[Bug 1518462] Re: assert in malloc.h at realloc
Launchpad Bug Tracker
1518462 at bugs.launchpad.net
Fri Nov 20 22:11:18 UTC 2015
This bug was fixed in the package lxcfs - 0.12-0ubuntu3
---------------
lxcfs (0.12-0ubuntu3) xenial; urgency=medium

  * 0001-work-around-weird-glibc-assert.patch (LP: #1518462)

 -- Serge Hallyn <serge.hallyn at ubuntu.com>  Fri, 20 Nov 2015 15:18:32 -0600

** Changed in: lxcfs (Ubuntu)
       Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to glibc in Ubuntu.
https://bugs.launchpad.net/bugs/1518462
Title:
  assert in malloc.h at realloc

Status in glibc package in Ubuntu:
  New
Status in lxcfs package in Ubuntu:
  Fix Released
Bug description:
Take the 0.12.0ubuntu2 lxcfs source, build it on i386, run it (say
lxcfs /var/lib/lxcfs), then run the tests/test_proc script (cd tests;
sudo ./test_proc). The assertion
    assert ((old_top == initial_top (av) && old_size == 0) ||
            ((unsigned long) (old_size) >= MINSIZE &&
             prev_inuse (old_top) &&
             ((unsigned long) old_end & pagemask) == 0));
is triggered. A rebuild with some printfs shows that:
old_top 3063975608 inittop 3063939136 old_size 24
minsize 16
previnuse yes
old_end 3063975632 pagemask 4095 mask 3792
Just catting the proc/meminfo file triggers:
[New Thread 0xb73ffb40 (LWP 14303)]
*** Error in `/home/ubuntu/orig/lxcfs-0.12/lxcfs': realloc(): invalid next size: 0xb7420978 ***
The lxcfs code which is triggering this is:
    static void append_line(char **contents, char *line, size_t *len)
    {
        size_t newlen = *len + strlen(line);
        if (!*contents) {
            do {
                *contents = malloc(*len + 1);
            } while (!*contents);
        } else {
            char *tmp;
            do {
                tmp = realloc(*contents, newlen + 1);
            } while (!tmp);
            *contents = tmp;
        }
        strcpy(*contents + *len, line);
        *len = newlen;
    }
gdb shows reasonable values for *len, newlen, and *contents and line.
I'm working around it by increasing the size by which we realloc,
which seems to work fine, although it seems like that cannot be the
root cause since a simple reproducer doesn't work to reproduce this.
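
Added example (not lxcfs code and not the 0001-work-around-weird-glibc-assert.patch change): in the append_line() posted above, the first-call branch sizes the buffer from *len, while strcpy() copies strlen(line) + 1 bytes at offset *len. The C sketch below compares those two sizes and shows a bounds-checked variant; the helper names and the sample meminfo lines are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bytes requested by the first-call branch of the posted append_line():
 * malloc(*len + 1). The length of the line is not part of the request. */
static size_t posted_first_alloc(size_t len, const char *line)
{
    (void)line;
    return len + 1;
}

/* Bytes that strcpy(*contents + *len, line) writes up to, NUL included. */
static size_t bytes_needed(size_t len, const char *line)
{
    return len + strlen(line) + 1;
}

/* Hypothetical checked variant: 0 on success, -1 on size overflow or
 * allocation failure, leaving *contents and *len untouched on failure. */
static int append_line_checked(char **contents, const char *line, size_t *len)
{
    size_t add = strlen(line);
    if (add >= SIZE_MAX - *len)          /* newlen + 1 would wrap */
        return -1;
    size_t newlen = *len + add;
    char *tmp = realloc(*contents, newlen + 1); /* NULL input acts as malloc */
    if (!tmp)
        return -1;
    memcpy(tmp + *len, line, add + 1);   /* copy the terminator too */
    *contents = tmp;
    *len = newlen;
    return 0;
}

int main(void)
{
    const char *l1 = "MemTotal: 1024 kB\n";  /* constructed sample lines */
    const char *l2 = "MemFree: 512 kB\n";
    char *buf = NULL;
    size_t len = 0;
    printf("first call: posted branch requests %zu byte(s), copy needs %zu\n",
           posted_first_alloc(len, l1), bytes_needed(len, l1));
    if (append_line_checked(&buf, l1, &len) || append_line_checked(&buf, l2, &len))
        return 1;
    printf("%s(len=%zu)\n", buf, len);
    free(buf);
    return 0;
}
```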