memory leak in Fedora 30 #78

Open
superm1 opened this issue Oct 18, 2019 · 7 comments

Contributor

superm1 commented Oct 18, 2019

fwupd CI is reporting this issue:

14/16 dell-self-test                          FAIL     0.12 s (exit status 1)
15/16 synapticsmst-self-test                  OK       0.04 s 
16/16 uefi-self-test                          OK       0.07 s 
Ok:                   14
Expected Fail:         0
Fail:                  1
Unexpected Pass:       0
Skipped:               1
Timeout:               0
The output from the failed tests:
14/16 dell-self-test                          FAIL     0.12 s (exit status 1)
--- command ---
/build/build/meson-private/dist-build/plugins/dell/dell-self-test
--- stdout ---
/fwupd/plugin{dell:tpm}: OK
/fwupd/plugin{dell:dock}: OK
--- stderr ---
ERROR:esys:src/tss2-esys/esys_tcti_default.c:210:get_tcti_default() No standard TCTI could be loaded 
ERROR:esys:src/tss2-esys/esys_context.c:68:Esys_Initialize() Initialize default tcti. ErrorCode (0x00070002) 
ERROR:esys:src/tss2-esys/esys_tcti_default.c:210:get_tcti_default() No standard TCTI could be loaded 
ERROR:esys:src/tss2-esys/esys_context.c:68:Esys_Initialize() Initialize default tcti. ErrorCode (0x00070002) 
ERROR:esys:src/tss2-esys/esys_tcti_default.c:210:get_tcti_default() No standard TCTI could be loaded 
ERROR:esys:src/tss2-esys/esys_context.c:68:Esys_Initialize() Initialize default tcti. ErrorCode (0x00070002) 
ERROR:esys:src/tss2-esys/esys_tcti_default.c:210:get_tcti_default() No standard TCTI could be loaded 
ERROR:esys:src/tss2-esys/esys_context.c:68:Esys_Initialize() Initialize default tcti. ErrorCode (0x00070002) 
=================================================================
==3002==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 546 byte(s) in 1 object(s) allocated from:
    #0 0x7f04b4a68e56 in __interceptor_calloc (/lib64/libasan.so.5+0x10de56)
    #1 0x7f04b4375fd5  (/lib64/libsmbios_c.so.2+0x28fd5)
    #2 0x554245445f435f52  (<unknown module>)
Direct leak of 73 byte(s) in 2 object(s) allocated from:
    #0 0x7f04b4a68c58 in __interceptor_malloc (/lib64/libasan.so.5+0x10dc58)
    #1 0x7f04b4143137 in __vasprintf_internal (/lib64/libc.so.6+0x7a137)
SUMMARY: AddressSanitizer: 619 byte(s) leaked in 3 allocation(s).
-------

CI doesn't run on Dell systems, but it seems that there is a memory leak somewhere in a failure path.

superm1 added the bug label Oct 18, 2019
superm1 changed the title from "memory leak in Fedora 32" to "memory leak in Fedora 30" Oct 18, 2019
Contributor Author

superm1 commented Oct 18, 2019

The memory leak is specifically from calling sysinfo_get_dell_system_id

Here is the libsmbios debugging output:

memory_obj_factory: 1
return_mem: 
memory_obj_factory: 2
init_mem_struct_filename: 
reopen:  file: /dev/mem,  rw: 0
closefds: 
init_mem_struct_filename: out:
copy_mmap: buffer(0x7ffd9960542c) offset(884804) length(11) rw(0)
copy_mmap: ->rw: 0  fd: (nil)
reopen:  file: /dev/mem,  rw: 0
copy_mmap: Start of copy loop
copy_mmap: 	LOOP: bytesCopied(0) length(11)
remap: 
copy_mmap: 	lastMapping(0x7f6b9562d000)
trycopy: 		buffer(0x7ffd9960542c), offset(884804), length(11), mmoff(68)
trycopy: 		COPYING(11)
copy_mmap: 		 out: lastMapping(0x7f6b9562d000)
closefds: 
closefds: 		munmap(0x7f6b9562d000)
memory_obj_free:   m(0x7f6b995a20c0)  singleton(0x7f6b995a20c0)
linux_cleanup:  memory
closefds: 
memory_obj_factory: 1
return_mem: 
memory_obj_factory: 2
copy_mmap: buffer(0x7ffd9960542c) offset(901188) length(11) rw(0)
copy_mmap: ->rw: 0  fd: (nil)
reopen:  file: /dev/mem,  rw: 0
copy_mmap: Start of copy loop
copy_mmap: 	LOOP: bytesCopied(0) length(11)
remap: 
copy_mmap: 	lastMapping(0x7f6b9562d000)
trycopy: 		buffer(0x7ffd9960542c), offset(901188), length(11), mmoff(68)
trycopy: 		COPYING(11)
copy_mmap: 		 out: lastMapping(0x7f6b9562d000)
closefds: 
closefds: 		munmap(0x7f6b9562d000)
memory_obj_free:   m(0x7f6b995a20c0)  singleton(0x7f6b995a20c0)
linux_cleanup:  memory
closefds: 
sysinfo_get_dell_system_id: calling id_byte function: get_dell_id_byte_from_oem_item
smbios_table_factory: 
init_smbios_struct: 
smbios_get_table_firm_tables: Using /sys/firmware/dmi/tables/smbios_entry_point for entry point
smbios_get_table_firm_tables: Using /sys/firmware/dmi/tables/DMI for DMI
smbios_get_table_firm_tables: 
smbios_verify_smbios: SMBIOS TEP csum 0.
validate_dmi_tep: DMI TEP csum 0.
smbios_verify_smbios: Major version: 3 Minor version: 2
smbios_get_table_firm_tables:  out: 0
do_smbios_fixups
do_dell_check_type_fixup
memory_obj_factory: 1
return_mem: 
memory_obj_factory: 2
copy_mmap: buffer(0x7ffd9960507c) offset(1040502) length(11) rw(0)
copy_mmap: ->rw: 0  fd: (nil)
reopen:  file: /dev/mem,  rw: 0
copy_mmap: Start of copy loop
copy_mmap: 	LOOP: bytesCopied(0) length(11)
remap: 
copy_mmap: 	lastMapping(0x7f6b9562d000)
trycopy: 		buffer(0x7ffd9960507c), offset(1040502), length(11), mmoff(118)
trycopy: 		COPYING(11)
copy_mmap: 		 out: lastMapping(0x7f6b9562d000)
closefds: 
closefds: 		munmap(0x7f6b9562d000)
memory_obj_free:   m(0x7f6b995a20c0)  singleton(0x7f6b995a20c0)
linux_cleanup:  memory
closefds: 
smbios_struct_get_string_number(0x6230000028f0, 1)
smbios_struct_get_string_number(0x6230000028f0, 2)
sysinfo_get_dell_system_id: calling id_byte function: get_id_byte_from_mem_diamond
memory_obj_factory: 1
return_mem: 
memory_obj_factory: 2
copy_mmap: buffer(0x7ffd9960542c) offset(884804) length(11) rw(0)
copy_mmap: ->rw: 0  fd: (nil)
reopen:  file: /dev/mem,  rw: 0
copy_mmap: Start of copy loop
copy_mmap: 	LOOP: bytesCopied(0) length(11)
remap: 
copy_mmap: 	lastMapping(0x7f6b9562d000)
trycopy: 		buffer(0x7ffd9960542c), offset(884804), length(11), mmoff(68)
trycopy: 		COPYING(11)
copy_mmap: 		 out: lastMapping(0x7f6b9562d000)
closefds: 
closefds: 		munmap(0x7f6b9562d000)
memory_obj_free:   m(0x7f6b995a20c0)  singleton(0x7f6b995a20c0)
linux_cleanup:  memory
closefds: 
memory_obj_factory: 1
return_mem: 
memory_obj_factory: 2
copy_mmap: buffer(0x7ffd9960542c) offset(901188) length(11) rw(0)
copy_mmap: ->rw: 0  fd: (nil)
reopen:  file: /dev/mem,  rw: 0
copy_mmap: Start of copy loop
copy_mmap: 	LOOP: bytesCopied(0) length(11)
remap: 
copy_mmap: 	lastMapping(0x7f6b9562d000)
trycopy: 		buffer(0x7ffd9960542c), offset(901188), length(11), mmoff(68)
trycopy: 		COPYING(11)
copy_mmap: 		 out: lastMapping(0x7f6b9562d000)
closefds: 
closefds: 		munmap(0x7f6b9562d000)
memory_obj_free:   m(0x7f6b995a20c0)  singleton(0x7f6b995a20c0)
linux_cleanup:  memory
closefds: 
sysinfo_get_dell_system_id: calling id_byte function: get_dell_id_byte_from_oem_item
smbios_table_factory: 
smbios_struct_get_string_number(0x6230000028f0, 1)
smbios_struct_get_string_number(0x6230000028f0, 2)
sysinfo_get_dell_system_id: calling id_byte function: get_id_byte_from_mem_diamond
memory_obj_factory: 1
return_mem: 
memory_obj_factory: 2
copy_mmap: buffer(0x7ffd9960542c) offset(884804) length(11) rw(0)
copy_mmap: ->rw: 0  fd: (nil)
reopen:  file: /dev/mem,  rw: 0
copy_mmap: Start of copy loop
copy_mmap: 	LOOP: bytesCopied(0) length(11)
remap: 
copy_mmap: 	lastMapping(0x7f6b9562d000)
trycopy: 		buffer(0x7ffd9960542c), offset(884804), length(11), mmoff(68)
trycopy: 		COPYING(11)
copy_mmap: 		 out: lastMapping(0x7f6b9562d000)
closefds: 
closefds: 		munmap(0x7f6b9562d000)
memory_obj_free:   m(0x7f6b995a20c0)  singleton(0x7f6b995a20c0)
linux_cleanup:  memory
closefds: 
memory_obj_factory: 1
return_mem: 
memory_obj_factory: 2
copy_mmap: buffer(0x7ffd9960542c) offset(901188) length(11) rw(0)
copy_mmap: ->rw: 0  fd: (nil)
reopen:  file: /dev/mem,  rw: 0
copy_mmap: Start of copy loop
copy_mmap: 	LOOP: bytesCopied(0) length(11)
remap: 
copy_mmap: 	lastMapping(0x7f6b9562d000)
trycopy: 		buffer(0x7ffd9960542c), offset(901188), length(11), mmoff(68)
trycopy: 		COPYING(11)
copy_mmap: 		 out: lastMapping(0x7f6b9562d000)
closefds: 
closefds: 		munmap(0x7f6b9562d000)
memory_obj_free:   m(0x7f6b995a20c0)  singleton(0x7f6b995a20c0)
linux_cleanup:  memory
closefds: 
sysinfo_get_dell_system_id: calling id_byte function: get_dell_id_byte_from_oem_item
smbios_table_factory: 
smbios_struct_get_string_number(0x6230000028f0, 1)
smbios_struct_get_string_number(0x6230000028f0, 2)
sysinfo_get_dell_system_id: calling id_byte function: get_id_byte_from_mem_diamond
memory_obj_factory: 1
return_mem: 
memory_obj_factory: 2
copy_mmap: buffer(0x7ffd9960542c) offset(884804) length(11) rw(0)
copy_mmap: ->rw: 0  fd: (nil)
reopen:  file: /dev/mem,  rw: 0
copy_mmap: Start of copy loop
copy_mmap: 	LOOP: bytesCopied(0) length(11)
remap: 
copy_mmap: 	lastMapping(0x7f6b9562d000)
trycopy: 		buffer(0x7ffd9960542c), offset(884804), length(11), mmoff(68)
trycopy: 		COPYING(11)
copy_mmap: 		 out: lastMapping(0x7f6b9562d000)
closefds: 
closefds: 		munmap(0x7f6b9562d000)
memory_obj_free:   m(0x7f6b995a20c0)  singleton(0x7f6b995a20c0)
linux_cleanup:  memory
closefds: 
memory_obj_factory: 1
return_mem: 
memory_obj_factory: 2
copy_mmap: buffer(0x7ffd9960542c) offset(901188) length(11) rw(0)
copy_mmap: ->rw: 0  fd: (nil)
reopen:  file: /dev/mem,  rw: 0
copy_mmap: Start of copy loop
copy_mmap: 	LOOP: bytesCopied(0) length(11)
remap: 
copy_mmap: 	lastMapping(0x7f6b9562d000)
trycopy: 		buffer(0x7ffd9960542c), offset(901188), length(11), mmoff(68)
trycopy: 		COPYING(11)
copy_mmap: 		 out: lastMapping(0x7f6b9562d000)
closefds: 
closefds: 		munmap(0x7f6b9562d000)
memory_obj_free:   m(0x7f6b995a20c0)  singleton(0x7f6b995a20c0)
linux_cleanup:  memory
closefds: 
sysinfo_get_dell_system_id: calling id_byte function: get_dell_id_byte_from_oem_item
smbios_table_factory: 
smbios_struct_get_string_number(0x6230000028f0, 1)
smbios_struct_get_string_number(0x6230000028f0, 2)

Contributor

awehrfritz commented Jan 16, 2020

Is this still an issue? There were a few recent PRs that may be relevant to this issue, though the issue was not mentioned. As this is the roadblock for a new release, I would be interested in helping to resolve this.

Contributor Author

superm1 commented Jan 16, 2020

I haven't checked again lately, but given this is specifically in the error path I don't think the recent PRs will have solved it.

Help is certainly welcome if you have the time and ability.

To summarize the issue see this commit in fwupd that works around it: fwupd/fwupd@66dd3a0#diff-a60e5446a876ad45a9fd10a068b50816

Basically running any simple C application that calls sysinfo_get_dell_system_id when compiled with address sanitizer turned on on a non-Dell system (or even a VM/locked down container on a Dell system) should repro it.

Contributor Author

superm1 commented Jan 31, 2020

I looked at this a little bit today and as far as I can tell it seems that the singleton that gets created and re-used by default all over never gets freed.

Contributor Author

superm1 commented Jan 31, 2020

And that code and approach has been around since the beginning of libsmbios (eefc88b). I'd suspect sorting this out will require a pretty big overhaul.
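
The lifetime problem described in the two comments above, reduced to a self-contained C sketch. This is an added example, not libsmbios code: every name in it (`table_factory`, `table_free`, `get_system_id`, `library_cleanup`, `live_blocks`) is hypothetical, and it counts outstanding heap blocks by hand so it runs without a sanitizer.

```c
/* Added illustration with hypothetical names; this is not libsmbios source. */
#include <stdio.h>
#include <stdlib.h>

struct table { char buf[64]; };

static struct table *singleton;  /* created on first use, shared by every caller */
static int live_blocks;          /* outstanding heap blocks, counted by hand */

struct table *table_factory(void)
{
    if (singleton)
        return singleton;
    struct table *t = calloc(1, sizeof *t);
    if (!t)
        return NULL;
    live_blocks += 1;
    singleton = t;
    return t;
}

/* Callers release their handle, but the shared instance is kept for reuse. */
void table_free(struct table *t)
{
    if (!t || t == singleton)
        return;
    free(t);
    live_blocks -= 1;
}

/* Failure path (constructed case): no vendor record is found, so 0 is returned. */
int get_system_id(void)
{
    table_free(table_factory());
    return 0;
}

/* Explicit teardown: the only place the singleton is actually released. */
void library_cleanup(void)
{
    if (!singleton)
        return;
    free(singleton);
    singleton = NULL;
    live_blocks -= 1;
}

int blocks_after_lookups(void) { get_system_id(); get_system_id(); return live_blocks; }
int blocks_after_cleanup(void) { get_system_id(); library_cleanup(); return live_blocks; }

int main(void)
{
    printf("after lookups: %d\n", blocks_after_lookups());
    printf("after cleanup: %d\n", blocks_after_cleanup());
    return 0;
}
```

Every caller pairs its factory call with a free, yet one block stays outstanding until a teardown function exists and is called (for example from `atexit`).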

Contributor

awehrfritz commented Feb 1, 2020

Thanks @superm1, much appreciated!

Do you reckon you (or someone in your team at Dell*) could get this overhaul done in the near future, or would it be better to release a new point version of the lib to at least get the new battery feature out there and into the next round of distro releases?

*I reckon such kind of a rewrite would require someone with intimate knowledge of the lib (and its history) and thus would be difficult for a casual contributor to carry out.

Contributor Author

superm1 commented Feb 1, 2020

I think given the situation we'll tag a release now with this problem in it still, and it will have to be solved in the future.

I'll try to find someone with some cycles to work on this issue for the future.

The people who originally worked on libsmbios are now working on other things or at other companies, so it is likely that someone new will need to do it.
