Bug 6636 - Deallocation of a pointer not malloced
Summary: Deallocation of a pointer not malloced
Alias: None
Product: rsync
Classification: Unclassified
Component: core (show other bugs)
Version: 3.0.7
Hardware: PPC Mac OS X
: P3 major (vote)
Target Milestone: ---
Assignee: Wayne Davison
QA Contact: Rsync QA Contact
Depends on:
Reported: 2009-08-13 15:56 UTC by Aaro Koskinen
Modified: 2009-12-13 00:34 UTC (History)
0 users

See Also:

Fix a bogus free() in uncache_tmp_xattrs() (289 bytes, patch)
2009-08-14 09:10 UTC, Wayne Davison
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Aaro Koskinen 2009-08-13 15:56:16 UTC
(The OS version is Mac OS X 10.4.11 with all updates as of today and rsync is compiled with Apple's gcc powerpc-apple-darwin8-gcc-4.0.1 (build 5370).)

When I'm running rsync with the following options:

-X -a -v -n --exclude-from=... --delete --backup --backup-dir=...

I occasionally get the following errors from the Mac OS X malloc():

rsync(486) malloc: ***  Deallocation of a pointer not malloced: 0x4aeb54; This could be a double free(), or free() called with the middle of an allocated block; Try setting environment variable MallocHelp to see tools to help debug

It can be reproduced with dry runs. But if the file system is modifed, it can also go away.

The stack trace from where the printout comes (strings replaced with "..."):

(gdb) bt
#0  0x9012b760 in malloc_printf ()
#1  0x90005f5c in free ()
#2  0x00037fd4 in uncache_tmp_xattrs () at xattrs.c:754
#3  0x00023c08 in make_backup (fname=0xbfffd118 "...") at backup.c:369
#4  0x0000bbb8 in delete_item (fbuf=0xbfffd118 "...", mode=33152, flags=17448) at generator.c:198
#5  0x0000b970 in delete_dir_contents (fname=0xbfffd118 "...", flags=4) at generator.c:304
#6  0x0000bab8 in delete_item (fbuf=0xbfffd118 "...", mode=16832, flags=2) at generator.c:179
#7  0x0000c2a8 in delete_in_dir (fbuf=0x4fdf88 "...", file=0x6, fs_dev=0x11b05e0) at generator.c:536
#8  0x00011288 in generate_files (f_out=1, local_name=0x4aeb54 "...") at generator.c:2245
#9  0x0001d004 in do_recv (f_in=0, f_out=1, local_name=0x0) at main.c:830
#10 0x0001da00 in start_server (f_in=0, f_out=1, argc=1, argv=0xbfffe444) at main.c:940
#11 0x0001ed50 in child_main (argc=18633264, argv=0x8000) at main.c:947
#12 0x00039858 in local_child (argc=2, argv=0xbfffe440, f_in=0xbfffe030, f_out=0xbfffe034, child_main=0x1ed30 <child_main>) at pipe.c:156
#13 0x0001ebcc in main (argc=2, argv=0x3002b0) at main.c:463
Comment 1 Wayne Davison 2009-08-14 09:10:55 UTC
Created attachment 4559 [details]
Fix a bogus free() in uncache_tmp_xattrs()

This patch corrects the free() in uncache_tmp_xattrs() to free the right pointer.  I used valgrind to get it to complain about the bogus free, and verified that the new free is correct.
Comment 2 Wayne Davison 2009-08-14 09:11:40 UTC
This fix is checked into git.
Comment 3 Wayne Davison 2009-12-13 00:34:20 UTC
Fix will be released in 3.0.7.