Description
We use libjsoncpp to parse the JSON output of QEMU. After upgrading from Debian Jessie (libjsoncpp 0.6.0~rc2-3.1) to Stretch (libjsoncpp 1.7.4-3), the process aborts with SIGABRT. The abort is raised by glibc's malloc consistency check ("corrupted size vs. prev_size", frame #3), which means the heap metadata was already corrupted before this allocation — the frame where it is detected is not necessarily where the corruption happened. The full backtrace is below:
```
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
set = {__val = {0, 140692451321689, 0, 140692450891799, 140692454200832, 3432, 140692454181120, 140692454184000, 94362861470688, 140692450888546, 7795484802351636512, 872, 0, 3432, 0, 140692475821120}}
pid =
tid =
#1 0x00007ff5838af42a in __GI_abort () at abort.c:89
save_stage = 2
act = {__sigaction_handler = {sa_handler = 0x5d6f7364765b2020, sa_sigaction = 0x5d6f7364765b2020}, sa_mask = {__val = {7378697629483820554, 3472328296331896422, 7378697629483806000, 3472609797883717222, 2337500343188860976, 3472328296227680304, 3467824696768081952, 2314885530818453536, 2314885530818453536, 7166204968890474528, 3472385308382489697, 3467895053655089200, 2319406791738273840, 3689890873941307440, 2314885530820031794, 140736086339232}}, sa_flags = 82, sa_restorer = 0x7fffac6eeea0}
sigs = {__val = {32, 0 <repeats 15 times>}}
#2 0x00007ff5838ebc00 in __libc_message (do_abort=do_abort@entry=2, fmt=fmt@entry=0x7ff5839e0d98 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
ap = {{gp_offset = 40, fp_offset = 48, overflow_arg_area = 0x7fffac6eeeb0, reg_save_area = 0x7fffac6eee40}}
fd = 2
on_2 =
list =
nlist =
cp =
written =
#3 0x00007ff5838f1fc6 in malloc_printerr (action=3, str=0x7ff5839dd8de "corrupted size vs. prev_size", ptr=, ar_ptr=) at malloc.c:5049
buf = "000055d290c6c4f0"
cp =
ar_ptr =
ptr =
str = 0x7ff5839dd8de "corrupted size vs. prev_size"
action = 3
#4 0x00007ff5838f462f in _int_malloc (av=av@entry=0x7ff583c14b00 <main_arena>, bytes=bytes@entry=88) at malloc.c:3765
p = 0x55d290c6c4f0
iters =
nb = 96
idx = 7
bin =
victim = 0x55d290c6c4f0
size =
victim_index =
remainder =
remainder_size = 416
block =
bit =
map =
fwd =
bck =
errstr = 0x0
func = "_int_malloc"
#5 0x00007ff5838f5f64 in __GI___libc_malloc (bytes=bytes@entry=88) at malloc.c:2928
ar_ptr = 0x7ff583c14b00 <main_arena>
victim =
hook =
func = "__libc_malloc"
#6 0x00007ff5840dd7a8 in operator new (sz=sz@entry=88) at ../../../../src/libstdc++-v3/libsupc++/new_op.cc:50
p =
#7 0x00007ff5845fc3d6 in __gnu_cxx::new_allocator<std::_Rb_tree_node<std::pair<Json::Value::CZString const, Json::Value> > >::allocate (this=, _n=1) at /usr/include/c++/6/ext/new_allocator.h:104
No locals.
#8 std::allocator_traits<std::allocator<std::_Rb_tree_node<std::pair<Json::Value::CZString const, Json::Value> > > >::allocate (a=..., n=1) at /usr/include/c++/6/bits/alloc_traits.h:416
No locals.
#9 std::_Rb_tree<Json::Value::CZString, std::pair<Json::Value::CZString const, Json::Value>, std::_Select1st<std::pair<Json::Value::CZString const, Json::Value> >, std::less<Json::Value::CZString>, std::allocator<std::pair<Json::Value::CZString const, Json::Value> > >::_M_get_node (this=) at /usr/include/c++/6/bits/stl_tree.h:505
No locals.
#10 std::_Rb_tree<Json::Value::CZString, std::pair<Json::Value::CZString const, Json::Value>, std::_Select1st<std::pair<Json::Value::CZString const, Json::Value> >, std::less<Json::Value::CZString>, std::allocator<std::pair<Json::Value::CZString const, Json::Value> > >::_M_create_node<std::pair<Json::Value::CZString const, Json::Value>&> (this=) at /usr/include/c++/6/bits/stl_tree.h:559
tmp =
#11 std::_Rb_tree<Json::Value::CZString, std::pair<Json::Value::CZString const, Json::Value>, std::_Select1st<std::pair<Json::Value::CZString const, Json::Value> >, std::less<Json::Value::CZString>, std::allocator<std::pair<Json::Value::CZString const, Json::Value> > >::_Alloc_node::operator()<std::pair<Json::Value::CZString const, Json::Value>&> (this=, arg=...) at /usr/include/c++/6/bits/stl_tree.h:473
No locals.
#12 std::_Rb_tree<Json::Value::CZString, std::pair<Json::Value::CZString const, Json::Value>, std::_Select1st<std::pair<Json::Value::CZString const, Json::Value> >, std::less<Json::Value::CZString>, std::allocator<std::pair<Json::Value::CZString const, Json::Value> > >::_M_insert<std::pair<Json::Value::CZString const, Json::Value>&, std::_Rb_tree<Json::Value::CZString, std::pair<Json::Value::CZString const, Json::Value>, std::_Select1st<std::pair<Json::Value::CZString const, Json::Value> >, std::less<Json::Value::CZString>, std::allocator<std::pair<Json::Value::CZString const, Json::Value> > >::_Alloc_node> (node_gen=..., v=..., p=0x55d290c6b870, x=, this=0x55d290c6b9f0) at /usr/include/c++/6/bits/stl_tree.h:1510
insert_left = false
z =
#13 std::_Rb_tree<Json::Value::CZString, std::pair<Json::Value::CZString const, Json::Value>, std::_Select1st<std::pair<Json::Value::CZString const, Json::Value> >, std::less<Json::Value::CZString>, std::allocator<std::pair<Json::Value::CZString const, Json::Value> > >::_M_insert_unique<std::pair<Json::Value::CZString const, Json::Value>&, std::_Rb_tree<Json::Value::CZString, std::pair<Json::Value::CZString const, Json::Value>, std::_Select1st<std::pair<Json::Value::CZString const, Json::Value> >, std::less<Json::Value::CZString>, std::allocator<std::pair<Json::Value::CZString const, Json::Value> > >::_Alloc_node> (this=0x55d290c6b9f0, position=..., position@entry=..., v=..., node_gen=...) at /usr/include/c++/6/bits/stl_tree.h:1979
res =
#14 0x00007ff5845fc57e in std::_Rb_tree<Json::Value::CZString, std::pair<Json::Value::CZString const, Json::Value>, std::_Select1st<std::pair<Json::Value::CZString const, Json::Value> >, std::less<Json::Value::CZString>, std::allocator<std::pair<Json::Value::CZString const, Json::Value> > >::_M_insert_unique<std::pair<Json::Value::CZString const, Json::Value>&> (x=..., pos=..., this=) at /usr/include/c++/6/bits/stl_tree.h:950
No locals.
#15 std::map<Json::Value::CZString, Json::Value, std::less<Json::Value::CZString>, std::allocator<std::pair<Json::Value::CZString const, Json::Value> > >::insert<std::pair<Json::Value::CZString const, Json::Value>&, void> (x=..., position=..., this=) at /usr/include/c++/6/bits/stl_map.h:794
No locals.
#16 Json::Value::operator[] (this=0x55d290c6bad0, index=index@entry=1) at ./src/lib_json/json_value.cpp:988
key = {cstr = 0x0, {index = 1, storage = {policy = 1, length = 0}}}
it =
defaultValue = {first = {cstr = 0x0, {index = 1, storage = {policy = 1, length = 0}}}, second = {static null = @0x55d290c4bcf0, static nullRef = @0x55d290c4bcf0, static minLargestInt = -9223372036854775808, static maxLargestInt = 9223372036854775807, static maxLargestUInt = 18446744073709551615, static minInt = -2147483648, static maxInt = 2147483647, static maxUInt = 4294967295, static minInt64 = -9223372036854775808, static maxInt64 = 9223372036854775807, static maxUInt64 = 18446744073709551615, value = {int = 0, uint = 0, real = 0, bool = false, string = 0x0, map = 0x0}, type = Json::nullValue, allocated = 0, comments = 0x0, start = 0, limit = 0}}
#17 0x00007ff5845fc927 in Json::Value::operator[] (this=, index=index@entry=1) at ./src/lib_json/json_value.cpp:996
No locals.
#18 0x00007ff5845f03d0 in Json::Reader::readArray (this=this@entry=0x7fffac6ef9e0, tokenStart=...) at ./src/lib_json/json_reader.cpp:531
value =
ok =
token = {type = Json::Reader::tokenArraySeparator, start = 0x55d290c6b050 ", {"arch": "x86", "current": false, "CPU": 1, "qom_path": "/machine/unattached/device[2]", "pc": -2123711472, "halted": false, "thread_id": 17412}, {"arch": "x86", "current": false, "CPU": 2, "qom_pat"..., end = 0x55d290c6b051 " {"arch": "x86", "current": false, "CPU": 1, "qom_path": "/machine/unattached/device[2]", "pc": -2123711472, "halted": false, "thread_id": 17412}, {"arch": "x86", "current": false, "CPU": 2, "qom_path"...}
badTokenType =
init = {static null = @0x55d290c4bcf0, static nullRef = @0x55d290c4bcf0, static minLargestInt = -9223372036854775808, static maxLargestInt = 9223372036854775807, static maxLargestUInt = 18446744073709551615, static minInt = -2147483648, static maxInt = 2147483647, static maxUInt = 4294967295, static minInt64 = -9223372036854775808, static maxInt64 = 9223372036854775807, static maxUInt64 = 18446744073709551615, value = {int = 0, uint = 0, real = 0, bool = false, string = 0x0, map = 0x0}, type = Json::nullValue, allocated = 0, comments = 0x0, start = 0, limit = 0}
index = 2
#19 0x00007ff5845f023b in Json::Reader::readValue (this=this@entry=0x7fffac6ef9e0) at ./src/lib_json/json_reader.cpp:186
token = {type = Json::Reader::tokenArrayBegin, start = 0x55d290c6afbc "[{"arch": "x86", "current": true, "CPU": 0, "qom_path": "/machine/unattached/device[0]", "pc": 140043817632820, "halted": false, "thread_id": 17411}, {"arch": "x86", "current": false, "CPU": 1, "qom_p"..., end = 0x55d290c6afbd "{"arch": "x86", "current": true, "CPU": 0, "qom_path": "/machine/unattached/device[0]", "pc": 140043817632820, "halted": false, "thread_id": 17411}, {"arch": "x86", "current": false, "CPU": 1, "qom_pa"...}
successful = true
#20 0x00007ff5845efb73 in Json::Reader::readObject (this=this@entry=0x7fffac6ef9e0, tokenStart=...) at ./src/lib_json/json_reader.cpp:496
colon = {type = Json::Reader::tokenMemberSeparator, start = 0x55d290c6afba ": [{"arch": "x86", "current": true, "CPU": 0, "qom_path": "/machine/unattached/device[0]", "pc": 140043817632820, "halted": false, "thread_id": 17411}, {"arch": "x86", "current": false, "CPU": 1, "qom"..., end = 0x55d290c6afbb " [{"arch": "x86", "current": true, "CPU": 0, "qom_path": "/machine/unattached/device[0]", "pc": 140043817632820, "halted": false, "thread_id": 17411}, {"arch": "x86", "current": false, "CPU": 1, "qom"...}
value =
ok =
comma = {type = 2428943056, start = 0x0, end = 0x7fffac6ef720 "\373\006"}
finalizeTokenOk =
initialTokenOk = true
tokenName = {type = Json::Reader::tokenString, start = 0x55d290c6afb2 ""return": [{"arch": "x86", "current": true, "CPU": 0, "qom_path": "/machine/unattached/device[0]", "pc": 140043817632820, "halted": false, "thread_id": 17411}, {"arch": "x86", "current": false, "CPU":"..., end = 0x55d290c6afba ": [{"arch": "x86", "current": true, "CPU": 0, "qom_path": "/machine/unattached/device[0]", "pc": 140043817632820, "halted": false, "thread_id": 17411}, {"arch": "x86", "current": false, "CPU": 1, "qom"...}
name = {static npos = 18446744073709551615, _M_dataplus = {<std::allocator> = {<__gnu_cxx::new_allocator> = {}, }, _M_p = 0x7fffac6ef610 "return"}, _M_string_length = 6, {_M_local_buf = "return\000\000\200\273\026\204\365\177\000", _M_allocated_capacity = 121437875889522}}
init = {static null = @0x55d290c4bcf0, static nullRef = @0x55d290c4bcf0, static minLargestInt = -9223372036854775808, static maxLargestInt = 9223372036854775807, static maxLargestUInt = 18446744073709551615, static minInt = -2147483648, static maxInt = 2147483647, static maxUInt = 4294967295, static minInt64 = -9223372036854775808, static maxInt64 = 9223372036854775807, static maxUInt64 = 18446744073709551615, value = {int = 1787, uint = 1787, real = 8.8289530911830757e-321, bool = 251, string = 0x6fb <error: Cannot access memory at address 0x6fb>, map = 0x6fb}, type = Json::nullValue, allocated = 0, comments = 0x0, start = 0, limit = 0}
#21 0x00007ff5845f0033 in Json::Reader::readValue (this=this@entry=0x7fffac6ef9e0) at ./src/lib_json/json_reader.cpp:182
token = {type = Json::Reader::tokenObjectBegin, start = 0x55d290c6afb0 "{ "return": [{"arch": "x86", "current": true, "CPU": 0, "qom_path": "/machine/unattached/device[0]", "pc": 140043817632820, "halted": false, "thread_id": 17411}, {"arch": "x86", "current": false, "CPU"..., end = 0x55d290c6afb1 " "return": [{"arch": "x86", "current": true, "CPU": 0, "qom_path": "/machine/unattached/device[0]", "pc": 140043817632820, "halted": false, "thread_id": 17411}, {"arch": "x86", "current": false, "CPU""...}
successful = true
#22 0x00007ff5845f0756 in Json::Reader::parse (this=this@entry=0x7fffac6ef9e0, beginDoc=0x55d290c6afb0 "{ "return": [{"arch": "x86", "current": true, "CPU": 0, "qom_path": "/machine/unattached/device[0]", "pc": 140043817632820, "halted": false, "thread_id": 17411}, {"arch": "x86", "current": false, "CPU"..., endDoc=0x55d290c6b6b9 "", root=..., collectComments=, collectComments@entry=true) at ./src/lib_json/json_reader.cpp:142
successful =
token = {type = 2892953920, start = 0x55d290c6f9d0 "\230O\301\203\365\177", end = 0x55d290c6fbd0 " "/machia\003"}
#23 0x00007ff5845f08f0 in Json::Reader::parse (this=0x7fffac6ef9e0, document=..., root=..., collectComments=collectComments@entry=true) at ./src/lib_json/json_reader.cpp:105
documentCopy = {static npos = 18446744073709551615, _M_dataplus = {<std::allocator> = {<__gnu_cxx::new_allocator> = {}, }, _M_p = 0x7fffac6ef890 ""}, _M_string_length = 0, {_M_local_buf = "\000\000\000\000\000\000\000\000w\000\000\000|\000\000", _M_allocated_capacity = 0}}
end =
```