svnadmin dump segfault in svn_stringbuf_appendbytes/memcpy

Bug #1555185 reported by Ken Baker on 2016-03-09
This bug affects 2 people
Affects: subversion (Ubuntu)
Importance: Undecided
Assigned to: Unassigned

Bug Description

While dumping a subversion repository svnadmin intermittently segfaults (I'd estimate 1 in 3 times). After seeing this problem a number of times I installed subversion-dbg and gdb to debug. Below is a stack trace of the failure. I've reproduced this problem using the same repository on multiple systems.

-- Ken

This is the failure I see most often...

root@8b31b8cc004d:/# gdb svnadmin
GNU gdb (Ubuntu 7.7.1-0ubuntu5~14.04.2) 7.7.1
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from svnadmin...Reading symbols from /usr/lib/debug//usr/bin/svnadmin...done.
done.
(gdb) run dump /tmp/svnroot > /dev/null
...
* Dumped revision 2421.
* Dumped revision 2422.
* Dumped revision 2423.
* Dumped revision 2424.
* Dumped revision 2425.
* Dumped revision 2426.
* Dumped revision 2427.
* Dumped revision 2428.
* Dumped revision 2429.
* Dumped revision 2430.
* Dumped revision 2431.
* Dumped revision 2432.

Program received signal SIGSEGV, Segmentation fault.
__memcpy_sse2_unaligned () at ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S:36
36 ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S: No such file or directory.
(gdb) where
#0 __memcpy_sse2_unaligned () at ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S:36
#1 0x00007ffff7559b75 in memcpy (__len=7878, __src=0x7ffff3fed13b, __dest=<optimized out>) at /usr/include/x86_64-linux-gnu/bits/string3.h:51
#2 svn_stringbuf_appendbytes (str=0x7ffff3ecb028, bytes=0x7ffff3fed13b "\211PNG\r\n\032\n", count=7878) at /build/subversion-0NcZK7/subversion-1.8.8/subversion/libsvn_subr/string.c:590
#3 0x00007ffff755eb2a in svn_temp_serializer__push (context=context@entry=0x7ffff7e120a0, source_struct=source_struct@entry=0x7ffff3f5f058, struct_size=<optimized out>) at /build/subversion-0NcZK7/subversion-1.8.8/subversion/libsvn_subr/temp_serializer.c:261
#4 0x00007ffff6aec1ae in serialize_svn_string (context=context@entry=0x7ffff7e120a0, s=s@entry=0x7ffff3f5f050) at /build/subversion-0NcZK7/subversion-1.8.8/subversion/libsvn_fs_fs/temp_serializer.c:109
#5 0x00007ffff6aec6e7 in serialize_txdeltawindow (w=0x7fffffffdcb0, context=0x7ffff7e120a0) at /build/subversion-0NcZK7/subversion-1.8.8/subversion/libsvn_fs_fs/temp_serializer.c:458
#6 svn_fs_fs__serialize_txdelta_window (buffer=0x7fffffffdc30, buffer_size=0x7fffffffdc38, item=0x7fffffffdcb0, pool=<optimized out>) at /build/subversion-0NcZK7/subversion-1.8.8/subversion/libsvn_fs_fs/temp_serializer.c:484
#7 0x00007ffff752e4d0 in membuffer_cache_set (scratch_pool=<optimized out>, serializer=<optimized out>, item=<optimized out>, key=<optimized out>, cache=0x7ffff7fc70a0) at /build/subversion-0NcZK7/subversion-1.8.8/subversion/libsvn_subr/cache-membuffer.c:1476
#8 svn_membuffer_cache_set (cache_void=0x7ffff7fcdd08, key=0x7ffff3fed13b, value=0x7fffffffdcb0, scratch_pool=0x3d8c) at /build/subversion-0NcZK7/subversion-1.8.8/subversion/libsvn_subr/cache-membuffer.c:2016
#9 0x00007ffff752fa1b in svn_cache__set (cache=0x7ffff7fcdcc8, key=<optimized out>, value=<optimized out>, scratch_pool=0x7ffff3fed028) at /build/subversion-0NcZK7/subversion-1.8.8/subversion/libsvn_subr/cache.c:105
#10 0x00007ffff6adc04b in set_cached_window (scratch_pool=0x7ffff3fed028, offset=3178977, rs=0x7ffff40e30c8, window=<optimized out>) at /build/subversion-0NcZK7/subversion-1.8.8/subversion/libsvn_fs_fs/fs_fs.c:4751
#11 read_delta_window (nwin=0x7fffffffdd58, this_chunk=<optimized out>, rs=0x7ffff40e30c8, pool=0x7ffff3fed028) at /build/subversion-0NcZK7/subversion-1.8.8/subversion/libsvn_fs_fs/fs_fs.c:4997
#12 0x00007ffff6adc2ba in get_combined_window (rb=0x7ffff3fbc2a0, result=<synthetic pointer>) at /build/subversion-0NcZK7/subversion-1.8.8/subversion/libsvn_fs_fs/fs_fs.c:5044
#13 get_contents (len=0x7fffffffddb8, buf=<optimized out>, rb=0x7ffff3fbc2a0) at /build/subversion-0NcZK7/subversion-1.8.8/subversion/libsvn_fs_fs/fs_fs.c:5199
#14 rep_read_contents (baton=0x7ffff3fbc2a0, buf=0x7ffff445f028 "\211PNG\r\n\032\n", len=0x7fffffffddb8) at /build/subversion-0NcZK7/subversion-1.8.8/subversion/libsvn_fs_fs/fs_fs.c:5224
#15 0x00007ffff755881a in svn_stream_copy3 (from=0x7ffff3fbc3c0, to=0x7ffff3fbc408, cancel_func=cancel_func@entry=0x0, cancel_baton=cancel_baton@entry=0x0, scratch_pool=scratch_pool@entry=0x7ffff3ff9028) at /build/subversion-0NcZK7/subversion-1.8.8/subversion/libsvn_subr/stream.c:498
#16 0x00007ffff7bb5d9d in dump_node (eb=eb@entry=0x7ffff3db8028, path=path@entry=0x7ffff3dc4da9 "branches/weewx/docs/images/logo-suse.png", kind=kind@entry=svn_node_file, action=action@entry=svn_node_action_add, is_copy=0, cmp_path=<optimized out>, cmp_rev=-1, pool=pool@entry=0x7ffff3ff9028)
    at /build/subversion-0NcZK7/subversion-1.8.8/subversion/libsvn_repos/dump.c:626
#17 0x00007ffff7bb5fb9 in add_file (path=0x7ffff3dc4da9 "branches/weewx/docs/images/logo-suse.png", parent_baton=0x7ffff3fd8c58, copyfrom_path=0x0, copyfrom_rev=-1, pool=0x7ffff3ff9028, file_baton=0x7fffffffe198) at /build/subversion-0NcZK7/subversion-1.8.8/subversion/libsvn_repos/dump.c:788
#18 0x00007ffff7bc1bee in path_driver_cb_func (dir_baton=dir_baton@entry=0x7fffffffe280, parent_baton=parent_baton@entry=0x7ffff3fd8c58, callback_baton=callback_baton@entry=0x7fffffffe360, edit_path=edit_path@entry=0x7ffff3dc4da9 "branches/weewx/docs/images/logo-suse.png", pool=pool@entry=0x7ffff3ff9028)
    at /build/subversion-0NcZK7/subversion-1.8.8/subversion/libsvn_repos/replay.c:597
#19 0x00007ffff7793abe in svn_delta_path_driver2 (editor=editor@entry=0x7ffff3dbc088, edit_baton=edit_baton@entry=0x7ffff3db8028, paths=0x7ffff409d0a0, paths@entry=0x7ffff3dcdf18, sort_paths=sort_paths@entry=1, callback_func=callback_func@entry=0x7ffff7bc1490 <path_driver_cb_func>, callback_baton=callback_baton@entry=0x7fffffffe360,
    pool=pool@entry=0x7ffff7e05028) at /build/subversion-0NcZK7/subversion-1.8.8/subversion/libsvn_delta/path_driver.c:263
#20 0x00007ffff7bc220c in svn_repos_replay2 (root=<optimized out>, base_path=<optimized out>, base_path@entry=0x7ffff7bca7ac "", low_water_mark=0, low_water_mark@entry=-1, send_deltas=send_deltas@entry=0, editor=0x7ffff3dbc088, edit_baton=0x7ffff3db8028, authz_read_func=authz_read_func@entry=0x0,
    authz_read_baton=authz_read_baton@entry=0x0, pool=pool@entry=0x7ffff7e05028) at /build/subversion-0NcZK7/subversion-1.8.8/subversion/libsvn_repos/replay.c:963
#21 0x00007ffff7bb6c2f in svn_repos_dump_fs3 (repos=<optimized out>, stream=0x7ffff7e0d180, start_rev=0, end_rev=3510, incremental=0, use_deltas=0, notify_func=0x403140 <repos_notify_handler>, notify_baton=0x7ffff7e0d1d8, cancel_func=cancel_func@entry=0x402dc0 <check_cancel>, cancel_baton=cancel_baton@entry=0x0,
    pool=pool@entry=0x7ffff7fe1028) at /build/subversion-0NcZK7/subversion-1.8.8/subversion/libsvn_repos/dump.c:1235
#22 0x00000000004058e4 in subcommand_dump (os=<optimized out>, baton=0x7fffffffe5f0, pool=0x7ffff7fe1028) at /build/subversion-0NcZK7/subversion-1.8.8/subversion/svnadmin/svnadmin.c:1019
#23 0x00000000004044aa in sub_main (argc=argc@entry=3, argv=argv@entry=0x7fffffffe7d8, pool=pool@entry=0x7ffff7fe1028) at /build/subversion-0NcZK7/subversion-1.8.8/subversion/svnadmin/svnadmin.c:2317
#24 0x0000000000402cb7 in main (argc=3, argv=0x7fffffffe7d8) at /build/subversion-0NcZK7/subversion-1.8.8/subversion/svnadmin/svnadmin.c:2358
(gdb)

I believe this trace is the same/related failure, except it is at a different revision in the repository and it fails this way far less often.

* Dumped revision 2374.
* Dumped revision 2375.
* Dumped revision 2376.
* Dumped revision 2377.

Program received signal SIGSEGV, Segmentation fault.
__memcpy_sse2_unaligned () at ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S:36
36 ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S: No such file or directory.
(gdb) where
#0 __memcpy_sse2_unaligned () at ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S:36
#1 0x00007ffff7559b75 in memcpy (__len=3018, __src=0x7ffff36db437, __dest=<optimized out>) at /usr/include/x86_64-linux-gnu/bits/string3.h:51
#2 svn_stringbuf_appendbytes (str=0x7ffff7e120c0, bytes=0x7ffff36db437 "# $Id$\nimport syslog\nimport Queue\nimport copy\n # Extract the required parameters. If one of them is missing,\n # a KeyError exception will occur. Be prepared to catch it.\n try:\n "..., count=3018)
    at /build/subversion-0NcZK7/subversion-1.8.8/subversion/libsvn_subr/string.c:590
#3 0x00007ffff755eb2a in svn_temp_serializer__push (context=context@entry=0x7ffff7e120a0, source_struct=source_struct@entry=0x7ffff36ca058, struct_size=<optimized out>) at /build/subversion-0NcZK7/subversion-1.8.8/subversion/libsvn_subr/temp_serializer.c:261
#4 0x00007ffff6aec1ae in serialize_svn_string (context=context@entry=0x7ffff7e120a0, s=s@entry=0x7ffff36ca050) at /build/subversion-0NcZK7/subversion-1.8.8/subversion/libsvn_fs_fs/temp_serializer.c:109
#5 0x00007ffff6aec6e7 in serialize_txdeltawindow (w=0x7fffffffdcd0, context=0x7ffff7e120a0) at /build/subversion-0NcZK7/subversion-1.8.8/subversion/libsvn_fs_fs/temp_serializer.c:458
#6 svn_fs_fs__serialize_txdelta_window (buffer=0x7fffffffdc50, buffer_size=0x7fffffffdc58, item=0x7fffffffdcd0, pool=<optimized out>) at /build/subversion-0NcZK7/subversion-1.8.8/subversion/libsvn_fs_fs/temp_serializer.c:484
#7 0x00007ffff752e4d0 in membuffer_cache_set (scratch_pool=<optimized out>, serializer=<optimized out>, item=<optimized out>, key=<optimized out>, cache=0x7ffff7fc70a0) at /build/subversion-0NcZK7/subversion-1.8.8/subversion/libsvn_subr/cache-membuffer.c:1476
#8 svn_membuffer_cache_set (cache_void=0x7ffff7fcdd08, key=0x7ffff36db437, value=0x7fffffffdcd0, scratch_pool=0x1794) at /build/subversion-0NcZK7/subversion-1.8.8/subversion/libsvn_subr/cache-membuffer.c:2016
#9 0x00007ffff752fa1b in svn_cache__set (cache=0x7ffff7fcdcc8, key=<optimized out>, value=<optimized out>, scratch_pool=0x7ffff36da028) at /build/subversion-0NcZK7/subversion-1.8.8/subversion/libsvn_subr/cache.c:105
#10 0x00007ffff6adc04b in set_cached_window (scratch_pool=0x7ffff36da028, offset=339, rs=0x7ffff37810a0, window=<optimized out>) at /build/subversion-0NcZK7/subversion-1.8.8/subversion/libsvn_fs_fs/fs_fs.c:4751
#11 read_delta_window (nwin=0x7fffffffdd78, this_chunk=<optimized out>, rs=0x7ffff37810a0, pool=0x7ffff36da028) at /build/subversion-0NcZK7/subversion-1.8.8/subversion/libsvn_fs_fs/fs_fs.c:4997
#12 0x00007ffff6adc2ba in get_combined_window (rb=0x7ffff37b9630, result=<synthetic pointer>) at /build/subversion-0NcZK7/subversion-1.8.8/subversion/libsvn_fs_fs/fs_fs.c:5044
#13 get_contents (len=0x7fffffffddd8, buf=<optimized out>, rb=0x7ffff37b9630) at /build/subversion-0NcZK7/subversion-1.8.8/subversion/libsvn_fs_fs/fs_fs.c:5199
#14 rep_read_contents (baton=0x7ffff37b9630, buf=0x7ffff307c028 "# $Id: install.py 1185 2014-12-13 02:18:38Z mwall $\n# installer for EmonCMS\n# Copyright 2014 Matthew Wall\n\nfrom setup import ExtensionInstaller\n\ndef loader():\n return EmonCMSInstaller()\n\nclass Emon"..., len=0x7fffffffddd8)
    at /build/subversion-0NcZK7/subversion-1.8.8/subversion/libsvn_fs_fs/fs_fs.c:5224
#15 0x00007ffff755881a in svn_stream_copy3 (from=0x7ffff37b9750, to=0x7ffff37b9798, cancel_func=cancel_func@entry=0x0, cancel_baton=cancel_baton@entry=0x0, scratch_pool=scratch_pool@entry=0x7ffff375a028) at /build/subversion-0NcZK7/subversion-1.8.8/subversion/libsvn_subr/stream.c:498
#16 0x00007ffff7bb5d9d in dump_node (eb=eb@entry=0x7ffff4379028, path=path@entry=0x7ffff437d281 "trunk/weewx-uploaders/log_to_file.py", kind=kind@entry=svn_node_file, action=action@entry=svn_node_action_change, is_copy=is_copy@entry=0, cmp_path=<optimized out>, cmp_rev=-1, pool=pool@entry=0x7ffff375a028)
    at /build/subversion-0NcZK7/subversion-1.8.8/subversion/libsvn_repos/dump.c:626
#17 0x00007ffff7bb5e9f in open_file (path=0x7ffff437d281 "trunk/weewx-uploaders/log_to_file.py", parent_baton=0x7ffff374e0a0, ancestor_revision=<optimized out>, pool=0x7ffff375a028, file_baton=0x7fffffffe198) at /build/subversion-0NcZK7/subversion-1.8.8/subversion/libsvn_repos/dump.c:826
#18 0x00007ffff7bc1987 in path_driver_cb_func (dir_baton=dir_baton@entry=0x7fffffffe280, parent_baton=parent_baton@entry=0x7ffff374e0a0, callback_baton=callback_baton@entry=0x7fffffffe360, edit_path=edit_path@entry=0x7ffff437d281 "trunk/weewx-uploaders/log_to_file.py", pool=pool@entry=0x7ffff375a028)
    at /build/subversion-0NcZK7/subversion-1.8.8/subversion/libsvn_repos/replay.c:663
#19 0x00007ffff7793abe in svn_delta_path_driver2 (editor=editor@entry=0x7ffff437d088, edit_baton=edit_baton@entry=0x7ffff4379028, paths=paths@entry=0x7ffff437d2d0, sort_paths=sort_paths@entry=1, callback_func=callback_func@entry=0x7ffff7bc1490 <path_driver_cb_func>, callback_baton=callback_baton@entry=0x7fffffffe360,
    pool=pool@entry=0x7ffff7e05028) at /build/subversion-0NcZK7/subversion-1.8.8/subversion/libsvn_delta/path_driver.c:263
#20 0x00007ffff7bc220c in svn_repos_replay2 (root=<optimized out>, base_path=<optimized out>, base_path@entry=0x7ffff7bca7ac "", low_water_mark=0, low_water_mark@entry=-1, send_deltas=send_deltas@entry=0, editor=0x7ffff437d088, edit_baton=0x7ffff4379028, authz_read_func=authz_read_func@entry=0x0,
    authz_read_baton=authz_read_baton@entry=0x0, pool=pool@entry=0x7ffff7e05028) at /build/subversion-0NcZK7/subversion-1.8.8/subversion/libsvn_repos/replay.c:963
#21 0x00007ffff7bb6c2f in svn_repos_dump_fs3 (repos=<optimized out>, stream=0x7ffff7e0d180, start_rev=0, end_rev=3510, incremental=0, use_deltas=0, notify_func=0x403140 <repos_notify_handler>, notify_baton=0x7ffff7e0d1d8, cancel_func=cancel_func@entry=0x402dc0 <check_cancel>, cancel_baton=cancel_baton@entry=0x0,
    pool=pool@entry=0x7ffff7fe1028) at /build/subversion-0NcZK7/subversion-1.8.8/subversion/libsvn_repos/dump.c:1235
#22 0x00000000004058e4 in subcommand_dump (os=<optimized out>, baton=0x7fffffffe5f0, pool=0x7ffff7fe1028) at /build/subversion-0NcZK7/subversion-1.8.8/subversion/svnadmin/svnadmin.c:1019
#23 0x00000000004044aa in sub_main (argc=argc@entry=3, argv=argv@entry=0x7fffffffe7d8, pool=pool@entry=0x7ffff7fe1028) at /build/subversion-0NcZK7/subversion-1.8.8/subversion/svnadmin/svnadmin.c:2317
#24 0x0000000000402cb7 in main (argc=3, argv=0x7fffffffe7d8) at /build/subversion-0NcZK7/subversion-1.8.8/subversion/svnadmin/svnadmin.c:2358

Package / system information...

root@8b31b8cc004d:/# lsb_release -rd
Description: Ubuntu 14.04.4 LTS
Release: 14.04

root@8b31b8cc004d:/# apt-cache policy subversion subversion-dbg
subversion:
  Installed: 1.8.8-1ubuntu3.2
  Candidate: 1.8.8-1ubuntu3.2
  Version table:
 *** 1.8.8-1ubuntu3.2 0
        500 http://archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
        500 http://archive.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
        100 /var/lib/dpkg/status
     1.8.8-1ubuntu3 0
        500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
subversion-dbg:
  Installed: 1.8.8-1ubuntu3.2
  Candidate: 1.8.8-1ubuntu3.2
  Version table:
 *** 1.8.8-1ubuntu3.2 0
        500 http://archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
        500 http://archive.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
        100 /var/lib/dpkg/status
     1.8.8-1ubuntu3 0
        500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
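
Whether two backtraces like the ones in this report belong to the same crash can be checked mechanically by bucketing them on their innermost function names and finding the first frame where they diverge. The following is an added example, not part of the original report or of Subversion; the two sample traces are abridged from the report (arguments shortened, frames #5 to #15 omitted), and the helper names and the bucket depth of 5 are assumptions.

```python
import hashlib
import re

# gdb `where` frame line: "#N [0xADDR in ]function (args...) at file:line"
FRAME_RE = re.compile(r"^#(\d+)\s+(?:0x[0-9a-fA-F]+ in )?([A-Za-z_]\w*) \(")

def frames(backtrace):
    """Return (frame number, function name) pairs; addresses and args are dropped."""
    out = []
    for line in backtrace.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:  # continuation lines ("    at /build/...") do not match
            out.append((int(m.group(1)), m.group(2)))
    return out

def bucket(backtrace, depth=5):
    """Hash the innermost `depth` function names into a short crash-bucket id."""
    top = [name for _, name in frames(backtrace)][:depth]
    return hashlib.sha256("\n".join(top).encode()).hexdigest()[:12]

def first_divergence(a, b):
    """(frame number, name in a, name in b) at the first differing frame, or None."""
    for (num, x), (_, y) in zip(frames(a), frames(b)):
        if x != y:
            return num, x, y
    return None

# Abridged from the first trace in the report (crash after revision 2432).
TRACE_A = """\
#0 __memcpy_sse2_unaligned () at ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S:36
#1 0x00007ffff7559b75 in memcpy (__len=7878, __src=0x7ffff3fed13b) at string3.h:51
#2 svn_stringbuf_appendbytes (str=0x7ffff3ecb028, count=7878) at string.c:590
#3 0x00007ffff755eb2a in svn_temp_serializer__push (context=0x7ffff7e120a0) at temp_serializer.c:261
#4 0x00007ffff6aec1ae in serialize_svn_string (context=0x7ffff7e120a0) at temp_serializer.c:109
#16 0x00007ffff7bb5d9d in dump_node (path=0x7ffff3dc4da9) at dump.c:626
#17 0x00007ffff7bb5fb9 in add_file (path=0x7ffff3dc4da9) at dump.c:788
"""
# Abridged from the second trace in the report (crash after revision 2377).
TRACE_B = """\
#0 __memcpy_sse2_unaligned () at ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S:36
#1 0x00007ffff7559b75 in memcpy (__len=3018, __src=0x7ffff36db437) at string3.h:51
#2 svn_stringbuf_appendbytes (str=0x7ffff7e120c0, count=3018) at string.c:590
#3 0x00007ffff755eb2a in svn_temp_serializer__push (context=0x7ffff7e120a0) at temp_serializer.c:261
#4 0x00007ffff6aec1ae in serialize_svn_string (context=0x7ffff7e120a0) at temp_serializer.c:109
#16 0x00007ffff7bb5d9d in dump_node (path=0x7ffff437d281) at dump.c:626
#17 0x00007ffff7bb5e9f in open_file (path=0x7ffff437d281) at dump.c:826
"""
print("same bucket:", bucket(TRACE_A) == bucket(TRACE_B))
print("first divergence:", first_divergence(TRACE_A, TRACE_B))
```

Both traces land in the same bucket and first differ at frame #17 (`add_file` versus `open_file`), so the crash path through the cache serializer is shared while the dump entry point differs.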

Ken Baker (bakerkj) on 2016-03-09
summary: - svnadmin dump segfault in svn_temp_serializer__push/memcpy
+ svnadmin dump segfault in memcpy
summary: - svnadmin dump segfault in memcpy
+ svnadmin dump segfault in svn_stringbuf_appendbytes/memcpy
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in subversion (Ubuntu):
status: New → Confirmed