[Webkit-unassigned] [Bug 246599] Using bmalloc somehow triggers a crash in glibc's free when running free(NULL) in glib library constructor

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Oct 17 18:40:54 PDT 2022


https://bugs.webkit.org/show_bug.cgi?id=246599

--- Comment #7 from N4t3R <naterussell83 at gmail.com> ---
```
GNU gdb (GDB) 12.1
Copyright (C) 2022 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-slackware-linux".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from epiphany...
(gdb) break free
Make breakpoint pending on future shared library load? (y or [n]) y
Breakpoint 1 (free) pending.
(gdb) run
Starting program: /usr/bin/epiphany www.heise.de
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib64/debug/libthread_db.so.1".

Breakpoint 1, __GI___libc_free (mem=mem at entry=0x0) at malloc.c:3330
3330      if (mem == 0)                              /* free(0) has no effect */
(gdb) bt
#0  __GI___libc_free (mem=mem at entry=0x0) at malloc.c:3330
#1  0x00007ffff7339ad5 in g_free (mem=mem at entry=0x0) at ../glib/gmem.c:229
#2  0x00007ffff735085c in slice_config_init (config=0x7ffff74134d0 <allocator+16>)
    at ../glib/gslice.c:440
#3  g_slice_init_nomessage () at ../glib/gslice.c:461
#4  0x00007ffff735187e in thread_memory_from_self () at ../glib/gslice.c:562
#5  thread_memory_from_self () at ../glib/gslice.c:552
#6  g_slice_alloc (mem_size=mem_size at entry=96) at ../glib/gslice.c:1052
#7  0x00007ffff732138e in g_hash_table_new_full
    (hash_func=0x7ffff7322dc0 <g_str_hash>, key_equal_func=0x7ffff7322da0 <g_str_equal>, key_destroy_func=key_destroy_func at entry=0x0, value_destroy_func=value_destroy_func at entry=0x0) at ../glib/ghash.c:1073
#8  0x00007ffff73213f9 in g_hash_table_new
    (hash_func=<optimized out>, key_equal_func=<optimized out>)
    at ../glib/ghash.c:1036
#9  0x00007ffff734360b in g_quark_init () at ../glib/gquark.c:63
#10 0x00007ffff72feec5 in glib_init () at ../glib/glib-init.c:341
#11 glib_init () at ../glib/glib-init.c:330
#12 glib_init_ctor () at ../glib/glib-init.c:455
#13 0x00007ffff7fcfabe in call_init () at /lib64/ld-linux-x86-64.so.2
#14 0x00007ffff7fcfba4 in _dl_init () at /lib64/ld-linux-x86-64.so.2
#15 0x00007ffff7fe5790 in _dl_start_user () at /lib64/ld-linux-x86-64.so.2
#16 0x0000000000000002 in  ()
#17 0x00007fffffffe9bf in  ()
#18 0x00007fffffffe9d1 in  ()
#19 0x0000000000000000 in  ()
(gdb) quit
A debugging session is active.

        Inferior 1 [process 13899] will be killed.

Quit anyway? (y or n) y

```
