750]
> > /usr/lib/firefox-1.0.7/components/libgfx_gtk.so[0x3f4a746]
> > /usr/lib/firefox-1.0.7/components/libgfx_gtk.so[0x3f4a97a]
> > /usr/lib/firefox-1.0.7/components/libgfx_gtk.so[0x3f4b698]
> > /usr/lib/firefox-1.0.7/components/libgfx_gtk.so[0x3f4ea73]
>
> Is it an invalid pointer rather than, say, a double free? I'd be
> interested in knowing what the pointer actually looks like (i.e. is it
> like 0, or like some number which obviously isn't a pointer, like 0x25?)

I attached a debugger and the pointer indeed points to a font name,
"Nimbus something" in this case. More below.

> This should never happen, because here .bank is saying that it's a
> dynamic FcValueListPtr and .u.dyn is not actually a pointer.
>
> The code at fault has to be,
>
>     if (l.bank == FC_BANK_DYNAMIC)
>         free(l.u.dyn);
>
> unless something is getting inlined. Installing fontconfig compiled
> with -O0 would actually be helpful here, too, just so that I know it's
> actually FcValueListDestroy and not one of its callees.

Ok, cvs up'ed, make clean, reconfigured with gcc -g -O0, make, make
install, fc-cache.
glibc backtrace:

    *** glibc detected *** /usr/lib/firefox-1.0.7/firefox-bin: free(): invalid pointer: 0x0a02d080 ***
    ======= Backtrace: =========
    /lib/libc.so.6[0x100f124]
    /lib/libc.so.6(__libc_free+0x77)[0x100f65f]
    /home/behdad/.local/lib/libfontconfig.so.1(FcStrFree+0x46)[0x74df8e]
    /home/behdad/.local/lib/libfontconfig.so.1(FcValueListDestroy+0x74)[0x749414]
    /home/behdad/.local/lib/libfontconfig.so.1(FcPatternDestroy+0xb8)[0x749bbc]

and gdb:

    (gdb) bt
    #0  0x005d1402 in __kernel_vsyscall ()
    #1  0x00e2e118 in *__GI_raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:67
    #2  0x00e2f888 in *__GI_abort () at ../sysdeps/generic/abort.c:88
    #3  0x00e6322a in __libc_message (do_abort=2, fmt=0xf201c0 "*** glibc detected *** %s: %s: 0x%s ***\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:170
    #4  0x00e69124 in _int_free (av=0xf2c880, mem=0x8e83340) at malloc.c:5578
    #5  0x00e6965f in *__GI___libc_free (mem=0x8e83340) at malloc.c:3419
    #6  0x008b0f8e in FcStrFree (s=0x8e83340 "Nimbus Roman No9 L") at fcstr.c:63
    #7  0x008ac414 in FcValueListDestroy (l={bank = 0, u = {stat = 149435064, dyn = 0x8e832b8}}) at fcpat.c:153
    #8  0x008acbbc in FcPatternDestroy (p=0x8e60d68) at fcpat.c:318
    #9  0x0209f746 in NSGetModule () from /usr/lib/firefox-1.0.7/components/libgfx_gtk.so
    #10 0x0209f97a in NSGetModule () from /usr/lib/firefox-1.0.7/components/libgfx_gtk.so

So, no, it's not the line you pointed at, but the one in case FcTypeString.

--behdad
http://behdad.org/

"Commandment Three says Do Not Kill, Amendment Two says Blood Will Spill"
        -- Dan Bern, "New American Language"
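As an added illustration (an editor's model, not fontconfig's code and not part of the thread), the ownership rule the .bank field encodes in the exchange above: a string held by a node that is not in the dynamic bank lives inside a larger block that is released as a whole, so freeing it on its own hands glibc an interior pointer, which is exactly what "free(): invalid pointer" reports. The bank constants, the struct layout and the string-after-node block layout are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model, not fontconfig's real code: a value-list node whose
 * string either is owned by the node (dynamic bank, separately malloc'd)
 * or sits inside a larger block shared with the node (static bank). */
enum { BANK_DYNAMIC = -1, BANK_STATIC = 0 };

typedef struct {
    int   bank;  /* BANK_DYNAMIC, or the id of the static block it lives in */
    char *str;   /* the string value (the FcTypeString case in the thread) */
} value_node;

/* Releases the node's string only when the node owns it. Calling free() on
 * str for a static-bank node would pass glibc a pointer into the middle of
 * a live block, i.e. "free(): invalid pointer". Returns 1 if freed. */
static int value_node_destroy(value_node *n)
{
    if (n->bank != BANK_DYNAMIC)
        return 0;           /* the shared block is released elsewhere */
    free(n->str);
    n->str = NULL;
    return 1;
}

/* Constructed scenario: one node whose string is embedded in a shared
 * block (assumed layout: string stored right after the node), and one
 * node that owns a heap copy. Returns how many strings were freed. */
static int demo(void)
{
    const char *name = "Nimbus Roman No9 L";   /* name from the gdb frame */
    char *block = malloc(sizeof(value_node) + strlen(name) + 1);
    char *copy  = malloc(strlen(name) + 1);
    if (!block || !copy) { free(block); free(copy); return -1; }

    value_node *stat = (value_node *)block;
    stat->bank = BANK_STATIC;
    stat->str  = block + sizeof(value_node);    /* interior pointer */
    strcpy(stat->str, name);

    value_node dyn = { BANK_DYNAMIC, copy };
    strcpy(dyn.str, name);

    int frees = value_node_destroy(stat) + value_node_destroy(&dyn);
    free(block);            /* the one legitimate free of the shared block */
    return frees;           /* 1: only the dynamic copy was freed */
}

int main(void) { printf("strings freed: %d\n", demo()); return 0; }
```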