On Thu, Sep 08, 2011 at 01:14:27AM -0500, Dave Huang wrote: > >I have a reproducible crash when trying to open the repository browser, > >sparse - checkout selection, revision graph and probably other features. > > > >Reproduce: > >- "tortoiseproc /command:repobrowser /path:svn://somewhere" > >- enter your correct credentials > > > >It seems to only happen for svn:// repositories. (I don't know whether > >it also happens for non-authenticated). > > I'm getting the same crash with: > Windows 7 SP1 x64 > TortoiseSVN 1.6.99, Build 21919 - 64 Bit -dev, 2011/08/31 21:32:47 > Subversion 1.7.0, -dev > apr 1.4.5 > apr-utils 1.3.12 > neon 0.29.6 > OpenSSL 1.0.0d 8 Feb 2011 > zlib 1.2.5 > > Child-SP RetAddr Call Site > 00000000`0445f448 000007fe`edbbaa27 0x6a > 00000000`0445f450 000007fe`f89ab49a libsasl!_sasl_log+0x627 > [c:\projects\svn\tortoisesvn\ext\cyrus-sasl\lib\common.c @ 1924] > 00000000`0445f520 000007fe`edbb53c2 > saslDIGESTMD5!digestmd5_client_mech_dispose+0x4a > [c:\projects\svn\tortoisesvn\ext\cyrus-sasl\plugins\digestmd5.c @ > 4174] > 00000000`0445f560 000007fe`edbb84aa libsasl!client_dispose+0x72 > [c:\projects\svn\tortoisesvn\ext\cyrus-sasl\lib\client.c @ 289] > 00000000`0445f5a0 000007fe`f0a24e8d libsasl!sasl_dispose+0x5a > [c:\projects\svn\tortoisesvn\ext\cyrus-sasl\lib\common.c @ 848] > 00000000`0445f5e0 00000000`6c6c3eee > libsvn_tsvn!svn_ra_svn__sasl_init+0x4d (note: this is actually > sasl_dispose_cb) > 00000000`0445f610 00000000`6c6c3ecf libapr_tsvn!apr_pool_destroy+0x6e > 00000000`0445f640 00000000`6c6c3ecf libapr_tsvn!apr_pool_destroy+0x4f > 00000000`0445f670 00000001`3fb625ce libapr_tsvn!apr_pool_destroy+0x4f > 00000000`0445f6a0 00000001`3fc3ef04 TortoiseProc+0x725ce > 00000000`0445f7c0 00000001`3fc96ca5 TortoiseProc+0x14ef04 > 00000000`0445f830 00000001`3fc97c20 TortoiseProc+0x1a6ca5 > 00000000`0445f860 00000001`3fc98f4d TortoiseProc+0x1a7c20 > 00000000`0445f8a0 00000000`6a871bc7 TortoiseProc+0x1a8f4d > 00000000`0445f8d0 00000000`6a871c55 MSVCR100!endthread+0x53 > 00000000`0445f900 00000000`773e652d MSVCR100!endthread+0xe1 > 00000000`0445f930 00000000`77adc521 kernel32!BaseThreadInitThunk+0xd > 00000000`0445f960 00000000`00000000 ntdll!RtlUserThreadStart+0x1d > > The crash is coming from libsasl's common.c line 1924, where it's > trying to call through the log_cb function pointer. However, log_cb > is 0xfa (or some other value that's definitely not the address of a > function). log_cb is set by the call to _sasl_getcallback() earlier > (line 1788), and it turns out the problem is that conn->callbacks > points to corrupted memory, and _sasl_getcallback() happens to find > the right bytes to make it think that it's found a log callback > function. > > Subversion's libsvn_ra_svn\cyrus_auth.c svn_ra_svn__do_cyrus_auth() > (line 732) looks fishy to me, although I certainly haven't looked > into it in detail... The callbacks[] array, which is passed ot > new_sasl_ctx(), then to libsasl's sasl_client_new(), is a > local/automatic variable, and it goes out of scope and the memory is > available for reuse after the function exits. However, > new_sasl_ctx() adds the sasl_ctx to a pool and registers a cleanup > function for it. When the pool is destroyed, libsasl wants to use > that callbacks[] array during the cleanup, but that memory's already > filled with other stuff. Shouldn't callbacks[] be allocated on the > heap somehow, rather than on the stack?
Can you try this patch? It ties the callbacks to the pool which the sasl context lives in. Index: subversion/libsvn_ra_svn/cyrus_auth.c =================================================================== --- subversion/libsvn_ra_svn/cyrus_auth.c (revision 1166543) +++ subversion/libsvn_ra_svn/cyrus_auth.c (working copy) @@ -738,9 +738,7 @@ svn_ra_svn__do_cyrus_auth(svn_ra_svn__session_bato const char *mechstring = "", *last_err = "", *realmstring; const char *local_addrport = NULL, *remote_addrport = NULL; svn_boolean_t success; - /* Reserve space for 3 callbacks (for the username, password and the - array terminator). */ - sasl_callback_t callbacks[3]; + sasl_callback_t *callbacks; cred_baton_t cred_baton; int i; @@ -776,6 +774,10 @@ svn_ra_svn__do_cyrus_auth(svn_ra_svn__session_bato cred_baton.realmstring = realmstring; cred_baton.pool = pool; + /* Reserve space for 3 callbacks (for the username, password and the + array terminator). */ + callbacks = apr_palloc(sess->conn->pool, sizeof(*callbacks) * 3); + /* Initialize the callbacks array. */ /* The username callback. */
