非常奇怪的一个关于malloc crash 问题

hongbupt

我在项目中遇到一个关于malloc的crash. 大家遇到过这样的问题吗？你们是怎么解决的啊？我的是嵌入式linux,我的项目是关于交换机协议栈。 我把gdb bt 粘上来大家看看。谢谢。

#0  0x48126694 in malloc () from /lib/libc.so.0
#1  0x1010fc34 in insertSll (svlan=1056, segment=0x10e583a
    at vsp_seltbl.c:259
#2  0x1011063c in vspUpdateSegmentTbl (port=7, segId=0, sllList=
      {head = 0x11a46370, count = 44}) at vsp_seltbl.c:461
#3  0x1010f9c4 in vspCfgSelTbl (port=7, segId=0, numSvlans=768,
    svlanWt=0x10f46e18 '\001' <repeats 200 times>...,
    activeList=0x10f45918 "Àÿÿ\003ðÿÿ\017" at vsp_seltbl.c:223
#4  0x1010ec94 in vspPortBulkSelTblCfg (port=7, partition=1, priority=0,
    numSvlan=768, svlanWt=0x10f46e18 '\001' <repeats 200 times>...,
    activeList=0x10f45918 "Àÿÿ\003ðÿÿ\017" at vsp_carving.c:316
#5  0x109c535c in hapiFcBulkSelTblUpdate (slot=0, port=7, partition=1,
    priority=0, numSvlan=768,
    svlanWt=0x10f46e18 '\001' <repeats 200 times>...,
    activeList=0x10f45918 "Àÿÿ\003ðÿÿ\017" at efx500.c:78
#6  0x10122d54 in fcBulk () at fc.c:1508
#7  0x1011fb1c in fcSetAdminMode (mode=0) at fc.c:483
#8  0x1011c634 in fcapiSpineSetAdminMode (mode=0) at fc_api.c:51
#9  0x109bb064 in usmDbSwDevCtrlSpineModeSet (mode=0) at usmdb_fc.c:39
#10 0x101c9818 in commandSpineMode (ewsContext=0x11a5de68, argc=3,
    argv=0x11a76dec, index=1) at cli_config.c:21242
#11 0x1016e5a4 in ewsCliData (context=0x11a5de68,
    datap=0x4 <Address 0x4 out of bounds>, bytesp=0xbc3ff748,
---Type <return> to continue, or q <return> to quit---
    menu=<value optimized out> at ews_cli.c:2495
#12 0x10212830 in ewaNetTelnetData (handle=0x11a17328, datap=0x11a2f8cc "\r",
    bytesp=0xbc3ff74 at cli_lvl7.c:329
#13 0x1017e8e0 in ewsTelnetParse (context=0x11a5de6 at ews_tel.c:459
#14 0x1017593c in ewsParse (context=0x3fce3a0) at ews_pars.c:1640
#15 0x1017439c in ewsRun () at ews.c:574
#16 0x10167e34 in ewmain () at ewmain.c:1214
#17 0x1017f29c in emweb_main (argc=1, argv=<value optimized out>
    at ewtask.c:659
#18 0x100ad568 in osapi_task_wrapper (arg=0x115ba5f0) at osapi_task.c:216
#19 0x4801b468 in pthread_start_thread () from /lib/libpthread.so.0
#20 0x4801b4ac in pthread_start_thread_event () from /lib/libpthread.so.0
#21 0x480f4f44 in clone () from /lib/libc.so.0
Backtrace stopped: previous frame inner to this frame (corrupt stack?)

lipingtababa

你的栈的层次真够深的

是怎么core掉的 你没有贴出来

hongbupt

你说是怎么core掉是什么意思啊，我就是通过脚本程序跑出来了。每次crash 栈地方还不一样。不过都是malloc crash

NeteLife

看一下传给malloc的size是多少，在这里crash掉，并不一定是这里出了问题，可能是其它地方引起的，而程序执行到这里，crash了而已。如果可以还原场景的话，查起来可能会简单一点，不然，这样的bug很难查。

hongbupt

很可能就是在某个内存处做了下溢操作，结果导致内存链表混乱，在malloc 时就Crash 了，但是这样的问题太难找了

ynchnluiti

从中看到这么一句

#11 0x1016e5a4 in ewsCliData (context=0x11a5de68,
    datap=0x4 <Address 0x4 out of bounds>, bytesp=0xbc3ff748,

hongbupt

太仔细了，非常感谢，也许就是这个导致的，我马上测试一下