[linux-lvm] [lvm2cmd] Heap destruction by lvm2_exit()?

Hubert Kario hubert at kario.pl
Tue Jul 31 23:23:26 UTC 2012


Hello everyone!

It seems that I'm using the lvm2cmd library in a quite specific way, as I call
lvm2_init() and lvm2_exit() multiple times during the lifetime of a program,
or more specifically, my application calls lvm2_exit() as soon as it won't
need it for the next 10-15 minutes...

One specific problem I noticed is that after calling lvm2_exit() valgrind
complains about invalid *writes* while doing printf() of *static* strings.

At first I thought that this was just a false positive, but my application
isn't stable, and when it crashes glibc reports:

	free(): invalid next size (fast)

gdb gives a stacktrace pointing to freeing memory I'm completely sure is
allocated properly (it's a strdup() of a const string, the same one that the
previous 30000 allocations and the next 200000 allocations have).

So I've created a simple C program that also causes valgrind to complain as
soon as lvm2_exit() is called (attached below together with valgrind output).
In other words, it looks to me like a bug in the lvm2cmd library...

Please keep me in CC as I'm not subscribed to this list.

Regards,
Hubert Kario


Example application:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <lvm2cmd.h>

int
main(int argc, char **argv)
{
    char *big_alloc = calloc(sizeof(char), 1024*1024*10); /* 10 MiB heap block */

    void *handle = lvm2_init();                           /* library init */

    printf("Some text to output\n");

    char *string = strdup("Other text");                  /* heap copy, printed before and after */

    printf("Variable before: \"%s\"\n", string);

    lvm2_exit(handle);                                    /* test.c:19 in the valgrind trace */

    printf("Variable after: \"%s\"\n", string);           /* test.c:21: the invalid writes */

    free(string);
    free(big_alloc);

    return 0;
}

Interesting part of valgrind output:

Variable before: "Other text"
==3565== Invalid write of size 1
==3565==    at 0x53BB944: _IO_file_xsputn@@GLIBC_2.2.5 (in /lib/libc-2.15.so)
==3565==    by 0x538B607: vfprintf (in /lib/libc-2.15.so)
==3565==    by 0x5395B98: printf (in /lib/libc-2.15.so)
==3565==    by 0x4007F6: main (test.c:21)
==3565==  Address 0x6b4c6a0 is 4,096 bytes inside a block of size 8,192 free'd
==3565==    at 0x4C29A9E: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==3565==    by 0x4E48B11: destroy_toolcontext (in /usr/lib/liblvm2cmd.so.2.02)
==3565==    by 0x4EB5B02: lvm_fin (in /usr/lib/liblvm2cmd.so.2.02)
==3565==    by 0x4007E0: main (test.c:19)
==3565== 
==3565== Invalid write of size 1
==3565==    at 0x53BB944: _IO_file_xsputn@@GLIBC_2.2.5 (in /lib/libc-2.15.so)
==3565==    by 0x538E2F8: vfprintf (in /lib/libc-2.15.so)
==3565==    by 0x5395B98: printf (in /lib/libc-2.15.so)
==3565==    by 0x4007F6: main (test.c:21)
==3565==  Address 0x6b4c6b1 is 4,113 bytes inside a block of size 8,192 free'd
==3565==    at 0x4C29A9E: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==3565==    by 0x4E48B11: destroy_toolcontext (in /usr/lib/liblvm2cmd.so.2.02)
==3565==    by 0x4EB5B02: lvm_fin (in /usr/lib/liblvm2cmd.so.2.02)
==3565==    by 0x4007E0: main (test.c:19)
==3565== 
==3565== Invalid write of size 1
==3565==    at 0x53BB944: _IO_file_xsputn@@GLIBC_2.2.5 (in /lib/libc-2.15.so)
==3565==    by 0x538C6C7: vfprintf (in /lib/libc-2.15.so)
==3565==    by 0x5395B98: printf (in /lib/libc-2.15.so)
==3565==    by 0x4007F6: main (test.c:21)
==3565==  Address 0x6b4c6bb is 4,123 bytes inside a block of size 8,192 free'd
==3565==    at 0x4C29A9E: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==3565==    by 0x4E48B11: destroy_toolcontext (in /usr/lib/liblvm2cmd.so.2.02)
==3565==    by 0x4EB5B02: lvm_fin (in /usr/lib/liblvm2cmd.so.2.02)
==3565==    by 0x4007E0: main (test.c:19)
==3565== 
==3565== Syscall param write(buf) points to unaddressable byte(s)
==3565==    at 0x541F150: __write_nocancel (in /lib/libc-2.15.so)
==3565==    by 0x53BAFB2: _IO_file_write@@GLIBC_2.2.5 (in /lib/libc-2.15.so)
==3565==    by 0x53BAE91: new_do_write (in /lib/libc-2.15.so)
==3565==    by 0x53BBCB4: _IO_do_write@@GLIBC_2.2.5 (in /lib/libc-2.15.so)
==3565==    by 0x53BB9B1: _IO_file_xsputn@@GLIBC_2.2.5 (in /lib/libc-2.15.so)
==3565==    by 0x538C6C7: vfprintf (in /lib/libc-2.15.so)
==3565==    by 0x5395B98: printf (in /lib/libc-2.15.so)
==3565==    by 0x4007F6: main (test.c:21)
==3565==  Address 0x6b4c6a0 is 4,096 bytes inside a block of size 8,192 free'd
==3565==    at 0x4C29A9E: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==3565==    by 0x4E48B11: destroy_toolcontext (in /usr/lib/liblvm2cmd.so.2.02)
==3565==    by 0x4EB5B02: lvm_fin (in /usr/lib/liblvm2cmd.so.2.02)
==3565==    by 0x4007E0: main (test.c:19)
==3565== 
Variable after: "Other text"
==3934== 
==3934== HEAP SUMMARY:
==3934==     in use at exit: 0 bytes in 0 blocks
==3934==   total heap usage: 2,575 allocs, 2,575 frees, 10,932,044 bytes allocated
==3934== 
==3934== All heap blocks were freed -- no leaks are possible
==3934== 
==3934== ERROR SUMMARY: 30 errors from 4 contexts (suppressed: 3 from 3)
-- 
Hubert Kario
hubert at kario.pl     kario at wit.edu.pl    https://hubert.kario.pl
PGP: 30D7 71F5 2F6F B157 872C  D811 A1D0 6BC9 8956 DCFE
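The invalid writes in the trace come from _IO_file_xsputn(), stdio copying into the stream's buffer, and land in an 8,192-byte heap block that destroy_toolcontext() freed, which is what a library that installed its own heap buffer on stdout with setvbuf() and freed it at exit without detaching it would produce (a hypothesis consistent with the trace, not something this mail confirms). The added example below, which is not lvm2's code, models that teardown bug beside a corrected teardown on a tmpfile() stream so it can run safely. lib_init(), lib_exit_buggy(), lib_exit_fixed() and demo_fixed_roundtrip() are hypothetical names.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct lib_ctx { FILE *stream; char *linebuffer; }; /* hypothetical, not lvm2's */

/* init: redirect the stream's buffering into 8 KiB of heap the library owns. */
int lib_init(struct lib_ctx *ctx, FILE *stream)
{
    ctx->stream = stream;
    ctx->linebuffer = malloc(8192);
    if (!ctx->linebuffer)
        return -1;
    return setvbuf(stream, ctx->linebuffer, _IOFBF, 8192);
}

/* Defective teardown: frees the buffer while the stream still points at it, so
 * later fprintf() calls write into freed heap, as in the trace above. Not called. */
void lib_exit_buggy(struct lib_ctx *ctx)
{
    free(ctx->linebuffer);
    ctx->linebuffer = NULL;
}

/* Corrected teardown: flush, move the stream onto storage that can never be freed
 * out from under it, then free ours (setvbuf with NULL need not displace a user buffer). */
int lib_exit_fixed(struct lib_ctx *ctx)
{
    static char fallback[BUFSIZ];
    if (fflush(ctx->stream) != 0 ||
        setvbuf(ctx->stream, fallback, _IOFBF, sizeof fallback) != 0)
        return -1;
    free(ctx->linebuffer);
    ctx->linebuffer = NULL;
    return 0;
}

/* Exercise the fixed path on a tmpfile(); 1 if output after teardown is intact. */
int demo_fixed_roundtrip(void)
{
    struct lib_ctx ctx;
    char readback[32] = {0};
    FILE *fp = tmpfile();
    if (!fp || lib_init(&ctx, fp) != 0 || fprintf(fp, "before;") < 0 ||
        lib_exit_fixed(&ctx) != 0 || fprintf(fp, "after") < 0)
        return 0;
    rewind(fp);                         /* flushes, then seeks back to read */
    fgets(readback, sizeof readback, fp);
    fclose(fp);
    return strcmp(readback, "before;after") == 0;
}
```

Running the buggy variant under valgrind reproduces the "inside a block ... free'd" report for every print after teardown; the fixed variant reports nothing.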