Bug#622591: crash in ChertVersion::create

Joey Hess joeyh at debian.org
Wed Apr 13 16:22:28 UTC 2011


Olly Betts wrote:
> > I have a reproducible segfault in xapian, that seems to occur when the
> > database is being first created, but oddly seems dependent on a 
> > particular input corpus being indexed -- similar sites with other content
> > don't crash.
> 
> That's odd, as the database is created before that.  Makes me wonder if
> there's memory corruption involved.  I've never seen anything like this
> before anyway.

Here is a minimal test case to reproduce this bug. I've gotten all
content and ikiwiki out of the picture; we're down to 2 perl modules
and perl itself.

#!/usr/bin/perl
use strict;
use warnings;
# Load order matters: Image::Magick first, then Search::Xapian, triggers the crash.
use Image::Magick;
use Search::Xapian;
# Creating the writable database is the call that segfaults.
my $db = Search::Xapian::WritableDatabase->new("/tmp/xap",
	Search::Xapian::DB_CREATE());

Note that order matters. If Search::Xapian is loaded before
Image::Magick, no crash. This strongly points to an Image::Magick bug to
me, or possibly, multiple interacting bugs.

I can reproduce it on stable and unstable; amd64, and i386.

(liw: I've put a workaround in place on Branchable to force
Search::Xapian to be loaded first.)

Here's what valgrind has to say.

joey at wren:~>valgrind perl foo.pl
==11278== Memcheck, a memory error detector
==11278== Copyright (C) 2002-2010, and GNU GPL'd, by Julian Seward et al.
==11278== Using Valgrind-3.6.0.SVN-Debian and LibVEX; rerun with -h for copyright info
==11278== Command: perl foo.pl
==11278== 
==11278== Conditional jump or move depends on uninitialised value(s)
==11278==    at 0x80B5DCB: Perl_re_compile (in /usr/bin/perl)
==11278==    by 0x806E5A1: Perl_pmruntime (in /usr/bin/perl)
==11278==    by 0x80A0536: Perl_yyparse (in /usr/bin/perl)
==11278==    by 0x810674C: ??? (in /usr/bin/perl)
==11278==    by 0x8108185: Perl_pp_require (in /usr/bin/perl)
==11278==    by 0x80D4357: Perl_runops_standard (in /usr/bin/perl)
==11278==    by 0x8078784: Perl_call_sv (in /usr/bin/perl)
==11278==    by 0x80C7B06: ??? (in /usr/bin/perl)
==11278==    by 0x80C7C95: Perl_magic_getpack (in /usr/bin/perl)
==11278==    by 0x80CAFBA: Perl_mg_get (in /usr/bin/perl)
==11278==    by 0x80E6F99: Perl_sv_setsv_flags (in /usr/bin/perl)
==11278==    by 0x80DB14C: Perl_pp_aassign (in /usr/bin/perl)
==11278== 
==11278== Conditional jump or move depends on uninitialised value(s)
==11278==    at 0x80B5DCB: Perl_re_compile (in /usr/bin/perl)
==11278==    by 0x811136F: Perl_pp_regcomp (in /usr/bin/perl)
==11278==    by 0x80D4357: Perl_runops_standard (in /usr/bin/perl)
==11278==    by 0x8078A39: Perl_call_sv (in /usr/bin/perl)
==11278==    by 0x8078EC3: Perl_call_list (in /usr/bin/perl)
==11278==    by 0x80652C8: ??? (in /usr/bin/perl)
==11278==    by 0x8072A6E: Perl_newATTRSUB (in /usr/bin/perl)
==11278==    by 0x8071A25: Perl_utilize (in /usr/bin/perl)
==11278==    by 0x80A1C4A: Perl_yyparse (in /usr/bin/perl)
==11278==    by 0x807B7DD: ??? (in /usr/bin/perl)
==11278==    by 0x807C87C: perl_parse (in /usr/bin/perl)
==11278==    by 0x8064293: main (in /usr/bin/perl)
==11278== 
==11287== Warning: invalid file descriptor 1014 in syscall close()
==11287== Warning: invalid file descriptor 1015 in syscall close()
==11287== Warning: invalid file descriptor 1016 in syscall close()
==11287==    Use --log-fd=<number> to select an alternative log fd.
==11287== Warning: invalid file descriptor 1017 in syscall close()
==11287== Warning: invalid file descriptor 1018 in syscall close()
==11278== Invalid write of size 2
==11278==    at 0x92C0301: ??? (in /lib/libuuid.so.1.3.0)
==11278==    by 0x92C122E: uuid_generate (in /lib/libuuid.so.1.3.0)
==11278==    by 0x9ACC7A1: ??? (in /usr/lib/sse2/libxapian.so.22.2.0)
==11278==    by 0x9A9E084: ??? (in /usr/lib/sse2/libxapian.so.22.2.0)
==11278==    by 0x9AA4638: ??? (in /usr/lib/sse2/libxapian.so.22.2.0)
==11278==    by 0x9AA4A02: ??? (in /usr/lib/sse2/libxapian.so.22.2.0)
==11278==    by 0x9A470E5: Xapian::WritableDatabase::WritableDatabase(std::string const&, int) (in /usr/lib/sse2/libxapian.so.22.2.0)
==11278==    by 0x97D42EB: XS_Search__Xapian__WritableDatabase_new1 (in /usr/lib/perl5/auto/Search/Xapian/Xapian.so)
==11278==    by 0x80D5D7A: Perl_pp_entersub (in /usr/bin/perl)
==11278==    by 0x80D4357: Perl_runops_standard (in /usr/bin/perl)
==11278==    by 0x8079471: perl_run (in /usr/bin/perl)
==11278==    by 0x80642FC: main (in /usr/bin/perl)
==11278==  Address 0x30 is not stack'd, malloc'd or (recently) free'd
==11278== 
==11278== 
==11278== Process terminating with default action of signal 11 (SIGSEGV)
==11278==  Access not within mapped region at address 0x30
==11278==    at 0x92C0301: ??? (in /lib/libuuid.so.1.3.0)
==11278==    by 0x92C122E: uuid_generate (in /lib/libuuid.so.1.3.0)
==11278==    by 0x9ACC7A1: ??? (in /usr/lib/sse2/libxapian.so.22.2.0)
==11278==    by 0x9A9E084: ??? (in /usr/lib/sse2/libxapian.so.22.2.0)
==11278==    by 0x9AA4638: ??? (in /usr/lib/sse2/libxapian.so.22.2.0)
==11278==    by 0x9AA4A02: ??? (in /usr/lib/sse2/libxapian.so.22.2.0)
==11278==    by 0x9A470E5: Xapian::WritableDatabase::WritableDatabase(std::string const&, int) (in /usr/lib/sse2/libxapian.so.22.2.0)
==11278==    by 0x97D42EB: XS_Search__Xapian__WritableDatabase_new1 (in /usr/lib/perl5/auto/Search/Xapian/Xapian.so)
==11278==    by 0x80D5D7A: Perl_pp_entersub (in /usr/bin/perl)
==11278==    by 0x80D4357: Perl_runops_standard (in /usr/bin/perl)
==11278==    by 0x8079471: perl_run (in /usr/bin/perl)
==11278==    by 0x80642FC: main (in /usr/bin/perl)
==11278==  If you believe this happened as a result of a stack
==11278==  overflow in your program's main thread (unlikely but
==11278==  possible), you can try to increase the size of the
==11278==  main thread stack using the --main-stacksize= flag.
==11278==  The main thread stack size used in this run was 8388608.
==11278== 
==11278== HEAP SUMMARY:
==11278==     in use at exit: 1,343,913 bytes in 22,686 blocks
==11278==   total heap usage: 48,620 allocs, 25,934 frees, 21,660,888 bytes allocated
==11278== 
==11278== LEAK SUMMARY:
==11278==    definitely lost: 172 bytes in 1 blocks
==11278==    indirectly lost: 2,259 bytes in 41 blocks
==11278==      possibly lost: 963,768 bytes in 22,088 blocks
==11278==    still reachable: 377,714 bytes in 556 blocks
==11278==         suppressed: 0 bytes in 0 blocks
==11278== Rerun with --leak-check=full to see details of leaked memory
==11278== 
==11278== For counts of detected and suppressed errors, rerun with: -v
==11278== Use --track-origins=yes to see where uninitialised values come from
==11278== ERROR SUMMARY: 3 errors from 3 contexts (suppressed: 82 from 9)

-- 
see shy jo
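A small triage helper for reading memcheck output like the log above, added here as an illustration; it is not part of Joey's report, nor code from Xapian, ImageMagick or Valgrind. It groups records by PID (so the "invalid file descriptor" warnings from the forked child, PID 11287, do not pollute the parent's records), pulls out each record's kind, frames and faulting address, and flags fault addresses below the first page, which almost always mean a struct member accessed through a NULL pointer rather than an overrun buffer. The sample log embedded in it is a trimmed, constructed copy of the output quoted above; the regexes assume the standard "==PID==" memcheck line format.

```python
"""Triage helper for Valgrind memcheck logs (added illustration, not from the report)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: a trimmed copy of the memcheck output quoted in the report.
SAMPLE_LOG = """\
==11278== Memcheck, a memory error detector
==11278== Command: perl foo.pl
==11278== 
==11278== Conditional jump or move depends on uninitialised value(s)
==11278==    at 0x80B5DCB: Perl_re_compile (in /usr/bin/perl)
==11278==    by 0x806E5A1: Perl_pmruntime (in /usr/bin/perl)
==11278== 
==11287== Warning: invalid file descriptor 1014 in syscall close()
==11278== Invalid write of size 2
==11278==    at 0x92C0301: ??? (in /lib/libuuid.so.1.3.0)
==11278==    by 0x92C122E: uuid_generate (in /lib/libuuid.so.1.3.0)
==11278==    by 0x9ACC7A1: ??? (in /usr/lib/sse2/libxapian.so.22.2.0)
==11278==    by 0x9A470E5: Xapian::WritableDatabase::WritableDatabase(std::string const&, int) (in /usr/lib/sse2/libxapian.so.22.2.0)
==11278==  Address 0x30 is not stack'd, malloc'd or (recently) free'd
==11278== 
==11278== Process terminating with default action of signal 11 (SIGSEGV)
==11278==  Access not within mapped region at address 0x30
==11278==    at 0x92C0301: ??? (in /lib/libuuid.so.1.3.0)
==11278==    by 0x92C122E: uuid_generate (in /lib/libuuid.so.1.3.0)
==11278== 
==11278== ERROR SUMMARY: 3 errors from 3 contexts (suppressed: 82 from 9)
"""

LINE_RE = re.compile(r"^==(\d+)==\s?(.*)$")
FRAME_RE = re.compile(r"^\s+(?:at|by) 0x[0-9A-Fa-f]+: (.+?) \(in (.+)\)$")
ADDR_RE = re.compile(r"[Aa]ddress (0x[0-9A-Fa-f]+)")
SIGNAL_RE = re.compile(r"signal (\d+) \((\w+)\)")
# Memcheck lines that open a new error record.
ERROR_HEADS = ("Invalid read", "Invalid write", "Conditional jump",
               "Use of uninitialised", "Jump to the invalid",
               "Process terminating")


@dataclass
class Record:
    pid: int
    kind: str
    frames: List[Tuple[str, str]] = field(default_factory=list)  # (symbol, object)
    address: Optional[int] = None

    def top_named_frame(self) -> Optional[Tuple[str, str]]:
        """First frame Valgrind could symbolise (skips '???' entries)."""
        for sym, obj in self.frames:
            if sym != "???":
                return sym, obj
        return None

    def looks_like_null_deref(self, limit: int = 0x1000) -> bool:
        """Fault addresses below the first page are almost always NULL plus a
        struct member offset; the 0x30 in the report fits that pattern."""
        return self.address is not None and self.address < limit


def parse_memcheck(text: str) -> List[Record]:
    records: List[Record] = []
    current: Optional[Record] = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        pid, body = int(m.group(1)), m.group(2)
        if body.startswith(ERROR_HEADS):
            current = Record(pid=pid, kind=body.strip())
            records.append(current)
            continue
        if current is None or pid != current.pid:
            continue  # lines from other PIDs (forked children) are ignored
        if body.strip() == "":
            current = None  # an empty "==PID==" line closes the record
            continue
        fm = FRAME_RE.match(body)
        if fm:
            current.frames.append((fm.group(1), fm.group(2)))
            continue
        am = ADDR_RE.search(body)
        if am:
            current.address = int(am.group(1), 16)
    return records


def triage(text: str) -> dict:
    """Summarise what killed the process, in which function/object, at what address."""
    records = parse_memcheck(text)
    fatal = next((r for r in records if r.kind.startswith("Process terminating")), None)
    summary = {"errors": len(records), "fatal": fatal is not None}
    if fatal is None:
        return summary
    sm = SIGNAL_RE.search(fatal.kind)
    named = fatal.top_named_frame() or ("???", "?")
    summary.update({"signal": sm.group(2) if sm else None,
                    "function": named[0], "object": named[1],
                    "address": fatal.address,
                    "null_deref": fatal.looks_like_null_deref()})
    return summary


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run on the sample it reports three records, a SIGSEGV whose first symbolised frame is uuid_generate in libuuid, and a fault address of 0x30, i.e. a near-NULL access; on a real run, feed it the output of valgrind --log-file=... instead of the embedded sample.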