Re: [sqlite] Segfault with Evolution and patched SQLite 3.8.7.4 (was: Bus error with Evolution 3.12.9 and SQLite 3.8.7.4)

2015-01-09 Thread Richard Hipp
On 1/9/15, Paul Menzel  wrote:
> On Tuesday, 30.12.2014, 16:15 +0100, Paul Menzel wrote:
>
> With still around 1.3 GB free on the partition mounted to `/var/`,
> Evolution crashed and I received the following segmentation fault
> today.

Which build of SQLite are you using?  What is SQLITE_SOURCE_ID?

Also, we have some new "sqlite3.c" and "sqlite3.h" files for the
upcoming 3.8.8 release.  Can I encourage you to try them out?

>
> 0xb3f9af51 in sqlite3Strlen30 (z=0x18 <error: Cannot access memory at address 0x18>) at sqlite3.c:22902
>
>
> Thread 53 (Thread 0xa7e04b40 (LWP 3576)):
> #0  0xb3f9af51 in sqlite3Strlen30 (z=0x18 <error: Cannot access memory at address 0x18>) at sqlite3.c:22902

sqlite3Strlen30() is called with an invalid string pointer,
apparently.  The sqlite3Strlen30() function is just a strlen()
implementation that returns int instead of size_t. Stack frames 0
through 5 look fine, except for the invalid string pointer, of course.

> #5  0xb3f9ce21 in unixSync (id=0xacbe7898, flags=2) at
> sqlite3.c:28396
> dirfd = 668585276
> rc = 
> pFile = 0xacbe7898
> isDataOnly = 0
> isFullsync = 0

The unixSync routine above calls frame 4 from
(https://www.sqlite.org/src/artifact/949cdedc74dbf3c1?ln=3589).
Apparently, pFile->zPath is an invalid pointer.


> #6  0xb7ad33d6 in call_old_file_Sync (flags=,
> cFile=) at camel-db.c:66

The pFile object with the invalid zPath field is a parameter to
unixSync(), and hence comes from call_old_file_Sync(), which is not a
part of the SQLite source tree.  I don't have the sources to
camel-db.c so I cannot trace this any further.  My guess (based on the
name of the function) is that camel-db.c is trying to "sync" an
sqlite3_file object that has been previously destroyed.

This appears to be completely unrelated to the previous issue.  The
previous issue was that a file was not being extended correctly
because of a lack of disk space, so that a memcpy() into a mmap() of
that file segfaulted.  That does not appear to be what is happening
here, unless I'm missing something.


> No locals.
> #7  sync_request_thread_cb (task_data=0x860d9d88, null_data=0x0) at
> camel-db.c:92
> sync_data = 0x860d9d88
> done = 
> #8  0xb52d7e64 in g_thread_pool_thread_proxy (data=0x81a73958) at
> /build/glib2.0-EvFudu/glib2.0-2.42.1/./glib/gthreadpool.c:307
> task = 0x860d9d88
> #9  0xb52d73da in g_thread_proxy (data=0x89118e90) at
> /build/glib2.0-EvFudu/glib2.0-2.42.1/./glib/gthread.c:764
> No locals.
> #10 0xb7caeefb in start_thread (arg=0xa7e04b40) at
> pthread_create.c:309
> __res = 
> pd = 0xa7e04b40
> now = 
> unwind_buf = {cancel_jmp_buf = {{jmp_buf = {-1211363328,
> -1478472896, 4001536, -1478475224, -2031767865, -742727961},
>   mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0,
> 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}}
> not_first_call = 
> pagesize_m1 = 
> sp = 
> freesize = 
> __PRETTY_FUNCTION__ = "start_thread"
> #11 0xb51a6dfe in clone () at
> ../sysdeps/unix/sysv/linux/i386/clone.S:129
> No locals.
>
> Thread 51 (Thread 0x972ffb40 (LWP 3574)):
> #0  0xb7fdcd3c in __kernel_vsyscall ()
> No symbol table info available.
> #1  0xb7cb59fb in read () at ../sysdeps/unix/syscall-template.S:81
> No locals.
> #2  0xb3f8d76c in seekAndRead (id=0x81e43980, id=0x81e43980,
> cnt=1024, pBuf=0x8e6d9ac0, offset=23846912) at sqlite3.c:27963
> got = 
> prior = 0
> newOffset = 
> #3  unixRead (id=0x81e43980, pBuf=0x8e6d9ac0, amt=1024,
> offset=) at sqlite3.c:28027
> pFile = 0x81e43980
> #4  0xb7ad31c2 in camel_sqlite3_file_xRead (pFile=0x81e46b50,
> pBuf=0x8e6d9ac0, iAmt=1024, iOfst=23846912) at camel-db.c:211
> cFile = 0x81e46b50
> #5  0xb3f86517 in sqlite3OsRead (offset=23846912, amt=1024,
> pBuf=, id=) at sqlite3.c:15971
> No locals.
> #6  readDbPage (pPg=pPg@entry=0x8e6d9ee0, iFrame=) at
> sqlite3.c:43754
> iOffset = 23846912
> pPager = 0x81e46a48
> pgno = 23289
> rc = 0
> pgsz = 1024
> #7  0xb3fa15ab in sqlite3PagerAcquire (pPager=0x81e46a48,
> pgno=pgno@entry=23289, ppPage=0x972fe8b8, flags=2) at sqlite3.c:46275
> rc = 
> pPg = 
> iFrame = 0
> noContent = 0
> bMmapOk = 
> #8  0xb3fa199f in btreeGetPage (pBt=0x81e43920, pgno=23289,
> ppPage=0x972fe908, flags=2) at sqlite3.c:53852
> rc = 
> pDbPage = 0x8e6d9ee0
>   
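The failure mode Richard describes above, a VFS shim that hands an already destroyed file object to a later sync, modeled in plain C as an added example (not code from SQLite or from camel-db.c): the types inner_file and shim_file, the functions shim_open/shim_close/shim_sync and the constructed path are hypothetical stand-ins, and SQLITE_OK/SQLITE_MISUSE are redefined locally so it compiles without sqlite3.h. The hardened close poisons the wrapper so a sync request that runs afterwards returns an error code instead of dereferencing a freed zPath.

```c
#include <stdlib.h>
#include <string.h>
/* Real SQLite result codes, defined locally so this builds without sqlite3.h. */
#define SQLITE_OK     0
#define SQLITE_MISUSE 21

/* Stand-in for the unix VFS file object; unixSync() formats zPath with "%s"
 * when reporting an error, which is the sqlite3Strlen30 call in the trace. */
typedef struct inner_file {
  char *zPath;
  int   fd;
} inner_file;

/* Shim wrapper around the real file, as a camel-db.c style VFS keeps
 * (hypothetical layout; the real camel-db.c is not on the page). */
typedef struct shim_file {
  inner_file *pOld;   /* underlying file, owned by the shim */
  int         closed; /* set once the underlying file has been released */
} shim_file;

static int inner_sync(inner_file *p) {
  /* The real unixSync() would fsync(fd) and log zPath on failure. */
  return (p->zPath != NULL && p->fd >= 0) ? SQLITE_OK : SQLITE_MISUSE;
}

shim_file *shim_open(const char *zPath) {
  shim_file *s = calloc(1, sizeof *s);
  size_t n = strlen(zPath) + 1;
  s->pOld = calloc(1, sizeof *s->pOld);
  s->pOld->zPath = malloc(n);
  memcpy(s->pOld->zPath, zPath, n);
  s->pOld->fd = 3;  /* constructed descriptor; nothing is really opened */
  return s;
}

/* Hardened close: release the inner file, then poison the wrapper so a sync
 * still queued on a worker thread gets an error instead of touching freed memory. */
void shim_close(shim_file *s) {
  if (s->pOld) {
    free(s->pOld->zPath);
    free(s->pOld);
  }
  s->pOld = NULL;
  s->closed = 1;
}

int shim_sync(shim_file *s) {
  if (s->closed || s->pOld == NULL) return SQLITE_MISUSE;  /* reject late sync */
  return inner_sync(s->pOld);
}
```

The wrapper itself is left for its owner to free once all queued work has drained; in the unsafe variant the dangling pOld would be dereferenced by the sync thread exactly as in frames 0 through 6 of the trace.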

Re: [sqlite] Segfault with Evolution and patched SQLite 3.8.7.4 (was: Bus error with Evolution 3.12.9 and SQLite 3.8.7.4)

2015-01-09 Thread Paul Menzel
On Tuesday, 30.12.2014, 16:15 +0100, Paul Menzel wrote:
> On Tuesday, 30.12.2014, 08:21 -0500, Richard Hipp wrote:
> > On Mon, Dec 29, 2014 at 10:37 AM, László Böszörményi (GCS) wrote:
> 
> > > > it’s not obvious that these might cause such a regression.
> > >
> > > I'm the maintainer of SQLite3 in Debian and can't reproduce it on
> > > AMD64. Even if I've a local mailbox, normal IMAP4 ones and some from
> > > GMail. OK, other than the updated SQLite3 library I run on a clean
> > > Jessie.
> > 
> > Our latest theory is that the problem only arises when /var/tmp runs out of
> > space.
> 
> That seems to be a reasonable theory. Looking at `~/.bash_history` I
> indeed cleaned up `/var/crash/1300`, where my core dump files are stored
> by corekeeper [1], and only downgraded to SQLite 3.8.7.1 afterward.
> 
> Upgrading to SQLite 3.8.7.4 again I am unable to reproduce the crash
> with 2 GB free space on the partition `/var`.
> 
> I’ll rebuild SQLite now with the fix applied [2] and try to reproduce
> the issue by filling up `/var` intentionally.

With still around 1.3 GB free on the partition mounted to `/var/`,
Evolution crashed and I received the following segmentation fault
today.

0xb3f9af51 in sqlite3Strlen30 (z=0x18 <error: Cannot access memory at address 0x18>) at sqlite3.c:22902

Here is part of the backtrace.

Thread 54 (Thread 0xa24feb40 (LWP 3581)):
#0  0xb7fdcd3c in __kernel_vsyscall ()
No symbol table info available.
#1  0xb7cb5fdf in fsync () at ../sysdeps/unix/syscall-template.S:81
No locals.
#2  0xb3f9cde9 in full_fsync (fullSync=0, dataOnly=0, fd=) at sqlite3.c:28292
rc = 
#3  unixSync (id=0xa14e4b00, flags=2) at sqlite3.c:28381
rc = 
pFile = 0xa14e4b00
isDataOnly = 0
isFullsync = 0
#4  0xb7ad33d6 in call_old_file_Sync (flags=, 
cFile=) at camel-db.c:66
No locals.
#5  sync_request_thread_cb (task_data=0xa132c4d8, null_data=0x0) at 
camel-db.c:92
sync_data = 0xa132c4d8
done = 
#6  0xb52d7e64 in g_thread_pool_thread_proxy (data=0x81a73958) at 
/build/glib2.0-EvFudu/glib2.0-2.42.1/./glib/gthreadpool.c:307
task = 0xa132c4d8
#7  0xb52d73da in g_thread_proxy (data=0x890b0230) at 
/build/glib2.0-EvFudu/glib2.0-2.42.1/./glib/gthread.c:764
No locals.
#8  0xb7caeefb in start_thread (arg=0xa24feb40) at pthread_create.c:309
__res = 
pd = 0xa24feb40
now = 
unwind_buf = {cancel_jmp_buf = {{jmp_buf = {-1211363328, 
-1571820736, 4001536, -1571823064, -643453236, -742727961}, 
  mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, 
data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}}
not_first_call = 
pagesize_m1 = 
sp = 
freesize = 
__PRETTY_FUNCTION__ = "start_thread"
#9  0xb51a6dfe in clone () at 
../sysdeps/unix/sysv/linux/i386/clone.S:129
No locals.

Thread 53 (Thread 0xa7e04b40 (LWP 3576)):
#0  0xb3f9af51 in sqlite3Strlen30 (z=0x18 <error: Cannot access memory at address 0x18>) at sqlite3.c:22902
z2 = 0x18 <error: Cannot access memory at address 0x18>
#1  sqlite3VXPrintf (pAccum=pAccum@entry=0xa7e03e30, 
bFlags=bFlags@entry=0, fmt=0xb400f0f8 "s", ap=0xa7e03e90 "\003") at 
sqlite3.c:21385
c = 
bufpt = 0x18 
precision = 
length = 
idx = 
width = 
flag_leftjustify = 0 '\000'
flag_plussign = 24 '\030'
flag_blanksign = 0 '\000'
flag_alternateform = 0 '\000'
flag_altform2 = 0 '\000'
flag_zeropad = 0 '\000'
flag_long = 0 '\000'
flag_longlong = 0 '\000'
done = 
xtype = 6 '\006'
bArgList = 0 '\000'
useIntern = 0 '\000'
prefix = 
longvalue = 
realvalue = 
infop = 
zOut = 
nOut = 
zExtra = 0x0
exp = 
e2 = 
nsd = 
rounder = 
flag_dp = 
flag_rtz = 
pArgList = 0x0
buf = 
"\203\210,\000\000\000\066W+\265\001\000\000\000$\000\000\000\271\231\264\267\234\361)\265\003\000\000\000(\034\021\254\020\000\020\254\000@&\265\020\000\020\254\220\302\021\254\210(\253\201\214\022\023\265\310W\247\201E\n\270\251\371M(\265"
#2  0xb3f9b7d5 in sqlite3_vsnprintf (n=512, zBuf=0xa7e03e9b "\265", 
zFormat=0xb400f0f7 "%s", ap=0xa7e03e8c "\030") at sqlite3.c:21731
acc = {db = 0x0, zBase = 0xa7e03e9b "\265", zText = 0xa7e03e9b 
"\265", nChar = 0, nAlloc = 512, mxAlloc = 0, useMalloc = 0 '\000', 
  accError = 0 '\000'}
ap =