From mboxrd@z Thu Jan  1 00:00:00 1970
From: Jiri Slaby
Subject: Re: trinity: lots of free(): invalid pointer
Date: Mon, 20 Jan 2014 20:51:10 +0100
Message-ID: <52DD7E2E.7000307@suse.cz>
References: <52D70DC5.8070104@suse.cz> <20140117190932.GA4300@redhat.com> <52DD799F.7090403@suse.cz>
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Return-path:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
        h=sender:message-id:date:from:user-agent:mime-version:to:cc:subject
         :references:in-reply-to:content-type:content-transfer-encoding;
        bh=I+pQJpzQD9LeMXpheAsXHVfPqJvNyt40Es53LWsnz+c=;
        b=eihubtrnzdgpgxrq0I5gs36As/xbJwXkSbPZynYszG16ZOw31ajs9tXS1DiUvQbIgB
         cYsq408w2yLoYbU+hN2duEoV+kB7x387vBu3xuVmlNW1retntQ69/OKRshqD/jF2LyOc
         wJ7XwzFC3UEks8BtXmExFESx3r8Dvl918hdKXGZdKSyuSGuiNbT2NGLykEvUeZADizS9
         8sQVo8CIJBT3MrnSDNlZnaahLCBzoHBBMPAij7+OGW7lOGPf26ZgqRFw8egBKUJ583uF
         Ja5cX5T098p2MgpuGORRokYZm+I2v30xJXsWWslS9hXJLrHVGa7Z16iquq++iJASB+ti
         MEXA==
In-Reply-To: <52DD799F.7090403@suse.cz>
Sender: trinity-owner@vger.kernel.org
List-ID:
Content-Type: text/plain; charset="us-ascii"
To: Dave Jones
Cc: trinity@vger.kernel.org

On 01/20/2014 08:31 PM, Jiri Slaby wrote:
> On 01/17/2014 08:09 PM, Dave Jones wrote:
>> On Wed, Jan 15, 2014 at 11:37:57PM +0100, Jiri Slaby wrote:
>>  > Hi Dave,
>>  >
>>  > I see lots of $SUBJ generated by the current snapshot of trinity.
>>  > 0x4120ae below is free in the loop in post_move_pages. So this is
>>  > perhaps introduced with one of:
>>  > commit ae3b98fcbf52c808b0a3eb4eb5311c9fdf433f55
>>  > Author: Dave Jones
>>  > Date:   Wed Jan 8 11:08:22 2014 -0500
>>  >
>>  >     only allocate page_types array once
>>  >
>>  > commit 2a749813619348b3bfd144fe04488f698d83accc
>>  > Author: Dave Jones
>>  > Date:   Tue Jan 7 12:11:11 2014 -0500
>>  >
>>  >     teach move_pages about the maps list
>>  >
>>  >
>>  > Any ideas?
>>
>> I rewrote a bunch of that code a few days ago, are you still seeing it ?
>> I'm not able to reproduce it here.
>> A run with -c move_pages runs and runs.
>
> Yeah, I still see it with the current snapshot. But, not with move_pages
> anymore, it seems. There had to be more sources, the current one is
> (with -x move_pages):
> *** Error in `trinity': double free or corruption (top):
> 0x00000000014f9bc0 ***
> ======= Backtrace: =========
> /lib64/libc.so.6(+0x740af)[0x7f0c48ba30af]
> /lib64/libc.so.6(+0x798de)[0x7f0c48ba88de]
> /lib64/libc.so.6(+0x7a5e6)[0x7f0c48ba95e6]
> trinity[0x40abc8]
> trinity[0x40dabc]
> trinity[0x40338a]
> trinity[0x40704c]
> trinity[0x402c47]
> /lib64/libc.so.6(__libc_start_main+0xf5)[0x7f0c48b50b15]
> trinity[0x402f13]
>
> The topmost trinity item 0x40abc8 is "entry->post(childno)". There seems
> to be a lost/optimized-out frame between this call and libc :/.

Ok, -Og looks better:

/lib64/libc.so.6(+0x740af)[0x7f4192eba0af]
/lib64/libc.so.6(+0x798de)[0x7f4192ebf8de]
/lib64/libc.so.6(+0x7a5e6)[0x7f4192ec05e6]
../trinity/trinity[0x410fa4]
../trinity/trinity[0x40a02f]
../trinity/trinity[0x40cf47]
../trinity/trinity[0x402c3c]
../trinity/trinity[0x4060de]
../trinity/trinity[0x4065df]
../trinity/trinity[0x406700]
../trinity/trinity[0x40bd0c]
/lib64/libc.so.6(__libc_start_main+0xf5)[0x7f4192e67b15]
../trinity/trinity[0x402779]

(gdb) l * 0x410fa4
0x410fa4 is in post_modify_ldt (syscalls/modify_ldt.c:62).
57
58		ptr = (void *) shm->scratch[childno];
59
60		if (ptr != NULL)
61			free(ptr);
62	}
63
64	struct syscallentry syscall_modify_ldt = {
65		.name = "modify_ldt",
66		.num_args = 3,

-- 
js
suse labs
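As an added illustration of the hook shape in the gdb listing above (this is not trinity's code; `struct shm_data`, `pre_hook`, the two `post_hook_*` variants and the freed-pointer journal are all constructed for this example), the C program below shows one way a per-child scratch slot can be handed to free() twice: a post hook that frees the slot but leaves the stale pointer in place is not safe to run more than once, whereas clearing the slot as part of the release makes the hook idempotent. The journal is a toy stand-in for what glibc's `MALLOC_CHECK_` or AddressSanitizer (`-fsanitize=address`) would report, so the repeat is counted instead of corrupting the heap:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_CHILDREN 4
#define JOURNAL_SIZE 16

/* Hypothetical stand-in for a shared area with one scratch pointer per child. */
struct shm_data {
    void *scratch[MAX_CHILDREN];
};

/* Journal of pointers already handed to free(): a constructed debugging aid so
 * a repeated free is observed and counted rather than aborting the process. */
static void *freed_journal[JOURNAL_SIZE];
static unsigned journal_len;
static unsigned frees_done;
static unsigned double_free_attempts;

static int journal_find(const void *p)
{
    for (unsigned i = 0; i < journal_len; i++)
        if (freed_journal[i] == p)
            return (int)i;
    return -1;
}

static void *debug_malloc(size_t n)
{
    void *p = malloc(n);
    int i = journal_find(p);
    if (i >= 0)                      /* address recycled by malloc: live again */
        freed_journal[i] = freed_journal[--journal_len];
    return p;
}

static void debug_free(void *p)
{
    if (journal_find(p) >= 0) {      /* plain free() would corrupt the heap here */
        double_free_attempts++;
        return;
    }
    if (journal_len < JOURNAL_SIZE)
        freed_journal[journal_len++] = p;
    free(p);
    frees_done++;
}

/* Pre-hook: allocate the per-child scratch buffer once per syscall run. */
static void pre_hook(struct shm_data *shm, unsigned childno)
{
    shm->scratch[childno] = debug_malloc(64);
}

/* Same shape as the quoted listing: frees the slot but keeps the stale pointer,
 * so any second run of the post step frees the same block again. */
static void post_hook_stale(struct shm_data *shm, unsigned childno)
{
    void *ptr = shm->scratch[childno];
    if (ptr != NULL)
        debug_free(ptr);
}

/* Hardened form: releasing the buffer and clearing the slot is one step, so the
 * hook is safe to run any number of times after a single allocation. */
static void post_hook_clear(struct shm_data *shm, unsigned childno)
{
    void *ptr = shm->scratch[childno];
    if (ptr != NULL) {
        debug_free(ptr);
        shm->scratch[childno] = NULL;
    }
}

/* Run the pre-hook once, then the given post hook 'repeats' times for child 1;
 * return how many repeated frees the journal caught. */
static unsigned simulate(void (*post)(struct shm_data *, unsigned), unsigned repeats)
{
    struct shm_data shm;
    memset(&shm, 0, sizeof shm);
    journal_len = 0;
    frees_done = 0;
    double_free_attempts = 0;
    pre_hook(&shm, 1);
    for (unsigned i = 0; i < repeats; i++)
        post(&shm, 1);
    return double_free_attempts;
}

int main(void)
{
    printf("stale hook, post run twice:    %u double free(s)\n",
           simulate(post_hook_stale, 2));
    printf("clearing hook, post run twice: %u double free(s)\n",
           simulate(post_hook_clear, 2));
    return 0;
}
```

Running it reports one caught double free for the stale variant and none for the clearing one; with a real build the same pattern is what `MALLOC_CHECK_=3` or an ASan build would flag at the first repeated free, which is usually a faster route to the offending hook than reading an optimised backtrace.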