panic while deleting rows from shared-memory speedtable
bovine opened this issue · comments
While using "search -delete" on a shared-memory table, I'm getting a panic:
PANIC: Trying to free pointer outside mapped memory!
The table was created with:
InFlight create inflight master name "birdseye.inflight" file "/path/whatever.inflight" panic false size 256M
And the code that is doing the deleting is something like this:
set query [list [list in fp $delfp]]
#logger "DEBUG: trimming: $query"
logger "DEBUG: trimming: count = [inflight count]"
set inflightTrimmed [inflight search -compare $query -delete 1]
The logging output and debug dump is as follows. The 2nd line ("memory =") is something I added to shared/shared.c to debug the address being accessed. As you can see, the memory is outside of the shared-memory range, and the "data =" line is the text that is at that address. It appears to be the list the arguments that I passed as "$delfp" in the -compare above.
01/10/2011 15:20:01 DEBUG: trimming: count = 2813 memory = 0x800d8c030, shm->map = 0xa0000000, map_size = 268435456 data = CCA1311-1294466541-airline-0173 ASH1015-1294526758-62-0 CCA134-1294466541-airline-0201 ANA884-1294467664-airline-0264 LOF7757-1294449951-81-0 CCA1507-1294466541-airline-0319 BTA2706-1294355100-schedule-0026 SKW667T-1294511756-189-0 CCA1102-1294466541-airline-0032 PANIC: Trying to free pointer outside mapped memory! Program received signal SIGABRT, Aborted. [Switching to Thread 0x800d02180 (LWP 100316)] 0x0000000800a33cfc in kill () from /lib/libc.so.7 (gdb) bt #0 0x0000000800a33cfc in kill () from /lib/libc.so.7 #1 0x0000000800a32b6b in abort () from /lib/libc.so.7 #2 0x0000000801623344 in shmpanic (s=Variable "s" is not available. ) at shared.c:1221 #3 0x0000000801623bdf in shmfree (shm=0x800ed7430, memory=0x800d8c030 "CCA1311-1294466541-airline-0173 ASH1015-1294526758-62-0 CCA134-1294466541-airline-0201 ANA884-1294467664-airline-0264 LOF7757-1294449951-81-0 CCA1507-1294466541-airline-0319 BTA2706-1294355100-schedul"...) at shared.c:769 #4 0x0000000801623cd0 in InFlight_deleteKey (ctable=Variable "ctable" is not available. ) at stobj/birdseye/birdseye-1.0.c:7162 #5 0x00000008016242ce in InFlight_delete (ctable=0xa0000048, vRow=0x801515c00, indexCtl=-1) at stobj/birdseye/birdseye-1.0.c:7192 #6 0x0000000801633749 in ctable_SetupAndPerformSearch (interp=0x800d25800, objv=Variable "objv" is not available. ) at ctable_search.c:2397 #7 0x000000080163e699 in InFlightObjCmd (cData=0xa0000048, interp=0x800d25800, objc=6, objv=0x800d37880) at stobj/birdseye/birdseye-1.0.c:18513 #8 0x0000000800661343 in TclEvalObjvInternal () from /usr/local/lib/libtcl85.so #9 0x00000008006a7637 in TclExecuteByteCode () from /usr/local/lib/libtcl85.so
The autogenerated birdseye-1.0.c line 7162 is something like this:
void InFlight_deleteKey(CTable *ctable, struct InFlight *row, int free_shared) { if(!row->hashEntry.key) return; #ifdef WITH_SHARED_TABLES if(ctable->share_type == CTABLE_SHARED_MASTER) { if(free_shared) shmfree(ctable->share, (void *)row->hashEntry.key); } else #endif ckfree(row->hashEntry.key); row->hashEntry.key = NULL; }
Which was called by:
void InFlight_delete(CTable *ctable, void *vRow, int indexCtl) { struct InFlight *row = vRow; // 'final' means 'shared memory will be deleted anyway, just zero out' int final = indexCtl == CTABLE_INDEX_DESTROY_SHARED; int is_master = ctable->share_type == CTABLE_SHARED_MASTER; int is_shared = ctable->share_type != CTABLE_SHARED_NONE; // If there's an index, AND we're not deleting all indices if (indexCtl == CTABLE_INDEX_NORMAL) { ctable_RemoveFromAllIndexes (ctable, (void *)row); InFlight_deleteKey(ctable, row, TRUE); ctable_DeleteHashEntry (ctable->keyTablePtr, (ctable_HashEntry *)row); } else InFlight_deleteKey(ctable, row, indexCtl != CTABLE_INDEX_DESTROY_SHARED);
indexCtl was CTABLE_INDEX_PRIVATE (-1) during the above panic
fixed by 2011-01-11 commit