On 25 September 2013 16:59, Irek Szczesniak <[email protected]> wrote:
> On Wed, Sep 25, 2013 at 2:45 PM, Roland Mainz <[email protected]> wrote:
>> Hi!
>>
>> ----
>>
>> The following testcase...
>> -- snip --
>> typeset -T x_t=(
>>     bool running=true
>>
>>     function loopme
>>     {
>>         compound -A pt=(
>>             [irc]=( compound events=( bool pollin='true'
>> pollhup='true' ) )
>>             [userinput]=( compound events=( bool pollin='true' ) )
>>         )
>>     }
>> )
>>
>> function main
>> {
>>     x_t foo
>>     foo.loopme
>> }
>>
>> main
>> -- snip --
>>
>> ... triggers the following valgrind hit(s) on SuSE 12.3/AMD64/64bit:
>>
>> -- snip --
>> $ ~/vg/bin/valgrind --read-var-info=yes --num-callers=200 ~/bin/ksh /tmp/y.sh
>> ==14220== Memcheck, a memory error detector
>> ==14220== Copyright (C) 2002-2012, and GNU GPL'd, by Julian Seward et al.
>> ==14220== Using Valgrind-3.8.1 and LibVEX; rerun with -h for copyright info
>> ==14220== Command: /home/test001/bin/ksh /tmp/y.sh
>> [snip]
>> ==14220== Invalid read of size 8
>> ==14220==    at 0x449BF0: nv_name (name.c:3862)
>> ==14220==    by 0x44DF46: walk_tree (nvtree.c:1190)
>> ==14220==    by 0x44EA7A: put_tree (nvtree.c:1354)
>> ==14220==    by 0x494427: nv_putv (nvdisc.c:152)
>> ==14220==    by 0x4468B2: _nv_unset (name.c:2646)
>> ==14220==    by 0x446522: table_unset (name.c:2562)
>> ==14220==    by 0x4498CF: sh_unscope (name.c:3745)
>> ==14220==    by 0x471DB3: sh_funscope_20120720 (xec.c:4091)
>> ==14220==    by 0x4709F7: sh_funct (xec.c:3412)
>> ==14220==    by 0x46A4EC: sh_exec (xec.c:1584)
>> ==14220==    by 0x46CA4D: sh_exec (xec.c:2256)
>> ==14220==    by 0x471C93: sh_funscope_20120720 (xec.c:4082)
>> ==14220==    by 0x4709F7: sh_funct (xec.c:3412)
>> ==14220==    by 0x46A4EC: sh_exec (xec.c:1584)
>> ==14220==    by 0x40F7A2: exfile (main.c:610)
>> ==14220==    by 0x40E9ED: sh_main (main.c:382)
>> ==14220==    by 0x40DB70: main (pmain.c:45)
>> ==14220==  Address 0x59677b0 is 16 bytes inside a block of size 74 free'd
>> ==14220==    at 0x4C29BF2: _ast_free (vg_replace_malloc.c:1001)
>> ==14220==    by 0x4432E8: nv_delete (name.c:1383)
>> ==14220==    by 0x4A9300: nv_associative (array.c:1789)
>> ==14220==    by 0x4A5E57: array_putval (array.c:685)
>> ==14220==    by 0x494427: nv_putv (nvdisc.c:152)
>> ==14220==    by 0x4468B2: _nv_unset (name.c:2646)
>> ==14220==    by 0x446522: table_unset (name.c:2562)
>> ==14220==    by 0x4498CF: sh_unscope (name.c:3745)
>> ==14220==    by 0x471DB3: sh_funscope_20120720 (xec.c:4091)
>> ==14220==    by 0x4709F7: sh_funct (xec.c:3412)
>> ==14220==    by 0x46A4EC: sh_exec (xec.c:1584)
>> ==14220==    by 0x46CA4D: sh_exec (xec.c:2256)
>> ==14220==    by 0x471C93: sh_funscope_20120720 (xec.c:4082)
>> ==14220==    by 0x4709F7: sh_funct (xec.c:3412)
>> ==14220==    by 0x46A4EC: sh_exec (xec.c:1584)
>> ==14220==    by 0x40F7A2: exfile (main.c:610)
>> ==14220==    by 0x40E9ED: sh_main (main.c:382)
>> ==14220==    by 0x40DB70: main (pmain.c:45)
>> ==14220==
>> ==14220== Invalid read of size 8
>> ==14220==    at 0x449BFD: nv_name (name.c:3862)
>> ==14220==    by 0x44DF46: walk_tree (nvtree.c:1190)
>> ==14220==    by 0x44EA7A: put_tree (nvtree.c:1354)
>> ==14220==    by 0x494427: nv_putv (nvdisc.c:152)
>> ==14220==    by 0x4468B2: _nv_unset (name.c:2646)
>> ==14220==    by 0x446522: table_unset (name.c:2562)
>> ==14220==    by 0x4498CF: sh_unscope (name.c:3745)
>> ==14220==    by 0x471DB3: sh_funscope_20120720 (xec.c:4091)
>> ==14220==    by 0x4709F7: sh_funct (xec.c:3412)
>> ==14220==    by 0x46A4EC: sh_exec (xec.c:1584)
>> ==14220==    by 0x46CA4D: sh_exec (xec.c:2256)
>> ==14220==    by 0x471C93: sh_funscope_20120720 (xec.c:4082)
>> ==14220==    by 0x4709F7: sh_funct (xec.c:3412)
>> ==14220==    by 0x46A4EC: sh_exec (xec.c:1584)
>> ==14220==    by 0x40F7A2: exfile (main.c:610)
>> ==14220==    by 0x40E9ED: sh_main (main.c:382)
>> ==14220==    by 0x40DB70: main (pmain.c:45)
>> ==14220==  Address 0x59677b0 is 16 bytes inside a block of size 74 free'd
>> ==14220==    at 0x4C29BF2: _ast_free (vg_replace_malloc.c:1001)
>> ==14220==    by 0x4432E8: nv_delete (name.c:1383)
>> ==14220==    by 0x4A9300: nv_associative (array.c:1789)
>> ==14220==    by 0x4A5E57: array_putval (array.c:685)
>> ==14220==    by 0x494427: nv_putv (nvdisc.c:152)
>> ==14220==    by 0x4468B2: _nv_unset (name.c:2646)
>> ==14220==    by 0x446522: table_unset (name.c:2562)
>> ==14220==    by 0x4498CF: sh_unscope (name.c:3745)
>> ==14220==    by 0x471DB3: sh_funscope_20120720 (xec.c:4091)
>> ==14220==    by 0x4709F7: sh_funct (xec.c:3412)
>> ==14220==    by 0x46A4EC: sh_exec (xec.c:1584)
>> ==14220==    by 0x46CA4D: sh_exec (xec.c:2256)
>> ==14220==    by 0x471C93: sh_funscope_20120720 (xec.c:4082)
>> ==14220==    by 0x4709F7: sh_funct (xec.c:3412)
>> ==14220==    by 0x46A4EC: sh_exec (xec.c:1584)
>> ==14220==    by 0x40F7A2: exfile (main.c:610)
>> ==14220==    by 0x40E9ED: sh_main (main.c:382)
>> ==14220==    by 0x40DB70: main (pmain.c:45)
>> ==14220==
>> ==14220== Invalid read of size 1
>> ==14220==    at 0x449C01: nv_name (name.c:3862)
>> ==14220==    by 0x44DF46: walk_tree (nvtree.c:1190)
>> ==14220==    by 0x44EA7A: put_tree (nvtree.c:1354)
>> ==14220==    by 0x494427: nv_putv (nvdisc.c:152)
>> ==14220==    by 0x4468B2: _nv_unset (name.c:2646)
>> ==14220==    by 0x446522: table_unset (name.c:2562)
>> ==14220==    by 0x4498CF: sh_unscope (name.c:3745)
>> ==14220==    by 0x471DB3: sh_funscope_20120720 (xec.c:4091)
>> ==14220==    by 0x4709F7: sh_funct (xec.c:3412)
>> ==14220==    by 0x46A4EC: sh_exec (xec.c:1584)
>> ==14220==    by 0x46CA4D: sh_exec (xec.c:2256)
>> ==14220==    by 0x471C93: sh_funscope_20120720 (xec.c:4082)
>> ==14220==    by 0x4709F7: sh_funct (xec.c:3412)
>> ==14220==    by 0x46A4EC: sh_exec (xec.c:1584)
>> ==14220==    by 0x40F7A2: exfile (main.c:610)
>> ==14220==    by 0x40E9ED: sh_main (main.c:382)
>> ==14220==    by 0x40DB70: main (pmain.c:45)
>> ==14220==  Address 0x59677e0 is 64 bytes inside a block of size 74 free'd
>> ==14220==    at 0x4C29BF2: _ast_free (vg_replace_malloc.c:1001)
>> ==14220==    by 0x4432E8: nv_delete (name.c:1383)
>> ==14220==    by 0x4A9300: nv_associative (array.c:1789)
>> ==14220==    by 0x4A5E57: array_putval (array.c:685)
>> ==14220==    by 0x494427: nv_putv (nvdisc.c:152)
>> ==14220==    by 0x4468B2: _nv_unset (name.c:2646)
>> ==14220==    by 0x446522: table_unset (name.c:2562)
>> ==14220==    by 0x4498CF: sh_unscope (name.c:3745)
>> ==14220==    by 0x471DB3: sh_funscope_20120720 (xec.c:4091)
>> ==14220==    by 0x4709F7: sh_funct (xec.c:3412)
>> ==14220==    by 0x46A4EC: sh_exec (xec.c:1584)
>> ==14220==    by 0x46CA4D: sh_exec (xec.c:2256)
>> ==14220==    by 0x471C93: sh_funscope_20120720 (xec.c:4082)
>> ==14220==    by 0x4709F7: sh_funct (xec.c:3412)
>> ==14220==    by 0x46A4EC: sh_exec (xec.c:1584)
>> ==14220==    by 0x40F7A2: exfile (main.c:610)
>> ==14220==    by 0x40E9ED: sh_main (main.c:382)
>> ==14220==    by 0x40DB70: main (pmain.c:45)
>> ==14220==
>> ==14220== Invalid read of size 2
>> ==14220==    at 0x49CD8C: nv_type (nvtype.c:1362)
>> ==14220==    by 0x449C45: nv_name (name.c:3864)
>> ==14220==    by 0x44DF46: walk_tree (nvtree.c:1190)
>> ==14220==    by 0x44EA7A: put_tree (nvtree.c:1354)
>> ==14220==    by 0x494427: nv_putv (nvdisc.c:152)
>> ==14220==    by 0x4468B2: _nv_unset (name.c:2646)
>> ==14220==    by 0x446522: table_unset (name.c:2562)
>> ==14220==    by 0x4498CF: sh_unscope (name.c:3745)
>> ==14220==    by 0x471DB3: sh_funscope_20120720 (xec.c:4091)
>> ==14220==    by 0x4709F7: sh_funct (xec.c:3412)
>> ==14220==    by 0x46A4EC: sh_exec (xec.c:1584)
>> ==14220==    by 0x46CA4D: sh_exec (xec.c:2256)
>> ==14220==    by 0x471C93: sh_funscope_20120720 (xec.c:4082)
>> ==14220==    by 0x4709F7: sh_funct (xec.c:3412)
>> ==14220==    by 0x46A4EC: sh_exec (xec.c:1584)
>> ==14220==    by 0x40F7A2: exfile (main.c:610)
>> ==14220==    by 0x40E9ED: sh_main (main.c:382)
>> ==14220==    by 0x40DB70: main (pmain.c:45)
>> ==14220==  Address 0x59677b8 is 24 bytes inside a block of size 74 free'd
>> ==14220==    at 0x4C29BF2: _ast_free (vg_replace_malloc.c:1001)
>> ==14220==    by 0x4432E8: nv_delete (name.c:1383)
>> ==14220==    by 0x4A9300: nv_associative (array.c:1789)
>> ==14220==    by 0x4A5E57: array_putval (array.c:685)
>> ==14220==    by 0x494427: nv_putv (nvdisc.c:152)
>> ==14220==    by 0x4468B2: _nv_unset (name.c:2646)
>> ==14220==    by 0x446522: table_unset (name.c:2562)
>> ==14220==    by 0x4498CF: sh_unscope (name.c:3745)
>> ==14220==    by 0x471DB3: sh_funscope_20120720 (xec.c:4091)
>> ==14220==    by 0x4709F7: sh_funct (xec.c:3412)
>> ==14220==    by 0x46A4EC: sh_exec (xec.c:1584)
>> ==14220==    by 0x46CA4D: sh_exec (xec.c:2256)
>> ==14220==    by 0x471C93: sh_funscope_20120720 (xec.c:4082)
>> ==14220==    by 0x4709F7: sh_funct (xec.c:3412)
>> ==14220==    by 0x46A4EC: sh_exec (xec.c:1584)
>> ==14220==    by 0x40F7A2: exfile (main.c:610)
>> ==14220==    by 0x40E9ED: sh_main (main.c:382)
>> ==14220==    by 0x40DB70: main (pmain.c:45)
>> ==14220==
>> ==14220== Invalid read of size 8
>> ==14220==    at 0x49CDC9: nv_type (nvtype.c:1367)
>> ==14220==    by 0x449C45: nv_name (name.c:3864)
>> ==14220==    by 0x44DF46: walk_tree (nvtree.c:1190)
>> ==14220==    by 0x44EA7A: put_tree (nvtree.c:1354)
>> ==14220==    by 0x494427: nv_putv (nvdisc.c:152)
>> ==14220==    by 0x4468B2: _nv_unset (name.c:2646)
>> ==14220==    by 0x446522: table_unset (name.c:2562)
>> ==14220==    by 0x4498CF: sh_unscope (name.c:3745)
>> ==14220==    by 0x471DB3: sh_funscope_20120720 (xec.c:4091)
>> ==14220==    by 0x4709F7: sh_funct (xec.c:3412)
>> ==14220==    by 0x46A4EC: sh_exec (xec.c:1584)
>> ==14220==    by 0x46CA4D: sh_exec (xec.c:2256)
>> ==14220==    by 0x471C93: sh_funscope_20120720 (xec.c:4082)
>> ==14220==    by 0x4709F7: sh_funct (xec.c:3412)
>> ==14220==    by 0x46A4EC: sh_exec (xec.c:1584)
>> ==14220==    by 0x40F7A2: exfile (main.c:610)
>> ==14220==    by 0x40E9ED: sh_main (main.c:382)
>> ==14220==    by 0x40DB70: main (pmain.c:45)
>> ==14220==  Address 0x59677c0 is 32 bytes inside a block of size 74 free'd
>> ==14220==    at 0x4C29BF2: _ast_free (vg_replace_malloc.c:1001)
>> ==14220==    by 0x4432E8: nv_delete (name.c:1383)
>> ==14220==    by 0x4A9300: nv_associative (array.c:1789)
>> ==14220==    by 0x4A5E57: array_putval (array.c:685)
>> ==14220==    by 0x494427: nv_putv (nvdisc.c:152)
>> ==14220==    by 0x4468B2: _nv_unset (name.c:2646)
>> ==14220==    by 0x446522: table_unset (name.c:2562)
>> ==14220==    by 0x4498CF: sh_unscope (name.c:3745)
>> ==14220==    by 0x471DB3: sh_funscope_20120720 (xec.c:4091)
>> ==14220==    by 0x4709F7: sh_funct (xec.c:3412)
>> ==14220==    by 0x46A4EC: sh_exec (xec.c:1584)
>> ==14220==    by 0x46CA4D: sh_exec (xec.c:2256)
>> ==14220==    by 0x471C93: sh_funscope_20120720 (xec.c:4082)
>> ==14220==    by 0x4709F7: sh_funct (xec.c:3412)
>> ==14220==    by 0x46A4EC: sh_exec (xec.c:1584)
>> ==14220==    by 0x40F7A2: exfile (main.c:610)
>> ==14220==    by 0x40E9ED: sh_main (main.c:382)
>> ==14220==    by 0x40DB70: main (pmain.c:45)
>> ==14220==
>> ==14220== Invalid read of size 2
>> ==14220==    at 0x449C4F: nv_name (name.c:3864)
>> ==14220==    by 0x44DF46: walk_tree (nvtree.c:1190)
>> ==14220==    by 0x44EA7A: put_tree (nvtree.c:1354)
>> ==14220==    by 0x494427: nv_putv (nvdisc.c:152)
>> ==14220==    by 0x4468B2: _nv_unset (name.c:2646)
>> ==14220==    by 0x446522: table_unset (name.c:2562)
>> ==14220==    by 0x4498CF: sh_unscope (name.c:3745)
>> ==14220==    by 0x471DB3: sh_funscope_20120720 (xec.c:4091)
>> ==14220==    by 0x4709F7: sh_funct (xec.c:3412)
>> ==14220==    by 0x46A4EC: sh_exec (xec.c:1584)
>> ==14220==    by 0x46CA4D: sh_exec (xec.c:2256)
>> ==14220==    by 0x471C93: sh_funscope_20120720 (xec.c:4082)
>> ==14220==    by 0x4709F7: sh_funct (xec.c:3412)
>> ==14220==    by 0x46A4EC: sh_exec (xec.c:1584)
>> ==14220==    by 0x40F7A2: exfile (main.c:610)
>> ==14220==    by 0x40E9ED: sh_main (main.c:382)
>> ==14220==    by 0x40DB70: main (pmain.c:45)
>> ==14220==  Address 0x59677b8 is 24 bytes inside a block of size 74 free'd
>> ==14220==    at 0x4C29BF2: _ast_free (vg_replace_malloc.c:1001)
>> ==14220==    by 0x4432E8: nv_delete (name.c:1383)
>> ==14220==    by 0x4A9300: nv_associative (array.c:1789)
>> ==14220==    by 0x4A5E57: array_putval (array.c:685)
>> ==14220==    by 0x494427: nv_putv (nvdisc.c:152)
>> ==14220==    by 0x4468B2: _nv_unset (name.c:2646)
>> ==14220==    by 0x446522: table_unset (name.c:2562)
>> ==14220==    by 0x4498CF: sh_unscope (name.c:3745)
>> ==14220==    by 0x471DB3: sh_funscope_20120720 (xec.c:4091)
>> ==14220==    by 0x4709F7: sh_funct (xec.c:3412)
>> ==14220==    by 0x46A4EC: sh_exec (xec.c:1584)
>> ==14220==    by 0x46CA4D: sh_exec (xec.c:2256)
>> ==14220==    by 0x471C93: sh_funscope_20120720 (xec.c:4082)
>> ==14220==    by 0x4709F7: sh_funct (xec.c:3412)
>> ==14220==    by 0x46A4EC: sh_exec (xec.c:1584)
>> ==14220==    by 0x40F7A2: exfile (main.c:610)
>> ==14220==    by 0x40E9ED: sh_main (main.c:382)
>> ==14220==    by 0x40DB70: main (pmain.c:45)
>> ==14220==
>> ==14220==
>> ==14220== HEAP SUMMARY:
>> ==14220==     in use at exit: 232,743 bytes in 183 blocks
>> ==14220==   total heap usage: 691 allocs, 508 frees, 483,318 bytes allocated
>> ==14220==
>> ==14220== LEAK SUMMARY:
>> ==14220==    definitely lost: 128 bytes in 2 blocks
>> ==14220==    indirectly lost: 0 bytes in 0 blocks
>> ==14220==      possibly lost: 10,570 bytes in 6 blocks
>> ==14220==    still reachable: 222,045 bytes in 175 blocks
>> ==14220==         suppressed: 0 bytes in 0 blocks
>> ==14220== Rerun with --leak-check=full to see details of leaked memory
>> ==14220==
>> ==14220== For counts of detected and suppressed errors, rerun with: -v
>> ==14220== ERROR SUMMARY: 7 errors from 7 contexts (suppressed: 0 from 0)
>> -- snip --
>>
>> I think I reported this bug or a similar one to the list a while ago... ;-(
>
> I've seen that kind of bug before but could never pinpoint it to a
> point where I could create a reduced testcase. The bug seriously
> impairs our ability to use the type system in ksh93 so a quick fix
> would be appreciated.

I think the common cause is associative compound array + enum (bool).
After upgrading to ast-ksh.20130926 we've experienced total chaos
because our applications randomly crash; if I use
VMALLOC_OPTIONS='abort' we see similar stack traces to those reported
here with use-after-free().

Ced
--
Cedric Blancher <[email protected]>
Institute Pasteur
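
A triage helper for the Memcheck report quoted above, added here as an example and not part of the original thread: it groups invalid accesses by the freed block they touch, so a run of errors collapses to one stale block and the function that released it. The function and variable names are this example's own, and `SAMPLE` is abridged from the report (two errors, frames trimmed).

```python
import re
from collections import defaultdict

# Abridged from the Memcheck report in the thread: two errors, stacks trimmed.
SAMPLE = """\
==14220== Invalid read of size 8
==14220==    at 0x449BF0: nv_name (name.c:3862)
==14220==    by 0x44DF46: walk_tree (nvtree.c:1190)
==14220==  Address 0x59677b0 is 16 bytes inside a block of size 74 free'd
==14220==    at 0x4C29BF2: _ast_free (vg_replace_malloc.c:1001)
==14220==    by 0x4432E8: nv_delete (name.c:1383)
==14220==    by 0x4A9300: nv_associative (array.c:1789)
==14220==
==14220== Invalid read of size 2
==14220==    at 0x49CD8C: nv_type (nvtype.c:1362)
==14220==    by 0x449C45: nv_name (name.c:3864)
==14220==  Address 0x59677b8 is 24 bytes inside a block of size 74 free'd
==14220==    at 0x4C29BF2: _ast_free (vg_replace_malloc.c:1001)
==14220==    by 0x4432E8: nv_delete (name.c:1383)
==14220==    by 0x4A9300: nv_associative (array.c:1789)
"""

PREFIX = re.compile(r"^==\d+==\s?")
ACCESS = re.compile(r"Invalid (read|write) of size (\d+)")
FRAME = re.compile(r"(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \(([^)]*)\)")
BLOCK = re.compile(r"Address 0x([0-9A-Fa-f]+) is (\d+) bytes inside a block of size (\d+) free'd")
ALLOC_WRAPPERS = {"_ast_free", "free"}  # allocator shims, skipped when naming the freer

def group_by_freed_block(report):
    """Map (block base address, block size, freeing function) -> access sites."""
    groups = defaultdict(list)
    cur = None  # error currently being parsed
    for raw in report.splitlines():
        line = PREFIX.sub("", raw).strip()
        if m := ACCESS.search(line):
            cur = {"kind": m[1], "size": int(m[2]), "site": None, "block": None}
        elif cur is None:
            continue  # banner, summary, or frames below the freer
        elif m := BLOCK.search(line):
            # address minus offset gives the base of the freed block
            cur["block"] = (int(m[1], 16) - int(m[2]), int(m[3]))
        elif m := FRAME.search(line):
            if cur["block"] is None:  # still in the access stack: keep top frame
                cur["site"] = cur["site"] or f"{m[1]} ({m[2]})"
            elif m[1] not in ALLOC_WRAPPERS:  # first real frame of the free stack
                key = (*cur["block"], m[1])
                groups[key].append((cur["kind"], cur["size"], cur["site"]))
                cur = None
    return dict(groups)
```

On the sample, both reads resolve to the same 74-byte block at base `0x59677a0`, released through `nv_delete`.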
