Date: Thu, 3 Jul 2014 14:01:05 +0200 From: Fabian Keil <freebsd-listen@fabiankeil.de> To: FreeBSD Current <freebsd-current@freebsd.org> Subject: getenv("TZ") crashes triggered by tzset_basic() Message-ID: <20140703140105.41065cd2@fabiankeil.de>
next in thread | raw e-mail | index | archive | help
--Sig_/CKeEcckl_f2utA23KkI/Shq Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: quoted-printable Using HEAD, www/gatling reproducible crashes for me after receiving a single request if TZ isn't set: (gdb) where #0 strncmp (s1=3D<optimized out>, s2=3D<optimized out>, n=3D<optimized out= >) at /usr/src/lib/libc/string/strncmp.c:46 #1 0x00000008011a9ffe in strncmpeq (nameValue=3D0x7fffffffeb5e "LC_PAPER= =3Dde_DE.UTF-8", name=3D0x8011be49e "TZ", nameLen=3D<optimized out>) at /us= r/src/lib/libc/stdlib/getenv.c:144 #2 __findenv_environ (name=3D<optimized out>, nameLen=3D<optimized out>) a= t /usr/src/lib/libc/stdlib/getenv.c:195 #3 getenv (name=3D0x8011be49e "TZ") at /usr/src/lib/libc/stdlib/getenv.c:4= 41 #4 0x0000000801189f49 in tzset_basic (rdlocked=3D0) at /usr/src/lib/libc/.= ./../contrib/tzcode/stdtime/localtime.c:1274 #5 0x000000080118a13e in localtime (timep=3D0x801c12030) at /usr/src/lib/l= ibc/../../contrib/tzcode/stdtime/localtime.c:1467 #6 0x000000000040d38d in http_dirlisting (h=3D0x801c07140, D=3D0x801c0e080= , path=3D0x7fffffffbb50 "/", arg=3D0x0) at http.c:214 #7 0x000000000040ff9d in http_openfile (h=3D0x801c07140, filename=3D0x801c= 0c085 "/", ss=3D0x7fffffffc108, sockfd=3D9, nobody=3D1) at http.c:1485 #8 0x0000000000413922 in httpresponse (h=3D0x801c07140, s=3D9, headerlen= =3D76) at http.c:1940 #9 0x000000000040657d in handle_read_misc (i=3D9, h=3D0x801c07140, ftptime= out_secs=3D600, nextftp=3D...) at gatling.c:1051 #10 0x0000000000404d54 in main (argc=3D3, argv=3D0x7fffffffe840, envp=3D0x7= fffffffe860) at gatling.c:2247 This is not a recent regression, I first noticed it a couple of months ago but haven't had time to look into it yet. If was reminded of this because a program I'm working on (Privoxy) recently crashed thusly: (gdb) where #0 0x000000080128ef40 in strncmp (s1=3D<optimized out>, s2=3D<optimized ou= t>, n=3D<optimized out>) at /usr/src/lib/libc/string/strncmp.c:46 #1 0x000000080128bb92 in getenv (name=3D<optimized out>) at /usr/src/lib/l= ibc/stdlib/getenv.c:424 #2 0x000000080126bb39 in tzset_basic (rdlocked=3D0) at /usr/src/lib/libc/.= ./../contrib/tzcode/stdtime/localtime.c:1281 #3 0x000000080126bb1b in tzset_basic (rdlocked=3D-14721152) at /usr/src/li= b/libc/../../contrib/tzcode/stdtime/localtime.c:1274 #4 0x000000080122c0a0 in _fmt (format=3D0x22313031734e6863 <Address 0x2231= 3031734e6863 out of bounds>, t=3D0x8012a009e, pt=3D0x2 <Address 0x2 out of = bounds>, ptlim=3D0xf5 <Address 0xf5 out of bounds>,=20 warnp=3D0x8014cc418 <tzname+8>, loc=3D0x80126bb1b <tzset_basic+27>) at = /usr/src/lib/libc/stdtime/strftime.c:137 #5 0x000000080122d6fb in _conv (n=3D<optimized out>, format=3D<optimized o= ut>, pt=3D<optimized out>, n=3D<optimized out>, format=3D<optimized out>, p= t=3D<optimized out>, ptlim=3D<optimized out>) at /usr/src/lib/libc/stdtime/strftime.c:597 #6 _yconv (a=3D<optimized out>, b=3D<optimized out>, convert_top=3D<optimi= zed out>, convert_yy=3D<optimized out>, pt=3D<optimized out>, ptlim=3D<opti= mized out>, a=3D<optimized out>, b=3D<optimized out>,=20 convert_top=3D<optimized out>, convert_yy=3D<optimized out>, pt=3D<opti= mized out>, ptlim=3D<optimized out>) at /usr/src/lib/libc/stdtime/strftime.= c:649 #7 0x0000000000428747 in get_log_timestamp (buffer=3D0x7fffff1f5f80 "2014-= 06-30 17:03:45.115", buffer_size=3D30) at errlog.c:482 [...] (gdb) f 3 #3 0x000000080126bb1b in tzset_basic (rdlocked=3D-14721152) at /usr/src/li= b/libc/../../contrib/tzcode/stdtime/localtime.c:1274 1274 name =3D getenv("TZ"); I haven't been able to reproduce the Privoxy crash yet, but in case of gatling the problem is reproducible and valgrind doesn't complain about any previous memory corruption: fk@r500 ~/test/privoxy/test $valgrind gatling -p 81 =3D=3D6563=3D=3D Memcheck, a memory error detector =3D=3D6563=3D=3D Copyright (C) 2002-2012, and GNU GPL'd, by Julian Seward e= t al. =3D=3D6563=3D=3D Using Valgrind-3.8.1 and LibVEX; rerun with -h for copyrig= ht info =3D=3D6563=3D=3D Command: gatling -p 81 =3D=3D6563=3D=3D=20 starting_up 0 :: 81 start_ftp 0 :: 2121 accept 7 10.0.0.1 48596 1 http =3D=3D6563=3D=3D Invalid read of size 1 =3D=3D6563=3D=3D at 0x1039C74: strncmp (mc_replace_strmem.c:596) =3D=3D6563=3D=3D by 0x1BA1FFD: getenv (getenv.c:144) =3D=3D6563=3D=3D by 0x1B81F48: ??? (localtime.c:1274) =3D=3D6563=3D=3D by 0x1B8213D: localtime (localtime.c:1467) =3D=3D6563=3D=3D by 0x40D38C: http_dirlisting (http.c:214) =3D=3D6563=3D=3D by 0x40FF9C: http_openfile (http.c:1485) =3D=3D6563=3D=3D by 0x413921: httpresponse (http.c:1940) =3D=3D6563=3D=3D by 0x40657C: handle_read_misc (gatling.c:1051) =3D=3D6563=3D=3D by 0x404D53: main (gatling.c:2247) =3D=3D6563=3D=3D Address 0xff000b7a is not stack'd, malloc'd or (recently)= free'd =3D=3D6563=3D=3D=20 =3D=3D6563=3D=3D=20 =3D=3D6563=3D=3D Process terminating with default action of signal 11 (SIGS= EGV): dumping core =3D=3D6563=3D=3D Access not within mapped region at address 0xFF000B7A =3D=3D6563=3D=3D at 0x1039C74: strncmp (mc_replace_strmem.c:596) =3D=3D6563=3D=3D by 0x1BA1FFD: getenv (getenv.c:144) =3D=3D6563=3D=3D by 0x1B81F48: ??? (localtime.c:1274) =3D=3D6563=3D=3D by 0x1B8213D: localtime (localtime.c:1467) =3D=3D6563=3D=3D by 0x40D38C: http_dirlisting (http.c:214) =3D=3D6563=3D=3D by 0x40FF9C: http_openfile (http.c:1485) =3D=3D6563=3D=3D by 0x413921: httpresponse (http.c:1940) =3D=3D6563=3D=3D by 0x40657C: handle_read_misc (gatling.c:1051) =3D=3D6563=3D=3D by 0x404D53: main (gatling.c:2247) =3D=3D6563=3D=3D If you believe this happened as a result of a stack =3D=3D6563=3D=3D overflow in your program's main thread (unlikely but =3D=3D6563=3D=3D possible), you can try to increase the size of the =3D=3D6563=3D=3D main thread stack using the --main-stacksize=3D flag. =3D=3D6563=3D=3D The main thread stack size used in this run was 16777216. =3D=3D6563=3D=3D=20 =3D=3D6563=3D=3D HEAP SUMMARY: =3D=3D6563=3D=3D in use at exit: 18,848 bytes in 6 blocks =3D=3D6563=3D=3D total heap usage: 25 allocs, 19 frees, 47,144 bytes allo= cated =3D=3D6563=3D=3D=20 =3D=3D6563=3D=3D LEAK SUMMARY: =3D=3D6563=3D=3D definitely lost: 0 bytes in 0 blocks =3D=3D6563=3D=3D indirectly lost: 0 bytes in 0 blocks =3D=3D6563=3D=3D possibly lost: 0 bytes in 0 blocks =3D=3D6563=3D=3D still reachable: 18,848 bytes in 6 blocks =3D=3D6563=3D=3D suppressed: 0 bytes in 0 blocks =3D=3D6563=3D=3D Rerun with --leak-check=3Dfull to see details of leaked me= mory =3D=3D6563=3D=3D=20 =3D=3D6563=3D=3D For counts of detected and suppressed errors, rerun with: = -v =3D=3D6563=3D=3D ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 fro= m 0) Segmentation fault I can't reproduce the problem with a test program that merely calls localtime(), so I assume some environment changes are required. Has anyone seens this or is able to reproduce the gatling crashes? Fabian --Sig_/CKeEcckl_f2utA23KkI/Shq Content-Type: application/pgp-signature; name=signature.asc Content-Disposition: attachment; filename=signature.asc -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (FreeBSD) iEYEARECAAYFAlO1RgQACgkQBYqIVf93VJ1LxACeOyu5j6p/hfsX+7I67nV3VD8h NJgAn2+nJP50B+W+WEjNwaiH7nC1gvVn =fWPG -----END PGP SIGNATURE----- --Sig_/CKeEcckl_f2utA23KkI/Shq--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20140703140105.41065cd2>