[BusyBox 0001272]: ash crashes on mpc8349 powerpc platform - free invalid pointer
bugs at busybox.net
Tue Mar 13 01:30:36 UTC 2007
The following issue has been SUBMITTED.
======================================================================
http://busybox.net/bugs/view.php?id=1272
======================================================================
Reported By: Franklin
Assigned To: BusyBox
======================================================================
Project: BusyBox
Issue ID: 1272
Category: Standards Compliance
Reproducibility: always
Severity: crash
Priority: normal
Status: assigned
======================================================================
Date Submitted: 03-12-2007 18:30 PDT
Last Modified: 03-12-2007 18:30 PDT
======================================================================
Summary: ash crashes on mpc8349 powerpc platform - free invalid pointer
Description:
I posted a message on the mailing list before, and now I think it should be a
bug.
Recently I've been playing with an embedded system running on mpc8349 (powerpc).
I built the toolchain myself, including glibc-2.4, binutils-2.17 and
gcc-4.1.1.
Then I downloaded busybox 1.4.1 and built it. However, when running the
starting script, it showed the following messages and the system was
unusable:
*** glibc detected *** -sh: free(): invalid pointer: 0x1007f1a8 ***
======= Backtrace: =========
/usr/powerpc/lib/libc.so.6[0xfe016ec]
/usr/powerpc/lib/libc.so.6(__libc_free+0xc0)[0xfe03120]
-sh[0x10045138]
-sh[0x100527b4]
-sh[0x10050490]
-sh[0x10050650]
-sh[0x100517ac]
-sh[0x10051d2c]
-sh[0x100042bc]
-sh[0x1000449c]
/usr/powerpc/lib/libc.so.6[0xfda9750]
/usr/powerpc/lib/libc.so.6[0xfda9974]
I tried to hack into shells/ash.c, added some debug messages and found
that, in popstackmark() in ash.c (about line 8315+),

    while (stackp != mark->stackp) {
        sp = stackp;
        stackp = sp->prev;
        ckfree(sp);
    }

in some cases mark->stackp became NULL, so stackp would never be equal
to mark->stackp, and finally it would try to free the stackbase, which is
a static non-pointer struct variable, and glibc complains about it.
I don't know what cases cause mark->stackp to become NULL. I think that
the mark itself might be invalid too. Right now I just added

    if (!mark->stackp) return;

before the while loop, and the shell runs well. It is an ugly solution,
but I have no idea how to dig further.
======================================================================
Issue History
Date Modified Username Field Change
======================================================================
03-12-07 18:30 Franklin New Issue
03-12-07 18:30 Franklin Status new => assigned
03-12-07 18:30 Franklin Assigned To => BusyBox
03-12-07 18:30 Franklin File Added: busybox.log
======================================================================
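The failure described in the report, as an added example that is not part of the report or of BusyBox: a simplified model of the block chain whose pop routine first checks that the mark is actually on the chain, so a NULL or stale mark is rejected instead of the loop running on to free the static stackbase. It goes beyond the reporter's NULL-only guard by rejecting any mark not found on the chain; the struct layout and the names push_block, set_mark and popstackmark_checked are assumptions.

```c
#include <stdlib.h>

/* Simplified model of the block chain described in the report; the layout
 * and helper names are assumptions, not copied from shells/ash.c. */
struct stack_block { struct stack_block *prev; };
struct stackmark { struct stack_block *stackp; };

static struct stack_block stackbase;            /* static: never free() this */
static struct stack_block *stackp = &stackbase; /* top of the chain */

static int push_block(void)
{
    struct stack_block *sp = malloc(sizeof(*sp));
    if (sp == NULL)
        return -1;
    sp->prev = stackp;
    stackp = sp;
    return 0;
}

static void set_mark(struct stackmark *mark) { mark->stackp = stackp; }

/* Returns the number of blocks freed, or -1 (freeing nothing) when the mark
 * is not on the chain, e.g. mark->stackp == NULL as seen in the report. */
static int popstackmark_checked(const struct stackmark *mark)
{
    struct stack_block *sp;
    int freed = 0;
    /* Dry run: reaching stackbase without meeting the mark means the
     * unchecked loop would go on to free(&stackbase). */
    for (sp = stackp; sp != mark->stackp; sp = sp->prev)
        if (sp == &stackbase)
            return -1;
    while (stackp != mark->stackp) {
        sp = stackp;
        stackp = sp->prev;
        free(sp);
        freed++;
    }
    return freed;
}

int main(void)
{
    struct stackmark base, bad = { NULL };
    set_mark(&base);
    if (push_block() != 0 || push_block() != 0)
        return 1;
    return !(popstackmark_checked(&bad) == -1 && popstackmark_checked(&base) == 2);
}
```

A -1 return is the point at which to log the mark and its caller, which is the information needed to find where mark->stackp was cleared or never set.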