Weirdly enough, a small apparently elegant looking code working fine on my box and when statically compiled on my box works fine on all others boxens I tested. But trouble striked when of my colleague svn co'd my code and tried writing some plugin. The blue sky turned grey for me as it began crashing in bootstrapping of the app itself, apparently in a linked list implementation of circular queue.

After considerable amount of fiddling with..

neo@sauron ~/ROOT/work/v2/production $ cat > gdb
break *(start_loader+116)
command 1
p entry
p entry->name
p entry->func
p entry->next
p entry->prev
continue
end

(gdb) source ./gdb
Breakpoint 1 at 0x80ca831: file ra_loader.c, line 128.
(gdb) r
.
.
Breakpoint 1, 0x080ca831 in start_loader () at ra_loader.c:128
128           if(strncmp(entry->name, "bootstrap", strlen("bootstrap")) == 0)
{
$141 = (struct load_entry_t *) 0x828d8f0
$142 = 0x4fe1 

$143 = (void (*)()) 0x4fe1
$144 = (struct load_entry_t *) 0xb7ee552c
$145 = (struct load_entry_t *) 0x0

Program received signal SIGSEGV, Segmentation fault.
0x080ca831 in start_loader () at ra_loader.c:128
128           if(strncmp(entry->name, "bootstrap", strlen("bootstrap")) == 0)
{

Initially looked like heap overflow somewhere which resulted in pointer overwrites, but after considerable effort, found its the same common flaw in pointer link/unlink of list blocks.

Lesson learned: try not to write up a quick queue/list implementation playing with malloc'd ptrs, prefer using well tested ones.. probably `man queue` (sys/queue.h) and rtfm helps..

http://www.gnu.org/software/libc/manual/html_node/Tracing-malloc.html#Tracing-malloc

posted at: 18:17 | path: / | permanent link to this entry