Crash after saving to a git repo

Linus Torvalds torvalds at linux-foundation.org
Mon Mar 31 08:25:42 PDT 2014


On Mon, Mar 31, 2014 at 5:50 AM, Anton Lundin <glance at acc.umu.se> wrote:
>
> I managed to run the save step via valgrind and noticed:
>
> Invalid free() / delete / delete[] / realloc()
>    at 0x4C2B68C: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
>    by 0x5E0030D: set_error (in /usr/lib/x86_64-linux-gnu/libgit2.so.0.19.0)
>    by 0x5E0042F: giterr_set (in /usr/lib/x86_64-linux-gnu/libgit2.so.0.19.0)
>    by 0x5E1E348: git_futils_find_in_dirlist (in /usr/lib/x86_64-linux-gnu/libgit2.so.0.19.0)
>    by 0x5E15692: git_repository_config__weakptr (in /usr/lib/x86_64-linux-gnu/libgit2.so.0.19.0)
>    by 0x5E15978: git_repository_open_ext (in /usr/lib/x86_64-linux-gnu/libgit2.so.0.19.0)
>    by 0x4DB6AD: is_git_repository (save-git.c:1010)
>    by 0x4DD3C0: save_dives_logic (save-xml.c:606)
>    by 0x4DD00D: save_dives (save-xml.c:500)
>    by 0x49EA1E: MainWindow::file_save_as() (mainwindow.cpp:937)
>    by 0x49A189: MainWindow::on_actionSaveAs_triggered() (mainwindow.cpp:185)
>    by 0x50E914: MainWindow::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) (moc_mainwindow.cpp:273)
>  Address 0x14dd6760 is 1,024 bytes inside a block of size 2,032 alloc'd
>    at 0x4C2C510: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
>    by 0xE2F2668: g_malloc0 (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.3992.0)
>    by 0xE2BF015: ??? (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.3992.0)
>    by 0xE308374: g_slice_alloc (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.3992.0)
>    by 0xE2DC17D: g_hash_table_new_full (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.3992.0)
>    by 0xE2FC494: g_quark_from_static_string (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.3992.0)
>    by 0xE05E4AB: ??? (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.3992.0)
>    by 0x4010139: call_init.part.0 (dl-init.c:78)
>    by 0x4010222: _dl_init (dl-init.c:36)
>    by 0x4001309: ??? (in /lib/x86_64-linux-gnu/ld-2.19.so)

This very much *looks* like a libgit2 bug. Now, it's obviously
possible that somebody else did the real invalid free(), then
re-allocated something, and then libgit2 did what *should* have been
the real free, but quite frankly, with valgrind claiming that the
allocation was originally done by _dl_init(), I doubt it. It smells
more like libgit2 used to have some static string for the error
message, and it tried to free() that when it sets a new error message.

The fact that it goes away when you update libgit2 obviously also
implies that this is a libgit2 issue.

That said, I looked at libgit2:src/errors.c, and I certainly don't see
anything obvious. All the accesses seem to be through a properly
malloc'ed area (either using strdup() or using the libgit2 version of
our "struct membuffer"-like allocation wrappers).

Does this trigger on the very first save (after you've loaded from
XML) or have you done some git-load/save op before? I'm wondering if
we maybe don't clean up some state properly, but my primary guess is
that it's just a libgit2 bug.

                     Linus

