3.0.x HEAD crashing

Arran Cudbard-Bell a.cudbardb at freeradius.org
Wed Jun 18 19:03:19 CEST 2014


On 18 Jun 2014, at 16:45, Phil Mayers <p.mayers at IMPERIAL.AC.UK> wrote:

> So run under valgrind, I'm reliably seeing use-after-free errors like this:
> 
> Invalid read of size 4
>   at 0x36AD402D84: talloc_get_name (talloc.c:349)
>   by 0x36AD4057EA: _talloc_get_type_abort (talloc.c:1206)
>   by 0x4E470EC: fr_verify_vp (debug.c:829)

Git pull.

Set envvar TALLOC_FREE_FILL=B

Talloc should now abort a little more gracefully.

If it doesn't then lib/debug.c:828

if (*((uint8_t const *)vp) == 0x42) fr_debug_break();

If you run it under gdb, it should break when it sees a VALUE_PAIR which
has already been freed unless that memory has already been overwritten.

You could also try:

if (*(((uint8_t const *)vp) - 1) == 0x42) fr_debug_break();

Which is less likely to be overwritten as it should be talloc header memory.

Then see debug.c:
fr_backtrace_attach()

add a call to that in pairalloc

Follow the instructions in the doxygen header, you should be able to a
basic backtrace for how the memory was originally allocated.

-Arran

Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS Development Team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 881 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://lists.freeradius.org/pipermail/freeradius-devel/attachments/20140618/c88f86c9/attachment-0001.pgp>


More information about the Freeradius-Devel mailing list