From owner-freebsd-current@FreeBSD.ORG  Thu Jul  3 13:30:29 2014
Return-Path: <owner-freebsd-current@FreeBSD.ORG>
Delivered-To: freebsd-current@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id 6ABAE88D
 for <freebsd-current@freebsd.org>; Thu,  3 Jul 2014 13:30:29 +0000 (UTC)
Received: from smtp.fagskolen.gjovik.no (smtp.fagskolen.gjovik.no
 [IPv6:2001:700:1100:1:200:ff:fe00:b])
 (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
 (Client CN "smtp.fagskolen.gjovik.no",
 Issuer "Fagskolen i Gj??vik" (not verified))
 by mx1.freebsd.org (Postfix) with ESMTPS id A8CEA2833
 for <freebsd-current@freebsd.org>; Thu,  3 Jul 2014 13:30:28 +0000 (UTC)
Received: from mail.fig.ol.no (localhost [127.0.0.1])
 by mail.fig.ol.no (8.14.9/8.14.9) with ESMTP id s63DULDb012214
 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO);
 Thu, 3 Jul 2014 15:30:21 +0200 (CEST)
 (envelope-from trond@fagskolen.gjovik.no)
Received: from localhost (trond@localhost)
 by mail.fig.ol.no (8.14.9/8.14.9/Submit) with ESMTP id s63DUK73012211;
 Thu, 3 Jul 2014 15:30:20 +0200 (CEST)
 (envelope-from trond@fagskolen.gjovik.no)
X-Authentication-Warning: mail.fig.ol.no: trond owned process doing -bs
Date: Thu, 3 Jul 2014 15:30:20 +0200 (CEST)
From: =?ISO-8859-1?Q?Trond_Endrest=F8l?= <Trond.Endrestol@fagskolen.gjovik.no>
Sender: Trond.Endrestol@fagskolen.gjovik.no
To: Fabian Keil <freebsd-listen@fabiankeil.de>
Subject: Re: getenv("TZ") crashes triggered by tzset_basic()
In-Reply-To: <20140703140105.41065cd2@fabiankeil.de>
Message-ID: <alpine.BSF.2.11.1407031529060.11883@mail.fig.ol.no>
References: <20140703140105.41065cd2@fabiankeil.de>
User-Agent: Alpine 2.11 (BSF 23 2013-08-11)
Organization: Fagskolen Innlandet
OpenPGP: url=http://fig.ol.no/~trond/trond.key
MIME-Version: 1.0
X-Spam-Status: No, score=-1.0 required=5.0 tests=ALL_TRUSTED autolearn=ham
 autolearn_force=no version=3.4.0
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on mail.fig.ol.no
Content-Type: TEXT/PLAIN; charset=ISO-8859-1
Content-Transfer-Encoding: 8BIT
X-Content-Filtered-By: Mailman/MimeDel 2.1.18
Cc: FreeBSD Current <freebsd-current@freebsd.org>
X-BeenThere: freebsd-current@freebsd.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: Discussions about the use of FreeBSD-current
 <freebsd-current.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-current>, 
 <mailto:freebsd-current-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-current/>
List-Post: <mailto:freebsd-current@freebsd.org>
List-Help: <mailto:freebsd-current-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-current>,
 <mailto:freebsd-current-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Jul 2014 13:30:29 -0000

On Thu, 3 Jul 2014 14:01+0200, Fabian Keil wrote:

> Using HEAD, www/gatling reproducible crashes for me after receiving
> a single request if TZ isn't set:
> 
> (gdb) where
> #0  strncmp (s1=<optimized out>, s2=<optimized out>, n=<optimized out>) at /usr/src/lib/libc/string/strncmp.c:46
> #1  0x00000008011a9ffe in strncmpeq (nameValue=0x7fffffffeb5e "LC_PAPER=de_DE.UTF-8", name=0x8011be49e "TZ", nameLen=<optimized out>) at /usr/src/lib/libc/stdlib/getenv.c:144
> #2  __findenv_environ (name=<optimized out>, nameLen=<optimized out>) at /usr/src/lib/libc/stdlib/getenv.c:195
> #3  getenv (name=0x8011be49e "TZ") at /usr/src/lib/libc/stdlib/getenv.c:441
> #4  0x0000000801189f49 in tzset_basic (rdlocked=0) at /usr/src/lib/libc/../../contrib/tzcode/stdtime/localtime.c:1274
> #5  0x000000080118a13e in localtime (timep=0x801c12030) at /usr/src/lib/libc/../../contrib/tzcode/stdtime/localtime.c:1467
> #6  0x000000000040d38d in http_dirlisting (h=0x801c07140, D=0x801c0e080, path=0x7fffffffbb50 "/", arg=0x0) at http.c:214
> #7  0x000000000040ff9d in http_openfile (h=0x801c07140, filename=0x801c0c085 "/", ss=0x7fffffffc108, sockfd=9, nobody=1) at http.c:1485
> #8  0x0000000000413922 in httpresponse (h=0x801c07140, s=9, headerlen=76) at http.c:1940
> #9  0x000000000040657d in handle_read_misc (i=9, h=0x801c07140, ftptimeout_secs=600, nextftp=...) at gatling.c:1051
> #10 0x0000000000404d54 in main (argc=3, argv=0x7fffffffe840, envp=0x7fffffffe860) at gatling.c:2247
> 
> This is not a recent regression, I first noticed it a couple
> of months ago but haven't had time to look into it yet.
> 
> If was reminded of this because a program I'm working on
> (Privoxy) recently crashed thusly:
> 
> (gdb) where
> #0  0x000000080128ef40 in strncmp (s1=<optimized out>, s2=<optimized out>, n=<optimized out>) at /usr/src/lib/libc/string/strncmp.c:46
> #1  0x000000080128bb92 in getenv (name=<optimized out>) at /usr/src/lib/libc/stdlib/getenv.c:424
> #2  0x000000080126bb39 in tzset_basic (rdlocked=0) at /usr/src/lib/libc/../../contrib/tzcode/stdtime/localtime.c:1281
> #3  0x000000080126bb1b in tzset_basic (rdlocked=-14721152) at /usr/src/lib/libc/../../contrib/tzcode/stdtime/localtime.c:1274
> #4  0x000000080122c0a0 in _fmt (format=0x22313031734e6863 <Address 0x22313031734e6863 out of bounds>, t=0x8012a009e, pt=0x2 <Address 0x2 out of bounds>, ptlim=0xf5 <Address 0xf5 out of bounds>, 
>     warnp=0x8014cc418 <tzname+8>, loc=0x80126bb1b <tzset_basic+27>) at /usr/src/lib/libc/stdtime/strftime.c:137
> #5  0x000000080122d6fb in _conv (n=<optimized out>, format=<optimized out>, pt=<optimized out>, n=<optimized out>, format=<optimized out>, pt=<optimized out>, ptlim=<optimized out>)
>     at /usr/src/lib/libc/stdtime/strftime.c:597
> #6  _yconv (a=<optimized out>, b=<optimized out>, convert_top=<optimized out>, convert_yy=<optimized out>, pt=<optimized out>, ptlim=<optimized out>, a=<optimized out>, b=<optimized out>, 
>     convert_top=<optimized out>, convert_yy=<optimized out>, pt=<optimized out>, ptlim=<optimized out>) at /usr/src/lib/libc/stdtime/strftime.c:649
> #7  0x0000000000428747 in get_log_timestamp (buffer=0x7fffff1f5f80 "2014-06-30 17:03:45.115", buffer_size=30) at errlog.c:482
> [...]
> (gdb) f 3
> #3  0x000000080126bb1b in tzset_basic (rdlocked=-14721152) at /usr/src/lib/libc/../../contrib/tzcode/stdtime/localtime.c:1274

> 1274		name = getenv("TZ");

Does the code test at all for the possibility of getenv(3) returning a 
NULL pointer?

> I haven't been able to reproduce the Privoxy crash yet, but in case
> of gatling the problem is reproducible and valgrind doesn't complain
> about any previous memory corruption:
> 
> fk@r500 ~/test/privoxy/test $valgrind gatling -p 81
> ==6563== Memcheck, a memory error detector
> ==6563== Copyright (C) 2002-2012, and GNU GPL'd, by Julian Seward et al.
> ==6563== Using Valgrind-3.8.1 and LibVEX; rerun with -h for copyright info
> ==6563== Command: gatling -p 81
> ==6563== 
> starting_up 0 :: 81
> start_ftp 0 :: 2121
> accept 7 10.0.0.1 48596 1 http
> ==6563== Invalid read of size 1
> ==6563==    at 0x1039C74: strncmp (mc_replace_strmem.c:596)
> ==6563==    by 0x1BA1FFD: getenv (getenv.c:144)
> ==6563==    by 0x1B81F48: ??? (localtime.c:1274)
> ==6563==    by 0x1B8213D: localtime (localtime.c:1467)
> ==6563==    by 0x40D38C: http_dirlisting (http.c:214)
> ==6563==    by 0x40FF9C: http_openfile (http.c:1485)
> ==6563==    by 0x413921: httpresponse (http.c:1940)
> ==6563==    by 0x40657C: handle_read_misc (gatling.c:1051)
> ==6563==    by 0x404D53: main (gatling.c:2247)
> ==6563==  Address 0xff000b7a is not stack'd, malloc'd or (recently) free'd
> ==6563== 
> ==6563== 
> ==6563== Process terminating with default action of signal 11 (SIGSEGV): dumping core
> ==6563==  Access not within mapped region at address 0xFF000B7A
> ==6563==    at 0x1039C74: strncmp (mc_replace_strmem.c:596)
> ==6563==    by 0x1BA1FFD: getenv (getenv.c:144)
> ==6563==    by 0x1B81F48: ??? (localtime.c:1274)
> ==6563==    by 0x1B8213D: localtime (localtime.c:1467)
> ==6563==    by 0x40D38C: http_dirlisting (http.c:214)
> ==6563==    by 0x40FF9C: http_openfile (http.c:1485)
> ==6563==    by 0x413921: httpresponse (http.c:1940)
> ==6563==    by 0x40657C: handle_read_misc (gatling.c:1051)
> ==6563==    by 0x404D53: main (gatling.c:2247)
> ==6563==  If you believe this happened as a result of a stack
> ==6563==  overflow in your program's main thread (unlikely but
> ==6563==  possible), you can try to increase the size of the
> ==6563==  main thread stack using the --main-stacksize= flag.
> ==6563==  The main thread stack size used in this run was 16777216.
> ==6563== 
> ==6563== HEAP SUMMARY:
> ==6563==     in use at exit: 18,848 bytes in 6 blocks
> ==6563==   total heap usage: 25 allocs, 19 frees, 47,144 bytes allocated
> ==6563== 
> ==6563== LEAK SUMMARY:
> ==6563==    definitely lost: 0 bytes in 0 blocks
> ==6563==    indirectly lost: 0 bytes in 0 blocks
> ==6563==      possibly lost: 0 bytes in 0 blocks
> ==6563==    still reachable: 18,848 bytes in 6 blocks
> ==6563==         suppressed: 0 bytes in 0 blocks
> ==6563== Rerun with --leak-check=full to see details of leaked memory
> ==6563== 
> ==6563== For counts of detected and suppressed errors, rerun with: -v
> ==6563== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
> Segmentation fault
> 
> I can't reproduce the problem with a test program that merely calls
> localtime(), so I assume some environment changes are required.
> 
> Has anyone seens this or is able to reproduce the gatling crashes?
> 
> Fabian
> 

-- 
+-------------------------------+------------------------------------+
| Vennlig hilsen,               | Best regards,                      |
| Trond Endrestøl,              | Trond Endrestøl,                   |
| IT-ansvarlig,                 | System administrator,              |
| Fagskolen Innlandet,          | Gjøvik Technical College, Norway,  |
| tlf. mob.   952 62 567,       | Cellular...: +47 952 62 567,       |
| sentralbord 61 14 54 00.      | Switchboard: +47 61 14 54 00.      |
+-------------------------------+------------------------------------+