[Bug 235604] ports-mgmt/pkg: bus error / segmentation fault (core dumped)
bugzilla-noreply at freebsd.org
Mon Mar 25 19:23:28 UTC 2019
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=235604
--- Comment #3 from Oliver Fromme <olli at FreeBSD.org> ---
Ok, I got a few minutes and rebuilt the whole thing with jemalloc debugging and
malloc option "junk:true".
The crash (SIGBUS) happens in work/pkg-1.10.5/external/libucl/src/ucl_hash.c
Line 229, in function ucl_hash_destroy():
225     for (k = kh_begin (h); k != kh_end (h); ++k) {
226         if (kh_exist (h, k)) {
227             cur = (kh_value (h, k)).obj;
228             while (cur != NULL) {
229 ---->          tmp = cur->next;
230                 func (__DECONST (ucl_object_t *, cur));
231                 cur = tmp;
232             }
233         }
234     }
(lldb) print cur
(const ucl_object_t *) $0 = 0x5a5a5a5a5a5a5a5a
Obviously it is dereferencing uninitialized memory (0x5a is the value used by
jemalloc for junk-filling when debugging is enabled).
Next I tried building with malloc-option "junk:false,zero:true".
Result: No crash.
However, some time later I tried installing libxml2, and pkg(8) crashes again
at exactly the same location, even with malloc option "zero:true". Now we have:
(lldb) print cur
(const ucl_object_t *) $0 = 0x6c6d7862696c3a74
That looks suspiciously like ASCII characters. In fact, those bytes represent
the characters "lmxbil:t", which is "t:libxml" reversed. Obviously somehow the
pointer got overwritten with parts of a string.
At this point I could really use some help from someone who is a little more
familiar with the source code. This is taking way too much time for me.
This problem is preventing me from putting this machine into production. Being
able to properly install and update packages is crucial. If I can't get this
fixed, I'll have to try to install DragonFly or NetBSD.
--
You are receiving this mail because:
You are the assignee for the bug.
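The two pointer values printed by lldb in the comment above can be read off mechanically. On a little-endian machine such as amd64 the least significant byte of a 64-bit value is the first byte in memory, so when a string overruns a pointer the bytes appear "reversed" in the hex dump, exactly as with 0x6c6d7862696c3a74 above. The following is an added example, not code from the bug report, from pkg(8) or from libucl: it splits a suspicious pointer value into its in-memory byte order, checks it against the fill bytes jemalloc writes when the "junk" malloc option is enabled (0x5a into freed memory, 0xa5 into fresh allocations, per jemalloc's documentation), and otherwise reports whether the bytes read as printable ASCII. The sample values are the ones from the lldb output; everything else (function names, the classification strings) is this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fill bytes jemalloc uses when the "junk" malloc option is on
 * (values from jemalloc's documentation): freed memory is
 * overwritten with 0x5a, newly allocated memory with 0xa5. */
#define JEMALLOC_JUNK_FREE  0x5a
#define JEMALLOC_JUNK_ALLOC 0xa5

/* Split a 64-bit value into the eight bytes it occupies in memory on a
 * little-endian machine (assumption: amd64), least significant byte first.
 * That is the order in which an overrunning string would have been written. */
static void ptr_bytes_le(uint64_t v, unsigned char out[8])
{
    for (int i = 0; i < 8; i++)
        out[i] = (unsigned char)(v >> (8 * i));
}

/* Return 1 if every byte of v equals fill, else 0. */
int is_fill_pattern(uint64_t v, unsigned char fill)
{
    unsigned char b[8];
    ptr_bytes_le(v, b);
    for (int i = 0; i < 8; i++)
        if (b[i] != fill)
            return 0;
    return 1;
}

/* Return 1 if every byte of v is printable ASCII (0x20..0x7e), else 0. */
int is_printable_ascii(uint64_t v)
{
    unsigned char b[8];
    ptr_bytes_le(v, b);
    for (int i = 0; i < 8; i++)
        if (b[i] < 0x20 || b[i] > 0x7e)
            return 0;
    return 1;
}

/* Render v as the 8 characters it reads as in memory order; bytes that are
 * not printable become '.'. out must have room for 9 bytes. */
void decode_ptr_as_text(uint64_t v, char out[9])
{
    unsigned char b[8];
    ptr_bytes_le(v, b);
    for (int i = 0; i < 8; i++)
        out[i] = (b[i] >= 0x20 && b[i] <= 0x7e) ? (char)b[i] : '.';
    out[8] = '\0';
}

/* Convenience check: does v read as the given 8-character text? */
int ptr_reads_as(uint64_t v, const char *expected)
{
    char text[9];
    decode_ptr_as_text(v, text);
    return strcmp(text, expected) == 0;
}

/* Classify a suspicious pointer value. The fill-pattern checks run first
 * because 0x5a is itself printable ('Z') and would otherwise look like text. */
const char *classify_ptr(uint64_t v)
{
    if (is_fill_pattern(v, JEMALLOC_JUNK_FREE))
        return "jemalloc junk fill of freed memory";
    if (is_fill_pattern(v, JEMALLOC_JUNK_ALLOC))
        return "jemalloc junk fill of a fresh allocation";
    if (is_printable_ascii(v))
        return "printable ASCII: pointer overwritten by string data";
    return "no obvious pattern";
}

int main(void)
{
    /* The two values lldb printed for `cur` in the report. */
    const uint64_t samples[] = { 0x5a5a5a5a5a5a5a5aULL, 0x6c6d7862696c3a74ULL };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char text[9];
        decode_ptr_as_text(samples[i], text);
        printf("0x%016llx  reads as \"%s\"  -> %s\n",
               (unsigned long long)samples[i], text, classify_ptr(samples[i]));
    }
    return 0;
}
```

Run against the second value, the decoder yields "t:libxml" directly, without the manual reversal; run against the first, the fill check fires before the ASCII check, which is why the order of the tests in classify_ptr matters.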