core dump in fio-1.16.9 from ljzhang,Yaxin Hu,Jianchao Tang on 2007-07-26 (fio-devel)

From: ljzhang,Yaxin Hu,Jianchao Tang <nonggia_at_sjtu.edu.cn>
Date: Thu, 26 Jul 2007 13:11:10 +0800

1. The job file causing the problem:
----------ranmap-------------------
[global]
directory=./temp
nrfiles=1
rw=randread
size=64K
bsrange=1k-32k
thread
[ranmap]
description="Over-bounded in mark_random_map()."
-----------------------------------------

Running the job file, we have a high possibility to get a core dump like
this:
----------------------------------------
nonggia_at_nonggia-desktop:~/fio$ fio --version
fio 1.16.9
nonggia_at_nonggia-desktop:~/fio$ fio ranmap
ranmap: (g=0): rw=randread, bs=1K-32K/4K-4K, ioengine=sync, iodepth=1
Starting 1 thread
file:io_u.c:64, assert idx < f->num_maps failed
Segmentation fault (core dumped)
nonggia_at_nonggia-desktop:~/fio$ gdb fio core.6135
... ...
Core was generated by `fio ranmap'.
Program terminated with signal 11, Segmentation fault.
#0 0x0805b69f in mark_random_map (td=0xb7be3000, io_u=0x8073f08) at
io_u.c:64
64 fio_assert(td, idx < f->num_maps);
(gdb) bt
#0 0x0805b69f in mark_random_map (td=0xb7be3000, io_u=0x8073f08) at
io_u.c:64
#1 0x0805c42c in fill_io_u (td=0xb7be3000, io_u=0x8073f08) at
io_u.c:348
#2 0x0805cb5f in set_io_u_file (td=0xb7be3000, io_u=0x8073f08) at
io_u.c:588
#3 0x0805cde4 in get_io_u (td=0xb7be3000) at io_u.c:672
#4 0x0804cadd in do_io (td=0xb7be3000) at fio.c:437
#5 0x0804e1b1 in thread_main (data=0xb7be3000) at fio.c:873
#6 0xb7ef7504 in start_thread ()
from /lib/tls/i686/cmov/libpthread.so.0
#7 0xb7e5551e in clone () from /lib/tls/i686/cmov/libc.so.6
(gdb) p io_u->offset
$1 = 41984
(gdb) p io_u->buflen
$2 = 27648
(gdb) p io_u->file->real_file_size
$3 = 65536

2. Reason for the core dump:
The io_u->offset+io_u->buflen was too large to be map in the map file.
They just produced an idx out of the file_map's range.

3. Fix suggestion:
Here is the patch:
-----------------------------------------------------
diff -Nraup fio-7.25/io_u.c fio-7.25-ranmap/io_u.c
--- fio-7.25/io_u.c 2007-07-25 14:25:05.000000000 +0800
+++ fio-7.25-ranmap/io_u.c 2007-07-25 20:35:41.000000000 +0800
@@ -30,7 +30,7 @@ static int random_map_free(struct thread
        unsigned int idx = RAND_MAP_IDX(td, f, block);
        unsigned int bit = RAND_MAP_BIT(td, f, block);

- return (f->file_map[idx] & (1UL << bit)) == 0;
+ return (idx < f->num_maps) && ((f->file_map[idx] & (1UL << bit))
==
0);
}

/*
@@ -61,7 +61,8 @@ static void mark_random_map(struct threa
                idx = RAND_MAP_IDX(td, f, block);
                bit = RAND_MAP_BIT(td, f, block);

- fio_assert(td, idx < f->num_maps);
+ if(idx >= f->num_maps)
+ break;

                f->file_map[idx] |= (1UL << bit);
                block++;
------------------------------------------------------

text/x-patch attachment: ranmap.patch__charset_UTF-8

Received on Thu Jul 26 2007 - 07:11:10 CEST

This archive was generated by hypermail 2.2.0 : Thu Jul 26 2007 - 09:00:02 CEST