A user reported an error to me where the line
read(unit_chk) ((kpt_latt(i,nkp),i=1,3),nkp=1,num_kpts)
failed with the error (similar to Why do I get a C malloc assertion failure?)
malloc.c:2365: sysmalloc: Assertion `(old_top == (((mbinptr)
(((char *) &((av)->bins[((1) - 1) * 2])) - __builtin_offsetof (struct
malloc_chunk, fd)))) && old_size == 0) || ((unsigned long) (old_size) >=
(unsigned long)((((__builtin_offsetof (struct malloc_chunk,
fd_nextsize))+((2 * (sizeof(size_t))) - 1)) & ~((2 * (sizeof(size_t))) -
1))) && ((old_top)->size & 0x1) && ((unsigned long)old_end & pagemask)
== 0)' failed.
Abort
As far as I know, the error occurs only for a specific set of inputs. Also, when the read() is changed to the equivalent
((kpt_latt(i,nkp),i=1,3),nkp=1,(num_kpts-1)), &
kpt_latt(1,num_kpts),kpt_latt(2,num_kpts),kpt_latt(3,num_kpts)
the error disappears. Even compiling with a different compiler version (IntelStudio 2013 SP1 composer_xe_2013_sp1.2.144 instead of IntelStudio 2015 composer_xe_2015.6.233) made the error disappear. (This is all from the user's reports -- I have not yet reproduced the error.)
When the program is run through valgrind, it reports
valgrind: m_mallocfree.c:268 (mk_plain_bszB): Assertion 'bszB != 0' failed.
valgrind: This is probably caused by your program erroneously writing past the
end of a heap block and corrupting heap metadata. If you fix any
invalid writes reported by Memcheck, this assertion failure will
probably go away. Please try that before reporting this as a bug.
Before that, there are a couple of messages of the kind Conditional jump or move depends on uninitialised value(s), Use of uninitialised value of size 8 and Invalid read of size 8, and one Invalid write of size 1 on the statement cited above.
The array that is being read into is allocated to the proper size just one line before:
allocate(kpt_latt(3,num_kpts))
read(unit_chk) ((kpt_latt(i,nkp),i=1,3),nkp=1,num_kpts)
EDIT: The user has reported back with a possible solution. The array kpt_latt that is being read was declared with a wrong data type, namely as integer while the data in the file was written as real. This is an error of course; but is it realistic that this caused the failed malloc() assertion?
Fine print: We are talking about a default-kind integer (4 bytes) and a double precision real (8 bytes) here. The resulting bogus values in kpt_latt were not noticed because the program does not actually use them. I still have not reproduced the error myself, so I have to rely on what the user tells me.
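The mismatch described in the EDIT, modeled in C as an added example (this is not the user's Fortran or any project code; the record contents are constructed). An unformatted READ copies the record bytes into the target storage, so reading 3*num_kpts real(8) values into an array allocated for 3*num_kpts integer(4) values writes 12*num_kpts bytes past the allocation. glibc keeps the size word of the following chunk directly after the usable bytes of a block, so an overrun of this kind rewrites exactly the metadata the sysmalloc assertion inspects, and Valgrind's own allocator fails the same way (that is the m_mallocfree.c assertion). The copy below is made into a buffer with canary slack behind it so the demonstration itself stays in bounds:

```c
/* Model of kpt_latt allocated as 3*num_kpts default integers (4 bytes
   each) while the record holds 3*num_kpts double precision reals
   (8 bytes each).  Added example, not code from the original post. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NDIM 3          /* first dimension of kpt_latt(3, num_kpts) */
#define CANARY 0xA5u    /* pattern used to detect writes past the allocation */

/* Bytes the unformatted READ delivers: num_kpts triples of real(8). */
static size_t record_bytes(size_t num_kpts) { return NDIM * num_kpts * sizeof(double); }

/* Bytes the program actually allocated: num_kpts triples of integer(4). */
static size_t declared_bytes(size_t num_kpts) { return NDIM * num_kpts * sizeof(int); }

/* How far past the end of kpt_latt the read writes. */
size_t overrun_bytes(size_t num_kpts) {
    size_t rec = record_bytes(num_kpts), decl = declared_bytes(num_kpts);
    return rec > decl ? rec - decl : 0;
}

/* Perform the mismatched copy into a buffer followed by a canary region
   and count how many canary bytes were overwritten.
   Returns (size_t)-1 on allocation failure. */
size_t clobbered_bytes(size_t num_kpts) {
    size_t decl = declared_bytes(num_kpts), rec = record_bytes(num_kpts);
    unsigned char *kpt_latt = malloc(decl + rec);   /* decl bytes + canary slack */
    double *record = malloc(rec);
    if (!kpt_latt || !record) { free(kpt_latt); free(record); return (size_t)-1; }

    /* constructed record: arbitrary k-point coordinates */
    for (size_t k = 0; k < NDIM * num_kpts; ++k) record[k] = 0.25 * (double)k;
    memset(kpt_latt + decl, CANARY, rec);

    /* what READ(unit_chk) ((kpt_latt(i,nkp),i=1,3),nkp=1,num_kpts) does
       when the file holds real(8): copy the whole record into storage
       that was sized for integer(4) */
    memcpy(kpt_latt, record, rec);

    size_t clobbered = 0;
    for (size_t i = 0; i < rec; ++i)
        if (kpt_latt[decl + i] != CANARY) ++clobbered;

    free(kpt_latt);
    free(record);
    return clobbered;
}

int main(void) {
    size_t n = 4;
    printf("num_kpts=%zu: allocated %zu bytes, record %zu bytes, "
           "overrun %zu bytes (%zu canary bytes clobbered)\n",
           n, declared_bytes(n), record_bytes(n), overrun_bytes(n), clobbered_bytes(n));
    return 0;
}
```

With a single k-point the overrun is already 12 bytes, more than the 8-byte size word of the next chunk; whether the program aborts depends on what happens to sit after kpt_latt, which is why the failure came and went with compiler version and input set.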
I'm building 64-bit C++ code on VS 2015.
DWORD blockLength;
blockLength = strlen((LPCSTR)sourceVar); // sourceVar is of type CString, build warning here.
// Allocate memory.
defaultBuffer = new unsigned char[blockLength + 1];
sprintf_s(reinterpret_cast<char*>(defaultBuffer), (blockLength + 1), "%s", (LPCSTR)sourceVar);
// Decrypt data
if (!someMethod(someParameter, 0, 1, 0, defaultBuffer, &blockLength))
{
// Do something
}
When I run the code from HP-fortify, I don't see any build warnings or any fortify issues.
However, when I build the code separately, I see this warning on 2nd line -
warning C4267: '=': conversion from 'size_t' to 'DWORD', possible loss of data
Now, when I make these code changes -
blockLength = sourceVar.GetLength();
The build warning is gone. However, when I run this new code against HP-Fortify, I now see following error at sprintf_s line -
Buffer Overflow
(Input Validation and Representation, Data Flow) -
The function writes outside the bounds of allocated memory, which could corrupt data, cause the program to crash, or lead to the execution of malicious code.
In 64-bit mode a size_t will be 64 bits, but a DWORD will always be 32 bits...
So assigning a 64-bit value to a 32-bit variable loses the top 32 bits of the size_t, hence the warning.
Why you only get it in release mode - no idea.
blockLength = static_cast<int>(strlen((LPCSTR)sourceVar));
Using static_cast fixed the issue. There are no errors in HP Fortify and no warnings while building.
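An added example (not from the original post) of what a practitioner wants in place of the cast: a cast only silences the C4267 warning, the truncation still happens for any length above 4 GiB, and a truncated blockLength feeds the size argument of sprintf_s. The version below checks that the length fits before narrowing it and sizes the copy from the same checked value. uint32_t stands in for DWORD and snprintf for sprintf_s so the code builds with any C99 compiler; those substitutions are assumptions of this example.

```c
/* Checked size_t -> 32-bit narrowing plus a bounded copy.  Added example;
   uint32_t models DWORD and snprintf models sprintf_s. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Returns true and stores the value when n fits in 32 bits.  A plain
   (DWORD) or static_cast<int> cast would silently keep only the low 32 bits. */
bool narrow_to_u32(size_t n, uint32_t *out) {
    if (n > UINT32_MAX) return false;
    *out = (uint32_t)n;
    return true;
}

/* Convenience wrapper for callers that only need the yes/no answer. */
bool fits_u32(size_t n) {
    uint32_t v;
    return narrow_to_u32(n, &v);
}

/* Allocate blockLength + 1 bytes and copy sourceVar in, as the post does,
   but with the length checked first.  Rejects len == UINT32_MAX so that
   blockLength + 1 also fits in 32 bits.  Returns NULL on a too-long input
   or allocation failure; *block_len receives the checked length. */
unsigned char *copy_to_block(const char *sourceVar, uint32_t *block_len) {
    uint32_t len;
    if (!narrow_to_u32(strlen(sourceVar), &len) || len == UINT32_MAX) return NULL;
    unsigned char *buf = malloc((size_t)len + 1);
    if (!buf) return NULL;
    /* destination size is the real allocation size, so the copy cannot overrun */
    snprintf((char *)buf, (size_t)len + 1, "%s", sourceVar);
    *block_len = len;
    return buf;
}

/* Round trip for the demonstration: copy s into a checked block and verify
   that the contents and the reported length agree with the input. */
bool demo_roundtrip(const char *s) {
    uint32_t len = 0;
    unsigned char *b = copy_to_block(s, &len);
    bool ok = b != NULL && len == strlen(s) && strcmp((const char *)b, s) == 0;
    free(b);
    return ok;
}

int main(void) {
    printf("\"hello\" round-trips: %s\n", demo_roundtrip("hello") ? "yes" : "no");
    printf("SIZE_MAX fits in 32 bits: %s\n", fits_u32(SIZE_MAX) ? "yes" : "no");
    return 0;
}
```

On a 64-bit build fits_u32(SIZE_MAX) is false, which is the case the cast hides; on a 32-bit build size_t and DWORD are the same width and the check is a no-op.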
I've been trying to decompile an exe file (or just one function, for all I care), and I've been running into the following error:
Decompilation failure:
FFFFFF: wrong basic type sizes in compiler settings
According to the manual, I should check these settings:
Some basic type sizes are incorrect. The decompiler requires that
sizeof(int) == 4
sizeof(bool) == 4
sizeof(enum) == 4
sizeof(long) == 4
sizeof(near pointer) == 4
Please check the type sizes in the Options, Compiler dialog box and modify them if they are incorrect.
I have checked these settings, and they are set to the specified settings. Please note that I am missing the "sizeof(near pointer)" but I have a sizeof(short) and a sizeof(longlong) that aren't specified in the manual.
I'd be grateful for a fast resolution to this problem.
I am using memcmp to compare the char pointer to an empty string as:
if((0 == memcmp("", pcNewBeginPtr, 1))){
// do some stuff
}
I am able to compare this, but while running through Valgrind, I get this error message:
Invalid read of size 1 at this line.
Amazingly, you could read the docs to see what the "invalid read" message means. E.g. you don't legitimately have read access to the memory at pcNewBeginPtr: it's already been freed, wasn't validly initialised to point at a char buffer, points to a local variable in a scope that's already exited, etc.
You might read some other questions: e.g. here.
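An added example (not from the original post) of the case a practitioner most often hits here: memcmp("", p, 1) always reads p[0], and when p is a scan pointer that has reached the end of a buffer that is not NUL-terminated, that one byte is exactly the Invalid read of size 1. The cursor type, field names and the sample buffer below are assumptions of this illustration; the check proves the byte exists before reading it.

```c
/* End-of-input test that never dereferences past the buffer.  Added
   example; the cursor type and names are illustrative. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

typedef struct {
    const char *cur;   /* next unread byte (the role pcNewBeginPtr plays) */
    const char *end;   /* one past the last valid byte */
} cursor;

/* True when there is nothing left to compare against "": the cursor has
   reached the end of its buffer, or the next byte is a NUL terminator.
   *cur is only read after proving it lies inside [cur, end). */
bool cursor_at_empty(const cursor *c) {
    if (c->cur == NULL || c->cur >= c->end) return true;
    return *c->cur == '\0';
}

/* Count comma-separated fields in a buffer that need not be NUL-terminated.
   A loop written as memcmp("", p, 1) == 0 would read buf[len] to decide
   when to stop; this one stops on the bound instead. */
size_t count_fields(const char *buf, size_t len) {
    cursor c = { buf, buf + len };
    if (cursor_at_empty(&c)) return 0;   /* zero-length input: no read at all */
    size_t fields = 1;
    while (!cursor_at_empty(&c)) {
        if (*c.cur == ',') ++fields;
        ++c.cur;
    }
    return fields;
}

/* Constructed input: five bytes with no terminator, as you get from a
   network read or a sub-slice of a larger record.  Returns the field count;
   reading one byte past the end here would be the invalid read Valgrind reports. */
size_t demo_unterminated(void) {
    const char data[5] = { 'a', ',', 'b', ',', 'c' };
    return count_fields(data, sizeof data);
}
```

The same discipline applies when pcNewBeginPtr is derived from an earlier read: carry the end pointer (or remaining length) alongside it and compare them before looking at the byte.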
My server daemon works fine on most machines however on one I am getting:
malloc.c:3074: sYSMALLOc: Assertion `(old_top == (((mbinptr) (((char *) &((av)->bins[((1)
- 1) * 2])) - __builtin_offsetof (struct malloc_chunk, fd)))) && old_size == 0) ||
((unsigned long) (old_size) >= (unsigned long)((((__builtin_offsetof (struct
malloc_chunk, fd_nextsize))+((2 * (sizeof(size_t))) - 1)) & ~((2 * (sizeof(size_t))) -
1)))&& ((old_top)->size & 0x1) && ((unsigned long)old_end & pagemask) == 0)' failed.
gdb backtrace:
#4 0x002a8300 in sYSMALLOc (av=<value optimised out>, bytes=<value optimised out>) at malloc.c:3071
#5 _int_malloc (av=<value optimised out>, bytes=<value optimised out>) at malloc.c:4702
#6 0x002a9898 in *__GI___libc_malloc (bytes=16) at malloc.c:3638
#7 0x0804d575 in xmpp_ctx_new (mem=0x0, log=0x0) at src/ctx.c:383
#8 0x0804916e in main (argc=1, argv=0xbffff834) at ../src/adminbot.c:277
Any ideas what else to try? I am unable to find a bug in my code; it could be a bug in the XMPP library and I need to determine that.
Thanks.
This is almost certainly due to a heap corruption bug in your code (writing just before or just after an allocated block).
Since you are apparently on Linux, the tool to use here is Valgrind. It should point you straight at the problem, and it should do so even on machines where your daemon "works".
Trying anything other than Valgrind for this kind of problem is likely a waste of time.
The assertion almost certainly indicates some kind of memory corruption prior to a call to malloc. Given that the assertion is tripping in xmpp_ctx_new, which appears to be a very early call in the libstrophe XMPP library, I'd say it's very likely that the bug is in your code (though it may not be if you're allocating several XMPP contexts - not sure if there's any reason to do that).
If you're only allocating one XMPP context, you can isolate the bug to your code by inserting a call to malloc(sizeof(xmpp_ctx_t)) prior to calling xmpp_ctx_new, and you'll see the problem isn't in libstrophe. (Incidentally, I'm pretty sure the problem won't be in this call to xmpp_ctx_new because I googled the source to the function (mem=0x0 looked likely to cause problems), and saw that it basically reduced to malloc and a few initializers - reading the source is generally a good strategy for looking for bugs in OSS.)
Hi, when I was trying to execute my program (C++) I was getting the following error:
a.out: malloc.c:3096: sYSMALLOc: Assertion `(old_top == (((mbinptr) (((char *) &((av)->bins[((1) - 1) * 2])) - __builtin_offsetof (struct malloc_chunk, fd)))) && old_size == 0) || ((unsigned long) (old_size) >= (unsigned long)((((__builtin_offsetof (struct malloc_chunk, fd_nextsize))+((2 * (sizeof(size_t))) - 1)) & ~((2 * (sizeof(size_t))) - 1))) && ((old_top)->size & 0x1) && ((unsigned long)old_end & pagemask) == 0)' failed.
Aborted
and when I traced my program using cout's, I found that it is because of the following line
BNode* newNode=new BNode();
If I remove this line I don't get the error.
Can anyone please help in this regard...
The line of code shown is OK in general. The heap probably was corrupted before. I would use a memory checker like valgrind to find out where.
Without a memory checking tool you just have to look hard at your code and find the error.
Sometimes a binary search strategy helps. Deliberately deactivate parts of your code and narrow down. Don't be fooled by false positives like the line you posted.
Another alternative is to switch to a programming language with automatic memory management.
The error message means that the integrity of the program heap was violated. The heap was broken. The line you removed... maybe it was the culprit, maybe it was not to blame. Maybe the heap was damaged by some code before that (or even well before that) and the new that you removed simply revealed the problem, not caused it. There's no way to say from what you posted.
So, it is possible that you actually changed nothing by removing that line. The error could still be there, and the program will simply fail in some other place. Buffer overrun, double free or something like that is normally to blame for the invalidated heap. Run your code through some static or dynamic checker to look for these problems (valgrind, coverity etc.)
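An added example covering the two heap-corruption threads above (the daemon failing in xmpp_ctx_new and the crash at new BNode()); it is not code from either post, nor from libstrophe. Both answers say the same thing: the allocation that aborts is only where glibc notices damage done earlier, and the fix is to find the write that went just before or just after a block. When Valgrind cannot be run on the machine that fails, a guard-zone allocator swapped in for malloc/free in your own code does a rough version of the same job: every block gets filled guard bytes on both sides, and gcheck_all() at checkpoints (for instance immediately before the call that aborts) turns the "insert a malloc before xmpp_ctx_new" and "deactivate parts of your code" bisection into a yes/no answer about which blocks are already damaged.

```c
/* Guard-zone allocator for narrowing down heap corruption without
   Valgrind.  Added example; names and guard layout are this example's own. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define GUARD_BYTE 0xA5u    /* fill pattern for both guard zones */
#define BACK_GUARD 16u      /* bytes of guard after the user block */

typedef struct guard_hdr {
    struct guard_hdr *prev, *next;   /* doubly linked list of live blocks */
    size_t size;                     /* size the caller asked for */
} guard_hdr;

/* User data starts at a 16-byte boundary; everything between the
   bookkeeping and that boundary, plus one extra 16-byte row, is front guard. */
#define HDR_SIZE ((((sizeof(guard_hdr) + 15u) / 16u) * 16u) + 16u)

static guard_hdr *live_blocks = NULL;

static size_t damaged_bytes(const unsigned char *p, size_t n) {
    size_t d = 0;
    for (size_t i = 0; i < n; ++i) if (p[i] != GUARD_BYTE) ++d;
    return d;
}

void *gmalloc(size_t n) {
    unsigned char *raw = malloc(HDR_SIZE + n + BACK_GUARD);
    if (!raw) return NULL;
    guard_hdr *h = (guard_hdr *)raw;
    h->size = n;
    h->prev = NULL;
    h->next = live_blocks;
    if (live_blocks) live_blocks->prev = h;
    live_blocks = h;
    memset(raw + sizeof *h, GUARD_BYTE, HDR_SIZE - sizeof *h);   /* front guard */
    memset(raw + HDR_SIZE + n, GUARD_BYTE, BACK_GUARD);          /* back guard */
    return raw + HDR_SIZE;
}

/* Bit 1: bytes before the block were written (underflow);
   bit 2: bytes after it were written (overflow); 0: intact. */
int gcheck(const void *p) {
    const unsigned char *raw = (const unsigned char *)p - HDR_SIZE;
    const guard_hdr *h = (const guard_hdr *)raw;
    int r = 0;
    if (damaged_bytes(raw + sizeof *h, HDR_SIZE - sizeof *h)) r |= 1;
    if (damaged_bytes(raw + HDR_SIZE + h->size, BACK_GUARD)) r |= 2;
    return r;
}

/* Check every live block and report the damaged ones on stderr.  Call it
   at checkpoints to bisect where the damage first appears.  Returns the
   number of damaged blocks. */
int gcheck_all(const char *where) {
    int bad = 0;
    for (guard_hdr *h = live_blocks; h; h = h->next) {
        unsigned char *user = (unsigned char *)h + HDR_SIZE;
        int r = gcheck(user);
        if (r) {
            ++bad;
            fprintf(stderr, "%s: block %p (%zu bytes) %s%s\n", where, (void *)user,
                    h->size, (r & 1) ? "underflow " : "", (r & 2) ? "overflow" : "");
        }
    }
    return bad;
}

/* Verify, unlink and release.  Returns the gcheck() result so a caller can
   stop at the first corrupted block instead of letting free() abort later. */
int gfree(void *p) {
    if (!p) return 0;
    int r = gcheck(p);
    guard_hdr *h = (guard_hdr *)((unsigned char *)p - HDR_SIZE);
    if (h->prev) h->prev->next = h->next; else live_blocks = h->next;
    if (h->next) h->next->prev = h->prev;
    free(h);
    return r;
}

/* Demonstration: allocate `size` bytes, write `count` bytes starting at
   `offset` (negative = before the block), return the gcheck() status. */
int demo_write(size_t size, long offset, size_t count) {
    unsigned char *a = gmalloc(size);
    if (!a) return -1;
    memset(a + offset, 0, count);
    int r = gcheck(a);
    gfree(a);
    return r;
}

int main(void) {
    printf("in bounds: %d, one past end: %d, one before start: %d\n",
           demo_write(16, 0, 16), demo_write(16, 0, 17), demo_write(16, -1, 1));
    return 0;
}
```

The fixed 0xA5 pattern misses a write that happens to store that value, and the list walk costs O(live blocks), so this is a debugging aid for the failing machine, not a replacement for Valgrind or AddressSanitizer when you can run them.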