panic while deleting rows from shared-memory speedtable
bovine opened this issue · comments
While using "search -delete" on a shared-memory table, I'm getting a panic:
PANIC: Trying to free pointer outside mapped memory!
The table was created with:
InFlight create inflight master name "birdseye.inflight" file "/path/whatever.inflight" panic false size 256M
And the code that is doing the deleting is something like this:
set query [list [list in fp $delfp]]
#logger "DEBUG: trimming: $query"
logger "DEBUG: trimming: count = [inflight count]"
set inflightTrimmed [inflight search -compare $query -delete 1]
The logging output and debug dump is as follows. The 2nd line ("memory =") is something I added to shared/shared.c to debug the address being accessed. As you can see, the memory is outside of the shared-memory range, and the "data =" line is the text that is at that address. It appears to be the list the arguments that I passed as "$delfp" in the -compare above.
01/10/2011 15:20:01 DEBUG: trimming: count = 2813
memory = 0x800d8c030, shm->map = 0xa0000000, map_size = 268435456
data = CCA1311-1294466541-airline-0173 ASH1015-1294526758-62-0 CCA134-1294466541-airline-0201 ANA884-1294467664-airline-0264 LOF7757-1294449951-81-0 CCA1507-1294466541-airline-0319 BTA2706-1294355100-schedule-0026 SKW667T-1294511756-189-0 CCA1102-1294466541-airline-0032
PANIC: Trying to free pointer outside mapped memory!
Program received signal SIGABRT, Aborted.
[Switching to Thread 0x800d02180 (LWP 100316)]
0x0000000800a33cfc in kill () from /lib/libc.so.7
(gdb) bt
#0 0x0000000800a33cfc in kill () from /lib/libc.so.7
#1 0x0000000800a32b6b in abort () from /lib/libc.so.7
#2 0x0000000801623344 in shmpanic (s=Variable "s" is not available.
) at shared.c:1221
#3 0x0000000801623bdf in shmfree (shm=0x800ed7430,
memory=0x800d8c030 "CCA1311-1294466541-airline-0173 ASH1015-1294526758-62-0 CCA134-1294466541-airline-0201 ANA884-1294467664-airline-0264 LOF7757-1294449951-81-0 CCA1507-1294466541-airline-0319 BTA2706-1294355100-schedul"...) at shared.c:769
#4 0x0000000801623cd0 in InFlight_deleteKey (ctable=Variable "ctable" is not available.
) at stobj/birdseye/birdseye-1.0.c:7162
#5 0x00000008016242ce in InFlight_delete (ctable=0xa0000048, vRow=0x801515c00, indexCtl=-1) at stobj/birdseye/birdseye-1.0.c:7192
#6 0x0000000801633749 in ctable_SetupAndPerformSearch (interp=0x800d25800, objv=Variable "objv" is not available.
) at ctable_search.c:2397
#7 0x000000080163e699 in InFlightObjCmd (cData=0xa0000048, interp=0x800d25800, objc=6, objv=0x800d37880) at stobj/birdseye/birdseye-1.0.c:18513
#8 0x0000000800661343 in TclEvalObjvInternal () from /usr/local/lib/libtcl85.so
#9 0x00000008006a7637 in TclExecuteByteCode () from /usr/local/lib/libtcl85.so
The autogenerated birdseye-1.0.c line 7162 is something like this:
void InFlight_deleteKey(CTable *ctable, struct InFlight *row, int free_shared)
{
if(!row->hashEntry.key)
return;
#ifdef WITH_SHARED_TABLES
if(ctable->share_type == CTABLE_SHARED_MASTER) {
if(free_shared)
shmfree(ctable->share, (void *)row->hashEntry.key);
} else
#endif
ckfree(row->hashEntry.key);
row->hashEntry.key = NULL;
}
Which was called by:
void InFlight_delete(CTable *ctable, void *vRow, int indexCtl) {
struct InFlight *row = vRow;
// 'final' means 'shared memory will be deleted anyway, just zero out'
int final = indexCtl == CTABLE_INDEX_DESTROY_SHARED;
int is_master = ctable->share_type == CTABLE_SHARED_MASTER;
int is_shared = ctable->share_type != CTABLE_SHARED_NONE;
// If there's an index, AND we're not deleting all indices
if (indexCtl == CTABLE_INDEX_NORMAL) {
ctable_RemoveFromAllIndexes (ctable, (void *)row);
InFlight_deleteKey(ctable, row, TRUE);
ctable_DeleteHashEntry (ctable->keyTablePtr, (ctable_HashEntry *)row);
} else
InFlight_deleteKey(ctable, row, indexCtl != CTABLE_INDEX_DESTROY_SHARED);
indexCtl was CTABLE_INDEX_PRIVATE (-1) during the above panic
fixed by 2011-01-11 commit