[Serdev] 0.9.3: Crash inside qm_detach_free()

Andrei Pelinescu-Onciul andrei at iptel.org
Wed Jun 15 15:24:16 UTC 2005


On Jun 15, 2005 at 19:04, Dmitry Semyonov <dsemyonov at dins.ru> wrote:
> Hello all.
> 
> I recently encountered SER crash due to the fact that frag->nxt_free 
> of 'frag' argument of qm_detach_free() was equal to zero:
> {size = 48, u = {nxt_free = 0x0, is_free = 0}
> 
> This obviously happened due to the following condition inside 
> qm_find_free() function:
> if (f->size>=size){ *h=hash; return f; }

No it's not obvious :-)

It probably is some memory corruption (somebody overwrites the beginning
of the fragment).
> 
> So my question is, shouldn't a check like (f->is_free) be added 
> to the condition? Doesn't the described bug look like corrupted 
> memory? (I use modified SER, so this could be the root of the 
> problem.)

All the fragments in qm_find_free() should be free (it iterates over
the free fragments lists). is_free and nxt_free are part of the same
union (if nxt_free !=0 => is_free !=0 , because the nxt_free member is
set only when the fragment is in a free list).

Try to enable memory debugging: compile with -DDBG_QM_MALLOC, set
memlog=1 in the cfg and watch for huge log files :-)
ser should do some extra sanity checks in this mode and it should catch
lots of memory corruption errors. The information printed in log is very
helpful (you can grep around for fragment addresses and see who and
from where has got the previous/next frag).



Andrei
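An added example, not code from this thread or from SER itself: a stripped-down free-list allocator in C that models the invariant Andrei describes (nxt_free and is_free share a union, so a fragment reached through a free list must have is_free != 0) and adds the kind of sanity checks a -DDBG_QM_MALLOC build performs, so that an overwritten header is reported instead of being dereferenced. The struct layout, the bucket scheme, the prev_free back pointer and the function bodies are all assumptions of the example; only the union and the symptom ({size = 48, u = {nxt_free = 0x0, is_free = 0}}) come from the thread.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified fragment header (assumption, modelled only on the union the
 * thread describes): nxt_free and is_free share storage, so a fragment that
 * sits on a free list has a non-zero nxt_free and therefore a non-zero
 * is_free. The prev_free back pointer is also an assumption of this example. */
struct frag {
    size_t size;
    union {
        struct frag *nxt_free;
        int is_free;
    } u;
    struct frag *prev_free;
};

/* One circular free list per bucket, threaded through a sentinel head, so a
 * listed fragment's nxt_free is never NULL (it is at least the head). */
#define N_BUCKETS 4
static struct frag head[N_BUCKETS];

static void qm_init(void)
{
    for (int i = 0; i < N_BUCKETS; i++) {
        head[i].size = 0;
        head[i].u.nxt_free = &head[i];
        head[i].prev_free = &head[i];
    }
}

/* Bucket choice: one bucket per 16-byte size class, last bucket catches all. */
static unsigned bucket_of(size_t size)
{
    unsigned h = (unsigned)(size / 16);
    return h < N_BUCKETS ? h : N_BUCKETS - 1;
}

static void qm_insert_free(struct frag *f)
{
    struct frag *h = &head[bucket_of(f->size)];
    f->u.nxt_free = h->u.nxt_free;
    f->prev_free = h;
    h->u.nxt_free->prev_free = f;
    h->u.nxt_free = f;
}

/* Detach with debug-style sanity checks: refuse to follow a NULL link or a
 * link the neighbours do not agree on, and report it instead of crashing.
 * Returns 0 on success, -1 when the header looks overwritten. */
static int qm_detach_free(struct frag *f)
{
    if (f->u.nxt_free == NULL || f->prev_free == NULL) {
        fprintf(stderr, "qm_detach_free: frag %p has a NULL link (size=%zu)\n",
                (void *)f, f->size);
        return -1;
    }
    if (f->prev_free->u.nxt_free != f || f->u.nxt_free->prev_free != f) {
        fprintf(stderr, "qm_detach_free: neighbours of frag %p disagree\n", (void *)f);
        return -1;
    }
    f->prev_free->u.nxt_free = f->u.nxt_free;
    f->u.nxt_free->prev_free = f->prev_free;
    f->u.nxt_free = NULL;   /* same bits as is_free, so is_free is now 0 too */
    f->prev_free = NULL;
    return 0;
}

/* First-fit search over the free lists. Every fragment reached through a list
 * must have is_free != 0; if not, the header was overwritten, so stop and
 * report rather than hand it out or follow its NULL nxt_free. */
static struct frag *qm_find_free(size_t size, unsigned *hash)
{
    for (unsigned b = bucket_of(size); b < N_BUCKETS; b++) {
        for (struct frag *f = head[b].u.nxt_free; f != NULL && f != &head[b];
             f = f->u.nxt_free) {
            if (!f->u.is_free) {
                fprintf(stderr, "qm_find_free: frag %p in bucket %u has is_free==0\n",
                        (void *)f, b);
                return NULL;
            }
            if (f->size >= size) { *hash = b; return f; }
        }
    }
    return NULL;
}

/* Constructed scenario: three free fragments, one healthy detach, then the
 * 48-byte fragment's union is zeroed to reproduce the dump from the thread.
 * Returns a bitmask of the checks that behaved as intended; 31 = all five. */
static int run_scenario(void)
{
    static struct frag frags[3];
    unsigned h = 0;
    int result = 0;

    qm_init();
    memset(frags, 0, sizeof frags);
    frags[0].size = 64; frags[1].size = 48; frags[2].size = 32;
    for (int i = 0; i < 3; i++) qm_insert_free(&frags[i]);

    if (qm_find_free(40, &h) == &frags[1] && h == 3) result |= 1;  /* skips 32-byte frag */
    if (qm_detach_free(&frags[2]) == 0 && !frags[2].u.is_free) result |= 2;

    memset(&frags[1].u, 0, sizeof frags[1].u);          /* simulated overwrite */
    if (qm_find_free(40, &h) == NULL) result |= 4;      /* search stops, no crash */
    if (qm_detach_free(&frags[1]) == -1) result |= 8;   /* NULL link rejected */
    if (qm_detach_free(&frags[0]) == -1) result |= 16;  /* neighbour disagrees */
    return result;
}

int main(void)
{
    printf("scenario result: %d (31 means every check held)\n", run_scenario());
    return 0;
}
```

The point of the neighbour check in qm_detach_free is the one Andrei makes: an is_free test in qm_find_free alone would not have helped much, because the corrupted fragment is still linked from its neighbours, so the corruption shows up when any adjacent fragment is detached, not only when the damaged one is touched. That is also why the debug log of previous/next fragment addresses is useful for locating the writer.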
