innfeed segfaults on NULL buffer in getBanner() - mine too..

Mon Aug 20 11:51:24 UTC 2007

Hi,

I do not know what to do with that system signal flag 16 on FreeBSD 6.2 (*64* bits).
It is perhaps not INN's fault and the problem should be reported to the maintainers
of the port of INN for FreeBSD <http://www.freebsd.org/cgi/cvsweb.cgi/ports/news/inn/>,
unless someone here has an idea of what is going on.

By the way, does INN 2.4.x work fine on FreeBSD 6.2 (*32* bits)?

It is worth mentioning that they have been reporting INN 2.5 to be broken for
six months ("BROKEN: Does not install") in
<http://www.freebsd.org/cgi/cvsweb.cgi/ports/news/inn-current/>.

For record, the problem happens here, in innfeed/buffer.c:

Buffer *makeBufferArray (Buffer buff, ...)
{
  va_list ap ;
  size_t cLen = 10, idx = 0 ;
  Buffer *ptr, p ;

  ptr = xcalloc (cLen, sizeof(Buffer)) ;

  ptr [idx++] = buff ;     <-----------------------------------------

  va_start (ap, buff) ;
  do
    {
      p = va_arg (ap, Buffer) ;
      if (idx == cLen)
        {
          cLen += 10 ;
          ptr = xrealloc (ptr, sizeof(Buffer) * cLen) ;
        }
      ptr [idx++] = p ;
    }
  while (p != NULL) ;
  va_end (ap) ;

  return ptr ;
}

-- 
Julien ÉLIE

Previous message for further information:

>> I believe I have found where exactly the inbuffer is NULLified.
>> It disappears during a handleSignals() call in endpoint.c.
>>
>> What we are tracking is the content of priorityList[1].
>
> And also why sigFlags[16] is always set to 5693512.
> Well, why is not it 0?
> Does someone know what that SIGURG signal means?  And especially
> how to prevent it from happening?
>
> On that FreeBSD, I have in /usr/include/sys/signal.h:
>
> #if __POSIX_VISIBLE >= 200112 || __XSI_VISIBLE
> #define SIGURG          16      /* urgent condition on IO channel */
> #endif
>
> So there is an urgent socket condition which happens during:
>
> 1246          readBuffers = makeBufferArray (bufferTakeRef (cxn->respBuffer), NULL) ;
>
>
>
> Breakpoint 6, makeBufferArray (buff=0x56e048) at buffer.c:295
> 295       size_t cLen = 10, idx = 0 ;
> (gdb)
> 298       ptr = xcalloc (cLen, sizeof(Buffer)) ;
> (gdb)
> x_calloc (n=10, size=8, file=0x4493b8 "buffer.c", line=298) at xmalloc.c:98
>
>
> The size (8) is right (64-bit architecture).
> (gdb) print sizeof(buff)
> $38 = 8
>
>
> 300       ptr [idx++] = buff ;
> (gdb) print sigFlags[16]
> $39 = 0
> (gdb) step
> 302       va_start (ap, buff) ;
> (gdb) print sigFlags[16]
> $40 = 5693512
>
>
> Well, it is "ptr [idx++] = buff ;" which causes sigFlags[16] not to be null.
>
>
> (gdb) print ptr
> $60 = (Buffer *) 0x56f800
> (gdb) print *ptr
> $61 = 0x56e048
> (gdb) print **ptr
> $62 = {refCount = 2, mem = 0x56d400 "", memSize = 256, dataSize = 0, deletable = true,
> bufferDeletedCbk = 0, bufferDeletedCbkData = 0x0, next = 0x56e000, prev = 0x0} 