我有一个不断抛出分段错误的测试用例。当我使用gdb
尝试查找segfaulting的位置时,我发现它在被测试的代码中调用free()失败了。
现在问题是,传递给free()
的参数是使用malloc()
分配的,之后没有调整(AFAICT)。
以下是相关代码:
structure.h
#pragma once
//=== Includes
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
#include "kv/backend.h"
#include "xm.h"
#include "constants.h"
//=== Defines
#define STRUCTURE_TYPE_NULL (0x00) // invalid - we should never see this
#define STRUCTURE_TYPE_SUB (0x01) // substructure
#define STRUCTURE_TYPE_I64 (0x02) // 64b signed integer
#define STRUCTURE_TYPE_U64 (0x03) // 64b unsigned integer
#define STRUCTURE_TYPE_H64 (0x04) // 64b translate to hex (ie: 0x'...')
#define STRUCTURE_TYPE_F64 (0x05) // 64b IEEE 754 double float
#define STRUCTURE_TYPE_BLOB (0x06) // variable length binary blob
#define STRUCTURE_TYPE_STRING (0x07) // variable length null terminated string
#define STRUCTURE_TYPE_TIME (0x08) // 64b packed YMDhms time
#define STRUCTURE_TYPE_UNIXTIME (0x09) // 64b signed unix time
//=== Structures
typedef struct {
int64_t year :35;
uint64_t month :4;
uint64_t day :5;
uint64_t hour :5;
uint64_t minute :6;
uint64_t second :6;
} structure_time;
typedef struct structure_struct {
uint8_t *key;
union {
int64_t i64;
uint64_t u64;
uint64_t h64;
double f64;
uint8_t *blob;
uint8_t *string;
structure_time time;
int64_t unixtime;
struct structure_struct *children;
};
union {
uint16_t len; // blob + string (includes NULL terminator)
uint16_t count; // children
};
uint8_t type;
} structure;
//=== Special
static inline int cmp_structure (const void *arg1, const void *arg2) {
const structure *a = arg1;
const structure *b = arg2;
return strcmp (a->key, b->key); // compare keys
}
#define SORT_NAME structure
#define SORT_TYPE structure
#define SORT_CMP(x, y) cmp_structure (&x, &y)
#include "../deps/sort/sort.h"
//=== Functions
static inline void StructureSortChildren (structure *s) {
structure_tim_sort (s->children, s->count);
return;
}
int StructureAddChildren (structure *parent, const structure *children, int count);
void StructureFree (structure *s);
structure.c
#include "structure.h"
int StructureAddChildren (structure *parent, const structure *children, int count) {
if (parent->type != STRUCTURE_TYPE_SUB)
return 1; // yeah lets not cause a memory issue
// realloc () may lose data
structure *tmp = malloc ((parent->count + count) * sizeof (structure *));
if (!tmp)
return -1; // memory failure
// copy over the old children
memcpy (tmp, parent->children, parent->count * sizeof (structure));
if (parent->count > 0)
free (parent->children); // segfault occurs here
parent->children = tmp;
// copy over the new children
memcpy (&parent->children[parent->count], children, count * sizeof (structure));
parent->count += count;
// resort the array to allow bsearch() to find members
structure_tim_sort (parent->children, parent->count);
return 0;
}
test_structure.c
#include "test.h"
#include "../structure.h"
const char *key[4] = { "head", "number", "integer", "string" };
const char *text = "text";
void printstructure (const structure *s) {
switch (s->type) {
case STRUCTURE_TYPE_SUB: {
printf ("Structure:\n" \
"\tType:\t%s\n" \
"\tKey:\t%s\n" \
"\tnumber Count:\t%i\n\n",
"(Sub)Structure", s->key, s->count);
break;
}
case STRUCTURE_TYPE_STRING: {
// assert (s->len == (strlen (s->string) + 1)); // NULL terminator
printf ("Structure:\n" \
"\tType:\t%s\n" \
"\tKey:\t%s\n" \
"\tValue:\t%s\n" \
"\tLength:\t%i\n\n",
"String", s->key, s->string, s->len);
break;
}
case STRUCTURE_TYPE_I64: {
printf ("Structure:\n" \
"\tType:\t%s\n" \
"\tKey:\t%s\n" \
"\tValue:\t%i\n\n",
"64-Bit Signed Integer", s->key, (int) s->i64);
break;
}
case STRUCTURE_TYPE_F64: {
printf ("Structure:\n" \
"\tType:\t%s\n" \
"\tKey:\t%s\n" \
"\tValue:\t%f\n\n",
"64-Bit FP Number", s->key, (float) s->f64);
break;
}
}
return;
}
void test (void) {
structure *head, *number, *integer, *string;
// basic allocations
head = malloc (sizeof (structure));
head->key = strdup (key[0]);
head->type = STRUCTURE_TYPE_SUB;
head->count = 0;
number = malloc (sizeof (structure));
number->key = strdup (key[1]);
number->type = STRUCTURE_TYPE_F64;
number->f64 = 3.1415;
integer = malloc (sizeof (structure));
integer->key = strdup (key[2]);
integer->type = STRUCTURE_TYPE_I64;
integer->i64 = -42;
string = malloc (sizeof (structure));
string->key = strdup (key[3]);
string->type = STRUCTURE_TYPE_STRING;
string->string = strdup (text);
string->len = strlen (text) + 1; // NULL terminator
// lets see the current states
printf ("\n---Structures Built---\n\n");
printstructure (head);
printstructure (number);
printstructure (integer);
printstructure (string);
// lets put them together
// head +> number
// -> integer
// -> string
StructureAddChildren (head, integer, 1);
StructureAddChildren (head, string, 1);
StructureAddChildren (head, number, 1); // the SEGFAULT occurs on this call
...
}
int main (int argc, char *argv) {
test ();
return 0;
}
现在,SEGFAULT发生在StructureAddChildren()
的第三次调用上。具体来说,就行了
StructureAddChildren (head, number, 1); // the SEGFAULT occurs on this call
test_structure.c
的,一旦调用StructureAddChildren
,就会出现SEGFAULT
free (parent->children); // segfault occurs here
来自structure.c
。
我无法想象导致SEGFAULT的原因,因为StructureAddChildren()
是分配内存的唯一点,没有别的东西与指针混淆(写入它)。
总的来说,导致SEGFAULT的原因是什么?如何解决?
答案 0 :(得分:3)
在StructureAddChildren()
中为新(和旧)结构分配内存时,您应使用sizeof(structure *)
计算新大小,而应为sizeof(structure)
。结果,分配的空间不足,以后写入超出分配的空间。更正的行应为:
structure *tmp = malloc ((parent->count + count) * sizeof (structure));
答案 1 :(得分:2)
malloc
函数中StructureAddChildren
的大小可能有误,请尝试使用sizeof(structure)
替换原sizeof(structure*)
// realloc () may lose data
structure *tmp = malloc ((parent->count + count) * sizeof (structure));//!!!
if (!tmp)
return -1; // memory failure