Re: (ITS#7354) segfault with delta-syncrepl MMR

16 Aug 2012


      --On Wednesday, August 15, 2012 9:36 PM +0000 quanah@zimbra.com wrote:
...
--On Wednesday, August 15, 2012 7:46 PM +0000 quanah@OpenLDAP.org wrote:
Full backtrace:
#0  0x00000000004c02b8 in syncrepl_op_modify (op=0x7fd7d8b43460, 
rs=0x7fd7d8b42e40) at syncrepl.c:2133
        sc = 0x10793f8
        mx = 0x1079418
        ml = 0x40
        on = 0x89f2d0
        oex = 0x7fd7d8b42ed0
        si = 0x89ec20
        e = 0x1077ba0
        rc = 0
        match = -256
        mod = 0x12a4c70
        newlist = 0x1077b40
#1  0x00000000004d48f4 in overlay_op_walk (op=0x7fd7d8b43460, 
rs=0x7fd7d8b42e40, which=op_modify, oi=0x89f0f0, on=0x89f2d0) at 
backover.c:661
        func = 0x89f328
        rc = 32768
#2  0x00000000004d4bca in over_op_func (op=0x7fd7d8b43460, 
rs=0x7fd7d8b42e40, which=op_modify) at backover.c:723
        oi = 0x89f0f0
        on = 0x89f2d0
        be = 0x8a2da0
        db = {bd_info = 0x89f2d0, bd_self = 0x8a2da0, be_ctrls = 
"\000\001\001\001\000\001\000\000\001\000\000\001\001\000\001\000\000\001", 
'\000' <repeats 14 times>, "\001",
          be_flags = 563464, be_restrictops = 0, be_requires = 0, 
be_ssf_set = {sss_ssf = 0, sss_transport = 0, sss_tls = 0, sss_sasl = 0, 
sss_update_ssf = 0, sss_update_transport = 0,
            sss_update_tls = 0, sss_update_sasl = 0, sss_simple_bind = 0}, 
be_suffix = 0x89c9c0, be_nsuffix = 0x8a8ff0, be_schemadn = {bv_len = 0, 
bv_val = 0x0}, be_schemandn = {
            bv_len = 0, bv_val = 0x0}, be_rootdn = {bv_len = 9, bv_val = 
0x8c50c0 "cn=config"}, be_rootndn = {bv_len = 9, bv_val = 0x8c50a0 
"cn=config"}, be_rootpw = {bv_len = 0,
            bv_val = 0x0}, be_max_deref_depth = 15, be_def_limit = 
{lms_t_soft = -1, lms_t_hard = 0, lms_s_soft = -1, lms_s_hard = 0, 
lms_s_unchecked = -1, lms_s_pr = 0,
            lms_s_pr_hide = 0, lms_s_pr_total = 0}, be_limits = 0x0, be_acl 
= 0x8a90a0, be_dfltaccess = ACL_READ, be_extra_anlist = 0x0, be_update_ndn 
= {bv_len = 0, bv_val = 0x0},
          be_update_refs = 0x0, be_pending_csn_list = 0x862b80, 
be_pcl_mutex = {__data = {__lock = 0, __count = 0, __owner = 0, __nusers = 
0, __kind = 0, __spins = 0, __list = {
                __prev = 0x0, __next = 0x0}}, __size = '\000' <repeats 39 
times>, __align = 0}, be_syncinfo = 0x89ec20, be_pb = 0x0, be_cf_ocs = 
0x7ffff15e4ac0,
          be_private = 0x7ffff7e30010, be_next = {stqe_next = 0x0}}
        cb = {sc_next = 0x7fd7d8b42eb0, sc_response = 0x4d36c4 
<over_back_response>, sc_cleanup = 0, sc_private = 0x89f0f0}
        sc = 0x35f638a0d3
        rc = 32768
        __PRETTY_FUNCTION__ = "over_op_func"
#3  0x00000000004d4d35 in over_op_modify (op=0x7fd7d8b43460, 
rs=0x7fd7d8b42e40) at backover.c:762
No locals.
#4  0x00000000004c1353 in syncrepl_message_to_op (si=0x89ec20, 
op=0x7fd7d8b43460, msg=0x1288750) at syncrepl.c:2317
        oes = {oe = {oe_next = {sle_next = 0x0}, oe_key = 0x4c03ac}, oe_si 
= 0x89ec20}
        ber = 0x129a900
        modlist = 0x12a4bb0
        ls = 0x75d400
        rs = {sr_type = REP_RESULT, sr_tag = 0, sr_msgid = 0, sr_err = 0, 
sr_matched = 0x0, sr_text = 0x0, sr_ref = 0x0, sr_ctrls = 0x0, sr_un = 
{sru_search = {r_entry = 0x0,
              r_attr_flags = 0, r_operational_attrs = 0x0, r_attrs = 0x0, 
r_nentries = 0, r_v2ref = 0x0}, sru_sasl = {r_sasldata = 0x0}, sru_extended 
= {r_rspoid = 0x0, r_rspdata = 0x0}},
          sr_flags = 0}
        cb = {sc_next = 0x0, sc_response = 0x4c890b <null_callback>, 
sc_cleanup = 0, sc_private = 0x0}
        text = 0x0
        txtbuf = 
"\000G\264\330\327\177\000\000?8\366\377\177\000\000\200\060\264\330\327\177", 
'\000' <repeats 18 times>, "\001", '\000' <repeats 23 times>"\200, 
\060\264\330\327\177\000\000\000\000\200\000\000\000\000\000\300I\264\330\327\177\000\000\242\032\071\366\377\177", 
'\000' <repeats 18 times>"\300, 
\060\264\330\327\177\000\000\000\000\200\000\000\000\000\000\300I\264\330\327\177\000\000z5\227\367\377\177\000\000p\262|", 
'\000' <repeats 13 times>"\300, 
\355)\001\000\000\000\000\200\351)\001\000\000\000\000\340\060\264\330\327\177\000\000\200\351)\001\000\000\000\000\340\060\264\330\327\177\000\000\314\065\227\367\377\177\000\000\300\355)\001\000\000\000\000\200\351)\001\000\000\000\000 
1\264\330\327\177\000\000mrM\000\000\000\000\000 
1\264\330\327\177\000\000\300\355)\001\000\000\000"
        textlen = 256
        bdn = {bv_len = 46, bv_val = 0x129a09b 
"cn=zqa-129.eng.vmware.com,cn=servers,cn=zimbra"}
        dn = {bv_len = 46, bv_val = 0x1077d68 "x\204\a\001"}
        ndn = {bv_len = 46, bv_val = 0x1077df8 " \321", <incomplete 
sequence \366>}
        bv = {bv_len = 0, bv_val = 0x0}
        bv2 = {bv_len = 0, bv_val = 0x0}
        bvals = 0x1299b40
        rdn = {bv_len = 0, bv_val = 0x0}
        sup = {bv_len = 0, bv_val = 0x0}
        prdn = {bv_len = 0, bv_val = 0x0}
        nrdn = {bv_len = 0, bv_val = 0x0}
        psup = {bv_len = 0, bv_val = 0x0}
        nsup = {bv_len = 0, bv_val = 0x0}
        rc = 0
        deleteOldRdn = 0
        freeReqDn = 1
        do_graduate = 1
#5  0x00000000004bc45f in do_syncrep2 (op=0x7fd7d8b43460, si=0x89ec20) at 
syncrepl.c:986
        match = 0
        cookie = {bv_len = 60, bv_val = 0x1299d49 
"rid=100,sid=001,csn=20120816203158.675452Z#000000#001#000000"}
        rctrls = 0x1299280
        rctrlp = 0x12a4970
        syncUUIDs = 0x0
        bdn = {bv_len = 44, bv_val = 0x129a049 
"reqStart=20120816203158.000011Z,cn=accesslog"}
        syncUUID = {{bv_len = 16, bv_val = 0x1299d37 
"+\366V\204|-\020\061\212\321\061\247?\b", <incomplete sequence \324>}, 
{bv_len = 16171360,
            bv_val = 0x7ffff7b8e345 
"\311\303UH\211\345\350X\275\377\377\311\303UH\211\345H\203\354\020H\211}\370H\213E", 
<incomplete sequence \370\276>}}
        si_tag = 0
        entry = 0x7fd7d8b43240
        punlock = 0
        syncstate = 1
        retdata = 0x100000
        retoid = 0x38 <Address 0x38 out of bounds>
        len = 60
        berbuf = {
          buffer = "\002\000\001", '\000' <repeats 29 times>, 
"0\235)\001\000\000\000\000\205\235)\001\000\000\000\000\205\235)\001", 
'\000' <repeats 28 times>, 
"`3\264\330\327\177\000\000E\343\270\367\377\177\000\000`3\264\330\327\177\000\000\300\362u\000\000\000\000\000`3\264\330\327\177\000\000P\224E\000\000\000\000\000x4\264\330\327\177\000\000E\343\270\367\377\177\000\000\260\063\264\330\327\177\000\000?'\001\000\000\000\000\360\063\264\330\327\177\000\000\2\273\367\377\177\000\000`4\264\330\327\177\000\000T4\264\330\327\177\000\000\000\000\000\000\001\000\000\000`\301\366\000\000\000\000\000\000\000\000\000 
\000\000\000`4\264\330\327\177\000\000\360\063\264\330\327\177\000\000\261\376C\000\000\000\000\000\360\063\264\330\327\177\000\000`\255'\001\000\000\000", 
ialign = 65538, lalign = 65538, falign = 9.18382988e-41, dalign = 
3.2380074297143616e-319, palign = 0x10002 <Address 0x10002 out of bounds>}
        ber = 0x7fd7d8b432d0
        msg = 0x1288750
        syncCookie = {ctxcsn = 0x129edc0, sids = 0x12a2c40, numcsns = 1, 
rid = 100, octet_str = {bv_len = 60,
            bv_val = 0x12a55b0 
"rid=100,sid=001,csn=20120816203158.675452Z#000000#001#000000"}, sid = 1, 
sc_next = {stqe_next = 0x0}}
        syncCookie_req = {ctxcsn = 0x12a4e70, sids = 0x1288a40, numcsns = 
2, rid = 100, octet_str = {bv_len = 101,
            bv_val = 0x12886e0 
"rid=100,sid=002,csn=20120816202735.336631Z#000000#000#000000;20120816202950.988904Z#000000#001#000000"}, 
sid = 2, sc_next = {stqe_next = 0x0}}
        rc = 0
        err = 0
        modlist = 0x0
        m = 0
        tout_p = 0x0
        tout = {tv_sec = 0, tv_usec = 0}
        refreshDeletes = 0
        empty = "empty"
        __PRETTY_FUNCTION__ = "do_syncrep2"
#6  0x00000000004be6ba in do_syncrepl (ctx=0x7fd7d8b43b70, arg=0x89f510) at 
syncrepl.c:1523
        rtask = 0x89f510
        si = 0x89ec20
        conn = {c_struct_state = SLAP_C_UNINITIALIZED, c_conn_state = 
SLAP_C_INVALID, c_conn_idx = -1, c_sd = 0, c_close_reason = 0x0, c_mutex = 
{__data = {__lock = 0, __count = 0,
              __owner = 0, __nusers = 0, __kind = 0, __spins = 0, __list = 
{__prev = 0x0, __next = 0x0}}, __size = '\000' <repeats 39 times>, __align 
= 0}, c_sb = 0x0, c_starttime = 0,
          c_activitytime = 0, c_connid = 18446744073709551615, 
c_peer_domain = {bv_len = 0, bv_val = 0x4f9ef0 ""}, c_peer_name = {bv_len = 
0, bv_val = 0x4f9ef0 ""}, c_listener = 0x501e20,
          c_sasl_bind_mech = {bv_len = 0, bv_val = 0x0}, c_sasl_dn = 
{bv_len = 0, bv_val = 0x0}, c_sasl_authz_dn = {bv_len = 0, bv_val = 0x0}, 
c_authz_backend = 0x0, c_authz_cookie = 0x0,
          c_authz = {sai_method = 0, sai_mech = {bv_len = 0, bv_val = 0x0}, 
sai_dn = {bv_len = 0, bv_val = 0x0}, sai_ndn = {bv_len = 0, bv_val = 0x0}, 
sai_ssf = 0, sai_transport_ssf = 0,
            sai_tls_ssf = 0, sai_sasl_ssf = 0}, c_protocol = 0, c_ops = 
{stqh_first = 0x0, stqh_last = 0x0}, c_pending_ops = {stqh_first = 0x0, 
stqh_last = 0x0}, c_write1_mutex = {
            __data = {__lock = 0, __count = 0, __owner = 0, __nusers = 0, 
__kind = 0, __spins = 0, __list = {__prev = 0x0, __next = 0x0}}, __size = 
'\000' <repeats 39 times>,
            __align = 0}, c_write1_cv = {__data = {__lock = 0, __futex = 0, 
__total_seq = 0, __wakeup_seq = 0, __woken_seq = 0, __mutex = 0x0, 
__nwaiters = 0, __broadcast_seq = 0},
            __size = '\000' <repeats 47 times>, __align = 0}, 
c_write2_mutex = {__data = {__lock = 0, __count = 0, __owner = 0, __nusers 
= 0, __kind = 0, __spins = 0, __list = {
                __prev = 0x0, __next = 0x0}}, __size = '\000' <repeats 39 
times>, __align = 0}, c_write2_cv = {__data = {__lock = 0, __futex = 0, 
__total_seq = 0, __wakeup_seq = 0,
              __woken_seq = 0, __mutex = 0x0, __nwaiters = 0, 
__broadcast_seq = 0}, __size = '\000' <repeats 47 times>, __align = 0}, 
c_currentber = 0x0, c_writers = 0,
          c_writing = 0 '\000', c_sasl_bind_in_progress = 0 '\000', 
c_writewaiter = 0 '\000', c_is_tls = 0 '\000', c_needs_tls_accept = 0 
'\000', c_sasl_layers = 0 '\000',
          c_sasl_done = 0 '\000', c_sasl_authctx = 0x0, c_sasl_sockctx = 
0x0, c_sasl_extra = 0x0, c_sasl_bindop = 0x0, c_pagedresults_state = {ps_be 
= 0x0, ps_size = 0, ps_count = 0,
            ps_cookie = 0, ps_cookieval = {bv_len = 0, bv_val = 0x0}}, 
c_n_ops_received = 0, c_n_ops_executing = 0, c_n_ops_pending = 0, 
c_n_ops_completed = 0, c_n_get = 0, c_n_read = 0,
          c_n_write = 0, c_extensions = 0x0, c_clientfunc = 0, c_clientarg 
= 0x0, c_send_ldap_result = 0x454b95 <slap_send_ldap_result>,
          c_send_search_entry = 0x45589d <slap_send_search_entry>, 
c_send_search_reference = 0x457b94 <slap_send_search_reference>,
          c_send_ldap_extended = 0x4553fc <slap_send_ldap_extended>, 
c_send_ldap_intermediate = 0x45567a <slap_send_ldap_intermediate>}
        opbuf = {ob_op = {o_hdr = 0x7fd7d8b435d0, o_tag = 102, o_time = 
1345158368, o_tincr = 85, o_bd = 0x7fd7d8b42c30, o_req_dn = {bv_len = 46,
              bv_val = 0x12a4bf0 
"cn=zqa-129.eng.vmware.com,cn=servers,cn=zimbra"}, o_req_ndn = {bv_len = 
46, bv_val = 0x12a4c30 "cn=zqa-129.eng.vmware.com,cn=servers,cn=zimbra"},
            o_request = {oq_add = {rs_modlist = 0x12a4bb0, rs_e = 0x1}, 
oq_bind = {rb_method = 19549104, rb_cred = {bv_len = 1, bv_val = 0x0}, 
rb_edn = {bv_len = 0, bv_val = 0x0},
                rb_ssf = 0, rb_mech = {bv_len = 0, bv_val = 0x0}}, 
oq_compare = {rs_ava = 0x12a4bb0}, oq_modify = {rs_mods = {rs_modlist = 
0x12a4bb0, rs_no_opattrs = 1 '\001'},
                rs_increment = 0}, oq_modrdn = {rs_mods = {rs_modlist = 
0x12a4bb0, rs_no_opattrs = 1 '\001'}, rs_deleteoldrdn = 0, rs_newrdn = 
{bv_len = 0, bv_val = 0x0}, rs_nnewrdn = {
                  bv_len = 0, bv_val = 0x0}, rs_newSup = 0x0, rs_nnewSup = 
0x0}, oq_search = {rs_scope = 19549104, rs_deref = 0, rs_slimit = 1, 
rs_tlimit = 0, rs_limit = 0x0,
                rs_attrsonly = 0, rs_attrs = 0x0, rs_filter = 0x0, 
rs_filterstr = {bv_len = 0, bv_val = 0x0}}, oq_abandon = {rs_msgid = 
19549104}, oq_cancel = {rs_msgid = 19549104},
              oq_extended = {rs_reqoid = {bv_len = 19549104, bv_val = 0x1 
<Address 0x1 out of bounds>}, rs_flags = 0, rs_reqdata = 0x0}, oq_pwdexop = 
{rs_extended = {rs_reqoid = {
                    bv_len = 19549104, bv_val = 0x1 <Address 0x1 out of 
bounds>}, rs_flags = 0, rs_reqdata = 0x0}, rs_old = {bv_len = 0, bv_val = 
0x0}, rs_new = {bv_len = 0,
                  bv_val = 0x0}, rs_mods = 0x0, rs_modtail = 0x0}}, 
o_abandon = 0, o_cancel = 0, o_groups = 0x0, o_do_not_cache = 0 '\000', 
o_is_auth_check = 0 '\000',
            o_dont_replicate = 0 '\000', o_acl_priv = ACL_NONE, o_nocaching 
= 0 '\000', o_delete_glue_parent = 0 '\000', o_no_schema_check = 1 '\001', 
o_no_subordinate_glue = 0 '\000',
            o_ctrlflag = '\000' <repeats 14 times>, "\002", '\000' <repeats 
16 times>, o_controls = 0x7fd7d8b43718, o_authz = {sai_method = 0, sai_mech 
= {bv_len = 0, bv_val = 0x0},
              sai_dn = {bv_len = 9, bv_val = 0x8c50c0 "cn=config"}, sai_ndn 
= {bv_len = 9, bv_val = 0x8c50a0 "cn=config"}, sai_ssf = 0, 
sai_transport_ssf = 0, sai_tls_ssf = 0,
              sai_sasl_ssf = 0}, o_ber = 0x0, o_res_ber = 0x0, o_callback = 
0x10793f8, o_ctrls = 0x0, o_csn = {bv_len = 40, bv_val = 0x1077b08 
"20120816203158.675452Z#000000#001#000000"},
            o_private = 0x0, o_extra = {slh_first = 0x7fd7d8b42ed0}, o_next 
= {stqe_next = 0x0}}, ob_hdr = {oh_opid = 0, oh_connid = 100, oh_conn = 
0x7fd7d8b43820, oh_msgid = 0,
            oh_protocol = 0, oh_tid = 140565030389504, oh_threadctx = 
0x7fd7d8b43b70, oh_tmpmemctx = 0xf6c0e0, oh_tmpmfuncs = 0x75d360, 
oh_counters = 0x760820,
            oh_log_prefix = "conn=-1 op=0", '\000' <repeats 243 times>}, 
ob_controls = {0x0 <repeats 17 times>, 0x7fd7d8b43190, 0x0 <repeats 14 
times>}}
        op = 0x7fd7d8b43460
        rc = 0
        dostop = 0
        s = 15
        i = 1
        defer = 1
        fail = 0
        freeinfo = 0
        be = 0x8a2da0
#7  0x000000000043dfad in connection_read_thread (ctx=0x7fd7d8b43b70, 
argv=0xf) at connection.c:1288
        rc = 0
        cri = {op = 0x0, func = 0x4be0b7 <do_syncrepl>, arg = 0x89f510, ctx 
= 0x7fd7d8b43b70, nullop = 0}
        s = 15
#8  0x00007ffff7b8ccc9 in ldap_int_thread_pool_wrapper (xpool=0x7d4720) at 
tpool.c:688
        pool = 0x7d4720
        task = 0xf6c260
        work_list = 0x7d47b8
        ctx = {ltu_id = 140565030389504, ltu_key = {{ltk_key = 0x4b3757, 
ltk_data = 0xf6c0e0, ltk_free = 0x4b357c <slap_sl_mem_destroy>}, {ltk_key = 
0x7fffda549010, ltk_data = 0x1179400,
              ltk_free = 0x7ffff13c864d <mdb_reader_free>}, {ltk_key = 
0x7febda348010, ltk_data = 0x128a910, ltk_free = 0x7ffff13c864d 
<mdb_reader_free>}, {ltk_key = 0x7ffff13be478,
              ltk_data = 0x7fd7d4935010, ltk_free = 0x7ffff13be455 
<search_stack_free>}, {ltk_key = 0x7ffff13bbe5d, ltk_data = 0x7fd7d5936010,
              ltk_free = 0x7ffff13bbe15 <scope_chunk_free>}, {ltk_key = 
0x0, ltk_data = 0x0, ltk_free = 0} <repeats 24 times>, {ltk_key = 0x0, 
ltk_data = 0x7ffff6696ca9, ltk_free = 0}, {
              ltk_key = 0x0, ltk_data = 0x0, ltk_free = 0}, {ltk_key = 0x0, 
ltk_data = 0x0, ltk_free = 0}}}
        kctx = 0x0
        i = 32
        keyslot = 649
        hash = 423411337
        __PRETTY_FUNCTION__ = "ldap_int_thread_pool_wrapper"
#9  0x00007ffff66959ca in start_thread (arg=<value optimized out>) at 
pthread_create.c:300
        __res = <value optimized out>
        pd = 0x7fd7d8b44700
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {140565030389504, 
7959847170449877608, 8388608, 140565030390208, 4, 140565030389504, 
-7937383527311463832, -7959863823191365016},
              mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, 
data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}}
        not_first_call = <value optimized out>
        robust = <value optimized out>
        freesize = <value optimized out>
        __PRETTY_FUNCTION__ = "start_thread"
#10 0x00007ffff63f2cdd in clone () at 
../sysdeps/unix/sysv/linux/x86_64/clone.S:112
No locals.
#11 0x0000000000000000 in ?? ()
(gdb) print *newlist
$2 = {sml_mod = {sm_desc = 0xf769a0, sm_values = 0x0, sm_nvalues = 0x0, 
sm_numvals = 0, sm_op = 4097, sm_flags = 0, sm_type = {bv_len = 56,
      bv_val = 0x312d61717a3d6e63 <Address 0x312d61717a3d6e63 out of 
bounds>}}, sml_next = 0x40}
(gdb) print *newlist->sml_mod.sm_desc
$3 = {ad_next = 0x0, ad_type = 0xabc2f0, ad_cname = {bv_len = 19, bv_val = 
0xabc1e0 "zimbraSSLPrivateKey"}, ad_tags = {bv_len = 0, bv_val = 0x0}, 
ad_flags = 0, ad_index = 1015}
--Quanah
--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra ::  the leader in open source messaging and collaboration

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

Re: (ITS#7354) segfault with delta-syncrepl MMR