Ticket #2713 (new defect)

Opened 1 year ago

Last modified 11 months ago

memory allocation bug

Reported by: vincent@vinc17.org
Assigned to: mutt-dev
Priority: minor
Milestone:
Component: mutt
Version: 1.5.16
Keywords:
Cc:

Description

With malloc checking, Mutt aborts on my mail archives. More precisely, in gdb:

set env MallocLogFile /tmp/malloc.log
set env MallocGuardEdges 1
set env MallocPreScribble 1
set env MallocScribble 1
set env MallocCheckHeapStart 1060820
set env MallocCheckHeapEach 1
set env MallocCheckHeapAbort 1
set env MallocBadFreeAbort 1
run -F /dev/null -f ~/Mail/oldarc

Then I get:

Reading /Users/vinc17/Mail/oldarc... 20370
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000000
0x900029c8 in strlen ()
(gdb) bt
#0  0x900029c8 in strlen ()
#1  0x90130748 in _simple_vdprintf ()
#2  0x9012bc44 in malloc_printf ()
#3  0x90116bcc in szone_check ()
#4  0x90002c1c in malloc ()
#5  0x0006b538 in safe_malloc (siz=1) at lib.c:149
#6  0x0006b744 in safe_strdup (s=0x995f4 "plain") at lib.c:220
#7  0x0004c154 in mutt_read_rfc822_header (f=0xa000db34, hdr=0x15dc280, user_hdrs=0, weed=0) at parse.c:1319
#8  0x0003d9b4 in maildir_parse_message (magic=4, fname=0xbfffd218 "/Users/vinc17/Mail/oldarc/cur/1076519289.5337_386.ay:2,S", is_old=1, _h=0x15dc280) at mh.c:603
#9  0x0003ddf0 in maildir_delayed_parsing (ctx=0x11062e0, md=0x0, progress=0xbfffd38c) at mh.c:990
#10 0x0004022c in mh_read_dir (ctx=0x11062e0, subdir=0xa1a70 "cur") at mh.c:1047
#11 0x000402a0 in maildir_read_dir (ctx=0x11062e0) at mh.c:1059
#12 0x000411cc in mx_open_mailbox (path=0xb0cb4 "", flags=0, pctx=0x20) at mx.c:691
#13 0x00037730 in main (argc=5, argv=0xbfffe104) at main.c:960

/tmp/malloc.log contains:
[...]
mutt(28682) malloc: MallocCheckHeap: PASSED check at 1060835th operation
mutt(28682) malloc: MallocCheckHeap: PASSED check at 1060836th operation
mutt(28682) malloc: *** invariant broken for 0x1861400 (2 free in a row)
mutt(28682) malloc: *** small region 2 incorrect szo

Then I don't know how to debug this. The bug is always reproducible, but on a smaller mailbox containing hundreds of messages around the one that appears in the backtrace, it no longer occurs.
>How-To-Repeat:
>Fix:
Unknown

Change History

2007-09-11 03:53:03 changed by pdmef

  • version changed from 1.5.13 (2007-01-26) to 1.5.16.

Same here with hg tip: it dies while scanning the maildir. However, it dies with a bus error rather than a segfault (which is what I would have expected), so I think it might be due to system limits, malloc guard or something like that.

Your observation about it not happening on a smaller mailbox seems to support that.

The offending part starts at:

hdr->content->subtype = safe_strdup ("plain");

Looking at safe_strdup():

if (!s || !*s)
  return 0;
l = strlen (s) + 1;
p = (char *)safe_malloc (l);

Here, l can only be 1 if strlen(s) is 0. However, s and *s are checked before already, so l must be > 1, which it isn't according to your backtrace.

Either I don't see the obvious or the code is perfectly fine (which I assume). That supports my guess that something with malloc guard is wrong, not mutt.