Control: tags 926658 + patch upstream fixed-upstream
Dear Maintainer,

I just tried to help triage this issue.

I think this is related to upstream bug [1] and was already
fixed in the 5.2 branch by commit [2].

A package built with this patch does just show the
'undefined variable' error, but not the double free fault.

Kind regards,
Bernhard

[1] https://sourceforge.net/p/gnuplot/bugs/2115/
[2] https://sourceforge.net/p/gnuplot/gnuplot-main/ci/732014eefd41235a143626d2bc02d3d34934e1b3/

# Buster amd64 real hardware 2019-04-09

apt update
apt dist-upgrade

#########

mkdir /home/benutzer/926658_gnuplot-crash -p
cd /home/benutzer/926658_gnuplot-crash
debootstrap --arch=amd64 buster chroot http://192.168.178.25:9999/debian-10-buster-deb.debian.org/
mount --rbind /proc chroot/proc
cp -a ../rr*.deb chroot/ # workaround https://github.com/mozilla/rr/issues/2342
env -i TERM=xterm LANG=de_DE.UTF-8 /usr/sbin/chroot chroot /bin/su -l root

apt install locales
dpkg-reconfigure locales
nano /etc/inputrc
adduser benutzer
mv /etc/apt/sources.list /etc/apt/sources.list.d/buster-approx.list
echo "deb-src http://192.168.178.25:9999/debian-10-buster-deb.debian.org buster main" >> /etc/apt/sources.list.d/buster-approx.list
echo "deb http://192.168.178.25:9999/debian-10-buster-debug.mirrors.debian.org buster-debug main" >> /etc/apt/sources.list.d/buster-approx.list
apt update
apt install dpkg-dev devscripts mc wget unzip rr gdb gnuplot gnuplot-qt-dbgsym
dpkg -i /*.deb # workaround https://github.com/mozilla/rr/issues/2342
echo 1 > /proc/sys/kernel/perf_event_paranoid

env -i TERM=xterm LANG=de_DE.UTF-8 /usr/sbin/chroot chroot /bin/su -l benutzer

mkdir /home/benutzer/source/gnuplot/orig -p
cd /home/benutzer/source/gnuplot/orig
apt source gnuplot
cd

mkdir /home/benutzer/source/libc6/orig -p
cd /home/benutzer/source/libc6/orig
apt source libc6
cd

wget "https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=926658;filename=test-files.zip;msg=10" -O test-files.zip
unzip test-files.zip
cd test-files
rr record gnuplot call.gpi
rr replay
    set width 0
    set pagination off
    directory /home/benutzer/source/gnuplot/orig/gnuplot-5.2.6+dfsg1/src/wxterminal/bitmaps
    directory /home/benutzer/source/libc6/orig/glibc-2.28/malloc
    cont
    bt
    reverse-finish
    reverse-finish
    reverse-finish
    reverse-finish
    reverse-finish
    reverse-finish
    reverse-finish
    print a->v.string_val
    print &(a->v.string_val)
    b __GI___libc_free if mem==0x564e97351a60
    watch *0x564e9734ed90
    reverse-cont
    bt
    reverse-finish
    print a->v.string_val
    print &(a->v.string_val)
    reverse-cont
    bt

#########

benutzer@willi-laptop:~$ gnuplot --version
gnuplot 5.2 patchlevel 6

benutzer@willi-laptop:~/test-files$ rr record gnuplot call.gpi
rr: Saving execution to trace directory `/home/benutzer/.local/share/rr/gnuplot-0'.
Plotting $tag statistics...
"./tags.gpi" line 27: undefined variable: date_min
free(): double free detected in tcache 2
Abgebrochen

benutzer@willi-laptop:~/test-files$ rr replay
...
Reading symbols from /usr/bin/gnuplot-qt...(no debugging symbols found)...done.
Really redefine built-in command "restart"? (y or n) [answered Y; input not from terminal]
Remote debugging using 127.0.0.1:16489
Reading symbols from /lib64/ld-linux-x86-64.so.2...Reading symbols from /usr/lib/debug/.build-id/75/5312dcb2382eb2fde78494879bb2104028ae80.debug...done.
done.
0x00007f088a6fd090 in _start () from /lib64/ld-linux-x86-64.so.2
(rr) set width 0
(rr) set pagination off
(rr) cont
Continuing.
Plotting $tag statistics...
"./tags.gpi" line 27: undefined variable: date_min
free(): double free detected in tcache 2

Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
50 ../sysdeps/unix/sysv/linux/raise.c: Datei oder Verzeichnis nicht gefunden.
(rr) bt
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1 0x00007f08888d2535 in __GI_abort () at abort.c:79
#2 0x00007f0888929778 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7f0888a3428d "%s\n") at ../sysdeps/posix/libc_fatal.c:181
#3 0x00007f088892fe6a in malloc_printerr (str=str@entry=0x7f0888a35f58 "free(): double free detected in tcache 2") at malloc.c:5341
#4 0x00007f088893194d in _int_free (av=0x7f0888a6bc40 <main_arena>, p=0x564e97351a50, have_lock=<optimized out>) at malloc.c:4193
#5 0x0000564e95fbb8bd in ?? ()
#6 0x0000564e95fbbd6b in ?? ()
#7 0x0000564e95fec887 in ?? ()
#8 0x0000564e95fece8d in ?? ()
#9 0x0000564e95f9b3bd in ?? ()
#10 0x00007f08888d409b in __libc_start_main (main=0x564e95f9b000, argc=2, argv=0x7ffe67c3fb68, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffe67c3fb58) at ../csu/libc-start.c:308
#11 0x0000564e95f9c76a in ?? ()

# With debug symbols

benutzer@willi-laptop:~$ rr replay
GNU gdb (Debian 8.2.1-2) 8.2.1
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/bin/gnuplot-qt...Reading symbols from /usr/lib/debug/.build-id/4f/e8eca6bda32081f21f1443346a77fbc6ae7b83.debug...done.
done.
Really redefine built-in command "restart"? (y or n) [answered Y; input not from terminal]
Remote debugging using 127.0.0.1:7991
Reading symbols from /lib64/ld-linux-x86-64.so.2...Reading symbols from /usr/lib/debug/.build-id/75/5312dcb2382eb2fde78494879bb2104028ae80.debug...done.
done.
0x00007f088a6fd090 in _start () from /lib64/ld-linux-x86-64.so.2
(rr) set width 0
(rr) set pagination off
(rr) directory /home/benutzer/source/gnuplot/orig/gnuplot-5.2.6+dfsg1/src/wxterminal/bitmaps
Source directories searched: /home/benutzer/source/gnuplot/orig/gnuplot-5.2.6+dfsg1/src/wxterminal/bitmaps:$cdir:$cwd
(rr) directory /home/benutzer/source/libc6/orig/glibc-2.28/malloc
Source directories searched: /home/benutzer/source/libc6/orig/glibc-2.28/malloc:/home/benutzer/source/gnuplot/orig/gnuplot-5.2.6+dfsg1/src/wxterminal/bitmaps:$cdir:$cwd
(rr) cont
Continuing.
Plotting $tag statistics...
"./tags.gpi" line 27: undefined variable: date_min
free(): double free detected in tcache 2

Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
50 return ret;

# Second free of 0x564e97351a60
(rr) bt
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1 0x00007f08888d2535 in __GI_abort () at abort.c:79
#2 0x00007f0888929778 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7f0888a3428d "%s\n") at ../sysdeps/posix/libc_fatal.c:181
#3 0x00007f088892fe6a in malloc_printerr (str=str@entry=0x7f0888a35f58 "free(): double free detected in tcache 2") at malloc.c:5341
#4 0x00007f088893194d in _int_free (av=0x7f0888a6bc40 <main_arena>, p=0x564e97351a50, have_lock=<optimized out>) at malloc.c:4193
#5 0x0000564e95fbb8bd in gpfree_string (a=0x564e9734ed88) at ../../../src/eval.c:423
#6 0x0000564e95fbbd6b in gpfree_string (a=<optimized out>) at ../../../src/eval.c:422
#7 gpfree_array (a=a@entry=0x564e9734edc0) at ../../../src/eval.c:446
#8 0x0000564e95fec887 in lf_pop () at ../../../src/misc.c:515
#9 0x0000564e95fece8d in load_file_error () at ../../../src/misc.c:626
#10 0x0000564e95f9b3bd in main (argc=2, argv=0x7ffe67c3fb68) at ../../../src/plot.c:555
(rr) reverse-finish
Run back to call of #0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50

Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
50 return ret;
(rr) reverse-finish
Run back to call of #0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
0x00007f08888d2530 in __GI_abort () at abort.c:79
79 abort.c: Datei oder Verzeichnis nicht gefunden.
(rr) reverse-finish
Run back to call of #0 0x00007f08888d2530 in __GI_abort () at abort.c:79
__libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7f0888a3428d "%s\n") at ../sysdeps/posix/libc_fatal.c:181
181 abort ();
(rr) reverse-finish
Run back to call of #0 __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7f0888a3428d "%s\n") at ../sysdeps/posix/libc_fatal.c:181
0x00007f088892fe65 in malloc_printerr (str=str@entry=0x7f0888a35f58 "free(): double free detected in tcache 2") at malloc.c:5341
warning: Source file is more recent than executable.
5341 __libc_message (do_abort, "%s\n", str);
(rr) reverse-finish
Run back to call of #0 0x00007f088892fe65 in malloc_printerr (str=str@entry=0x7f0888a35f58 "free(): double free detected in tcache 2") at malloc.c:5341
0x00007f0888931948 in _int_free (av=0x7f0888a6bc40 <main_arena>, p=0x564e97351a50, have_lock=0) at malloc.c:4193
4193 malloc_printerr ("free(): double free detected in tcache 2");
(rr) reverse-finish
Run back to call of #0 0x00007f0888931948 in _int_free (av=0x7f0888a6bc40 <main_arena>, p=0x564e97351a50, have_lock=0) at malloc.c:4193
0x00007f0888934c39 in __GI___libc_free (mem=<optimized out>) at malloc.c:3116
3116 _int_free (ar_ptr, p, 0);
(rr) reverse-finish
Run back to call of #0 0x00007f0888934c39 in __GI___libc_free (mem=<optimized out>) at malloc.c:3116
0x0000564e95fbb8b8 in gpfree_string (a=0x564e9734ed88) at ../../../src/eval.c:423
423 free(a->v.string_val);
(rr) print a->v.string_val
$1 = 0x564e97351a60 "`\354\064\227NV"
(rr) print &(a->v.string_val)
$2 = (char **) 0x564e9734ed90
(rr) b __GI___libc_free if mem==0x564e97351a60
Breakpoint 1 at 0x7f0888934be0: file malloc.c, line 3083.
(rr) watch *0x564e9734ed90
Hardware watchpoint 2: *0x564e9734ed90
(rr) reverse-cont
Continuing.

Breakpoint 1, __GI___libc_free (mem=0x564e97351a60) at malloc.c:3083
3083 = atomic_forced_read (__free_hook);

# First free of 0x564e97351a60
(rr) bt
#0 __GI___libc_free (mem=0x564e97351a60) at malloc.c:3083
#1 0x0000564e95fbb8bd in gpfree_string (a=0x564e9734ed88) at ../../../src/eval.c:423
#2 0x0000564e95fbbd6b in gpfree_string (a=<optimized out>) at ../../../src/eval.c:422
#3 gpfree_array (a=a@entry=0x564e9734edc0) at ../../../src/eval.c:446
#4 0x0000564e95febe1a in prepare_call (calltype=calltype@entry=1) at ../../../src/misc.c:235
#5 0x0000564e95fecb9a in load_file (fp=0x564e97352cb0, name=0x564e9734ec20 "common.gpi", calltype=calltype@entry=1) at ../../../src/misc.c:354
#6 0x0000564e95fab084 in load_command () at ../../../src/command.c:1585
#7 0x0000564e95fad6f0 in command () at ../../../src/command.c:629
#8 do_line () at ../../../src/command.c:419
#9 0x0000564e95feccef in load_file (fp=0x564e97351650, name=name@entry=0x564e97351630 "./tags.gpi", calltype=calltype@entry=2) at ../../../src/misc.c:448
#10 0x0000564e95faa8bd in call_command () at ../../../src/command.c:988
#11 0x0000564e95fad6f0 in command () at ../../../src/command.c:629
#12 do_line () at ../../../src/command.c:419
#13 0x0000564e95feccef in load_file (fp=0x564e972ef260, name=<optimized out>, calltype=<optimized out>) at ../../../src/misc.c:448
#14 0x0000564e95f9b69c in main (argc=1, argv=0x7ffe67c3fb70) at ../../../src/plot.c:654
(rr) reverse-finish
Run back to call of #0 __GI___libc_free (mem=0x564e97351a60) at malloc.c:3083
0x0000564e95fbb8b8 in gpfree_string (a=0x564e9734ed88) at ../../../src/eval.c:423
423 free(a->v.string_val);
(rr) print a->v.string_val
$3 = 0x564e97351a60 "ambiguous-paragraph-in-dep5-copyright.dat"
(rr) print &(a->v.string_val)
$4 = (char **) 0x564e9734ed90
(rr) reverse-cont
Continuing.

Hardware watchpoint 2: *0x564e9734ed90

Old value = -1758127520
New value = 1819309422
0x0000564e95fbbc92 in Gstring (a=a@entry=0x564e9734ed88, s=0x564e97351a60 "ambiguous-paragraph-in-dep5-copyright.dat") at ../../../src/eval.c:410
410 a->v.string_val = s ? s : strdup("");

# Save pointer to 0x564e97351a60 in 0x564e9734ed90
(rr) bt
#0 0x0000564e95fbbc92 in Gstring (a=a@entry=0x564e9734ed88, s=0x564e97351a60 "ambiguous-paragraph-in-dep5-copyright.dat") at ../../../src/eval.c:410
#1 0x0000564e95febf5c in prepare_call (calltype=calltype@entry=2) at ../../../src/misc.c:253
#2 0x0000564e95fecb9a in load_file (fp=0x564e97351650, name=name@entry=0x564e97351630 "./tags.gpi", calltype=calltype@entry=2) at ../../../src/misc.c:354
#3 0x0000564e95faa8bd in call_command () at ../../../src/command.c:988
#4 0x0000564e95fad6f0 in command () at ../../../src/command.c:629
#5 do_line () at ../../../src/command.c:419
#6 0x0000564e95feccef in load_file (fp=0x564e972ef260, name=<optimized out>, calltype=<optimized out>) at ../../../src/misc.c:448
#7 0x0000564e95f9b69c in main (argc=1, argv=0x7ffe67c3fb70) at ../../../src/plot.c:654
(rr) print s
$5 = 0x564e97351a60 "ambiguous-paragraph-in-dep5-copyright.dat"
(rr) reverse-finish
Run back to call of #0 0x0000564e95fbbc92 in Gstring (a=a@entry=0x564e9734ed88, s=0x564e97351a60 "ambiguous-paragraph-in-dep5-copyright.dat") at ../../../src/eval.c:410
0x0000564e95febf57 in prepare_call (calltype=calltype@entry=2) at ../../../src/misc.c:253
253 Gstring(&ARGV[argindex], gp_strdup(udv->udv_value.v.string_val));
(rr) print udv->udv_value.v.string_val
$6 = 0x564e97351a20 "ambiguous-paragraph-in-dep5-copyright.dat"

https://sourceforge.net/p/gnuplot/gnuplot-main/ci/732014eefd41235a143626d2bc02d3d34934e1b3/
https://sourceforge.net/p/gnuplot/bugs/2115/

#########

cd /home/benutzer/source/gnuplot/
git clone https://git.code.sf.net/p/gnuplot/gnuplot-main gnuplot-gnuplot-main
cd gnuplot-gnuplot-main
git show 732014eefd41235a143626d2bc02d3d34934e1b3 > ../732014eefd41235a143626d2bc02d3d34934e1b3.patch
cd ..
cp -a orig try1
cd try1
cd try1/gnuplot-5.2.6+dfsg1/
patch -p1 < ../../732014eefd41235a143626d2bc02d3d34934e1b3.patch
dpkg-buildpackage -b

dpkg -i /home/benutzer/source/gnuplot/try1/{gnuplot-qt,gnuplot-qt-dbgsym}_5.2.6+dfsg1-1_amd64.deb /home/benutzer/source/gnuplot/try1/{gnuplot,gnuplot-data}_5.2.6+dfsg1-1_all.deb

benutzer@willi-laptop:~$ rr record gnuplot call.gpi
rr: Saving execution to trace directory `/home/benutzer/.local/share/rr/gnuplot-1'.
line 0: Cannot open script file 'call.gpi'
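
Added example, not part of the original report and not gnuplot or glibc code: the rr session above attributes both frees of 0x564e97351a60 to their call paths by breaking on free for that one address. The sketch below does the same attribution in-process with a small free tracker; tracked_strdup, tracked_free and replay_trace are hypothetical names, and the replay is a constructed stand-in for the prepare_call and lf_pop paths shown in the backtraces.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Added example with hypothetical names; not gnuplot or glibc code. */
#define MAX_TRACKED 64
static struct free_record { uintptr_t addr; const char *site; } freed[MAX_TRACKED];
static int nfreed;
static const char *first_site, *second_site;   /* last double free reported */

static int find_freed(uintptr_t addr) {
    for (int i = 0; i < nfreed; i++)
        if (freed[i].addr == addr) return i;
    return -1;
}

/* Copy a string; if malloc reuses a freed address, drop the stale record. */
char *tracked_strdup(const char *s) {
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (!p) return NULL;
    memcpy(p, s, n);
    int i = find_freed((uintptr_t)p);
    if (i >= 0) freed[i] = freed[--nfreed];
    return p;
}

/* Returns 1 and records both call sites instead of freeing a second time. */
int tracked_free(void *p, const char *site) {
    int i = p ? find_freed((uintptr_t)p) : -1;
    if (i >= 0) {
        first_site = freed[i].site;
        second_site = site;
        return 1;
    }
    if (p && nfreed < MAX_TRACKED)
        freed[nfreed++] = (struct free_record){ (uintptr_t)p, site };
    free(p);
    return 0;
}

/* Constructed replay of the two call paths seen in the backtraces. */
int replay_trace(void) {
    char *slot = tracked_strdup("ambiguous-paragraph-in-dep5-copyright.dat");
    tracked_free(slot, "prepare_call");    /* first free */
    return tracked_free(slot, "lf_pop");   /* second free: reported only */
}

int main(void) { return replay_trace() ? 0 : 1; }  /* 0: double free caught */
```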