Re: (ITS#7837) slapd seg faults in slapo-rwm - openldap-bugs

14 Apr 2014


      michael@stroeder.com wrote:
...
Full_Name: Michael Ströder
Version: 2.4.39 with patches
OS:
URL:
Submission from: (NULL) (212.227.35.93)
slapd occasionally seg faults.
We can't reproduce it with a certain configuration.
This is a custom Debian Wheezy package based on OpenLDAP 2.4.39
linked against OpenSSL under a separate prefix.
slapo-rwm is patched according to ITS#7723 but I can't tell whether
it's related to ITS#7723 or not. Hence the separate ITS.
What behavior do you get by reverting the #7723 patch?
...
master commit for the reference counting patch used:
http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commit;h=5f524c446...
Here's the stack trace (obfuscated filter and search base):
Program terminated with signal 11, Segmentation fault.
#0  0x00007f8ca2d8a29d in ?? () from /lib/x86_64-linux-gnu/libc.so.6
(gdb) bt full
#0  0x00007f8ca2d8a29d in ?? () from /lib/x86_64-linux-gnu/libc.so.6
No symbol table info available.
#1  0x00000000004f776b in rewrite_var_cmp (c1=0x7f8abaffb680, c2=0x7f8a884fba80)
at var.c:43
         v1 = 0x7f8abaffb680
         v2 = 0x7f8a884fba80
         __PRETTY_FUNCTION__ = "rewrite_var_cmp"
#2  0x0000000000500920 in avl_find (root=0x7f8a892823b0, data=0x7f8abaffb680,
fcmp=0x4f76a8 <rewrite_var_cmp>) at avl.c:545
         cmp = 0
#3  0x00000000004f797e in rewrite_var_find (tree=0x7f8a892823b0,
name=0x7f8c9ff4b319 "searchFilter") at var.c:115
         var = {lv_name = 0x7f8c9ff4b319 "searchFilter", lv_flags = -1534643252,
lv_value = {bv_len = 140233568059984, bv_val = 0x7f8a89523fa0 ""}}
         __PRETTY_FUNCTION__ = "rewrite_var_find"
#4  0x00000000004f5f51 in rewrite_session_var_set_f (info=0x1b4f770,
cookie=0x7f8c9fee2510, name=0x7f8c9ff4b319 "searchFilter",
     value=0x7f8aac1d93a0
"(&(member=uid=xxxxx,cn=yyyyy,ou=zzzzz)(objectClass=posixGroup)(cn=*))",
flags=15) at session.c:222
         session = 0x7f8a89523f90
         var = 0x1ffb
         __PRETTY_FUNCTION__ = "rewrite_session_var_set_f"
#5  0x00007f8c9ff41836 in rwm_op_search (op=0x7f8aadb03a70, rs=0x7f8abaffcac0)
at rwm.c:955
         on = 0x1b4f530
         rwmap = 0x1b4f710
         rc = 32652
         dc = {rwmap = 0x7f8abaffb960, conn = 0x0, ctx = 0xffffffffffffffa8
<Address 0xffffffffffffffa8 out of bounds>, rs = 0x2e90e50}
         fstr = {bv_len = 0, bv_val = 0x0}
         f = 0x0
         an = 0x0
         text = 0x0
         roc = 0x7f8aac1d95e8
#6  0x00000000004cf13b in overlay_op_walk (op=0x7f8aadb03a70, rs=0x7f8abaffcac0,
which=op_search, oi=0x1b4d270, on=0x1b4f530) at backover.c:661
         func = 0x1b4f588
         rc = 32768
#7  0x00000000004cf3ef in over_op_func (op=0x7f8aadb03a70, rs=0x7f8abaffcac0,
which=op_search) at backover.c:723
         oi = 0x1b4d270
         on = 0x1b4f530
         be = 0x772340
         db = {bd_info = 0x1b4f530, bd_self = 0x772340, be_ctrls = "\000", '\001'
<repeats 16 times>, '\000' <repeats 15 times>, be_flags = 131840, be_restrictops
= 0, be_requires = 19, be_ssf_set = {
             sss_ssf = 128, sss_transport = 0, sss_tls = 0, sss_sasl = 0,
sss_update_ssf = 0, sss_update_transport = 0, sss_update_tls = 0,
sss_update_sasl = 0, sss_simple_bind = 0},
           be_suffix = 0x1acae40, be_nsuffix = 0x1acae90, be_schemadn = {bv_len =
12, bv_val = 0x1ba32d0 "cn=Subschema"}, be_schemandn = {bv_len = 12, bv_val =
0x1ba2c80 "cn=subschema"}, be_rootdn = {
             bv_len = 0, bv_val = 0x0}, be_rootndn = {bv_len = 0, bv_val = 0x0},
be_rootpw = {bv_len = 0, bv_val = 0x0}, be_max_deref_depth = 0, be_def_limit =
{lms_t_soft = 3600, lms_t_hard = 0,
             lms_s_soft = 500, lms_s_hard = 0, lms_s_unchecked = -1, lms_s_pr =
0, lms_s_pr_hide = 0, lms_s_pr_total = 0}, be_limits = 0x0, be_acl = 0x1b54bd0,
be_dfltaccess = ACL_READ,
           be_extra_anlist = 0x0, be_update_ndn = {bv_len = 0, bv_val = 0x0},
be_update_refs = 0x0, be_pending_csn_list = 0x0, be_pcl_mutex = {__data =
{__lock = 0, __count = 0, __owner = 0, __nusers = 0,
               __kind = 0, __spins = 0, __list = {__prev = 0x0, __next = 0x0}},
__size = '\000' <repeats 39 times>, __align = 0}, be_syncinfo = 0x0, be_pb =
0x0, be_cf_ocs = 0x768e88, be_private = 0x0,
           be_next = {stqe_next = 0x1acaee0}}
         cb = {sc_next = 0x0, sc_response = 0x4ce266 <over_back_response>,
sc_cleanup = 0, sc_private = 0x1b4d270}
         sc = 0x7f8aac1d9578
         rc = 32768
         __PRETTY_FUNCTION__ = "over_op_func"
#8  0x00000000004cf4cf in over_op_search (op=0x7f8aadb03a70, rs=0x7f8abaffcac0)
at backover.c:750
No locals.
#9  0x0000000000440982 in do_search (op=0x7f8aadb03a70, rs=0x7f8abaffcac0) at
search.c:247
         base = {bv_len = 8, bv_val = 0x7f8a8801d589 "ou=zzzzz"}
         siz = 7
         off = 0
         i = 7
#10 0x000000000043d2da in connection_operation (ctx=0x7f8abaffcba0,
arg_v=0x7f8aadb03a70) at connection.c:1155
         rc = 80
         cancel = 32650
         op = 0x7f8aadb03a70
         rs = {sr_type = REP_RESULT, sr_tag = 0, sr_msgid = 0, sr_err = 0,
sr_matched = 0x0, sr_text = 0x0, sr_ref = 0x0, sr_ctrls = 0x0, sr_un =
{sru_search = {r_entry = 0x0, r_attr_flags = 0,
               r_operational_attrs = 0x0, r_attrs = 0x0, r_nentries = 0, r_v2ref
= 0x0}, sru_sasl = {r_sasldata = 0x0}, sru_extended = {r_rspoid = 0x0, r_rspdata
= 0x0}}, sr_flags = 0}
         tag = 99
         opidx = SLAP_OP_SEARCH
         conn = 0x7f8c9fee2510
         memctx = 0x7f8aac028250
         memctx_null = 0x0
         memsiz = 1048576
         __PRETTY_FUNCTION__ = "connection_operation"
#11 0x00007f8ca4871c81 in ldap_int_thread_pool_wrapper (xpool=0x1aa7f70) at
tpool.c:688
         pool = 0x1aa7f70
         task = 0x7f8aa57bb7a0
         work_list = 0x1aa8008
         ctx = {ltu_id = 140233819543296, ltu_key = {{ltk_key = 0x43ce31,
ltk_data = 0x7f8aac028140, ltk_free = 0x43cc83 <conn_counter_destroy>}, {ltk_key
= 0x4af7af, ltk_data = 0x7f8aac028250,
               ltk_free = 0x4af5d4 <slap_sl_mem_destroy>}, {ltk_key = 0x1c58fc0,
ltk_data = 0x7f8aac024fb0, ltk_free = 0x7f8ca15c4122 <mdb_reader_free>},
{ltk_key = 0x7f8ca15b6b94,
               ltk_data = 0x7f8a9f0f7010, ltk_free = 0x7f8ca15b6b4c
<scope_chunk_free>}, {ltk_key = 0x457c69, ltk_data = 0x7f8a88063040, ltk_free =
0x457bbc <slap_op_q_destroy>}, {
               ltk_key = 0x7f8ca15b9a39, ltk_data = 0x7f8a94be7010, ltk_free =
0x7f8ca15b9a16 <search_stack_free>}, {ltk_key = 0x1c67c80, ltk_data =
0x7f8ab46aadb0,
               ltk_free = 0x7f8ca15c4122 <mdb_reader_free>}, {ltk_key = 0x0,
ltk_data = 0x0, ltk_free = 0} <repeats 25 times>}}
         kctx = 0x0
---Type <return> to continue, or q <return> to quit---
         i = 32
         keyslot = 377
         hash = 3746453881
         __PRETTY_FUNCTION__ = "ldap_int_thread_pool_wrapper"
#12 0x00007f8ca2feab50 in start_thread () from
/lib/x86_64-linux-gnu/libpthread.so.0
No symbol table info available.
#13 0x00007f8ca2d350ed in clone () from /lib/x86_64-linux-gnu/libc.so.6
No symbol table info available.
#14 0x0000000000000000 in ?? ()
No symbol table info available.
-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/