[BUG] segfault somewhere in readline.c
Reported by Charles Comstock | January 11th, 2008 @ 02:42 PM | in 1.0 preview
after running
$ shotgun/rubinius -ryaml
Type YAML::du and tab complete, and then add an m for YAML::dum and tab complete for a stack trace like this:
Note that requiring yaml is not necessary to reproduce this. This occurs on x86 Ubuntu 7.10.
irb(main):002:0> a = [1,2,3]
=> [1, 2, 3]
irb(main):003:0> a.m*** glibc detected *** rubinius: free(): invalid next size (fast): 0x08891398 ***
======= Backtrace: =========
/lib/tls/i686/cmov/libc.so.6[0xb7d7ed65]
/lib/tls/i686/cmov/libc.so.6(cfree+0x90)[0xb7d82800]
/lib/libreadline.so.5[0xb6fcb7ce]
/lib/libreadline.so.5(rl_complete_internal+0x118)[0xb6fcd918]
/lib/libreadline.so.5(rl_complete+0x8e)[0xb6fcdd6e]
/lib/libreadline.so.5(_rl_dispatch_subseq+0xc8)[0xb6fc57d8]
/lib/libreadline.so.5(_rl_dispatch+0x34)[0xb6fc5bb4]
/lib/libreadline.so.5(readline_internal_char+0xb5)[0xb6fc5f45]
/lib/libreadline.so.5(readline+0x67)[0xb6fc6397]
/home/clgc/rubinius/lib/ext/readline/readline.so[0xb6ffc573]
/home/clgc/rubinius/shotgun/lib/librubinius-0.8.0.so(_nmc_start+0x316)[0xb7f19d56]
/lib/tls/i686/cmov/libc.so.6(makecontext+0x44)[0xb7d4f5d4]
/home/clgc/rubinius/shotgun/lib/librubinius-0.8.0.so(cpu_perform_system_primitive+0x4d)[0xb7ed041d]
/home/clgc/rubinius/shotgun/lib/librubinius-0.8.0.so(cpu_run+0xd204)[0xb7ec6704]
/home/clgc/rubinius/shotgun/lib/librubinius-0.8.0.so(machine_run+0x30)[0xb7f02570]
/home/clgc/rubinius/shotgun/lib/librubinius-0.8.0.so(machine_run_file+0x6a)[0xb7f0289a]
/home/clgc/rubinius/shotgun/lib/librubinius-0.8.0.so(environment_load_machine+0xa9)[0xb7ee3f69]
rubinius[0x8048a84]
/lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe0)[0xb7d2b050]
rubinius[0x8048771]
Comments and changes to this ticket
-
Brian Ford January 13th, 2008 @ 11:17 PM
- → State changed from new to open
Was this only YAML or tab completion in general?
-
Charles Comstock January 14th, 2008 @ 09:06 AM
Tab completion in general; it seemed more reproducible with YAML, but it's definitely not dependent on it.
-
Brian Ford January 20th, 2008 @ 12:57 PM
- → Title changed from segfault somewhere in readline.c to [BUG] segfault somewhere in readline.c
-
-
zimbatm January 26th, 2008 @ 09:16 AM
*** glibc detected *** rubinius: free(): invalid next size (fast): 0x08891398 ***
I found that 0x08891398 is the return value of lib/ext/readline/readline.c:180.
Because readline_attempted_completion_function is the callback method which gets called when you hit the tab, I started to look if some kind of results could break it.
I tried all single letters of the alphabet, the same way as the previous post. Curiously, some of them break, some of them not, in a reproducible manner. I could not determine what causes the error. Attached, a file with all alphabet characters with their result.
-
Ryan Davis February 29th, 2008 @ 02:30 PM
- → Milestone changed from 1.0 to 1.0 preview
- → Assigned user changed from to Evan Phoenix
-
Wilson Bilkovich June 25th, 2008 @ 09:35 AM
- → Tag changed from to segfault
I believe this was fixed along the way. I can no longer reproduce it.
Anyone else have an opinion?
-
Charles Comstock June 25th, 2008 @ 09:51 AM
No, don't close it. I still get segfaults if I just do
bin/rbx, A[tab]
$ bin/rbx
irb(main):001:0> A*** glibc detected *** bin/rbx: free(): invalid next size (fast): 0x08b54aa8 ***
======= Backtrace: =========
/lib/tls/i686/cmov/libc.so.6[0xb7d2ba85]
/lib/tls/i686/cmov/libc.so.6(cfree+0x90)[0xb7d2f4f0]
/lib/libreadline.so.5[0xb6ec07ce]
/lib/libreadline.so.5(rl_complete_internal+0x118)[0xb6ec2918]
/lib/libreadline.so.5(rl_complete+0x8e)[0xb6ec2d6e]
/lib/libreadline.so.5(_rl_dispatch_subseq+0xc8)[0xb6eba7d8]
/lib/libreadline.so.5(_rl_dispatch+0x34)[0xb6ebabb4]
/lib/libreadline.so.5(readline_internal_char+0xb5)[0xb6ebaf45]
/lib/libreadline.so.5(readline+0x67)[0xb6ebb397]
/home/clgc/languages/rubinius/lib/ext/readline/readline.so[0xb6edf0d3]
/home/clgc/languages/rubinius/shotgun/lib/librubinius-local-dev.so(_nmc_start+0x333)[0xb7ea4803]
/lib/tls/i686/cmov/libc.so.6(makecontext+0x44)[0xb7cfb074]
[0x0]
======= Memory map: ========
08048000-08049000 r-xp 00000000 08:03 11829276 /home/clgc/languages/rubinius/shotgun/rubinius.local.bin
08049000-0804a000 rw-p 00000000 08:03 11829276 /home/clgc/languages/rubinius/shotgun/rubinius.local.bin
0804a000-08d7d000 rw-p 0804a000 00:00 0 [heap]
b6d00000-b6d21000 rw-p b6d00000 00:00 0
b6d21000-b6e00000 ---p b6d21000 00:00 0
... snipped ...
So it's definitely still a bug as of the latest git, rebuilt from distclean just a moment ago. I'm on Ubuntu Hardy 8.04 on 32bit i686.
