gdb and memory caching?

Julien ÉLIE julien at trigofacile.com
Mon Nov 2 21:09:20 UTC 2009 

Hi,

Trying to debug keyword generation code because of a
    *** glibc detected *** free(): invalid next size (fast): 0x083338b8 ***
I had last night when freeing hc->Value, I do not understand the output given
by gdb:

(gdb) step
246         strlcpy(hc->Value + l, ",\377", innconf->keylimit + 1 - l);
(gdb)
strlcpy (dst=0x8312a15 "", src=0x80a2af2 ",ÿ", size=1) at strlcpy.c:31

hc->Value is a pointer to the value of the Keywords: header.
l is the length of that value.
We see that "hc->Value + l" is 0x8312a15, which is '\0'.
That's fine.  We are at the end of the header.

innconf->keylimit = 5
And the header is "12345" at 0x8312a10.


Then, what I do not understand is that gdb mentions that l is 7
whereas it was changed to 5.
Is it a gdb bug?  (Very strange.)
Isn't gdb returning the current value of l?

247         for (chase = hc->Value + l + 2, word_index = 0;
(gdb) print l
$7 = 7
(gdb) print  hc->Value + l + 2
$9 = 0x8312a19 ""
(gdb) print  hc->Value + l
$11 = 0x8312a17 "\b\020"
(gdb) print hc->Value
$12 = 0x8312a10 "12345"
(gdb) print innconf->keylimit + 1 - l
$13 = 4294967295
(gdb) print innconf->keylimit
$14 = 5
(gdb) print strlen(hc->Value)
$17 = 5
(gdb) print hc->Length
$18 = 5

chase has the right value computed with l=5 (and not 7):

(gdb) s
256             *chase++ = ',';
(gdb) print l
$25 = 7
(gdb) print chase
$26 = 0x8312a17 "\b\020"
(gdb) s
257             strlcpy(chase, word[word_vec[word_index].index],
(gdb) print chase
$27 = 0x8312a18 "\020"
(gdb) print hc->Value
$28 = 0x8312a10 "12345"
(gdb) print hc->Value + 5
$29 = 0x8312a15 ""
(gdb) print hc->Value + 6
$30 = 0x8312a16 "\024,\020"



    /* Scribble onto end of Keywords: after a magic separator. */
    strlcpy(hc->Value + l, ",\377", innconf->keylimit + 1 - l);
    for (chase = hc->Value + l + 2, word_index = 0;
        word_index < distinct_words;
        word_index++) {

        /* Add to list. */
        *chase++ = ',';
        strlcpy(chase, word[word_vec[word_index].index],
                innconf->keylimit + 1 - (chase - hc->Value));
        chase += word_vec[word_index].length;

        if (chase - hc->Value > (innconf->keylimit - (MAX_WORD_LENGTH + 4)))
            break;
    }

chase is first set to "hc->Value + l + 2" even though it is beyond
the end of hc->Value; then a "," is added even though it is beyond
the end of hc->Value; and the comparison might be unsigned (size_t)
and therefore be wrong if the second member is negative.

I believe such things could trigger that error off:
    *** glibc detected *** free(): invalid next size (fast): 0x083338b8 ***
though I am not sure.  I do not manage to reproduce the crash; it does
not seem to be deterministic but depends on the contents of the allocated
memory.  I also wonder the difference between "(fast)" and "(normal)"...

-- 
Julien ÉLIE

« A man inserted an 'ad' in the classifieds: "Wife wanted".
  Next day he received a hundred letters.  They all said
  the same thing:  "You can have mine." »

More information about the inn-workers mailing list