Issue 5452 - seg fault in syncprov_op abandon on master
Summary: seg fault in syncprov_op abandon on master
Status: VERIFIED FIXED
Alias: None
Product: OpenLDAP
Classification: Unclassified
Component: slapd (show other issues)
Version: unspecified
Hardware: All All
: --- normal
Target Milestone: ---
Assignee: OpenLDAP project
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2008-04-03 18:41 UTC by Quanah Gibson-Mount
Modified: 2015-07-02 17:44 UTC (History)
0 users

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this issue.
Description Quanah Gibson-Mount 2008-04-03 18:41:27 UTC
Full_Name: Quanah Gibson-Mount
Version: 2.3.41
OS: Linux 2.6
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (24.23.156.219)


Core was generated by `/opt/zimbra/openldap/libexec/slapd -l LOCAL0 -4 -u zimbra
-h ldap://'.
Program terminated with signal 11, Segmentation fault.
#0  0x0000002a975f21ec in syncprov_op_abandon (op=0x42002b40, rs=0x42002a50) at
syncprov.c:1026
1026                    if ( so->s_op->o_connid == op->o_connid &&
(gdb) bt
#0  0x0000002a975f21ec in syncprov_op_abandon (op=0x42002b40, rs=0x42002a50) at
syncprov.c:1026
#1  0x000000000049b8dd in overlay_op_walk (op=0x42002b40, rs=0x42002a50,
which=op_abandon, oi=0xde1e00, on=0xde1c40) at backover.c:640
#2  0x000000000049bb39 in over_op_func (op=0x42002b40, rs=0x42002a50,
which=op_abandon) at backover.c:702
#3  0x000000000049bca7 in over_op_abandon (op=0x42002b40, rs=0x42002a50) at
backover.c:760
#4  0x0000000000450729 in fe_op_abandon (op=0x42002b40, rs=0x42002a50) at
abandon.c:115
#5  0x000000000042b249 in connection_abandon (c=0x12603dd0) at connection.c:792
#6  0x000000000042b41c in connection_closing (c=0x12603dd0, why=0x4be9a0
"connection lost") at connection.c:840
#7  0x000000000042ca0f in connection_read (s=38, cri=0x42002d90) at
connection.c:1457
#8  0x000000000042c1f8 in connection_read_thread (ctx=0x42002e10, argv=0x26) at
connection.c:1254
#9  0x0000002a956c3bd7 in ldap_int_thread_pool_wrapper (xpool=0x88ce10) at
tpool.c:478
#10 0x0000003342606137 in ?? ()
#11 0x0000000000000000 in ?? ()

(gdb) frame 0
#0  0x0000002a975f21ec in syncprov_op_abandon (op=0x42002b40, rs=0x42002a50) at
syncprov.c:1026
1026                    if ( so->s_op->o_connid == op->o_connid &&
(gdb) l
1021            syncops *so, *soprev;
1022
1023            ldap_pvt_thread_mutex_lock( &si->si_ops_mutex );
1024            for ( so=si->si_ops, soprev = (syncops *)&si->si_ops; so;
1025                    soprev=so, so=so->s_next ) {
1026                    if ( so->s_op->o_connid == op->o_connid &&
1027                            so->s_op->o_msgid == op->orn_msgid ) {
1028                                    so->s_op->o_abandon = 1;
1029                                    soprev->s_next = so->s_next;
1030                                    break;
(gdb)


Comment 1 Quanah Gibson-Mount 2008-04-04 03:43:46 UTC
--On Thursday, April 03, 2008 6:41 PM +0000 quanah@zimbra.com wrote:

> Full_Name: Quanah Gibson-Mount
> Version: 2.3.41
> OS: Linux 2.6
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (24.23.156.219)
>
>
> Core was generated by `/opt/zimbra/openldap/libexec/slapd -l LOCAL0 -4 -u
> zimbra -h ldap://'.

also:

(gdb) print so
$1 = (syncops *) 0x12392240
(gdb) print *so
$2 = {s_next = 0x12393510, s_base = {bv_len = 12, bv_val = 0x1238dd50 
"cn=accesslog"}, s_eid = 1, s_op = 0x11d8fc00, s_rid = 100, s_filterstr = 
{bv_len = 0, bv_val = 0x0}, s_flags = 1,
  s_inuse = 1, s_res = 0x0, s_restail = 0x0, s_qtask = 0x0, s_mutex = 
{__m_reserved = 0, __m_count = 0, __m_owner = 0x0, __m_kind = 0, __m_lock = 
{__status = 0, __spinlock = 0}}}


from frame 0.

--Quanah


--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra ::  the leader in open source messaging and collaboration

Comment 2 Hallvard Furuseth 2008-04-04 11:23:31 UTC
Since it crashes on
	if ( so->s_op->o_connid == op->o_connid &&
	     so->s_op->o_msgid == op->orn_msgid   )
please try
	frame 0
        print *op
        print *so->s_op
and maybe
	backtrace full
while you are at it.

-- 
Hallvard

Comment 3 Hallvard Furuseth 2008-04-04 15:21:12 UTC
changed state Open to Feedback
moved from Incoming to Software Bugs
Comment 4 Quanah Gibson-Mount 2008-04-04 16:19:11 UTC
--On Friday, April 04, 2008 1:23 PM +0200 Hallvard B Furuseth 
<h.b.furuseth@usit.uio.no> wrote:

> Since it crashes on
> 	if ( so->s_op->o_connid == op->o_connid &&
> 	     so->s_op->o_msgid == op->orn_msgid   )
> please try
> 	frame 0
>         print *op
>         print *so->s_op
> and maybe
> 	backtrace full
> while you are at it.

#0  0x0000002a975f21ec in syncprov_op_abandon (op=0x42002b40, 
rs=0x42002a50) at syncprov.c:1026
1026                    if ( so->s_op->o_connid == op->o_connid &&
(gdb) frame 0
#0  0x0000002a975f21ec in syncprov_op_abandon (op=0x42002b40, 
rs=0x42002a50) at syncprov.c:1026
1026                    if ( so->s_op->o_connid == op->o_connid &&
(gdb) print *op
$1 = {o_hdr = 0x42002ac0, o_tag = 80, o_time = 0, o_tincr = 0, o_bd = 
0x42002830, o_req_dn = {bv_len = 0, bv_val = 0x0}, o_req_ndn = {bv_len = 0, 
bv_val = 0x0}, o_request = {oq_add = {
      rs_e = 0x4, rs_modlist = 0x0}, oq_bind = {rb_method = 4, rb_cred = 
{bv_len = 0, bv_val = 0x0}, rb_edn = {bv_len = 0, bv_val = 0x0}, rb_ssf = 
0, rb_tmp_mech = {bv_len = 0,
        bv_val = 0x0}}, oq_compare = {rs_ava = 0x4}, oq_modify = 
{rs_modlist = 0x4, rs_increment = 0}, oq_modrdn = {rs_newrdn = {bv_len = 4, 
bv_val = 0x0}, rs_nnewrdn = {bv_len = 0,
        bv_val = 0x0}, rs_newSup = 0x0, rs_nnewSup = 0x0, rs_deleteoldrdn = 
0}, oq_search = {rs_scope = 4, rs_deref = 0, rs_slimit = 0, rs_tlimit = 0, 
rs_limit = 0x0, rs_attrsonly = 0,
      rs_attrs = 0x0, rs_filter = 0x0, rs_filterstr = {bv_len = 0, bv_val = 
0x0}}, oq_abandon = {rs_msgid = 4}, oq_cancel = {rs_msgid = 4}, oq_extended 
= {rs_reqoid = {bv_len = 4,
        bv_val = 0x0}, rs_flags = 0, rs_reqdata = 0x0}, oq_pwdexop = 
{rs_extended = {rs_reqoid = {bv_len = 4, bv_val = 0x0}, rs_flags = 0, 
rs_reqdata = 0x0}, rs_old = {bv_len = 0,
        bv_val = 0x0}, rs_new = {bv_len = 0, bv_val = 0x0}, rs_mods = 0x0, 
rs_modtail = 0x0}}, o_abandon = 0, o_cancel = 0, o_groups = 0x0, 
o_do_not_cache = 0 '\0',
  o_is_auth_check = 0 '\0', o_nocaching = 0 '\0', o_delete_glue_parent = 0 
'\0', o_no_schema_check = 0 '\0', o_ctrlflag = '\0' <repeats 31 times>, 
o_controls = 0x0, o_authz = {
    sai_method = 0, sai_mech = {bv_len = 0, bv_val = 0x0}, sai_dn = {bv_len 
= 0, bv_val = 0x0}, sai_ndn = {bv_len = 0, bv_val = 0x0}, sai_ssf = 0, 
sai_transport_ssf = 0, sai_tls_ssf = 0,
    sai_sasl_ssf = 0}, o_ber = 0x0, o_res_ber = 0x0, o_callback = 
0x42002810, o_ctrls = 0x0, o_csn = {bv_len = 0, bv_val = 0x0}, o_private = 
0x0, o_next = {stqe_next = 0x0}}
(gdb) print *so->s_op
$2 = {o_hdr = 0x11d8fd60, o_tag = 0, o_time = 0, o_tincr = 0, o_bd = 0x0, 
o_req_dn = {bv_len = 0, bv_val = 0x0}, o_req_ndn = {bv_len = 0, bv_val = 
0x0}, o_request = {oq_add = {rs_e = 0x0,
      rs_modlist = 0x0}, oq_bind = {rb_method = 0, rb_cred = {bv_len = 0, 
bv_val = 0x0}, rb_edn = {bv_len = 0, bv_val = 0x0}, rb_ssf = 0, rb_tmp_mech 
= {bv_len = 0, bv_val = 0x0}},
    oq_compare = {rs_ava = 0x0}, oq_modify = {rs_modlist = 0x0, 
rs_increment = 0}, oq_modrdn = {rs_newrdn = {bv_len = 0, bv_val = 0x0}, 
rs_nnewrdn = {bv_len = 0, bv_val = 0x0},
      rs_newSup = 0x0, rs_nnewSup = 0x0, rs_deleteoldrdn = 0}, oq_search = 
{rs_scope = 0, rs_deref = 0, rs_slimit = 0, rs_tlimit = 0, rs_limit = 0x0, 
rs_attrsonly = 0, rs_attrs = 0x0,
      rs_filter = 0x0, rs_filterstr = {bv_len = 0, bv_val = 0x0}}, 
oq_abandon = {rs_msgid = 0}, oq_cancel = {rs_msgid = 0}, oq_extended = 
{rs_reqoid = {bv_len = 0, bv_val = 0x0},
      rs_flags = 0, rs_reqdata = 0x0}, oq_pwdexop = {rs_extended = 
{rs_reqoid = {bv_len = 0, bv_val = 0x0}, rs_flags = 0, rs_reqdata = 0x0}, 
rs_old = {bv_len = 0, bv_val = 0x0}, rs_new = {
        bv_len = 0, bv_val = 0x0}, rs_mods = 0x0, rs_modtail = 0x0}}, 
o_abandon = 0, o_cancel = 0, o_groups = 0x0, o_do_not_cache = 0 '\0', 
o_is_auth_check = 0 '\0', o_nocaching = 0 '\0',
  o_delete_glue_parent = 0 '\0', o_no_schema_check = 0 '\0', o_ctrlflag = 
'\0' <repeats 31 times>, o_controls = 0x11d8fdd8, o_authz = {sai_method = 
0, sai_mech = {bv_len = 0,
      bv_val = 0x0}, sai_dn = {bv_len = 0, bv_val = 0x0}, sai_ndn = {bv_len 
= 0, bv_val = 0x0}, sai_ssf = 0, sai_transport_ssf = 0, sai_tls_ssf = 0, 
sai_sasl_ssf = 0}, o_ber = 0x0,
  o_res_ber = 0x0, o_callback = 0x0, o_ctrls = 0x0, o_csn = {bv_len = 0, 
bv_val = 0x0}, o_private = 0x0, o_next = {stqe_next = 0x12307c00}}



(gdb) backtrace full
#0  0x0000002a975f21ec in syncprov_op_abandon (op=0x42002b40, 
rs=0x42002a50) at syncprov.c:1026
        on = (slap_overinst *) 0xde1c40
        si = (syncprov_info_t *) 0xde2ee0
        so = (syncops *) 0x12392240
        soprev = (syncops *) 0x12394bd0
#1  0x000000000049b8dd in overlay_op_walk (op=0x42002b40, rs=0x42002a50, 
which=op_abandon, oi=0xde1e00, on=0xde1c40) at backover.c:640
        func = (BI_op_bind **) 0xde1c98
        rc = 32768
#2  0x000000000049bb39 in over_op_func (op=0x42002b40, rs=0x42002a50, 
which=op_abandon) at backover.c:702
        oi = (slap_overinfo *) 0xde1e00
        on = (slap_overinst *) 0xde1c40
        be = (BackendDB *) 0xddf540
        db = {bd_info = 0xde1c40, be_ctrls = 
"\000\001\001\001\000\000\001\000\001\000\001\001\001\000\001", '\0' 
<repeats 17 times>, "\001", be_flags = 256, be_restrictops = 0,
  be_requires = 0, be_ssf_set = {sss_ssf = 0, sss_transport = 0, sss_tls = 
0, sss_sasl = 0, sss_update_ssf = 0, sss_update_transport = 0, 
sss_update_tls = 0, sss_update_sasl = 0,
    sss_simple_bind = 0}, be_suffix = 0xdd7920, be_nsuffix = 0xdd7900, 
be_schemadn = {bv_len = 0, bv_val = 0x0}, be_schemandn = {bv_len = 0, 
bv_val = 0x0}, be_rootdn = {bv_len = 12,
    bv_val = 0xdd8410 "cn=accesslog"}, be_rootndn = {bv_len = 12, bv_val = 
0xdd8490 "cn=accesslog"}, be_rootpw = {bv_len = 0, bv_val = 0x0}, 
be_max_deref_depth = 15, be_def_limit = {
    lms_t_soft = -1, lms_t_hard = 0, lms_s_soft = -1, lms_s_hard = 0, 
lms_s_unchecked = -1, lms_s_pr = 0, lms_s_pr_hide = 0, lms_s_pr_total = 0}, 
be_limits = 0x0, be_acl = 0x8b0000,
  be_dfltaccess = ACL_READ, be_replica = 0x0, be_replogfile = 0x0, 
be_update_ndn = {bv_len = 0, bv_val = 0x0}, be_update_refs = 0x0, 
be_pending_csn_list = 0xf35a40, be_pcl_mutex = {
    __m_reserved = 0, __m_count = 0, __m_owner = 0x0, __m_kind = 0, 
__m_lock = {__status = 0, __spinlock = 0}}, be_pcl_mutexp = 0xddf680, 
be_syncinfo = 0x0, be_pb = 0x0,
  be_cf_ocs = 0x2a972f0fe0, be_private = 0x889c80, be_next = {stqe_next = 
0xde1a80}}
        cb = {sc_next = 0x0, sc_response = 0x49b297 <over_back_response>, 
sc_cleanup = 0, sc_private = 0xde1e00}
        rc = 32768
        __PRETTY_FUNCTION__ = "over_op_func"
#3  0x000000000049bca7 in over_op_abandon (op=0x42002b40, rs=0x42002a50) at 
backover.c:760
No locals.
#4  0x0000000000450729 in fe_op_abandon (op=0x42002b40, rs=0x42002a50) at 
abandon.c:115
No locals.
#5  0x000000000042b249 in connection_abandon (c=0x12603dd0) at 
connection.c:792
        o = (Operation *) 0x11d8f900
        next = (Operation *) 0x0
        op = {o_hdr = 0x42002ac0, o_tag = 80, o_time = 0, o_tincr = 0, o_bd 
= 0x42002830, o_req_dn = {bv_len = 0, bv_val = 0x0}, o_req_ndn = {bv_len = 
0, bv_val = 0x0}, o_request = {
    oq_add = {rs_e = 0x4, rs_modlist = 0x0}, oq_bind = {rb_method = 4, 
rb_cred = {bv_len = 0, bv_val = 0x0}, rb_edn = {bv_len = 0, bv_val = 0x0}, 
rb_ssf = 0, rb_tmp_mech = {bv_len = 0,
        bv_val = 0x0}}, oq_compare = {rs_ava = 0x4}, oq_modify = 
{rs_modlist = 0x4, rs_increment = 0}, oq_modrdn = {rs_newrdn = {bv_len = 4, 
bv_val = 0x0}, rs_nnewrdn = {bv_len = 0,
        bv_val = 0x0}, rs_newSup = 0x0, rs_nnewSup = 0x0, rs_deleteoldrdn = 
0}, oq_search = {rs_scope = 4, rs_deref = 0, rs_slimit = 0, rs_tlimit = 0, 
rs_limit = 0x0, rs_attrsonly = 0,
      rs_attrs = 0x0, rs_filter = 0x0, rs_filterstr = {bv_len = 0, bv_val = 
0x0}}, oq_abandon = {rs_msgid = 4}, oq_cancel = {rs_msgid = 4}, oq_extended 
= {rs_reqoid = {bv_len = 4,
        bv_val = 0x0}, rs_flags = 0, rs_reqdata = 0x0}, oq_pwdexop = 
{rs_extended = {rs_reqoid = {bv_len = 4, bv_val = 0x0}, rs_flags = 0, 
rs_reqdata = 0x0}, rs_old = {bv_len = 0,
        bv_val = 0x0}, rs_new = {bv_len = 0, bv_val = 0x0}, rs_mods = 0x0, 
rs_modtail = 0x0}}, o_abandon = 0, o_cancel = 0, o_groups = 0x0, 
o_do_not_cache = 0 '\0',
  o_is_auth_check = 0 '\0', o_nocaching = 0 '\0', o_delete_glue_parent = 0 
'\0', o_no_schema_check = 0 '\0', o_ctrlflag = '\0' <repeats 31 times>, 
o_controls = 0x0, o_authz = {
    sai_method = 0, sai_mech = {bv_len = 0, bv_val = 0x0}, sai_dn = {bv_len 
= 0, bv_val = 0x0}, sai_ndn = {bv_len = 0, bv_val = 0x0}, sai_ssf = 0, 
sai_transport_ssf = 0, sai_tls_ssf = 0,
    sai_sasl_ssf = 0}, o_ber = 0x0, o_res_ber = 0x0, o_callback = 
0x42002810, o_ctrls = 0x0, o_csn = {bv_len = 0, bv_val = 0x0}, o_private = 
0x0, o_next = {stqe_next = 0x0}}
        ohdr = {oh_opid = 0, oh_connid = 583, oh_conn = 0x12603dd0, 
oh_msgid = 0, oh_protocol = 0, oh_tid = 0, oh_threadctx = 0x0, oh_tmpmemctx 
= 0x0, oh_tmpmfuncs = 0x0,
  oh_log_prefix = '\0' <repeats 49 times>}
        rs = {sr_type = REP_RESULT, sr_tag = 0, sr_msgid = 0, sr_err = 0, 
sr_matched = 0x0, sr_text = 0x0, sr_ref = 0x0, sr_ctrls = 0x0, sr_un = 
{sru_sasl = {r_sasldata = 0x0},
    sru_extended = {r_rspoid = 0x0, r_rspdata = 0x0}, sru_search = {r_entry 
= 0x0, r_attr_flags = 0, r_operational_attrs = 0x0, r_attrs = 0x0, 
r_nentries = 0, r_v2ref = 0x0}},
  sr_flags = 0}
#6  0x000000000042b41c in connection_closing (c=0x12603dd0, why=0x4be9a0 
"connection lost") at connection.c:840
        sd = 38
        __PRETTY_FUNCTION__ = "connection_closing"
#7  0x000000000042ca0f in connection_read (s=38, cri=0x42002d90) at 
connection.c:1457
        rc = -2
        c = (Connection *) 0x12603dd0
        __PRETTY_FUNCTION__ = "connection_read"
#8  0x000000000042c1f8 in connection_read_thread (ctx=0x42002e10, 
argv=0x26) at connection.c:1254
        rc = 42
        cri = {op = 0x11d8f900, func = 0, arg = 0x0, nullop = 0}
        s = 38
#9  0x0000002a956c3bd7 in ldap_int_thread_pool_wrapper (xpool=0x88ce10) at 
tpool.c:478
        pool = (struct ldap_int_thread_pool_s *) 0x88ce10
        ctx = (ldap_int_thread_ctx_t *) 0xf375d0
        ltc_key = {{ltk_key = 0x48717a, ltk_data = 0xe658c0, ltk_free = 
0x486f64 <slap_sl_mem_destroy>}, {ltk_key = 0x976100, ltk_data = 0xf,
    ltk_free = 0x2a971e9cf9 <bdb_locker_id_free>}, {ltk_key = 0x2a971dae1f, 
ltk_data = 0x159be000, ltk_free = 0x2a971dadff <search_stack_free>}, 
{ltk_key = 0x976680, ltk_data = 0xf,
    ltk_free = 0x2a971e9cf9 <bdb_locker_id_free>}, {ltk_key = 0x0, ltk_data 
= 0x0, ltk_free = 0} <repeats 28 times>}
        tid = 1107310944
        i = 219
        keyslot = 219
        hash = 219
#10 0x0000003342606137 in ?? ()
No symbol table info available.
#11 0x0000000000000000 in ?? ()
No symbol table info available.


--Quanah


--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra ::  the leader in open source messaging and collaboration

Comment 5 Hallvard Furuseth 2008-04-04 17:48:24 UTC
changed state Feedback to Open
Comment 6 Howard Chu 2008-04-09 11:45:17 UTC
quanah@zimbra.com wrote:
> --On Friday, April 04, 2008 1:23 PM +0200 Hallvard B Furuseth
> <h.b.furuseth@usit.uio.no>  wrote:
>
>> Since it crashes on
>> 	if ( so->s_op->o_connid == op->o_connid&&
>> 	so->s_op->o_msgid == op->orn_msgid   )
>> please try
>> 	frame 0
>>          print *op
>>          print *so->s_op
>> and maybe
>> 	backtrace full
>> while you are at it.

So far there don't appear to be any invalid pointers anywhere, so there's no 
clue why you hit a SEGV here. Can you reproduce this situation using valgrind?
-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/

Comment 7 Quanah Gibson-Mount 2009-02-15 02:10:01 UTC
changed notes
changed state Open to Suspended
Comment 8 Howard Chu 2009-04-10 20:14:36 UTC
moved from Software Bugs to Historical
Comment 9 Leonid Yuriev 2014-12-29 11:26:40 UTC
ITS#8012 is a duplicate of this bug.
Please see ones and review/apply the patch.
http://www.openldap.org/its/index.cgi/Incoming?id=8012

Leonid.

Comment 10 Howard Chu 2015-01-04 07:33:18 UTC
changed notes
changed state Suspended to Test
moved from Historical to Software Bugs
Comment 11 Quanah Gibson-Mount 2015-01-05 19:52:09 UTC
changed notes
changed state Test to Release
Comment 12 Quanah Gibson-Mount 2015-01-05 19:54:29 UTC
changed notes
Comment 13 OpenLDAP project 2015-07-02 17:44:42 UTC
Suspending due to being unable to reproduce with later releases.
dup #8012, fixed in master
fixed in RE24
fixed in RE25
Comment 14 Quanah Gibson-Mount 2015-07-02 17:44:42 UTC
changed notes
changed state Release to Closed