From: Guy Yur
Date: Sat, 25 Jun 2016 01:03:13 +0300
Subject: Re: Samba 4.3 and 4.4 crashes on FreeBSD 11-ALPHA4
To: Konstantin Belousov
Cc: Daniel Engberg, freebsd-current

Hi,

I got the same crash on a VirtualBox VM with r302170 and
samba43-4.3.9, tdb-1.3.9,1.
Based on the smbd log, when I was on r301989 smbd didn't crash.
smbd started crashing when I installed r302170 today.

gdb 6.1.1 and 7.11.1 don't see the shared libraries for some reason,
so I don't get the symbols when opening the core file.
lldb works fine.

smbclient, smbd, nmbd all panic at the same location:
tdb_runtime_check_for_robust_mutexes when calling _pthread_mutex_destroy.

When running 'lldb /usr/local/bin/smbclient //HOST/Share',
if I point a breakpoint at mutex_assert_not_owned and 'cont' each time,
there is no crash (m_qe pointers are both null).
Putting a breakpoint at mutex.c:957 and then breaking at
mutex_assert_not_owned, I see m_qe.tqe_prev is not null.
It points to a null pointer.

Core file '/var/tmp/smbclient.50434.core' (x86_64) was loaded.
(lldb) bt
* thread #1: tid = 100179, 0x00000008047bfcda libc.so.7`thr_kill + 10, name = 'smbclient', stop reason = signal SIGABRT
  * frame #0: 0x00000008047bfcda libc.so.7`thr_kill + 10
    frame #1: 0x00000008047bfcab libc.so.7`__raise(s=6) + 59 at raise.c:52 [opt]
    frame #2: 0x00000008047bfc19 libc.so.7`abort + 73 at abort.c:65 [opt]
    frame #3: 0x0000000801481d7a libthr.so.3`_thread_exitf(fname=, lineno=, fmt=) + 138 at thr_exit.c:190 [opt]
    frame #4: 0x000000080147bcf9 libthr.so.3`mutex_assert_not_owned(curthread=, m=) + 121 at thr_mutex.c:152 [opt]
    frame #5: 0x000000080147bc27 libthr.so.3`_pthread_mutex_destroy(mutex=0x00000008012e9000) + 87 at thr_mutex.c:474 [opt]
    frame #6: 0x0000000809abdce3 libtdb.so.1`tdb_runtime_check_for_robust_mutexes + 1475 at mutex.c:957
    ...
(lldb) f 6
frame #6: 0x0000000809abdce3 libtdb.so.1`tdb_runtime_check_for_robust_mutexes + 1475 at mutex.c:957
   954          }
   955      }
   956      if (m != NULL) {
-> 957          pthread_mutex_destroy(m);
   958      }
   959      if (cleanup_ma) {
   960          pthread_mutexattr_destroy(&ma);

lldb for smbclient with breakpoint:

* thread #1: tid = 100104, 0x000000080147bc8b libthr.so.3`mutex_assert_not_owned(curthread=0x0000000810816000, m=0x0000000801352000) + 11 at thr_mutex.c:150, stop reason = breakpoint 2.1
    frame #0: 0x000000080147bc8b libthr.so.3`mutex_assert_not_owned(curthread=0x0000000810816000, m=0x0000000801352000) + 11 at thr_mutex.c:150 [opt]
   147  {
   148
   149  #if defined(_PTHREADS_INVARIANTS)
-> 150      if (__predict_false(m->m_qe.tqe_prev != NULL ||
   151          m->m_qe.tqe_next != NULL))
   152          PANIC("mutex %p own %#x is on list %p %p",
   153              m, m->m_lock.m_owner, m->m_qe.tqe_prev, m->m_qe.tqe_next);
(lldb) p *m
(pthread_mutex) $3 = {
  m_lock = {
    m_owner = 100180
    m_flags = 17
    m_ceilings = ([0] = 0, [1] = 0)
    m_rb_lnk = 0
    m_spare = ([0] = 0, [1] = 0)
  }
  m_flags = 1
  m_count = 0
  m_spinloops = 0
  m_yieldloops = 0
  m_ps = 2
  m_qe = {
    tqe_next = 0x0000000000000000
    tqe_prev = 0x00000008108161a0
  }
  m_pqe = {
    tqe_next = 0x0000000000000000
    tqe_prev = 0x0000000000000000
  }
  m_rb_prev = 0x0000000000000000
}
(lldb) p *m->m_qe.tqe_prev
(pthread_mutex *) $5 = 0x0000000000000000

Regards,
Guy
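
For triage outside Samba, the API sequence behind the failing frame (a process-shared robust mutex whose owner dies holding it, recovery in the parent, then pthread_mutex_destroy) can be exercised on its own. This is an added example, not code from tdb, Samba, libthr or the message above; the function name robust_mutex_check and the simplified fork/wait sequence are assumptions about what such a runtime check does.

```c
#define _DEFAULT_SOURCE          /* MAP_ANON and the robust-mutex API on glibc */
#include <errno.h>
#include <pthread.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper (not tdb or libthr code). Returns 0 when owner-death
 * recovery and destroy succeed, otherwise the number of the failed step.
 * A libthr that trips its own assertion aborts the process instead. */
int robust_mutex_check(void)
{
    pthread_mutexattr_t ma;
    pthread_mutex_t *m;
    int status, ret, step = 0;
    pid_t pid;
    /* The mutex has to live in memory the child shares with the parent. */
    m = mmap(NULL, sizeof(*m), PROT_READ | PROT_WRITE, MAP_SHARED | MAP_ANON, -1, 0);
    if (m == MAP_FAILED) return 1;
    if (pthread_mutexattr_init(&ma) != 0) { step = 2; goto unmap; }
    if (pthread_mutexattr_setpshared(&ma, PTHREAD_PROCESS_SHARED) != 0 ||
        pthread_mutexattr_setrobust(&ma, PTHREAD_MUTEX_ROBUST) != 0 ||
        pthread_mutex_init(m, &ma) != 0) { step = 3; goto attr; }

    pid = fork();
    if (pid == -1) { step = 4; goto destroy; }
    if (pid == 0)                       /* child: lock, then die holding it */
        _exit(pthread_mutex_lock(m) == 0 ? 0 : 1);
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status) ||
        WEXITSTATUS(status) != 0) { step = 5; goto destroy; }
    /* Parent: the lock must report the dead owner and then be recoverable. */
    ret = pthread_mutex_lock(m);
    if (ret != EOWNERDEAD) {
        if (ret == 0) pthread_mutex_unlock(m);
        step = 6;
    } else if (pthread_mutex_consistent(m) != 0 || pthread_mutex_unlock(m) != 0) {
        step = 7;
    }
destroy:
    /* Same call as frame #5 of the backtrace in the report. */
    if (pthread_mutex_destroy(m) != 0 && step == 0) step = 8;
attr:
    pthread_mutexattr_destroy(&ma);
unmap:
    munmap(m, sizeof(*m));
    return step;
}

int main(void) { return robust_mutex_check(); }
```

Build with `cc -pthread`. The PANIC in the listing above sits under `#if defined(_PTHREADS_INVARIANTS)`, so on such a libthr the failure shows up as SIGABRT rather than a nonzero exit status.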