Full_Name: Hallvard B Furuseth
Version: HEAD, RE23
OS: Linux
URL:
Submission from: (NULL) (129.240.202.105)
Submitted by: hallvard

Slapd sometimes crashes with memory corruption in test008-concurrency.
./configure LIBS="-lmcheck" (a glibc memory checking library) provokes the bug regularly: it dumps core after reporting "memory clobbered before allocated block" somewhere in the test output.
It still happens with no avoidable non-OpenLDAP packages (testing with back-null or back-ldif):
bash$ ./configure --disable-backends --enable-null --disable-overlays \
        --without-cyrus-sasl --without-tls --quiet LIBS="-lmcheck"
"configure --without-threads" seems to prevent the crash, so I presume it's thread-related. So far, Valgrind has prevented it too :-( If someone has Purify, maybe that can find it.
Patch needed to test with back-null:
--- tests/data/slapd.conf~ 2007-01-06 20:35:00 +0100 +++ tests/data/slapd.conf 2007-05-19 19:45:23 +0200 @@ -40,3 +40,6 @@ suffix "dc=example,dc=com" -directory @TESTDIR@/db.1.a +#bdb#directory @TESTDIR@/db.1.a +#hdb#directory @TESTDIR@/db.1.a +#ldif#directory @TESTDIR@/db.1.a +#null#bind on rootdn "cn=Manager,dc=example,dc=com" --- tests/scripts/acfilter.sh~ 2007-01-06 20:35:00 +0100 +++ tests/scripts/acfilter.sh 2007-05-19 20:01:19 +0200 @@ -15,4 +15,5 @@ # -# Strip comments +# Strip comments, or remove everything with back-null # -grep -v '^#' + +test "$BACKEND" = "null" || grep -v '^#'
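Review bot: In the tests/data/slapd.conf hunk, the unconditional `directory @TESTDIR@/db.1.a` line is replaced by copies prefixed only for bdb, hdb and ldif, so a run with any backend not listed here ends up with no directory line at all. If other backends that need a directory are still run against this file, add a prefixed line for each of them. A short comment next to `#null#bind on` would also help, since nothing in the file says why back-null needs it.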
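Review bot: In the tests/scripts/acfilter.sh hunk, when BACKEND is "null" the new `test "$BACKEND" = "null" ||` line skips grep entirely, so the script exits without reading its standard input. A command piping a large amount of output into it can then be killed by SIGPIPE; consider draining the input in the null case (for example with `cat >/dev/null`) so the filter still consumes everything it is given. The script now also depends on BACKEND being exported by the caller, which the header comment should mention.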
Test loop:
cd tests
try() {
    ulimit -c unlimited
    echo ./run -b $1 test008
    nice ./run -b $1 test008 && test "`echo core*`" = "core*"
}
(declare -i n=0; while try null && try ldif; do n=$n+1; echo "#$n done"; done)

I don't see anything from the backtraces; they report when the problem is noticed instead of when it is created. E.g.:
#0  0x0039e7a2 in _dl_sysinfo_int80 () from /lib/ld-linux.so.2
#1  0x003df7a5 in raise () from /lib/tls/libc.so.6
#2  0x003e1209 in abort () from /lib/tls/libc.so.6
#3  0x00413a1a in __libc_message () from /lib/tls/libc.so.6
#4  0x00413a54 in __libc_fatal () from /lib/tls/libc.so.6
#5  0x0041fddf in mabort () from /lib/tls/libc.so.6
#6  0x0041f655 in freehook () from /lib/tls/libc.so.6
#7  0x0041a5e5 in free () from /lib/tls/libc.so.6
#8  0x080fea27 in ber_bvarray_free (a=0x0) at memory.c:744
#9  0x0806a34e in attr_clean (a=0x4dfff4) at attr.c:134
#10 0x0806a454 in attrs_free (a=0x8e56204) at attr.c:194
#11 0x0806b0c9 in entry_clean (e=0x8e4bdd4) at entry.c:473
#12 0x0806b142 in entry_free (e=0x8e4bdd4) at entry.c:483
#13 0x0806e898 in be_entry_release_rw (op=0x8e84c78, e=0x8e4bdd4, rw=6) at backend.c:797
#14 0x08069221 in do_add (op=0x8e84c78, rs=0xb59fe154) at add.c:197
#15 0x080626e7 in connection_operation (ctx=0xb59fe228, arg_v=0x8e84c78) at connection.c:1145
#16 0x08062d44 in connection_read_thread (ctx=0xb59fe228, argv=0xa) at connection.c:1271
#17 0x080dc75a in ldap_int_thread_pool_wrapper (xpool=0x8e04fe8) at tpool.c:725
#18 0x006193cc in start_thread () from /lib/tls/libpthread.so.0
#19 0x00480c3e in clone () from /lib/tls/libc.so.6