Re: [libvirt] [ruby-libvirt] Don't free more entries than we retrieved
On Tue, Jan 07, 2014 at 03:38:48PM -0500, Chris Lalancette wrote:
On Tue, Jan 7, 2014 at 3:24 PM, Guido Günther <agx(a)sigxcpu.org>
wrote:
> The vir*List* functions return the number of fetched entries. We mustn't
> free more, otherwise we'll crash like
>
> #0 0xb779d424 in __kernel_vsyscall ()
> #1 0xb733981f in __GI_raise (sig=sig@entry=6) at
../nptl/sysdeps/unix/sysv/linux/raise.c:56
> #2 0xb733ccd3 in __GI_abort () at abort.c:90
> #3 0xb7376275 in __libc_message (do_abort=do_abort@entry=2,
fmt=fmt@entry=0xb74767d0 "*** Error in `%s': %s: 0x%s ***\n") at
../sysdeps/unix/sysv/linux/libc_fatal.c:199
> #4 0xb7380e52 in malloc_printerr (action=<optimized out>, str=<optimized
out>, ptr=0xb7087000) at malloc.c:4923
> #5 0xb7381b90 in _int_free (av=0xb74b7440 <main_arena>, p=0xb7086ff8,
have_lock=0) at malloc.c:3779
> #6 0xb75c059f in ruby_xfree () from /usr/lib/libruby-1.9.1.so.1.9
> #7 0xb7076448 in ruby_libvirt_generate_list () from
/usr/lib/ruby/vendor_ruby/1.9.1/i486-linux/_libvirt.so
> ...
>
> since we're trying to free random addresses.
Hm, this is pretty weird. At all ruby_libvirt_generate_list() call
sites, there is a line of code that precedes it that checks for r < 0.
If r is less than 0, then we generate an exception, which means that
the code that follows should never be called, and thus we should never
need this patch.
The check for < 0 might be superfluos but freeing num entries instead of
only r ones looks wrong to me since r is the number of allocated names,
not num. I'm happy to send a patch dropping the < 0 part.
Can you explain a bit more why this patch helps, and/or give me a
test
case that will cause it to fail?
I've been running test_nodedevice as non root which triggered this.
Cheers,
-- Guido
Thanks,
Chris