Segfault while writing into a realloc'd area

I have a very nasty problem. My application has run flawlessly on several machines for a month. However, there is one machine on which my application crashes almost every day due to a segfault. It always crashes at the same instruction address:

segfault at 7fec33ef36a8 ip 000000000041c16d sp 00007fec50a55c80 error 6 in myapp[400000+f8000] 

This address indicates a memcpy call.

Below is excerpt #1 from my application:

    ....
    uint32_t size = messageSize - sizeof(uint64_t) + 1;
    stack->trcData = (char*)Realloc(stack->trcData, (stack->trcSize + size + sizeof(uint32_t)));
    char* buffer = stack->trcData + stack->trcSize;
    uint32_t n_size = htonl(size);
    memcpy(buffer, &n_size, sizeof(uint32_t)); /* ip 000000000041c16d points here */
    buffer += sizeof(uint32_t);
    ....
    stack->trcSize += size + sizeof(uint32_t);
    ....

where stack is the structure:

    struct Stack{
        char* trcData;
        uint32_t trcSize;
        /* ... some other elements */
    };

and Realloc is a realloc wrapper:

    #include <stdio.h>
    #include <stdlib.h>

    #define Realloc(x,y) _Realloc((x),(y),__LINE__)

    void* _Realloc(void* ptr, size_t size, int line){
        void *tmp = realloc(ptr, size);
        if(tmp == NULL){
            /* %zu is the correct conversion for a size_t argument */
            fprintf(stderr, "R%i: Out of memory: trying to allocate: %zu.\n", line, size);
            exit(EXIT_FAILURE);
        }
        return tmp;
    }

messageSize is of type uint32_t and its value is always greater than 44 bytes. Excerpt #1 runs in a loop. stack->trcData is just a buffer that collects some data until a condition is met. stack->trcData is always initialized to NULL. The application is compiled with gcc with -O3 optimization enabled. When I run it in gdb, of course, it does not crash, as I expected ;)

I have run out of ideas why myapp crashes during a memcpy call. Realloc returns without errors, so I assume that it has allocated enough space and I can write into this area. Valgrind

 valgrind --leak-check=full --track-origins=yes --show-reachable=yes myapp 

shows completely invalid read/write.

Is it possible that on this particular machine the memory itself is damaged, and this often leads to crashes? Or maybe I'm corrupting memory somewhere else in myapp, but if so, why doesn't it crash earlier, when the invalid write is performed?

Thanks in advance for your help.

Assembly part:

    41c164: 00
    41c165: 48 01 d0                add    %rdx,%rax
    41c168: 44 89 ea                mov    %r13d,%edx
    41c16b: 0f ca                   bswap  %edx
    41c16d: 89 10                   mov    %edx,(%rax)
    41c16f: 0f b6 94 24 47 10 00    movzbl 0x1047(%rsp),%edx
    41c176: 00

I'm not sure if this information is important, but all the computers that run my application without problems have Intel processors, while the problematic machine has an AMD processor.

1 answer

This was the cause of my problem. The fact is that at some step stack->trcSize + size exceeds UINT32_MAX. This means that Realloc actually shrank stack->trcData. Then I compute buffer, which is now far beyond the allocation. Therefore, when I write to the buffer, I get a segfault. I checked it, and that really was the reason.

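An added example (not code from the question or the answer) that shows the wrap the answer describes and a checked version of the append step: unchecked_request reproduces the byte count the original expression hands to realloc, and stack_append_checked (a hypothetical name) computes the new total in 64 bits and refuses the append before realloc can be asked for a smaller buffer.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same layout as the Stack from the question (other members omitted). */
struct Stack {
    char *trcData;
    uint32_t trcSize;
};
/* Byte count the original expression passes to realloc: trcSize + size is
 * evaluated in uint32_t and wraps before sizeof(uint32_t) is added. */
size_t unchecked_request(uint32_t trcSize, uint32_t size)
{
    return trcSize + size + sizeof(uint32_t);
}

/* Hypothetical hardened append: the new total is computed in 64 bits and the
 * call fails with the stack untouched when it would not fit in 32-bit trcSize,
 * so realloc is never asked for a smaller buffer. 0 ok, -1 overflow, -2 ENOMEM. */
int stack_append_checked(struct Stack *stack, const void *payload, uint32_t size)
{
    uint64_t needed = (uint64_t)stack->trcSize + size + sizeof(uint32_t);
    if (needed > UINT32_MAX)
        return -1;
    char *grown = realloc(stack->trcData, (size_t)needed);
    if (grown == NULL)
        return -2;
    stack->trcData = grown;
    char *buffer = stack->trcData + stack->trcSize;
    uint32_t n_size = htonl(size);                 /* length prefix, as in the question */
    memcpy(buffer, &n_size, sizeof(uint32_t));
    memcpy(buffer + sizeof(uint32_t), payload, size);
    stack->trcSize = (uint32_t)needed;
    return 0;
}

int main(void)
{
    struct Stack s = { NULL, 0 };
    char payload[40] = { 0 };                       /* constructed sample message body */
    printf("wrapped request: %zu bytes\n", unchecked_request(UINT32_MAX - 10, 20));
    int rc = stack_append_checked(&s, payload, 40);
    printf("normal append: %d, trcSize=%u\n", rc, s.trcSize);
    s.trcSize = UINT32_MAX - 10;                    /* simulate a nearly full trace buffer */
    printf("overflowing append: %d\n", stack_append_checked(&s, payload, 20));
    free(s.trcData);
    return 0;
}
```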

Source: https://habr.com/ru/post/953056/
