
Re: [Libevent-users] Valgrind, evmap_io_add Invalid write of size 4



On Mon, Jun 16, 2014 at 8:42 AM, Nick Mathewson <nickm@xxxxxxxxxxxxx> wrote:
> On Sun, Jun 15, 2014 at 10:28 AM, Robin <imer@xxxxxxx> wrote:
>>
>  [...]
>
>> I've just tried it with 2.0.21 (or were you talking about 2.1.x?) and it's
>> still happening.
>>>
>>> ==14175== Invalid write of size 4

I assume you're compiling for a 32-bit architecture here.  If not, my
analysis below is wrong.

>>> ==14175==    at 0x5348E76: evmap_io_add (evmap.c:328)
>
> If I'm matching the line number to the version properly, line 328 is:

Whoa, sorry, premature send. :(

If I'm matching the line number to the version properly, line 328 is:
        TAILQ_INSERT_TAIL(&ctx->events, ev, ev_io_next);

Is that what you have?  (In other words, if you match the failing line
number to the code you compiled, is that the line you're seeing?)

The TAILQ_INSERT_TAIL macro is defined as:

#define TAILQ_INSERT_TAIL(head, elm, field) do { \
        (elm)->field.tqe_next = NULL; \
        (elm)->field.tqe_prev = (head)->tqh_last; \
        *(head)->tqh_last = (elm); \
        (head)->tqh_last = &(elm)->field.tqe_next; \
} while (0)

So the only pointers accessed there are fields in ev->ev_io_next,
fields in ctx->events, and (indirectly) whatever the tqh_last pointer
points to.

I think it's unlikely that "ev->ev_io_next" or "ctx->events" would be
freed or invalid, since they're part of the ev and ctx structures
respectively, and those structures are used elsewhere in
evmap_io_add().

What seems more likely to me is that the ctx->events.tqh_last pointer
has become corrupt, and no longer points to a valid event pointer.
The most common way for this to happen would be if one of the events
for this fd has been freed without first removing it from the
event_base with event_del().  It might also happen, I think, if you
use event_assign() or event_set() to change an event's configuration
without first removing it from the event_base with event_del().

hope this helps,
-- 
Nick
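
Added example, not part of the original message and not libevent code: a minimal tail queue performing the same four stores as the TAILQ_INSERT_TAIL macro quoted above, showing that after an insert tqh_last points inside the last element, so freeing that element without unlinking it leaves the next insert writing through a dangling pointer. The names struct ev, struct ev_head, q_init, q_insert_tail, q_remove, tail_points_into and tail_states are constructed for illustration; q_remove stands in for the unlinking the message attributes to event_del().

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed stand-ins for struct event and the per-fd list head. */
struct ev { int fd; struct ev *tqe_next; struct ev **tqe_prev; };
struct ev_head { struct ev *tqh_first; struct ev **tqh_last; };
static void q_init(struct ev_head *h) { h->tqh_first = NULL; h->tqh_last = &h->tqh_first; }

/* The same four stores as TAILQ_INSERT_TAIL in the message. */
static void q_insert_tail(struct ev_head *h, struct ev *e) {
    e->tqe_next = NULL;
    e->tqe_prev = h->tqh_last;
    *h->tqh_last = e;            /* pointer-sized store through tqh_last */
    h->tqh_last = &e->tqe_next;  /* tail now points inside e */
}

/* The unlink step of the BSD TAILQ_REMOVE macro. */
static void q_remove(struct ev_head *h, struct ev *e) {
    if (e->tqe_next != NULL)
        e->tqe_next->tqe_prev = e->tqe_prev;
    else
        h->tqh_last = e->tqe_prev;   /* e was last: move the tail back */
    *e->tqe_prev = e->tqe_next;
}

/* True when tqh_last points inside e: freeing e now would leave it dangling. */
static bool tail_points_into(const struct ev_head *h, const struct ev *e) {
    uintptr_t p = (uintptr_t)h->tqh_last, lo = (uintptr_t)e;
    return p >= lo && p < lo + sizeof *e;
}

/* Bit 0: tail inside b after insert. Bit 1: still inside b after unlink.
 * Bit 2: tail inside a after unlink. Returns -1 on allocation failure. */
int tail_states(void) {
    struct ev_head h;
    struct ev *a = calloc(1, sizeof *a), *b = calloc(1, sizeof *b);
    if (a == NULL || b == NULL) { free(a); free(b); return -1; }
    q_init(&h);
    q_insert_tail(&h, a);
    q_insert_tail(&h, b);
    int r = tail_points_into(&h, b) ? 1 : 0;  /* free(b) here would dangle */
    q_remove(&h, b);                          /* unlink before freeing */
    r |= tail_points_into(&h, b) ? 2 : 0;
    r |= tail_points_into(&h, a) ? 4 : 0;
    free(b);                                  /* safe: nothing points into b */
    q_remove(&h, a);
    free(a);
    return r;
}
int main(void) { return tail_states() == 5 ? 0 : 1; }
```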