---
**[tickets:#3337] mds: mdstest api coredump when use MDS queue ownership**
**Status:** assigned
**Milestone:** 5.23.07
**Created:** Wed Apr 26, 2023 09:19 AM UTC by PhanTranQuocDat
**Last Updated:** Wed Apr 26, 2023 09:19 AM UTC
**Owner:** PhanTranQuocDat
Steps to reproduce
------------------
run: mdstest 18
Observed behaviour
------------------
Test case failed with "double free" report.
CAUSE:
-------------------
When MDS receives a message, it goes through a process to deliver the data to
the upper layer. If MDS queue ownership is used, the message is put into the
mailbox through mds_mcm_mailbox_post() and is only read when mds_mailbox_proc()
is invoked. After putting the message into the mailbox, the send-data process
is considered done, and MDS deletes the buffer it previously allocated. This
delete is wrong: later, when the message is processed through
mds_mailbox_proc(), the receiver reads it (invalid read) and tries to free the
message once again, causing the "double free" error.
Error messages
------------------
backtrace:

```
Thread 1 (Thread 0x7f2aa6d2cb00 (LWP 3398)):
#0 GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
set = {val = {0, 0, 0, 206158430210, 0, 139821157765124,
562945658454528, 139821157765124, 139821164183276, 139821157854076,
139821164183248, 281470681874431, 131071, 6794816100368768768, 564113889561918,
139821049716696}}
pid = <optimized out>
tid = <optimized out>
ret = <optimized out>
#1 0x00007f2aa60fe7f1 in GI_abort () at abort.c:79
save_stage = 1
act = {sigaction_handler = {sa_handler = 0xa03bffff, sa_sigaction =
0xa03bffff}, sa_mask = {val = {1, 564113889561918, 139821157846167,
2199023255553, 139821049716586, 4295032831, 564113889561918, 0,
282333970170112, 2, 2563, 3390, 139821164183768, 1, 139821164183744,
139821164184032}}, sa_flags = -1496137536, sa_restorer = 0x1000}
sigs = {val = {32, 0 <repeats 15 times>}}
cnt = <optimized out>
set = <optimized out>
cnt = <optimized out>
set = <optimized out>
#2 0x00007f2aa6147837 in libc_message (action=action@entry=do_abort,
fmt=fmt@entry=0x7f2aa6274a7b "%s\n") at ../sysdeps/posix/libc_fatal.c:181
ap = {{gp_offset = 24, fp_offset = 0, overflow_arg_area =
0x7f2aa6d2c1f0, reg_save_area = 0x7f2aa6d2c180}}
fd = <optimized out>
list = <optimized out>
nlist = <optimized out>
cp = <optimized out>
written = <optimized out>
on_2 = <optimized out>
next = <optimized out>
str = <optimized out>
len = <optimized out>
newp = <optimized out>
iov = <optimized out>
total = <optimized out>
cnt = <optimized out>
buf = <optimized out>
wp = <optimized out>
old = <optimized out>
cnt = <optimized out>
result = <optimized out>
#3 0x00007f2aa614e8ba in malloc_printerr (str=str@entry=0x7f2aa6276740 "double
free or corruption (fasttop)") at malloc.c:5342
No locals.
#4 0x00007f2aa6259c4b in _int_free (have_lock=0, p=0x7f2aa0002160,
av=0x7f2aa0000020) at malloc.c:4260
idx = <optimized out>
old = <optimized out>
idx = <optimized out>
old = <optimized out>
old2 = <optimized out>
old2 = <optimized out>
fb = <optimized out>
nextsize = <optimized out>
nextinuse = <optimized out>
prevsize = <optimized out>
fwd = <optimized out>
size = <optimized out>
nextchunk = <optimized out>
bck = <optimized out>
size = <optimized out>
fb = <optimized out>
nextchunk = <optimized out>
nextsize = <optimized out>
nextinuse = <optimized out>
prevsize = <optimized out>
bck = <optimized out>
fwd = <optimized out>
tc_idx = <optimized out>
e = <optimized out>
tmp = <optimized out>
idx = <optimized out>
old = <optimized out>
old2 = <optimized out>
fail = <optimized out>
ignore1 = <optimized out>
ignore2 = <optimized out>
ignore3 = <optimized out>
ignore = <optimized out>
atg1_result = <optimized out>
ret = <optimized out>
ret = <optimized out>
ret = <optimized out>
ret = <optimized out>
ignore1 = <optimized out>
ignore2 = <optimized out>
ignore3 = <optimized out>
heap = <optimized out>
ignore = <optimized out>
#5 GI_libc_free (mem=0x7f2aa0002170) at malloc.c:3134
ar_ptr = 0x7f2aa0000020
p = 0x7f2aa0002160
hook = <optimized out>
mem = 0x7f2aa0002170
ar_ptr = <optimized out>
p = <optimized out>
hook = <optimized out>
x = <optimized out>
ar_ptr = <optimized out>
p = <optimized out>
hook = <optimized out>
ar_ptr = <optimized out>
p = <optimized out>
hook = <optimized out>
x = <optimized out>
#6 tcache_thread_shutdown () at malloc.c:2979
e = 0x7f2aa0002170
i = <optimized out>
tcache_tmp = <optimized out>
i = <optimized out>
tcache_tmp = <optimized out>
e = <optimized out>
#7 arena_thread_freeres () at arena.c:950
a = <optimized out>
PRETTY_FUNCTION = "arena_thread_freeres"
#8 0x00007f2aa625a562 in libc_thread_freeres () at thread-freeres.c:29
ptr = 0x7f2aa64a5740
<elf_set_libc_thread_subfreeres_element_arena_thread_freeres>
#9 0x00007f2aa64b6700 in start_thread (arg=0x7f2aa6d2cb00) at
pthread_create.c:476
pd = 0x7f2aa6d2cb00
now = <optimized out>
unwind_buf = {cancel_jmp_buf = {{jmp_buf = {139821164186368,
-4330361106019401868, 139821164184448, 1, 0, 140731572523136,
4445679699519848308, 4445680733411852148}, mask_was_saved = 0}}, priv = {pad =
{0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}}
not_first_call = <optimized out>
#10 0x00007f2aa61df61f in clone () at
../sysdeps/unix/sysv/linux/x86_64/clone.S:95
No locals.
51 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
```
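
The ownership mistake described under CAUSE, as an added example that is not OpenSAF code: a sender that releases a buffer after a successful mailbox post, next to a sender that releases it only when the post did not take ownership. All names here (`msg`, `mailbox`, `mailbox_post`, `mailbox_proc`, `deliver_buggy`, `deliver_fixed`) are hypothetical, and release is modelled as a counter on a static pool so the second release can be observed instead of aborting in the allocator.

```c
#include <stdbool.h>

/* Hypothetical model, not OpenSAF code. "Release" only counts on a static
 * pool, so a second release is observable instead of aborting in malloc. */
struct msg { int payload; int releases; };
struct mailbox { struct msg *slot[4]; unsigned head, count; };
static struct msg pool[8];
static unsigned pool_next;

static struct msg *msg_alloc(int payload) {
    struct msg *m = &pool[pool_next++ % 8];
    *m = (struct msg){ payload, 0 };
    return m;
}

/* On success the mailbox owns m; on failure the caller still owns it. */
static bool mailbox_post(struct mailbox *b, struct msg *m) {
    if (b->count == 4) return false;
    b->slot[(b->head + b->count++) % 4] = m;
    return true;
}

/* Receiver: read, then release. 1 = sender already released it, 0 = live. */
static int mailbox_proc(struct mailbox *b) {
    if (b->count == 0) return -1;
    struct msg *m = b->slot[b->head];
    b->head = (b->head + 1) % 4;
    b->count--;
    return m->releases++ > 0;
}

/* Reported pattern: the sender releases after posting, whoever owns m. */
static void deliver_buggy(struct mailbox *b, struct msg *m) {
    mailbox_post(b, m);
    m->releases++;
}

/* Ownership-aware pattern: release only when the post did not take m. */
static bool deliver_fixed(struct mailbox *b, struct msg *m) {
    bool queued = mailbox_post(b, m);
    if (!queued) m->releases++;
    return queued;
}

int main(void) {
    struct mailbox a = {0}, b = {0};
    deliver_buggy(&a, msg_alloc(1));
    deliver_fixed(&b, msg_alloc(2));
    return (mailbox_proc(&a) == 1 && mailbox_proc(&b) == 0) ? 0 : 1;
}
```

With a real allocator the stale case is the one glibc reports as "double free or corruption"; the full-mailbox branch in `deliver_fixed` is the case where the sender is still the owner and must release.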