Issue 6117 - Segfault in hdb_index_mask
Summary: Segfault in hdb_index_mask
Status: VERIFIED FIXED
Alias: None
Product: OpenLDAP
Classification: Unclassified
Component: slapd
Version: 2.4.16
Hardware: All All
Assignee: OpenLDAP project
 
Reported: 2009-05-14 07:22 UTC by Luca Scamoni
Modified: 2020-03-19 17:07 UTC
Description Luca Scamoni 2009-05-14 07:22:36 UTC
Full_Name: Luca Scamoni
Version: 2.4.16
OS: Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (82.63.140.131)


Master segfaulted in hdb_index_mask. For some reason desc is NULL.
Backtrace:
#0  0x00de2d92 in hdb_index_mask (be=0x236ec90, desc=0x0, atname=0x236e958) at
index.c:47
        at = (AttributeType *) 0x99f5f48
        ai = (AttrInfo *) 0x0
#1  0x00dd8ca5 in bdb_modify_idxflags (op=0x9c16a28, desc=0x9af4078,
got_delete=1, newattrs=0x5414fdac, oldattrs=0x5414fdac) at modify.c:54
        ap = (Attribute *) 0x5414fdac
        ix2 = {bv_len = 0, bv_val = 0x2370104 ""}
        ix_at = {bv_len = 25, bv_val = 0x99f5998 "certificateRevocationList"}
        ai = (AttrInfo *) 0x9ab07c0
#2  0x00dd98dc in hdb_modify_internal (op=0x9c16a28, tid=0x9ec6628,
modlist=0xa3189f0, e=0x236eaa0, text=0x2370104, textbuf=0x236eb00 "��#",
textlen=256)
    at modify.c:245
        rc = 0
        err = 0
        mod = (Modification *) 0xa3189f0
        ml = (Modifications *) 0xa3189f0
        save_attrs = (Attribute *) 0x5414fdac
        ap = (Attribute *) 0x0
        glue_attr_delete = 0
        got_delete = 1
        __PRETTY_FUNCTION__ = "hdb_modify_internal"
#3  0x00ddab1a in hdb_modify (op=0x9c16a28, rs=0x23700f0) at modify.c:590
        bdb = (struct bdb_info *) 0x9aaf888
        e = (Entry *) 0x545d316c
        ei = (EntryInfo *) 0x9eb8828
        manageDSAit = 0
        textbuf = "��#\000@�#\000����(�6\002�\226\027\000@�#\000\020\000\000\000\024�y\000�\0007\002\220�6\002H�6\002\026wy\000\020\000\000\000@�#\000����`\2352\n`\2352\n\024�y\000h�6\002|wy\000\020\000\000\000\000\000\000\000\220�6\002\000\000\000\000$\000\000\000@�\026\b\006\000\000\000��\024Tl1]T\000\000\000\000x�5\n\000\000\000\000Dj�\tx�5\n\001\000\000\000\001\000\000\000D\2352\n\000\000\000\000\230\n�\t\230\t�\t\224y'\000\220�6\002(�6\002\232#'\000(j�\t�t�S\001\000\000\000��\021\bL\000\000\000\000\200\000\000"...
        textlen = 256
        ltid = (DB_TXN *) 0xa430420
        lt2 = (DB_TXN *) 0x9ec6628
        opinfo = {boi_oe = {oe_next = {sle_next = 0x0}, oe_key = 0x9aaf888},
boi_txn = 0xa430420, boi_locks = 0x0, boi_err = 0, boi_acl_cache = 0 '\0',
  boi_flag = 0 '\0'}
        dummy = {e_id = 0, e_name = {bv_len = 130, bv_val = 0x0}, e_nname =
{bv_len = 130, bv_val = 0x0}, e_attrs = 0x5414fdac, e_ocflags = 65792, e_bv = {
    bv_len = 0, bv_val = 0x0}, e_private = 0x0}
        lock = {off = 148504, ndx = 108, gen = 438195, mode = DB_LOCK_READ}
        num_retries = 0
        preread_ctrl = (LDAPControl **) 0x0
        postread_ctrl = (LDAPControl **) 0x0
        ctrls = {0x0, 0xffffff40, 0x763c2298, 0x1, 0x0, 0x1}
        num_ctrls = 0
        rc = 37153432
#4  0x080fffe2 in overlay_op_walk (op=0x9c16a28, rs=0x23700f0, which=op_modify,
oi=0x9ab0898, on=0x0) at ../../../servers/slapd/backover.c:669
        func = (BI_op_bind **) 0xf5fb8c
        rc = 32768
#5  0x081001a7 in over_op_func (op=0x9c16a28, rs=0x23700f0, which=op_modify) at
../../../servers/slapd/backover.c:721
        oi = (slap_overinfo *) 0x9ab0898
        on = (slap_overinst *) 0x9ab0998
        be = (BackendDB *) 0x9aaf788
        db = {bd_info = 0xf5fb60, bd_self = 0x9aaf788,
  be_ctrls = "\000\001\001\001\000\001\000\000\001\000\000\001\001\000\001\000\001",
'\0' <repeats 15 times>, "\001", be_flags = 2312, be_restrictops = 0,
  be_requires = 0, be_ssf_set = {sss_ssf = 0, sss_transport = 0, sss_tls = 0,
sss_sasl = 0, sss_update_ssf = 0, sss_update_transport = 0,
    sss_update_tls = 0, sss_update_sasl = 0, sss_simple_bind = 0}, be_suffix =
0x9aaf5b8, be_nsuffix = 0x9ab0680, be_schemadn = {bv_len = 0, bv_val = 0x0},
  be_schemandn = {bv_len = 0, bv_val = 0x0}, be_rootdn = {bv_len = 34, bv_val =
0x9ab0718 "cn=Manager,dc=a,dc=prod,dc=actalis"}, be_rootndn = {bv_len = 34,
    bv_val = 0x9ab0758 "cn=manager,dc=a,dc=prod,dc=actalis"}, be_rootpw =
{bv_len = 6, bv_val = 0x9ab0548 "secret"}, be_max_deref_depth = 15,
  be_def_limit = {lms_t_soft = 3600, lms_t_hard = 0, lms_s_soft = 500,
lms_s_hard = 0, lms_s_unchecked = -1, lms_s_pr = 0, lms_s_pr_hide = 0,
    lms_s_pr_total = 0}, be_limits = 0x0, be_acl = 0x0, be_dfltaccess =
ACL_READ, be_update_ndn = {bv_len = 0, bv_val = 0x0}, be_update_refs = 0x0,
  be_pending_csn_list = 0x9af2488, be_pcl_mutex = {__m_reserved = 0, __m_count =
0, __m_owner = 0x0, __m_kind = 0, __m_lock = {__status = 0,
      __spinlock = 0}}, be_syncinfo = 0x0, be_pb = 0x0, be_cf_ocs = 0xf5f940,
be_private = 0x9aaf888, be_next = {stqe_next = 0x9ab0b98}}
        cb = {sc_next = 0x0, sc_response = 0x80ff283 <over_back_response>,
sc_cleanup = 0, sc_private = 0x9ab0898}
        rc = 32768
        __PRETTY_FUNCTION__ = "over_op_func"
#6  0x0810027d in over_op_modify (op=0x9c16a28, rs=0x23700f0) at
../../../servers/slapd/backover.c:755
No locals.
#7  0x08098538 in fe_op_modify (op=0x9c16a28, rs=0x23700f0) at
../../../servers/slapd/modify.c:301
        update = 0
        repl_user = 0
        op_be = (BackendDB *) 0x9aaf788
        bd = (BackendDB *) 0x8176380
        textbuf = "��#\000@�#\000\230\030�\t(�6\002:v\027\000@�#\000\230\030�\t��#\000��6\002\230\030�\t\004�6\002\004\236\035\000\230\030�\t\230\030�\t[\000\000\000\000@\000\000
�#\000\000\000\000\000\a\000\000\000\006vy\000x�6\002��������\v\000\000\000\025\000\000\000\230\030�\t\000\000\000\000!�\vJ",
'\0' <repeats 16 times>,
"�0h%\000\000\000\000��6\002\027�\t\b��\233\t\220\233\000\n\031\000\000\000\2250h%\000\000\000\000\000\000\000\000\001\000\000\000�\026<\000\004s�S\220i�\t��\a\000\b@`%\a\000\000\000@�\026\b\030�6\002\\\214"...
        textlen = 256
#8  0x08097f67 in do_modify (op=0x9c16a28, rs=0x23700f0) at
../../../servers/slapd/modify.c:175
        dn = {bv_len = 111,
  bv_val = 0x25683012 "cn=CRL7,ou=Regione Lombardia Certification Authority
Cittadini,o=Regione Lombardia,c=IT,dc=a,dc=prod,dc=actalis"}
        textbuf = "8�TG\000\000\000\002\000\000\000\000��:\001�\017\000\000@�\026\b@�#\000\000\000\000\000\000\000\000\000\016\000\000\000@�#\000\000\000\000\000\000\000\000\000T�#\000\200\000\000\000\000\000\000\000\031\000\000\000X�#\000\006\000\000\0000\000\000\000��#\000
�#\000\000\000\000\000��6\002��#\000\001\000\000\000@�#\000\030\0007\002V\224\027\000@�#\000,\000\000\000������\001\000\024�y\000(\0007\002�\231y\000\030��\tS��\t\b\000\000\000�wy\000����\024�y\000\000\000\000\000\001\000\000\000\020\0027\002\000k�\t\230\0007\002fg\016\b\020\0027\002�f\016\b"...
        textlen = 256
        tmp = (Modifications *) 0x0
#9  0x08079867 in connection_operation (ctx=0x2370210, arg_v=0x9c16a28) at
../../../servers/slapd/connection.c:1115
        rc = 80
        op = (Operation *) 0x9c16a28
        rs = {sr_type = REP_RESULT, sr_tag = 0, sr_msgid = 0, sr_err = 0,
sr_matched = 0x0, sr_text = 0x0, sr_ref = 0x0, sr_ctrls = 0x0, sr_un = {
    sru_sasl = {r_sasldata = 0x0}, sru_extended = {r_rspoid = 0x0, r_rspdata =
0x0}, sru_search = {r_entry = 0x0, r_attr_flags = 0,
      r_operational_attrs = 0x0, r_attrs = 0x0, r_nentries = 0, r_v2ref = 0x0}},
sr_flags = 0}
        tag = 102
        opidx = SLAP_OP_MODIFY
        conn = (Connection *) 0xb7f7a274
        memctx = (void *) 0x9c16990
        memctx_null = (void *) 0x0
        memsiz = 1048576
        __PRETTY_FUNCTION__ = "connection_operation"
#10 0x08079d99 in connection_read_thread (ctx=0x2370210, argv=0x27) at
../../../servers/slapd/connection.c:1241
        rc = 0
        cri = {op = 0x9c16a28, func = 0, arg = 0x0, ctx = 0x2370210, nullop =
0}
        s = 39
#11 0x003ad389 in ldap_int_thread_pool_wrapper (xpool=0x99dfab0) at
../../../libraries/libldap_r/tpool.c:663
        pool = (struct ldap_int_thread_pool_s *) 0x99dfab0
        task = (ldap_int_thread_task_t *) 0x52502480
        work_list = (ldap_int_tpool_plist_t *) 0x99dfb30
        ctx = {ltu_id = 37161888, ltu_key = {{ltk_key = 0x80793bb, ltk_data =
0x9c168a0, ltk_free = 0x80791ab <conn_counter_destroy>}, {
      ltk_key = 0x80e66d5, ltk_data = 0x9c16990, ltk_free = 0x80e64e8
<slap_sl_mem_destroy>}, {ltk_key = 0x8092ceb, ltk_data = 0x0,
      ltk_free = 0x8092c48 <slap_op_q_destroy>}, {ltk_key = 0x9af2498, ltk_data
= 0x9c12970, ltk_free = 0xdf2796 <bdb_reader_free>}, {ltk_key = 0x9af5a80,
      ltk_data = 0x9c31dd0, ltk_free = 0xdf2796 <bdb_reader_free>}, {ltk_key =
0xde0b96, ltk_data = 0x44e44008, ltk_free = 0xde0b6b <search_stack_free>}, {
      ltk_key = 0x0, ltk_data = 0x0, ltk_free = 0} <repeats 26 times>}}
        kctx = (ldap_int_thread_userctx_t *) 0x0
        i = 32
        keyslot = 580
        hash = 5761604
        __PRETTY_FUNCTION__ = "ldap_int_thread_pool_wrapper"
#12 0x008ad3cc in start_thread () from /lib/tls/libpthread.so.0
No symbol table info available.
#13 0x001ddc3e in clone () from /lib/tls/libc.so.6
No symbol table info available.

any further info available upon request
Comment 1 Luca Scamoni 2009-05-14 08:15:58 UTC
Last lines in log file
May 14 07:50:25 quercia01 slapd[29850]: conn=57 op=68 MOD dn="cn=CRL7,ou=Regione Lombardia Certification Authority Cittadini,o=Regione Lombardia,c=IT,dc=a,dc=prod,dc=actalis"
May 14 07:50:25 quercia01 slapd[29850]: conn=57 op=68 MOD attr=certificateRevocationList;binary
May 14 07:50:25 quercia01 slapd[29850]: slap_queue_csn: queing 0x236e980 20090514055025.683019Z#000000#000#000000


Ing. Luca Scamoni
Head of Research and Development

SysNet s.r.l.
Gruppo Partners Associates
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office:  +39 0382 573859 (137)
Fax:     +39 0382 476497
Email:   luca.scamoni@sys-net.it
-----------------------------------

Comment 2 Howard Chu 2009-05-14 08:38:51 UTC
luca@OpenLDAP.org wrote:
> Full_Name: Luca Scamoni
> Version: 2.4.16
> OS: Linux
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (82.63.140.131)
>
>
> Master segfaulted in hdb_index_mask. For some reason desc is NULL.
> Backtrace:

In frame 1 print *ap

> #0  0x00de2d92 in hdb_index_mask (be=0x236ec90, desc=0x0, atname=0x236e958) at
> index.c:47
>          at = (AttributeType *) 0x99f5f48
>          ai = (AttrInfo *) 0x0
> #1  0x00dd8ca5 in bdb_modify_idxflags (op=0x9c16a28, desc=0x9af4078,
> got_delete=1, newattrs=0x5414fdac, oldattrs=0x5414fdac) at modify.c:54
>          ap = (Attribute *) 0x5414fdac
>          ix2 = {bv_len = 0, bv_val = 0x2370104 ""}
>          ix_at = {bv_len = 25, bv_val = 0x99f5998 "certificateRevocationList"}
>          ai = (AttrInfo *) 0x9ab07c0


-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/

Comment 3 Luca Scamoni 2009-05-14 09:01:00 UTC
Howard Chu wrote:
> 
> In frame 1 print *ap
> 
p *ap
$1 = {a_desc = 0x0, a_vals = 0x0, a_nvals = 0x0, a_numvals = 0, a_flags
= 0, a_next = 0x54149adc}




Comment 4 Howard Chu 2009-05-14 09:09:58 UTC
Luca Scamoni wrote:
> Howard Chu wrote:
>>
>> In frame 1 print *ap
>>
> p *ap
> $1 = {a_desc = 0x0, a_vals = 0x0, a_nvals = 0x0, a_numvals = 0, a_flags
> = 0, a_next = 0x54149adc}

Your frame 1 is pretty much impossible - you have oldattrs == newattrs, but in 
frame 2 the attr list was replaced by a duplicate (using attrs_dup, 
modify.c:94). Perhaps you've got a compiler bug.


Comment 5 Quanah Gibson-Mount 2009-05-14 21:25:17 UTC

--On May 14, 2009 9:10:27 AM +0000 hyc@symas.com wrote:

> Luca Scamoni wrote:
>> Howard Chu wrote:
>>>
>>> In frame 1 print *ap
>>>
>> p *ap
>> $1 = {a_desc = 0x0, a_vals = 0x0, a_nvals = 0x0, a_numvals = 0, a_flags
>> = 0, a_next = 0x54149adc}
>
> Your frame 1 is pretty much impossible - you have oldattrs == newattrs,
> but in  frame 2 the attr list was replaced by a duplicate (using
> attrs_dup,  modify.c:94). Perhaps you've got a compiler bug.

Hm, do you build with compiler optimizations enabled?  I build all of my 
OpenLDAP builds with -O0 at this point, due to too many issues cropping up 
when optimized builds were used.

--Quanah


--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra ::  the leader in open source messaging and collaboration

Comment 6 Luca Scamoni 2009-05-14 21:46:47 UTC
quanah@zimbra.com wrote:
> --On May 14, 2009 9:10:27 AM +0000 hyc@symas.com wrote:
> 
>> Luca Scamoni wrote:
>>> Howard Chu wrote:
>>>> In frame 1 print *ap
>>>>
>>> p *ap
>>> $1 = {a_desc = 0x0, a_vals = 0x0, a_nvals = 0x0, a_numvals = 0, a_flags
>>> = 0, a_next = 0x54149adc}
>> Your frame 1 is pretty much impossible - you have oldattrs == newattrs,
>> but in  frame 2 the attr list was replaced by a duplicate (using
>> attrs_dup,  modify.c:94). Perhaps you've got a compiler bug.
> 
> Hm, do you build with compiler optimizations enabled?  I build all of my 
> OpenLDAP builds with -O0 at this point, due to too many issues cropping up 
> when optimized builds were used.
> 

No. Optimization is disabled in my builds too



Comment 7 Quanah Gibson-Mount 2017-03-27 23:39:36 UTC
moved from Incoming to Software Bugs
Comment 8 Quanah Gibson-Mount 2020-03-19 17:07:54 UTC
Has not been reproduced in the decade plus
hdb no longer present in master

If you can reproduce with back-mdb and current master, please reopen.
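
The two anomalies discussed in this thread (an Attribute node whose a_desc is NULL, and oldattrs equal to newattrs although the list was expected to be a duplicate) can both be detected by a consistency check that runs before anything dereferences a_desc. The block below is an added illustration and not OpenLDAP code: the structs are simplified models that reuse only the field names a_desc and a_next from the gdb output, and dup_list, check_lists and run_scenario are hypothetical names.

```c
#include <stddef.h>
#include <stdlib.h>

/* Simplified models; only a_desc and a_next mirror fields in the gdb output. */
typedef struct AttrDesc { const char *name; } AttrDesc;
typedef struct Attr { AttrDesc *a_desc; struct Attr *a_next; } Attr;

enum { LIST_OK = 0, LIST_NULL_DESC = -1, LIST_ALIASED = -2 };

/* Hypothetical copy of the list nodes, standing in for the duplication step. */
Attr *dup_list(const Attr *src) {
    Attr *head = NULL, **tail = &head;
    for (; src != NULL; src = src->a_next) {
        Attr *n = malloc(sizeof *n);
        if (n == NULL) break;          /* return what was copied so far */
        n->a_desc = src->a_desc;
        n->a_next = NULL;
        *tail = n;
        tail = &n->a_next;
    }
    return head;
}

void free_list(Attr *a) {
    while (a != NULL) { Attr *next = a->a_next; free(a); a = next; }
}

/* Validate both lists up front instead of crashing on a NULL a_desc later. */
int check_lists(const Attr *newattrs, const Attr *oldattrs) {
    if (newattrs != NULL && newattrs == oldattrs)
        return LIST_ALIASED;           /* the list was never duplicated */
    for (const Attr *a = newattrs; a != NULL; a = a->a_next)
        if (a->a_desc == NULL) return LIST_NULL_DESC;
    for (const Attr *a = oldattrs; a != NULL; a = a->a_next)
        if (a->a_desc == NULL) return LIST_NULL_DESC;
    return LIST_OK;
}

/* Constructed scenarios: 0 = healthy copy, 1 = aliased heads, 2 = NULL a_desc. */
int run_scenario(int which) {
    AttrDesc crl = { "certificateRevocationList" };
    Attr second = { &crl, NULL }, first = { &crl, &second };
    if (which == 1) return check_lists(&first, &first);
    if (which == 2) first.a_desc = NULL;
    Attr *copy = dup_list(&first);
    int rc = check_lists(copy, &first);
    free_list(copy);
    return rc;
}
```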