innfeed segfaults on NULL buffer in getBanner() - mine too..

Julien ÉLIE julien at trigofacile.com
Fri Aug 3 12:26:27 UTC 2007


In reply to Kai Gallasch:
> I have some problem with innfeed crashing a few seconds after starting
> up. For several weeks we are now trying to get our inn-2.4.3_2 running
> inside a FreeBSD 6.2 jail on our opteron server.

Is your news server still not working?


> This crashing of innfeed seems to be related to an issue discussed on
> the inn-workers mailinglist in Feb. 2007.
>
> http://lists.litech.org/pipermail/inn-workers/2007q1/013637.html
>
> Does anyone else on the list have knowledge of other installations that
> show similar problems with innfeed? Problems with a segfaulting innfeed
> and inn-2.4.3_2 possibly running FreeBSD?

Does the crash happen every time you start innfeed?  And with all the
news servers to which you try to connect?


> I already notified the FreeBSD Ports maintainer of the inn port about
> the issue, but have until now got no feedback from him.

Still no feedback?


> #0  0x000000000040585c in bufferBase (buff=0x0) at buffer.c:230
> #1  0x0000000000421c2c in getBanner (e=0x57b300, i=IoDone, b=0x56e980,
> d=0x57b000) at connection.c:1392
> #2  0x000000000040c210 in Run () at endpoint.c:752
> #3  0x000000000041a66f in main (argc=0, argv=0x7fffffffeb68) at main.c:478
> (gdb) print *cxn
> $1 = {myHost = 0x56a400, myEp = 0x57b300, ident = 0, state =
> cxnConnectingS, checkHead = 0x0, checkRespHead = 0x0, takeHead = 0x0,
> takeRespHead = 0x0, articleQTotal = 0, missing = 0x0,
>  respBuffer = 0x575048, ipName = 0x567b20 "news.verbrennung.org",
> maxCheck = 1, port = 119, articleReceiptTimeout = 600, artReceiptTimerId
> = 0, readTimeout = 300, readBlockedTimerId = 4,
>  writeTimeout = 300, writeBlockedTimerId = 0, flushTimeout = 82059,
> flushTimerId = 5, sleepTimeout = 30, sleepTimerId = 0, loggedNoCr =
> false, immedRecon = false, doesStreaming = false,
>  authenticated = false, quitWasIssued = false, needsChecks = true,
> timeCon = 0, artsTaken = 0, checksIssued = 0, checksRefused = 0,
> takesRejected = 0, takesOkayed = 0, takesSizeRejected = 0,
>  takesSizeOkayed = 0, onThreshold = 47.5, offThreshold = 45,
> filterValue = 0, lowPassFilter = 50, next = 0x0}
> (gdb) p b
> $2 = (Buffer *) 0x56e980
> (gdb) p *b
> $3 = 0x0
> (gdb) p *(struct buffer_s*)b
> $4 = {refCount = 0, mem = 0x0, memSize = 0, dataSize = 0, deletable =
> false, bufferDeletedCbk = 0, bufferDeletedCbkData = 0x0, next = 0x0,
> prev = 0x0}

I see that respBuffer = 0x575048 so b[0] should be 0x575048 according to:

# connection.c (line 1388)
static void getBanner (EndPoint e, IoStatus i, Buffer *b, void *d)
{
  Buffer *readBuffers ;
  Connection cxn = (Connection) d ;
  char *p = bufferBase (b[0]) ;
  int code ;
  bool isOk = false ;
  const char *peerName ;
  char *rest ;

  ASSERT (e == cxn->myEp) ;
  ASSERT (b[0] == cxn->respBuffer) ;
  ASSERT (b[1] == NULL) ;
  ASSERT (cxn->state == cxnConnectingS) ;
  ASSERT (!writeIsPending (cxn->myEp));


By the way, if the two assertions on b were *before* the assignment of *p,
innfeed would not segfault, but only cause an assertion failure.
Hm, and what if:
char *p = bufferBase (cxn->respBuffer) ;

Wouldn't it be the same and maybe work here?
(However, it would not explain why b is NULL...)

-- 
Julien ÉLIE

« O time, suspend your flight! And you, propitious hours. » (Alphonse de Lamartine)
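
An added example, not part of the original message and not innfeed's own code: the reordering suggested above, where the argument checks run before bufferBase() is called, so the NULL b[0] seen in the gdb dump becomes a reported error instead of a segfault. Buffer, struct conn, bannerArgs, the status names and the sample banner are simplified stand-ins assumed for the illustration.

```c
/* Added illustration: simplified stand-ins, not innfeed's own types or code. */
#include <stddef.h>
#include <stdio.h>

typedef struct buffer_s { char *mem; size_t dataSize; } *Buffer;
struct conn { Buffer respBuffer; };   /* only the field the checks need */
typedef enum { ARGS_OK, ARGS_NULL_SLOT, ARGS_WRONG_BUFFER, ARGS_EXTRA_BUFFER } ArgStatus;

static char banner[] = "200 constructed banner\r\n";   /* constructed sample data */

/* Stand-in for bufferBase(): dereferences its argument, so a NULL
   argument faults just as in frame #0 of the backtrace. */
static char *bufferBase(Buffer buff) { return buff->mem; }

/* Check the callback arguments first, dereference only afterwards.
   On success *p is the buffer's data pointer; otherwise *p stays NULL. */
static ArgStatus bannerArgs(const struct conn *cxn, Buffer *b, char **p)
{
    *p = NULL;
    if (b == NULL || b[0] == NULL) return ARGS_NULL_SLOT;
    if (b[0] != cxn->respBuffer)   return ARGS_WRONG_BUFFER;
    if (b[1] != NULL)              return ARGS_EXTRA_BUFFER;
    *p = bufferBase(b[0]);
    return ARGS_OK;
}

/* Constructed case matching the gdb dump: b is non-NULL but b[0] == NULL. */
static ArgStatus demoNullSlot(void)
{
    struct buffer_s resp = { banner, sizeof banner - 1 };
    struct conn cxn = { &resp };
    Buffer zeroed[2] = { NULL, NULL };
    char *p;
    return bannerArgs(&cxn, zeroed, &p);
}

/* Constructed healthy case: b[0] is the connection's response buffer. */
static ArgStatus demoGood(void)
{
    struct buffer_s resp = { banner, sizeof banner - 1 };
    struct conn cxn = { &resp };
    Buffer ok[2] = { &resp, NULL };
    char *p;
    ArgStatus s = bannerArgs(&cxn, ok, &p);
    return (s == ARGS_OK && p == banner) ? ARGS_OK : ARGS_WRONG_BUFFER;
}

int main(void) { printf("null slot -> %d, good -> %d\n", demoNullSlot(), demoGood()); return 0; }
```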


