coredump with "Address out of bounds at sds.h:87" #666

Closed
Jiancong opened this issue May 14, 2019 · 2 comments

Jiancong commented May 14, 2019

Hi, I've used hiredis 0.14 in my C++ program on CentOS. The machine info is:
[xiejiancong@client-nlp-240-159 lib]$ cat /proc/version
Linux version 4.9.0 (root@l22-240-159) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-11) (GCC) ) #1 SMP Fri Jan 20 15:36:24 CST 2017

The coredump stack is as follows. Does anyone know what it is? I rebuilt hiredis with the noopt version.

(gdb) bt
#0 0x00007fb736a6a4d4 in sdslen (s=0x0) at sds.h:87
#1 0x00007fb736a6b442 in sdscatlen (s=0x0, t=0x1ade8fc0, len=190) at sds.c:377
#2 0x00007fb736a6a0b4 in redisAppendCommand (c=0x4c4dc0c,
cmd=0x1ade8fc0 "*9\r\n$4\r\nMGET\r\n$15\r\naee_10001-38608\r\n$15\r\naee_10001-38599\r\n$15\r\naee_10001-38612\r\n$15\r\naee_10001-38611\r\n$15\r\naee_10001-38486\r\n$15\r\naee_10001-38610\r\n$15\r\naee_10001-38609\r\n$15\r\naee_10001-38600\r\n", len=190)
at hiredis.c:896
#3 0x00007fb736a6a1c2 in redisvAppendCommand (c=0x4c4dc0c,
format=0x1ade8dd8 "MGET aee_10001-38608 aee_10001-38599 aee_10001-38612 aee_10001-38611 aee_10001-38486 aee_10001-38610 aee_10001-38609 aee_10001-38600 ", ap=0x7ffd34d4b670) at hiredis.c:928
#4 0x00007fb736a6a3ac in redisvCommand (c=0x4c4dc0c,
format=0x1ade8dd8 "MGET aee_10001-38608 aee_10001-38599 aee_10001-38612 aee_10001-38611 aee_10001-38486 aee_10001-38610 aee_10001-38609 aee_10001-38600 ", ap=0x7ffd34d4b670) at hiredis.c:989
#5 0x00007fb736a6a46b in redisCommand (c=0x4c4dc0c,
format=0x1ade8dd8 "MGET aee_10001-38608 aee_10001-38599 aee_10001-38612 aee_10001-38611 aee_10001-38486 aee_10001-38610 aee_10001-38609 aee_10001-38600 ") at hiredis.c:997
#6 0x0000000000541625 in index_service::CallData::EEScoreRetrieval (this=0x1ad8a5f0, biztypes=0x1ad8a5f0, bizids=0x1ad8a6e0,
number=8, prefix=0x591e87 "aee", indexitems=0x1ad8a9b0) at calldata.cpp:692
#7 0x0000000000542d53 in index_service::CallData::HandleRequest (this=0x1ad8a5f0, searcher=..., request=...,
items_ptr=0x1ade68f0, deviceid="E47167379FE87FDA15F9D664287C3B82D70E5AC4", itemdq_size=1000, msg_obj=...) at calldata.cpp:1002
#8 0x00000000005438af in index_service::CallData::Proceed (this=0x1ad8a5f0, searcher=...) at calldata.cpp:1112
#9 0x0000000000547d73 in index_service::IndexServerImpl::HandleEventLoop (this=0x7ffd34d4c7c0, searcher=...)
at index_server.cpp:209
#10 0x0000000000547ac1 in index_service::IndexServerImpl::Run (this=0x7ffd34d4c7c0) at index_server.cpp:172
#11 0x000000000054ae12 in main (argc=7, argv=0x7ffd34d4d578) at index_main.cpp:49

@michael-grunder
Collaborator

Your string is NULL:

// s = 0x0
#0 0x00007fb736a6a4d4 in sdslen (s=0x0) at sds.h:87
#1 0x00007fb736a6b442 in sdscatlen (s=0x0, t=0x1ade8fc0, len=190) at sds.c:377

Then sdslen attempts to do this:

unsigned char flags = s[-1];

Resulting in your bad access.

I don't know why your string is NULL but having seen this issue before I have a guess. If you're trying to share multiple redisContext structs between threads it could cause an issue like that, and it's also possible for NULL to be returned in an OOM situation but hiredis typically handles that gracefully (by immediately aborting).

I'd try running my program under Valgrind or ASAN (clang's Address Sanitizer) and see if it gives you a hint.
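
Added example (not part of the thread and not hiredis code): a stand-alone C model of the sds-style header layout described in the reply above, showing why a NULL handle faults on the `s[-1]` read, together with an append that fails closed on a NULL buffer or on use from a thread other than the creator. All `toy_*` names and the thread-tag check are assumptions made for illustration.

```c
/* Added illustration. toy_* names are hypothetical, not hiredis or sds API. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* sds-style layout: the header sits just before the char* callers hold, so
 * flags is s[-1] and every header read through a NULL s hits unmapped memory. */
struct toy_hdr { uint32_t len; unsigned char flags; char buf[]; };
#define TOY_HDR(s) ((struct toy_hdr *)((char *)(s) - offsetof(struct toy_hdr, buf)))

char *toy_new(const char *init, size_t n) {
    struct toy_hdr *h = malloc(sizeof *h + n + 1);
    if (h == NULL) return NULL;
    h->len = (uint32_t)n;
    h->flags = 0;
    memcpy(h->buf, init, n);
    h->buf[n] = '\0';
    return h->buf;
}

/* Unchecked length lookup, like the faulting frame: the caller must pass non-NULL. */
size_t toy_len(const char *s) { return TOY_HDR(s)->len; }

static _Thread_local char toy_tag; /* its address is unique per live thread */
struct toy_ctx { const void *owner; char *obuf; };
enum { TOY_OK = 0, TOY_ERR_BUF = -1, TOY_ERR_THREAD = -2, TOY_ERR_OOM = -3 };

/* Record the creating thread alongside an empty output buffer. */
struct toy_ctx toy_ctx_new(void) {
    struct toy_ctx c = { &toy_tag, toy_new("", 0) };
    return c;
}

/* Append that fails closed on a NULL buffer or on use from a thread other
 * than the creator, instead of passing a bad handle down to the string code. */
int toy_append(struct toy_ctx *c, const char *cmd, size_t len) {
    if (c == NULL || c->obuf == NULL) return TOY_ERR_BUF;
    if (c->owner != &toy_tag) return TOY_ERR_THREAD;
    struct toy_hdr *h = TOY_HDR(c->obuf);
    size_t old = h->len;
    h = realloc(h, sizeof *h + old + len + 1);
    if (h == NULL) return TOY_ERR_OOM; /* the old buffer is still valid */
    memcpy(h->buf + old, cmd, len);
    h->len = (uint32_t)(old + len);
    h->buf[h->len] = '\0';
    c->obuf = h->buf;
    return TOY_OK;
}
```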

@michael-grunder
Collaborator

@Jiancong Were you able to find the problem? I'm going to close this issue because I don't think it's a bug in hiredis but I can help you track it down with more information.
