VPP-1844 - [VPP-1844] mhash function (mhash_set_mem) has a code bug, low probability of code exception #1112

Open
vvalderrv opened this issue Jan 23, 2025 · 0 comments


  • The following is my GDB debugging process,

#0 0x00007fd94f4bb5d7 in raise () from /lib64/libc.so.6
#1 0x00007fd94f4bce08 in abort () from /lib64/libc.so.6
#2 0x00000000008b5185 in os_panic () at /home/code/flexedge-v3.0/debug/data-plane/hdp/build-data/../hdp/vnet/main.c:306
#3 0x00007fd95017c823 in debugger () at /home/code/flexedge-v3.0/debug/data-plane/hdp/build-data/../hdpinfra/hdpinfra/error.c:81
#4 0x00007fd95017cc2c in _clib_error (how_to_die=2, function_name=0x0, line_number=0, fmt=0x7fd95022f440 "%s:%d (%s) assertion `%s' fails")
at /home/code/flexedge-v3.0/debug/data-plane/hdp/build-data/../hdpinfra/hdpinfra/error.c:139
#5 0x00007fd9501ae621 in _vec_resize (v=0x7fd90f8a6f10, length_increment=1, data_bytes=16, header_bytes=0, data_align=0)
at /home/code/flexedge-v3.0/debug/data-plane/hdp/build-data/../hdpinfra/hdpinfra/vec.h:134
#6 0x00007fd9501b13a3 in mhash_unset (h=0x7fd8cdd11a50 <vfi_main+16>, key=0x7fd8de7de180, old_value=0x0)
at /home/code/flexedge-v3.0/debug/data-plane/hdp/build-data/../hdpinfra/hdpinfra/mhash.c:372
(gdb) f 6
#6 0x00007fd9501b13a3 in mhash_unset (h=0x7fd8cdd11a50 <vfi_main+16>, key=0x7fd8de7de180, old_value=0x0)
at /home/code/flexedge-v3.0/debug/data-plane/hdp/build-data/../hdpinfra/hdpinfra/mhash.c:372
372	/home/code/flexedge-v3.0/debug/data-plane/hdp/build-data/../hdpinfra/hdpinfra/mhash.c: No such file or directory.
(gdb) p *h
$1 = {key_vector_or_heap = 0x7fd8ddc5ce68 "r", key_vector_free_indices = 0x7fd90f8a6f10, key_tmps = 0x7fd9061fb4f0, n_key_bytes = 12, hash_seed = 0, lock = 0, hash = 0x7fd8dd30ef78, format_key = 0x0}

(gdb) set print pretty on
(gdb) p *h
$2 = {key_vector_or_heap = 0x7fd8ddc5ce68 "r", key_vector_free_indices = 0x7fd90f8a6f10, key_tmps = 0x7fd9061fb4f0, n_key_bytes = 12, hash_seed = 0, lock = 0, hash = 0x7fd8dd30ef78, format_key = 0x0}

(gdb) p ((vec_header_t *) (key_vector_free_indices) - 1)->len
No symbol "key_vector_free_indices" in current context.
(gdb) p ((vec_header_t *) (h->key_vector_free_indices) - 1)->len
$3 = 3
(gdb) p 0x7fd90f8a6f10 - 24
$4 = 140570245361400
(gdb) x /x $4
0x7fd90f8a6ef8:	0x0000052a
(gdb) p /x 0x7fd90f8a6f10 - 24
$5 = 0x7fd90f8a6ef8
(gdb) p 0x7fd90f8a6f10 - 0x7fd90f8a6f08
$6 = 8
(gdb) p (mheap_elt_t *)($5-16)
$7 = (mheap_elt_t *) 0x7fd90f8a6ee8
(gdb) p * $7
$8 = {
prev_n_user_data = 0,
prev_is_free = 0,
n_user_data = 0,
is_free = 0,
{
user_data = 0x7fd90f8a6ef8,
free_elt =

{ next_uoffset = 1322, prev_uoffset = 2 }

}
}
(gdb) p clib_per_cpu_mheaps[0]
$9 = (void *) 0x7fd8ce6e0000
(gdb) p 0x7fd90f8a6ef8-0x7fd8ce6e0000
$10 = 1092382456
(gdb) p 0x7fd90f8a6f10 - 8 -0x7fd8ce6e0000
$11 = 1092382472
(gdb)
$12 = 1092382472
(gdb) p (mheap_elt_t *) ($9 + %12 - 16)
A syntax error in expression, near `%12 - 16)'.
(gdb) p (mheap_elt_t *) ($9 + $12 - 16)
$13 = (mheap_elt_t *) 0x7fd90f8a6ef8
(gdb) p *$13
$14 = {
prev_n_user_data = 1322,
prev_is_free = 0,
n_user_data = 2,
is_free = 0,
{
user_data = 0x7fd90f8a6f08,
free_elt =

{ next_uoffset = 3, prev_uoffset = 0 }

}
}
(gdb) p ((void *)$13- $13->prev_n_user_data * 8)- 16);
Junk after end of expression.
(gdb) p (((void *)$13- $13->prev_n_user_data * 8)- 16)
$15 = (void *) 0x7fd90f8a4598
(gdb) p ((mheap_elt_t *)$15
A syntax error in expression, near `'.
(gdb) p ((mheap_elt_t *))$15
A syntax error in expression, near `)$15'.
(gdb) p ((mheap_elt_t *)$15)
$16 = (mheap_elt_t *) 0x7fd90f8a4598
(gdb) p *$16
$17 = {
prev_n_user_data = 2107,
prev_is_free = 1,
n_user_data = 1322,
is_free = 0,
{
user_data = 0x7fd90f8a45a8,
free_elt =

{ next_uoffset = 0, prev_uoffset = 140570098223472 }

}
}
(gdb) (mheap_elt_t *) ($13->user_data + $13->n_user_data)
Undefined command: "". Try "help".
(gdb) p (mheap_elt_t *) ($13->user_data + $13->n_user_data)
$18 = (mheap_elt_t *) 0x7fd90f8a6f18
(gdb) p *18
Cannot access memory at address 0x12
(gdb) p *$18
$19 = {
prev_n_user_data = 0,
prev_is_free = 0,
n_user_data = 4555,
is_free = 1,
{
user_data = 0x7fd90f8a6f28,
free_elt =

{ next_uoffset = 18446744073709551615, prev_uoffset = 18446744073709551615 }

}
}
(gdb) p (mheap_elt_t *) ($18->user_data + $18->n_user_data)
$20 = (mheap_elt_t *) 0x7fd90f8afd80
(gdb) p *$20
$21 = {
prev_n_user_data = 4555,
prev_is_free = 1,
n_user_data = 4001,
is_free = 0,
{
user_data = 0x7fd90f8afd90,
free_elt =

{ next_uoffset = 2000, prev_uoffset = 949187772415 }

}
}

 

$13 and $18 are two adjacent mheap_elt_t structs; $13 can only store two ints of data, but this has three ints of data.

The bug is in function mhash_set_mem, which sets _vec_len (h->key_vector_free_indices) = l + 1; it should be l, not l + 1.
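
The heap walk from the GDB session, written as a consistency check. This is an added example, not code from VPP or from the reporter. The 16-byte element header, the 8-byte size unit, the 8-byte vector header and the 4-byte element size are assumptions inferred from the arithmetic and frame #5 in the session; the type and function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

/* Assumed layout, inferred from the "* 8" and "- 16" arithmetic above. */
#define ELT_HDR_BYTES 16 /* heap element header */
#define WORD_BYTES 8     /* unit of n_user_data */
#define VEC_HDR_BYTES 8  /* user data at ...f08, vector data at ...f10 */

typedef struct {
  uint64_t addr; /* address of the element header */
  uint64_t prev_n_user_data;
  uint64_t n_user_data;
} elt_t;

/* Address at which the header following e must start. */
uint64_t next_elt_addr(const elt_t *e) {
  return e->addr + ELT_HDR_BYTES + e->n_user_data * WORD_BYTES;
}

/* Adjacent headers must agree on the size of the block between them. */
int link_ok(const elt_t *e, const elt_t *next) {
  return next->addr == next_elt_addr(e) &&
         next->prev_n_user_data == e->n_user_data;
}

/* Number of elt_size-byte vector elements that fit in the block of e. */
uint64_t vec_capacity(const elt_t *e, size_t elt_size) {
  uint64_t bytes = e->n_user_data * WORD_BYTES;
  return bytes < VEC_HDR_BYTES ? 0 : (bytes - VEC_HDR_BYTES) / elt_size;
}

/* Bytes by which a vector of len elements runs past the block of e. */
uint64_t vec_overrun(const elt_t *e, size_t elt_size, uint64_t len) {
  uint64_t cap = vec_capacity(e, elt_size);
  return len > cap ? (len - cap) * elt_size : 0;
}

/* Header values copied from $17, $14, $19 and $21 in the session. */
const elt_t E16 = {0x7fd90f8a4598, 2107, 1322};
const elt_t E13 = {0x7fd90f8a6ef8, 1322, 2};
const elt_t E18 = {0x7fd90f8a6f18, 0, 4555};
const elt_t E20 = {0x7fd90f8afd80, 4555, 4001};
```

With the values from the session, the links $16 to $13 and $18 to $20 are consistent, while $13 to $18 is not: $18 reports prev_n_user_data = 0 where 2 is expected. A vector of length 3 (the value of $3) with 4-byte elements runs 4 bytes past the 2-word block of $13.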
