GNU bug report logs - #76613: diff -y crashes with apparent memory corruption
[Message part 1 (text/plain, inline)]
Your message dated Fri, 28 Feb 2025 23:16:07 -0800
with message-id <93e018b2-adc6-458c-924b-0938aeb90d0f <at> cs.ucla.edu>
and subject line Re: [bug-diffutils] bug#76613: bug#76613: diff -y crashes with apparent memory corruption
has caused the debbugs.gnu.org bug report #76613,
regarding diff -y crashes with apparent memory corruption
to be marked as done.
(If you believe you have received this mail in error, please contact
help-debbugs <at> gnu.org.)
--
76613: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=76613
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
[Message part 2 (message/rfc822, inline)]
Hi,
I'm running diffutils-3.11, downloaded from ftp.gnu.org and built with ./configure && make (no options given).
I'm seeing the problem that diff -y is crashing with various malloc-related errors. Here is an example. First I create two files a and b like so:
% seq 1 100 > a
% seq 1 100 | grep -v 50 > b
Then I run diff -y a b, which crashes with an error in free():
% diff -y a b
free(): corrupted unsorted chunks
zsh: IOT instruction src/diff -y ~/a ~/b
I haven't looked into the source to find out the problem, but I did compile a debug build and run it under Valgrind. It detected some memory corruption - here is the report:
==9602== Memcheck, a memory error detector
==9602== Copyright (C) 2002-2024, and GNU GPL'd, by Julian Seward et al.
==9602== Using Valgrind-3.24.0 and LibVEX; rerun with -h for copyright info
==9602== Command: src/diff -y /home/nick/a /home/nick/b
==9602==
==9602== Invalid write of size 8
==9602==    at 0x40EC8A: find_and_hash_each_line (io.c:1017)
==9602==    by 0x40FBAA: read_files (io.c:1366)
==9602==    by 0x40596C: diff_2_files (analyze.c:463)
==9602==    by 0x409B1F: compare_prepped_files (diff.c:1371)
==9602==    by 0x40ADBF: compare_files (diff.c:1633)
==9602==    by 0x408834: main (diff.c:881)
==9602==  Address 0x4b12f80 is 0 bytes after a block of size 656 alloc'd
==9602==    at 0x4850C7C: realloc (vg_replace_malloc.c:1801)
==9602==    by 0x41A8A6: rpl_realloc (stdlib.h:2066)
==9602==    by 0x41CE27: xrealloc (xmalloc.c:66)
==9602==    by 0x41D196: xpalloc (xmalloc.c:271)
==9602==    by 0x40EC4A: find_and_hash_each_line (io.c:1013)
==9602==    by 0x40FBAA: read_files (io.c:1366)
==9602==    by 0x40596C: diff_2_files (analyze.c:463)
==9602==    by 0x409B1F: compare_prepped_files (diff.c:1371)
==9602==    by 0x40ADBF: compare_files (diff.c:1633)
==9602==    by 0x408834: main (diff.c:881)
==9602==
--9602-- VALGRIND INTERNAL ERROR: Valgrind received a signal 11 (SIGSEGV) - exiting
--9602-- si_code=1; Faulting address: 0x9622BA0; sp: 0x1002cf6e20
valgrind: the 'impossible' happened:
Killed by fatal signal
host stacktrace:
==9602==    at 0x5804AE1F: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux)
==9602==    by 0x58004E0C: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux)
==9602==    by 0x58005203: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux)
==9602==    by 0x58097E37: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux)
==9602==    by 0x580E1E1A: ??? (in /usr/libexec/valgrind/memcheck-amd64-linux)
sched status:
running_tid=1
Thread 1: status = VgTs_Runnable (lwpid 9602)
==9602==    at 0x4850A5F: calloc (vg_replace_malloc.c:1675)
==9602==    by 0x4160B0: icalloc (ialloc.h:91)
==9602==    by 0x41D239: xicalloc (xmalloc.c:304)
==9602==    by 0x41D1E7: xizalloc (xmalloc.c:289)
==9602==    by 0x405E39: diff_2_files (analyze.c:529)
==9602==    by 0x409B1F: compare_prepped_files (diff.c:1371)
==9602==    by 0x40ADBF: compare_files (diff.c:1633)
==9602==    by 0x408834: main (diff.c:881)
client stack range: [0x1FFEFFD000 0x1FFF000FFF] client SP: 0x1FFEFFEDA0
valgrind stack range: [0x1002BF7000 0x1002CF6FFF] top usage: 7272 of 1048576
Nick
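A triage helper for the Memcheck record in the report above, added here as an example; it is not part of the original thread or of diffutils. The function names and the ALLOC_WRAPPERS set are this example's own, and the index calculation assumes the block is an array of elements the same size as the access.

```python
import re

# Excerpt of the Memcheck record from the report above (frames trimmed).
REPORT = """\
==9602== Invalid write of size 8
==9602==    at 0x40EC8A: find_and_hash_each_line (io.c:1017)
==9602==    by 0x40FBAA: read_files (io.c:1366)
==9602==  Address 0x4b12f80 is 0 bytes after a block of size 656 alloc'd
==9602==    at 0x4850C7C: realloc (vg_replace_malloc.c:1801)
==9602==    by 0x41D196: xpalloc (xmalloc.c:271)
==9602==    by 0x40EC4A: find_and_hash_each_line (io.c:1013)
==9602==
"""
PREFIX = re.compile(r"^==\d+==")
HEAD = re.compile(r"^Invalid (read|write) of size (\d+)$")
ADDR = re.compile(r"^Address 0x[0-9a-fA-F]+ is (\d+) bytes (after|before|inside) "
                  r"a block of size (\d+) (alloc'd|free'd)$")
FRAME = re.compile(r"^(?:at|by) 0x[0-9A-Fa-f]+: (.+) \(([^()]*)\)$")
# Assumption: allocator and wrapper frames to skip when naming the buffer's owner.
ALLOC_WRAPPERS = {"malloc", "calloc", "realloc", "rpl_realloc", "xrealloc", "xpalloc"}

def parse_invalid_access(text):
    """Return the first 'Invalid read/write' record, or None if there is none."""
    rec = stack = None
    for raw in text.splitlines():
        line = PREFIX.sub("", raw).strip()  # tolerates collapsed indentation
        if rec is None:
            if m := HEAD.match(line):
                rec = {"access": m[1], "size": int(m[2]), "access_stack": [], "block_stack": []}
                stack = rec["access_stack"]
        elif m := ADDR.match(line):
            rec.update(offset=int(m[1]), where=m[2], block_size=int(m[3]), state=m[4])
            stack = rec["block_stack"]  # frames from here on describe the allocation
        elif m := FRAME.match(line):
            stack.append((m[1], m[2]))
        else:
            break  # blank separator or unrelated line ends this record
    return rec

def triage(rec):
    """Classify the record and name the faulting and owning source locations."""
    overflow = rec.get("where") == "after" and rec.get("state") == "alloc'd"
    owner = next((f for f in rec["block_stack"] if f[0] not in ALLOC_WRAPPERS), None)
    index = None
    if overflow and rec["block_size"] % rec["size"] == 0:
        # Treating the block as an array of access-sized elements, this is the
        # element index touched; index == slot count means one past the end.
        index = (rec["block_size"] + rec["offset"]) // rec["size"]
    return {"kind": "heap overflow" if overflow else "other",
            "fault": rec["access_stack"][0], "owner": owner, "index": index}
```

On the record above, `triage(parse_invalid_access(REPORT))` reports a heap overflow at io.c:1017 on a buffer last grown at io.c:1013, touching index 82 of a block that holds 82 eight-byte slots.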
[Message part 3 (message/rfc822, inline)]
On 2025-02-27 20:35, Collin Funk wrote:
> I've attached a patch that satisfies sanitizers
Thanks, that looks good, and I installed that one-line change along with
a NEWS file notice and a test case. And thanks to Nick for reporting
this. Closing the bug report.
This bug report was last modified 55 days ago.