Opened 17 years ago

Closed 17 years ago

#2059 closed defect (worksforme)

Memory Leak in 4.10 completely breaks WMS mode

Reported by: jentzd@…
Owned by: dmorissette
Priority: high
Milestone: 5.0 release
Component: MapServer C Library
Version: 4.10
Severity: critical
Keywords:
Cc:

Description (last modified by dmorissette)

I have traced down that 4.10 has a memory leak when in WMS mode using gdb. 4.8.4
works perfectly fine.

The memory leak is so bad that even `gmake testcopy; ./testcopy` segfaults on a
free when reading. WMS mode in 4.10 is completely unusable on Linux.

Change History (10)

comment:1 by dmorissette, 17 years ago

Can you please provide more details on the leak, GDB trace, steps to reproduce?

Without any information to reproduce this we cannot do anything.

comment:2 by dmorissette, 17 years ago

Can you please provide more details on the leak, GDB trace, steps to reproduce?

Without any information to reproduce this we cannot do anything.

comment:3 by jentzd@…, 17 years ago

Sure, I have been able to reproduce on several Linux i386 boxes.

./configure --with-proj=/usr --with-gdal=/usr/bin/gdal-config \
    --with-ogr=/usr/bin/gdal-config --enable-debug

gmake
gmake testcopy
./testcopy


[jcdxdev@dave mapserver]$ ./testcopy
*** glibc detected *** ./testcopy: free(): invalid next size (fast): 0x09d1ead0 ***
======= Backtrace: =========
/lib/libc.so.6[0x541809d]
/lib/libc.so.6(cfree+0x90)[0x541b6f0]
./testcopy[0x8087e1e]
./testcopy[0x8058abe]
./testcopy[0x8058ecf]
./testcopy[0x804ebbd]
/lib/libc.so.6(__libc_start_main+0xdc)[0x53c7f2c]
./testcopy[0x804ea61]
Aborted


Also - If I comment out the free that it is crashing on, it does work, but then
crashed later on in a different spot (either malloc or free). This same thing
happens when I put the mapserv binary into place in apache and run it against
the itasca map set - same free that it crashes on - then if I comment it out it
just crashes later on.

Hope that helps!

comment:4 by dmorissette, 17 years ago

Cc: steve.lime@… added
Component: changed from WMS Server to MapServer C Library
Milestone: 5.0 release
Owner: changed from mapserverbugs to dmorissette

I don't think this is specific to the WMS since testcopy reproduces it. Changing
component to mapserver core.

Unfortunately I do not get a crash on my system with testcopy from v.4.10.1,
just an error from valgrind in the exit from main() but that doesn't help much.

Can you tell us on which line it crashes for you? i.e. which free() call you
commented out?


comment:5 by dmorissette, 17 years ago

Cc: hobu@… warmerdam@… added
Status: changed from new to assigned

Running valgrind on 'mapserv' itself without any argument gives me a similar
free() error on exit from main (actually exit() is called inside loadParams()
but that doesn't matter). I get the exact same thing with both 4.10 and the
current CVS HEAD (4.99). Unfortunately that doesn't give me enough info to
isolate the source of the problem.

Can anyone reproduce this on another system and get more details from valgrind?


$ valgrind ./mapserv
==11020== Memcheck, a memory error detector.
==11020== Copyright (C) 2002-2005, and GNU GPL'd, by Julian Seward et al.
==11020== Using LibVEX rev 1471, a library for dynamic binary translation.
==11020== Copyright (C) 2004-2005, and GNU GPL'd, by OpenWorks LLP.
==11020== Using valgrind-3.1.0-Debian, a dynamic binary instrumentation framework.
==11020== Copyright (C) 2000-2005, and GNU GPL'd, by Julian Seward et al.
==11020== For more details, rerun with: -v
==11020==
This script can only be used to decode form results and
should be initiated as a CGI process via a httpd server.
==11020== Invalid free() / delete / delete[]
==11020==    at 0x401CFCF: free (vg_replace_malloc.c:235)
==11020==    by 0x4EBE22B: (within /lib/tls/i686/cmov/libc-2.3.6.so)
==11020==    by 0x4EBDC41: __libc_freeres (in /lib/tls/i686/cmov/libc-2.3.6.so)
==11020==    by 0x401931E: _vgw_freeres (vg_preloaded.c:62)
==11020==    by 0x4E414F3: _Exit (in /lib/tls/i686/cmov/libc-2.3.6.so)
==11020==    by 0x80552BE: loadParams (cgiutil.c:134)
==11020==    by 0x8052CB2: main (mapserv.c:1232)
==11020==  Address 0x4EE4A90 is not stack'd, malloc'd or (recently) free'd
==11020==
==11020== ERROR SUMMARY: 4 errors from 1 contexts (suppressed: 69 from 1)
==11020== malloc/free: in use at exit: 2,196 bytes in 5 blocks.
==11020== malloc/free: 6 allocs, 5 frees, 2,716 bytes allocated.
==11020== For counts of detected errors, rerun with: -v
==11020== searching for pointers to 5 not-freed blocks.
==11020== checked 1,416,408 bytes.
==11020==
==11020== LEAK SUMMARY:
==11020==    definitely lost: 0 bytes in 0 blocks.
==11020==      possibly lost: 0 bytes in 0 blocks.
==11020==    still reachable: 2,196 bytes in 5 blocks.
==11020==         suppressed: 0 bytes in 0 blocks.
==11020== Reachable blocks (those to which a pointer was found) are not shown.
==11020== To see them, rerun with: --show-reachable=ye

comment:6 by jentzd@…, 17 years ago

It is not specific to WMS, just that WMS is non-functional because of it, sorry
if I was not clear.

The memory leak is happening before the free I comment out, I can get memory
related crashes in at least 5 separate code locations if I comment out the free,
depending on what I am trying to do. So far as I can tell, 4.8.4 has none of
these issues.

-Dave

comment:7 by fwarmerdam, 17 years ago

I don't see this problem with the cvs head version and I don't seem to have
"testcopy". 

comment:8 by dmorissette, 17 years ago

Frank: you need to 'make testcopy' to get it.

The Valgrind error on 'mapserv' that I reported in comment #5 seems to be caused
by duplicate versions of GD dependencies (libjpeg, libpng, freetype, etc.) on my
system: I use FGS and when inside my FGS environment I get the valgrind error,
but outside of it I get no error.

I'll have to test some more to figure what's going on on my system, but was
wondering if Dave might be having a similar duplicate libraries issue.

comment:9 by jentzd@…, 17 years ago

The free which I alluded to was line 263 of mapfile.c

ms_regfree(&re);

Commenting it out gets me further - but doesn't address the problem.

I have tested on a vanilla install of Fedora Core 6 using only yum/rpm to
satisfy the requirements for map server (and it is quite an impressive list at
that). Nothing other than mapserver is compiled.

comment:10 by dmorissette, 17 years ago

Description: modified (diff)
Resolution: worksforme
Status: changed from assigned to closed

I have re-tested this with testcopy with MapServer 4.10.0, 4.10.1 and 5.0-beta2 and cannot reproduce the free() errors reported in this ticket with any version. The only memory issue I could find with Valgrind was an uninitialised memory access in v5.0.0-beta2 which I documented and fixed in ticket #2194 and is most likely unrelated.

In all cases I was using the following options:

./configure --with-gd=../gd-2.0.35 --with-proj=/usr/ --enable-debug

Since we cannot reproduce this issue, and nobody reported similar issues with MapServer since 4.10.0 we have to conclude that the problem is not with MapServer but with the build environment that has something specific that we can't find that triggers some memory management issues.

Closing as worksforme. Sorry. :(
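
Added example, not part of the ticket or of MapServer's code: glibc prints `free(): invalid next size` when the heap metadata next to the block being freed is invalid, which typically means an earlier write ran past a buffer, so the free() that aborts (or the one commented out in comment 9) is where the damage is noticed, not where it was done. The sketch below shows that pattern with a guard-byte allocator; `guard_malloc`, `guard_check`, `guard_free`, `copy_then_free` and the sample string are constructed names and data, and nothing here identifies the defect in the reporter's build.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed guard bytes written directly after every user buffer. */
#define GUARD_LEN 8
static const unsigned char GUARD[GUARD_LEN] =
    {0xDE, 0xAD, 0xBE, 0xEF, 0xDE, 0xAD, 0xBE, 0xEF};

/* Layout: [size_t n][n user bytes][GUARD]; returns pointer to the user bytes. */
void *guard_malloc(size_t n) {
    if (n > (size_t)-1 - sizeof(size_t) - GUARD_LEN) return NULL;
    size_t *h = malloc(sizeof(size_t) + n + GUARD_LEN);
    if (!h) return NULL;
    *h = n;
    memcpy((unsigned char *)(h + 1) + n, GUARD, GUARD_LEN);
    return h + 1;
}

/* 0 if the guard is intact, -1 if something wrote past the end of the buffer. */
int guard_check(const void *p) {
    size_t n = *((const size_t *)p - 1);
    return memcmp((const unsigned char *)p + n, GUARD, GUARD_LEN) ? -1 : 0;
}

/* Check, then release. Reports damage done earlier by some other statement. */
int guard_free(void *p) {
    int rc = guard_check(p);
    free((size_t *)p - 1);
    return rc;
}

/* Constructed bug: with reserve_nul == 0 the copy writes one byte too many.
 * Returns the guard state seen at free time. */
int copy_then_free(const char *src, int reserve_nul) {
    size_t len = strlen(src);
    char *buf = guard_malloc(len + (reserve_nul ? 1 : 0));
    if (!buf) return -2;
    memcpy(buf, src, len + 1);   /* the defect lives here, not in free() */
    return guard_free(buf);
}

int main(void) {
    printf("correct size: %d\n", copy_then_free("LAYER", 1));
    printf("off by one:   %d\n", copy_then_free("LAYER", 0));
    return 0;
}
```

Calling `guard_check` after each suspect write narrows the search to the statement that first damages the guard, which is the information the maintainers ask for in comments 1 and 4.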
