[Gnash-commit] [bug #40439] Segfault on exit (GC and XML)


From: Sandro Santilli
Subject: [Gnash-commit] [bug #40439] Segfault on exit (GC and XML)
Date: Thu, 31 Oct 2013 20:42:29 +0000
User-agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:25.0) Gecko/20100101 Firefox/25.0

URL:
  <http://savannah.gnu.org/bugs/?40439>

                 Summary: Segfault on exit (GC and XML)
                 Project: Gnash - The GNU Flash player
            Submitted by: strk
            Submitted on: Thu 31 Oct 2013 09:42:28 PM CET
                Category: core
                Severity: 6 - Security
                 Release: None
                  Status: None
                 Privacy: Public
             Assigned to: None
             Open/Closed: Open
         Discussion Lock: Any

    _______________________________________________________

Details:

XMLNode destructor calling into a deleted string_table:

==28682== Invalid read of size 8
==28682==    at 0x576DA1B:
boost::multi_index::detail::hashed_index_iterator<boost::multi_index::detail::hashed_index_node<boost::multi_index::detail::hashed_index_node<boost::multi_index::detail::index_node_base<gnash::string_table::svt,
std::allocator<gnash::string_table::svt> > > >,
boost::multi_index::detail::bucket_array<std::allocator<gnash::string_table::svt>
> >
boost::multi_index::detail::hashed_index<boost::multi_index::member<gnash::string_table::svt,
std::string, &gnash::string_table::svt::value>, boost::hash<std::string>,
std::equal_to<std::string>, boost::multi_index::detail::nth_layer<1,
gnash::string_table::svt,
boost::multi_index::indexed_by<boost::multi_index::hashed_unique<boost::multi_index::tag<gnash::string_table::StringValue,
mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na,
mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na,
mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na>,
boost::multi_index::member<gnash::string_table::svt, std::string,
&gnash::string_table::svt::value>, mpl_::na, mpl_::na>,
boost::multi_index::hashed_unique<boost::multi_index::tag<gnash::string_table::StringID,
mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na,
mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na,
mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na>,
boost::multi_index::member<gnash::string_table::svt, unsigned long,
&gnash::string_table::svt::id>, mpl_::na, mpl_::na>, mpl_::na, mpl_::na,
mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na,
mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na, mpl_::na,
mpl_::na, mpl_::na>, std::allocator<gnash::string_table::svt> >,
boost::mpl::v_item<gnash::string_table::StringValue,
boost::mpl::vector0<mpl_::na>, 0>,
boost::multi_index::detail::hashed_unique_tag>::find<std::string,
boost::hash<std::string>, std::equal_to<std::string> >(std::string const&,
boost::hash<std::string> const&, std::equal_to<std::string> const&) const
(hashed_index.hpp:443)
==28682==    by 0x576C319: gnash::string_table::find(std::string const&, bool)
(hashed_index.hpp:431)
==28682==    by 0x4F869DE: gnash::arrayKey(gnash::VM&, unsigned long)
(VM.h:295)
==28682==    by 0x4F86E9E: gnash::(anonymous
namespace)::resizeArray(gnash::as_object&, int) (Array_as.cpp:1623)
==28682==    by 0x4F89611: gnash::checkArrayLength(gnash::as_object&,
gnash::ObjectURI const&, gnash::as_value const&) (Array_as.cpp:923)
==28682==    by 0x4ED5D4D: gnash::as_object::set_member(gnash::ObjectURI
const&, gnash::as_value const&, bool) (as_object.cpp:596)
==28682==    by 0x4FFF3F3: gnash::XMLNode_as::updateChildNodes()
(XMLNode_as.cpp:149)
==28682==    by 0x4FFF64A: gnash::XMLNode_as::removeChild(gnash::XMLNode_as*)
(XMLNode_as.cpp:212)
==28682==    by 0x4FFF6C4: gnash::XMLNode_as::~XMLNode_as()
(XMLNode_as.cpp:116)
==28682==    by 0x4FFF7C8: gnash::XMLNode_as::~XMLNode_as()
(XMLNode_as.cpp:120)
==28682==    by 0x4ECD655: gnash::as_object::~as_object()
(checked_delete.hpp:34)
==28682==    by 0x4ECD698: gnash::as_object::~as_object() (as_object.h:174)
==28682==  Address 0x1c86a4c8 is 4,584 bytes inside a block of size 12,352
free'd
==28682==    at 0x4C2B59C: operator delete(void*) (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==28682==    by 0x507B0BD: gnash::string_table::~string_table()
(new_allocator.h:100)
==28682==    by 0x507A529: gnash::VM::~VM() (VM.cpp:69)
==28682==    by 0x4F13F92: gnash::movie_root::~movie_root()
(movie_root.cpp:190)
==28682==    by 0x1560B4: gnash::Player::run(int, char**, std::string const&,
std::string const&) (Player.cpp:661)
==28682==    by 0x1321AF: playFile(gnash::Player&, int, char**, std::string
const&) (gnash.cpp:90)
==28682==    by 0x130BD2: main (bind.hpp:457)


Rings a bell; I think Bastiaan has recently been trying to fix something like
this, related to XMLNode deallocation order.




    _______________________________________________________

Reply to this item at:

  <http://savannah.gnu.org/bugs/?40439>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.gnu.org/
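
The destruction-order hazard in the trace above, as an added example that is not part of the original report and is not Gnash code: a node destructor that needs the string table runs after the owner has already freed it. All type names and the ownership layout are hypothetical, and the node reads a liveness flag rather than the freed table so the bad ordering is recorded without an actual invalid read.

```cpp
#include <iostream>
#include <memory>
#include <string>
#include <vector>

// Constructed model, not Gnash code: every type name below is hypothetical.
struct Trace { bool tableAlive = false; std::vector<std::string> events; };

struct StringTable {
    Trace& t;
    explicit StringTable(Trace& tr) : t(tr) { t.tableAlive = true; }
    ~StringTable() { t.tableAlive = false; t.events.push_back("table freed"); }
};

// Stands in for a node whose destructor needs the table (in the report:
// ~XMLNode_as -> removeChild -> ... -> string_table::find).
struct Node {
    Trace& t;
    explicit Node(Trace& tr) : t(tr) {}
    // Reads a liveness flag instead of the table itself, so the bad ordering
    // is recorded without performing an actual invalid read.
    ~Node() { t.events.push_back(t.tableAlive ? "node dtor: table live"
                                              : "node dtor: table already freed"); }
};

// Members are destroyed in reverse declaration order.
struct UnsafeVM {
    std::vector<std::unique_ptr<Node>> heap;  // declared first, destroyed last
    StringTable table;                        // declared last, destroyed first
    explicit UnsafeVM(Trace& tr) : table(tr) { heap.emplace_back(new Node(tr)); }
};

struct SafeVM {
    StringTable table;                        // outlives every node
    std::vector<std::unique_ptr<Node>> heap;  // nodes are torn down first
    explicit SafeVM(Trace& tr) : table(tr) { heap.emplace_back(new Node(tr)); }
};

std::vector<std::string> shutdownOrder(bool safe) {
    Trace tr;  // outlives the VM, so destructors may write to it safely
    if (safe) { SafeVM vm(tr); } else { UnsafeVM vm(tr); }
    return tr.events;
}

int main() {
    for (bool safe : {false, true})
        for (const std::string& e : shutdownOrder(safe))
            std::cout << (safe ? "safe:   " : "unsafe: ") << e << "\n";
}
```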