Assertion error in lmm_add_free

[lxylxy123456]

I recently encountered assertion error in the following line in lmm_add_free():

oskit/lmm/lmm_add_free.c

Line 33 in c9e5fcd

assert(max >= min);

This error happens when the caller calls lmm_add_free(lmm, (void *)0x2345, 2). Suppose alignment is 8. Then:

• On line 23 min = 0x2345
• On line 24 max = 0x2347
• On line 31 min = 0x2348
• On line 32 max = 0x2340
• On line 33 assertion error is triggered, since max >= min is false (0x2340 >= 0x2348 is false)

[lxylxy123456]

I have created PR #2 that fixes this bug.

[npe9]

What sort of environment are you compiling in?

[lxylxy123456]

I am compiling using GCC 12. The target machine is i386 (Intel, 32 bits, BIOS). This bug is reporducible on real hardware and on QEMU.

I found this bug while taking an operating systems class in a university. The class website contains more information about the environment.

[npe9]

Gotcha, you're still going to have to be very specific. I've got two little kids so I don't have many cycles for deep dives. Can I get your exact command lines to start? both gcc and qemu?

[npe9]

Also roping in @bford because he's the subject matter expert here.

[lxylxy123456]

The bug is triggered while the lmm library is used by the code provided by my class. Unfortunately this code is not publicly available. I think it is easier to reproduce this bug by running lmm in a Linux process.

The source code is in: https://gist.github.com/lxylxy123456/1cb7c1319aaf37373c6712e7cfae35ad

I am using GCC 12.2.1, Fedora 37 (Linux kernel 6.0). This program should be able to run on other operating systems.

Steps to reproduce:

• Clone https://github.com/OSPreservProject/oskit to current directory
• Put this file to "a.c"
• Run:

  ./configure
  cd lmm
  make
  cd ..
  gcc -I . a.c -o a lmm/liboskit_lmm.a
  ./a
  

The program output looks like

mem = 0x4040c0
lmm_init
lmm_add_region
lmm_add_free(&lmm, mem + 8, 4096 - 8)
lmm_add_free(&lmm, mem + 1, 3)
a: a.c:23: panic: Assertion `0' failed.
Aborted (core dumped)

Using GDB, the backtrace is:

#0  0x00007ffff7e4fe7c in __pthread_kill_implementation ()
   from /lib64/libc.so.6
#1  0x00007ffff7dffaa6 in raise () from /lib64/libc.so.6
#2  0x00007ffff7de97fc in abort () from /lib64/libc.so.6
#3  0x00007ffff7de971b in __assert_fail_base.cold () from /lib64/libc.so.6
#4  0x00007ffff7df8656 in __assert_fail () from /lib64/libc.so.6
#5  0x00000000004011b8 in panic (
    fmt=0x4020a0 "lmm_add_free.c:%u: failed assertion `max >= min'") at a.c:23
#6  0x0000000000401375 in lmm_add_free (lmm=<optimized out>, 
    block=<optimized out>, size=<optimized out>) at lmm_add_free.c:33
#7  0x0000000000401255 in main () at a.c:36

If you change line 34 from if (1) to if (0), then the assertion failure disappears

mem = 0x4040c0
lmm_init
lmm_add_region
lmm_add_free(&lmm, mem + 8, 4096 - 8)
lmm_alloc
result: 0x4040d0

Please let me know if you need any other information. Than you.

[npe9]

Excellent, thank you. I'll look at it and merge it when I reproduce it.