- **status**: assigned --> review
---
** [tickets:#3337] mds: mdstest api coredump when when use MDS queue
ownership**
**Status:** review
**Milestone:** 5.23.07
**Created:** Wed Apr 26, 2023 09:19 AM UTC by PhanTranQuocDat
**Last Updated:** Wed Apr 26, 2023 09:28 AM UTC
**Owner:** PhanTranQuocDat
**Attachments:**
-
[bt_core.1682494999.mdstest.694.SC-1](https://sourceforge.net/p/opensaf/tickets/3337/attachment/bt_core.1682494999.mdstest.694.SC-1)
(16.0 kB; application/octet-stream)
Steps to reproduce
------------------
run: mdstest 18
Observed behaviour
------------------
Test case failed with "double free" report.
CAUSE:
-------------------
When receive message, mds will go through process to send data to upper layer.
If mds queue ownership is used, message will be put to mailbox through
mds_mcm_mailbox_post() and only be read when invoke mds_mailbox_proc().
After put message to mailbox, the send-data process is considered done, mds
will delete the buffer previously allocated. This delete is wrong as latter,
when message is invoke through mds_mailbox_proc, the receiver will read
(invalid read) and try to free the message once again, causing "double free"
error.
Error messages
------------------
backtrace:
**Thread 1 (Thread 0x7fa902c5bd40 (LWP 694)):
**#0 GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
set = {val = {0, 0, 0, 0, 140363863464240, 140363863369568,
3472368028161671168, 0, 0, 206158430216, 140723921026448, 140723921026256, 0,
0, 0, 0}}
pid = <optimized out>
tid = <optimized out>
ret = <optimized out>
#1 0x00007fa901fc67f1 in GI_abort () at abort.c:79
save_stage = 1
act = {sigaction_handler = {sa_handler = 0x0, sa_sigaction = 0x0},
sa_mask = {val = {0 <repeats 14 times>, 140723921025600, 140723921025888}},
sa_flags = -682427840, sa_restorer = 0x1000}
sigs = {val = {32, 0 <repeats 15 times>}}
cnt = <optimized out>
set = <optimized out>
cnt = <optimized out>
set = <optimized out>
#2 0x00007fa90200f837 in libc_message (action=action@entry=do_abort,
fmt=fmt@entry=0x7fa90213ca7b "%s\n") at ../sysdeps/posix/libc_fatal.c:181
ap = {{gp_offset = 24, fp_offset = 32681, overflow_arg_area =
0x7ffcd752fb70, reg_save_area = 0x7ffcd752fb00}}
fd = <optimized out>
list = <optimized out>
nlist = <optimized out>
cp = <optimized out>
written = <optimized out>
on_2 = <optimized out>
next = <optimized out>
str = <optimized out>
len = <optimized out>
newp = <optimized out>
iov = <optimized out>
total = <optimized out>
cnt = <optimized out>
buf = <optimized out>
wp = <optimized out>
old = <optimized out>
cnt = <optimized out>
result = <optimized out>
#3 0x00007fa9020168ba in malloc_printerr (str=str@entry=0x7fa90213e6e8
"free(): double free detected in tcache 2") at malloc.c:5342
No locals.
#4 0x00007fa90201e0ed in _int_free (have_lock=0, p=0x7fa8f4001f50,
av=0x7fa8f4000020) at malloc.c:4195
tmp = <optimized out>
tmp = <optimized out>
e = <optimized out>
e = <optimized out>
tc_idx = <optimized out>
tc_idx = <optimized out>
fb = <optimized out>
nextsize = <optimized out>
nextinuse = <optimized out>
prevsize = <optimized out>
fwd = <optimized out>
size = <optimized out>
nextchunk = <optimized out>
bck = <optimized out>
size = <optimized out>
fb = <optimized out>
nextchunk = <optimized out>
nextsize = <optimized out>
nextinuse = <optimized out>
prevsize = <optimized out>
bck = <optimized out>
fwd = <optimized out>
tc_idx = <optimized out>
e = <optimized out>
tmp = <optimized out>
idx = <optimized out>
old = <optimized out>
old2 = <optimized out>
fail = <optimized out>
ignore1 = <optimized out>
ignore2 = <optimized out>
ignore3 = <optimized out>
ignore = <optimized out>
atg1_result = <optimized out>
ret = <optimized out>
ret = <optimized out>
ret = <optimized out>
ret = <optimized out>
ignore1 = <optimized out>
ignore2 = <optimized out>
ignore3 = <optimized out>
heap = <optimized out>
ignore = <optimized out>
#5 GI_libc_free (mem=0x7fa8f4001f60) at malloc.c:3134
ar_ptr = 0x7fa8f4000020
p = 0x7fa8f4001f50
hook = <optimized out>
mem = 0x7fa8f4001f60
ar_ptr = <optimized out>
p = <optimized out>
hook = <optimized out>
x = <optimized out>
ar_ptr = <optimized out>
p = <optimized out>
hook = <optimized out>
x = <optimized out>
#6 0x00007fa9025fc2fa in mds_free_direct_buff (buff=<optimized out>) at
src/mds/mds_papi.c:336
No locals.
#7 0x000055bdc36727d0 in tet_mds_cb_direct_rcv
(mds_to_svc_info=0x7ffcd752fc20) at src/mds/apitest/mdstipc_conf.c:2196
No locals.
#8 0x00007fa9025f1671 in mds_mailbox_proc (msgelem=0x7fa8f4002510,
svc_cb=svc_cb@entry=0x55bdc555e060) at src/mds/mds_c_sndrcv.c:6991
status = 1
cbinfo = {i_yr_svc_hdl = 0, i_yr_svc_id = 512, i_op =
MDS_CALLBACK_DIRECT_RECEIVE, info = {cpy = {i_msg = 0x7fa8f4001f60, i_last =
15, i_to_svc_id = 0, o_cpy = 0x0, i_rem_svc_pvt_ver = 200 '\310', o_msg_fmt_ver
= 0}, enc = {i_msg = 0x7fa8f4001f60, i_to_svc_id = 15, io_uba = 0x0,
i_rem_svc_pvt_ver = 200 '\310', o_msg_fmt_ver = 0}, dec = {io_uba =
0x7fa8f4001f60, i_fr_svc_id = 15, i_is_resp = false, o_msg = 0x0, i_node_id =
200, i_msg_fmt_ver = 0, i_node_name =
"\000\000\000\001\000\000\000\000\000\000\266\002\000\000\017\001\002\000\266\002\000\000\017\001\002\000\000\002\000\000\001\000\000\000\017\001\002",
'\000' <repeats 217 times>}, enc_flat = {i_msg = 0x7fa8f4001f60, i_to_svc_id =
15, io_uba = 0x0, i_rem_svc_pvt_ver = 200 '\310', o_msg_fmt_ver = 0}, dec_flat
= {io_uba = 0x7fa8f4001f60, i_fr_svc_id = 15, i_is_resp = false, o_msg = 0x0,
i_node_id = 200, i_msg_fmt_ver = 0, i_node_name =
"\000\000\000\001\000\000\000\000\000\000\266\002\000\000\017\001\002\000\266\002\000\000\017\001\002\000\000\002\000\000\001\000\000\000\017\001\002",
'\000' <repeats 217 times>}, receive = {i_msg = 0x7fa8f4001f60, i_rsp_reqd =
15, i_msg_ctxt = {length = 0 '\000', data = '\000' <repeats 11 times>},
i_fr_dest = 200, i_fr_svc_id = 256, i_fr_anc = 564113889559222, i_to_dest =
564113889559222, i_to_svc_id = 512, i_priority = MDS_SEND_PRIORITY_LOW,
i_node_id = 131343, i_node_name = '\000' <repeats 254 times>, sender_pwe_hdl =
0, i_msg_fmt_ver = 1, pid = 0, uid = 0, gid = 0}, direct_receive =
{i_direct_buff = 0x7fa8f4001f60 "\200\362UŽU", i_direct_buff_len = 15,
i_rsp_reqd = false, i_msg_ctxt = {length = 0 '\000', data = '\000' <repeats 11
times>}, i_fr_dest = 200, i_fr_svc_id = 256, i_fr_anc = 564113889559222,
i_to_dest = 564113889559222, i_to_svc_id = 512, i_priority =
MDS_SEND_PRIORITY_LOW, i_node_id = 131343, i_node_name = '\000' <repeats 254
times>, sender_pwe_hdl = 0, i_msg_fmt_ver = 1}, svc_evt = {i_change =
4093648736, i_dest = 15, i_anc = 0, i_role = 200, i_node_id = 0, i_pwe_id =
256, i_svc_id = 0, i_your_id = 694, svc_pwe_hdl = 131343, i_rem_svc_pvt_ver =
182 '\266', i_dest_details =
"\002\000\000\017\001\002\000\000\002\000\000\001\000\000\000\017\001\002",
'\000' <repeats 261 times>...}, sys_evt = {i_change = 4093648736, i_node_id =
32680, i_evt_mask = 15}, quiesced_ack = {i_dummy = 4093648736}, node_evt =
{node_chg = (unknown: 4093648736), node_id = 32680, addr_family = 15, length =
0, ip_addr_len = 0, ip_addr =
"\000\000\000\000\000\000\000\000\000\000\310\000\000\000\000\000\000\000\000\001\000\000\000\000\000\000\266\002\000\000\017\001\002\000\266\002\000\000\017\001\002\000\000\002\000",
i_node_name_len = 1, i_node_name = "\000\000\017\001\002", '\000' <repeats 249
times>}, msg_loss_evt = {i_dest = 140363624882016, i_pwe_id = 15, i_svc_id = 0,
i_vdest_id = 0}}}
svc_id = 512
svc_hdl = 562945658454528**
## localcbptr = 0x55bdc3672d20 <tetmdssvccallback>
###9 0x00007fa9025f1adb in mdsretrieve (info=info@entry=0x7ffcd752fe70) at
src/mds/mdscsndrcv.c:6732
## svcid = 512
## localmbx = 4290772993
## msgelem = <optimized out>
## hdl = 0x55bdc555e060
## svccb = 0x55bdc555e060
###10 0x00007fa9025fc0a8 in ncsmdsapi
(svctomdsinfo=svctomdsinfo@entry=0x7ffcd752fe70) at src/mds/mdspapi.c:169
## status = <optimized out>
###11 0x000055bdc3671ed5 in mdsserviceretrieve (mdshdl=<optimized out>,
svcid=svcid@entry=512, dispatchFlags=dispatchFlags@entry=SADISPATCHALL) at
src/mds/apitest/mdstipcconf.c:1765
## svctomdsinfo = {imdshdl = 131071, isvcid = 512, iop = MDSRETRIEVE,
info = {svcinstall = {iyrsvchdl = 94270237179906, iinstallscope = 33621800,
isvccb = 0x55bdc555ce90, odest = 140363859832577, oanc = 100, imdsqownership =
96, oselobj = {raiseobj = 32681, rmvobj = 37151392}, imdssvcpvtver = 169
'\251', ifailnoactivesends = 127, imsglossindication = false}, svcuninstall =
{imsgfreecb = 0x55bd00000002}, svcsubscribe = {iscope = NCSMDSSCOPEINTRANODE,
inumsvcs = 189 '\275', isvcids = 0x7fa902010728 <IOnewfilesync+184>},
redsubscribe = {iscope = NCSMDSSCOPEINTRANODE, inumsvcs = 189 '\275', isvcids =
0x7fa902010728 <IOnewfilesync+184>}, svccancel = {inumsvcs = 2 '\002', isvcids
= 0x7fa902010728 <IOnewfilesync+184>}, svcsyssubscribe = {ievtmap = 2}, svcsend
= {imsg = 0x55bd00000002, itosvc = 33621800, ipriority = 32681, isendtype =
3310734992, info = {snd = {itodest = 140363859832577}, sndrsp = {itodest =
140363859832577, itimetowait = 100, orsp = 0x7fa902372760 <IO21stdout>, buff =
0x7fa90236e2a0 <IOfilejumps> "", len = 26368, omsgfmtver = 20151}, sndrack =
{isenderdest = 140363859832577, itimetowait = 100, imsgctxt = {length = 96 '`',
data = "'7\002\251\177\000\000\240\342\066\002\251"}}, sndack = {itodest =
140363859832577, itimetowait = 100}, rsp = {isenderdest = 140363859832577,
imsgctxt = {length = 100 'd', data =
"\000\000\000\000\000\000\000`'7\002\251"}}, red = {itovdest = 140363859832577,
itoanc = 100}, redrsp = {itovdest = 140363859832577, itoanc = 100, itimetowait
= 140363863369568, orsp = 0x7fa90236e2a0 <IOfilejumps>, buff =
0xe53e2484eb76700 <error: Cannot access memory at address 0xe53e2484eb76700>,
len = 6096, omsgfmtver = 50108}, redrack = {itovdest = 140363859832577, itoanc
= 100, itimetowait = 140363863369568, imsgctxt = {length = 160 '\240', data =
"\342\066\002\251\177\000\000\000g\267NH"}}, redack = {itovdest =
140363859832577, itoanc = 100, itimetowait = 140363863369568}, rrsp = {itodest
= 140363859832577, itoanc = 100, imsgctxt = {length = 96 '`', data =
"'7\002\251\177\000\000\240\342\066\002\251"}}, bcast = {ibcastscope =
33632001}, rbcast = {ibcastscope = 33632001}}}, svcdirectsend = {idirectbuff =
0x55bd00000002 <error: Cannot access memory at address 0x55bd00000002>,
idirectbufflen = 1832, itosvc = 32681, ipriority = 3310734992, isendtype =
21949, imsgfmtver = 12033, info = {snd = {itodest = 100}, sndrsp = {itodest =
100, itimetowait = 140363863369568, orsp = 0x7fa90236e2a0 <IOfilejumps>, buff =
0xe53e2484eb76700 <error: Cannot access memory at address 0xe53e2484eb76700>,
len = 6096, omsgfmtver = 50108}, sndrack = {isenderdest = 100, itimetowait =
140363863369568, imsgctxt = {length = 160 '\240', data =
"\342\066\002\251\177\000\000\000g\267NH"}}, sndack = {itodest = 100,
itimetowait = 140363863369568}, rsp = {isenderdest = 100, imsgctxt = {length =
96 '`', data = "'7\002\251\177\000\000\240\342\066\002\251"}}, red = {itovdest
= 100, itoanc = 140363863369568}, redrsp = {itovdest = 100, itoanc =
140363863369568, itimetowait = 140363863351968, orsp = 0xe53e2484eb76700, buff
= 0x55bdc3bc17d0 <gltetvdest+272> "d", len = 26368, omsgfmtver = 20151},
redrack = {itovdest = 100, itoanc = 140363863369568, itimetowait =
140363863351968, imsgctxt = {length = 0 '\000', data =
"g\267NH\342S\016\320\027\274ý"}}, redack = {itovdest = 100, itoanc =
140363863369568, itimetowait = 140363863351968}, rrsp = {itodest = 100, itoanc
= 140363863369568, imsgctxt = {length = 160 '\240', data =
"\342\066\002\251\177\000\000\000g\267NH"}}, bcast = {ibcastscope = 100},
rbcast = {ibcastscope = 100}}}, retrievemsg = {idispatchFlags = SADISPATCHALL},
chgrole = {newrole = VDESTRLSTANDBY}, querydest = {idest = 94270237179906,
isvcid = 33621800, iqueryforrole = 169, info = {queryforanc = {ivdestrl =
3310734992, oanc = 140363859832577}, queryforrole = {ianc = 94273547914896,
ovdestrl = 33632001}}, olocal = 100, onodeid = 0, oadest = 140363863369568},
querypwe = {opweid = 2, oabsolute = false, info = {absinfo = {oadest =
140363859822376}, virtinfo = {ovdest = 140363859822376, oanc = 94273547914896,
orole = 33632001}}}, subscribenode = {idummy = 2}, unsubscribenode = {idummy =
2}}}
###12 0x000055bdc365b4ad in tetcleanupsetup () at
src/mds/apitest/mdstipcapi.c:3339
## i = 512
## id = <optimized out>
## FAIL = 0
###13 0x000055bdc366a8a1 in tetdirectbroadcasttosvctp6 () at
src/mds/apitest/mdstipcapi.c:12780
## FAIL = 0
## svcids = {512}
###14 0x000055bdc3672ef9 in runtestcase (suite=<optimized out>,
tcase=<optimized out>) at src/osaf/apitest/utest.c:178
## No locals.
###15 0x000055bdc367333e in testrun (suite=18, tcase=6) at
src/osaf/apitest/utest.c:226
## i = <optimized out>
## j = <optimized out>
###16 0x000055bdc3650859 in main (argc=3, argv=0x7ffcd75300c8) at
src/mds/apitest/mdstest.c:92
## suite = <optimized out>
## tcase = <optimized out>
## rc = <optimized out>***
---
Sent from sourceforge.net because [email protected] is
subscribed to https://sourceforge.net/p/opensaf/tickets/
To unsubscribe from further messages, a project admin can change settings at
https://sourceforge.net/p/opensaf/admin/tickets/options. Or, if this is a
mailing list, you can unsubscribe from the mailing list._______________________________________________
Opensaf-tickets mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/opensaf-tickets
