l...@gnu.org (Ludovic Courtès) skribis: > I was able to reproduce it on hydra.gnu.org with: > > guix copy --to=hydra.gnunet.org > /gnu/store/gi7r1v65zqhh8riqprq8nchfc9v9k156-guix-current > > which leads most of the time to SIGSEGV (I couldn’t get the SIGSEGV on > my laptop):
Similar backtrace with debugging symbols: --8<---------------cut here---------------start------------->8--- #0 0x00007fc24587dac7 in deflate_fast () from /gnu/store/jwkcd7siv6fcyl0qsg607bg9c8ap0gqr-zlib-1.2.11/lib/libz.so.1 No symbol table info available. #1 0x00007fc24587f78d in deflate () from /gnu/store/jwkcd7siv6fcyl0qsg607bg9c8ap0gqr-zlib-1.2.11/lib/libz.so.1 No symbol table info available. #2 0x00007fc243b9d4e1 in gzip_compress (session=session@entry=0x10817d0, source=source@entry=0x1082170, level=<optimized out>) at /tmp/guix-build-libssh-0.7.4.drv-0/libssh-0.7.4/src/gzip.c:85 zout = 0x10845a0 in_ptr = 0x1946bc0 in_size = 24744 dest = 0x1085900 out_buf = "\000\000\000\000\000\000\000\000\000\000\235\000\000\000z\377\000\000\200\000\000\000\374\376\000\000\000\200\205\001\000\000\000\200\237\034\000\000@?9\000\000\000\000\000\000\260\032\000\000\000\200\177\064b\004\067\000\000\000\000\270\000\000\000\000@;\224\003\000\000\002\000\000\000\000\000\000\000\000\000\200\253\002\000\000\000\300G9\000\000\200\f7\246\000\000\000\000\000\000\000\000\000\064\000\000\000\000\000\000\000\000\000\230\004\000\000\000f\332\222F\004\000\000\000\064\367\032\067\006\000\000\000\000h\000\000\000\000\000\000\000\000\000\260", '\000' <repeats 13 times>, "v\000\000\000\000 ", '\000' <repeats 46 times>... 
len = <optimized out> status = <optimized out> __func__ = "gzip_compress" #3 0x00007fc243b9d813 in compress_buffer (session=session@entry=0x10817d0, buf=0x1082170) at /tmp/guix-build-libssh-0.7.4.drv-0/libssh-0.7.4/src/gzip.c:106 dest = 0x0 #4 0x00007fc243b82f37 in packet_send2 (session=session@entry=0x10817d0) at /tmp/guix-build-libssh-0.7.4.drv-0/libssh-0.7.4/src/packet.c:535 blocksize = <optimized out> hmac_type = SSH_HMAC_SHA256 currentlen = 24744 hmac = 0x0 padstring = '\000' <repeats 31 times> rc = -1 finallen = <optimized out> payloadsize = 24744 compsize = <optimized out> padding = <optimized out> header = "\000\000\000\000" __func__ = "packet_send2" #5 0x00007fc243b83885 in packet_send (session=session@entry=0x10817d0) at /tmp/guix-build-libssh-0.7.4.drv-0/libssh-0.7.4/src/packet.c:604 No locals. #6 0x00007fc243b74f4a in ssh_channel_send_eof (channel=0x10874c0) at /tmp/guix-build-libssh-0.7.4.drv-0/libssh-0.7.4/src/channels.c:1085 session = 0x10817d0 rc = -1 err = <optimized out> __func__ = "ssh_channel_send_eof" #7 0x00007fc243b75085 in ssh_channel_close (channel=0x10874c0) at /tmp/guix-build-libssh-0.7.4.drv-0/libssh-0.7.4/src/channels.c:1128 session = 0x10817d0 rc = 0 __func__ = "ssh_channel_close" #8 0x00007fc243fdd59f in ptob_close (channel=0x14983a0) at channel-type.c:228 ch = 0x14983c0 #9 0x00007fc24ac3d785 in release_port (port=0x14983a0) at ports.c:158 pt = 0x14983a0 port = 0x14983a0 pt = <optimized out> cur = 1 next = <optimized out> #10 0x00007fc24ac40a0b in scm_close_port (port=0x14983a0) at ports.c:887 No locals. #11 0x00007fc24ac7cc4d in vm_regular_engine (thread=0xffff21fa, vp=0xd24f30, registers=0x11c4b70, resume=-56837) at vm-engine.c:784 [...] 
(gdb) frame 2 #2 0x00007fc243b9d4e1 in gzip_compress (session=session@entry=0x10817d0, source=source@entry=0x1082170, level=<optimized out>) at /tmp/guix-build-libssh-0.7.4.drv-0/libssh-0.7.4/src/gzip.c:85 85 in /tmp/guix-build-libssh-0.7.4.drv-0/libssh-0.7.4/src/gzip.c (gdb) p *zout $4 = {next_in = 0x1949b1e ":key inputs outputs #:allow-other-keys)\n", ' ' <repeats 21 times>, ";; Util-linux comes with a bunch of completion files for\n", ' ' <repeats 21 times>, ";; its own commands which are more sophisticated and\n "..., avail_in = 18681, total_in = 3741615, next_out = 0x7fc2472681e6 "", avail_out = 790, total_out = 1120084, msg = 0x0, state = 0x11c3420, zalloc = 0x7fc24588ab50 <zcalloc>, zfree = 0x7fc24588ab60 <zcfree>, opaque = 0x0, data_type = 0, adler = 3865149116, reserved = 0} (gdb) p out_buf $5 = "\000\000\000\000\000\000\000\000\000\000\235\000\000\000z\377\000\000\200\000\000\000\374\376\000\000\000\200\205\001\000\000\000\200\237\034\000\000@?9\000\000\000\000\000\000\260\032\000\000\000\200\177\064b\004\067\000\000\000\000\270\000\000\000\000@;\224\003\000\000\002\000\000\000\000\000\000\000\000\000\200\253\002\000\000\000\300G9\000\000\200\f7\246\000\000\000\000\000\000\000\000\000\064\000\000\000\000\000\000\000\000\000\230\004\000\000\000f\332\222F\004\000\000\000\064\367\032\067\006\000\000\000\000h\000\000\000\000\000\000\000\000\000\260", '\000' <repeats 13 times>, "v\000\000\000\000 ", '\000' <repeats 46 times>... (gdb) p &out_buf $6 = (unsigned char (*)[4092]) 0x7fc247267500 (gdb) p (char*)zout->next_out - (char*)&out_buf $7 = 3302 (gdb) p $7 + zout->avail_out $8 = 4092 [...] 
(gdb) p *source $18 = {data = 0x1946bc0 "^", used = 24744, allocated = 32768, pos = 0, secure = 0} (gdb) p in_ptr $19 = (void *) 0x1946bc0 (gdb) p (char*)zout->next_in - (char*) in_ptr $20 = 12126 (gdb) p $20 + zout->avail_in $21 = 30807 --8<---------------cut here---------------end--------------->8--- $21 here is above source->used (30807 − 24744 = 6063 bytes), which suggests the callee, ‘deflate’, could end up reading 6K beyond the end of ‘source->data’. (Going by the values printed above, that range still ends below source->allocated = 32768, so the read would run past the bytes in use but not past the allocation itself.) Thoughts? Ludo’.