oetiker / rrdtool-1.x

RRDtool 1.x - Round Robin Database
http://www.rrdtool.org
GNU General Public License v2.0

Segmentation faults in rrdtool dump command #783

Open rwhitworth opened 7 years ago

rwhitworth commented 7 years ago

Hello, I was using American Fuzzy Lop (afl-fuzz) to fuzz input to the rrdtool dump command. Is fixing the crashes from these input files something you're interested in? The input files can be found here: https://github.com/rwhitworth/rrdtool-1.x-fuzz/tree/master/2017-05-07-rrdtool-dump.

The files can be executed as ./rrdtool dump id_filename to cause seg faults.

Let me know if I can provide any more information to help narrow down this issue.

oetiker commented 7 years ago

please compile rrdtool master to run your tests ... there have been a bunch of fixes for edge cases, so chances are that some of the issues you are finding are already addressed.

rwhitworth commented 7 years ago

Unfortunately these tests (all three github issues) were all run against the master branch git commit of 46b2f25284847658a64b005abd0328f024d3086f.

I have never used Valgrind before, but I'll take a look. Is there a particular set of command line options or configuration that you suggest?

Thanks for being willing to look at these issues with me!

oetiker commented 7 years ago

Hi @rwhitworth ... cool so we have real bugs to fix ... using valgrind is really simple ... basically you do

valgrind ./rrdtool dump ...

the thing will run a little slower but cry wolf as soon as it goes off the rails ... there are some options to customize the behaviour but for starters this should do.

you should compile rrdtool with the -g option to include debugging code ...

rwhitworth commented 7 years ago

I haven't checked all the files, but here is a representative sample of the unique errors.

# valgrind --leak-check=yes ../../rrdtool-1.x/src/.libs/rrdtool dump id\:000001\,sig\:08\,src\:000000\,op\:havoc\,rep\:4
==19386== Memcheck, a memory error detector
==19386== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==19386== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright info
==19386== Command: ../../rrdtool-1.x/src/.libs/rrdtool dump id:000001,sig:08,src:000000,op:havoc,rep:4
==19386==
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE rrd SYSTEM "http://oss.oetiker.ch/rrdtool/rrdtool.dtd">
<!-- Round Robin Database Dump -->
<rrd>
    <version>0003</version>
    <step>1</step> <!-- Seconds -->
    <lastupdate>0</lastupdate> <!-- 1969-12-31 19:00:00 EST -->

    <ds>
        <name> watts </name>
        <type> GAUGE </type>
        <minimal_heartbeat>3</minimal_heartbeat>
        <min>0.0000000000e+00</min>
        <max>2.4000000000e+01</max>

        <!-- PDP Status -->
        <last_ds></last_ds>
        <value>-1.0565890623e+270</value>
        <unknown_sec> 0 </unknown_sec>
    </ds>

    <!-- Round Robin Archives -->
    <rra>
        <cf></cf>
        <pdp_per_row>0</pdp_per_row> <!-- 0 seconds -->

        <params>
        <xff>0.0000000000e+00</xff>
        </params>
        <cdp_prep>
            <ds>
            <primary_value>0.0000000000e+00</primary_value>
            <secondary_value>0.0000000000e+00</secondary_value>
            <value>-1.0565890623e+270</value>
            <unknown_datapoints>127</unknown_datapoints>
            </ds>
        </cdp_prep>
        <database>
==19386==
==19386== Process terminating with default action of signal 8 (SIGFPE)
==19386==  Integer divide by zero at address 0x803F6AA1E
==19386==    at 0x4E422AF: rrd_dump_cb_r (rrd_dump.c:411)
==19386==    by 0x4E429FB: rrd_dump_opt_r (rrd_dump.c:482)
==19386==    by 0x4E43331: rrd_dump (rrd_dump.c:590)
==19386==    by 0x404C88: HandleInputLine (rrd_tool.c:682)
==19386==    by 0x402DE0: main (rrd_tool.c:551)
==19386==
==19386== HEAP SUMMARY:
==19386==     in use at exit: 16,800 bytes in 9 blocks
==19386==   total heap usage: 45 allocs, 36 frees, 23,375 bytes allocated
==19386==
==19386== LEAK SUMMARY:
==19386==    definitely lost: 0 bytes in 0 blocks
==19386==    indirectly lost: 0 bytes in 0 blocks
==19386==      possibly lost: 0 bytes in 0 blocks
==19386==    still reachable: 16,800 bytes in 9 blocks
==19386==         suppressed: 0 bytes in 0 blocks
==19386== Reachable blocks (those to which a pointer was found) are not shown.
==19386== To see them, rerun with: --leak-check=full --show-leak-kinds=all
==19386==
==19386== For counts of detected and suppressed errors, rerun with: -v
==19386== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
Floating point exception
# valgrind --leak-check=yes ../../rrdtool-1.x/src/.libs/rrdtool dump id\:000001\,sig\:11\,src\:000000\,op\:flip1\,pos\:31
==19387== Memcheck, a memory error detector
==19387== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==19387== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright info
==19387== Command: ../../rrdtool-1.x/src/.libs/rrdtool dump id:000001,sig:11,src:000000,op:flip1,pos:31
==19387==
[SNIP SNIP long output SNIP SNIP]
==19387== Invalid read of size 8
==19387==    at 0x4E4038F: rrd_dump_cb_r (rrd_dump.c:141)
==19387==    by 0x4E429FB: rrd_dump_opt_r (rrd_dump.c:482)
==19387==    by 0x4E43331: rrd_dump (rrd_dump.c:590)
==19387==    by 0x404C88: HandleInputLine (rrd_tool.c:682)
==19387==    by 0x402DE0: main (rrd_tool.c:551)
==19387==  Address 0x4025010 is not stack'd, malloc'd or (recently) free'd
==19387==
==19387==
==19387== Process terminating with default action of signal 11 (SIGSEGV)
==19387==  Access not within mapped region at address 0x4025010
==19387==    at 0x4E4038F: rrd_dump_cb_r (rrd_dump.c:141)
==19387==    by 0x4E429FB: rrd_dump_opt_r (rrd_dump.c:482)
==19387==    by 0x4E43331: rrd_dump (rrd_dump.c:590)
==19387==    by 0x404C88: HandleInputLine (rrd_tool.c:682)
==19387==    by 0x402DE0: main (rrd_tool.c:551)
==19387==  If you believe this happened as a result of a stack
==19387==  overflow in your program's main thread (unlikely but
==19387==  possible), you can try to increase the size of the
==19387==  main thread stack using the --main-stacksize= flag.
==19387==  The main thread stack size used in this run was 8388608.
==19387==
==19387== HEAP SUMMARY:
==19387==     in use at exit: 16,800 bytes in 9 blocks
==19387==   total heap usage: 45 allocs, 36 frees, 23,375 bytes allocated
==19387==
==19387== LEAK SUMMARY:
==19387==    definitely lost: 0 bytes in 0 blocks
==19387==    indirectly lost: 0 bytes in 0 blocks
==19387==      possibly lost: 0 bytes in 0 blocks
==19387==    still reachable: 16,800 bytes in 9 blocks
==19387==         suppressed: 0 bytes in 0 blocks
==19387== Reachable blocks (those to which a pointer was found) are not shown.
==19387== To see them, rerun with: --leak-check=full --show-leak-kinds=all
==19387==
==19387== For counts of detected and suppressed errors, rerun with: -v
==19387== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
Segmentation fault
# valgrind --leak-check=yes ../../rrdtool-1.x/src/.libs/rrdtool dump id\:000002\,sig\:11\,src\:000008\,op\:havoc\,rep\:128
==19394== Memcheck, a memory error detector
==19394== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==19394== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright info
==19394== Command: ../../rrdtool-1.x/src/.libs/rrdtool dump id:000002,sig:11,src:000008,op:havoc,rep:128
==19394==
==19394== Invalid read of size 8
==19394==    at 0x4EA8A89: rrd_open (rrd_open.c:450)
==19394==    by 0x4E3FB07: rrd_dump_cb_r (rrd_dump.c:93)
==19394==    by 0x4E429FB: rrd_dump_opt_r (rrd_dump.c:482)
==19394==    by 0x4E43331: rrd_dump (rrd_dump.c:590)
==19394==    by 0x404C88: HandleInputLine (rrd_tool.c:682)
==19394==    by 0x402DE0: main (rrd_tool.c:551)
==19394==  Address 0x41c1008 is not stack'd, malloc'd or (recently) free'd
==19394==
==19394==
==19394== Process terminating with default action of signal 11 (SIGSEGV)
==19394==  Access not within mapped region at address 0x41C1008
==19394==    at 0x4EA8A89: rrd_open (rrd_open.c:450)
==19394==    by 0x4E3FB07: rrd_dump_cb_r (rrd_dump.c:93)
==19394==    by 0x4E429FB: rrd_dump_opt_r (rrd_dump.c:482)
==19394==    by 0x4E43331: rrd_dump (rrd_dump.c:590)
==19394==    by 0x404C88: HandleInputLine (rrd_tool.c:682)
==19394==    by 0x402DE0: main (rrd_tool.c:551)
==19394==  If you believe this happened as a result of a stack
==19394==  overflow in your program's main thread (unlikely but
==19394==  possible), you can try to increase the size of the
==19394==  main thread stack using the --main-stacksize= flag.
==19394==  The main thread stack size used in this run was 8388608.
==19394==
==19394== HEAP SUMMARY:
==19394==     in use at exit: 12,448 bytes in 8 blocks
==19394==   total heap usage: 36 allocs, 28 frees, 16,085 bytes allocated
==19394==
==19394== LEAK SUMMARY:
==19394==    definitely lost: 0 bytes in 0 blocks
==19394==    indirectly lost: 0 bytes in 0 blocks
==19394==      possibly lost: 0 bytes in 0 blocks
==19394==    still reachable: 12,448 bytes in 8 blocks
==19394==         suppressed: 0 bytes in 0 blocks
==19394== Reachable blocks (those to which a pointer was found) are not shown.
==19394== To see them, rerun with: --leak-check=full --show-leak-kinds=all
==19394==
==19394== For counts of detected and suppressed errors, rerun with: -v
==19394== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
Segmentation fault
# valgrind --leak-check=yes ../../rrdtool-1.x/src/.libs/rrdtool dump id\:000009\,sig\:06\,src\:000182\,op\:havoc\,rep\:2
==19400== Memcheck, a memory error detector
==19400== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==19400== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright info
==19400== Command: ../../rrdtool-1.x/src/.libs/rrdtool dump id:000009,sig:06,src:000182,op:havoc,rep:2
==19400==
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE rrd SYSTEM "http://oss.oetiker.ch/rrdtool/rrdtool.dtd">
<!-- Round Robin Database Dump -->
<rrd>
    <version>0003</version>
    <step>0</step> <!-- Seconds -->
    <lastupdate>4244635647</lastupdate> <!-- 2104-07-04 13:27:27 EDT -->

    <!-- Round Robin Archives -->
</rrd>
==19400== Invalid free() / delete / delete[] / realloc()
==19400==    at 0x4C29E90: free (vg_replace_malloc.c:473)
==19400==    by 0x4EA9D50: free_rrd_ptr_if_not_mmapped (rrd_open.c:884)
==19400==    by 0x4EA9D50: rrd_free (rrd_open.c:900)
==19400==    by 0x4E42730: rrd_dump_cb_r (rrd_dump.c:439)
==19400==    by 0x4E429FB: rrd_dump_opt_r (rrd_dump.c:482)
==19400==    by 0x4E43331: rrd_dump (rrd_dump.c:590)
==19400==    by 0x404C88: HandleInputLine (rrd_tool.c:682)
==19400==    by 0x402DE0: main (rrd_tool.c:551)
==19400==  Address 0x4023088 is not stack'd, malloc'd or (recently) free'd
==19400==
==19400== Invalid free() / delete / delete[] / realloc()
==19400==    at 0x4C29E90: free (vg_replace_malloc.c:473)
==19400==    by 0x4EA9E32: free_rrd_ptr_if_not_mmapped (rrd_open.c:884)
==19400==    by 0x4EA9E32: rrd_free (rrd_open.c:902)
==19400==    by 0x4E42730: rrd_dump_cb_r (rrd_dump.c:439)
==19400==    by 0x4E429FB: rrd_dump_opt_r (rrd_dump.c:482)
==19400==    by 0x4E43331: rrd_dump (rrd_dump.c:590)
==19400==    by 0x404C88: HandleInputLine (rrd_tool.c:682)
==19400==    by 0x402DE0: main (rrd_tool.c:551)
==19400==  Address 0x4023088 is not stack'd, malloc'd or (recently) free'd
==19400==
==19400== Invalid free() / delete / delete[] / realloc()
==19400==    at 0x4C29E90: free (vg_replace_malloc.c:473)
==19400==    by 0x4EA9F14: free_rrd_ptr_if_not_mmapped (rrd_open.c:884)
==19400==    by 0x4EA9F14: rrd_free (rrd_open.c:904)
==19400==    by 0x4E42730: rrd_dump_cb_r (rrd_dump.c:439)
==19400==    by 0x4E429FB: rrd_dump_opt_r (rrd_dump.c:482)
==19400==    by 0x4E43331: rrd_dump (rrd_dump.c:590)
==19400==    by 0x404C88: HandleInputLine (rrd_tool.c:682)
==19400==    by 0x402DE0: main (rrd_tool.c:551)
==19400==  Address 0x4023088 is not stack'd, malloc'd or (recently) free'd
==19400==
==19400==
==19400== HEAP SUMMARY:
==19400==     in use at exit: 16,736 bytes in 7 blocks
==19400==   total heap usage: 46 allocs, 42 frees, 23,391 bytes allocated
==19400==
==19400== LEAK SUMMARY:
==19400==    definitely lost: 0 bytes in 0 blocks
==19400==    indirectly lost: 0 bytes in 0 blocks
==19400==      possibly lost: 0 bytes in 0 blocks
==19400==    still reachable: 16,736 bytes in 7 blocks
==19400==         suppressed: 0 bytes in 0 blocks
==19400== Reachable blocks (those to which a pointer was found) are not shown.
==19400== To see them, rerun with: --leak-check=full --show-leak-kinds=all
==19400==
==19400== For counts of detected and suppressed errors, rerun with: -v
==19400== ERROR SUMMARY: 3 errors from 3 contexts (suppressed: 0 from 0)
# valgrind --leak-check=yes ../../rrdtool-1.x/src/.libs/rrdtool dump id\:000016\,sig\:08\,src\:000215\,op\:havoc\,rep\:4
==19411== Memcheck, a memory error detector
==19411== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==19411== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright info
==19411== Command: ../../rrdtool-1.x/src/.libs/rrdtool dump id:000016,sig:08,src:000215,op:havoc,rep:4
==19411==
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE rrd SYSTEM "http://oss.oetiker.ch/rrdtool/rrdtool.dtd">
<!-- Round Robin Database Dump -->
<rrd>
    <version>0003</version>
    <step>9223372036854775809</step> <!-- Seconds -->
==19411== Conditional jump or move depends on uninitialised value(s)
==19411==    at 0x53C5A63: __strftime_internal (strftime_l.c:961)
==19411==    by 0x53C7275: strftime_l (strftime_l.c:481)
==19411==    by 0x4E3FFF5: rrd_dump_cb_r (rrd_dump.c:127)
==19411==    by 0x4E429FB: rrd_dump_opt_r (rrd_dump.c:482)
==19411==    by 0x4E43331: rrd_dump (rrd_dump.c:590)
==19411==    by 0x404C88: HandleInputLine (rrd_tool.c:682)
==19411==    by 0x402DE0: main (rrd_tool.c:551)
==19411==
==19411== Conditional jump or move depends on uninitialised value(s)
==19411==    at 0x53C5AAD: __strftime_internal (strftime_l.c:995)
==19411==    by 0x53C7275: strftime_l (strftime_l.c:481)
==19411==    by 0x4E3FFF5: rrd_dump_cb_r (rrd_dump.c:127)
==19411==    by 0x4E429FB: rrd_dump_opt_r (rrd_dump.c:482)
==19411==    by 0x4E43331: rrd_dump (rrd_dump.c:590)
==19411==    by 0x404C88: HandleInputLine (rrd_tool.c:682)
==19411==    by 0x402DE0: main (rrd_tool.c:551)
==19411==
==19411== Conditional jump or move depends on uninitialised value(s)
==19411==    at 0x53C5AB1: __strftime_internal (strftime_l.c:999)
==19411==    by 0x53C7275: strftime_l (strftime_l.c:481)
==19411==    by 0x4E3FFF5: rrd_dump_cb_r (rrd_dump.c:127)
==19411==    by 0x4E429FB: rrd_dump_opt_r (rrd_dump.c:482)
==19411==    by 0x4E43331: rrd_dump (rrd_dump.c:590)
==19411==    by 0x404C88: HandleInputLine (rrd_tool.c:682)
==19411==    by 0x402DE0: main (rrd_tool.c:551)
==19411==
==19411== Conditional jump or move depends on uninitialised value(s)
==19411==    at 0x53C5AFD: __strftime_internal (strftime_l.c:1024)
==19411==    by 0x53C7275: strftime_l (strftime_l.c:481)
==19411==    by 0x4E3FFF5: rrd_dump_cb_r (rrd_dump.c:127)
==19411==    by 0x4E429FB: rrd_dump_opt_r (rrd_dump.c:482)
==19411==    by 0x4E43331: rrd_dump (rrd_dump.c:590)
==19411==    by 0x404C88: HandleInputLine (rrd_tool.c:682)
==19411==    by 0x402DE0: main (rrd_tool.c:551)
==19411==
==19411== Conditional jump or move depends on uninitialised value(s)
==19411==    at 0x4ED3BD0: fmtstr (rrd_snprintf.c:984)
==19411==    by 0x4ECD7D2: rrd_vsnprintf (rrd_snprintf.c:873)
==19411==    by 0x4ED46BD: rrd_snprintf (rrd_snprintf.c:1575)
==19411==    by 0x4E40021: rrd_dump_cb_r (rrd_dump.c:131)
==19411==    by 0x4E429FB: rrd_dump_opt_r (rrd_dump.c:482)
==19411==    by 0x4E43331: rrd_dump (rrd_dump.c:590)
==19411==    by 0x404C88: HandleInputLine (rrd_tool.c:682)
==19411==    by 0x402DE0: main (rrd_tool.c:551)
==19411==
==19411== Conditional jump or move depends on uninitialised value(s)
==19411==    at 0x4ED415B: fmtstr (rrd_snprintf.c:997)
==19411==    by 0x4ECD7D2: rrd_vsnprintf (rrd_snprintf.c:873)
==19411==    by 0x4ED46BD: rrd_snprintf (rrd_snprintf.c:1575)
==19411==    by 0x4E40021: rrd_dump_cb_r (rrd_dump.c:131)
==19411==    by 0x4E429FB: rrd_dump_opt_r (rrd_dump.c:482)
==19411==    by 0x4E43331: rrd_dump (rrd_dump.c:590)
==19411==    by 0x404C88: HandleInputLine (rrd_tool.c:682)
==19411==    by 0x402DE0: main (rrd_tool.c:551)
==19411==
==19411== Conditional jump or move depends on uninitialised value(s)
==19411==    at 0x4C2C1B8: strlen (vg_replace_strmem.c:412)
==19411==    by 0x4E40029: rrd_dump_cb_r (rrd_dump.c:131)
==19411==    by 0x4E429FB: rrd_dump_opt_r (rrd_dump.c:482)
==19411==    by 0x4E43331: rrd_dump (rrd_dump.c:590)
==19411==    by 0x404C88: HandleInputLine (rrd_tool.c:682)
==19411==    by 0x402DE0: main (rrd_tool.c:551)
==19411==
==19411== Syscall param write(buf) points to uninitialised byte(s)
==19411==    at 0x53EFC00: __write_nocancel (syscall-template.S:81)
==19411==    by 0x5388422: _IO_file_write@@GLIBC_2.2.5 (fileops.c:1253)
==19411==    by 0x5387AE2: new_do_write (fileops.c:530)
==19411==    by 0x5389254: _IO_do_write@@GLIBC_2.2.5 (fileops.c:503)
==19411==    by 0x5388950: _IO_file_xsputn@@GLIBC_2.2.5 (fileops.c:1324)
==19411==    by 0x537EAAC: fwrite (iofwrite.c:43)
==19411==    by 0x4E4003D: rrd_dump_cb_r (rrd_dump.c:131)
==19411==    by 0x4E429FB: rrd_dump_opt_r (rrd_dump.c:482)
==19411==    by 0x4E43331: rrd_dump (rrd_dump.c:590)
==19411==    by 0x404C88: HandleInputLine (rrd_tool.c:682)
==19411==    by 0x402DE0: main (rrd_tool.c:551)
==19411==  Address 0x402403d is not stack'd, malloc'd or (recently) free'd
==19411==
    <lastupdate>-122356620464403123</lastupdate> <!-- 417642315-67147582-00 10:11:55 LMT -->

    <!-- Round Robin Archives -->
    <rra>
        <cf>MMMMMMMMM</cf>
        <pdp_per_row>0</pdp_per_row> <!-- 0 seconds -->

        <params>
        <xff>0.0000000000e+00</xff>
        </params>
        <cdp_prep>
        </cdp_prep>
        <database>
==19411==
==19411== Process terminating with default action of signal 8 (SIGFPE)
==19411==  Integer divide by zero at address 0x803F56EB6
==19411==    at 0x4E422AF: rrd_dump_cb_r (rrd_dump.c:411)
==19411==    by 0x4E429FB: rrd_dump_opt_r (rrd_dump.c:482)
==19411==    by 0x4E43331: rrd_dump (rrd_dump.c:590)
==19411==    by 0x404C88: HandleInputLine (rrd_tool.c:682)
==19411==    by 0x402DE0: main (rrd_tool.c:551)
==19411==
==19411== HEAP SUMMARY:
==19411==     in use at exit: 16,816 bytes in 10 blocks
==19411==   total heap usage: 46 allocs, 36 frees, 23,391 bytes allocated
==19411==
==19411== LEAK SUMMARY:
==19411==    definitely lost: 0 bytes in 0 blocks
==19411==    indirectly lost: 0 bytes in 0 blocks
==19411==      possibly lost: 0 bytes in 0 blocks
==19411==    still reachable: 16,816 bytes in 10 blocks
==19411==         suppressed: 0 bytes in 0 blocks
==19411== Reachable blocks (those to which a pointer was found) are not shown.
==19411== To see them, rerun with: --leak-check=full --show-leak-kinds=all
==19411==
==19411== For counts of detected and suppressed errors, rerun with: -v
==19411== Use --track-origins=yes to see where uninitialised values come from
==19411== ERROR SUMMARY: 42 errors from 8 contexts (suppressed: 0 from 0)
Floating point exception
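The two steps discussed in this thread (run each afl crash file under valgrind on a `-g` build, then pick out the unique errors by hand) can be made mechanical. The script below is an added example and is not code from rrdtool, afl or valgrind: it runs every crash file, keeps the full valgrind log, and buckets the runs by fatal signal or first memcheck error class plus the first frame inside rrdtool, so `rrd_dump.c:411` SIGFPE, `rrd_open.c:450` invalid reads and `rrd_dump.c:127` uninitialised-value reports each end up as one line with a count and a reproducer. The directory layout (`$CRASH_DIR`, `$LOG_DIR`), the binary path, the `rrd_` frame filter and the two fixture logs are assumptions; the fixtures are constructed from the shape of the logs posted above, trimmed to a few lines, so the signature parser can be exercised without valgrind installed.

```shell
#!/bin/sh
# Added example (not rrdtool, afl or valgrind project code): batch-run AFL crash
# files under valgrind and bucket them by crash signature.
# Hypothetical layout assumed here: afl crash files in $CRASH_DIR, an rrdtool
# built with -g at $RRDTOOL, valgrind logs written to $LOG_DIR.

RRDTOOL="${RRDTOOL:-./src/.libs/rrdtool}"
CRASH_DIR="${CRASH_DIR:-./findings/crashes}"
LOG_DIR="${LOG_DIR:-./vg-logs}"
FRAME_FILTER="${FRAME_FILTER:-rrd_}"   # prefer the first frame inside rrdtool itself

# vg_signature: read one valgrind log on stdin and print a one-line signature
# "<kind> <function> (<file>:<line>)", where <kind> is the fatal signal name
# (e.g. SIGFPE) or the first memcheck error class (e.g. "Invalid read").
# The frame is the first one whose text matches FRAME_FILTER, falling back to
# the top frame when nothing in the trace matches (e.g. a crash inside libc).
# Prints nothing for a log with no finding.
vg_signature() {
    awk -v filter="$FRAME_FILTER" '
        { sub(/^==[0-9]+== ?/, "") }                  # drop the ==PID== prefix
        kind == "" && /Process terminating with default action of signal/ {
            if (match($0, /\(SIG[A-Z0-9]+\)/)) kind = substr($0, RSTART + 1, RLENGTH - 2)
            else kind = "SIG?"
            next
        }
        kind == "" && /^(Invalid (read|write|free)|Conditional jump|Syscall param|Use of uninitialised|Mismatched free)/ {
            kind = $1 " " $2; next                     # e.g. "Invalid read"
        }
        kind != "" && /^ *(at|by) 0x[0-9A-Fa-f]+: / {
            sub(/^ *(at|by) 0x[0-9A-Fa-f]+: /, "")
            if (first == "") first = $0
            if ($0 ~ filter) { print kind " " $0; exit }
            next
        }
        kind != "" && first != "" && /^ *$/ { print kind " " first; exit }
    '
}

# triage_dir: run every crash file, keep its full log, and print one line per
# distinct signature with a count and an example input that reproduces it.
triage_dir() {
    mkdir -p "$LOG_DIR"
    for f in "$CRASH_DIR"/*; do
        [ -f "$f" ] || continue
        log="$LOG_DIR/$(basename "$f").log"
        # --track-origins names the allocation behind "uninitialised value" reports;
        # valgrind's own exit status is ignored, the log is what gets parsed.
        valgrind --track-origins=yes --log-file="$log" "$RRDTOOL" dump "$f" >/dev/null 2>&1 || true
        sig=$(vg_signature < "$log")
        printf '%s\t%s\n' "${sig:-no finding}" "$f"
    done | awk -F'\t' '
        { n[$1]++; if (!($1 in ex)) ex[$1] = $2 }
        END { for (s in n) printf "%4d  %s\t(e.g. %s)\n", n[s], s, ex[s] }
    ' | sort -rn
}

# Constructed fixtures (not real runs): trimmed to the shape of the valgrind
# logs posted in this thread, used to exercise vg_signature without valgrind.
SAMPLE_LOG_SIGFPE='==19386== Memcheck, a memory error detector
==19386== Command: ./rrdtool dump id:000001,sig:08,src:000000,op:havoc,rep:4
==19386==
==19386== Process terminating with default action of signal 8 (SIGFPE)
==19386==  Integer divide by zero at address 0x803F6AA1E
==19386==    at 0x4E422AF: rrd_dump_cb_r (rrd_dump.c:411)
==19386==    by 0x4E429FB: rrd_dump_opt_r (rrd_dump.c:482)
==19386==
==19386== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)'

SAMPLE_LOG_UNINIT='==19411== Conditional jump or move depends on uninitialised value(s)
==19411==    at 0x53C5A63: __strftime_internal (strftime_l.c:961)
==19411==    by 0x53C7275: strftime_l (strftime_l.c:481)
==19411==    by 0x4E3FFF5: rrd_dump_cb_r (rrd_dump.c:127)
==19411==    by 0x4E429FB: rrd_dump_opt_r (rrd_dump.c:482)
==19411==
==19411== Process terminating with default action of signal 8 (SIGFPE)
==19411==    at 0x4E422AF: rrd_dump_cb_r (rrd_dump.c:411)'

# selftest: succeeds when both fixtures produce the expected signatures.
selftest() {
    [ "$(printf '%s\n' "$SAMPLE_LOG_SIGFPE" | vg_signature)" = "SIGFPE rrd_dump_cb_r (rrd_dump.c:411)" ] &&
    [ "$(printf '%s\n' "$SAMPLE_LOG_UNINIT" | vg_signature)" = "Conditional jump rrd_dump_cb_r (rrd_dump.c:127)" ]
}

# Invoke as `sh triage.sh run` to process $CRASH_DIR, or `sh triage.sh selftest`
# to check the parser; with no argument the script only defines the functions.
if [ "${1:-}" = "run" ]; then triage_dir; fi
if [ "${1:-}" = "selftest" ]; then selftest && echo "selftest ok"; fi
```

The signature deliberately keys on the first frame inside rrdtool rather than the top frame, so the `strftime`/`rrd_snprintf` uninitialised-value reports collapse onto `rrd_dump.c:127` and `:131` instead of fragmenting across libc line numbers; set `FRAME_FILTER` to another pattern to bucket by a different library. The full log for every crash file is kept in `$LOG_DIR`, so the "(e.g. ...)" reproducer on each line can be opened directly.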