memory corruption



I don't understand how I am causing memory corruption.
My application is just a copy of the echo example with
a few changes to use a different IOR file and a call to
a function generated by my IDL in the client_run
function.

The function I am calling takes a pointer to struct as
an argument and returns a pointer to a struct.  Before
calling my function I allocate the struct using
function calls from the header file produced by the
IDL.  Here is a snippet:

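/* Allocate the input sequence with the IDL-generated allocator. */
CisFiguration_v0_BlockSeq* blocks = CisFiguration_v0_BlockSeq__alloc();

blocks->_maximum = 0;
blocks->_length = 0;

/* Invoke the remote operation through the generated stub. */
CisFiguration_v0_FiguredBlockSeq* block =
    CisFiguration_v0_Figuration_figureBlocks( service, blocks, ev );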

Here is the stack trace again:

#0  0x401ca179 in chunk_alloc () from /lib/libc.so.6
(gdb) where
#0  0x401ca179 in chunk_alloc () from /lib/libc.so.6
#1  0x401cb32b in calloc () from /lib/libc.so.6
#2  0x400e5adf in g_malloc0 (n_bytes=28) at gmem.c:153
#3  0x400353a6 in ORBit_alloc_by_tc (tc=0x4005b8c0) at
allocators.c:362
#4  0x4002f73f in ORBit_small_alloc (tc=0x21) at
orbit-small.c:44
#5  0x4003cf61 in IOP_ObjectKey_demarshal (buf=0x1c)
at iop-profiles.c:1015
#6  0x4003dc27 in IOP_TAG_INTERNET_IOP_demarshal (p=0,
pbuf=0x21, orb=0x8051ca0) at iop-profiles.c:1569
#7  0x4003dd78 in IOP_profile_demarshal (buf=0x50,
orb=0x1c) at iop-profiles.c:1616
#8  0x4003deb2 in ORBit_demarshal_IOR (orb=0x8051ca0,
buf=0x805d2d0, ret_type_id=0x0,
ret_profiles=0xbffff6c8) at iop-profiles.c:1676
#9  0x40032811 in ORBit_handle_location_forward
(buf=0x805d2d0, obj=0x1c) at corba-object.c:350
#10 0x4003016d in orbit_small_demarshal
(obj=0x8052400, cnx=0x504f4947, recv_buffer=0x805d2d0,
ev=0xbffff880, ret=0xbffff844, 
    m_data=0x804a0c0, args=0xbffff840) at
orbit-small.c:532
#11 0x40030371 in ORBit_small_invoke_stub
(obj=0x8052400, m_data=0x804a0c0, ret=0xbffff844,
args=0xbffff840, ctx=0x0, ev=0xbffff880)
    at orbit-small.c:645
#12 0x40030230 in ORBit_small_invoke_stub_n
(object=0x21, methods=0x804a124, index=1347373383,
ret=0x21, args=0x21, ctx=0x21, ev=0x50)
    at orbit-small.c:571
#13 0x40043a72 in ORBit_c_stub_invoke (obj=0x8052400,
methods=0x21, method_index=33, ret=0xbffff844,
args=0xbffff840, ctx=0x0, ev=0xbffff880, 
    class_id=33, method_offset=33, skel_impl=0x804a124
<CisFiguration_v0_Figuration__iinterface+4>) at
poa.c:2492
#14 0x080493c1 in
CisFiguration_v0_Figuration_figureBlocks
(_obj=0x8052400, blocks=0x8052434, ev=0xbffff880) at
cisFiguration-stubs.c:13
#15 0x0804923b in client_run
(figuration_service=0x8052400, ev=0xbffff880) at
testfiguration.c:165
#16 0x08049317 in main (argc=1, argv=0xbffff944) at
testfiguration.c:192
#17 0x4016d0c4 in __libc_start_main () from
/lib/libc.so.6

Here is the output from valgrind:

==25704== Memcheck, a.k.a. Valgrind, a memory error
detector for x86-linux.
==25704== Copyright (C) 2002-2003, and GNU GPL'd, by
Julian Seward.
==25704== Using valgrind-2.0.0, a program supervision
framework for x86-linux.
==25704== Copyright (C) 2000-2003, and GNU GPL'd, by
Julian Seward.
==25704== Estimated CPU clock rate is 2007 MHz
==25704== For more details, rerun with: -v
==25704== 
==25704== valgrind's libpthread.so: KLUDGED call to:
pthread_getschedparam
Reading service reference from file FOSfiguration.IOR

** (process:25704): WARNING **: Ignoring incoming
code_sets component
==25704== Invalid read of size 1
==25704==    at 0x402590AE: giop_recv_buffer_unuse
(giop-recv-buffer.c:471)
==25704==    by 0x4025D333: ORBit_small_invoke_stub
(orbit-small.c:641)
==25704==    by 0x4025D22F: ORBit_small_invoke_stub_n
(orbit-small.c:571)
==25704==    by 0x40270A71: ORBit_c_stub_invoke
(poa.c:2492)
==25704==    Address 0x415CBFC4 is 100 bytes inside a
block of size 104 free'd
==25704==    at 0x40027DAF: free
(vg_replace_malloc.c:231)
==25704==    by 0x40320BF3: g_free (gmem.c:186)
==25704==    by 0x402590CC: giop_recv_buffer_unuse
(giop-recv-buffer.c:510)
==25704==    by 0x4025F86D:
ORBit_handle_location_forward (corba-object.c:361)
==25704== 
==25704== Invalid read of size 4
==25704==    at 0x40259115: giop_recv_buffer_unuse
(giop-recv-buffer.c:472)
==25704==    by 0x4025D333: ORBit_small_invoke_stub
(orbit-small.c:641)
==25704==    by 0x4025D22F: ORBit_small_invoke_stub_n
(orbit-small.c:571)
==25704==    by 0x40270A71: ORBit_c_stub_invoke
(poa.c:2492)
==25704==    Address 0x415CBFA8 is 72 bytes inside a
block of size 104 free'd
==25704==    at 0x40027DAF: free
(vg_replace_malloc.c:231)
==25704==    by 0x40320BF3: g_free (gmem.c:186)
==25704==    by 0x402590CC: giop_recv_buffer_unuse
(giop-recv-buffer.c:510)
==25704==    by 0x4025F86D:
ORBit_handle_location_forward (corba-object.c:361)
==25704== 
==25704== Invalid write of size 4
==25704==    at 0x40259120: giop_recv_buffer_unuse
(giop-recv-buffer.c:473)
==25704==    by 0x4025D333: ORBit_small_invoke_stub
(orbit-small.c:641)
==25704==    by 0x4025D22F: ORBit_small_invoke_stub_n
(orbit-small.c:571)
==25704==    by 0x40270A71: ORBit_c_stub_invoke
(poa.c:2492)
==25704==    Address 0x415CBFA8 is 72 bytes inside a
block of size 104 free'd
==25704==    at 0x40027DAF: free
(vg_replace_malloc.c:231)
==25704==    by 0x40320BF3: g_free (gmem.c:186)
==25704==    by 0x402590CC: giop_recv_buffer_unuse
(giop-recv-buffer.c:510)
==25704==    by 0x4025F86D:
ORBit_handle_location_forward (corba-object.c:361)
==25704== 
==25704== Invalid read of size 4
==25704==    at 0x402590B8: giop_recv_buffer_unuse
(giop-recv-buffer.c:476)
==25704==    by 0x4025D333: ORBit_small_invoke_stub
(orbit-small.c:641)
==25704==    by 0x4025D22F: ORBit_small_invoke_stub_n
(orbit-small.c:571)
==25704==    by 0x40270A71: ORBit_c_stub_invoke
(poa.c:2492)
==25704==    Address 0x415CBFBC is 92 bytes inside a
block of size 104 free'd
==25704==    at 0x40027DAF: free
(vg_replace_malloc.c:231)
==25704==    by 0x40320BF3: g_free (gmem.c:186)
==25704==    by 0x402590CC: giop_recv_buffer_unuse
(giop-recv-buffer.c:510)
==25704==    by 0x4025F86D:
ORBit_handle_location_forward (corba-object.c:361)
==25704== 
==25704== Invalid read of size 1
==25704==    at 0x402590D7: giop_recv_buffer_unuse
(giop-recv-buffer.c:493)
==25704==    by 0x4025D333: ORBit_small_invoke_stub
(orbit-small.c:641)
==25704==    by 0x4025D22F: ORBit_small_invoke_stub_n
(orbit-small.c:571)
==25704==    by 0x40270A71: ORBit_c_stub_invoke
(poa.c:2492)
==25704==    Address 0x415CBF67 is 7 bytes inside a
block of size 104 free'd
==25704==    at 0x40027DAF: free
(vg_replace_malloc.c:231)
==25704==    by 0x40320BF3: g_free (gmem.c:186)
==25704==    by 0x402590CC: giop_recv_buffer_unuse
(giop-recv-buffer.c:510)
==25704==    by 0x4025F86D:
ORBit_handle_location_forward (corba-object.c:361)
==25704== 
==25704== Invalid read of size 4
==25704==    at 0x402588DB:
giop_IOP_ServiceContextList_free
(giop-recv-buffer.c:95)
==25704==    by 0x402590F7: giop_recv_buffer_unuse
(giop-recv-buffer.c:495)
==25704==    by 0x4025D333: ORBit_small_invoke_stub
(orbit-small.c:641)
==25704==    by 0x4025D22F: ORBit_small_invoke_stub_n
(orbit-small.c:571)
==25704==    Address 0x415CBF7C is 28 bytes inside a
block of size 104 free'd
==25704==    at 0x40027DAF: free
(vg_replace_malloc.c:231)
==25704==    by 0x40320BF3: g_free (gmem.c:186)
==25704==    by 0x402590CC: giop_recv_buffer_unuse
(giop-recv-buffer.c:510)
==25704==    by 0x4025F86D:
ORBit_handle_location_forward (corba-object.c:361)
==25704== 
==25704== Invalid free() / delete / delete[]
==25704==    at 0x40027DAF: free
(vg_replace_malloc.c:231)
==25704==    by 0x40320BF3: g_free (gmem.c:186)
==25704==    by 0x402590CC: giop_recv_buffer_unuse
(giop-recv-buffer.c:510)
==25704==    by 0x4025D333: ORBit_small_invoke_stub
(orbit-small.c:641)
==25704==    Address 0x415CBF60 is 0 bytes inside a
block of size 104 free'd
==25704==    at 0x40027DAF: free
(vg_replace_malloc.c:231)
==25704==    by 0x40320BF3: g_free (gmem.c:186)
==25704==    by 0x402590CC: giop_recv_buffer_unuse
(giop-recv-buffer.c:510)
==25704==    by 0x4025F86D:
ORBit_handle_location_forward (corba-object.c:361)
==25704== 
==25704== More than 30000 total errors detected.  I'm
not reporting any more.
==25704== Final error counts will be inaccurate.  Go
fix your program!

--- Jan Kratochvil <lace@jankratochvil.net> wrote:
> ...
> > Here is the stack trace I get every time:
> > 
> > #0  0x401ca179 in chunk_alloc () from
> /lib/libc.so.6
> 
> This is a general memory corruption problem due to
> memory corruption occurring in
> the code executed (probably) before ORBit call. Try
> to minimize any code around
> ORBit use as I expect you are corrupting memory
> there. It may be hard to catch
> such a bug, maybe Valgrind would be really helpful for
> you here.
> 
> 
> 
> Lace
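
Added example, not part of the original message or of ORBit: a small triage script that rejoins the mail-wrapped Memcheck lines and groups the reports by the freed block they refer to (reported address minus the offset into the block), so repeated reports collapse into one block with the function that used it and the function that freed it. The names unwrap and group_by_block are this example's own; the sample is abridged from the output above, with inner stack frames dropped.

```python
import re
from collections import defaultdict
FRAME = re.compile(r"(?:at|by) 0x[0-9A-F]+: (\S+) \(")

# Abridged from the Memcheck output in the post (mail line wrapping kept).
SAMPLE = """\
==25704== Invalid read of size 1
==25704==    at 0x402590AE: giop_recv_buffer_unuse
(giop-recv-buffer.c:471)
==25704==    by 0x4025D333: ORBit_small_invoke_stub
(orbit-small.c:641)
==25704==    Address 0x415CBFC4 is 100 bytes inside a
block of size 104 free'd
==25704==    by 0x4025F86D:
ORBit_handle_location_forward (corba-object.c:361)
==25704==
==25704== Invalid free() / delete / delete[]
==25704==    at 0x40027DAF: free
(vg_replace_malloc.c:231)
==25704==    by 0x4025D333: ORBit_small_invoke_stub
(orbit-small.c:641)
==25704==    Address 0x415CBF60 is 0 bytes inside a
block of size 104 free'd
==25704==    by 0x4025F86D:
ORBit_handle_location_forward (corba-object.c:361)
"""

def unwrap(text):
    # Strip the ==PID== prefix; a line without it continues the previous one.
    out = []
    for line in text.splitlines():
        if m := re.match(r"==\d+== ?(.*)", line):
            out.append(m.group(1).strip())
        elif out:
            out[-1] += " " + line.strip()
    return out

def group_by_block(text):
    # freed-block base address -> error kinds, outermost user, outermost freer
    blocks = defaultdict(lambda: {"kinds": [], "used_in": set(), "freed_in": set()})
    for rec in "\n".join(unwrap(text)).split("\n\n"):
        lines = rec.strip().split("\n")
        hit = [i for i, l in enumerate(lines) if l.startswith("Address")]
        if not hit:
            continue  # banner or summary text, not an error report
        a, off = re.match(r"Address 0x([0-9A-F]+) is (\d+) bytes", lines[hit[0]]).groups()
        b = blocks[int(a, 16) - int(off)]  # base = address - offset into block
        b["kinds"].append(lines[0])
        b["used_in"].add(FRAME.match(lines[hit[0] - 1]).group(1))
        b["freed_in"].add(FRAME.match(lines[-1]).group(1))
    return dict(blocks)
```

Program output interleaved with the Memcheck lines (such as the GLib warning above) has to be filtered out first, since this sketch treats any unprefixed line as a wrapped continuation.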

