> -----Original Message-----
> From: lieven.govae...@gmail.com [mailto:lieven.govae...@gmail.com] On
> Behalf Of Lieven Govaerts
> Sent: vrijdag 10 januari 2014 11:53
> To: Subversion Development
> Subject: Segfault in mod_dav_svn with repositories on /
>
> Hi,
>
>
> a customer is seeing reproducible httpd child process segfaults when
> using Subversion.
>
> Setup:
> - Subversion 1.8.1 - WANDisco package subversion-1.8.1-1.x86_64.rpm
> - Apache 2.2.15 - RedHat package httpd-2.2.15-26.el6.x86_64
> - OS: Red Hat Enterprise Linux Server release 6.4
> - Client: svn, version 1.7.9-SlikSvn-1.7.9-WIN32 (SlikSvn/1.7.9) WIN32
>
> Apache is configured to use the prefork module. For Subversion we use
> mod_dav_svn, but not mod_authz_svn.
>
> We have a few svn repositories, all located on the root of the server.
> Relevant extra of httpd config:
> <Location />
> DAV svn
> SVNParentPath /data/scm/repositories/
> SVNListParentPath on
> SVNPathAuthz off
> ...
> </Location>
>
> A correct url in our setup is https://scm/repo.
>
> Issue:
> With this configuration, we can get httpd child processes to crash
> systematically by connecting to the root of the server:
> $ svn ls https://scm/
> ..
> svn: E175002: Unable to connect to a repository at URL 'https://scm'
> svn: E175002: OPTIONS of 'https://scm': Could not read status line:
> Secure connection truncated (https://scm)
>
> In the httpd access logs we see:
> 10.50.148.71 - - [20/Dec/2013:15:10:54 +0100] "OPTIONS / HTTP/1.1" 401 472
>
> And in error.log (after activating core dump generation and
> installation of debuginfo rpm's):
> [Fri Dec 20 15:10:58 2013] [notice] child pid 18905 exit signal
> Segmentation fault (11), possible coredump in /data/httpd/coredumps/
>
> Core dump stacktrace:
> $ gdb /usr/sbin/httpd core.17002
> Program terminated with signal 11, Segmentation fault.
> #0 dav_svn__build_uri (repos=<value optimized out>,
> what=DAV_SVN__BUILD_URI_PUBLIC, revision=-1,
> path=<value optimized out>, add_href=0, pool=0x7f8ca55ba368) at
> subversion/mod_dav_svn/util.c:249
> 249 if (root_path[1] == '\0')
> (gdb) bt
> #0 dav_svn__build_uri (repos=<value optimized out>,
> what=DAV_SVN__BUILD_URI_PUBLIC, revision=-1,
> path=<value optimized out>, add_href=0, pool=0x7f8ca55ba368) at
> subversion/mod_dav_svn/util.c:249
> #1 0x00007f8c9794aed4 in get_option (resource=0x7f8ca55d2948,
> elem=0x7f8ca55d2d30, option=0x7ffffcd83820)
> at subversion/mod_dav_svn/version.c:180
> #2 0x00007f8c9c19539a in dav_method_options (r=<value optimized out>)
> at /usr/src/debug/httpd-2.2.15/modules/dav/main/mod_dav.c:1840
> #3 0x00007f8c9c195fe8 in dav_handler (r=0x7f8ca55ba3e8)
> at /usr/src/debug/httpd-2.2.15/modules/dav/main/mod_dav.c:4650
> #4 0x00007f8ca3630bb0 in ap_run_handler (r=0x7f8ca55ba3e8) at
> /usr/src/debug/httpd-2.2.15/server/config.c:158
> #5 0x00007f8ca363446e in ap_invoke_handler (r=0x7f8ca55ba3e8) at
> /usr/src/debug/httpd-2.2.15/server/config.c:376
> #6 0x00007f8ca363fb30 in ap_process_request (r=0x7f8ca55ba3e8)
> at /usr/src/debug/httpd-2.2.15/modules/http/http_request.c:282
> #7 0x00007f8ca363c9a8 in ap_process_http_connection (c=0x7f8ca548d7b8)
> at /usr/src/debug/httpd-2.2.15/modules/http/http_core.c:190
> #8 0x00007f8ca36386b8 in ap_run_process_connection (c=0x7f8ca548d7b8)
> at /usr/src/debug/httpd-2.2.15/server/connection.c:43
> #9 0x00007f8ca3644977 in child_main (child_num_arg=<value optimized
> out>)
> at /usr/src/debug/httpd-2.2.15/server/mpm/prefork/prefork.c:667
> #10 0x00007f8ca3644c8a in make_child (s=0x7f8ca5301860, slot=12)
> at /usr/src/debug/httpd-2.2.15/server/mpm/prefork/prefork.c:763
> #11 0x00007f8ca364590c in perform_idle_server_maintenance
> (_pconf=<value optimized out>,
> plog=<value optimized out>, s=<value optimized out>)
> at /usr/src/debug/httpd-2.2.15/server/mpm/prefork/prefork.c:898
> #12 ap_mpm_run (_pconf=<value optimized out>, plog=<value optimized
> out>, s=<value optimized out>)
> at /usr/src/debug/httpd-2.2.15/server/mpm/prefork/prefork.c:1102
> #13 0x00007f8ca361c900 in main (argc=3, argv=0x7ffffcd83e68) at
> /usr/src/debug/httpd-2.2.15/server/main.c:760
>
>
> Looking at the code at the crash location, this looks like a simple
> case of an incorrect assumption:
>
> 246: /* The first character of root_path is guaranteed to be "/". If
> 247: there's no component beyond that, then just use "", so that
> 248: appending another "/" later does not result in "//". */
> 249: if (root_path[1] == '\0')
> 250: root_path = "";
>
> I'm wondering if this simple change will solve the issue (can't test
> it here/now):
>
> 249: if (root_path[0] == '\0' || root_path[1] == '\0')
> 250: root_path = "";
That would fix the segfault, but I think not the root cause of the problem.
(Personally I would check root_path[0] against '/'.)
The real problem is that we then continue building a special url (E.g
../!svn/rvr..) for something that is not really a repository.
Your segfault should be properly fixed with r1557094, but we should probably
also run some tests on a repository that is at the server root (instead of
only a parent path).
Bert
