I was getting this particular crash with +nssearch (dnsutils
1:9.5.0.dfsg.P2-5.1) so I decided to look deeper. I was able to find that
the crash was in dighost.c:send_done() ISC_LIST_DEQUEUE call. Next I added
some extra debug just before it:
    for (b = ISC_LIST_HEAD(sevent->bufferlist);
         b != NULL;
         b = ISC_LIST_HEAD(sevent->bufferlist))
    {
        printf("%s[%p]: ISC_LIST_DEQUEUE sevent %p b %p b->link.next %p\n",
               __func__, pthread_self(),
               sevent, b, b->link.next);
        ISC_LIST_DEQUEUE(sevent->bufferlist, b, link);
    }
Build, debug with gdb, and I got:
$ gdb ./dig
GNU gdb 6.8-debian
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu"...
(gdb) run poliisi.fi +nssearch
Starting program: /home/[user]/bind9-9.5.0.dfsg.P2/bin/dig/.libs/dig poliisi.fi +nssearch
[Thread debugging using libthread_db enabled]
[New Thread 0xb7b316d0 (LWP 10533)]
[New Thread 0xb7aefb90 (LWP 10536)]
[New Thread 0xb72eeb90 (LWP 10537)]
[New Thread 0xb6aedb90 (LWP 10538)]
send_done[0xb7aefb90]: ISC_LIST_DEQUEUE sevent 0xb7b030f8 b 0xb7aff178 b->link.next (nil)
send_done[0xb7aefb90]: ISC_LIST_DEQUEUE sevent 0xb7b033c8 b 0xb7aff178 b->link.next (nil)
send_done[0xb7aefb90]: ISC_LIST_DEQUEUE sevent 0xb7b031e8 b 0xb7aff310 b->link.next (nil)
send_done[0xb7aefb90]: ISC_LIST_DEQUEUE sevent 0xb7b030f8 b 0xb7aff310 b->link.next 0xffffffff
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb7aefb90 (LWP 10536)]
0x080591d3 in send_done (_task=0xb7af2008, event=0xb7b030f8) at dighost.c:2116
2116 ISC_LIST_DEQUEUE(sevent->bufferlist, b, link);
(gdb) bt
#0 0x080591d3 in send_done (_task=0xb7af2008, event=0xb7b030f8) at dighost.c:2116
#1 0x081831a7 in run (uap=0xb7af0008) at task.c:862
#2 0xb7eed4c0 in start_thread () from /lib/i686/cmov/libpthread.so.0
#3 0xb7d336de in clone () from /lib/i686/cmov/libc.so.6
(gdb)
Spot the 0xffffffff link.next pointer in the last ISC_LIST_DEQUEUE call.
Buffer 0xb7aff310 appears to get removed twice (ISC_LIST_DEQUEUE set
link.next to -1 after removing the node).
The buffer management code is a mess. The buffers are being added to
bufferlist elsewhere (lib/isc/unix/socket.c it appears) so it's quite
hard to keep track of things. Still, I hope this information will be
helpful for tracking down the bug.
Regards,
--
l=2001;main(i){float o,O,_,I,D;for(;O=I=l/571.-1.75,l;)for(putchar(--l%80?
i:10),o=D=l%80*.05-2,i=31;_=O*O,O=2*o*O+I,o=o*o-_+D,o+_+_<4+D&i++<87;);puts
(" Harry 'Piru' Sintonen <sinto...@iki.fi> http://www.iki.fi/sintonen");}
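A constructed C model of the failure mode described in the report, added here and not part of the report or of BIND's code: an ISC-style intrusive list whose dequeue poisons the node's link to (void *)-1, plus a checked dequeue and a send_done()-shaped drain loop that refuse a second removal instead of faulting on the poisoned pointer. The list, node and function names are assumptions.

```c
#include <assert.h>
#include <stddef.h>
/* Stand-in for ISC's intrusive list macros (constructed, not BIND's code):
 * dequeue poisons the node's link to (void *)-1, the 0xffffffff seen above. */
#define POISON ((void *)-1)
typedef struct buf buf_t;
struct buf { int id; struct { buf_t *prev, *next; } link; };
typedef struct { buf_t *head, *tail; } buflist_t;
static void link_init(buf_t *b) { b->link.prev = b->link.next = POISON; }
static int  linked(const buf_t *b) { return b->link.prev != POISON; }

static void list_append(buflist_t *l, buf_t *b) {
    assert(!linked(b));                 /* appending twice would corrupt the list */
    b->link.next = NULL;
    b->link.prev = l->tail;
    if (l->tail) l->tail->link.next = b; else l->head = b;
    l->tail = b;
}

/* Checked dequeue: returns 0 on an already-poisoned link instead of dereferencing -1. */
static int list_dequeue(buflist_t *l, buf_t *b) {
    if (!linked(b)) return 0;
    if (b->link.prev) b->link.prev->link.next = b->link.next; else l->head = b->link.next;
    if (b->link.next) b->link.next->link.prev = b->link.prev; else l->tail = b->link.prev;
    link_init(b);
    return 1;
}

/* Drain loop shaped like send_done(); returns how many dequeues were refused. */
static int drain(buflist_t *l) {
    int refused = 0;
    for (buf_t *b = l->head; b != NULL; b = l->head) {
        if (list_dequeue(l, b)) continue;
        refused++;   /* dighost.c:2116 would have faulted here */
        break;       /* the list is stale; do not spin on it */
    }
    return refused;
}

/* Two events drain their bufferlists; with alias=1 the second holds a stale copy of
 * the first one's list, like the buffer dequeued twice in the log. Returns the number
 * of refusals seen by the second drain: 0 when clean, 1 on the double dequeue. */
static int drain_two_events(int alias) {
    buflist_t ev1 = {0}, ev2 = {0};
    buf_t b1 = {1}, b2 = {2}, b3 = {3};
    link_init(&b1); link_init(&b2); link_init(&b3);
    list_append(&ev1, &b1); list_append(&ev1, &b2);
    if (alias) ev2 = ev1; else list_append(&ev2, &b3);
    drain(&ev1);
    return drain(&ev2);
}
```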
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org