liuqian1990 / memcached

Automatically exported from code.google.com/p/memcached

Segfault in memcached (slabs.c) 1.4.15, patch provided. #361

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago

do_slabs_alloc should return NULL due to failure.

System information:

Red Hat Enterprise Linux Server release 6.2 (Santiago)

memcached was compiled from 1.4.15 source.

backtrace:
#0  do_slabs_alloc (size=95, id=1) at slabs.c:241
#1  slabs_alloc (size=95, id=1) at slabs.c:404
#2  0x000000000040ee04 in do_item_alloc (key=0x7f378c140228 "ACCT_61_THROTTLE_10_139637137", nkey=29, flags=<value optimized out>, exptime=423812, nbytes=3, cur_hv=3270978001) at items.c:150
#3  0x000000000040600c in do_add_delta (c=<value optimized out>, key=<value optimized out>, nkey=<value optimized out>, incr=<value optimized out>, delta=1, buf=0x7f378d541b60 "1", cas=0x0, hv=2783358649) at memcached.c:3102
#4  0x0000000000410826 in add_delta (c=0x7f3778039d40, key=0x7f3778039f45 "ACCT_61_THROTTLE_10_139637137", nkey=29, incr=1, delta=<value optimized out>, buf=<value optimized out>, cas=0x0) at thread.c:585
#5  0x00000000004096af in process_arithmetic_command (c=0x7f3778039d40, tokens=<value optimized out>, ntokens=<value optimized out>, incr=true) at memcached.c:3015
#6  0x0000000000409d9c in process_command (c=0x7f3778039d40, command=<value optimized out>) at memcached.c:3266
#7  0x000000000040a5e2 in try_read_command (c=0x7f3778039d40) at memcached.c:3504
#8  0x000000000040b1e8 in drive_machine (fd=<value optimized out>, which=<value optimized out>, arg=0x7f3778039d40) at memcached.c:3824
#9  event_handler (fd=<value optimized out>, which=<value optimized out>, arg=0x7f3778039d40) at memcached.c:4065
#10 0x00007f378f752ddc in event_process_active_single_queue (base=0xb88c50, flags=0) at event.c:1346
#11 event_process_active (base=0xb88c50, flags=0) at event.c:1416
#12 event_base_loop (base=0xb88c50, flags=0) at event.c:1617
#13 0x000000000041010d in worker_libevent (arg=0xb83fa0) at thread.c:384
#14 0x00000033194077f1 in start_thread () from /lib64/libpthread.so.0
#15 0x00000033190e570d in clone () from /lib64/libc.so.6

Proposed Patch ...

Index: slabs.c
===================================================================
--- slabs.c (revision 17157)
+++ slabs.c (revision 17158)
@@ -235,7 +235,7 @@
     if (! (p->sl_curr != 0 || do_slabs_newslab(id) != 0)) {
         /* We don't have more memory available */
         ret = NULL;
-    } else if (p->sl_curr != 0) {
+    } else if (p->sl_curr != 0 && p->slots != 0) {
         /* return off our freelist */
         it = (item *)p->slots;
         p->slots = it->next;
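Review bot: The added `&& p->slots != 0` guard on the `else if` hides an inconsistent slab class instead of fixing it: `sl_curr != 0` says free items exist, so a NULL `p->slots` at that point means the free-list head and its counter have already diverged, and skipping the branch leaves the wrong `sl_curr` in place for the next caller. Prefer an explicit `assert(p->slots != NULL)` (or an error log naming the class id) so the corruption is reported where it is first observed, and chase the caller that unlinked an item without updating the count. Minor: compare the pointer against `NULL` rather than `0`, matching `ret = NULL` two lines above.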

Original issue reported on code.google.com by robert.w...@acm.org on 16 Apr 2014 at 5:31

GoogleCodeExporter commented 9 years ago
Hi,

I can't accept this. Can you reproduce the crash under 1.4.17 or current master?

There was a bug we've fixed in .16 or .17 which would manifest (on a non-debug binary) as p->slots being NULL, but the issue was actually elsewhere. This patch would not fix it properly.

If you can reproduce under .17 or master, please run the -debug binary and get another backtrace. That will likely show us where the corruption is.

Original comment by dorma...@rydia.net on 16 Apr 2014 at 7:03
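The distinction the maintainer draws above, between a guard that merely stops the crash when p->slots is NULL and a check that reports the underlying free-list corruption, in a toy C model. This is an added example, not memcached's own code: the two-field slabclass, the `unlink_without_count` caller that desynchronises the counter, and the status-returning `alloc_checked` are assumptions for illustration only.

```c
#include <stddef.h>
#include <stdio.h>

/* Toy model of one memcached slab class. Assumption: only the two fields the
 * hunk touches (sl_curr, slots) are modelled; the real slabclass_t has more. */
typedef struct item {
    struct item *next;
    struct item *prev;
} item;

typedef struct {
    item *slots;       /* head of the free list */
    unsigned sl_curr;  /* number of items the free list is supposed to hold */
} slabclass;

/* Push an item onto the free list, keeping sl_curr in step with the list. */
static void slab_free(slabclass *p, item *it) {
    it->prev = NULL;
    it->next = p->slots;
    if (it->next) it->next->prev = it;
    p->slots = it;
    p->sl_curr++;
}

/* Invariant: sl_curr must equal the free list's actual length. Returns 1 when
 * consistent, 0 when count and list have diverged (a cyclic list also fails,
 * because n would exceed sl_curr). */
int freelist_consistent(const slabclass *p) {
    unsigned n = 0;
    for (const item *it = p->slots; it != NULL; it = it->next) {
        if (++n > p->sl_curr) return 0;
    }
    return n == p->sl_curr;
}

/* Free-list branch with the reporter's extra guard. Without the guard,
 * `it->next` dereferences NULL on a corrupted class (the reported crash);
 * with it, the class just returns NULL and keeps its wrong sl_curr. */
item *alloc_patched(slabclass *p) {
    item *it = NULL;
    if (p->sl_curr != 0 && p->slots != NULL) {
        it = p->slots;
        p->slots = it->next;
        if (it->next) it->next->prev = NULL;
        p->sl_curr--;
    }
    return it;
}

/* Alternative (assumed design): detect the violation and report it through
 * *status (-1) so the caller can log or abort where the corruption is seen. */
item *alloc_checked(slabclass *p, int *status) {
    *status = 0;
    if (p->sl_curr != 0 && p->slots == NULL) {
        *status = -1;  /* counter says items exist, list says none */
        return NULL;
    }
    return alloc_patched(p);
}

/* Constructed buggy caller: unlinks the head directly and never decrements
 * sl_curr. It produces the sl_curr != 0 / slots == NULL state; it is not a
 * claim about where the real memcached bug was. */
static void unlink_without_count(slabclass *p) {
    if (p->slots) p->slots = p->slots->next;
}

/* Two free items, then two bad unlinks: sl_curr stays 2 while slots is NULL. */
static void build_corrupted(slabclass *p, item pool[2]) {
    p->slots = NULL;
    p->sl_curr = 0;
    slab_free(p, &pool[0]);
    slab_free(p, &pool[1]);
    unlink_without_count(p);
    unlink_without_count(p);
}

/* 1 if the patched branch silently returns NULL from an inconsistent class. */
int patched_hides_corruption(void) {
    item pool[2];
    slabclass p;
    build_corrupted(&p, pool);
    item *it = alloc_patched(&p);
    return it == NULL && p.sl_curr == 2 && !freelist_consistent(&p);
}

/* Status the checked allocator reports for the same state: -1. */
int checked_reports_corruption(void) {
    item pool[2];
    slabclass p;
    int status = 0;
    build_corrupted(&p, pool);
    item *it = alloc_checked(&p, &status);
    return it == NULL ? status : 1;
}

/* 1 if, on a healthy class, alloc_checked hands out the head item (the most
 * recently freed one) with status 0 and the invariant still holds. */
int healthy_alloc_ok(void) {
    item pool[2];
    slabclass p = { NULL, 0 };
    int status = 0;
    slab_free(&p, &pool[0]);
    slab_free(&p, &pool[1]);
    item *it = alloc_checked(&p, &status);
    return it == &pool[1] && status == 0 && p.sl_curr == 1 && freelist_consistent(&p);
}

int main(void) {
    printf("patched hides corruption: %d\n", patched_hides_corruption());
    printf("checked reports status:   %d\n", checked_reports_corruption());
    printf("healthy allocation ok:    %d\n", healthy_alloc_ok());
    return 0;
}
```

The point of the model is the second function pair: with the guard alone, a caller that corrupted the free list keeps running and every later allocation from that class fails quietly, which is why the maintainer asks for a debug-binary backtrace rather than accepting the guard.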

GoogleCodeExporter commented 9 years ago
Yeah, .17:

https://github.com/memcached/memcached/commit/cb9c269bd57bb5417b337228cfbb50f4a8769d09
https://github.com/memcached/memcached/commit/facb719f40ecfcb98271a79561d4b94757b7a843

fixes for do_add_delta (which your path goes through). Been waiting to see if 
someone can reproduce the crash in that codepath with .17.

Original comment by dorma...@rydia.net on 16 Apr 2014 at 7:08

GoogleCodeExporter commented 9 years ago
I'm going to close this. *please* let us know if the bug is reproducible under .17 or newer.

Original comment by dorma...@rydia.net on 20 Apr 2014 at 1:14