test062 segfault with back-mdb

[Quanah Gibson-Mount]

This doesn't occur with back-bdb/hdb, and it doesn't happen if I insert a 
sleep after the ldapsearch to see if slapd is running, before the 
modification to cn=config is done.

Thread 3 "lt-slapd" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fae46748700 (LWP 11239)]
0x00007fae4553abab in syncprov_free_syncop (so=0x7fae3c102cc0, unlink=1) at 
syncprov.c:811
811                     for ( sop = &so->s_si->si_ops; *sop; sop = 
&(*sop)->s_next ) {


Here's the full backtrace:


Thread 4 (Thread 0x7fae45f47700 (LWP 11240)):
#0  pthread_cond_wait@@GLIBC_2.3.2 () at 
../sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:185
No locals.
#1  0x00007fae4b48af69 in ldap_pvt_thread_cond_wait (cond=0x2529138, 
mutex=0x2529110) at thr_posix.c:281
No locals.
#2  0x00007fae4b4896e5 in ldap_int_thread_pool_wrapper (xpool=0x2529100) at 
tpool.c:945
       pq = 0x2529100
       pool = 0x2529000
       task = 0x0
       work_list = 0x2529170
       ctx = {ltu_pq = 0x2529100, ltu_id = 140386474686208, ltu_key = 
{{ltk_key = 0x440674 <conn_counter_init+224>, ltk_data = 0x7fae3c000db0,
             ltk_free = 0x4404c5 <conn_counter_destroy+224>}, {ltk_key = 
0x4bc7fd <slap_sl_mem_create+197>, ltk_data = 0x7fae3c000ec0, ltk_free = 
0x4bc621 <slap_sl_mem_destroy+224>}, {
             ltk_key = 0x45d2c1 <slap_op_free+224>, ltk_data = 
0x7fae3c000950, ltk_free = 0x45d212 <slap_op_free+49>}, {ltk_key = 0x0, 
ltk_data = 0x7fae38108550, ltk_free = 0x0}, {
             ltk_key = 0x0, ltk_data = 0x0, ltk_free = 0x0} <repeats 28 
times>}}
       kctx = 0x0
       i = 32
       keyslot = 349
       hash = 3903429981
       pool_lock = 0
       freeme = 0
       __PRETTY_FUNCTION__ = "ldap_int_thread_pool_wrapper"
#3  0x00007fae4ae496ba in start_thread (arg=0x7fae45f47700) at 
pthread_create.c:333
       __res = <optimized out>
       pd = 0x7fae45f47700
       now = <optimized out>
       unwind_buf = {cancel_jmp_buf = {{jmp_buf = {140386474686208, 
8789157664068107475, 0, 140386491460639, 140386474686912, 0, 
-8744345895670219565, -8744361424428172077},
             mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, 
data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}}
       not_first_call = <optimized out>
       pagesize_m1 = <optimized out>
       sp = <optimized out>
       freesize = <optimized out>
       __PRETTY_FUNCTION__ = "start_thread"
#4  0x00007fae4a23f82d in clone () at 
../sysdeps/unix/sysv/linux/x86_64/clone.S:109
No locals.

Thread 3 (Thread 0x7fae46748700 (LWP 11239)):
#0  0x00007fae4553abab in syncprov_free_syncop (so=0x7fae3c102cc0, 
unlink=1) at syncprov.c:811
       sop = 0x6f637d307b3d6573
       sr = 0x0
       srnext = 0x240907c38f1c2800
       ga = 0x0
       gnext = 0x7fae46747960
#1  0x00007fae4553b6ec in syncprov_qtask (ctx=0x7fae46747c30, 
arg=0x7fae3c102cc0) at syncprov.c:1005
       so = 0x7fae3c102cc0
       opbuf = {ob_op = {o_hdr = 0x7fae46747960, o_tag = 99, o_time = 
1492715516, o_tincr = 0, o_tusec = 0, o_qtime = {tv_sec = 0, tv_usec = 0}, 
o_bd = 0x7fae46747650, o_req_dn = {
             bv_len = 9, bv_val = 0x7fae3c103032 "cn=config"}, o_req_ndn = 
{bv_len = 9, bv_val = 0x7fae3c10303c "cn=config"}, o_request = {oq_add = 
{rs_modlist = 0x2,
               rs_e = 0xffffffffffffffff}, oq_bind = {rb_method = 2, 
rb_cred = {bv_len = 18446744073709551615, bv_val = 0x0}, rb_edn = {bv_len = 
0, bv_val = 0x0}, rb_ssf = 1007690928,
               rb_mech = {bv_len = 15, bv_val = 0x7fae3c103046 
"(objectClass=*)"}}, oq_compare = {rs_ava = 0x2}, oq_modify = {rs_mods = 
{rs_modlist = 0x2, rs_no_opattrs = -1 '\377'},
               rs_increment = 0}, oq_modrdn = {rs_mods = {rs_modlist = 
0x2, rs_no_opattrs = -1 '\377'}, rs_deleteoldrdn = 0, rs_newrdn = {bv_len = 
0, bv_val = 0x0}, rs_nnewrdn = {
                 bv_len = 140386308727984, bv_val = 0xf <error: Cannot 
access memory at address 0xf>}, rs_newSup = 0x7fae3c103046, rs_nnewSup = 
0x0}, oq_search = {rs_scope = 2,
               rs_deref = 0, rs_slimit = -1, rs_tlimit = -1, rs_limit = 
0x0, rs_attrsonly = 0, rs_attrs = 0x0, rs_filter = 0x7fae3c1024b0, 
rs_filterstr = {bv_len = 15,
                 bv_val = 0x7fae3c103046 "(objectClass=*)"}}, oq_abandon = 
{rs_msgid = 2}, oq_cancel = {rs_msgid = 2}, oq_extended = {rs_reqoid = 
{bv_len = 2,
                 bv_val = 0xffffffffffffffff <error: Cannot access memory 
at address 0xffffffffffffffff>}, rs_flags = 0, rs_reqdata = 0x0}, 
oq_pwdexop = {rs_extended = {rs_reqoid = {
                   bv_len = 2, bv_val = 0xffffffffffffffff <error: Cannot 
access memory at address 0xffffffffffffffff>}, rs_flags = 0, rs_reqdata = 
0x0}, rs_old = {bv_len = 0,
                 bv_val = 0x7fae3c1024b0 "\207"}, rs_new = {bv_len = 15, 
bv_val = 0x7fae3c103046 "(objectClass=*)"}, rs_mods = 0x0, rs_modtail = 
0x0}}, o_abandon = 0, o_cancel = 0,
           o_groups = 0x0, o_do_not_cache = 1 '\001', o_is_auth_check = 0 
'\000', o_dont_replicate = 0 '\000', o_acl_priv = ACL_NONE, o_nocaching = 0 
'\000',
           o_delete_glue_parent = 0 '\000', o_no_schema_check = 0 '\000', 
o_no_subordinate_glue = 0 '\000',
           o_ctrlflag = '\000' <repeats 20 times>, 
"\001\000\000\000\000\000\000\000\000\000\000", o_controls = 
0x7fae46747aa8, o_authz = {sai_method = 128, sai_mech = {bv_len = 0,
               bv_val = 0x0}, sai_dn = {bv_len = 9, bv_val = 
0x7fae3c103028 "cn=config"}, sai_ndn = {bv_len = 9, bv_val = 0x7fae3c103028 
"cn=config"}, sai_ssf = 0, sai_transport_ssf = 0,
             sai_tls_ssf = 0, sai_sasl_ssf = 0}, o_ber = 0x0, o_res_ber = 
0x0, o_callback = 0x0, o_ctrls = 0x0, o_csn = {bv_len = 0, bv_val = 0x0}, 
o_private = 0x0, o_extra = {
             slh_first = 0x0}, o_next = {stqe_next = 0x0}}, ob_hdr = 
{oh_opid = 1, oh_connid = 1003, oh_conn = 0x257ad10, oh_msgid = 2, 
oh_protocol = 3, oh_tid = 140386474686208,
           oh_threadctx = 0x7fae46747c30, oh_tmpmemctx = 0x7fae38002bb0, 
oh_tmpmfuncs = 0x773b20 <slap_sl_mfuncs>, oh_counters = 0x7fae3c000db0,
           oh_log_prefix = "conn=1003 op=1", '\000' <repeats 241 times>}, 
ob_controls = {0x0 <repeats 32 times>}}
       op = 0x7fae467477e0
       be = {bd_info = 0x76eec0 <slap_binfo>, bd_self = 0x254c6c0, 
be_ctrls = '\000' <repeats 15 times>, "\001", '\000' <repeats 16 times>, 
"\001", be_flags = 131328, be_restrictops = 0,
         be_requires = 0, be_ssf_set = {sss_ssf = 0, sss_transport = 0, 
sss_tls = 0, sss_sasl = 0, sss_update_ssf = 0, sss_update_transport = 0, 
sss_update_tls = 0, sss_update_sasl = 0,
           sss_simple_bind = 0}, be_suffix = 0x254c8c0, be_nsuffix = 
0x254c910, be_schemadn = {bv_len = 0, bv_val = 0x0}, be_schemandn = {bv_len 
= 0, bv_val = 0x0}, be_rootdn = {
           bv_len = 9, bv_val = 0x254c860 "cn=config"}, be_rootndn = 
{bv_len = 9, bv_val = 0x254c880 "cn=config"}, be_rootpw = {bv_len = 8, 
bv_val = 0x254cad0 "yE1UpCg5"},
         be_max_deref_depth = 15, be_def_limit = {lms_t_soft = 3600, 
lms_t_hard = 0, lms_s_soft = 500, lms_s_hard = 0, lms_s_unchecked = -1, 
lms_s_pr = 0, lms_s_pr_hide = 0,
           lms_s_pr_total = 0}, be_limits = 0x0, be_acl = 0x2633600, 
be_dfltaccess = ACL_NONE, be_extra_anlist = 0x0, be_update_ndn = {bv_len = 
0, bv_val = 0x0}, be_update_refs = 0x0,
         be_pending_csn_list = 0x26335e0, be_pcl_mutex = {__data = {__lock 
= 0, __count = 0, __owner = 0, __nusers = 0, __kind = 0, __spins = 0, 
__elision = 0, __list = {__prev = 0x0,
               __next = 0x0}}, __size = '\000' <repeats 39 times>, __align 
= 0}, be_syncinfo = 0x0, be_pb = 0x0, be_cf_ocs = 0x0, be_private = 
0x774880 <cfBackInfo>, be_next = {
           stqe_next = 0x0}}
       rc = 0
#2  0x00007fae4b4897f9 in ldap_int_thread_pool_wrapper (xpool=0x2529100) at 
tpool.c:963
       pq = 0x2529100
       pool = 0x2529000
       task = 0x7fae400008c0
       work_list = 0x2529170
       ctx = {ltu_pq = 0x2529100, ltu_id = 140386483078912, ltu_key = 
{{ltk_key = 0x440674 <conn_counter_init+224>, ltk_data = 0x7fae38002aa0,
             ltk_free = 0x4404c5 <conn_counter_destroy+224>}, {ltk_key = 
0x4bc7fd <slap_sl_mem_create+197>, ltk_data = 0x7fae38002bb0, ltk_free = 
0x4bc621 <slap_sl_mem_destroy+224>}, {
             ltk_key = 0x45d2c1 <slap_op_free+224>, ltk_data = 
0x7fae38002670, ltk_free = 0x45d212 <slap_op_free+49>}, {ltk_key = 0x0, 
ltk_data = 0x7fae3c101040, ltk_free = 0x0}, {
             ltk_key = 0x0, ltk_data = 0x0, ltk_free = 0x0} <repeats 28 
times>}}
       kctx = 0x0
       i = 32
       keyslot = 494
       hash = 3805260270
       pool_lock = 0
       freeme = 0
       __PRETTY_FUNCTION__ = "ldap_int_thread_pool_wrapper"
#3  0x00007fae4ae496ba in start_thread (arg=0x7fae46748700) at 
pthread_create.c:333
       __res = <optimized out>
       pd = 0x7fae46748700
       now = <optimized out>
       unwind_buf = {cancel_jmp_buf = {{jmp_buf = {140386483078912, 
8789157664068107475, 0, 140386491460639, 140386483079616, 0, 
-8744353591714743085, -8744361424428172077},
             mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, 
data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}}
       not_first_call = <optimized out>
       pagesize_m1 = <optimized out>
       sp = <optimized out>
       freesize = <optimized out>
       __PRETTY_FUNCTION__ = "start_thread"
#4  0x00007fae4a23f82d in clone () at 
../sysdeps/unix/sysv/linux/x86_64/clone.S:109
No locals.

Thread 2 (Thread 0x7fae46f49700 (LWP 11211)):
#0  0x00007fae4a23fe23 in epoll_wait () at 
../sysdeps/unix/syscall-template.S:84
No locals.
#1  0x000000000043c6ac in slapd_daemon_task (ptr=0x2737b40) at daemon.c:2527
       err = 4
       ns = 1
       at = 0
       nfds = 2
       revents = 0x24fccc0
       tvp = 0x0
       cat = {tv_sec = 0, tv_usec = 0}
       i = 1
       nwriters = 0
       now = 1492715518
       tv = {tv_sec = 0, tv_usec = 0}
       tdelta = 1
       rtask = 0x0
       l = 1
       last_idle_check = 1492715506
       ebadf = 0
       tid = 0
#2  0x00007fae4ae496ba in start_thread (arg=0x7fae46f49700) at 
pthread_create.c:333
       __res = <optimized out>
       pd = 0x7fae46f49700
       now = <optimized out>
       unwind_buf = {cancel_jmp_buf = {{jmp_buf = {140386491471616, 
8789157664068107475, 0, 140720937019743, 140386491472320, 0, 
-8744352491666244397, -8744361424428172077},
             mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, 
data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}}
       not_first_call = <optimized out>
       pagesize_m1 = <optimized out>
       sp = <optimized out>
       freesize = <optimized out>
       __PRETTY_FUNCTION__ = "start_thread"
#3  0x00007fae4a23f82d in clone () at 
../sysdeps/unix/sysv/linux/x86_64/clone.S:109
No locals.

Thread 1 (Thread 0x7fae4b8f8700 (LWP 11196)):
#0  0x00007fae4ae4a98d in pthread_join (threadid=140386491471616, 
thread_return=0x0) at pthread_join.c:90
       __tid = 17259
       _buffer = {__routine = 0x7fae4ae4a8b0 <cleanup>, __arg = 
0x7fae46f49d28, __canceltype = 0, __prev = 0x0}
       oldtype = 0
       pd = 0x7fae46f49700
       self = 0x7fae4b8f8700
       result = 0
#1  0x00007fae4b48aeaa in ldap_pvt_thread_join (thread=140386491471616, 
thread_return=0x0) at thr_posix.c:201
No locals.
#2  0x000000000043d949 in slap_sig_wake (sig=0) at daemon.c:3012
       save_errno = 0
#3  0x0000000000415e5f in main (argc=8, argv=0x7ffc2576ac68) at main.c:1058
       i = -1
       no_detach = 1
       rc = -12
       urls = 0x24f80b0 "ldap://localhost:9011/";
       username = 0x0
       groupname = 0x0
       sandbox = 0x0
       syslogUser = 160
       pid = 16711680
       waitfds = {5294400, 0}
       g_argc = 8
       g_argv = 0x7ffc2576ac68
       configfile = 0x0
       configdir = 0x24f8090 "./slapd.d"
       serverName = 0x7ffc2576b51a "lt-slapd"
       serverMode = 1
       scp = 0x0
       scp_entry = 0x0
       debug_unknowns = 0x0
       syslog_unknowns = 0x0
       serverNamePrefix = 0x50ce18 ""
       l = 0
       slapd_pid_file_unlink = 0
       slapd_args_file_unlink = 0
       firstopt = 0
       __PRETTY_FUNCTION__ = "\000\000\000\000"


--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>