memory-corruption in confpars #1

Open
jti-lanl opened this issue Dec 17, 2015 · 0 comments

Comments

@jti-lanl
Contributor

[from email:]

The latest marfs config-blueprint and config-file is working with the Nov 16 version of PA2X.

Updating to the latest causes segfaults in confpars on the blueprint. Basically, the heap is getting corrupted.

The Dec 11 14:12 version (i.e. second-most-recent) has the problem, too. The debugging shown below is with Dec 11 14:12, but I just ran valgrind on the 12/11 14:31 version (i.e. latest), and it looks the same (same line numbers, etc).

I've been chasing it in the debugger, with the help of the valgrind output below.

Here's a gdb session to catch the problem. The issue is that in readConfigFile() it sometimes happens that ((nl_ptr + strlen(line) +2) >= (conf + f_size +2)). When that happens, confpars is writing into storage it didn't malloc.

Not sure whether it's relevant, but I notice that it appears to be reading from ./parse-inc/config-structs.h when this corruption happens.

For now, it looks like we should stick with the Nov 16 version.

Thanks,
Jeff

(gdb) br 252
Breakpoint 3 at 0x4013a7: file confpars.c, line 252.
(gdb) cond 3 ((nl_ptr + strlen(line) +2) >= (conf + f_size +2))
(gdb) c
Continuing.

Breakpoint 2, readConfigFile (fn=0x7fffffffe0fa "/root/projects/git/marfs/common/configuration/src/marfs_configuration_blueprint.cfg") at confpars.c:242
242 conf = (char *)malloc((size_t)f_size + 2); // alloc 1 byte more for termination
(gdb) c
Continuing.

Breakpoint 2, readConfigFile (fn=0x4052d1 "./parse-inc/config-structs.h") at confpars.c:242
242 conf = (char *)malloc((size_t)f_size + 2); // alloc 1 byte more for termination
(gdb)
Continuing.

Breakpoint 3, readConfigFile (fn=0x4052d1 "./parse-inc/config-structs.h") at confpars.c:252
252 sprintf(nl_ptr, "%s\n", line);
(gdb) list
247 nl_ptr = conf;
248 while (!feof(f_ptr)) {
249 fgets(line, CFG_LINE_SZ, f_ptr);
250 ln_cnt++;
251 prepConfigFileLine(line, ln_cnt);
252 sprintf(nl_ptr, "%s\n", line);
253 nl_ptr += strlen(line)+1;
254 line[0]=0;
255 }
256 }
(gdb) print f_size
$2 = 840
(gdb) print strlen(line)
$3 = 23
(gdb) print nl_ptr
$4 = 0x607a65 ""
(gdb) print conf
$5 = 0x607730 "struct range {\n\n char *min_size;\n\n char *max_size;\n\n char *repo_name;\n\n };\n\n\n\nstruct repo {\n\n char *name;\n\n char *host;\n\n char *host_offset;\n\n char *host_count;\n\n char *update_in_pla"...
(gdb) print (nl_ptr + strlen(line) +2)
$6 = 0x607a7e "s>inodes a\001\v"
(gdb) print (conf + f_size +2)
$7 = 0x607a7a "names>inodes a\001\v"

Here's what valgrind says:

[NOTE: each block of output shows the stack trace where an invalid op occurred, combined with the stack trace of where that memory was allocated]

marfs-gpfs-002:~/projects/git/PA2X $ valgrind --leak-check=yes ./confpars ~/projects/git/marfs/common/configuration/src/marfs_configuration_blueprint.cfg

==30303== Memcheck, a memory error detector
==30303== Copyright (C) 2002-2012, and GNU GPL'd, by Julian Seward et al.
==30303== Using Valgrind-3.8.1 and LibVEX; rerun with -h for copyright info
==30303== Command: ./confpars /root/projects/git/marfs/common/configuration/src/marfs_configuration_blueprint.cfg
==30303==
==30303== Invalid write of size 1
==30303== at 0x4A0A0F8: mempcpy (mc_replace_strmem.c:1268)
==30303== by 0x3F4E47465D: _IO_default_xsputn (genops.c:468)
==30303== by 0x3F4E44818F: vfprintf (vfprintf.c:1641)
==30303== by 0x3F4E469608: vsprintf (iovsprintf.c:43)
==30303== by 0x3F4E44F2B7: sprintf (sprintf.c:34)
==30303== by 0x4013C6: readConfigFile (confpars.c:252)
==30303== by 0x404474: parseConfigFile (confpars.c:2024)
==30303== by 0x404E98: main (mainpars.c:89)
==30303== Address 0x4c3c0ba is 0 bytes after a block of size 842 alloc'd
==30303== at 0x4A06A2E: malloc (vg_replace_malloc.c:270)
==30303== by 0x401334: readConfigFile (confpars.c:242)
==30303== by 0x404474: parseConfigFile (confpars.c:2024)
==30303== by 0x404E98: main (mainpars.c:89)
==30303==
==30303== Invalid write of size 1
==30303== at 0x3F4E4746A7: _IO_default_xsputn (genops.c:480)
==30303== by 0x3F4E44461E: vfprintf (vfprintf.c:1672)
==30303== by 0x3F4E469608: vsprintf (iovsprintf.c:43)
==30303== by 0x3F4E44F2B7: sprintf (sprintf.c:34)
==30303== by 0x4013C6: readConfigFile (confpars.c:252)
==30303== by 0x404474: parseConfigFile (confpars.c:2024)
==30303== by 0x404E98: main (mainpars.c:89)
==30303== Address 0x4c3c0bc is 2 bytes after a block of size 842 alloc'd
==30303== at 0x4A06A2E: malloc (vg_replace_malloc.c:270)
==30303== by 0x401334: readConfigFile (confpars.c:242)
==30303== by 0x404474: parseConfigFile (confpars.c:2024)
==30303== by 0x404E98: main (mainpars.c:89)
==30303==
==30303== Invalid write of size 1
==30303== at 0x3F4E469617: vsprintf (iovsprintf.c:44)
==30303== by 0x3F4E44F2B7: sprintf (sprintf.c:34)
==30303== by 0x4013C6: readConfigFile (confpars.c:252)
==30303== by 0x404474: parseConfigFile (confpars.c:2024)
==30303== by 0x404E98: main (mainpars.c:89)
==30303== Address 0x4c3c0bd is 3 bytes after a block of size 842 alloc'd
==30303== at 0x4A06A2E: malloc (vg_replace_malloc.c:270)
==30303== by 0x401334: readConfigFile (confpars.c:242)
==30303== by 0x404474: parseConfigFile (confpars.c:2024)
==30303== by 0x404E98: main (mainpars.c:89)
==30303==
==30303== Invalid write of size 1
==30303== at 0x3F4E4746A7: _IO_default_xsputn (genops.c:480)
==30303== by 0x3F4E44818F: vfprintf (vfprintf.c:1641)
==30303== by 0x3F4E469608: vsprintf (iovsprintf.c:43)
==30303== by 0x3F4E44F2B7: sprintf (sprintf.c:34)
==30303== by 0x4013C6: readConfigFile (confpars.c:252)
==30303== by 0x404474: parseConfigFile (confpars.c:2024)
==30303== by 0x404E98: main (mainpars.c:89)
==30303== Address 0x4c3c0df is not stack'd, malloc'd or (recently) free'd
==30303==
--30303-- VALGRIND INTERNAL ERROR: Valgrind received a signal 11 (SIGSEGV) - exiting
--30303-- si_code=80; Faulting address: 0x0; sp: 0x4030b6dd0

valgrind: the 'impossible' happened:
Killed by fatal signal
==30303== at 0x3803EC04: vgPlain_arena_malloc (m_mallocfree.c:291)
==30303== by 0x38003C34: vgMemCheck_new_block (mc_malloc_wrappers.c:263)
==30303== by 0x3800409A: vgMemCheck_malloc (mc_malloc_wrappers.c:301)
==30303== by 0x3807A58A: vgPlain_scheduler (scheduler.c:1665)
==30303== by 0x380A5A29: run_a_thread_NORETURN (syswrap-linux.c:103)

sched status:
running_tid=1

Thread 1: status = VgTs_Runnable
==30303== at 0x4A06A2E: malloc (vg_replace_malloc.c:270)
==30303== by 0x4033C4: addToNamesList (confpars.c:1390)
==30303== by 0x40449E: parseConfigFile (confpars.c:2038)
==30303== by 0x404E98: main (mainpars.c:89)

Note: see also the FAQ in the source distribution.
It contains workarounds to several common problems.
In particular, if Valgrind aborted or crashed after
identifying problems in your program, there's a good chance
that fixing those problems will prevent Valgrind aborting or
crashing, especially if it happened in m_mallocfree.c.

If that doesn't help, please report this bug to: www.valgrind.org

In the bug report, send all the above text, the valgrind
version, and what OS and version you are using. Thanks.

@brettkettering brettkettering assigned ghost Dec 17, 2015
@ghost ghost removed their assignment Aug 3, 2016