[Gluster-devel] memory corruption in release-3.3

Emmanuel Dreyfus manu at netbsd.org
Sat May 19 10:29:55 UTC 2012

Emmanuel Dreyfus <manu at netbsd.org> wrote:

> Second crash flavor (it looks more like a double free)

Here it is again at a different place. This is in loc_wipe, where
loc->path is freed.

Looking at the code, I see that there are places where loc->path is
allocated by gf_strdup(). I see other places where it is copied from
another buffer. Since this is done without reference counts, it seems
likely that there is a double free somewhere. Opinions?

(gdb) bt
#0  0xbb92652a in ?? () from /lib/libc.so.12
#1  0xbb92891b in free () from /lib/libc.so.12
#2  0xbbbb376f in __gf_free (free_ptr=0xb8250040) at mem-pool.c:258
#3  0xbbb85269 in loc_wipe (loc=0xba4cd010) at xlator.c:534
#4  0xbaa5e68a in client_local_wipe (local=0xba4cd010) at
#5  0xbaa614d5 in client3_1_open_cbk (req=0xb92010d8, iov=0xb92010f8,
count=1, myframe=0xbb77fa20) at client3_1-fops.c:421
#6  0xbbb69716 in rpc_clnt_handle_reply (clnt=0xba3c51c0,
pollin=0xbb77d220) at rpc-clnt.c:788
#7  0xbbb699b3 in rpc_clnt_notify (trans=0xbb70ec00, mydata=0xba3c51e0,
event=RPC_TRANSPORT_MSG_RECEIVED, data=0xbb77d220) at rpc-clnt.c:907
#8  0xbbb65989 in rpc_transport_notify (this=0xbb70ec00,
event=RPC_TRANSPORT_MSG_RECEIVED, data=0xbb77d220) at
#9  0xbaa9327e in socket_event_poll_in () from
#10 0xbaa937f5 in socket_event_handler () from
#11 0xbbbb270f in event_dispatch_poll_handler (event_pool=0xbb73b080,
ufds=0xbb77e6a0, i=3) at event.c:357
#12 0xbbbb297b in event_dispatch_poll (event_pool=0xbb73b080) at
#13 0xbbbb2ca7 in event_dispatch (event_pool=0xbb73b080) at event.c:947
#14 0x08050078 in main ()

Emmanuel Dreyfus
manu at netbsd.org
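
The ownership problem the message suspects, as an added example that is not part of the original post and is not GlusterFS code: a path pointer copied between two structs without reference counts is freed once per struct. The struct demo_loc, the tracked_* helpers and the sample path are hypothetical; the registry stands in for a debug allocator that refuses the second free instead of handing it to libc.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a struct that owns a heap-allocated path. */
struct demo_loc { char *path; };

#define MAX_LIVE 64
static void *live[MAX_LIVE];              /* registry of live allocations */

char *tracked_strdup(const char *s) {
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (!p) return NULL;
    memcpy(p, s, n);
    for (int i = 0; i < MAX_LIVE; i++)
        if (!live[i]) { live[i] = p; return p; }
    free(p);                              /* registry full: fail the allocation */
    return NULL;
}

/* Returns 0 on success, -1 if ptr is not live (double or stray free). */
int tracked_free(void *ptr) {
    if (!ptr) return 0;
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == ptr) { live[i] = NULL; free(ptr); return 0; }
    return -1;                            /* refused: never reaches free() */
}

/* Frees the path and clears the pointer, so wiping one struct twice is safe. */
int demo_loc_wipe(struct demo_loc *loc) {
    int rc = tracked_free(loc->path);
    loc->path = NULL;
    return rc;
}

/* Shallow copy: both structs now believe they own the same buffer. */
void demo_loc_copy_shallow(struct demo_loc *dst, const struct demo_loc *src) {
    dst->path = src->path;
}

/* Deep copy: each struct owns a separate buffer. */
int demo_loc_copy_deep(struct demo_loc *dst, const struct demo_loc *src) {
    dst->path = src->path ? tracked_strdup(src->path) : NULL;
    return (src->path && !dst->path) ? -1 : 0;
}

/* Wipes both structs and returns how many frees the registry refused. */
int wipe_both(struct demo_loc *a, struct demo_loc *b) {
    int refused = demo_loc_wipe(a) != 0;
    return refused + (demo_loc_wipe(b) != 0);
}
```

With the shallow copy, wipe_both reports one refused free; with the deep copy it reports none. The registry only catches a repeated free while the address has not been handed out again by a later allocation.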
