Date: Mon, 25 Mar 2019 19:23:26 +0000
From: bugzilla-noreply@freebsd.org
To: pkg@FreeBSD.org
Subject: [Bug 235604] ports-mgmt/pkg: bus error / segmentation fault (core dumped)
Message-ID: <bug-235604-32340-SzPlqMeLg6@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-235604-32340@https.bugs.freebsd.org/bugzilla/>
References: <bug-235604-32340@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=235604

--- Comment #3 from Oliver Fromme <olli@FreeBSD.org> ---
Ok, I got a few minutes and rebuilt the whole thing with jemalloc debugging
and malloc option "junk:true".

The crash (SIGBUS) happens in work/pkg-1.10.5/external/libucl/src/ucl_hash.c
Line 229, in function ucl_hash_destroy():

   225                 for (k = kh_begin (h); k != kh_end (h); ++k) {
   226                         if (kh_exist (h, k)) {
   227                                 cur = (kh_value (h, k)).obj;
   228                                 while (cur != NULL) {
   229 ---->                                   tmp = cur->next;
   230                                         func (__DECONST (ucl_object_t *, cur));
   231                                         cur = tmp;
   232                                 }
   233                         }
   234                 }

(lldb) print cur
(const ucl_object_t *) $0 = 0x5a5a5a5a5a5a5a5a

Obviously it is dereferencing uninitialized memory (0x5a is the value used by
jemalloc for junk-filling when debugging is enabled).

Next I tried building with malloc-option "junk:false,zero:true".
Result: No crash.

However, some time later I tried installing libxml2, and pkg(8) crashes again
at exactly the same location, even with malloc option "zero:true".
Now we have:

(lldb) print cur
(const ucl_object_t *) $0 = 0x6c6d7862696c3a74

That looks suspiciously like ASCII characters. In fact, those bytes represent
the characters "lmxbil:t", which is "t:libxml" reversed. Obviously somehow the
pointer got overwritten with parts of a string.

At this point I could really need some help from someone who is a little more
familiar with the source code. This is taking way too much time for me.

This problem is preventing me from putting this machine into production. Being
able to properly install and update packages is crucial. If I can't get this
fixed, I'll have to try to install DragonFly or NetBSD.

-- 
You are receiving this mail because:
You are the assignee for the bug.
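
The two pointer values in the message above can be triaged mechanically. The following is an added example, not part of the original message and not code from pkg or libucl: it classifies a faulting 64-bit pointer as allocator junk fill or as overwritten string data. It assumes the value was stored in little-endian memory order, as the reversed string in the message implies; the names classify_ptr and ptr_kind are made up for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Byte that jemalloc writes with "junk:true", as stated in the message. */
#define JUNK_BYTE 0x5a

enum ptr_kind { PTR_NULL, PTR_JUNK_FILL, PTR_ASCII, PTR_OTHER };

/*
 * Classify a pointer value taken from a debugger.  When every byte is
 * printable ASCII, text receives the 8 bytes in little-endian memory
 * order (lowest address first), i.e. the string as it sat in memory.
 */
enum ptr_kind classify_ptr(uint64_t v, char text[9])
{
    unsigned char b[8];
    int junk = 1, ascii = 1;

    text[0] = '\0';
    if (v == 0)
        return PTR_NULL;
    for (int i = 0; i < 8; i++) {
        b[i] = (unsigned char)(v >> (8 * i));   /* byte at address +i */
        if (b[i] != JUNK_BYTE)
            junk = 0;
        if (b[i] < 0x20 || b[i] > 0x7e)
            ascii = 0;
    }
    if (junk)               /* tested first: 0x5a is also the letter 'Z' */
        return PTR_JUNK_FILL;
    if (ascii) {
        memcpy(text, b, 8);
        text[8] = '\0';
        return PTR_ASCII;
    }
    return PTR_OTHER;
}

int main(void)
{
    /* The two values reported by lldb in the message. */
    const uint64_t seen[] = { 0x5a5a5a5a5a5a5a5aULL, 0x6c6d7862696c3a74ULL };
    static const char *names[] = { "null", "junk fill", "ASCII", "other" };
    char text[9];

    for (size_t i = 0; i < sizeof seen / sizeof seen[0]; i++) {
        enum ptr_kind k = classify_ptr(seen[i], text);
        printf("0x%016llx: %s %s\n", (unsigned long long)seen[i], names[k], text);
    }
    return 0;
}
```

A junk-fill result points at memory that was freed or never initialized; an ASCII result points at a string write that overran into the adjacent pointer field.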
