[krbdev.mit.edu #3087]

D.H.Davis@bath.ac.uk via RT rt-comment at krbdev.mit.edu
Tue Jul 5 12:17:08 EDT 2005


>Date: Wed, 8 Jun 2005 20:43:23 -0400 (EDT)
>Message-Id: <rt-3087-14175.17.5894218187344 at krbdev.mit.edu>
>Subject: [krbdev.mit.edu #3087] 
>In-Reply-To: <rt-3087 at krbdev.mit.edu>
>From: Ken Raeburn via RT <rt-comment at krbdev.mit.edu>
>RT-Ticket: krbdev.mit.edu #3087
>Reply-To: rt-comment at krbdev.mit.edu
>To: D.H.Davis at bath.ac.uk
>
>> Running kinit, klist, kadmin, telnet etc all produce messages
>> similar to:
>> 
>> klist in free(): error: chunk is already free
>> Abort trap
>
>I've tried static builds on x86-linux, and can't find any problems
>using valgrind or electric fence.  I've also tried alpha-netbsd2.0
>with shared libraries and enabled debugging options in the native
>malloc, still no hints.
>
>> anquetil.bath.ac.uk ?// MALLOC_OPTIONS=a /kerberosV/bin/klist
>> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_526)
>> 
>> 
>> Kerberos 4 ticket cache: /tmp/tkt526
>> klist: You have no tickets cached
>> klist in free(): warning: chunk is already free
>> klist in free(): warning: chunk is already free
>> klist in free(): warning: chunk is already free
>> klist in free(): warning: chunk is already free
>> klist in free(): warning: chunk is already free
>> klist in free(): warning: chunk is already free
>> anquetil.bath.ac.uk ?//
>> 
>> Note that the command always seems to work OK and the error seems to
>> occur as part of the cleanup before the command exits.  This is most
>> noticeable with the telnet command.  The failure occurs after the
>> connection to the remote site has been closed.
>> 
>> Running a simple program under gdb gives:
>> 
>> 
>> a.out in free(): error: chunk is already free
>> 
>> Program received signal SIGABRT, Aborted.
>> 0x0e16b71d in kill () from /usr/lib/libc.so.34.2
>> (gdb) bt
>> #0  0x0e16b71d in kill () from /usr/lib/libc.so.34.2
>> #1  0x0e19830f in abort () from /usr/lib/libc.so.34.2
>> #2  0x0e16fb71 in execve () from /usr/lib/libc.so.34.2
>> #3  0x00000002 in ?? ()
>> #4  0xcfbf82bc in ?? ()

Apologies for the *long* delay in replying.  I've been sidetracked
by looking at email issues.

>This stack trace is pretty clearly corrupted.
>
>Could you try running the program under GDB, with a breakpoint in
>remove_error_table, and each time it's hit, print out the argument
>passed in and the stack trace?

Done.  The results are appended below.  It's pretty obvious that
I'm getting stack trace corruption.

I note that the last five calls to remove_error_table correspond
to lines 83 to 87 of lib/krb5/krb5_libinit.c:


#if !USE_BUNDLE_ERROR_STRINGS
    remove_error_table(&et_krb5_error_table);
    remove_error_table(&et_kv5m_error_table);
    remove_error_table(&et_kdb5_error_table);
    remove_error_table(&et_asn1_error_table);
    remove_error_table(&et_k524_error_table);
#endif


*but* the pointer passed as the argument appears to be the same
in each case:


#0  remove_error_table (et=0x3c010770) at error_message.c:322
                           ^^^^^^^^^^
                           |||||||||| same pointer in the last 5 calls


Is this reasonable?

>I'd also be interested in seeing the order in which
>profile_library_finalizer and com_err_terminate get called
>(profile_library_finalizer should be first), and the value of the
>variable 'terminated' in error_message.c when the problem happens.

I've printed out the value of 'terminated' whenever it seems
possible.  The order in which profile_library_finalizer and
com_err_terminate are called seems reversed.  It's com_err_terminate
that's called first and then profile_library_finalizer.

I note that I can circumvent this problem by configuring with:


LDFLAGS=-lpthread \
CC=cc CFLAGS="-O2 -g -fPIC -DUSE_BUNDLE_ERROR_STRINGS=1" \

...


Is this a reasonable thing to do?  It certainly seems to work!


Script started on Tue Jul  5 14:36:39 2005
merckx.bath.ac.uk ?// MALLOC_OPTIONS=a gdb a.out
GNU gdb 6.3
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-unknown-openbsd3.7"...
(gdb) break remove_error_table
Breakpoint 1 at 0x1c05d78d: file error_message.c, line 322.
(gdb) break com_err_terminate
Breakpoint 2 at 0x1c05cf3d: file error_message.c, line 64.
(gdb) break profile_library_finalizer
Breakpoint 3 at 0x1c02401d: file prof_file.c, line 59.
(gdb) run
Starting program: /home/ccsdhd/k5login/a.out 

Enter username: ccsdhd

Enter password: 
Password for ccsdhd looks OK.

Breakpoint 2, com_err_terminate () at error_message.c:64
64          if (! INITIALIZER_RAN(com_err_initialize) || PROGRAM_EXITING())
(gdb) print terminated
$1 = 0
(gdb) bt
#0  com_err_terminate () at error_message.c:64
#1  0x1c0027c8 in __register_frame_info ()
#2  0x1c05eb85 in __fini ()
#3  0x0c82616a in exit () from /usr/lib/libc.so.34.2
#4  0x1c002759 in ___start ()
#5  0x1c0026bf in _start ()
#6  0x00000000 in ?? ()
#7  0xcfbfdff0 in ?? ()
#8  0x00000000 in ?? ()
#9  0x00000001 in ?? ()
#10 0xcfbf6984 in ?? ()
#11 0x00000000 in ?? ()
#12 0xcfbf699f in ?? ()
#13 0xcfbf69d4 in ?? ()
#14 0xcfbf69ee in ?? ()
#15 0xcfbf6a09 in ?? ()
#16 0xcfbf6a1a in ?? ()
#17 0xcfbf6a24 in ?? ()
#18 0xcfbf6a2d in ?? ()
#19 0xcfbf6a4e in ?? ()
#20 0xcfbf6a61 in ?? ()
#21 0xcfbf6a72 in ?? ()
#22 0xcfbf6a85 in ?? ()
---Type <return> to continue, or q <return> to quit---q
Quit
(gdb) c
Continuing.

Breakpoint 3, profile_library_finalizer () at prof_file.c:59
59          if (! INITIALIZER_RAN(profile_library_initializer) || PROGRAM_EXITING())
(gdb) bt
#0  profile_library_finalizer () at prof_file.c:59
#1  0x1c0027c8 in __register_frame_info ()
#2  0x1c05eb85 in __fini ()
#3  0x0c82616a in exit () from /usr/lib/libc.so.34.2
#4  0x1c002759 in ___start ()
#5  0x1c0026bf in _start ()
#6  0x00000000 in ?? ()
#7  0xcfbfdff0 in ?? ()
#8  0x00000000 in ?? ()
#9  0x00000001 in ?? ()
#10 0xcfbf6984 in ?? ()
#11 0x00000000 in ?? ()
#12 0xcfbf699f in ?? ()
#13 0xcfbf69d4 in ?? ()
#14 0xcfbf69ee in ?? ()
#15 0xcfbf6a09 in ?? ()
#16 0xcfbf6a1a in ?? ()
#17 0xcfbf6a24 in ?? ()
#18 0xcfbf6a2d in ?? ()
#19 0xcfbf6a4e in ?? ()
#20 0xcfbf6a61 in ?? ()
#21 0xcfbf6a72 in ?? ()
#22 0xcfbf6a85 in ?? ()
---Type <return> to continue, or q <return> to quit---q
Quit
(gdb) c
Continuing.

Breakpoint 1, remove_error_table (et=0x3c005c07) at error_message.c:322
322         if (CALL_INIT_FUNCTION(com_err_initialize))
(gdb) print terminated
$2 = 1
(gdb) bt
#0  remove_error_table (et=0x3c005c07) at error_message.c:322
#1  0x1c0240e3 in profile_library_finalizer () at prof_file.c:63
#2  0x1c0027c8 in __register_frame_info ()
#3  0x1c05eb85 in __fini ()
#4  0x0c82616a in exit () from /usr/lib/libc.so.34.2
#5  0x1c002759 in ___start ()
#6  0x1c0026bf in _start ()
#7  0x00000000 in ?? ()
#8  0xcfbfdff0 in ?? ()
#9  0x00000000 in ?? ()
#10 0x00000001 in ?? ()
#11 0xcfbf6984 in ?? ()
#12 0x00000000 in ?? ()
#13 0xcfbf699f in ?? ()
#14 0xcfbf69d4 in ?? ()
#15 0xcfbf69ee in ?? ()
#16 0xcfbf6a09 in ?? ()
#17 0xcfbf6a1a in ?? ()
#18 0xcfbf6a24 in ?? ()
#19 0xcfbf6a2d in ?? ()
#20 0xcfbf6a4e in ?? ()
#21 0xcfbf6a61 in ?? ()
#22 0xcfbf6a72 in ?? ()
---Type <return> to continue, or q <return> to quit---q
Quit
(gdb) c
Continuing.
a.out in free(): warning: chunk is already free

Breakpoint 1, remove_error_table (et=0x3c010770) at error_message.c:322
322         if (CALL_INIT_FUNCTION(com_err_initialize))
(gdb) print terminated
$3 = 1
(gdb) bt
#0  remove_error_table (et=0x3c010770) at error_message.c:322
#1  0x1c017701 in krb5int_lib_fini () at krb5_libinit.c:83
#2  0x1c0027c8 in __register_frame_info ()
#3  0x1c05eb85 in __fini ()
#4  0x0c82616a in exit () from /usr/lib/libc.so.34.2
#5  0x1c002759 in ___start ()
#6  0x1c0026bf in _start ()
#7  0x00000000 in ?? ()
#8  0xcfbfdff0 in ?? ()
#9  0x00000000 in ?? ()
#10 0x00000001 in ?? ()
#11 0xcfbf6984 in ?? ()
#12 0x00000000 in ?? ()
#13 0xcfbf699f in ?? ()
#14 0xcfbf69d4 in ?? ()
#15 0xcfbf69ee in ?? ()
#16 0xcfbf6a09 in ?? ()
#17 0xcfbf6a1a in ?? ()
#18 0xcfbf6a24 in ?? ()
#19 0xcfbf6a2d in ?? ()
#20 0xcfbf6a4e in ?? ()
#21 0xcfbf6a61 in ?? ()
#22 0xcfbf6a72 in ?? ()
---Type <return> to continue, or q <return> to quit---q
Quit
(gdb) c
Continuing.
a.out in free(): warning: chunk is already free

Breakpoint 1, remove_error_table (et=0x3c010770) at error_message.c:322
322         if (CALL_INIT_FUNCTION(com_err_initialize))
(gdb) print terminated
$4 = 1
(gdb) bt
#0  remove_error_table (et=0x3c010770) at error_message.c:322
#1  0x1c01770d in krb5int_lib_fini () at krb5_libinit.c:84
#2  0x1c0027c8 in __register_frame_info ()
#3  0x1c05eb85 in __fini ()
#4  0x0c82616a in exit () from /usr/lib/libc.so.34.2
#5  0x1c002759 in ___start ()
#6  0x1c0026bf in _start ()
#7  0x00000000 in ?? ()
#8  0xcfbfdff0 in ?? ()
#9  0x00000000 in ?? ()
#10 0x00000001 in ?? ()
#11 0xcfbf6984 in ?? ()
#12 0x00000000 in ?? ()
#13 0xcfbf699f in ?? ()
#14 0xcfbf69d4 in ?? ()
#15 0xcfbf69ee in ?? ()
#16 0xcfbf6a09 in ?? ()
#17 0xcfbf6a1a in ?? ()
#18 0xcfbf6a24 in ?? ()
#19 0xcfbf6a2d in ?? ()
#20 0xcfbf6a4e in ?? ()
#21 0xcfbf6a61 in ?? ()
#22 0xcfbf6a72 in ?? ()
---Type <return> to continue, or q <return> to quit---q
Quit
(gdb) c
Continuing.
a.out in free(): warning: chunk is already free

Breakpoint 1, remove_error_table (et=0x3c010770) at error_message.c:322
322         if (CALL_INIT_FUNCTION(com_err_initialize))
(gdb) print terminated
$5 = 1
(gdb) bt
#0  remove_error_table (et=0x3c010770) at error_message.c:322
#1  0x1c017719 in krb5int_lib_fini () at krb5_libinit.c:85
#2  0x1c0027c8 in __register_frame_info ()
#3  0x1c05eb85 in __fini ()
#4  0x0c82616a in exit () from /usr/lib/libc.so.34.2
#5  0x1c002759 in ___start ()
#6  0x1c0026bf in _start ()
#7  0x00000000 in ?? ()
#8  0xcfbfdff0 in ?? ()
#9  0x00000000 in ?? ()
#10 0x00000001 in ?? ()
#11 0xcfbf6984 in ?? ()
#12 0x00000000 in ?? ()
#13 0xcfbf699f in ?? ()
#14 0xcfbf69d4 in ?? ()
#15 0xcfbf69ee in ?? ()
#16 0xcfbf6a09 in ?? ()
#17 0xcfbf6a1a in ?? ()
#18 0xcfbf6a24 in ?? ()
#19 0xcfbf6a2d in ?? ()
#20 0xcfbf6a4e in ?? ()
#21 0xcfbf6a61 in ?? ()
#22 0xcfbf6a72 in ?? ()
---Type <return> to continue, or q <return> to quit---q
Quit
(gdb) c
Continuing.
a.out in free(): warning: chunk is already free

Breakpoint 1, remove_error_table (et=0x3c010770) at error_message.c:322
322         if (CALL_INIT_FUNCTION(com_err_initialize))
(gdb) print terminated
$6 = 1
(gdb) bt
#0  remove_error_table (et=0x3c010770) at error_message.c:322
#1  0x1c017725 in krb5int_lib_fini () at krb5_libinit.c:86
#2  0x1c0027c8 in __register_frame_info ()
#3  0x1c05eb85 in __fini ()
#4  0x0c82616a in exit () from /usr/lib/libc.so.34.2
#5  0x1c002759 in ___start ()
#6  0x1c0026bf in _start ()
#7  0x00000000 in ?? ()
#8  0xcfbfdff0 in ?? ()
#9  0x00000000 in ?? ()
#10 0x00000001 in ?? ()
#11 0xcfbf6984 in ?? ()
#12 0x00000000 in ?? ()
#13 0xcfbf699f in ?? ()
#14 0xcfbf69d4 in ?? ()
#15 0xcfbf69ee in ?? ()
#16 0xcfbf6a09 in ?? ()
#17 0xcfbf6a1a in ?? ()
#18 0xcfbf6a24 in ?? ()
#19 0xcfbf6a2d in ?? ()
#20 0xcfbf6a4e in ?? ()
#21 0xcfbf6a61 in ?? ()
#22 0xcfbf6a72 in ?? ()
---Type <return> to continue, or q <return> to quit---q
Quit
(gdb) c
Continuing.
a.out in free(): warning: chunk is already free

Breakpoint 1, remove_error_table (et=0x3c010770) at error_message.c:322
322         if (CALL_INIT_FUNCTION(com_err_initialize))
(gdb) print terminated
$7 = 1
(gdb) bt
#0  remove_error_table (et=0x3c010770) at error_message.c:322
#1  0x1c017731 in krb5int_lib_fini () at krb5_libinit.c:87
#2  0x1c0027c8 in __register_frame_info ()
#3  0x1c05eb85 in __fini ()
#4  0x0c82616a in exit () from /usr/lib/libc.so.34.2
#5  0x1c002759 in ___start ()
#6  0x1c0026bf in _start ()
#7  0x00000000 in ?? ()
#8  0xcfbfdff0 in ?? ()
#9  0x00000000 in ?? ()
#10 0x00000001 in ?? ()
#11 0xcfbf6984 in ?? ()
#12 0x00000000 in ?? ()
#13 0xcfbf699f in ?? ()
#14 0xcfbf69d4 in ?? ()
#15 0xcfbf69ee in ?? ()
#16 0xcfbf6a09 in ?? ()
#17 0xcfbf6a1a in ?? ()
#18 0xcfbf6a24 in ?? ()
#19 0xcfbf6a2d in ?? ()
#20 0xcfbf6a4e in ?? ()
#21 0xcfbf6a61 in ?? ()
#22 0xcfbf6a72 in ?? ()
---Type <return> to continue, or q <return> to quit---q
Quit
(gdb) c
Continuing.
a.out in free(): warning: chunk is already free

Program exited with code 036.
(gdb) q
merckx.bath.ac.uk ?// exit

Script done on Tue Jul  5 14:39:38 2005
-- 
Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK
D.H.Davis at bath.ac.uk               Phone: +44 1225 386101
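
The finalizer-order problem in the trace above, as an added example that is not part of the original message and not MIT krb5 source. It is a constructed model: a static pool stands in for malloc'd list nodes, the stale list head after termination is an assumed defect, and `late_removals`, `registry_terminate`, `remove_table` and the `guarded` flag are hypothetical names. A removal arriving after the registry finalizer counts as a double free unless the call checks a `terminated` flag first.

```c
#include <stdio.h>

/* Constructed model; names echo the trace, but this is not MIT krb5 source. */
#define NTABLES 5                       /* the five calls in krb5_libinit.c */
struct et_node { const void *table; int live; struct et_node *next; };
static struct et_node pool[NTABLES];    /* stands in for malloc'd list nodes */
static struct et_node *et_list;
static int terminated;                  /* like 'terminated' in the gdb session */
static int double_frees;                /* "chunk is already free" events */

static void node_free(struct et_node *n) {
    if (!n->live) double_frees++;       /* releasing an already-free chunk */
    n->live = 0;
}

/* Finalizer. Assumed defect: the list head still points at released nodes. */
static void registry_terminate(void) {
    for (struct et_node *n = et_list; n; n = n->next) node_free(n);
    terminated = 1;
}

/* Returns 0 when a node was unlinked and released, 1 otherwise. */
static int remove_table(const void *table, int guarded) {
    if (guarded && terminated) return 1;    /* late call: nothing left to free */
    for (struct et_node **pp = &et_list; *pp; pp = &(*pp)->next)
        if ((*pp)->table == table) {
            struct et_node *n = *pp;
            *pp = n->next;
            node_free(n);
            return 0;
        }
    return 1;
}

/* Reversed order from the trace: registry finalizer first, removals after. */
int late_removals(int guarded) {
    static const int tabs[NTABLES];     /* constructed stand-ins for et_* tables */
    et_list = NULL; terminated = 0; double_frees = 0;
    for (int i = 0; i < NTABLES; i++) {
        pool[i] = (struct et_node){ &tabs[i], 1, et_list };
        et_list = &pool[i];
    }
    registry_terminate();
    for (int i = 0; i < NTABLES; i++) remove_table(&tabs[i], guarded);
    return double_frees;
}

int main(void) {
    printf("unguarded=%d guarded=%d\n", late_removals(0), late_removals(1));
    return 0;
}
```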


