[systemd-devel] sd-resolve reference counting

Zbigniew Jędrzejewski-Szmek zbyszek at in.waw.pl
Thu Jul 17 21:06:08 PDT 2014 

Hi,
running systemd-timesyncd from current git under valgrind yields:

==16536== Thread 2 sd-resolve:
==16536== Syscall param sendmsg(msg.msg_iov[0]) points to uninitialised byte(s)
==16536==    at 0x5765FAD: ??? (syscall-template.S:81)
==16536==    by 0x112A36: thread_worker.3172 (sd-resolve.c:308)
==16536==    by 0x575F0A3: start_thread (pthread_create.c:309)
==16536==    by 0x5A5A04C: clone (clone.S:111)
==16536==  Address 0x735397c is on thread 2's stack
==16536== 

and 

==16536== Thread 1:
==16536== Invalid read of size 1
==16536==    at 0x114BE5: complete_query.3430 (sd-resolve.c:783)
==16536==    by 0x116682: sd_resolve_process (sd-resolve.c:957)
==16536==    by 0x10FD10: io_callback.3175 (sd-resolve.c:1379)
==16536==    by 0x1191FF: source_dispatch.6446 (sd-event.c:2004)
==16536==    by 0x116D89: sd_event_run.constprop.8 (sd-event.c:2291)
==16536==    by 0x10C89E: main (sd-event.c:2310)
==16536==  Address 0x5f28470 is 16 bytes inside a block of size 104 free'd
==16536==    at 0x4C29730: free (vg_replace_malloc.c:468)
==16536==    by 0x114053: sd_resolve_query_unref (sd-resolve.c:1324)
==16536==    by 0x114BDD: complete_query.3430 (sd-resolve.c:781)
==16536==    by 0x116682: sd_resolve_process (sd-resolve.c:957)
==16536==    by 0x10FD10: io_callback.3175 (sd-resolve.c:1379)
==16536==    by 0x1191FF: source_dispatch.6446 (sd-event.c:2004)
==16536==    by 0x116D89: sd_event_run.constprop.8 (sd-event.c:2291)
==16536==    by 0x10C89E: main (sd-event.c:2310)
==16536== 

The first one, I'm not sure what's wrong. Maybe valgrind is complaining
about some padding that is not initalized.

But the second one is an error in reference counting: when alloc_query
creates a query, it sets n_ref=1, and this reference is "given" to
the caller. If the caller then decides to unref the query at some
point, complete_query operates without a valid reference. In this
case, manager_resolve_handler does this unref.

So, is the caller supposed to keep a reference to the query for
sd-resolve all the time? In this case it would seem pointless to
do the reference counting. Otherwise, sd-resolve needs to keep
a reference to all queries is keeps in the query array. But then
I don't see the point of floating queries, since it would be enough
to simply look at the reference count, and destroy the query after
the callback if caller failed to keep a reference.

Zbyszek

More information about the systemd-devel mailing list