From: Marcin S. <mar...@in...> - 2015-09-14 12:43:37
From: Marcin Ślusarz <mar...@in...>
The error looks like this:
"Memcheck: mc_malloc_wrappers.c:244 (in_block_list): Assertion 'found_mc == mc' failed.
host stacktrace:
at 0x38083468: show_sched_status_wrk (m_libcassert.c:343)
by 0x38083584: report_and_quit (m_libcassert.c:415)
by 0x38083711: vgPlain_assert_fail (m_libcassert.c:481)
by 0x380504D3: in_block_list (mc_malloc_wrappers.c:244)
by 0x3805052C: live_block (mc_malloc_wrappers.c:257)
by 0x38050674: vgMemCheck_allocated_at (mc_malloc_wrappers.c:273)
by 0x38079DDE: describe_addr (mc_errors.c:1072)
by 0x3807B393: vgMemCheck_update_Error_extra (mc_errors.c:1141)
by 0x3807F55A: vgPlain_maybe_record_error (m_errormgr.c:813)
by 0x3807A95A: vgMemCheck_record_address_error (mc_errors.c:760)"
---
NEWS | 2 ++
memcheck/mc_malloc_wrappers.c | 14 +++++++++++
memcheck/tests/mempool2.c | 12 ++++++++++
memcheck/tests/mempool2.stderr.exp | 49 ++++++++++++++++++++++++--------------
4 files changed, 59 insertions(+), 18 deletions(-)
diff --git NEWS NEWS
index 7119ab8..88012e9 100644
--- NEWS
+++ NEWS
@@ -375,6 +375,8 @@ where XXXXXX is the bug number as listed below.
350811 Remove reference to --db-attach which has been removed.
350813 Memcheck/x86: enable handwritten assembly helpers for x86/Solaris too
350854 hard-to-understand code in VG_(load_ELF)()
+350928 Fix assertion failure (in_block_list: found_mc == mc) when user allocates
+ in recently freed space and touches noaccess space close to it.
351140 arm64 syscalls setuid (146) and setresgid (149) not implemented
351386 Solaris: Cannot run ld.so.1 under Valgrind
351474 Fix VG_(iseqsigset) as obvious
diff --git memcheck/mc_malloc_wrappers.c memcheck/mc_malloc_wrappers.c
index 08fcc2d..469d0bd 100644
--- memcheck/mc_malloc_wrappers.c
+++ memcheck/mc_malloc_wrappers.c
@@ -241,6 +241,20 @@ static Bool in_block_list (const VgHashTable *block_list, MC_Chunk* mc)
if (found_mc->szB != mc->szB
|| found_mc->allockind != mc->allockind)
return False;
+
+ /* If a user freed and allocated again in the same spot (through
+ * VALGRIND_MEMPOOL_FREE/ALLOC), we might arrive here with
+ * a dead chunk which has the same address as an alive one. */
+ if (mc->allockind == MC_AllocCustom && found_mc != mc) {
+ const int l = (mc->szB >= MC_(clo_freelist_big_blocks) ? 0 : 1);
+ MC_Chunk *c = freed_list_start[l];
+ do {
+ if (c == mc)
+ return False;
+ c = c->next;
+ } while (c);
+ }
+
tl_assert (found_mc == mc);
return True;
} else
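Review bot: The added `do { ... } while (c)` loop dereferences `c` before testing it, so if `freed_list_start[l]` is NULL (an empty freed list for that size class) the `c = c->next` step reads through a null pointer instead of falling through to the existing tl_assert; even if today's callers only hand in chunks that are on the list, a guarded loop is just as short and removes that precondition: `for (MC_Chunk *c = freed_list_start[l]; c; c = c->next) if (c == mc) return False;`. The size-class selection `(mc->szB >= MC_(clo_freelist_big_blocks) ? 0 : 1)` has to stay identical to the rule used when the chunk was queued on the freed list; if that rule is spelled out again at the queueing site, a small static helper shared by both would keep them from drifting. The comment above the new block could also state the consequence for the caller, e.g. `/* Returning False here makes the caller describe mc as a freed block; the live chunk at the same address is found_mc. */`, since the expected output in mempool2.stderr.exp relies on exactly that. The enclosing in_block_list starts and ends outside this hunk.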
diff --git memcheck/tests/mempool2.c memcheck/tests/mempool2.c
index 8fa3d5c..3bdad63 100644
--- memcheck/tests/mempool2.c
+++ memcheck/tests/mempool2.c
@@ -183,6 +183,18 @@ void test(void)
// claim res is used, so gcc can't nuke this all
__asm__ __volatile__("" : : "r"(res));
+ {
+ char tmp[100];
+ VALGRIND_CREATE_MEMPOOL(tmp, 0, 0);
+ VALGRIND_MEMPOOL_ALLOC(tmp, tmp + 8, 16);
+ VALGRIND_MEMPOOL_FREE(tmp, tmp + 8);
+ VALGRIND_MEMPOOL_ALLOC(tmp, tmp + 8, 16);
+ VALGRIND_MAKE_MEM_NOACCESS(tmp, 8);
+ fprintf(stderr,
+ "\n------ write to noaccess space close to reallocated object ------\n\n");
+ tmp[7] = 0x66;
+ }
+
fprintf(stderr,
"\n------ done ------\n\n");
pop(p1, 0);
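Review bot: The new block registers a mempool anchored on the stack array `tmp` and never destroys it, so the pool stays registered after `tmp` goes out of scope at the closing brace; adding `VALGRIND_DESTROY_MEMPOOL(tmp);` as the last statement of the block keeps the fixture self-contained. Since the error on `tmp[7] = 0x66;` is described at the time it is recorded (the trace in the description shows update_Error_extra called from maybe_record_error), destroying the pool afterwards should not alter the expected output, but that is worth confirming against mempool2.stderr.exp. The enclosing test() starts and ends outside this hunk.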
diff --git memcheck/tests/mempool2.stderr.exp memcheck/tests/mempool2.stderr.exp
index 16b1f38..b374e44 100644
--- memcheck/tests/mempool2.stderr.exp
+++ memcheck/tests/mempool2.stderr.exp
@@ -3,57 +3,57 @@
Invalid read of size 1
at 0x........: test (mempool2.c:135)
- by 0x........: main (mempool2.c:196)
+ by 0x........: main (mempool2.c:208)
Address 0x........ is 1 bytes before a block of size 10 client-defined
at 0x........: allocate (mempool2.c:108)
by 0x........: test (mempool2.c:130)
- by 0x........: main (mempool2.c:196)
+ by 0x........: main (mempool2.c:208)
Invalid read of size 1
at 0x........: test (mempool2.c:136)
- by 0x........: main (mempool2.c:196)
+ by 0x........: main (mempool2.c:208)
Address 0x........ is 0 bytes after a block of size 10 client-defined
at 0x........: allocate (mempool2.c:108)
by 0x........: test (mempool2.c:130)
- by 0x........: main (mempool2.c:196)
+ by 0x........: main (mempool2.c:208)
------ out of range reads in mmap-backed pool ------
Invalid read of size 1
at 0x........: test (mempool2.c:140)
- by 0x........: main (mempool2.c:196)
+ by 0x........: main (mempool2.c:208)
Address 0x........ is 1 bytes before a block of size 20 client-defined
at 0x........: allocate (mempool2.c:108)
by 0x........: test (mempool2.c:131)
- by 0x........: main (mempool2.c:196)
+ by 0x........: main (mempool2.c:208)
Invalid read of size 1
at 0x........: test (mempool2.c:141)
- by 0x........: main (mempool2.c:196)
+ by 0x........: main (mempool2.c:208)
Address 0x........ is 0 bytes after a block of size 20 client-defined
at 0x........: allocate (mempool2.c:108)
by 0x........: test (mempool2.c:131)
- by 0x........: main (mempool2.c:196)
+ by 0x........: main (mempool2.c:208)
------ read free in malloc-backed pool ------
Illegal memory pool address
at 0x........: test (mempool2.c:145)
- by 0x........: main (mempool2.c:196)
+ by 0x........: main (mempool2.c:208)
Address 0x........ is 0 bytes inside a block of size 32 alloc'd
at 0x........: malloc (vg_replace_malloc.c:...)
by 0x........: make_pool (mempool2.c:46)
by 0x........: test (mempool2.c:122)
- by 0x........: main (mempool2.c:196)
+ by 0x........: main (mempool2.c:208)
------ read free in mmap-backed pool ------
Illegal memory pool address
at 0x........: test (mempool2.c:150)
- by 0x........: main (mempool2.c:196)
+ by 0x........: main (mempool2.c:208)
Address 0x........ is in a rwx anonymous segment
@@ -61,19 +61,19 @@ Illegal memory pool address
Illegal memory pool address
at 0x........: test (mempool2.c:155)
- by 0x........: main (mempool2.c:196)
+ by 0x........: main (mempool2.c:208)
Address 0x........ is 0 bytes inside a block of size 32 alloc'd
at 0x........: malloc (vg_replace_malloc.c:...)
by 0x........: make_pool (mempool2.c:46)
by 0x........: test (mempool2.c:122)
- by 0x........: main (mempool2.c:196)
+ by 0x........: main (mempool2.c:208)
------ double free in mmap-backed pool ------
Illegal memory pool address
at 0x........: test (mempool2.c:159)
- by 0x........: main (mempool2.c:196)
+ by 0x........: main (mempool2.c:208)
Address 0x........ is in a rwx anonymous segment
@@ -81,17 +81,30 @@ Illegal memory pool address
Invalid read of size 1
at 0x........: test (mempool2.c:178)
- by 0x........: main (mempool2.c:196)
+ by 0x........: main (mempool2.c:208)
Address 0x........ is 1 bytes before a block of size 10 client-defined
at 0x........: test (mempool2.c:171)
- by 0x........: main (mempool2.c:196)
+ by 0x........: main (mempool2.c:208)
Invalid read of size 1
at 0x........: test (mempool2.c:179)
- by 0x........: main (mempool2.c:196)
+ by 0x........: main (mempool2.c:208)
Address 0x........ is 0 bytes after a block of size 10 client-defined
at 0x........: test (mempool2.c:171)
- by 0x........: main (mempool2.c:196)
+ by 0x........: main (mempool2.c:208)
+
+
+------ write to noaccess space close to reallocated object ------
+
+Invalid write of size 1
+ at 0x........: test (mempool2.c:195)
+ by 0x........: main (mempool2.c:208)
+ Address 0x........ is 1 bytes before a block of size 16 free'd
+ at 0x........: test (mempool2.c:190)
+ by 0x........: main (mempool2.c:208)
+ Block was alloc'd at
+ at 0x........: test (mempool2.c:189)
+ by 0x........: main (mempool2.c:208)
------ done ------
--
2.5.0