Bug 1326938

Summary: [acct policy - read only replica] 1.2.11.15-72.el6_7 crash, modify and double free, follow up of bz 1316869
Product: Red Hat Enterprise Linux 6
Reporter: Marc Sauton <msauton>
Component: 389-ds-base
Assignee: Noriko Hosoi <nhosoi>
Status: CLOSED DUPLICATE
QA Contact: Viktor Ashirov <vashirov>
Severity: high
Priority: unspecified
Version: 6.7
CC: gparente, lkrispen, nkinder, rmeggins
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2016-05-26 15:15:45 UTC
Type: Bug
Attachments:
edited stack trace from sf 01569043 customer core.4315 with 389-ds-base-1.2.11.15-72 (flags: none)

Description Marc Sauton 2016-04-13 19:44:04 UTC
Created attachment 1146944
edited stack trace from sf 01569043 customer core.4315 with 389-ds-base-1.2.11.15-72

Description of problem:

this is a follow up to 
1316869 - ns-slapd general protection ip:7f570c56afd5 sp:7f56dc7edce0 error:0 in libc-2.12.so

after the 1.2.11.15-72 errata, we still have a crash:

#0  0x00007f3932d59625 in raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  0x00007f3932d5ae05 in abort () at abort.c:92
#2  0x00007f3932d97537 in __libc_message (do_abort=2, fmt=0x7f3932e7f8c0 "*** glibc detected *** %s: %s: 0x%s ***\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:198
#3  0x00007f3932d9cf4e in malloc_printerr (action=3, str=0x7f3932e7fc50 "double free or corruption (!prev)", ptr=<value optimized out>, ar_ptr=<value optimized out>) at malloc.c:6350
#4  0x00007f3932d9fcf0 in _int_free (av=0x7f38f0000020, p=0x7f38f08f53f0, have_lock=0) at malloc.c:4836
#5  0x00007f39352b5556 in slapi_ch_free (ptr=0x7f39161f77c0) at ldap/servers/slapd/ch_malloc.c:363
#6  0x00007f392b922b3c in id2entry_add_ext (be=0x23b2b20, e=0x7f38f0272d10, txn=<value optimized out>, encrypt=<value optimized out>, cache_res=0x7f39161f79cc) at ldap/servers/slapd/back-ldbm/id2entry.c:140
#7  0x00007f392b9522a4 in ldbm_back_modify (pb=0x4156e70) at ldap/servers/slapd/back-ldbm/ldbm_modify.c:638
#8  0x00007f39352f0031 in op_shared_modify (pb=<value optimized out>, pw_change=0, old_pw=0x0) at ldap/servers/slapd/modify.c:1066
#9  0x00007f39352f131e in do_modify (pb=0x4156e70) at ldap/servers/slapd/modify.c:408
#10 0x00000000004146d4 in connection_dispatch_operation () at ldap/servers/slapd/connection.c:594
#11 connection_threadmain () at ldap/servers/slapd/connection.c:2360
#12 0x00007f393371fa83 in PR_JoinThread (thred=0x10db) at ../../../nspr/pr/src/pthreads/ptthread.c:577
#13 0x0000000000000000 in ?? ()
(gdb)

the full back trace is attached to this report.

a test VM can be accessed internally with the customer provided core file.


Version-Release number of selected component (if applicable):
1.2.11.15-72

How reproducible:
N/A, took days to happen in the customer environment


Steps to Reproduce:
1. not clear yet

Additional info:


Thread 1 (Thread 0x7f39161fc700 (LWP 4330)):
#0  0x00007f3932d59625 in raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
        resultvar = 0
        pid = <value optimized out>
        selftid = <value optimized out>
#1  0x00007f3932d5ae05 in abort () at abort.c:92
        save_stage = 2
        act = {__sigaction_handler = {sa_handler = 0x7f39161f6d38, sa_sigaction = 0x7f39161f6d38}, sa_mask = {__val = {139883161021728, 139883686977112, 16, 139883643915369, 1, 139883642596271, 5, 139883643919024, 3, 139883161021726, 2, 139883643915395, 1, 139883643922126, 3, 139883161021732}}, sa_flags = 12, sa_restorer = 0x7f3932e7e6d2}
        sigs = {__val = {32, 0 <repeats 15 times>}}
#2  0x00007f3932d97537 in __libc_message (do_abort=2, fmt=0x7f3932e7f8c0 "*** glibc detected *** %s: %s: 0x%s ***\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:198
        ap = {{gp_offset = 40, fp_offset = 48, overflow_arg_area = 0x7f39161f76a0, reg_save_area = 0x7f39161f75b0}}
        ap_copy = {{gp_offset = 16, fp_offset = 48, overflow_arg_area = 0x7f39161f76a0, reg_save_area = 0x7f39161f75b0}}
        fd = 2
        on_2 = <value optimized out>
        list = <value optimized out>
        nlist = <value optimized out>
        cp = <value optimized out>
        written = <value optimized out>
#3  0x00007f3932d9cf4e in malloc_printerr (action=3, str=0x7f3932e7fc50 "double free or corruption (!prev)", ptr=<value optimized out>, ar_ptr=<value optimized out>) at malloc.c:6350
        buf = "00007f38f08f5400"
        cp = <value optimized out>
#4  0x00007f3932d9fcf0 in _int_free (av=0x7f38f0000020, p=0x7f38f08f53f0, have_lock=0) at malloc.c:4836
        size = <value optimized out>
        fb = <value optimized out>
        nextchunk = <value optimized out>
        nextsize = <value optimized out>
        nextinuse = <value optimized out>
        prevsize = <value optimized out>
        bck = <value optimized out>
        fwd = <value optimized out>
        errstr = <value optimized out>
        locked = <value optimized out>
#5  0x00007f39352b5556 in slapi_ch_free (ptr=0x7f39161f77c0) at ldap/servers/slapd/ch_malloc.c:363
No locals.
#6  0x00007f392b922b3c in id2entry_add_ext (be=0x23b2b20, e=0x7f38f0272d10, txn=<value optimized out>, encrypt=<value optimized out>, cache_res=0x7f39161f79cc) at ldap/servers/slapd/back-ldbm/id2entry.c:140
        inst = 0x23b2c00
        db = 0x2429ae0
        db_txn = <value optimized out>
        data = {data = 0x7f38f08f5400, size = 1618188, ulen = 0, dlen = 0, doff = 0, app_data = 0x0, flags = 0}
        key = {data = 0x7f39161f7830, size = 4, ulen = 0, dlen = 0, doff = 0, app_data = 0x0, flags = 0}
        len = 1618187
        rc = 0
        temp_id = "\000\000\001\252"
        encrypted_entry = 0x0
        entrydn = 0x0
#7  0x00007f392b9522a4 in ldbm_back_modify (pb=0x4156e70) at ldap/servers/slapd/back-ldbm/ldbm_modify.c:638
        cache_rc = 0
        new_mod_count = <value optimized out>
        be = 0x23b2b20
        inst = 0x23b2c00
        li = 0x224cdf0
        e = 0x2d7edb0
        ec = 0x7f38f0272d10
        original_entry = 0x7f38f10f4fc0
        tmpentry = 0x0
        postentry = 0x0
        mods = 0x7f38f0003240
        mods_original = 0x7f38f0273040
        smods = {mods = 0x7f38f0003240, num_elements = 2, num_mods = 1, iterator = 0, free_mods = 0}
        txn = {back_txn_txn = 0x7f38f1595c40}
        parent_txn = 0x0
        ruv_c = {old_entry = 0x0, new_entry = 0x0, smods = 0x0, attr_encrypt = 0}
        ruv_c_init = 0
        retval = 0
        msg = <value optimized out>
        errbuf = 0x0
        retry_count = <value optimized out>
        disk_full = 0
        ldap_result_code = 0
        ldap_result_message = 0x0
        rc = 0
        operation = 0x4157180
        dblock_acquired = 1
        addr = 0x4157258
        is_fixup_operation = 0
        is_ruv = 0
        opcsn = <value optimized out>
        repl_op = 8
        opreturn = 0
        mod_count = 1
#8  0x00007f39352f0031 in op_shared_modify (pb=<value optimized out>, pw_change=0, old_pw=0x0) at ldap/servers/slapd/modify.c:1066
...snip...

Comment 20 Marc Sauton 2016-05-26 15:15:45 UTC
closing bz 1326938 as dup of bz 1316869

*** This bug has been marked as a duplicate of bug 1316869 ***