Bug 810100 - occasional segfault while running networkxml2argvtest
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: libvirt
Version: 6.2
Assigned To: Laine Stump
QA Contact: Virtualization Bugs
Reported: 2012-04-05 03:03 EDT by Laine Stump
Modified: 2012-06-20 02:51 EDT
Fixed In Version: libvirt-0.9.10-11.el6
Doc Type: Bug Fix
Doc Text:
(This is a bug in a test program that is only run by libvirt developers. No tech note is needed.)
Last Closed: 2012-06-20 02:51:55 EDT
Type: Bug


Description Laine Stump 2012-04-05 03:03:05 EDT
Running networkxml2argvtest on an i686 build is causing a segfault (encountered while building an i686 rpm).

When run under valgrind, we can see that the function replaceTokens is "doing bad things":

==12693== Invalid write of size 1
==12693==    at 0x4A09D65: memcpy@GLIBC_2.2.5 (mc_replace_strmem.c:796)
==12693==    by 0x416622: replaceTokens (networkxml2argvtest.c:40)
==12693==    by 0x416718: testCompareXMLToArgvFiles (networkxml2argvtest.c:65)
==12693==    by 0x416907: testCompareXMLToArgvHelper (networkxml2argvtest.c:118)
==12693==    by 0x416F39: virtTestRun (testutils.c:141)
==12693==    by 0x4169CC: mymain (networkxml2argvtest.c:150)
==12693==    by 0x418097: virtTestMain (testutils.c:696)
==12693==    by 0x416B4B: main (networkxml2argvtest.c:163)
==12693==  Address 0x4c65aec is 284 bytes inside a block of size 289 free'd
==12693==    at 0x4A075B2: realloc (vg_replace_malloc.c:525)
==12693==    by 0x42C54A: virReallocN (memory.c:161)
==12693==    by 0x4165F5: replaceTokens (networkxml2argvtest.c:37)
==12693==    by 0x416718: testCompareXMLToArgvFiles (networkxml2argvtest.c:65)
==12693==    by 0x416907: testCompareXMLToArgvHelper (networkxml2argvtest.c:118)
==12693==    by 0x416F39: virtTestRun (testutils.c:141)
==12693==    by 0x4169CC: mymain (networkxml2argvtest.c:150)
==12693==    by 0x418097: virtTestMain (testutils.c:696)
==12693==    by 0x416B4B: main (networkxml2argvtest.c:163)

Examination of the code reveals that it is computing pointers into a region of memory, then realloc'ing that region (potentially moving it), then continuing to use the pointers without recomputing them to account for the movement (see token_start and token_end).
Comment 1 Laine Stump 2012-04-05 07:17:54 EDT
Fix committed upstream:

commit bde32b1ada0d0c8d9e3f82bebe19472b620ef54e
Author: Laine Stump <laine@laine.org>
Date:   Thu Apr 5 03:18:33 2012 -0400

    test: fix segfault in networkxml2argvtest
    
    This bug resolves https://bugzilla.redhat.com/show_bug.cgi?id=810100
    
    rpm builds for i686 were failing with a segfault in
    networkxml2argvtest. Running under valgrind showed that a region of
    memory was being referenced after it had been freed (as the result of
    realloc - see the valgrind report in the BZ).
    
    The problem (in replaceTokens() - added in commit 22ec60, meaning this
    bug was in 0.9.10 and 0.9.11) was that the pointers token_start and
    token_end were being computed based on the value of *buf, then *buf
    was being realloc'ed (potentially moving it), then token_start and
    token_end were used without recomputing them to account for movement
    of *buf.
    
    The solution is to change the code so that token_start and token_end
    are offsets into *buf rather than pointers. This way there is only a
    single pointer to the buffer, and nothing needs readjusting after a
    realloc. (You may note that some uses of token_start/token_end didn't
    need to be changed to add in "*buf +" - that's because there ended up
    being a +*buf and -*buf which canceled each other out).
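
The fix described in Comment 1, as an added example that is not part of the original bug report and is not libvirt's code: a token-replacement routine that keeps token positions as offsets from *buf, so a realloc that moves the buffer needs no pointer fix-up. The names replace_tokens and expand_template and the sample strings are hypothetical.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper, not libvirt's replaceTokens(): replace each
 * occurrence of token in the heap string *buf with repl. Positions are
 * offsets from *buf, so a realloc that moves the block cannot leave
 * them dangling. Returns 0 on success, -1 on allocation failure. */
int replace_tokens(char **buf, const char *token, const char *repl)
{
    size_t tok_len = strlen(token), repl_len = strlen(repl);
    size_t len = strlen(*buf), pos = 0;

    if (tok_len == 0)
        return 0;
    for (;;) {
        char *hit = strstr(*buf + pos, token);
        if (!hit)
            return 0;
        size_t start = (size_t)(hit - *buf);  /* offset of the token */
        size_t end = start + tok_len;         /* offset just past it */
        size_t tail = len - end + 1;          /* rest of string + NUL */
        if (repl_len > tok_len) {
            /* May move the block: 'hit' must not be used after this. */
            char *tmp = realloc(*buf, len - tok_len + repl_len + 1);
            if (!tmp)
                return -1;
            *buf = tmp;
        }
        /* Addresses are rebuilt from the current base on every use. */
        memmove(*buf + start + repl_len, *buf + end, tail);
        memcpy(*buf + start, repl, repl_len);
        len = len - tok_len + repl_len;
        pos = start + repl_len;               /* do not rescan repl */
    }
}

/* Constructed demo wrapper: copy tmpl to the heap and expand it.
 * Returns a string the caller frees, or NULL on failure. */
char *expand_template(const char *tmpl, const char *token, const char *repl)
{
    size_t n = strlen(tmpl) + 1;
    char *buf = malloc(n);
    if (!buf)
        return NULL;
    memcpy(buf, tmpl, n);
    if (replace_tokens(&buf, token, repl) < 0) {
        free(buf);
        return NULL;
    }
    return buf;
}
```

Building this with -fsanitize=address or running it under valgrind exercises the growth path; the version with saved pointers is the one that produces the "Invalid write" report quoted in the Description.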
Comment 3 Daniel Veillard 2012-04-09 04:14:46 EDT
ACK, this hit the last 6.3 build and I had to disable that test.

Daniel
Comment 6 Alex Jia 2012-04-12 07:17:15 EDT
I can reproduce the issue on RHEL6 (2.6.32-262.el6.i686) with libvirt-0.9.10-9.el6.src.rpm, and the reproduction rate is 11/90 for me. The error is as follows:

TEST: networkxml2argvtest
      ./bin/sh: line 5:  1933 Segmentation fault      (core dumped) abs_top_builddir=`cd '..'; pwd` abs_top_srcdir=`cd '..'; pwd` abs_builddir=`pwd` abs_srcdir=`cd '.'; pwd` CONFIG_HEADER="`cd '..'; pwd`/config.h" PATH="`cd '..'; pwd`/daemon:`cd '..'; pwd`/tools:`cd '..'; pwd`/tests:$PATH" SHELL="/bin/sh" LIBVIRT_DRIVER_DIR="/root/rpmbuild/BUILD/libvirt-0.9.10/src/.libs" LC_ALL=C ${dir}$tst
FAIL: networkxml2argvtest

And I can't reproduce it with libvirt-0.9.10-11.el6.src.rpm in the same test environment (running networkxml2argvtest 100 times), so the bug has been verified; moving the bug to VERIFIED status.
Comment 7 Laine Stump 2012-05-08 14:11:36 EDT
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
(This is a bug in a test program that is only run by libvirt developers. No tech note is needed.)
Comment 9 errata-xmlrpc 2012-06-20 02:51:55 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2012-0748.html
