[ https://issues.apache.org/jira/browse/ZOOKEEPER-458?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12789773#action_12789773 ]
Steven Cheng commented on ZOOKEEPER-458:
----------------------------------------

Valgrind found some interesting things:

{quote}
==2357== 
==2357== Invalid write of size 4
==2357==    at 0x8080C9C: zookeeper_process (zookeeper.c:1900)
==2357==    by 0x806CAD3: yield(_zhandle*, int) (TestClient.cc:107)
==2357==    by 0x806CF72: watchCtx::waitForConnected(_zhandle*) (TestClient.cc:165)
==2357==    by 0x8070402: Zookeeper_simpleSystem::testConnectIndex1() (TestClient.cc:846)
==2357==    by 0x80727BF: CppUnit::TestCaller<Zookeeper_simpleSystem>::runTest() (TestCaller.h:166)
==2357==    by 0x8091528: CppUnit::TestCaseMethodFunctor::operator()() const (in /home/steven/workspace/zookeeper-trunk-working/build/test/test-cppunit/zktest-st)
==2357==    by 0x809BAAC: CppUnit::DefaultProtector::protect(CppUnit::Functor const&, CppUnit::ProtectorContext const&) (in /home/steven/workspace/zookeeper-trunk-working/build/test/test-cppunit/zktest-st)
==2357==    by 0x809D402: CppUnit::ProtectorChain::ProtectFunctor::operator()() const (in /home/steven/workspace/zookeeper-trunk-working/build/test/test-cppunit/zktest-st)
==2357==    by 0x809D0C1: CppUnit::ProtectorChain::protect(CppUnit::Functor const&, CppUnit::ProtectorContext const&) (in /home/steven/workspace/zookeeper-trunk-working/build/test/test-cppunit/zktest-st)
==2357==    by 0x8098705: CppUnit::TestResult::protect(CppUnit::Functor const&, CppUnit::Test*, std::string const&) (in /home/steven/workspace/zookeeper-trunk-working/build/test/test-cppunit/zktest-st)
==2357==    by 0x809131E: CppUnit::TestCase::run(CppUnit::TestResult*) (in /home/steven/workspace/zookeeper-trunk-working/build/test/test-cppunit/zktest-st)
==2357==    by 0x809DBB2: CppUnit::TestComposite::doRunChildTests(CppUnit::TestResult*) (in /home/steven/workspace/zookeeper-trunk-working/build/test/test-cppunit/zktest-st)
==2357==  Address 0x44db5f4 is 4 bytes inside a block of size 84 free'd
==2357==    at 0x4024836: free (vg_replace_malloc.c:325)
==2357==    by 0x804E04B: __wrap_free (LibCMocks.cc:197)
==2357==    by 0x8087B5C: free_sync_completion (st_adaptor.c:56)
==2357==    by 0x807E1FC: zoo_wexists (zookeeper.c:2909)
==2357==    by 0x807E289: zoo_exists (zookeeper.c:2890)
==2357==    by 0x806FDF6: Zookeeper_simpleSystem::testConnectIndex1() (TestClient.cc:840)
{quote}

There are a number that look like this. In this case it looks like the sync_completion allocated by zoo_wexists is sticking around somewhere after zoo_wexists finishes and free()s it, and gets written to by the zookeeper_process() that gets called by the yield() in waitForConnected().

> connect_index in zookeeper handle might get out of bound.
> ---------------------------------------------------------
>
>                 Key: ZOOKEEPER-458
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-458
>             Project: Zookeeper
>          Issue Type: Bug
>          Components: c client
>            Reporter: Mahadev konar
>            Assignee: Steven Cheng
>             Fix For: 3.3.0
>
>         Attachments: ZOOKEEPER-458.patch, ZOOKEEPER-458.patch, ZOOKEEPER-458.patch, ZOOKEEPER-458.patch, ZOOKEEPER-458.patch, ZOOKEEPER-458.patch, ZOOKEEPER-458.patch
>
>
> connect_index in zookeeper handle might get out of bound. the zookeeper_init method checks for index == count and sets it to zero. If the index becomes greater than count, then it will go out of bounds.

-- 
This message is automatically generated by JIRA.
- You can reply to this email to add a comment to the issue online.
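The valgrind report above describes a classic ownership bug: a synchronous call frees its completion while the client's event loop still holds a pointer to it in a pending list, and a later reply is written through that dangling pointer. The following is an added, constructed C example, not ZooKeeper's code and not from this issue's patches; every name in it (`struct completion`, `struct handle`, `enqueue_completion`, `process_reply`, `release_completion`) is hypothetical. It models the pending-completion list, the event-loop writer, and the unlink-before-free discipline that keeps the writer from ever reaching freed memory; `release_completion()` also reports when a request is abandoned with its reply outstanding, which is the state in which a free without the unlink would produce exactly the trace above.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of a client handle with a list of outstanding synchronous
 * completions. All names are hypothetical; none of this is ZooKeeper's code. */
struct completion {
    int xid;                  /* request id a reply is matched against */
    int rc;                   /* result code stored when the reply arrives */
    int done;                 /* set once a reply has been delivered */
    struct completion *next;  /* link in the handle's pending list */
};

struct handle {
    struct completion *pending;  /* head of the pending-completion list */
};

/* Register a completion so the event loop can deliver its reply. */
static void enqueue_completion(struct handle *zh, struct completion *c)
{
    c->next = zh->pending;
    zh->pending = c;
}

/* Unlink a completion from the pending list; returns 1 if it was linked. */
static int dequeue_completion(struct handle *zh, struct completion *c)
{
    struct completion **pp;
    for (pp = &zh->pending; *pp != NULL; pp = &(*pp)->next) {
        if (*pp == c) {
            *pp = c->next;
            c->next = NULL;
            return 1;
        }
    }
    return 0;
}

/* Event-loop step, the writer in the trace: find the completion for xid,
 * store the result and unlink it. Returns 1 if one was written. A completion
 * the caller had already freed but left linked would be written here. */
static int process_reply(struct handle *zh, int xid, int rc)
{
    struct completion *c;
    for (c = zh->pending; c != NULL; c = c->next) {
        if (c->xid == xid) {
            c->rc = rc;
            c->done = 1;
            dequeue_completion(zh, c);
            return 1;
        }
    }
    return 0;
}

/* Release a completion the caller no longer waits on: unlink first, then free,
 * so the event loop cannot reach the memory afterwards. Returns 1 if it was
 * still linked (request abandoned with its reply outstanding), worth logging. */
static int release_completion(struct handle *zh, struct completion *c)
{
    int was_linked = dequeue_completion(zh, c);
    free(c);
    return was_linked;
}

/* Sync request issued, caller gives up before the reply, reply processed
 * later. Returns how many completions the late reply wrote (0 is correct). */
int scenario_abandon_then_reply(void)
{
    struct handle zh = { NULL };
    struct completion *c = calloc(1, sizeof *c);
    if (c == NULL)
        return -1;
    c->xid = 7;
    enqueue_completion(&zh, c);
    release_completion(&zh, c);       /* caller stops waiting and frees */
    return process_reply(&zh, 7, 0);  /* nothing left to write into */
}

/* Reply arrives while the caller still waits. Returns the rc the caller
 * observed (42, the constructed reply's code). */
int scenario_normal_delivery(void)
{
    struct handle zh = { NULL };
    struct completion *c = calloc(1, sizeof *c);
    int rc;
    if (c == NULL)
        return -1;
    c->xid = 3;
    enqueue_completion(&zh, c);
    process_reply(&zh, 3, 42);        /* delivered and unlinked */
    rc = c->done ? c->rc : -1;        /* read before releasing */
    release_completion(&zh, c);       /* returns 0: already unlinked */
    return rc;
}

int main(void)
{
    printf("late reply writes after abandon: %d\n", scenario_abandon_then_reply());
    printf("normal delivery rc: %d\n", scenario_normal_delivery());
    return 0;
}
```

Run under valgrind, the abandon scenario stays clean because the unlink precedes the free; removing the `dequeue_completion()` call from `release_completion()` is enough to reproduce the "invalid write ... inside a block ... free'd" shape of the report, which makes this a useful regression harness for any client library that hands raw completion pointers to a separate event loop.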