* [Qemu-devel] test-qmp-commands reads freed memory
From: Peter Maydell @ 2014-03-08 14:40 UTC
To: QEMU Developers; +Cc: Markus Armbruster, Luiz Capitulino
The test-qmp-commands test binary seems to read from freed
memory. This triggers the MacOSX malloc implementation's
assertions. git bisect blames
commit c2216a8a7a587e594f50bebbdf81fcf168444b68
Author: Markus Armbruster <armbru@redhat.com>
Date: Sat Mar 1 08:40:29 2014 +0100
tests/qapi-schema: Cover simple argument types
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Luiz Capitulino <lcapitulino@redhat.com>
Valgrind will spot it:

cam-vm-266:precise:qemu$ valgrind build/x86/tests/test-qmp-commands
==15391== Memcheck, a memory error detector
==15391== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
==15391== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
==15391== Command: build/x86/tests/test-qmp-commands
==15391==
/0.15/dispatch_cmd: OK
/0.15/dispatch_cmd_error: OK
/0.15/dispatch_cmd_io: ==15391== Invalid read of size 8
==15391==    at 0x1344F6: qobject_decref (qobject.h:97)
==15391==    by 0x134FFD: test_dispatch_cmd_io (test-qmp-commands.c:144)
==15391==    by 0x4E9A65A: ??? (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.3200.4)
==15391==    by 0x4E9A7D5: ??? (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.3200.4)
==15391==    by 0x4E9AB2A: g_test_run_suite (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.3200.4)
==15391==    by 0x13540D: main (test-qmp-commands.c:229)
==15391==  Address 0x5ea26a8 is 8 bytes inside a block of size 4,120 free'd
==15391==    at 0x4C2A82E: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==15391==    by 0x13B741: qdict_destroy_obj (qdict.c:477)
==15391==    by 0x134580: qobject_decref (qobject.h:100)
==15391==    by 0x134F41: test_dispatch_cmd_io (test-qmp-commands.c:136)
==15391==    by 0x4E9A65A: ??? (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.3200.4)
==15391==    by 0x4E9A7D5: ??? (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.3200.4)
==15391==    by 0x4E9AB2A: g_test_run_suite (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.3200.4)
==15391==    by 0x13540D: main (test-qmp-commands.c:229)
==15391==
==15391== Invalid write of size 8
==15391==    at 0x134502: qobject_decref (qobject.h:97)
==15391==    by 0x134FFD: test_dispatch_cmd_io (test-qmp-commands.c:144)
==15391==    by 0x4E9A65A: ??? (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.3200.4)
==15391==    by 0x4E9A7D5: ??? (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.3200.4)
==15391==    by 0x4E9AB2A: g_test_run_suite (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.3200.4)
==15391==    by 0x13540D: main (test-qmp-commands.c:229)
==15391==  Address 0x5ea26a8 is 8 bytes inside a block of size 4,120 free'd
==15391==    at 0x4C2A82E: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==15391==    by 0x13B741: qdict_destroy_obj (qdict.c:477)
==15391==    by 0x134580: qobject_decref (qobject.h:100)
==15391==    by 0x134F41: test_dispatch_cmd_io (test-qmp-commands.c:136)
==15391==    by 0x4E9A65A: ??? (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.3200.4)
==15391==    by 0x4E9A7D5: ??? (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.3200.4)
==15391==    by 0x4E9AB2A: g_test_run_suite (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.3200.4)
==15391==    by 0x13540D: main (test-qmp-commands.c:229)
==15391==
==15391== Invalid read of size 8
==15391==    at 0x13450A: qobject_decref (qobject.h:97)
==15391==    by 0x134FFD: test_dispatch_cmd_io (test-qmp-commands.c:144)
==15391==    by 0x4E9A65A: ??? (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.3200.4)
==15391==    by 0x4E9A7D5: ??? (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.3200.4)
==15391==    by 0x4E9AB2A: g_test_run_suite (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.3200.4)
==15391==    by 0x13540D: main (test-qmp-commands.c:229)
==15391==  Address 0x5ea26a8 is 8 bytes inside a block of size 4,120 free'd
==15391==    at 0x4C2A82E: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==15391==    by 0x13B741: qdict_destroy_obj (qdict.c:477)
==15391==    by 0x134580: qobject_decref (qobject.h:100)
==15391==    by 0x134F41: test_dispatch_cmd_io (test-qmp-commands.c:136)
==15391==    by 0x4E9A65A: ??? (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.3200.4)
==15391==    by 0x4E9A7D5: ??? (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.3200.4)
==15391==    by 0x4E9AB2A: g_test_run_suite (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.3200.4)
==15391==    by 0x13540D: main (test-qmp-commands.c:229)
==15391==
OK
thanks
-- PMM
* Re: [Qemu-devel] test-qmp-commands reads freed memory
From: Luiz Capitulino @ 2014-03-08 16:09 UTC
To: Peter Maydell; +Cc: QEMU Developers, Markus Armbruster
On Sat, 8 Mar 2014 14:40:27 +0000
Peter Maydell <peter.maydell@linaro.org> wrote:
> The test-qmp-commands test binary seems to read from freed
> memory. This triggers the MacOSX malloc implementation's
> assertions. git bisect blames
Can you try the patch below? For the clang ones, I'll have to install it etc,
so it will take a bit longer.
I wonder how this didn't explode...
diff --git a/tests/test-qmp-commands.c b/tests/test-qmp-commands.c
index 8e62c2d..554e222 100644
--- a/tests/test-qmp-commands.c
+++ b/tests/test-qmp-commands.c
@@ -141,7 +141,7 @@ static void test_dispatch_cmd_io(void)
ret3 = qobject_to_qint(test_qmp_dispatch(req));
assert(qint_get_int(ret3) == 66);
- QDECREF(ret);
+ QDECREF(ret3);
QDECREF(req);
}
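Review bot: Besides ending the double release of `ret`, the replacement also fixes a leak that the hunk does not mention: the QInt that `ret3` receives from the last `test_qmp_dispatch(req)` was asserted on but never released, so `QDECREF(ret3)` is the right line on both counts and the eventual commit message should say so. Since `ret` stays in scope after its first `QDECREF` (the Valgrind report in the opening message shows that release at test-qmp-commands.c:136 and the stale decrement at :144), setting `ret = NULL` immediately after that first release would turn any future stray `QDECREF(ret)` into a no-op instead of a read-modify-write of a freed block, assuming, as in QEMU's qobject.h, that qobject_decref tolerates a NULL pointer.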
* Re: [Qemu-devel] test-qmp-commands reads freed memory
From: Peter Maydell @ 2014-03-08 16:41 UTC
To: Luiz Capitulino; +Cc: QEMU Developers, Markus Armbruster
On 8 March 2014 16:09, Luiz Capitulino <lcapitulino@redhat.com> wrote:
> On Sat, 8 Mar 2014 14:40:27 +0000
> Peter Maydell <peter.maydell@linaro.org> wrote:
>
>> The test-qmp-commands test binary seems to read from freed
>> memory. This triggers the MacOSX malloc implementation's
>> assertions. git bisect blames
>
> Can you try the patch below? For the clang ones, I'll have to install it etc,
> so it will take a bit longer.
>
> I wonder how this didn't explode...
>
> diff --git a/tests/test-qmp-commands.c b/tests/test-qmp-commands.c
> index 8e62c2d..554e222 100644
> --- a/tests/test-qmp-commands.c
> +++ b/tests/test-qmp-commands.c
> @@ -141,7 +141,7 @@ static void test_dispatch_cmd_io(void)
>
> ret3 = qobject_to_qint(test_qmp_dispatch(req));
> assert(qint_get_int(ret3) == 66);
> - QDECREF(ret);
> + QDECREF(ret3);
>
> QDECREF(req);
> }
Yep, seems to work (both MacOSX and valgrind are happier).
Tested-by: Peter Maydell <peter.maydell@linaro.org>
-- PMM
* [Qemu-devel] [PATCH] tests: test-qmp-commands: Fix double free
From: Luiz Capitulino @ 2014-03-08 17:27 UTC
To: Peter Maydell; +Cc: QEMU Developers, Markus Armbruster
The ret variable is freed twice, but on the second time we actually want
to free ret3 instead. Don't know why this didn't explode.
Reported-by: Peter Maydell <peter.maydell@linaro.org>
Tested-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Luiz Capitulino <lcapitulino@redhat.com>
---
tests/test-qmp-commands.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/test-qmp-commands.c b/tests/test-qmp-commands.c
index 8e62c2d..554e222 100644
--- a/tests/test-qmp-commands.c
+++ b/tests/test-qmp-commands.c
@@ -141,7 +141,7 @@ static void test_dispatch_cmd_io(void)
ret3 = qobject_to_qint(test_qmp_dispatch(req));
assert(qint_get_int(ret3) == 66);
- QDECREF(ret);
+ QDECREF(ret3);
QDECREF(req);
}
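Review bot: The commit message's "Don't know why this didn't explode" can be answered from the Valgrind report in the opening message, and the answer belongs in the log: the stale `QDECREF(ret)` never calls free() a second time; it does an 8-byte read and write of the refcount field sitting 8 bytes inside a 4,120-byte block that was already freed from line 136 (qobject.h:97), and the decremented value does not hit zero again, so nothing fails unless the allocator or a tool checks accesses to freed memory, which is exactly why it surfaced only under OS X's malloc checks and Valgrind. Suggest the subject say "use-after-free" (or "double decref") rather than "double free", and that the message also note the change stops leaking `ret3`, the QInt the old code asserted on but never released.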
--
1.8.1.4
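An added example, not QEMU's code, showing the shape of the bug above and why the allocator decides whether it "explodes": a tiny refcounted object modelled on the QObject/QDECREF idiom, allocated from a fixed pool that keeps released slots addressable, so a second release of the same object is detected and counted instead of silently decrementing a refcount inside freed memory (the role Valgrind and the OS X malloc checks played in the thread). It also counts objects left alive, which exposes the leak of `ret3` that the fix removes. Every name here (RcObj, rc_new, rc_decref, RC_RELEASE, run_before_fix, run_after_fix) is invented for the example; the values 42 and 66 are constructed sample payloads.

```c
/* Added example, not QEMU code. Models QObject/QDECREF with a pool whose
 * released slots stay addressable, so a double release is detected rather
 * than turning into a read/write of freed memory. All names are invented. */
#include <stddef.h>
#include <stdio.h>

#define POOL_SIZE 8

typedef struct RcObj {
    unsigned refcnt;   /* 0 means the slot was never handed out */
    int freed;         /* 1 once released: the slot is a tombstone */
    long value;        /* constructed payload, like a QInt's integer */
} RcObj;

static RcObj pool[POOL_SIZE];
static int rc_double_release;   /* what a checking allocator would assert on */

/* Hand out a fresh slot with refcount 1; NULL when the pool is exhausted. */
static RcObj *rc_new(long value)
{
    for (size_t i = 0; i < POOL_SIZE; i++) {
        if (pool[i].refcnt == 0 && !pool[i].freed) {
            pool[i].refcnt = 1;
            pool[i].value = value;
            return &pool[i];
        }
    }
    return NULL;
}

/* Equivalent of QDECREF: drop one reference, release at zero. Releasing a
 * slot that is already a tombstone is the bug from the thread; here it is
 * counted instead of corrupting memory. NULL is a no-op. */
static void rc_decref(RcObj *obj)
{
    if (obj == NULL) {
        return;
    }
    if (obj->freed) {
        rc_double_release++;
        return;
    }
    if (--obj->refcnt == 0) {
        obj->freed = 1;
    }
}

/* Objects still holding references; anything left after a test is a leak. */
static int rc_live(void)
{
    int live = 0;
    for (size_t i = 0; i < POOL_SIZE; i++) {
        if (pool[i].refcnt > 0 && !pool[i].freed) {
            live++;
        }
    }
    return live;
}

static void rc_reset(void)
{
    for (size_t i = 0; i < POOL_SIZE; i++) {
        pool[i].refcnt = 0;
        pool[i].freed = 0;
        pool[i].value = 0;
    }
    rc_double_release = 0;
}

/* Safer release idiom: clear the caller's pointer so a stray second release
 * becomes a harmless NULL decref instead of a use of freed memory. */
#define RC_RELEASE(p) do { rc_decref(p); (p) = NULL; } while (0)

/* The test's shape before the fix: ret released twice, ret3 never released.
 * Returns the number of detected double releases; rc_live() gives leaks. */
static int run_before_fix(void)
{
    rc_reset();
    RcObj *req = rc_new(0);
    RcObj *ret = rc_new(42);
    RcObj *ret3 = rc_new(66);
    (void)ret3->value;   /* stands in for assert(qint_get_int(ret3) == 66) */
    rc_decref(ret);      /* first, legitimate release of ret */
    rc_decref(ret);      /* the bug: this line should have released ret3 */
    rc_decref(req);
    return rc_double_release;
}

/* The test's shape after the fix, using the pointer-clearing idiom. */
static int run_after_fix(void)
{
    rc_reset();
    RcObj *req = rc_new(0);
    RcObj *ret = rc_new(42);
    RcObj *ret3 = rc_new(66);
    (void)ret3->value;
    RC_RELEASE(ret);
    RC_RELEASE(ret3);
    RC_RELEASE(req);
    return rc_double_release;
}

int main(void)
{
    int d = run_before_fix();
    printf("before fix: %d double release(s), %d leaked object(s)\n", d, rc_live());
    d = run_after_fix();
    printf("after fix:  %d double release(s), %d leaked object(s)\n", d, rc_live());
    return 0;
}
```

Run as is: the "before" sequence reports one double release and one leaked object (ret3), the "after" sequence reports none of either. The tombstone pool is the point of the example: a production allocator that reuses freed memory would let the second decref succeed silently, exactly as the thread saw on Linux without Valgrind, so detection of this class of bug depends on running tests under a checking allocator or tool.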
* Re: [Qemu-devel] [PATCH] tests: test-qmp-commands: Fix double free
From: Eric Blake @ 2014-03-10 15:49 UTC
To: Luiz Capitulino, Peter Maydell; +Cc: QEMU Developers, Markus Armbruster
On 03/08/2014 10:27 AM, Luiz Capitulino wrote:
> The ret variable is freed twice, but on the second time we actually want
> to free ret3 instead. Don't know why this didn't explode.
>
> Reported-by: Peter Maydell <peter.maydell@linaro.org>
> Tested-by: Peter Maydell <peter.maydell@linaro.org>
> Signed-off-by: Luiz Capitulino <lcapitulino@redhat.com>
> ---
> tests/test-qmp-commands.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
Reviewed-by: Eric Blake <eblake@redhat.com>
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org