Re: [Libvirt-announce] [libvirt] libvirt-0.9.5 availability of rc2

On Sun, Sep 18, 2011 at 09:37:22AM -0500, Adam Litke wrote:
> I am getting SIGABRT and SIGSEGV in libvirtd when trying to catch blockJob events.
> When running under valgrind I get the following:
>
> ==19819== Thread 1:
> ==19819== Invalid free() / delete / delete[]
> ==19819==    at 0x4C282ED: free (vg_replace_malloc.c:366)
> ==19819==    by 0x4E7B48: virFree (memory.c:310)
> ==19819==    by 0x7669C32: virDomainEventFree (domain_event.c:510)
> ==19819==    by 0x766AFE2: virDomainEventQueueDispatch (domain_event.c:1154)
> ==19819==    by 0x766B19D: virDomainEventStateFlush (domain_event.c:1195)
> ==19819==    by 0x483E15: qemuDomainEventFlush (qemu_domain.c:134)
> ==19819==    by 0x507535: virEventPollRunOnce (event_poll.c:421)
> ==19819==    by 0x4E6D44: virEventRunDefaultImpl (event.c:247)
> ==19819==    by 0x44813C: virNetServerRun (virnetserver.c:701)
> ==19819==    by 0x41FECE: main (libvirtd.c:1564)
> ==19819==  Address 0x131b0a30 is 0 bytes inside a block of size 15 free'd
> ==19819==    at 0x4C282ED: free (vg_replace_malloc.c:366)
> ==19819==    by 0x7FB006C: xdr_string (xdr.c:722)
> ==19819==    by 0x43A5FD: xdr_remote_nonnull_string (remote_protocol.c:30)
> ==19819==    by 0x442E2B: xdr_remote_domain_event_block_job_msg (remote_protocol.c:4000)
> ==19819==    by 0x7FAF6C4: xdr_free (xdr.c:72)
> ==19819==    by 0x431BDA: remoteRelayDomainEventBlockJob (remote.c:363)

Hum, I wonder if remoteRelayDomainEventBlockJob shouldn't strdup the path string instead of using it directly in the remote_domain_event_block_job_msg block. As a result, since we now free the data pointed to by the xdr message within remoteDispatchDomainEventSend(), this error wasn't shown before but leads to a double free now.

BTW it seems we don't check all allocations in the xdr code (on purpose?), for example make_nonnull_domain() doesn't check a strdup.

Could you check the following patch?

Daniel

diff --git a/daemon/remote.c b/daemon/remote.c index 38bbb10..1d9156c 100644 --- a/daemon/remote.c +++ b/daemon/remote.c @@ -356,7 +356,11 @@ static int remoteRelayDomainEventBlockJob(virConnectPtr conn ATTRIBUTE_UNUSED, /* build return data */ memset(&data, 0, sizeof data); make_nonnull_domain(&data.dom, dom); - data.path = (char*)path; + data.path = strdup(path); + if (data.path == NULL) { + virReportOOMError(); + return -1; + } data.type = type; data.status = status;

--
Daniel Veillard      | libxml Gnome XML XSLT toolkit  http://xmlsoft.org/
daniel@veillard.com  | Rpmfind RPM search engine http://rpmfind.net/
http://veillard.com/ | virtualization library  http://libvirt.org/
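
Review bot: the new `return -1` in the `data.path == NULL` branch exits after `make_nonnull_domain(&data.dom, dom)` has already run, so whatever that helper allocated into `data.dom` (the message above notes it does a strdup) is not released on the OOM path. Either free the contents of `data.dom` before returning, or do the `strdup(path)` and its NULL check right after the `memset` and before `make_nonnull_domain()`, so the failure path has nothing to clean up. It would also help to add a short comment at the `strdup` saying that `data.path` is owned by the message and released by the later xdr free, since that ownership is the reason the borrowed `(char*)path` pointer was wrong.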