Libical 3.0.0 Release (I mean it this time :)
Milan Crha
mcrha at redhat.com
Tue Oct 24 00:21:53 PDT 2017
On Mon, 2017-10-23 at 12:27 -0400, Allen Winter wrote:
> I tried clang's thread sanitizer on the regression test
Hi,
I do not think it's a regression from any recent change, the issue had
been there for a long time, it's only hard to reproduce due to its
nature.
> Is there anyway to mockup a small test program that shows the
> problem?
Sure thing, here you are.
The first comment contains a command to compile & run it. It doesn't
crash always, because the behavior depends on thread interleaving, thus
I run it 10 times.
It's harder to reproduce under valgrind, due to all the memory checking
it does (and slows things down). I've got only one hit [1] out of those
ten runs under valgrind, while it crashes (segfaults) about half the time
without valgrind.
The second comment contains commands to compile & run with an address
sanitizer, which can catch the issue as well. I saw plain segfaults
with it, but also complete reports about double-free. [2]
Please note that I'm not touching icaltimezone directly, I only call
icaltime_convert_to_zone() with different dates, which causes
recalculation of the icaltimezone::changes array.
The other thread contains a naive fix which avoids the crash.
Bye,
Milan
[1] Valgrind output:
Thread 3:
Invalid read of size 8
at 0x4E73103: icalcomponent_get_next_property (icalcomponent.c:433)
by 0x4E887E2: icaltimezone_expand_vtimezone (icaltimezone.c:697)
by 0x4E881AD: icaltimezone_expand_changes (icaltimezone.c:476)
by 0x4E8814D: icaltimezone_ensure_coverage (icaltimezone.c:457)
by 0x4E88B13: icaltimezone_get_utc_offset (icaltimezone.c:789)
by 0x4E889F6: icaltimezone_convert_time (icaltimezone.c:752)
by 0x4E85548: icaltime_convert_to_zone (icaltime.c:981)
by 0x400820: test_tread (icaltm.c:23)
by 0x54F636C: start_thread (in /usr/lib64/libpthread-2.25.so)
by 0x581EBBE: clone (in /usr/lib64/libc-2.25.so)
Address 0x8c4cc80 is 32 bytes inside a block of size 80 free'd
at 0x4C2FD18: free (vg_replace_malloc.c:530)
by 0x4E72AE4: icalcomponent_free (icalcomponent.c:236)
by 0x4E72A05: icalcomponent_free (icalcomponent.c:213)
by 0x4E87A90: icaltimezone_get_vtimezone_properties (icaltimezone.c:278)
by 0x4E8A611: icaltimezone_load_builtin_timezone (icaltimezone.c:1800)
by 0x4E880D5: icaltimezone_ensure_coverage (icaltimezone.c:439)
by 0x4E88B13: icaltimezone_get_utc_offset (icaltimezone.c:789)
by 0x4E889F6: icaltimezone_convert_time (icaltimezone.c:752)
by 0x4E85548: icaltime_convert_to_zone (icaltime.c:981)
by 0x400820: test_tread (icaltm.c:23)
by 0x54F636C: start_thread (in /usr/lib64/libpthread-2.25.so)
by 0x581EBBE: clone (in /usr/lib64/libc-2.25.so)
Block was alloc'd at
at 0x4C2EB6B: malloc (vg_replace_malloc.c:299)
by 0x4E7268C: icalcomponent_new_impl (icalcomponent.c:93)
by 0x4E7271C: icalcomponent_new (icalcomponent.c:114)
by 0x4E8687C: icaltzutil_fetch_timezone (icaltz-util.c:464)
by 0x4E8A5E7: icaltimezone_load_builtin_timezone (icaltimezone.c:1792)
by 0x4E880D5: icaltimezone_ensure_coverage (icaltimezone.c:439)
by 0x4E88B13: icaltimezone_get_utc_offset (icaltimezone.c:789)
by 0x4E889F6: icaltimezone_convert_time (icaltimezone.c:752)
by 0x4E85548: icaltime_convert_to_zone (icaltime.c:981)
by 0x400820: test_tread (icaltm.c:23)
by 0x54F636C: start_thread (in /usr/lib64/libpthread-2.25.so)
by 0x581EBBE: clone (in /usr/lib64/libc-2.25.so)
[2] One of Address Sanitizer outputs:
==4795==ERROR: AddressSanitizer: attempting double-free on 0x619000016d80 in thread T1:
#0 0x7fe15146e4b8 in __interceptor_free (/lib64/libasan.so.4+0xde4b8)
#1 0x7fe151146dcb in icalarray_free icalarray.c:97
#2 0x7fe15115d1fd in icaltimezone_expand_changes icaltimezone.c:485
#3 0x7fe15115d14d in icaltimezone_ensure_coverage icaltimezone.c:457
#4 0x7fe15115db13 in icaltimezone_get_utc_offset icaltimezone.c:789
#5 0x7fe15115d9f6 in icaltimezone_convert_time icaltimezone.c:752
#6 0x7fe15115a548 in icaltime_convert_to_zone icaltime.c:981
#7 0x400e24 in test_tread icaltm.c:23
#8 0x7fe150ac436c in start_thread (/lib64/libpthread.so.0+0x736c)
#9 0x7fe14f8d9bbe in __GI___clone (/lib64/libc.so.6+0x110bbe)
0x619000016d80 is located 0 bytes inside of 1152-byte region [0x619000016d80,0x619000017200)
freed by thread T2 here:
#0 0x7fe15146e4b8 in __interceptor_free (/lib64/libasan.so.4+0xde4b8)
#1 0x7fe151146dcb in icalarray_free icalarray.c:97
#2 0x7fe15115d1fd in icaltimezone_expand_changes icaltimezone.c:485
#3 0x7fe15115d14d in icaltimezone_ensure_coverage icaltimezone.c:457
#4 0x7fe15115db13 in icaltimezone_get_utc_offset icaltimezone.c:789
#5 0x7fe15115d9f6 in icaltimezone_convert_time icaltimezone.c:752
#6 0x7fe15115a548 in icaltime_convert_to_zone icaltime.c:981
#7 0x400e24 in test_tread icaltm.c:23
#8 0x7fe150ac436c in start_thread (/lib64/libpthread.so.0+0x736c)
previously allocated by thread T2 here:
#0 0x7fe15146e850 in malloc (/lib64/libasan.so.4+0xde850)
#1 0x7fe151146bf0 in icalarray_alloc_chunk icalarray.c:52
#2 0x7fe1511471dc in icalarray_expand icalarray.c:183
#3 0x7fe151146e3c in icalarray_append icalarray.c:110
#4 0x7fe15115d665 in icaltimezone_expand_vtimezone icaltimezone.c:661
#5 0x7fe15115d1ad in icaltimezone_expand_changes icaltimezone.c:476
#6 0x7fe15115d14d in icaltimezone_ensure_coverage icaltimezone.c:457
#7 0x7fe15115db13 in icaltimezone_get_utc_offset icaltimezone.c:789
#8 0x7fe15115d9f6 in icaltimezone_convert_time icaltimezone.c:752
#9 0x7fe15115a548 in icaltime_convert_to_zone icaltime.c:981
#10 0x400e24 in test_tread icaltm.c:23
#11 0x7fe150ac436c in start_thread (/lib64/libpthread.so.0+0x736c)
Thread T1 created by T0 here:
#0 0x7fe1513c7a2f in pthread_create (/lib64/libasan.so.4+0x37a2f)
#1 0x400fcd in main icaltm.c:38
#2 0x7fe14f7e9509 in __libc_start_main (/lib64/libc.so.6+0x20509)
Thread T2 created by T0 here:
#0 0x7fe1513c7a2f in pthread_create (/lib64/libasan.so.4+0x37a2f)
#1 0x400fcd in main icaltm.c:38
#2 0x7fe14f7e9509 in __libc_start_main (/lib64/libc.so.6+0x20509)
SUMMARY: AddressSanitizer: double-free (/lib64/libasan.so.4+0xde4b8) in __interceptor_free
==4795==ABORTING
Aborted (core dumped)
Attachment: icaltm.c (text/x-csrc, 1315 bytes): <http://lists.infradead.org/pipermail/libical-devel/attachments/20171024/d489ae19/attachment.bin>
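As an added illustration (this is neither the icaltm.c attachment from the mail nor libical code), the following self-contained C program models the race the traces above show: a per-zone cache that is freed and rebuilt lazily whenever a query falls outside its covered range, called concurrently by several threads. The names tz_t, ensure_coverage, utc_offset and run_threads are hypothetical stand-ins for icaltimezone::changes, icaltimezone_ensure_coverage/expand_changes and icaltime_convert_to_zone; the `locked` flag shows one mutex around the check, the rebuild and the read, which is the shape a real fix would take.

```c
#include <pthread.h>
#include <stdlib.h>
enum { THREADS = 4, ITER = 4000 };
/* Shared zone: lazily built cache (like icaltimezone::changes) + hypothetical fix mutex */
typedef struct { int *changes; int covered_year; pthread_mutex_t lock; } tz_t;

/* Free and rebuild cache to cover `year` (like expand_changes): two threads here at once is the double free / use-after-free. */
static void ensure_coverage(tz_t *tz, int year)
{
    if (year <= tz->covered_year) return;
    free(tz->changes);
    tz->changes = malloc(sizeof(int) * (size_t)(year + 1));
    for (int y = 0; y <= year; y++)
        tz->changes[y] = y % 2; /* constructed "DST in effect" flag */
    tz->covered_year = year;
}

/* locked == 0 models today's icaltime_convert_to_zone() callers; locked == 1 holds one mutex across check, rebuild and read. */
static int utc_offset(tz_t *tz, int year, int locked)
{
    if (locked) pthread_mutex_lock(&tz->lock);
    ensure_coverage(tz, year);
    int off = tz->changes[year]; /* unlocked: may read memory another thread freed */
    if (locked) pthread_mutex_unlock(&tz->lock);
    return off;
}

struct job { tz_t *tz; int id; int locked; int bad; };
static void *worker(void *p)
{
    struct job *j = p;
    for (int i = 0; i < ITER; i++) {
        int year = (i * 37 + j->id * 11) % 300; /* constructed query mix */
        if (utc_offset(j->tz, year, j->locked) != year % 2)
            j->bad++; /* stale or garbage value observed */
    }
    return NULL;
}

/* Run THREADS threads against one shared zone; returns the mismatch count (0 when locked). */
int run_threads(int locked)
{
    tz_t tz = { NULL, -1, PTHREAD_MUTEX_INITIALIZER };
    pthread_t th[THREADS]; struct job jobs[THREADS]; int bad = 0;
    for (int t = 0; t < THREADS; t++) {
        jobs[t] = (struct job){ &tz, t, locked, 0 };
        pthread_create(&th[t], NULL, worker, &jobs[t]);
    }
    for (int t = 0; t < THREADS; t++) { pthread_join(th[t], NULL); bad += jobs[t].bad; }
    free(tz.changes);
    return bad;
}
```

Build with `-fsanitize=address` (or run under valgrind) and call `run_threads(0)` to see the same double-free / invalid-read reports as in the mail; `run_threads(1)` stays clean because the rebuild and the read can no longer interleave.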