[Qemu-devel] test-qmp-commands reads freed memory

[Qemu-devel] test-qmp-commands reads freed memory

[Peter Maydell]

The test-qmp-commands test binary seems to read from freed
memory. This triggers the MacOSX malloc implementation's
assertions. git bisect blames

commit c2216a8a7a587e594f50bebbdf81fcf168444b68
Author: Markus Armbruster <armbru@redhat.com>
Date:   Sat Mar 1 08:40:29 2014 +0100

    tests/qapi-schema: Cover simple argument types

    Signed-off-by: Markus Armbruster <armbru@redhat.com>
    Reviewed-by: Eric Blake <eblake@redhat.com>
    Signed-off-by: Luiz Capitulino <lcapitulino@redhat.com>

Valgrind will spot it:

cam-vm-266:precise:qemu$ valgrind build/x86/tests/test-qmp-commands
==15391== Memcheck, a memory error detector
==15391== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
==15391== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
==15391== Command: build/x86/tests/test-qmp-commands
==15391==
/0.15/dispatch_cmd: OK
/0.15/dispatch_cmd_error: OK
/0.15/dispatch_cmd_io: ==15391== Invalid read of size 8
==15391==    at 0x1344F6: qobject_decref (qobject.h:97)
==15391==    by 0x134FFD: test_dispatch_cmd_io (test-qmp-commands.c:144)
==15391==    by 0x4E9A65A: ??? (in
/lib/x86_64-linux-gnu/libglib-2.0.so.0.3200.4)
==15391==    by 0x4E9A7D5: ??? (in
/lib/x86_64-linux-gnu/libglib-2.0.so.0.3200.4)
==15391==    by 0x4E9AB2A: g_test_run_suite (in
/lib/x86_64-linux-gnu/libglib-2.0.so.0.3200.4)
==15391==    by 0x13540D: main (test-qmp-commands.c:229)
==15391==  Address 0x5ea26a8 is 8 bytes inside a block of size 4,120 free'd
==15391==    at 0x4C2A82E: free (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==15391==    by 0x13B741: qdict_destroy_obj (qdict.c:477)
==15391==    by 0x134580: qobject_decref (qobject.h:100)
==15391==    by 0x134F41: test_dispatch_cmd_io (test-qmp-commands.c:136)
==15391==    by 0x4E9A65A: ??? (in
/lib/x86_64-linux-gnu/libglib-2.0.so.0.3200.4)
==15391==    by 0x4E9A7D5: ??? (in
/lib/x86_64-linux-gnu/libglib-2.0.so.0.3200.4)
==15391==    by 0x4E9AB2A: g_test_run_suite (in
/lib/x86_64-linux-gnu/libglib-2.0.so.0.3200.4)
==15391==    by 0x13540D: main (test-qmp-commands.c:229)
==15391==
==15391== Invalid write of size 8
==15391==    at 0x134502: qobject_decref (qobject.h:97)
==15391==    by 0x134FFD: test_dispatch_cmd_io (test-qmp-commands.c:144)
==15391==    by 0x4E9A65A: ??? (in
/lib/x86_64-linux-gnu/libglib-2.0.so.0.3200.4)
==15391==    by 0x4E9A7D5: ??? (in
/lib/x86_64-linux-gnu/libglib-2.0.so.0.3200.4)
==15391==    by 0x4E9AB2A: g_test_run_suite (in
/lib/x86_64-linux-gnu/libglib-2.0.so.0.3200.4)
==15391==    by 0x13540D: main (test-qmp-commands.c:229)
==15391==  Address 0x5ea26a8 is 8 bytes inside a block of size 4,120 free'd
==15391==    at 0x4C2A82E: free (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==15391==    by 0x13B741: qdict_destroy_obj (qdict.c:477)
==15391==    by 0x134580: qobject_decref (qobject.h:100)
==15391==    by 0x134F41: test_dispatch_cmd_io (test-qmp-commands.c:136)
==15391==    by 0x4E9A65A: ??? (in
/lib/x86_64-linux-gnu/libglib-2.0.so.0.3200.4)
==15391==    by 0x4E9A7D5: ??? (in
/lib/x86_64-linux-gnu/libglib-2.0.so.0.3200.4)
==15391==    by 0x4E9AB2A: g_test_run_suite (in
/lib/x86_64-linux-gnu/libglib-2.0.so.0.3200.4)
==15391==    by 0x13540D: main (test-qmp-commands.c:229)
==15391==
==15391== Invalid read of size 8
==15391==    at 0x13450A: qobject_decref (qobject.h:97)
==15391==    by 0x134FFD: test_dispatch_cmd_io (test-qmp-commands.c:144)
==15391==    by 0x4E9A65A: ??? (in
/lib/x86_64-linux-gnu/libglib-2.0.so.0.3200.4)
==15391==    by 0x4E9A7D5: ??? (in
/lib/x86_64-linux-gnu/libglib-2.0.so.0.3200.4)
==15391==    by 0x4E9AB2A: g_test_run_suite (in
/lib/x86_64-linux-gnu/libglib-2.0.so.0.3200.4)
==15391==    by 0x13540D: main (test-qmp-commands.c:229)
==15391==  Address 0x5ea26a8 is 8 bytes inside a block of size 4,120 free'd
==15391==    at 0x4C2A82E: free (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==15391==    by 0x13B741: qdict_destroy_obj (qdict.c:477)
==15391==    by 0x134580: qobject_decref (qobject.h:100)
==15391==    by 0x134F41: test_dispatch_cmd_io (test-qmp-commands.c:136)
==15391==    by 0x4E9A65A: ??? (in
/lib/x86_64-linux-gnu/libglib-2.0.so.0.3200.4)
==15391==    by 0x4E9A7D5: ??? (in
/lib/x86_64-linux-gnu/libglib-2.0.so.0.3200.4)
==15391==    by 0x4E9AB2A: g_test_run_suite (in
/lib/x86_64-linux-gnu/libglib-2.0.so.0.3200.4)
==15391==    by 0x13540D: main (test-qmp-commands.c:229)
==15391==
OK


thanks
-- PMM

Re: [Qemu-devel] test-qmp-commands reads freed memory

[Luiz Capitulino]

On Sat, 8 Mar 2014 14:40:27 +0000
Peter Maydell <peter.maydell@linaro.org> wrote:

> The test-qmp-commands test binary seems to read from freed
> memory. This triggers the MacOSX malloc implementation's
> assertions. git bisect blames

Can you try the patch below? For the clang ones, I'll have to install it etc,
so it will take a bit longer.

I wonder how this didn't explode...

diff --git a/tests/test-qmp-commands.c b/tests/test-qmp-commands.c
index 8e62c2d..554e222 100644
--- a/tests/test-qmp-commands.c
+++ b/tests/test-qmp-commands.c
@@ -141,7 +141,7 @@ static void test_dispatch_cmd_io(void)
 
     ret3 = qobject_to_qint(test_qmp_dispatch(req));
     assert(qint_get_int(ret3) == 66);
-    QDECREF(ret);
+    QDECREF(ret3);
 
     QDECREF(req);
 }

Re: [Qemu-devel] test-qmp-commands reads freed memory

[Peter Maydell]

On 8 March 2014 16:09, Luiz Capitulino <lcapitulino@redhat.com> wrote:
> On Sat, 8 Mar 2014 14:40:27 +0000
> Peter Maydell <peter.maydell@linaro.org> wrote:
>
>> The test-qmp-commands test binary seems to read from freed
>> memory. This triggers the MacOSX malloc implementation's
>> assertions. git bisect blames
>
> Can you try the patch below? For the clang ones, I'll have to install it etc,
> so it will take a bit longer.
>
> I wonder how this didn't explode...
>
> diff --git a/tests/test-qmp-commands.c b/tests/test-qmp-commands.c
> index 8e62c2d..554e222 100644
> --- a/tests/test-qmp-commands.c
> +++ b/tests/test-qmp-commands.c
> @@ -141,7 +141,7 @@ static void test_dispatch_cmd_io(void)
>
>      ret3 = qobject_to_qint(test_qmp_dispatch(req));
>      assert(qint_get_int(ret3) == 66);
> -    QDECREF(ret);
> +    QDECREF(ret3);
>
>      QDECREF(req);
>  }

Yep, seems to work (both MacOSX and valgrind are happier).

Tested-by: Peter Maydell <peter.maydell@linaro.org>

-- PMM

[Qemu-devel] [PATCH] tests: test-qmp-commands: Fix double free

[Luiz Capitulino]

The ret variable is freed twice, but on the second time we actually want
to free ret3 instead. Don't know why this didn't explode.

Reported-by: Peter Maydell <peter.maydell@linaro.org>
Tested-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Luiz Capitulino <lcapitulino@redhat.com>
---
 tests/test-qmp-commands.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/test-qmp-commands.c b/tests/test-qmp-commands.c
index 8e62c2d..554e222 100644
--- a/tests/test-qmp-commands.c
+++ b/tests/test-qmp-commands.c
@@ -141,7 +141,7 @@ static void test_dispatch_cmd_io(void)
 
     ret3 = qobject_to_qint(test_qmp_dispatch(req));
     assert(qint_get_int(ret3) == 66);
-    QDECREF(ret);
+    QDECREF(ret3);
 
     QDECREF(req);
 }
-- 
1.8.1.4

Re: [Qemu-devel] [PATCH] tests: test-qmp-commands: Fix double free

[Eric Blake]

[-- Attachment #1: Type: text/plain, Size: 616 bytes --]

On 03/08/2014 10:27 AM, Luiz Capitulino wrote:
> The ret variable is freed twice, but on the second time we actually want
> to free ret3 instead. Don't know why this didn't explode.
> 
> Reported-by: Peter Maydell <peter.maydell@linaro.org>
> Tested-by: Peter Maydell <peter.maydell@linaro.org>
> Signed-off-by: Luiz Capitulino <lcapitulino@redhat.com>
> ---
>  tests/test-qmp-commands.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 

Reviewed-by: Eric Blake <eblake@redhat.com>

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 604 bytes --]