[GNC] double free in gnc_import_exists_online_id (4.12)

john jralls at ceridwen.us
Sat Nov 26 20:41:15 EST 2022


> On Nov 26, 2022, at 2:35 PM, Dong Lin via gnucash-user <gnucash-user at gnucash.org> wrote:
> 
> I was chasing an issue in duplicate transaction handling in 4.8 (Ubuntu 22.04). I encountered a double-free crash while running 4.12.
> This is triggered by importing the same QFX file twice (or two distinct files with duplicate transactions).
> Valgrind reported the following:
> ==1315253== Invalid free() / delete / delete[] / realloc()
> ==1315253==    at 0x484B27F: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
> ==1315253==    by 0x6819CEF: gnc_import_exists_online_id (in /disk2/nbu/src/gnucash.git/build-4.12/lib/gnucash/libgnc-generic-import.so)
> ==1315253==    by 0x682426C: gnc_gen_trans_list_add_trans_with_ref_id (in /disk2/nbu/src/gnucash.git/build-4.12/lib/gnucash/libgnc-generic-import.so)
> ==1315253==    by 0x6824158: gnc_gen_trans_list_add_trans (in /disk2/nbu/src/gnucash.git/build-4.12/lib/gnucash/libgnc-generic-import.so)
> ==1315253==    by 0x11AEB20A: runMatcher (in /disk2/nbu/src/gnucash.git/build-4.12/lib/gnucash/libgncmod-ofx.so)
> ==1315253==    by 0x11AEB679: gnc_file_ofx_import_process_file (in /disk2/nbu/src/gnucash.git/build-4.12/lib/gnucash/libgncmod-ofx.so)
> ==1315253==    by 0x11AEB93A: gnc_file_ofx_import (in /disk2/nbu/src/gnucash.git/build-4.12/lib/gnucash/libgncmod-ofx.so)
> ==1315253==    by 0x11AEBCFB: gnc_plugin_ofx_cmd_import (in /disk2/nbu/src/gnucash.git/build-4.12/lib/gnucash/libgncmod-ofx.so)
> ==1315253==    by 0x5AB4D2E: g_closure_invoke (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.7200.1)
> ==1315253==    by 0x5AD0B75: ??? (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.7200.1)
> ==1315253==    by 0x5AD2553: g_signal_emit_valist (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.7200.1)
> ==1315253==    by 0x5AD27A2: g_signal_emit (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.7200.1)
> ==1315253==    by 0x515403E: ??? (in /usr/lib/x86_64-linux-gnu/libgtk-3.so.0.2404.29)
> ==1315253==    by 0x5AD263F: g_signal_emit_valist (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.7200.1)
> ==1315253==    by 0x5AD27A2: g_signal_emit (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.7200.1)
> ==1315253==    by 0x5435CBB: gtk_widget_activate (in /usr/lib/x86_64-linux-gnu/libgtk-3.so.0.2404.29)
> ==1315253==    by 0x53039CD: gtk_menu_shell_activate_item (in /usr/lib/x86_64-linux-gnu/libgtk-3.so.0.2404.29)
> ==1315253==    by 0x5303CA2: ??? (in /usr/lib/x86_64-linux-gnu/libgtk-3.so.0.2404.29)
> ==1315253==    by 0x5483EB7: ??? (in /usr/lib/x86_64-linux-gnu/libgtk-3.so.0.2404.29)
> ==1315253==    by 0x5AD263F: g_signal_emit_valist (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.7200.1)
> ==1315253==    by 0x5AD27A2: g_signal_emit (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.7200.1)
> ==1315253==    by 0x544B723: ??? (in /usr/lib/x86_64-linux-gnu/libgtk-3.so.0.2404.29)
> ==1315253==    by 0x52EE67F: ??? (in /usr/lib/x86_64-linux-gnu/libgtk-3.so.0.2404.29)
> ==1315253==    by 0x52EF529: gtk_main_do_event (in /usr/lib/x86_64-linux-gnu/libgtk-3.so.0.2404.29)
> ==1315253==    by 0x6B3D742: ??? (in /usr/lib/x86_64-linux-gnu/libgdk-3.so.0.2404.29)
> ==1315253==  Address 0x14a1abd0 is 0 bytes inside a block of size 15 free'd
> ==1315253==    at 0x484B27F: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
> ==1315253==    by 0x4C336C9: ??? (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.7200.1)
> ==1315253==    by 0x4C33C6F: g_hash_table_insert (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.7200.1)
> ==1315253==    by 0x6819CDF: gnc_import_exists_online_id (in /disk2/nbu/src/gnucash.git/build-4.12/lib/gnucash/libgnc-generic-import.so)
> ==1315253==    by 0x682426C: gnc_gen_trans_list_add_trans_with_ref_id (in /disk2/nbu/src/gnucash.git/build-4.12/lib/gnucash/libgnc-generic-import.so)
> ==1315253==    by 0x6824158: gnc_gen_trans_list_add_trans (in /disk2/nbu/src/gnucash.git/build-4.12/lib/gnucash/libgnc-generic-import.so)
> ==1315253==    by 0x11AEB20A: runMatcher (in /disk2/nbu/src/gnucash.git/build-4.12/lib/gnucash/libgncmod-ofx.so)
> ==1315253==    by 0x11AEB679: gnc_file_ofx_import_process_file (in /disk2/nbu/src/gnucash.git/build-4.12/lib/gnucash/libgncmod-ofx.so)
> ==1315253==    by 0x11AEB93A: gnc_file_ofx_import (in /disk2/nbu/src/gnucash.git/build-4.12/lib/gnucash/libgncmod-ofx.so)
> ==1315253==    by 0x11AEBCFB: gnc_plugin_ofx_cmd_import (in /disk2/nbu/src/gnucash.git/build-4.12/lib/gnucash/libgncmod-ofx.so)
> ==1315253==    by 0x5AB4D2E: g_closure_invoke (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.7200.1)
> ==1315253==    by 0x5AD0B75: ??? (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.7200.1)
> ==1315253==    by 0x5AD2553: g_signal_emit_valist (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.7200.1)
> ==1315253==    by 0x5AD27A2: g_signal_emit (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.7200.1)
> ==1315253==    by 0x515403E: ??? (in /usr/lib/x86_64-linux-gnu/libgtk-3.so.0.2404.29)
> ==1315253==    by 0x5AD263F: g_signal_emit_valist (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.7200.1)
> ==1315253==    by 0x5AD27A2: g_signal_emit (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.7200.1)
> ==1315253==    by 0x5435CBB: gtk_widget_activate (in /usr/lib/x86_64-linux-gnu/libgtk-3.so.0.2404.29)
> ==1315253==    by 0x53039CD: gtk_menu_shell_activate_item (in /usr/lib/x86_64-linux-gnu/libgtk-3.so.0.2404.29)
> ==1315253==    by 0x5303CA2: ??? (in /usr/lib/x86_64-linux-gnu/libgtk-3.so.0.2404.29)
> ==1315253==    by 0x5483EB7: ??? (in /usr/lib/x86_64-linux-gnu/libgtk-3.so.0.2404.29)
> ==1315253==    by 0x5AD263F: g_signal_emit_valist (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.7200.1)
> ==1315253==    by 0x5AD27A2: g_signal_emit (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.7200.1)
> ==1315253==    by 0x544B723: ??? (in /usr/lib/x86_64-linux-gnu/libgtk-3.so.0.2404.29)
> ==1315253==    by 0x52EE67F: ??? (in /usr/lib/x86_64-linux-gnu/libgtk-3.so.0.2404.29)
> ==1315253==  Block was alloc'd at
> ==1315253==    at 0x4848899: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
> ==1315253==    by 0x4C4E718: g_malloc (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.7200.1)
> ==1315253==    by 0x4C63573: g_strdup (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.7200.1)
> ==1315253==    by 0x5AE067C: ??? (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.7200.1)
> ==1315253==    by 0x5AC7830: g_object_get_valist (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.7200.1)
> ==1315253==    by 0x5F4C2BD: qof_instance_get (in /disk2/nbu/src/gnucash.git/build-4.12/lib/libgnc-engine.so)
> ==1315253==    by 0x681CE35: gnc_import_get_split_online_id (in /disk2/nbu/src/gnucash.git/build-4.12/lib/gnucash/libgnc-generic-import.so)
> ==1315253==    by 0x6819CC3: gnc_import_exists_online_id (in /disk2/nbu/src/gnucash.git/build-4.12/lib/gnucash/libgnc-generic-import.so)
> ==1315253==    by 0x682426C: gnc_gen_trans_list_add_trans_with_ref_id (in /disk2/nbu/src/gnucash.git/build-4.12/lib/gnucash/libgnc-generic-import.so)
> ==1315253==    by 0x6824158: gnc_gen_trans_list_add_trans (in /disk2/nbu/src/gnucash.git/build-4.12/lib/gnucash/libgnc-generic-import.so)
> ==1315253==    by 0x11AEB20A: runMatcher (in /disk2/nbu/src/gnucash.git/build-4.12/lib/gnucash/libgncmod-ofx.so)
> ==1315253==    by 0x11AEB679: gnc_file_ofx_import_process_file (in /disk2/nbu/src/gnucash.git/build-4.12/lib/gnucash/libgncmod-ofx.so)
> ==1315253==    by 0x11AEB93A: gnc_file_ofx_import (in /disk2/nbu/src/gnucash.git/build-4.12/lib/gnucash/libgncmod-ofx.so)
> ==1315253==    by 0x11AEBCFB: gnc_plugin_ofx_cmd_import (in /disk2/nbu/src/gnucash.git/build-4.12/lib/gnucash/libgncmod-ofx.so)
> ==1315253==    by 0x5AB4D2E: g_closure_invoke (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.7200.1)
> ==1315253==    by 0x5AD0B75: ??? (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.7200.1)
> ==1315253==    by 0x5AD2553: g_signal_emit_valist (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.7200.1)
> ==1315253==    by 0x5AD27A2: g_signal_emit (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.7200.1)
> ==1315253==    by 0x515403E: ??? (in /usr/lib/x86_64-linux-gnu/libgtk-3.so.0.2404.29)
> ==1315253==    by 0x5AD263F: g_signal_emit_valist (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.7200.1)
> ==1315253==    by 0x5AD27A2: g_signal_emit (in /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.7200.1)
> ==1315253==    by 0x5435CBB: gtk_widget_activate (in /usr/lib/x86_64-linux-gnu/libgtk-3.so.0.2404.29)
> ==1315253==    by 0x53039CD: gtk_menu_shell_activate_item (in /usr/lib/x86_64-linux-gnu/libgtk-3.so.0.2404.29)
> ==1315253==    by 0x5303CA2: ??? (in /usr/lib/x86_64-linux-gnu/libgtk-3.so.0.2404.29)
> ==1315253==    by 0x5483EB7: ??? (in /usr/lib/x86_64-linux-gnu/libgtk-3.so.0.2404.29)
> 
> 
> I tried running gdb on the binary but for some reason GNC crashed while running inside of GDB.
> 
> Thread 1 "gnucash" received signal SIGSEGV, Segmentation fault.
> 0x00007ffff5bb68f2 in GC_find_limit_with_bound () from /lib/x86_64-linux-gnu/libgc.so.1
> (gdb) bt
> #0  0x00007ffff5bb68f2 in GC_find_limit_with_bound () at /lib/x86_64-linux-gnu/libgc.so.1
> #1  0x00007ffff5bb69da in GC_init_linux_data_start () at /lib/x86_64-linux-gnu/libgc.so.1
> #2  0x00007ffff5bb7f67 in GC_init () at /lib/x86_64-linux-gnu/libgc.so.1
> #3  0x00007ffff7c7ac8e in  () at /lib/x86_64-linux-gnu/libguile-3.0.so.1
> #4  0x00007ffff7cde90f in  () at /lib/x86_64-linux-gnu/libguile-3.0.so.1
> #5  0x00007ffff7cdecde in  () at /lib/x86_64-linux-gnu/libguile-3.0.so.1
> #6  0x00007ffff5bb680b in GC_call_with_stack_base () at /lib/x86_64-linux-gnu/libgc.so.1
> #7  0x00007ffff7cd9dbc in scm_with_guile () at /lib/x86_64-linux-gnu/libguile-3.0.so.1
> #8  0x00007ffff7c7abd9 in scm_boot_guile () at /lib/x86_64-linux-gnu/libguile-3.0.so.1
> #9  0x000055555558bd62 in Gnucash::Gnucash::start(int, char**) (this=0x7fffffffe340, argc=1, argv=0x7fffffffe708)
>     at /home/dong/src/gnucash.git/gnucash/gnucash/gnucash.cpp:333
> #10 0x000055555558bf46 in main(int, char**) (argc=1, argv=0x7fffffffe708)
>     at /home/dong/src/gnucash.git/gnucash/gnucash/gnucash.cpp:357
> 
> 
> info on my environment:
> ; lsb_release -a
> No LSB modules are available.
> Distributor ID: Ubuntu
> Description:    Ubuntu 22.04.1 LTS
> Release:        22.04
> Codename:       jammy
> ; git log -1
> ebd340674e Sat Sep 24 14:06:53 2022 -0700 John Ralls                 Release GnuCash 4.12
> 

That's https://bugs.gnucash.org/show_bug.cgi?id=798629. It's already fixed in git.

> I am unfamiliar with scm or guile; if there is a way to avoid the segv in startup, I can look into this further.

It doesn't have anything to do with Guile. That just shows up in the stack traces because we run the event loop inside of it to support some scripting features.

> Is there a way I can make a statically linked debug binary?

You can try by changing https://github.com/Gnucash/gnucash/blob/8cf137740b9c42f3745342681adaebe06794c86d/CMakeLists.txt#L604 to OFF, but I've never tried to build a statically linked GnuCash. Telling CMake to do a debug build is usually sufficient, though sometimes when a bug is hard to figure out I'll also disable optimization by tacking -O0 to the end of CMAKE_C_FLAGS and CMAKE_CXX_FLAGS.

Regards,
John Ralls
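The Valgrind report above shows the whole shape of the bug: the online id is a g_strdup()'d string, it is freed once inside g_hash_table_insert() and then again by gnc_import_exists_online_id() itself. That is the documented GLib contract for a table created with a key_destroy_func: g_hash_table_insert() takes ownership of the key it is passed, and when an equal key is already present it keeps the old key and frees the passed one immediately, returning FALSE. The example below is added here and is not GnuCash's code (the actual caller in 4.12 is not on this page, and John says the fix is already in git); it models that ownership contract with a small string set so it compiles without glib, puts a caller that misreads the FALSE return as "the table did not take my key" next to one that does not free after insert, and runs both over a constructed batch of ids imported twice, as the reporter did with one QFX file. A tiny free-ledger stands in for Valgrind so the double free is counted instead of corrupting the heap.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Double-free ledger: every block from id_dup() is recorded, and id_free()
 * counts a second free of the same block instead of calling free() again.
 * Valgrind/ASan play this role in a real build; here it keeps the demo safe. */
#define MAX_BLOCKS 64
static char *ledger[MAX_BLOCKS];
static int   freed[MAX_BLOCKS];
static int   nblocks;
static int   double_frees;

static char *id_dup(const char *s) {            /* stands in for g_strdup() */
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (!p) abort();
    memcpy(p, s, n);
    if (nblocks < MAX_BLOCKS) { ledger[nblocks] = p; freed[nblocks] = 0; nblocks++; }
    return p;
}

static void id_free(char *p) {                  /* stands in for g_free() */
    for (int i = nblocks - 1; i >= 0; i--) {    /* newest entry wins if addresses recycle */
        if (ledger[i] != p) continue;
        if (freed[i]) { double_frees++; return; }   /* would be UB: record it instead */
        freed[i] = 1;
        free(p);
        return;
    }
    free(p);
}

int detected_double_frees(void) { return double_frees; }

/* Model of a GHashTable made with
 *   g_hash_table_new_full(g_str_hash, g_str_equal, g_free, NULL)
 * insert() owns `key` on both paths: a new key is stored, a duplicate key is
 * freed right here with key_destroy_func and 0 (FALSE) is returned. */
typedef struct { char *keys[MAX_BLOCKS]; int n; } IdSet;

static int idset_contains(const IdSet *s, const char *key) {
    for (int i = 0; i < s->n; i++)
        if (strcmp(s->keys[i], key) == 0) return 1;
    return 0;
}

static int idset_insert(IdSet *s, char *key) {
    if (idset_contains(s, key)) { id_free(key); return 0; }  /* duplicate: key freed */
    s->keys[s->n++] = key;                                    /* table owns key now */
    return 1;
}

static void idset_clear(IdSet *s) {
    for (int i = 0; i < s->n; i++) id_free(s->keys[i]);
    s->n = 0;
}

/* Hypothetical caller (not GnuCash's source) that misreads the contract:
 * "insert returned FALSE, so the table did not take my key, so I free it."
 * The table already freed it, so every duplicate id is freed twice. */
int exists_online_id_buggy(IdSet *seen, const char *online_id) {
    char *id = id_dup(online_id);
    if (!idset_insert(seen, id)) {
        id_free(id);        /* second free of the block insert() just freed */
        return 1;
    }
    return 0;
}

/* Ownership moves into the table on both paths, so the caller never frees id. */
int exists_online_id_fixed(IdSet *seen, const char *online_id) {
    char *id = id_dup(online_id);
    return idset_insert(seen, id) ? 0 : 1;
}

/* Import a constructed batch of online ids twice and return how many
 * duplicates the caller flagged; double frees are read via detected_double_frees(). */
int run_import_twice(int (*exists)(IdSet *, const char *)) {
    static const char *batch[] = { "20221101-0001", "20221101-0002", "20221102-0003" };
    IdSet seen = { {0}, 0 };
    int dups = 0;
    nblocks = 0;
    double_frees = 0;
    for (int pass = 0; pass < 2; pass++)
        for (size_t i = 0; i < sizeof batch / sizeof batch[0]; i++)
            dups += exists(&seen, batch[i]);
    idset_clear(&seen);
    return dups;
}

int main(void) {
    int d = run_import_twice(exists_online_id_buggy);
    printf("buggy caller: %d duplicates, %d double frees\n", d, detected_double_frees());
    d = run_import_twice(exists_online_id_fixed);
    printf("fixed caller: %d duplicates, %d double frees\n", d, detected_double_frees());
    return 0;
}
```

The same rule applies to g_hash_table_replace() (which frees the old key instead of the new one) and to g_hash_table_add(): once a key has been handed to a table that owns its keys, the caller must treat it as gone on every return path. If the caller still needs the string afterwards, it should check g_hash_table_contains() first and keep the copy it owns, or insert a separate g_strdup().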


