Re: [Gluster-devel] memory corruption in release-3.3

[Emmanuel Dreyfus]

Emmanuel Dreyfus <address@hidden> wrote:

> Second crash flavor (it looks more like a double free)

Here it is again at a different place. This is in loc_wipe, where
loc->path is free'ed.

Looking at the code, I see that there are places where loc->path is
allocated by gf_strdup(). I see other places where it is copied from
another buffer. Since this is done without reference counts, it seems
likely that there is a double free somewhere. Opinions?

(gdb) bt
#0  0xbb92652a in ?? () from /lib/libc.so.12
#1  0xbb92891b in free () from /lib/libc.so.12
#2  0xbbbb376f in __gf_free (free_ptr=0xb8250040) at mem-pool.c:258
#3  0xbbb85269 in loc_wipe (loc=0xba4cd010) at xlator.c:534
#4  0xbaa5e68a in client_local_wipe (local=0xba4cd010) at
client-helpers.c:125
#5  0xbaa614d5 in client3_1_open_cbk (req=0xb92010d8, iov=0xb92010f8,
count=1, myframe=0xbb77fa20) at client3_1-fops.c:421
#6  0xbbb69716 in rpc_clnt_handle_reply (clnt=0xba3c51c0,
pollin=0xbb77d220) at rpc-clnt.c:788
#7  0xbbb699b3 in rpc_clnt_notify (trans=0xbb70ec00, mydata=0xba3c51e0,
event=RPC_TRANSPORT_MSG_RECEIVED, data=0xbb77d220) at rpc-clnt.c:907
#8  0xbbb65989 in rpc_transport_notify (this=0xbb70ec00,
event=RPC_TRANSPORT_MSG_RECEIVED, data=0xbb77d220) at
rpc-transport.c:489
#9  0xbaa9327e in socket_event_poll_in () from
/usr/local/lib/glusterfs/3.3git/rpc-transport/socket.so
#10 0xbaa937f5 in socket_event_handler () from
/usr/local/lib/glusterfs/3.3git/rpc-transport/socket.so
#11 0xbbbb270f in event_dispatch_poll_handler (event_pool=0xbb73b080,
ufds=0xbb77e6a0, i=3) at event.c:357
#12 0xbbbb297b in event_dispatch_poll (event_pool=0xbb73b080) at
event.c:437
#13 0xbbbb2ca7 in event_dispatch (event_pool=0xbb73b080) at event.c:947
#14 0x08050078 in main ()


-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
address@hidden