another 2.5.1pre keywords-related coredump

Nix nix at esperi.org.uk
Mon Oct 5 20:28:31 UTC 2009


In the middle of an rnews -U of several thousand articles (suck had
failed due to shared library messups for several days running):

Oct  5 21:07:50 spindle notice: offered <4ac67d02$0$1614$742ec2ed at news.sonic.net> firedrake
Oct  5 21:07:50 spindle notice: offered <t+1yZlC08OxKFAN3 at musonix.demon.co.uk> firedrake
Oct  5 21:07:50 spindle notice: offered <c1a608a0-e8f2-43f7-abc2-b53bc447fe7c at p36g2000vbn.googlegroups.com> firedrake
Oct  5 21:07:50 spindle notice: offered <h9vkj6$seg$1 at news.eternal-september.org> firedrake
Oct  5 21:07:50 spindle notice: offered <a2999743-9aaa-40b4-96c8-98f5ba5f0328 at m38g2000yqd.googlegroups.com> firedrake
Oct  5 21:07:50 spindle notice: offered <slrnhciqna.8cr.dbd at gatekeeper.vic.com> firedrake
Oct  5 21:07:50 spindle notice: offered <S1cb7.394 at netfunny.com> firedrake
Oct  5 21:07:50 spindle notice: ME source lost . Exiting

Yes, it's another coredump:

(gdb) bt
#0  0x00007ff490dfcd65 in raise () from /lib/libc.so.6
#1  0x00007ff490dff9ef in *__GI_abort () at abort.c:88
#2  0x00007ff490e31d0d in __libc_message () from /lib/libc.so.6
#3  0x00007ff490e3b505 in malloc_printerr () from /lib/libc.so.6
#4  0x00007ff490e3fe3c in free () from /lib/libc.so.6
#5  0x000000000040a687 in ARTpost ()
#6  0x0000000000416c25 in NCproc ()
#7  0x00000000004118fb in CHANreadloop ()
#8  0x0000000000413ed6 in main ()
(gdb)

Hm. No line numbers. That's frustrating. Looks like a bug in gdb; I'll
attack that next.

... a bit of temporary bashing with symbol-file yields one important
line number:

#5  0x000000000040a687 in ARTpost (cp=0x7ff4903c9750) at art.c:1943

(with v8638 plus the keywords crash patch). Unsurprisingly this too is
in the not-heavily-tested keywords code.

There's a really suspicious comment on that line:

	if (hc->Value)
	  free(hc->Value);		/* malloc'd within */

Judging from the definition of HDR(), this is seriously bad. Maybe some
strdup()ping is in order? (One wonders why anyone would consider
free()ing something that wasn't malloc()ed: sure, it could be a mistake,
but *actually commenting on it on the same line*, well... ;} )

valgrind output as confirmation, still, annoyingly, without line numbers
(something very odd is going on with my debug info), but I doubt you'll
need them, really: the bug is obvious enough even to me, and I'm
flattened with a cold right now or I'd fix it as well:

Mon Oct  5 21:19:34 2009: starting
Oct  5 21:19:40.080 + news.srvr.nix <200910052219.19308.robert.wohlrab at gmx.de> 3051
==14702==
==14702== Invalid free() / delete / delete[]
==14702==    at 0x4C2356D: free (in /pkg/valgrind/3.4-090606/lib/valgrind/amd64-linux/vgpreload_memcheck.so)
==14702==    by 0x40A686: ARTpost (in /pkg/inn/2.5-090928/lib/news/bin/innd)
==14702==    by 0x416C24: NCproc (in /pkg/inn/2.5-090928/lib/news/bin/innd)
==14702==    by 0x4118FA: CHANreadloop (in /pkg/inn/2.5-090928/lib/news/bin/innd)
==14702==    by 0x413ED5: main (in /pkg/inn/2.5-090928/lib/news/bin/innd)
==14702==  Address 0x68d10c8 is 456 bytes inside a block of size 8,192 alloc'd
==14702==    at 0x4C2499F: realloc (in /pkg/valgrind/3.4-090606/lib/valgrind/amd64-linux/vgpreload_memcheck.so)
==14702==    by 0x5283E58: x_realloc (in /pkg/inn/2.5-090928/lib/news/lib/libinn.so.2.0.0)
==14702==    by 0x41073E: CHANresize (in /pkg/inn/2.5-090928/lib/news/bin/innd)
==14702==    by 0x410F0F: CHANreadtext (in /pkg/inn/2.5-090928/lib/news/bin/innd)
==14702==    by 0x417A92: NCreader (in /pkg/inn/2.5-090928/lib/news/bin/innd)
==14702==    by 0x4118FA: CHANreadloop (in /pkg/inn/2.5-090928/lib/news/bin/innd)
==14702==    by 0x413ED5: main (in /pkg/inn/2.5-090928/lib/news/bin/innd)

Thankfully the crash is not caused by some complex cross-article arena
corruption but is reproducibly caused by the attached article (still in
wire format, as an application/octet-stream accordingly):

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 1
Type: application/octet-stream
Size: 9480 bytes
Desc: crash article (rhf.reruns summary!)
URL: <https://lists.isc.org/pipermail/inn-workers/attachments/20091005/2d3d3846/attachment.obj>
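Added example (not INN's code, and not from the poster): a small C model of the failure valgrind reports above and of the fix the mail suggests. A header "Value" that is merely a pointer into the channel's realloc()'d input buffer must never be passed to free(); the header has to own its own copy (the strdup() route) for that free() to be valid. The chan/hdr types, the function names and the sample article below are hypothetical stand-ins for INN's CHANNEL, HDR() and the attached article, chosen so the block runs on its own.

```c
/* Added example, not INN's code: a model of why the bare free(hc->Value)
 * aborts when Value is a pointer into the channel's realloc()'d input
 * buffer, and of the "own a copy, then free it" fix.  The chan/hdr types
 * and functions are hypothetical stand-ins for INN's CHANNEL and HDR(). */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct chan { char *data; size_t size; size_t used; };   /* growable input */
struct hdr  { char *value; size_t length; int owned; };  /* one header slot */

/* Append wire-format text, growing with realloc() the way CHANresize does. */
static void chan_append(struct chan *cp, const char *text, size_t len)
{
    if (cp->used + len + 1 > cp->size) {
        size_t nsize = cp->size ? cp->size : 64;
        while (cp->used + len + 1 > nsize)
            nsize *= 2;
        cp->data = realloc(cp->data, nsize);
        if (cp->data == NULL)
            abort();
        cp->size = nsize;
    }
    memcpy(cp->data + cp->used, text, len);
    cp->used += len;
    cp->data[cp->used] = '\0';
}

/* Find "Name: value\r\n".  copy == 0 leaves value pointing into cp->data
 * (what valgrind reported); copy == 1 gives the header its own block. */
static int hdr_find(const struct chan *cp, const char *name, int copy,
                    struct hdr *hc)
{
    size_t nlen = strlen(name);
    const char *p = cp->data;

    memset(hc, 0, sizeof *hc);
    for (; (p = strstr(p, name)) != NULL; p++) {
        const char *v, *e;
        if ((p != cp->data && p[-1] != '\n') || p[nlen] != ':')
            continue;                     /* not at line start, or no colon */
        for (v = p + nlen + 1; *v == ' ' || *v == '\t'; v++)
            ;
        e = strstr(v, "\r\n");
        hc->length = (size_t)((e != NULL ? e : v + strlen(v)) - v);
        if (!copy) {
            hc->value = (char *)v;        /* a view, not an allocation */
            return 1;
        }
        hc->value = malloc(hc->length + 1);   /* the strdup() route */
        if (hc->value == NULL)
            return 0;
        memcpy(hc->value, v, hc->length);
        hc->value[hc->length] = '\0';
        hc->owned = 1;
        return 1;
    }
    return 0;
}

/* The check valgrind did for us: byte offset of value inside the channel
 * block ("Address X is N bytes inside a block of size M"), or -1. */
static long hdr_offset_in_chan(const struct hdr *hc, const struct chan *cp)
{
    uintptr_t off = (uintptr_t)hc->value - (uintptr_t)cp->data;
    return hc->value != NULL && off < cp->size ? (long)off : -1;
}

/* What the free() at art.c:1943 needs to become: release only what the
 * header owns.  Returns 1 if a block was freed, 0 if value was a view. */
static int hdr_release(struct hdr *hc)
{
    int freed = hc->value != NULL && hc->owned;
    if (freed)
        free(hc->value);
    hc->value = NULL; hc->length = 0; hc->owned = 0;
    return freed;
}

int main(void)
{
    /* Constructed article, not the one attached to the mail. */
    static const char art[] =
        "Path: example!not-for-mail\r\nFrom: nobody@example.invalid\r\n"
        "Keywords: rhf, reruns\r\nSubject: test\r\n\r\nbody\r\n";
    struct chan cp = { NULL, 0, 0 };
    struct hdr hc;
    long off;

    chan_append(&cp, art, sizeof art - 1);
    hdr_find(&cp, "Keywords", 0, &hc);
    off = hdr_offset_in_chan(&hc, &cp);
    printf("view: %ld bytes inside a block of size %zu, freed=%d\n",
           off, cp.size, hdr_release(&hc));
    hdr_find(&cp, "Keywords", 1, &hc);
    off = hdr_offset_in_chan(&hc, &cp);
    printf("copy: offset %ld (own block), freed=%d\n", off, hdr_release(&hc));
    free(cp.data);
    return 0;
}
```

The view case is exactly the shape of the valgrind report: the pointer lands some bytes inside the 8,192-byte block that CHANresize realloc()'d, so glibc's free() finds no chunk header there and aborts. Once the header owns a copy, free() is paired with a matching malloc() and the same release path is legitimate; the owned flag is what a reviewer would want to see next to that "malloc'd within" comment.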