[Gluster-devel] memory corruption in release-3.3
Emmanuel Dreyfus
manu at netbsd.org
Sat May 19 10:29:55 UTC 2012
Emmanuel Dreyfus <manu at netbsd.org> wrote:
> Second crash flavor (it looks more like a double free)
Here it is again at a different place. This is in loc_wipe, where
loc->path is free'ed.
Looking at the code, I see that there are places where loc->path is
allocated by gf_strdup(). I see other places where it is copied from
another buffer. Since this is done without reference counts, it seems
likely that there is a double free somewhere. Opinions?
(gdb) bt
#0 0xbb92652a in ?? () from /lib/libc.so.12
#1 0xbb92891b in free () from /lib/libc.so.12
#2 0xbbbb376f in __gf_free (free_ptr=0xb8250040) at mem-pool.c:258
#3 0xbbb85269 in loc_wipe (loc=0xba4cd010) at xlator.c:534
#4 0xbaa5e68a in client_local_wipe (local=0xba4cd010) at client-helpers.c:125
#5 0xbaa614d5 in client3_1_open_cbk (req=0xb92010d8, iov=0xb92010f8, count=1, myframe=0xbb77fa20) at client3_1-fops.c:421
#6 0xbbb69716 in rpc_clnt_handle_reply (clnt=0xba3c51c0, pollin=0xbb77d220) at rpc-clnt.c:788
#7 0xbbb699b3 in rpc_clnt_notify (trans=0xbb70ec00, mydata=0xba3c51e0, event=RPC_TRANSPORT_MSG_RECEIVED, data=0xbb77d220) at rpc-clnt.c:907
#8 0xbbb65989 in rpc_transport_notify (this=0xbb70ec00, event=RPC_TRANSPORT_MSG_RECEIVED, data=0xbb77d220) at rpc-transport.c:489
#9 0xbaa9327e in socket_event_poll_in () from /usr/local/lib/glusterfs/3.3git/rpc-transport/socket.so
#10 0xbaa937f5 in socket_event_handler () from /usr/local/lib/glusterfs/3.3git/rpc-transport/socket.so
#11 0xbbbb270f in event_dispatch_poll_handler (event_pool=0xbb73b080, ufds=0xbb77e6a0, i=3) at event.c:357
#12 0xbbbb297b in event_dispatch_poll (event_pool=0xbb73b080) at event.c:437
#13 0xbbbb2ca7 in event_dispatch (event_pool=0xbb73b080) at event.c:947
#14 0x08050078 in main ()
--
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu at netbsd.org
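
Added example, not part of the original post and not GlusterFS code: a minimal C model of the ownership pattern the message describes, where a path pointer is sometimes duplicated and sometimes copied from another struct without a reference count. struct loc, loc_copy_alias, loc_copy_owned and the tracking allocator are hypothetical stand-ins; the allocator quarantines freed buffers so that a second free is counted instead of executed.

```c
#include <stdlib.h>
#include <string.h>
/* Hypothetical model of the ownership pattern; not GlusterFS code. */
#define SLOTS 16
static struct { char *p; int freed; } slot[SLOTS];
static int double_frees;

static char *tracked_strdup(const char *s) {
    for (int i = 0; i < SLOTS; i++) {
        if (slot[i].p) continue;
        slot[i].p = malloc(strlen(s) + 1);
        if (slot[i].p) strcpy(slot[i].p, s);
        slot[i].freed = 0;
        return slot[i].p;
    }
    return NULL; /* table full */
}

/* Quarantine instead of releasing, so a second free is counted, not executed. */
static void tracked_free(char *p) {
    for (int i = 0; p && i < SLOTS; i++)
        if (slot[i].p == p) {
            if (slot[i].freed) double_frees++; else slot[i].freed = 1;
            return;
        }
}

static void release_all(void) {
    for (int i = 0; i < SLOTS; i++) { free(slot[i].p); slot[i].p = NULL; }
}
struct loc { char *path; };
/* Shallow copy: both structs now hold the same buffer, with no reference count. */
static void loc_copy_alias(struct loc *dst, const struct loc *src) { dst->path = src->path; }
/* Deep copy: dst gets its own buffer, so each wipe frees a distinct allocation. */
static void loc_copy_owned(struct loc *dst, const struct loc *src) {
    dst->path = src->path ? tracked_strdup(src->path) : NULL;
}
static void loc_wipe(struct loc *l) { tracked_free(l->path); l->path = NULL; }

/* Wipe an original and its copy; return how many double frees were counted. */
int wipe_both(int deep) {
    struct loc a = { tracked_strdup("/dir/file") }, b = { NULL };
    double_frees = 0;
    if (deep) loc_copy_owned(&b, &a); else loc_copy_alias(&b, &a);
    loc_wipe(&a); loc_wipe(&b);
    release_all();
    return double_frees;
}

int main(void) { return (wipe_both(0) == 1 && wipe_both(1) == 0) ? 0 : 1; }
```

Setting the pointer to NULL in the wipe routine only protects against wiping the same struct twice; it does nothing for a second struct that still holds the aliased pointer.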