Full_Name: Leonid Yuriev
Version: 2.4-HEAD
OS: Ubuntu 14.10
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (31.130.36.33)

With the following additions to main():
+ mallopt(M_CHECK_ACTION, 7);
+ mallopt(M_PERTURB, 111);

Core was generated by `/opt/openldap.devel/libexec/slapd -l LOCAL5 -d 32768 -s 0 -4 -h ldap://10.4.0.1'.
Program terminated with signal 11, Segmentation fault.
#0 0x000000000051025d in syncprov_op_abandon (op=0x7f14efffe970, rs=0x7f14efffe7b0) at syncprov.c:1134
1134 if ( so->s_op->o_connid == op->o_connid &&
(gdb) bt
#0 0x000000000051025d in syncprov_op_abandon (op=0x7f14efffe970, rs=0x7f14efffe7b0) at syncprov.c:1134
#1 0x000000000048ae3a in overlay_op_walk (op=op@entry=0x7f14efffe970, rs=0x7f14efffe7b0, which=op_abandon, oi=0x23b3030, on=0x23b3210) at backover.c:661
#2 0x000000000048afd1 in over_op_func (op=0x7f14efffe970, rs=<optimised out>, which=<optimised out>) at backover.c:730
#3 0x0000000000442ea7 in fe_op_abandon (op=0x7f14efffe970, rs=0x7f14efffe7b0) at abandon.c:136
#4 0x0000000000422d3c in connection_abandon (c=c@entry=0x7f15178fe390) at connection.c:747
#5 0x0000000000424a09 in connection_closing (c=0x7f15178fe390, why=0x538d20 <conn_lost_str> "connection lost") at connection.c:820
#6 0x00000000004255ef in connection_read (cri=<optimised out>, s=<optimised out>) at connection.c:1476
#7 connection_read_thread (ctx=0x7f14efffebd0, argv=0x12a) at connection.c:1284
#8 0x00007f1517613cf2 in ldap_int_thread_pool_wrapper (xpool=0x233d090) at tpool.c:688
#9 0x00007f1516c930a5 in start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0

A core dump is available, and additional info can be provided.
(gdb) info local on = <optimised out> si = 0x23b33f0 so = 0x7f14b444cd30 soprev = 0x7f14e02dc9b0 (gdb) p *so->s_op->o_hdr Cannot access memory at address 0x3932323134313032 (gdb) p *si $1 = {si_ops = 0x7f14e949ed60, si_contextdn = {bv_len = 7, bv_val = 0x2389e10 "dc=ldap"}, si_ctxcsn = 0x2640e60, si_sids = 0x243a6c0, si_numcsns = 4, si_chkops = 1, si_chktime = 60, si_numops = 0, si_nopres = 0, si_usehint = 1, si_active = 2, si_dirty = 0, si_chklast = 1419822205, si_mods = 0x7f14bcead650, si_logs = 0x0, si_csn_rwlock = {__data = {__lock = 0, __nr_readers = 0, __readers_wakeup = 5312, __writer_wakeup = 9078, __nr_readers_queued = 0, __nr_writers_queued = 0, __writer = 0, __shared = 0, __pad1 = 0, __pad2 = 0, __flags = 0}, __size = "\000\000\000\000\000\000\000\000\300\024\000\000v#", '\000' <repeats 41 times>, __align = 0}, si_ops_mutex = {__data = {__lock = 1, __count = 0, __owner = 30051, __nusers = 1, __kind = 0, __spins = 0, __elision = 0, __list = {__prev = 0x0, __next = 0x0}}, __size = "\001\000\000\000\000\000\000\000cu\000\000\001", '\000' <repeats 26 times>, __align = 1}, si_mods_mutex = {__data = { __lock = 0, __count = 0, __owner = 0, __nusers = 0, __kind = 0, __spins = 0, __elision = 0, __list = {__prev = 0x0, __next = 0x0}}, __size = '\000' <repeats 39 times>, __align = 0}, si_resp_mutex = {__data = {__lock = 0, __count = 0, __owner = 0, __nusers = 0, __kind = 0, __spins = 0, __elision = 0, __list = {__prev = 0x0, __next = 0x0}}, __size = '\000' <repeats 39 times>, __align = 0}} (gdb) p *so $2 = {s_next = 0x0, s_base = {bv_len = 15, bv_val = 0x7f14b4964180 "dc=ngdr,dc=ldap"}, s_eid = 4, s_op = 0x7f14b0a12d30, s_rid = 4, s_sid = 1, s_filterstr = {bv_len = 15, bv_val = 0x7f14b4000b18 "\300\f"}, s_flags = 17, s_inuse = 1, s_res = 0x7f14d19ff780, s_restail = 0x7f14c818b090, s_mutex = {__data = {__lock = 0, __count = 0, __owner = 0, __nusers = 0, __kind = 0, __spins = 0, __elision = 0, __list = {__prev = 0x0, __next = 0x0}}, __size = '\000' <repeats 39 
times>, __align = 0}} (gdb) p *so->s_op $3 = {o_hdr = 0x3932323134313032, o_tag = 25385731496096560, o_time = 8029759185026510703, o_tincr = 37, o_bd = 0x3932323134313032, o_req_dn = {bv_len = 25385731496096560, bv_val = 0x20 <Address 0x20 out of bounds>}, o_req_ndn = {bv_len = 37, bv_val = 0x7061646c3d6364 <Address 0x7061646c3d6364 out of bounds>}, o_request = {oq_add = {rs_modlist = 0x6f6f6f6f6f6f6f6f, rs_e = 0x6f6f6f6f6f6f6f6f}, oq_bind = {rb_method = 1869573999, rb_cred = {bv_len = 8029759185026510703, bv_val = 0x25 <Address 0x25 out of bounds>}, rb_edn = {bv_len = 4121411795907850290, bv_val = 0x5a303034303330 <Address 0x5a303034303330 out of bounds>}, rb_ssf = 32, rb_mech = {bv_len = 53, bv_val = 0x6 <Address 0x6 out of bounds>}}, oq_compare = {rs_ava = 0x6f6f6f6f6f6f6f6f}, oq_modify = {rs_mods = {rs_modlist = 0x6f6f6f6f6f6f6f6f, rs_no_opattrs = 111 'o'}, rs_increment = 37}, oq_modrdn = {rs_mods = {rs_modlist = 0x6f6f6f6f6f6f6f6f, rs_no_opattrs = 111 'o'}, rs_deleteoldrdn = 37, rs_newrdn = {bv_len = 4121411795907850290, bv_val = 0x5a303034303330 <Address 0x5a303034303330 out of bounds>}, rs_nnewrdn = {bv_len = 32, bv_val = 0x35 <Address 0x35 out of bounds>}, rs_newSup = 0x6, rs_nnewSup = 0x7f14b01bc820}, oq_search = {rs_scope = 1869573999, rs_deref = 1869573999, rs_slimit = 1869573999, rs_tlimit = 1869573999, rs_limit = 0x25, rs_attrsonly = 875638834, rs_attrs = 0x5a303034303330, rs_filter = 0x20, rs_filterstr = {bv_len = 53, bv_val = 0x6 <Address 0x6 out of bounds>}}, oq_abandon = {rs_msgid = 1869573999}, oq_cancel = {rs_msgid = 1869573999}, oq_extended = {rs_reqoid = {bv_len = 8029759185026510703, bv_val = 0x6f6f6f6f6f6f6f6f <Address 0x6f6f6f6f6f6f6f6f out of bounds>}, rs_flags = 37, rs_reqdata = 0x3932323134313032}, oq_pwdexop = {rs_extended = {rs_reqoid = {bv_len = 8029759185026510703, bv_val = 0x6f6f6f6f6f6f6f6f <Address 0x6f6f6f6f6f6f6f6f out of bounds>}, rs_flags = 37, rs_reqdata = 0x3932323134313032}, rs_old = {bv_len = 25385731496096560, bv_val = 
0x20 <Address 0x20 out of bounds>}, rs_new = {bv_len = 53, bv_val = 0x6 <Address 0x6 out of bounds>}, rs_mods = 0x7f14b01bc820, rs_modtail = 0x0}}, o_abandon = 0, o_cancel = 0, o_groups = 0x6f6f6f6f6f6f6f6f, o_do_not_cache = 53 '5', o_is_auth_check = 0 '\000', o_dont_replicate = 0 '\000', o_acl_priv = ACL_NONE, o_nocaching = 36 '$', o_delete_glue_parent = 0 '\000', o_no_schema_check = 0 '\000', o_no_subordinate_glue = 0 '\000', o_ctrlflag = "\000\000\000\000г\033\260\024\177", '\000' <repeats 18 times>, "oooo", o_controls = 0x25, o_authz = { sai_method = 3751589900465327636, sai_mech = {bv_len = 1617057180469906565, bv_val = 0x0}, sai_dn = {bv_len = 53, bv_val = 0xf <Address 0xf out of bounds>}, sai_ndn = {bv_len = 139726839426656, bv_val = 0x0}, sai_ssf = 0, sai_transport_ssf = 0, sai_tls_ssf = 48, sai_sasl_ssf = 0}, o_ber = 0x25, o_res_ber = 0x3932323134313032, o_callback = 0x5a303034303330, o_ctrls = 0x6f6f6f6f6f007972, o_csn = {bv_len = 37, bv_val = 0x3932323134313032 <Address 0x3932323134313032 out of bounds>}, o_private = 0x5a303034303330, o_extra = {slh_first = 0x7972}, o_next = {stqe_next = 0x35}} (gdb) p *op $4 = {o_hdr = 0x7f14efffe820, o_tag = 80, o_time = 0, o_tincr = 0, o_bd = 0x7f14efffe5d0, o_req_dn = {bv_len = 0, bv_val = 0x0}, o_req_ndn = {bv_len = 0, bv_val = 0x0}, o_request = {oq_add = { rs_modlist = 0x3, rs_e = 0x0}, oq_bind = {rb_method = 3, rb_cred = {bv_len = 0, bv_val = 0x0}, rb_edn = {bv_len = 0, bv_val = 0x0}, rb_ssf = 0, rb_mech = {bv_len = 0, bv_val = 0x0}}, oq_compare = { rs_ava = 0x3}, oq_modify = {rs_mods = {rs_modlist = 0x3, rs_no_opattrs = 0 '\000'}, rs_increment = 0}, oq_modrdn = {rs_mods = {rs_modlist = 0x3, rs_no_opattrs = 0 '\000'}, rs_deleteoldrdn = 0, rs_newrdn = {bv_len = 0, bv_val = 0x0}, rs_nnewrdn = {bv_len = 0, bv_val = 0x0}, rs_newSup = 0x0, rs_nnewSup = 0x0}, oq_search = {rs_scope = 3, rs_deref = 0, rs_slimit = 0, rs_tlimit = 0, rs_limit = 0x0, rs_attrsonly = 0, rs_attrs = 0x0, rs_filter = 0x0, rs_filterstr = {bv_len = 
0, bv_val = 0x0}}, oq_abandon = {rs_msgid = 3}, oq_cancel = {rs_msgid = 3}, oq_extended = {rs_reqoid = { bv_len = 3, bv_val = 0x0}, rs_flags = 0, rs_reqdata = 0x0}, oq_pwdexop = {rs_extended = {rs_reqoid = {bv_len = 3, bv_val = 0x0}, rs_flags = 0, rs_reqdata = 0x0}, rs_old = {bv_len = 0, bv_val = 0x0}, rs_new = {bv_len = 0, bv_val = 0x0}, rs_mods = 0x0, rs_modtail = 0x0}}, o_abandon = 0, o_cancel = 0, o_groups = 0x0, o_do_not_cache = 0 '\000', o_is_auth_check = 0 '\000', o_dont_replicate = 0 '\000', o_acl_priv = ACL_NONE, o_nocaching = 0 '\000', o_delete_glue_parent = 0 '\000', o_no_schema_check = 0 '\000', o_no_subordinate_glue = 0 '\000', o_ctrlflag = '\000' <repeats 31 times>, o_controls = 0x0, o_authz = {sai_method = 0, sai_mech = {bv_len = 0, bv_val = 0x0}, sai_dn = {bv_len = 0, bv_val = 0x0}, sai_ndn = {bv_len = 0, bv_val = 0x0}, sai_ssf = 0, sai_transport_ssf = 0, sai_tls_ssf = 0, sai_sasl_ssf = 0}, o_ber = 0x0, o_res_ber = 0x0, o_callback = 0x7f14efffe5a0, o_ctrls = 0x0, o_csn = {bv_len = 0, bv_val = 0x0}, o_private = 0x0, o_extra = {slh_first = 0x0}, o_next = {stqe_next = 0x0}} (gdb) p *soprev $5 = {s_next = 0x7f14b444cd30, s_base = {bv_len = 15, bv_val = 0x7f14e063fb20 "dc=ngdr,dc=ldap"}, s_eid = 4, s_op = 0x7f14e0260c70, s_rid = 4, s_sid = 2, s_filterstr = {bv_len = 15, bv_val = 0x7f14e0000b18 "\300\f"}, s_flags = 2, s_inuse = 1, s_res = 0x0, s_restail = 0x0, s_mutex = {__data = {__lock = 0, __count = 0, __owner = 0, __nusers = 0, __kind = 0, __spins = 0, __elision = 0, __list = {__prev = 0x0, __next = 0x0}}, __size = '\000' <repeats 39 times>, __align = 0}} (gdb) p op->o_hdr $6 = (Opheader *) 0x7f14efffe820 (gdb) p *op->o_hdr $7 = {oh_opid = 0, oh_connid = 15472, oh_conn = 0x7f15178fe390, oh_msgid = 0, oh_protocol = 0, oh_tid = 0, oh_threadctx = 0x0, oh_tmpmemctx = 0x0, oh_tmpmfuncs = 0x0, oh_counters = 0x0, oh_log_prefix = '\000' <repeats 255 times>} (gdb) p *op->o_hdr->oh_conn $8 = {c_struct_state = SLAP_C_USED, c_conn_state = SLAP_C_CLOSING, 
c_conn_idx = 298, c_sd = 298, c_close_reason = 0x538d20 <conn_lost_str> "connection lost", c_mutex = {__data = {__lock = 1, __count = 0, __owner = 30051, __nusers = 1, __kind = 0, __spins = 0, __elision = 0, __list = {__prev = 0x0, __next = 0x0}}, __size = "\001\000\000\000\000\000\000\000cu\000\000\001", '\000' <repeats 26 times>, __align = 1}, c_sb = 0x7f14d43369e0, c_starttime = 1419822255, c_activitytime = 1419822255, c_connid = 15472, c_peer_domain = {bv_len = 7, bv_val = 0x7f14d495fdc0 "unknown"}, c_peer_name = { bv_len = 18, bv_val = 0x7f14d495be10 "IP=127.0.0.1:52784"}, c_listener = 0x231d210, c_sasl_bind_mech = {bv_len = 0, bv_val = 0x0}, c_sasl_dn = {bv_len = 0, bv_val = 0x0}, c_sasl_authz_dn = { bv_len = 0, bv_val = 0x0}, c_authz_backend = 0x2388eb0, c_authz_cookie = 0x0, c_authz = {sai_method = 128, sai_mech = {bv_len = 0, bv_val = 0x0}, sai_dn = {bv_len = 7, bv_val = 0x7f14a8adeef0 "dc=ldap"}, sai_ndn = {bv_len = 7, bv_val = 0x7f14a8c3e860 "dc=ldap"}, sai_ssf = 0, sai_transport_ssf = 0, sai_tls_ssf = 0, sai_sasl_ssf = 0}, c_protocol = 3, c_ops = { stqh_first = 0x7f14c13dfa50, stqh_last = 0x7f14c13dfbb8}, c_pending_ops = {stqh_first = 0x0, stqh_last = 0x7f15178fe4b8}, c_write1_mutex = {__data = {__lock = 0, __count = 0, __owner = 0, __nusers = 0, __kind = 0, __spins = 0, __elision = 0, __list = {__prev = 0x0, __next = 0x0}}, __size = '\000' <repeats 39 times>, __align = 0}, c_write1_cv = {__data = {__lock = 0, __futex = 0, __total_seq = 0, __wakeup_seq = 0, __woken_seq = 0, __mutex = 0x0, __nwaiters = 0, __broadcast_seq = 0}, __size = '\000' <repeats 47 times>, __align = 0}, c_write2_mutex = {__data = {__lock = 0, __count = 0, __owner = 0, __nusers = 0, __kind = 0, __spins = 0, __elision = 0, __list = {__prev = 0x0, __next = 0x0}}, __size = '\000' <repeats 39 times>, __align = 0}, c_write2_cv = {__data = { __lock = 0, __futex = 0, __total_seq = 0, __wakeup_seq = 0, __woken_seq = 0, __mutex = 0x0, __nwaiters = 0, __broadcast_seq = 0}, __size = '\000' 
<repeats 47 times>, __align = 0}, c_currentber = 0x0, c_writers = 0, c_writing = 0 '\000', c_sasl_bind_in_progress = 0 '\000', c_writewaiter = 0 '\000', c_is_tls = 0 '\000', c_needs_tls_accept = 0 '\000', c_sasl_layers = 0 '\000', c_sasl_done = 0 '\000', c_sasl_authctx = 0x0, c_sasl_sockctx = 0x0, c_sasl_extra = 0x0, c_sasl_bindop = 0x0, c_pagedresults_state = {ps_be = 0x0, ps_size = 0, ps_count = 0, ps_cookie = 0, ps_cookieval = {bv_len = 0, bv_val = 0x0}}, c_n_ops_received = 3, c_n_ops_executing = 1, c_n_ops_pending = 0, c_n_ops_completed = 2, c_n_get = 3, c_n_read = 3, c_n_write = 0, c_extensions = 0x0, c_clientfunc = 0x0, c_clientarg = 0x0, c_send_ldap_result = 0x435340 <slap_send_ldap_result>, c_send_search_entry = 0x435d80 <slap_send_search_entry>, c_send_search_reference = 0x437270 <slap_send_search_reference>, c_send_ldap_extended = 0x435a50 <slap_send_ldap_extended>, c_send_ldap_intermediate = 0x435bf0 <slap_send_ldap_intermediate>}
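Let's look at syncprov_matchops() in syncprov.c.

Lines 1233-1235 (beginning of the loop):
    ldap_pvt_thread_mutex_lock( &si->si_ops_mutex );
    for (ss = si->si_ops, sprev = (syncops *)&si->si_ops; ss; sprev = ss, ss=snext)

Lines 1273-1275:
    ss = sprev;
    continue;
    }

and line 1347 (near the end of the loop):
    syncprov_free_syncop( ss );

It seems that the syncops freed at line 1347 could still be referenced through line 1273 on the next iteration of the loop, i.e. a use-after-free of a list node. The dump above is consistent with freed memory being read: with mallopt(M_PERTURB, 111) glibc fills freed memory with the byte 0x6f, and the fields of *so->s_op hold 0x6f6f6f6f6f6f6f6f.

Leonid.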
Please review attached patch and merge-in. Leonid. --- The attached files is derived from OpenLDAP Software. All of the modifications to OpenLDAP Software represented in the following patch(es) were developed by Peter-Service LLC, Moscow, Russia. Peter-Service LLC has not assigned rights and/or interest in this work to any party. I, Leonid Yuriev am authorized by Peter-Service LLC, my employer, to release this work under the following terms. Peter-Service LLC hereby places the following modifications to OpenLDAP Software (and only these modifications) into the public domain. Hence, these modifications may be freely used and/or redistributed for any purpose with or without attribution and/or other notice.
I think this is a duplicate of ITS#5452. Happy New Year! Leonid.
Patch update: a syncops record is now detached from the op-list CONDITIONALLY, only when it was freed by syncprov_free_syncop. The syncprov_drop_psearch() and syncprov_drop_psearch() [sic: the same name is given twice; the other function is presumably syncprov_free_syncop()] now return a flag, which is nonzero if the given syncops was freed. Leonid. 29.12.2014 13:50, Leonid Yuriev пишет: > Please review attached patch and merge-in. > > Leonid. > > --- > > The attached files is derived from OpenLDAP Software. All of the > modifications > to OpenLDAP Software represented in the following patch(es) were > developed by > Peter-Service LLC, Moscow, Russia. Peter-Service LLC has not assigned > rights > and/or interest in this work to any party. I, Leonid Yuriev am > authorized by > Peter-Service LLC, my employer, to release this work under the > following terms. > > Peter-Service LLC hereby places the following modifications to > OpenLDAP Software > (and only these modifications) into the public domain. Hence, these > modifications may be freely used and/or redistributed for any purpose > with or without attribution and/or other notice. >
changed notes changed state Open to Test moved from Incoming to Software Bugs
Leonid Yuriev wrote: > Patch update: > > Detaching a syncops record from op-list CONDITIONALLY, only when it > was freed by syncprov_free_syncop. > The syncprov_drop_psearch() and syncprov_drop_psearch() now returns > a flag, which is nonzero if the given syncops was freed. Thanks, applied to master. > > Leonid. > > 29.12.2014 13:50, Leonid Yuriev пишет: >> Please review attached patch and merge-in. >> >> Leonid. >> >> --- >> >> The attached files is derived from OpenLDAP Software. All of the >> modifications >> to OpenLDAP Software represented in the following patch(es) were >> developed by >> Peter-Service LLC, Moscow, Russia. Peter-Service LLC has not assigned >> rights >> and/or interest in this work to any party. I, Leonid Yuriev am >> authorized by >> Peter-Service LLC, my employer, to release this work under the >> following terms. >> >> Peter-Service LLC hereby places the following modifications to >> OpenLDAP Software >> (and only these modifications) into the public domain. Hence, these >> modifications may be freely used and/or redistributed for any purpose >> with or without attribution and/or other notice. >> > -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/
changed notes changed state Test to Release
changed notes
dup ITS#5452 fixed in master fixed in RE25 fixed in RE24
changed notes changed state Release to Closed