On Sun, Feb 08, 2015 at 10:33:40PM +0100, Dilyan Palauzov wrote:

> I use git 2.2.2 and on my system git annotate crashed with the following
> log.

I couldn't reproduce it with a few simple examples. Is it possible for
you to show us the repository and command that caused this?

> (gdb) bt full
> #0 0x00007fe420649655 in raise () from /lib64/libc.so.6
> No symbol table info available.
> #1 0x00007fe42064aad8 in abort () from /lib64/libc.so.6
> No symbol table info available.
> #2 0x00007fe42068928b in __libc_message () from /lib64/libc.so.6
> No symbol table info available.
> #3 0x00007fe42068ee36 in malloc_printerr () from /lib64/libc.so.6
> No symbol table info available.
> #4 0x00007fe42068fbb3 in _int_free () from /lib64/libc.so.6
> No symbol table info available.
> #5 0x000000000041335a in strbuf_release (sb=0x7fff44797480) at strbuf.c:32
> sb = 0x7fff44797480

So presumably the sb->buf we pass to free() is not valid. Given the
address of the strbuf, and the address of the commit_info here:

> #6 commit_info_destroy (ci=0x7fff447973e0) at builtin/blame.c:1646
> No locals.

we are at offset 160, which is almost certainly the ci->summary strbuf.
Which is:

> summary = {
>   alloc = 26,
>   len = 25,
>   buf = 0xe05b50 <incomplete sequence \330>
> }

The alloc/len look reasonable, but the buffer looks odd (it should
probably have some actual text in it). I don't see anywhere in the code
that we assign to that buffer or do anything questionable, though. We
just strbuf_add and then eventually strbuf_release it. You cannot even
get into this situation by calling strbuf_release twice, as it sets the
pointer to a known value after it is freed.

-Peff
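The two checks made in the reply above, as an added C example that is not part of the original message and not git's own code: mapping the address difference from the backtrace to a struct member, and a release routine that resets the pointer so a second call cannot double-free. `struct sbuf`, `struct info` and every function name are hypothetical stand-ins; the field order of `struct info` is an assumption (the page only shows `summary`), evaluated on an LP64 system.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-in for a strbuf: the three fields visible in the gdb dump. */
struct sbuf { size_t alloc; size_t len; char *buf; };
static char sbuf_slop[1];                 /* shared empty buffer, never freed */

static void sbuf_init(struct sbuf *sb) { sb->alloc = sb->len = 0; sb->buf = sbuf_slop; }

static void sbuf_add(struct sbuf *sb, const char *s) {
    size_t n = strlen(s);
    if (sb->len + n + 1 > sb->alloc) {    /* grow; never realloc the shared slop */
        char *p = realloc(sb->alloc ? sb->buf : NULL, sb->len + n + 1);
        if (!p) abort();
        sb->buf = p;
        sb->alloc = sb->len + n + 1;
    }
    memcpy(sb->buf + sb->len, s, n + 1);
    sb->len += n;
}

/* Free, then reset to the known empty state: a second call skips free(). */
static void sbuf_release(struct sbuf *sb) {
    if (sb->alloc) { free(sb->buf); sbuf_init(sb); }
}

/* ASSUMED field order for the commit_info in the trace (not shown on the page). */
struct info {
    struct sbuf author, author_mail; unsigned long author_time; struct sbuf author_tz;
    struct sbuf committer, committer_mail; unsigned long committer_time; struct sbuf committer_tz;
    struct sbuf summary;
};

/* Offset of an inner object, from the outer and inner addresses gdb printed. */
static size_t member_offset(uintptr_t outer, uintptr_t inner) { return (size_t)(inner - outer); }

/* Returns 1 if releasing twice leaves the buffer in the empty state. */
static int double_release_is_safe(void) {
    struct sbuf sb;
    sbuf_init(&sb);
    sbuf_add(&sb, "constructed summary line");   /* constructed sample text */
    sbuf_release(&sb);
    sbuf_release(&sb);                    /* alloc == 0 here, so nothing is freed */
    return sb.buf == sbuf_slop && sb.alloc == 0 && sb.len == 0;
}

int main(void) {
    /* ci and sb addresses taken from frames #6 and #5 of the backtrace */
    size_t off = member_offset(0x7fff447973e0UL, 0x7fff44797480UL);
    return !(off == offsetof(struct info, summary) && double_release_is_safe());
}
```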