From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S933974AbdABTjb (ORCPT ); Mon, 2 Jan 2017 14:39:31 -0500
Received: from mail.kernel.org ([198.145.29.136]:45822 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932733AbdABTjL (ORCPT ); Mon, 2 Jan 2017 14:39:11 -0500
Date: Mon, 2 Jan 2017 16:39:04 -0300
From: Arnaldo Carvalho de Melo
To: Krister Johansen
Cc: Namhyung Kim, Masami Hiramatsu, Frédéric Weisbecker, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2 perf/core] perf script: fix a use after free crash.
Message-ID: <20170102193904.GC27864@kernel.org>
References: <20161007022200.GB31113@sejong> <20161011092839.GC7837@templeofstupid.com> <20161026002010.GD2525@templeofstupid.com> <20161026134453.GA4936@kernel.org> <20161111004046.GA2185@templeofstupid.com> <20161122190106.GE5390@kernel.org> <20161229013947.GA2341@templeofstupid.com> <20170102151514.GB21178@kernel.org> <20170102173530.GA27864@kernel.org> <20170102173657.GB27864@kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20170102173657.GB27864@kernel.org>
X-Url: http://acmel.wordpress.com
User-Agent: Mutt/1.7.1 (2016-10-04)
Sender: linux-kernel-owner@vger.kernel.org
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Jan 02, 2017 at 02:36:57PM -0300, Arnaldo Carvalho de Melo wrote:
> On Mon, Jan 02, 2017 at 02:35:30PM -0300, Arnaldo Carvalho de Melo wrote:
> > On Mon, Jan 02, 2017 at 12:15:14PM -0300, Arnaldo Carvalho de Melo wrote:
> {
> 	zfree(&iter->priv);
> 	iter->he = NULL;
> +	map__zput(al->map);

What does this pair with?

I was expecting that since this is called via:

hist_entry_iter__add()
{
	err2 = iter->ops->finish_entry(iter, al);
}

Then it would have to match something done earlier in hist_entry_iter__add(), most likely by some iter->ops->() method, but I couldn't find anything to that extent, can you clarify?

- Arnaldo

> 	return 0;
> }
>
> > perf: util/map.c:246: map__exit: Assertion `!(!((&map->rb_node)->__rb_parent_color == (unsigned long)(&map->rb_node)))' failed.
> >
> > Thread 1 "perf" received signal SIGABRT, Aborted.
> > 0x00007ffff522691f in raise () from /lib64/libc.so.6
> > (gdb) bt
> > #0  0x00007ffff522691f in raise () from /lib64/libc.so.6
> > #1  0x00007ffff522851a in abort () from /lib64/libc.so.6
> > #2  0x00007ffff521eda7 in __assert_fail_base () from /lib64/libc.so.6
> > #3  0x00007ffff521ee52 in __assert_fail () from /lib64/libc.so.6
> > #4  0x0000000000504e57 in map__exit (map=0x2393790) at util/map.c:246
> > #5  0x0000000000504ea5 in map__delete (map=0x2393790) at util/map.c:252
> > #6  0x0000000000504f0a in map__put (map=0x2393790) at util/map.c:259
> > #7  0x000000000052fa01 in __map__zput (map=0x7fffffff8230) at util/map.h:161
> > #8  0x000000000053295b in iter_finish_cumulative_entry (iter=0x7fffffff8260, al=0x7fffffff8220) at util/hist.c:983
> > #9  0x0000000000532b53 in hist_entry_iter__add (iter=0x7fffffff8260, al=0x7fffffff8220, max_stack_depth=127, arg=0x7fffffffa7b0) at util/hist.c:1059
> > #10 0x000000000044f5cf in perf_event__process_sample (tool=0x7fffffffa7b0, event=0x7ffff7e24578, evsel=0x21515d0, sample=0x7fffffff8410, machine=0x21b2bf8)
> >     at builtin-top.c:774
> > #11 0x000000000044f8ee in perf_top__mmap_read_idx (top=0x7fffffffa7b0, idx=2) at builtin-top.c:840
> > #12 0x000000000044fa0d in perf_top__mmap_read (top=0x7fffffffa7b0) at builtin-top.c:857
> > #13 0x0000000000450080 in __cmd_top (top=0x7fffffffa7b0) at builtin-top.c:1002
> > #14 0x00000000004514e0 in cmd_top (argc=0, argv=0x7fffffffe130, prefix=0x0) at builtin-top.c:1330
> > #15 0x00000000004b5af5 in run_builtin (p=0xa0baf8 , argc=6, argv=0x7fffffffe130) at perf.c:358
> > #16 0x00000000004b5d62 in handle_internal_command (argc=6, argv=0x7fffffffe130) at perf.c:420
> > #17 0x00000000004b5ea7 in run_argv (argcp=0x7fffffffdf8c, argv=0x7fffffffdf80) at perf.c:466
> > #18 0x00000000004b6290 in main (argc=6, argv=0x7fffffffe130) at perf.c:610
> > (gdb) fr 4
> > #4  0x0000000000504e57 in map__exit (map=0x2393790) at util/map.c:246
> > 246		BUG_ON(!RB_EMPTY_NODE(&map->rb_node));
> > (gdb) p map
> > $1 = (struct map *) 0x2393790
> > (gdb) p *map
> > $2 = {{rb_node = {__rb_parent_color = 37304353, rb_right = 0x0, rb_left = 0x0}, node = {next = 0x2393821, prev = 0x0}}, start = 140434683187200,
> >   end = 140434690723840, type = 0 '\000', erange_warned = false, priv = 0, prot = 5, flags = 2, pgoff = 0, reloc = 0, maj = 253, min = 0, ino = 132875,
> >   ino_generation = 3472328296227680304, map_ip = 0x504125 , unmap_ip = 0x504174 , dso = 0x22b3890, groups = 0x2385290, refcnt = {
> >   counter = 0}}
> > (gdb)
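Review bot: the `+ map__zput(al->map);` added to the finish_entry path in the quoted hunk drops a reference that nothing in the hunk takes: `al` is handed in by hist_entry_iter__add(), and there is no map__get() in the shown lines to balance the put. The quoted backtrace shows the consequence: map__put() reaches map__delete()/map__exit() from iter_finish_cumulative_entry() with `refcnt = {counter = 0}` while `rb_node.__rb_parent_color` is still a tree pointer (37304353, not the node's own address), so the map is still linked into its map_groups when its last reference goes and BUG_ON(!RB_EMPTY_NODE(&map->rb_node)) fires. Either take an explicit map__get() at the point where the iterator stores al->map and say so in a comment beside the zput, or drop this line and release the map where its reference is actually acquired.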
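The get/put pairing Arnaldo is asking about, as an added example that is not perf's code: a hypothetical refcounted object (struct map, map__get, map__put, map_groups__insert/remove, run_iter, demo are all stand-ins defined here, not perf's functions) that also lives in a container, with the container holding its own reference. The container's "still linked" flag plays the role of !RB_EMPTY_NODE(&map->rb_node). Unlike perf, the put reports an invariant violation instead of aborting, so both sequences can be run side by side: the unpaired put from the hunk, and the same put balanced by a get where the iterator stores the borrowed pointer.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for perf's struct map (not perf's code): a refcounted
 * object that also lives in a container. In perf the container is the
 * map_groups rb-tree and "still linked" is !RB_EMPTY_NODE(&map->rb_node). */
struct map {
	int refcnt;
	int linked;			/* still inserted in the owning container? */
	unsigned long start, end;
};

/* map__put() reports these instead of aborting, so callers can inspect them. */
enum put_result {
	PUT_STILL_ALIVE,	/* other references remain */
	PUT_FREED,		/* last reference dropped, object freed */
	PUT_BUG_IN_TREE,	/* count hit zero while still linked: map__exit()'s BUG_ON */
	PUT_BUG_UNDERFLOW,	/* put() on a count that is already zero */
};

struct map *map__new(unsigned long start, unsigned long end)
{
	struct map *m = calloc(1, sizeof(*m));
	m->refcnt = 1;			/* the creator holds the first reference */
	m->start = start;
	m->end = end;
	return m;
}

struct map *map__get(struct map *m)
{
	if (m)
		m->refcnt++;
	return m;
}

enum put_result map__put(struct map *m)
{
	if (!m)
		return PUT_STILL_ALIVE;
	if (m->refcnt <= 0)
		return PUT_BUG_UNDERFLOW;
	if (--m->refcnt > 0)
		return PUT_STILL_ALIVE;
	if (m->linked)			/* perf: BUG_ON(!RB_EMPTY_NODE(&map->rb_node)) */
		return PUT_BUG_IN_TREE;
	free(m);
	return PUT_FREED;
}

/* The container takes its own reference on insert and drops it on remove. */
void map_groups__insert(struct map *m)
{
	map__get(m);
	m->linked = 1;
}

enum put_result map_groups__remove(struct map *m)
{
	m->linked = 0;
	return map__put(m);
}

/* Models hist_entry_iter__add(): al_map is the borrowed pointer a lookup left in
 * al->map (no reference taken). The add step stores it in the iterator and the
 * finish step releases it, as the quoted hunk does with map__zput(al->map).
 * take_ref selects whether the add step takes the reference finish drops. */
enum put_result run_iter(struct map *al_map, int take_ref)
{
	struct map *held = take_ref ? map__get(al_map) : al_map;	/* add_entry */

	return map__put(held);						/* finish_entry */
}

struct outcome {
	enum put_result finish;		/* what the iterator's put reported */
	enum put_result remove;		/* what the container's put reported */
};

struct outcome demo(int take_ref)
{
	struct outcome o;
	struct map *m = map__new(0x1000, 0x2000);	/* refcnt 1 */

	map_groups__insert(m);				/* refcnt 2, linked */
	map__put(m);					/* creator done: refcnt 1, the container's */
	o.finish = run_iter(m, take_ref);
	o.remove = map_groups__remove(m);		/* container drops its reference */
	if (o.remove != PUT_FREED)
		free(m);				/* perf would have aborted by now */
	return o;
}

int main(void)
{
	static const char *const names[] = { "still alive", "freed",
		"BUG: count 0 while still in tree", "BUG: put without a matching get" };
	struct outcome u = demo(0), p = demo(1);

	printf("unpaired put:   finish=%s, remove=%s\n", names[u.finish], names[u.remove]);
	printf("paired get/put: finish=%s, remove=%s\n", names[p.finish], names[p.remove]);
	return 0;
}
```

With take_ref=0 the finish put takes the count from 1 to 0 while the object is still linked, which is exactly the state the gdb dump above shows (refcnt counter 0, rb_node still pointing into the tree); the container's later remove then underflows. With take_ref=1 the iterator's put only returns the reference it took, and the object is freed by the container's remove, after it has been unlinked.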