Activity log for bug #1333919

Date Who What changed Old value New value Message
2014-06-24 19:10:58 Ross Schlaikjer bug added bug
2014-06-24 19:47:43 Ross Schlaikjer description

Old value:

When a worker is run against a server and times out enough times, freeing that worker will then cause a segfault in gearman_packet_free. This is with Gearman 1.0.6.

    Program received signal SIGSEGV, Segmentation fault.
    checkhdr (hdr=hdr@entry=0x9595959595959565) at mcheck.c:93
    93 mcheck.c: No such file or directory.
    (gdb) bt
    #0 checkhdr (hdr=hdr@entry=0x9595959595959565) at mcheck.c:93
    #1 0x00007ffff7884ec9 in checkhdr (hdr=0x9595959595959565) at mcheck.c:185
    #2 freehook (ptr=0x9595959595959595, caller=0x7ffff7bbec8b <gearman_packet_free(gearman_packet_st*)+65>) at mcheck.c:186
    #3 0x00007ffff7bbec8b in gearman_packet_free (packet=0x609418) at libgearman/packet.cc:289
    #4 0x00007ffff7bb93c6 in gearman_connection_st::free_recv_packet (this=0x601e20) at libgearman/connection.cc:381
    #5 0x00007ffff7bb9354 in gearman_connection_st::close_socket (this=0x601e20) at libgearman/connection.cc:361
    #6 0x00007ffff7bb9118 in gearman_connection_st::~gearman_connection_st (this=0x601e20, __in_chrg=<optimized out>) at libgearman/connection.cc:264
    #7 0x00007ffff7bc28f2 in gearman_free_all_cons (universal=...) at libgearman/universal.cc:234
    #8 0x00007ffff7bc2769 in gearman_universal_free (universal=...) at libgearman/universal.cc:159
    #9 0x00007ffff7bc4f87 in gearman_worker_free (worker=0x601040) at libgearman/worker.cc:209
    #10 0x0000000000400946 in main ()

This can be replicated with the following C. The bug does not appear unless work() is called in this way at least three times.

    #include <libgearman-1.0/gearman.h>

    void* cb(gearman_job_st* job, void* ctx, size_t* foo, gearman_return_t* ret){
        return NULL;
    }

    int main(){
        gearman_worker_st* w = gearman_worker_create(NULL);
        gearman_worker_add_function(
                w,
                "test",
                10,
                cb,
                NULL
            );
        gearman_worker_add_servers(w, "gearman.xvjpf.org");
        gearman_worker_set_timeout(w, 30);
        gearman_worker_timeout(w);
        gearman_worker_work(w);
        gearman_worker_work(w);
        gearman_worker_work(w);
        gearman_worker_free(w);
    }

New value:

When a worker is run against a server and times out enough times, freeing that worker will then cause a segfault in gearman_packet_free. This is with Gearman 1.0.6.

    Program received signal SIGSEGV, Segmentation fault.
    checkhdr (hdr=hdr@entry=0x9595959595959565) at mcheck.c:93
    93 mcheck.c: No such file or directory.
    (gdb) bt
    #0 checkhdr (hdr=hdr@entry=0x9595959595959565) at mcheck.c:93
    #1 0x00007ffff7884ec9 in checkhdr (hdr=0x9595959595959565) at mcheck.c:185
    #2 freehook (ptr=0x9595959595959595, caller=0x7ffff7bbec8b <gearman_packet_free(gearman_packet_st*)+65>) at mcheck.c:186
    #3 0x00007ffff7bbec8b in gearman_packet_free (packet=0x609418) at libgearman/packet.cc:289
    #4 0x00007ffff7bb93c6 in gearman_connection_st::free_recv_packet (this=0x601e20) at libgearman/connection.cc:381
    #5 0x00007ffff7bb9354 in gearman_connection_st::close_socket (this=0x601e20) at libgearman/connection.cc:361
    #6 0x00007ffff7bb9118 in gearman_connection_st::~gearman_connection_st (this=0x601e20, __in_chrg=<optimized out>) at libgearman/connection.cc:264
    #7 0x00007ffff7bc28f2 in gearman_free_all_cons (universal=...) at libgearman/universal.cc:234
    #8 0x00007ffff7bc2769 in gearman_universal_free (universal=...) at libgearman/universal.cc:159
    #9 0x00007ffff7bc4f87 in gearman_worker_free (worker=0x601040) at libgearman/worker.cc:209
    #10 0x0000000000400946 in main ()

This can be replicated with the following C. The bug does not appear unless work() is called in this way at least three times.

    #include <libgearman-1.0/gearman.h>

    void* cb(gearman_job_st* job, void* ctx, size_t* foo, gearman_return_t* ret){
        return NULL;
    }

    int main(){
        gearman_worker_st* w = gearman_worker_create(NULL);
        gearman_worker_add_function(
                w,
                "test",
                10,
                cb,
                NULL
            );
        gearman_worker_add_servers(w, "your.gearman.server");
        gearman_worker_set_timeout(w, 30);
        gearman_worker_timeout(w);
        gearman_worker_work(w);
        gearman_worker_work(w);
        gearman_worker_work(w);
        gearman_worker_free(w);
    }