This is an update to the reported issue below.
It appears that calling the pre-processor macro svn_pool_create with an
argument of NULL is done a lot in the Subversion code base. The comments in the
APR function apr_pool_create_ex in module memory/unix/apr_pools.c seems to
imply you shouldn't do this. However, as long as you've made a call to either
the APR function apr_pool_initialize in the module memory/unix/apr_pools.c or
apr_initialize in one of the OS appropriate APR modules then you're ok as it
initializes the global pool which is used when the parent argument is NULL.
However, the stack flow listed below from the mod_dav_svn subversion module
never makes a call to any of the initialization functions. Ensuring that the
APR module has been correctly initialized resolves this issue. That being said
the APR code should probably handle being called before initialization
gracefully rather than just causing a segmentation fault.
I will note that while I didn't test it, the same issue appears to be present
in the Subversion 1.8.16 code base via code inspection. Since Subversion 1.8,
and probably 1.9, are widely in use maybe something about how I configure /
build the code is causing this issue. That being said, I cannot get the
Subversion Apache module to work correctly without first patching the code to
explicitly initialize the APR module (and patching APR to check if it's been
initialized and return an appropriate apr_status_t for good measure).
Thanks,
Aaron
From: Bailey, Aaron
Sent: Friday, July 08, 2016 11:45 AM
To: 'users@subversion.apache.org'
Subject: Bug Report Againgst Subversion 1.9.3 libsvn_subr
To Whom It May Concern,
This email is in regards to a potential software bug I've encountered in
Subversion 1.9.3. I wasn't really able to find anything on the existing issue
tracker, however that may be due to my inability to get any useful information
out of it. As directed on the issues page I'm first emailing this list about
the potential bug.
Summary:
I'm attempting to upgrade a Subversion server to 1.9.3. My distro doesn't
provide a package for newer versions of Subversion. So I've built my own
package and after building the mod_dav_svn package I've been encountering some
issues. Specifically, when Apache, in this case 2.2.15, runs it gets a
segmentation fault when loading the dav_svn_module (mod_dav_svn.so). I've been
looking at the stack trace I get from the core file and it appears to be an
issue with how libsvn_subr is attempting to use the apr_pools.c module. I
believe this is a bug and not an issue with my build. I will present the
information I've found below, please be patient as I'm unable to copy &paste.
Details:
Software Versions:
SUBVERSION 1.9.3
APR 1.5.2
APR-UTIL 1.5.4
SCONS 2.5.0
SERF 1.3.8
Stack Trace:
#0 in apr_pool_create_ex
---------------------------------APR libs from here down the stack
#1 in svn_pool_create_ex
#2 in atomic_init_func
#3 in svn_atomic__init_once
#4 in svn_dso_initialize2
#5 in init_dso
---------------------------------SUBVERSION libs from here down the stack
#6 in ap_run_pre_config
#7 in main
Analysis:
The segmentation fault occurs in the code segment below from the module
memory/unix/apr_pools.c:
"""
if (allocator == NULL)
allocator = parent->allocator; // <-- This line segfaults
"""
Near the above code block provided above there is a comment about how the
parent object will
always be non-NULL except the first time. During the first pool create call it
is supposed to be guaranteed that
the allocator object is not NULL. Since the parent object was NULL as this is
the first call to pool create
it is set to global_pool. However, global_pool is NULL and the passed in
allocator is NULL.
This appears to disagree with the apr_pool_create_ex functions API as specified
in the code and comments.
This seemingly invalid call to the apr_pool_create_ex function stems from the
atomic_init_func function in the module
libsvn_subr/dso.c which makes a call to the pre-processor macro svn_pool_create
with a single argument of NULL.
As best I can tell this macro is defined in the module include/svn_pools.h. It
is defined as
"""
/** Create a pool as a subpool of @a parent_pool */
#define svn_pool_create(parent_pool) svn_pool_create_ex(parent_pool, NULL)
"""
Since this is the first call to the apr_pool_create_ex function it would appear
to be valid to have a NULL parent_pool, but invalid
to then additionally have a NULL allocator.
Thanks,
Aaron
