3.0.x HEAD crashing
a.cudbardb at freeradius.org
Wed Jun 18 19:03:19 CEST 2014
On 18 Jun 2014, at 16:45, Phil Mayers <p.mayers at IMPERIAL.AC.UK> wrote:
> So run under valgrind, I'm reliably seeing use-after-free errors like this:
> Invalid read of size 4
> at 0x36AD402D84: talloc_get_name (talloc.c:349)
> by 0x36AD4057EA: _talloc_get_type_abort (talloc.c:1206)
> by 0x4E470EC: fr_verify_vp (debug.c:829)
Set envvar TALLOC_FREE_FILL=B
Talloc should now abort a little more gracefully.
If it doesn't then lib/debug.c:828
if (*((uint8_t const *)vp) == 0x42) fr_debug_break();
If you run it under gdb, it should break when it sees a VALUE_PAIR which
has already been freed unless that memory has already been overwritten.
You could also try:
if (*(((uint8_t const *)vp) - 1) == 0x42) fr_debug_break();
Which is less likely to be overwritten as it should be talloc header memory.
Then see debug.c:
add a call to that in pairalloc
Follow the instructions in the doxygen header, you should be able to a
basic backtrace for how the memory was originally allocated.
Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS Development Team
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 881 bytes
Desc: Message signed with OpenPGP using GPGMail
More information about the Freeradius-Devel