[linux-lvm] [lvm2cmd] Heap destruction by lvm2_exit()?
Hubert Kario
hubert at kario.pl
Tue Jul 31 23:23:26 UTC 2012
Hello everyone!
It seems that I'm using the lvm2cmd library in quite a specific way, as I call
lvm2_init() and lvm2_exit() multiple times during lifetime of a program,
or more specifically, my application calls lvm2_exit() as soon as it won't
need it for the next 10-15 minutes...
One specific problem I noticed is that after calling lvm2_exit() valgrind
complains about invalid *writes* while doing printf() of *static* strings.
At first I thought that this was just a false positive, but my application
isn't stable, and when it crashes glibc reports:
free(): invalid next size (fast)
gdb gives stacktrace pointing to freeing memory I'm completely sure is
allocated properly (it's strdup() of a const string, the same one that
previous 30000 allocations have and next 200000 allocations have).
So I've created a simple C program that also causes valgrind to complain as
soon as lvm2_exit() is called (attached below together with valgrind output).
In other words it looks to me like a bug in lvm2cmd library...
Please, keep me in CC as I'm not subscribed to this list
Regards,
Hubert Kario
Example application:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <lvm2cmd.h>

int
main(int argc, char **argv)
{
  char *big_alloc = calloc(sizeof(char), 1024*1024*10);

  void *handle = lvm2_init();

  printf("Some text to output\n");

  char *string = strdup("Other text");

  printf("Variable before: \"%s\"\n", string);

  lvm2_exit(handle);

  printf("Variable after: \"%s\"\n", string);

  free(string);
  free(big_alloc);

  return 0;
}
Interesting part of valgrind output:
Variable before: "Other text"
==3565== Invalid write of size 1
==3565== at 0x53BB944: _IO_file_xsputn@@GLIBC_2.2.5 (in /lib/libc-2.15.so)
==3565== by 0x538B607: vfprintf (in /lib/libc-2.15.so)
==3565== by 0x5395B98: printf (in /lib/libc-2.15.so)
==3565== by 0x4007F6: main (test.c:21)
==3565== Address 0x6b4c6a0 is 4,096 bytes inside a block of size 8,192 free'd
==3565== at 0x4C29A9E: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==3565== by 0x4E48B11: destroy_toolcontext (in /usr/lib/liblvm2cmd.so.2.02)
==3565== by 0x4EB5B02: lvm_fin (in /usr/lib/liblvm2cmd.so.2.02)
==3565== by 0x4007E0: main (test.c:19)
==3565==
==3565== Invalid write of size 1
==3565== at 0x53BB944: _IO_file_xsputn@@GLIBC_2.2.5 (in /lib/libc-2.15.so)
==3565== by 0x538E2F8: vfprintf (in /lib/libc-2.15.so)
==3565== by 0x5395B98: printf (in /lib/libc-2.15.so)
==3565== by 0x4007F6: main (test.c:21)
==3565== Address 0x6b4c6b1 is 4,113 bytes inside a block of size 8,192 free'd
==3565== at 0x4C29A9E: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==3565== by 0x4E48B11: destroy_toolcontext (in /usr/lib/liblvm2cmd.so.2.02)
==3565== by 0x4EB5B02: lvm_fin (in /usr/lib/liblvm2cmd.so.2.02)
==3565== by 0x4007E0: main (test.c:19)
==3565==
==3565== Invalid write of size 1
==3565== at 0x53BB944: _IO_file_xsputn@@GLIBC_2.2.5 (in /lib/libc-2.15.so)
==3565== by 0x538C6C7: vfprintf (in /lib/libc-2.15.so)
==3565== by 0x5395B98: printf (in /lib/libc-2.15.so)
==3565== by 0x4007F6: main (test.c:21)
==3565== Address 0x6b4c6bb is 4,123 bytes inside a block of size 8,192 free'd
==3565== at 0x4C29A9E: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==3565== by 0x4E48B11: destroy_toolcontext (in /usr/lib/liblvm2cmd.so.2.02)
==3565== by 0x4EB5B02: lvm_fin (in /usr/lib/liblvm2cmd.so.2.02)
==3565== by 0x4007E0: main (test.c:19)
==3565==
==3565== Syscall param write(buf) points to unaddressable byte(s)
==3565== at 0x541F150: __write_nocancel (in /lib/libc-2.15.so)
==3565== by 0x53BAFB2: _IO_file_write@@GLIBC_2.2.5 (in /lib/libc-2.15.so)
==3565== by 0x53BAE91: new_do_write (in /lib/libc-2.15.so)
==3565== by 0x53BBCB4: _IO_do_write@@GLIBC_2.2.5 (in /lib/libc-2.15.so)
==3565== by 0x53BB9B1: _IO_file_xsputn@@GLIBC_2.2.5 (in /lib/libc-2.15.so)
==3565== by 0x538C6C7: vfprintf (in /lib/libc-2.15.so)
==3565== by 0x5395B98: printf (in /lib/libc-2.15.so)
==3565== by 0x4007F6: main (test.c:21)
==3565== Address 0x6b4c6a0 is 4,096 bytes inside a block of size 8,192 free'd
==3565== at 0x4C29A9E: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==3565== by 0x4E48B11: destroy_toolcontext (in /usr/lib/liblvm2cmd.so.2.02)
==3565== by 0x4EB5B02: lvm_fin (in /usr/lib/liblvm2cmd.so.2.02)
==3565== by 0x4007E0: main (test.c:19)
==3565==
Variable after: "Other text"
==3934==
==3934== HEAP SUMMARY:
==3934== in use at exit: 0 bytes in 0 blocks
==3934== total heap usage: 2,575 allocs, 2,575 frees, 10,932,044 bytes allocated
==3934==
==3934== All heap blocks were freed -- no leaks are possible
==3934==
==3934== ERROR SUMMARY: 30 errors from 4 contexts (suppressed: 3 from 3)
--
Hubert Kario
hubert at kario.pl kario at wit.edu.pl https://hubert.kario.pl
PGP: 30D7 71F5 2F6F B157 872C D811 A1D0 6BC9 8956 DCFE
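
Added example (not part of the original message, and not liblvm2cmd code): the valgrind trace above, with printf() writing into an 8,192-byte block freed under destroy_toolcontext(), is the pattern produced when a library hands stdio a heap buffer with setvbuf() and frees it while the stream still uses it. That liblvm2cmd does this is an assumption; the toy_* names are hypothetical, and the code relies on glibc accepting setvbuf() after I/O has started.

```c
/* Added illustration, not liblvm2cmd code; every toy_* name is hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#define TOY_BUFSZ 4096
struct toy_ctx { FILE *stream; char *linebuf; };  /* linebuf is lent to stdio */
struct toy_ctx *toy_init(FILE *stream)
{
    struct toy_ctx *c = malloc(sizeof(*c));
    if (!c) return NULL;
    c->stream = stream;
    c->linebuf = malloc(TOY_BUFSZ);
    if (!c->linebuf || setvbuf(stream, c->linebuf, _IOLBF, TOY_BUFSZ) != 0) {
        free(c->linebuf); free(c); return NULL;
    }
    return c;
}

/* Buggy teardown (never called here): the stream keeps writing into linebuf. */
void toy_exit_buggy(struct toy_ctx *c) { free(c->linebuf); free(c); }
/* Fixed teardown: flush, make stdio drop the buffer (_IONBF; a NULL buffer
   with _IOFBF or _IOLBF is not guaranteed to detach it), only then free. */
int toy_exit_fixed(struct toy_ctx *c)
{
    int rc = fflush(c->stream);
    if (setvbuf(c->stream, NULL, _IONBF, 0) == 0) free(c->linebuf);
    else rc = -1;                      /* still attached: leak, do not dangle */
    free(c);
    return rc;
}
/* n init/exit cycles on a temp file, writing before and after each teardown;
   returns the number of lines that reached the file (2*n), or -1 on error. */
int toy_cycles(int n)
{
    FILE *fp = tmpfile();
    int lines = 0, ch;
    if (!fp) return -1;
    for (int i = 0; i < n; i++) {
        struct toy_ctx *c = toy_init(fp);
        if (!c || fprintf(fp, "before %d\n", i) < 0 || toy_exit_fixed(c) != 0) {
            fclose(fp); return -1;
        }
        fprintf(fp, "after %d\n", i);  /* safe: buffer already detached */
    }
    rewind(fp);
    while ((ch = fgetc(fp)) != EOF) lines += (ch == '\n');
    fclose(fp);
    return lines;
}
int main(void) { printf("lines written: %d\n", toy_cycles(3)); return 0; }
```

Swapping toy_exit_fixed() for toy_exit_buggy() in toy_cycles() and running under valgrind gives "Invalid write" reports of the same shape as the ones in the message.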