
(ITS#4976) memory corruption in test008-concurrency

Full_Name: Hallvard B Furuseth
Version: HEAD, RE23
OS: Linux
Submission from: (NULL) (
Submitted by: hallvard

Slapd sometimes crashes with memory corruption in test008-concurrency.

./configure LIBS="-lmcheck" (a glibc memory checking library)
provokes the bug regularly: it dumps core after reporting "memory
clobbered before allocated block" somewhere in the test output.

It still happens with no avoidable non-OpenLDAP packages (testing with
back-null or back-ldif):

bash$ ./configure --disable-backends --enable-null --disable-overlays \
	--without-cyrus-sasl --without-tls --quiet LIBS="-lmcheck"

"configure --without-threads" seems to prevent the crash, so I presume
it's thread-related.  So far, Valgrind has prevented it too:-(
If someone has Purify, maybe that can find it.

Patch needed to test with back-null:

--- tests/data/slapd.conf~	2007-01-06 20:35:00 +0100
+++ tests/data/slapd.conf	2007-05-19 19:45:23 +0200
@@ -40,3 +40,6 @@
 suffix		"dc=example,dc=com"
-directory	@TESTDIR@/db.1.a
+#bdb#directory	@TESTDIR@/db.1.a
+#hdb#directory	@TESTDIR@/db.1.a
+#ldif#directory	@TESTDIR@/db.1.a
+#null#bind	on
 rootdn		"cn=Manager,dc=example,dc=com"
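Review bot: removing the unconditional "directory" line in tests/data/slapd.conf leaves any backend other than bdb, hdb or ldif without a directory directive, and nothing in the file says that the "#bdb#", "#hdb#", "#ldif#" and "#null#" prefixes are meant to be uncommented per backend by a filter outside this patch. Add a short comment above the block explaining the prefix convention, and say why back-null needs "bind on" here, so the next backend added to the test suite gets a matching line instead of silently running with no directory.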
--- tests/scripts/acfilter.sh~	2007-01-06 20:35:00 +0100
+++ tests/scripts/acfilter.sh	2007-05-19 20:01:19 +0200
@@ -15,4 +15,5 @@
-# Strip comments
+# Strip comments, or remove everything with back-null
-grep -v '^#'
+test "$BACKEND" = "null" || grep -v '^#'
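Review bot: in tests/scripts/acfilter.sh the new line test "$BACKEND" = "null" || grep -v '^#' never reads stdin when BACKEND is null, so the filter exits with empty output while its input is still unread and a command piping into it can be cut off mid-write. Drain the input explicitly in the null case (for example with cat >/dev/null), and extend the comment to say why all output is discarded for back-null rather than only that it is. The hunk header also announces 4 old and 5 new lines while only two removed and two added lines are shown, so the context lines seem to be missing and the hunk may not apply as posted.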

Test loop:

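cd tests
# Run test008 once against backend $1; succeed only if the test passes
# and no core file was left behind.
try() {
	ulimit -c unlimited
	echo ./run -b $1 test008
	nice ./run -b $1 test008 && test "`echo core*`" = "core*"
}
# Alternate back-null and back-ldif until a run fails or dumps core.
(declare -i n=0; while try null && try ldif; do n=$n+1; echo "#$n done"; done)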

I don't see anything from the backtraces; they report when
the problem is noticed instead of when it is created.  E.g.:

#0  0x0039e7a2 in _dl_sysinfo_int80 () from /lib/ld-linux.so.2
#1  0x003df7a5 in raise () from /lib/tls/libc.so.6
#2  0x003e1209 in abort () from /lib/tls/libc.so.6
#3  0x00413a1a in __libc_message () from /lib/tls/libc.so.6
#4  0x00413a54 in __libc_fatal () from /lib/tls/libc.so.6
#5  0x0041fddf in mabort () from /lib/tls/libc.so.6
#6  0x0041f655 in freehook () from /lib/tls/libc.so.6
#7  0x0041a5e5 in free () from /lib/tls/libc.so.6
#8  0x080fea27 in ber_bvarray_free (a=0x0) at memory.c:744
#9  0x0806a34e in attr_clean (a=0x4dfff4) at attr.c:134
#10 0x0806a454 in attrs_free (a=0x8e56204) at attr.c:194
#11 0x0806b0c9 in entry_clean (e=0x8e4bdd4) at entry.c:473
#12 0x0806b142 in entry_free (e=0x8e4bdd4) at entry.c:483
#13 0x0806e898 in be_entry_release_rw (op=0x8e84c78, e=0x8e4bdd4, rw=6)
    at backend.c:797
#14 0x08069221 in do_add (op=0x8e84c78, rs=0xb59fe154) at add.c:197
#15 0x080626e7 in connection_operation (ctx=0xb59fe228, arg_v=0x8e84c78)
    at connection.c:1145
#16 0x08062d44 in connection_read_thread (ctx=0xb59fe228, argv=0xa)
    at connection.c:1271
#17 0x080dc75a in ldap_int_thread_pool_wrapper (xpool=0x8e04fe8) at tpool.c:725
#18 0x006193cc in start_thread () from /lib/tls/libpthread.so.0
#19 0x00480c3e in clone () from /lib/tls/libc.so.6
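
Added illustration, not part of the original report and not OpenLDAP or glibc code: a single-threaded toy guard-zone allocator showing why a checker that verifies blocks at free() reports a "clobbered before allocated block" error far from the write that caused it, and how probing between steps narrows it down. All names (g_alloc, g_probe, g_free, detected_at) and the sample scenario are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define GUARD 0xA5 /* guard fill byte (value chosen for this example) */
enum g_status { G_OK, G_HEAD, G_TAIL }; /* G_HEAD: clobbered before block */
struct g_hdr { size_t size; unsigned char guard[sizeof(size_t)]; };
/* Allocate n user bytes with a guard zone directly before and after them. */
static void *g_alloc(size_t n) {
    struct g_hdr *h = malloc(sizeof *h + n + sizeof h->guard);
    if (!h) return NULL;
    h->size = n;
    memset(h->guard, GUARD, sizeof h->guard);
    memset((unsigned char *)(h + 1) + n, GUARD, sizeof h->guard);
    return h + 1;
}
/* Check both guard zones; damage is only ever noticed when this runs. */
static enum g_status g_probe(const void *p) {
    const struct g_hdr *h = (const struct g_hdr *)p - 1;
    for (size_t i = 0; i < sizeof h->guard; i++)
        if (h->guard[i] != GUARD) return G_HEAD;
    const unsigned char *tail = (const unsigned char *)p + h->size;
    for (size_t i = 0; i < sizeof h->guard; i++)
        if (tail[i] != GUARD) return G_TAIL;
    return G_OK;
}
/* Like a checking free(): verify, release, report what was found. */
static enum g_status g_free(void *p) {
    enum g_status st = g_probe(p);
    free((struct g_hdr *)p - 1);
    return st;
}
/* Constructed scenario: `steps` units of work on one block, with a stray
 * one-byte write just before the block at step `bug_step`. Returns the step
 * at which damage was noticed (`steps` means "only at g_free"), -1 if none. */
static int detected_at(int bug_step, int steps, int probe_each_step) {
    unsigned char *p = g_alloc(16);
    int seen = -1;
    if (!p) return -2;
    for (int s = 0; s < steps && seen < 0; s++) {
        if (s == bug_step) *(p - 1) = 0;   /* the actual bug */
        else memset(p, s, 16);             /* correct, in-bounds work */
        if (probe_each_step && g_probe(p) != G_OK) seen = s;
    }
    if (g_free(p) != G_OK && seen < 0) seen = steps;
    return seen;
}
int main(void) {
    printf("free-only: %d, probed: %d\n", detected_at(3, 10, 0), detected_at(3, 10, 1));
    return 0;
}
```

glibc's mcheck offers the same kind of intermediate check through mprobe().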