lpereira / lwan

Experimental, scalable, high performance HTTP server
https://lwan.ws
GNU General Public License v2.0

Uninitialized Jump/Free #96

Closed dallbee closed 9 years ago

dallbee commented 9 years ago

Caught something when running the framework through valgrind.

Valgrind's error:

==15072== Conditional jump or move depends on uninitialised value(s)
==15072==    at 0x499AF8: strbuf_free (strbuf.c:130)
==15072==    by 0x4AFDFE: coro_run_deferred (lwan-coro.c:152)
==15072==    by 0x4B260A: coro_free (lwan-coro.c:276)
==15072==    by 0x48B76F: destroy_coro (lwan-thread.c:118)
==15072==    by 0x48B76F: death_queue_kill_waiting (lwan-thread.c:228)
==15072==    by 0x488A60: thread_io_loop (lwan-thread.c:330)
==15072==    by 0x5257373: start_thread (in /usr/lib/libpthread-2.21.so)
==15072==    by 0x654D27C: clone (in /usr/lib/libc-2.21.so)
==15072==  Uninitialised value was created by a stack allocation
==15072==    at 0x4AF3C0: ??? (in /home/dylan/Projects/allbee.org/build/lwan)
==15072== 
==15072== Use of uninitialised value of size 8
==15072==    at 0x548AC5F: free (in /usr/lib/libtcmalloc_minimal.so.4.2.6)
==15072==    by 0x499C15: strbuf_free (strbuf.c:131)
==15072==    by 0x4AFDFE: coro_run_deferred (lwan-coro.c:152)
==15072==    by 0x4B260A: coro_free (lwan-coro.c:276)
==15072==    by 0x48B76F: destroy_coro (lwan-thread.c:118)
==15072==    by 0x48B76F: death_queue_kill_waiting (lwan-thread.c:228)
==15072==    by 0x488A60: thread_io_loop (lwan-thread.c:330)
==15072==    by 0x5257373: start_thread (in /usr/lib/libpthread-2.21.so)
==15072==    by 0x654D27C: clone (in /usr/lib/libc-2.21.so)
==15072==  Uninitialised value was created by a stack allocation
==15072==    at 0x4AF3C0: ??? (in /home/dylan/Projects/allbee.org/build/lwan)
==15072== 
==15072== Conditional jump or move depends on uninitialised value(s)
==15072==    at 0x548AC6D: free (in /usr/lib/libtcmalloc_minimal.so.4.2.6)
==15072==    by 0x499C15: strbuf_free (strbuf.c:131)
==15072==    by 0x4AFDFE: coro_run_deferred (lwan-coro.c:152)
==15072==    by 0x4B260A: coro_free (lwan-coro.c:276)
==15072==    by 0x48B76F: destroy_coro (lwan-thread.c:118)
==15072==    by 0x48B76F: death_queue_kill_waiting (lwan-thread.c:228)
==15072==    by 0x488A60: thread_io_loop (lwan-thread.c:330)
==15072==    by 0x5257373: start_thread (in /usr/lib/libpthread-2.21.so)
==15072==    by 0x654D27C: clone (in /usr/lib/libc-2.21.so)
==15072==  Uninitialised value was created by a stack allocation
==15072==    at 0x4AF3C0: ??? (in /home/dylan/Projects/allbee.org/build/lwan)
==15072== 
==15072== Use of uninitialised value of size 8
==15072==    at 0x548AD87: free (in /usr/lib/libtcmalloc_minimal.so.4.2.6)
==15072==    by 0x499C15: strbuf_free (strbuf.c:131)
==15072==    by 0x4AFDFE: coro_run_deferred (lwan-coro.c:152)
==15072==    by 0x4B260A: coro_free (lwan-coro.c:276)
==15072==    by 0x48B76F: destroy_coro (lwan-thread.c:118)
==15072==    by 0x48B76F: death_queue_kill_waiting (lwan-thread.c:228)
==15072==    by 0x488A60: thread_io_loop (lwan-thread.c:330)
==15072==    by 0x5257373: start_thread (in /usr/lib/libpthread-2.21.so)
==15072==    by 0x654D27C: clone (in /usr/lib/libc-2.21.so)
==15072==  Uninitialised value was created by a stack allocation
==15072==    at 0x4AF3C0: ??? (in /home/dylan/Projects/allbee.org/build/lwan)
==15072== 
==15072== Conditional jump or move depends on uninitialised value(s)
==15072==    at 0x499CE5: strbuf_free (strbuf.c:132)
==15072==    by 0x4AFDFE: coro_run_deferred (lwan-coro.c:152)
==15072==    by 0x4B260A: coro_free (lwan-coro.c:276)
==15072==    by 0x48B76F: destroy_coro (lwan-thread.c:118)
==15072==    by 0x48B76F: death_queue_kill_waiting (lwan-thread.c:228)
==15072==    by 0x488A60: thread_io_loop (lwan-thread.c:330)
==15072==    by 0x5257373: start_thread (in /usr/lib/libpthread-2.21.so)
==15072==    by 0x654D27C: clone (in /usr/lib/libc-2.21.so)
==15072==  Uninitialised value was created by a stack allocation
==15072==    at 0x4AF3C0: ??? (in /home/dylan/Projects/allbee.org/build/lwan)
==15072== 

In strbuf.c:

void
strbuf_free(strbuf_t *s)
{
    if (UNLIKELY(!s))
        return;
    if (!(s->flags & STATIC))                  /* strbuf.c:130 in the trace: reads s->flags */
        free(s->value.buffer);                 /* strbuf.c:131: free() receives s->value.buffer */
    if (s->flags & DYNAMICALLY_ALLOCATED)      /* strbuf.c:132: reads s->flags again */
        free(s);
}

I had trouble properly tracing this due to the inline assembly context switch. Reproducible with a hello world program and two page refreshes. The first page refresh will not produce the error.
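The shape the trace reports is a destructor running on a struct whose `flags` and buffer pointer were never written: the branch on `s->flags` depends on stack garbage, and `free()` is then handed whatever that garbage happened to be. The following is an added example, not Lwan's code and not code from this issue: it uses a hypothetical `strbuf_t` layout, made-up `STATIC`/`DYNAMICALLY_ALLOCATED` bit values, a toy LIFO defer list standing in for `coro_defer()`/`coro_run_deferred()`, and a small allocator shim that counts invalid frees instead of corrupting the heap. The "uninitialised" local is modelled by an explicit `0x5A` fill (constructed, so the program stays deterministic and free of undefined behaviour) rather than by a genuinely uninitialised variable.

```c
#include <stdlib.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical stand-in for Lwan's strbuf_t; the real layout and bit values differ. */
enum { STATIC = 1u << 0, DYNAMICALLY_ALLOCATED = 1u << 1 };

typedef struct {
    unsigned int flags;
    struct { char *buffer; } value;
} strbuf_t;

/* Allocator shim: remembers live allocations so that a free() of an unknown
 * pointer is counted rather than executed (the condition valgrind flagged). */
#define MAX_LIVE 16
static void *live[MAX_LIVE];
static int invalid_frees;

static void *tracked_malloc(size_t n) {
    void *p = malloc(n);
    for (int i = 0; i < MAX_LIVE; i++)
        if (!live[i]) { live[i] = p; return p; }
    free(p);
    return NULL;
}

static void tracked_free(void *p) {
    if (!p) return;                       /* free(NULL) is a no-op, as in libc */
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == p) { live[i] = NULL; free(p); return; }
    invalid_frees++;                      /* never allocated by us: do not touch it */
}

/* Same control flow as the strbuf_free() quoted in the issue, on the shim. */
static void strbuf_free(strbuf_t *s) {
    if (!s)
        return;
    if (!(s->flags & STATIC))
        tracked_free(s->value.buffer);
    if (s->flags & DYNAMICALLY_ALLOCATED)
        tracked_free(s);
}

/* Toy LIFO defer list in place of coro_defer()/coro_run_deferred(). */
typedef void (*defer_fn)(void *);
typedef struct { defer_fn fn; void *data; } defer_t;
typedef struct { defer_t items[4]; int n; } defer_list_t;

static void defer_push(defer_list_t *l, defer_fn fn, void *data) {
    if (l->n < 4) l->items[l->n++] = (defer_t){ fn, data };
}

static void defer_run(defer_list_t *l) {
    while (l->n > 0) { defer_t d = l->items[--l->n]; d.fn(d.data); }
}

static void strbuf_free_defer(void *p) { strbuf_free(p); }

/* Constructed "stack garbage": 0x5A leaves STATIC clear and DYNAMICALLY_ALLOCATED
 * set, so strbuf_free() will try to free both a junk buffer pointer and the
 * stack object itself. */
static void fill_garbage(strbuf_t *s) { memset(s, 0x5A, sizeof *s); }

/* Buggy shape: the destructor is deferred before the object is initialised, and
 * an early return (e.g. a failed parse) skips the initialisation entirely. */
int handler_buggy(int fail_early) {
    defer_list_t defers = { .n = 0 };
    strbuf_t buf;
    fill_garbage(&buf);                   /* models a never-initialised local */
    defer_push(&defers, strbuf_free_defer, &buf);
    invalid_frees = 0;
    if (!fail_early) {
        buf.flags = 0;
        buf.value.buffer = tracked_malloc(64);
    }
    defer_run(&defers);                   /* runs strbuf_free(&buf) */
    return invalid_frees;                 /* 2 on the early-return path */
}

/* Hardened shape: zero-initialise before anything can observe the object.
 * With flags == 0 and buffer == NULL, strbuf_free() is a safe no-op. */
int handler_fixed(int fail_early) {
    defer_list_t defers = { .n = 0 };
    strbuf_t buf = { 0 };
    defer_push(&defers, strbuf_free_defer, &buf);
    invalid_frees = 0;
    if (!fail_early)
        buf.value.buffer = tracked_malloc(64);
    defer_run(&defers);
    return invalid_frees;                 /* 0 on both paths */
}
```

The two handlers differ only in whether the local is zeroed before its destructor can run; the defer mechanism, the destructor and the early-return path are identical. That is the property to check in the real code: any object handed to the coroutine's deferred-cleanup list must be fully initialised at the moment it is registered, on every path that can reach `coro_run_deferred()`. The trace above was produced with origin tracking enabled (the "Uninitialised value was created by a stack allocation" lines only appear under `--track-origins=yes`), which is the option to keep when re-running a Debug build to locate the unnamed allocating frame.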

lpereira commented 9 years ago

Are you running a Release or a Debug version of Lwan? If it's a Release version, that's expected. If it's a Debug version, I'll need more information about your environment, as I can't reproduce it here.