Bug 327111

Summary: Segfault
Product: [Fedora] Fedora
Reporter: sangu <sangu.fedora>
Component: tla
Assignee: Debarshi Ray <debarshir>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: low
Version: rawhide
CC: loganjerry
Target Milestone: ---
Target Release: ---
Hardware: i386
OS: Linux
Fixed In Version: 1.3.5-4.fc8
Doc Type: Bug Fix
Last Closed: 2007-12-21 21:10:21 UTC
Attachments:
Patch to prevent segmentation fault on Fedora 8 onwards. (Flags: none)

Description sangu 2007-10-11 01:25:15 UTC
Description of problem:
$ tla register-archive http://arch.sv.gnu.org/archives/emacs
Segmentation fault
$ gdb tla
(gdb) r register-archive http://arch.sv.gnu.org/archives/emacs
[...]
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1208297184 (LWP 5605)]
0x080b0e5a in ?? ()
(gdb) bt
#0  0x080b0e5a in ?? ()
#1  0x080a0f7f in ?? ()
#2  0x00144083 in end_response (userdata=0x8381198, resource=0x8386158, 
    status=0x0, description=0x0) at ne_props.c:553
#3  0x001426f4 in end_element (userdata=0x837f190, state=2, 
    nspace=0x837fbf0 "DAV:", name=0x8386040 "response") at ne_207.c:220
#4  0x00142eb8 in end_element (userdata=0x8380778, name=0x8385f00 "D:response")
    at ne_xml.c:390
#5  0x00552262 in doContent (parser=0x8380f98, startTagLevel=0, enc=0x569300, 
    s=0x837fe5a "</D:response>\n<D:response xmlns:lp1=\"DAV:\"
xmlns:lp2=\"http://apache.org/dav/props/\"
xmlns:g0=\"DAV:\">\n<D:href>/archives/emacs/gnus/</D:href>\n<D:propstat>\n<D:prop>\n<lp1:getlastmodified>Thu,
19 Jan 2006 "..., 
    end=0x838014a "lient/0.1 neon/0.27.2\r\nConnection: TE\r\nTE:
trailers\r\nDepth: 1\r\nContent-Length: 182\r\nContent-Type: application/xml\r\n", 
    nextPtr=0x8380fb0, haveMore=1 '\001') at lib/xmlparse.c:2449
#6  0x00552edd in contentProcessor (parser=0x8380f98, 
    start=0x837fc6f "<D:multistatus xmlns:D=\"DAV:\"
xmlns:ns0=\"DAV:\">\n<D:response xmlns:lp1=\"DAV:\"
xmlns:lp2=\"http://apache.org/dav/props/\"
xmlns:g0=\"DAV:\">\n<D:href>/archives/emacs/</D:href>\n<D:propstat>\n<D:prop>\n<lp1:getl"...,

    end=0x838014a "lient/0.1 neon/0.27.2\r\nConnection: TE\r\nTE:
trailers\r\nDepth: 1\r\nContent-Length: 182\r\nContent-Type: application/xml\r\n", 
    endPtr=0x8380fb0) at lib/xmlparse.c:2023
---Type <return> to continue, or q <return> to quit---
#7  0x00553f94 in doProlog (parser=0x8380f98, enc=0x569300, 
    s=0x837fc6f "<D:multistatus xmlns:D=\"DAV:\"
xmlns:ns0=\"DAV:\">\n<D:response xmlns:lp1=\"DAV:\"
xmlns:lp2=\"http://apache.org/dav/props/\"
xmlns:g0=\"DAV:\">\n<D:href>/archives/emacs/</D:href>\n<D:propstat>\n<D:prop>\n<lp1:getl"...,

    end=0x838014a "lient/0.1 neon/0.27.2\r\nConnection: TE\r\nTE:
trailers\r\nDepth: 1\r\nContent-Length: 182\r\nContent-Type:
application/xml\r\n", tok=12, 
    next=0x837fc6f "<D:multistatus xmlns:D=\"DAV:\"
xmlns:ns0=\"DAV:\">\n<D:response xmlns:lp1=\"DAV:\"
xmlns:lp2=\"http://apache.org/dav/props/\"
xmlns:g0=\"DAV:\">\n<D:href>/archives/emacs/</D:href>\n<D:propstat>\n<D:prop>\n<lp1:getl"...,
nextPtr=0x8380fb0, haveMore=1 '\001') at lib/xmlparse.c:3905
#8  0x00554e65 in prologProcessor (parser=0x8380f98, 
    s=0x837fc48 "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<D:multistatus
xmlns:D=\"DAV:\" xmlns:ns0=\"DAV:\">\n<D:response xmlns:lp1=\"DAV:\"
xmlns:lp2=\"http://apache.org/dav/props/\"
xmlns:g0=\"DAV:\">\n<D:href>/archives/emacs/</"..., end=0x838014a "lient/0.1
neon/0.27.2\r\nConnection: TE\r\nTE: trailers\r\nDepth: 1\r\nContent-Length:
182\r\nContent-Type: application/xml\r\n", 
    nextPtr=0x8380fb0) at lib/xmlparse.c:3635
#9  0x0054c57b in XML_ParseBuffer (parser=0x8380f98, len=1282, isFinal=0)
    at lib/xmlparse.c:1573
#10 0x00555342 in XML_Parse (parser=0x8380f98, 
    s=0x8383080 "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<D:multistatus
xmlns:D=\"DAV:\" xmlns:ns0=\"DAV:\">\n<D:response xmlns:lp1=\"DAV:\"
xmlns:lp2=\"http://apache.org/dav/props/\"
xmlns:g0=\"DAV:\">\n<D:href>/archives/emacs/</"..., ---Type <return> to
continue, or q <return> to quit---
len=1282, isFinal=0) at lib/xmlparse.c:1544
#11 0x0014304d in ne_xml_parse (p=0x8380778, 
    block=0x8383080 "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<D:multistatus
xmlns:D=\"DAV:\" xmlns:ns0=\"DAV:\">\n<D:response xmlns:lp1=\"DAV:\"
xmlns:lp2=\"http://apache.org/dav/props/\"
xmlns:g0=\"DAV:\">\n<D:href>/archives/emacs/</"..., len=1282) at ne_xml.c:546
#12 0x0014317b in ne_xml_parse_v (userdata=0x8380778, 
    block=0x8383080 "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<D:multistatus
xmlns:D=\"DAV:\" xmlns:ns0=\"DAV:\">\n<D:response xmlns:lp1=\"DAV:\"
xmlns:lp2=\"http://apache.org/dav/props/\"
xmlns:g0=\"DAV:\">\n<D:href>/archives/emacs/</"..., len=1282) at ne_xml.c:500
#13 0x00135d81 in ne_read_response_block (req=0x8383048, 
    buffer=0x8383080 "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<D:multistatus
xmlns:D=\"DAV:\" xmlns:ns0=\"DAV:\">\n<D:response xmlns:lp1=\"DAV:\"
xmlns:lp2=\"http://apache.org/dav/props/\"
xmlns:g0=\"DAV:\">\n<D:href>/archives/emacs/</"..., buflen=<value optimized
out>) at ne_request.c:779
#14 0x00136144 in ne_discard_response (req=0x8383048) at ne_request.c:1334
#15 0x0013712b in ne_request_dispatch (req=0x8383048) at ne_request.c:1346
#16 0x00143925 in propfind (handler=0x8381198, results=0x80a0f10, 
    userdata=0xbf90d6b4) at ne_props.c:143
#17 0x001442c6 in ne_simple_propfind (sess=0x837e968, 
    href=0x8380620 "/archives/emacs/", depth=1, props=0x80de7e0, 
    results=0x80a0f10, userdata=0xbf90d6b4) at ne_props.c:616
---Type <return> to continue, or q <return> to quit---
#18 0x080a1235 in ?? ()
#19 0x080a138c in ?? ()
#20 0x080aa828 in ?? ()
#21 0x0809a4ae in ?? ()
#22 0x08063684 in ?? ()
#23 0x08049c4e in ?? ()
#24 0x0018f320 in __libc_start_main () from /lib/libc.so.6
#25 0x08049901 in ?? ()

Version-Release number of selected component (if applicable):
1.3.4-8.fc8

How reproducible:
always

Additional info:
neon-0.27.2-2
expat-2.0.1-2

Comment 1 Jerry James 2007-11-30 23:45:57 UTC
This happens on x86_64, too.  In src/tla/libarch/pfs-dav.c, in function results,
this invocation:

  file = str_chr_rindex_n (uri, n, '/') + 1;

sets file to 1, because the str_chr_rindex_n call is returning 0, meaning "not
found".  The code then calls str_length on file, with predictable results.

Incidentally, the string in which it is looking for a '/' (named "uri") is
"http".  The string in data->uri is "/archives/emacs".

I see that tla 1.3.5 has been out since July 2006.  Is there any chance we can
try that to see if it fixes this bug?
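
The failure mode described in Comment 1, as an added example (not tla's code and not the attached patch, whose contents are not shown on this page): `rindex_n` is a stand-in for `str_chr_rindex_n` as the comment describes it, and `href_last_segment` and `segment_is` are hypothetical helpers that test the "not found" result before adding 1. Trimming one trailing '/' is an assumption, made because the collection hrefs in the backtrace end in '/'.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for str_chr_rindex_n as Comment 1 describes it: last occurrence
   of c within the first n bytes of s, or NULL meaning "not found". */
static const char *rindex_n(const char *s, size_t n, int c)
{
    while (n > 0)
        if (s[--n] == (char)c)
            return s + n;
    return NULL;
}

/* Hypothetical helper: final path segment of a PROPFIND href. Returns its
   start and stores its length in *len, or returns NULL when the href has no
   '/', so the caller never receives the bogus pointer 0x1 from "NULL + 1". */
const char *href_last_segment(const char *uri, size_t *len)
{
    size_t n;
    const char *slash;

    if (uri == NULL || len == NULL)
        return NULL;
    n = strlen(uri);
    if (n > 1 && uri[n - 1] == '/')   /* assumption: ignore one trailing '/' */
        --n;
    slash = rindex_n(uri, n, '/');
    if (slash == NULL)                /* the check missing before the "+ 1" */
        return NULL;
    *len = (size_t)((uri + n) - (slash + 1));
    return slash + 1;
}

/* 1 if the last segment equals expect, 0 if it differs, -1 if uri has no '/'. */
int segment_is(const char *uri, const char *expect)
{
    size_t len;
    const char *seg = href_last_segment(uri, &len);
    if (seg == NULL)
        return -1;
    return len == strlen(expect) && memcmp(seg, expect, len) == 0;
}

int main(void)
{
    printf("%d %d %d\n", segment_is("http", "emacs"), segment_is("/archives/emacs", "emacs"), segment_is("/archives/emacs/gnus/", "gnus"));
    return 0;
}
```

The first input, "http", is the value Comment 1 reports in `uri` at the crash; here it yields -1 instead of a dereference of address 0x1.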

Comment 2 Josh Boyer 2007-12-01 01:09:24 UTC
I orphaned this a while ago and it was picked up by Debarshi Ray.

Comment 3 Debarshi Ray 2007-12-02 08:30:08 UTC
tla-1.3.5 is available for Fedora 7, Fedora 8 and Rawhide. Can you please try them?

Comment 4 Jerry James 2007-12-03 16:37:31 UTC
No, that doesn't fix the problem. :-(  It's still crashing in exactly the same
spot.  Here is a more detailed backtrace from my F8 x86_64 machine, with
debuginfo installed for expat-2.0.1-2, keyutils-1.2-2, neon-0.27.2-2, and
tla-1.3.5-2.

#0  str_length (x=0x1 <Address 0x1 out of bounds>)
    at /usr/src/debug/tla-1.3.5/src/hackerlab/char/str.c:54
#1  0x0000000000449b60 in results (userdata=0x7ffface6a210, 
    uri=<value optimized out>, set=<value optimized out>)
    at /usr/src/debug/tla-1.3.5/src/tla/libarch/pfs-dav.c:940
#2  0x00002aaaaaad9cb3 in end_response (userdata=0x6ff6a0, resource=0x6feb50, 
    status=<value optimized out>, description=0x6feb68 "��o") at ne_props.c:553
#3  0x00002aaaaaad8618 in end_element (userdata=0x6f7da0, state=2, 
    nspace=<value optimized out>, name=<value optimized out>) at ne_207.c:220
#4  0x00002aaaaaad8d22 in end_element (userdata=<value optimized out>, 
    name=<value optimized out>) at ne_xml.c:390
#5  0x000000383c20a035 in doContent (parser=0x6f7f30, startTagLevel=0, 
    enc=0x383c420640, 
    s=0x6fd3f2 "</D:response>\n<D:response xmlns:lp1=\"DAV:\"
xmlns:lp2=\"http://apache.org/dav/props/\"
xmlns:g0=\"DAV:\">\n<D:href>/archives/emacs/gnus/</D:href>\n<D:propstat>\n<D:prop>\n<lp1:getlastmodified>Thu,
19 Jan 2006 "..., 
    end=0x6fd692
"GMT</lp1:getlastmodified>\n<lp1:resourcetype><D:collection/></lp1:resourcetype>\n</D:prop>\n<D:status>HTTP/1.1
200
OK</D:status>\n</D:propstat>\n<D:propstat>\n<D:prop>\n<g0:getcontentlength/>\n</D:prop>\n<D:st"...,

    nextPtr=0x6f7f60, haveMore=1 '\001') at lib/xmlparse.c:2449
#6  0x000000383c20acf4 in contentProcessor (parser=0x6f7f30, 
    start=0x6feb68 "��o", 
    end=0x2aaaaaad9c80
"H\211\\$�H\211l$�H\203�\030H\213G`H\211�H\211�H\205�t\026D\213^\bE\205�~\rH\215v\030H\213\177hH\211���H\211�H\211��R���H�EH",

    endPtr=0x6464646464646464) at lib/xmlparse.c:2023
#7  0x000000383c20be19 in doProlog (parser=0x6f7f30, enc=0x383c420640, 
    s=0x6fd207 "<D:multistatus xmlns:D=\"DAV:\" xmlns:ns0=\"DAV:\">\n<D:response
xmlns:lp1=\"DAV:\" xmlns:lp2=\"http://apache.org/dav/props/\"
xmlns:g0=\"DAV:\">\n<D:href>/archives/emacs/</D:href>\n<D:propstat>\n<D:prop>\n<lp1:getl"...,

    end=0x6fd692
"GMT</lp1:getlastmodified>\n<lp1:resourcetype><D:collection/></lp1:resourcetype>\n</D:prop>\n<D:status>HTTP/1.1
200
OK</D:status>\n</D:propstat>\n<D:propstat>\n<D:prop>\n<g0:getcontentlength/>\n</D:prop>\n<D:st"...,

    tok=29, 
    next=0x6fd207 "<D:multistatus xmlns:D=\"DAV:\"
xmlns:ns0=\"DAV:\">\n<D:response xmlns:lp1=\"DAV:\"
xmlns:lp2=\"http://apache.org/dav/props/\"
xmlns:g0=\"DAV:\">\n<D:href>/archives/emacs/</D:href>\n<D:propstat>\n<D:prop>\n<lp1:getl"...,
nextPtr=0x6f7f60, haveMore=1 '\001') at lib/xmlparse.c:3905
#8  0x000000383c20ce2b in prologProcessor (parser=0x6f7f30, 
    s=0x6fd1e0 "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<D:multistatus
xmlns:D=\"DAV:\" xmlns:ns0=\"DAV:\">\n<D:response xmlns:lp1=\"DAV:\"
xmlns:lp2=\"http://apache.org/dav/props/\"
xmlns:g0=\"DAV:\">\n<D:href>/archives/emacs/</"..., 
    end=0x6fd692
"GMT</lp1:getlastmodified>\n<lp1:resourcetype><D:collection/></lp1:resourcetype>\n</D:prop>\n<D:status>HTTP/1.1
200
OK</D:status>\n</D:propstat>\n<D:propstat>\n<D:prop>\n<g0:getcontentlength/>\n</D:prop>\n<D:st"...,

    nextPtr=0x6f7f60) at lib/xmlparse.c:3635
#9  0x000000383c203fb1 in XML_ParseBuffer (parser=0x1, len=0, isFinal=0)
    at lib/xmlparse.c:1573
#10 0x00002aaaaaad8e89 in ne_xml_parse (p=0x6f6300, 
    block=0x6fb010 "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<D:multistatus
xmlns:D=\"DAV:\" xmlns:ns0=\"DAV:\">\n<D:response xmlns:lp1=\"DAV:\"
xmlns:lp2=\"http://apache.org/dav/props/\"
xmlns:g0=\"DAV:\">\n<D:href>/archives/emacs/</"..., len=1202) at ne_xml.c:546
#11 0x00002aaaaaacd479 in ne_read_response_block (req=0x6fafc0, 
    buffer=0x6fb010 "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<D:multistatus
xmlns:D=\"DAV:\" xmlns:ns0=\"DAV:\">\n<D:response xmlns:lp1=\"DAV:\"
xmlns:lp2=\"http://apache.org/dav/props/\"
xmlns:g0=\"DAV:\">\n<D:href>/archives/emacs/</"..., buflen=<value optimized
out>) at ne_request.c:779
#12 0x00002aaaaaacd790 in ne_discard_response (req=0x1) at ne_request.c:1334
#13 0x00002aaaaaace53b in ne_request_dispatch (req=0x6fafc0)
    at ne_request.c:1346
#14 0x00002aaaaaad962d in propfind (handler=0x6ff6a0, 
    results=0x449af0 <results>, userdata=0x7ffface6a210) at ne_props.c:143
#15 0x00002aaaaaad9eaf in ne_simple_propfind (sess=<value optimized out>, 
    href=<value optimized out>, depth=<value optimized out>, props=0x489cc0, 
    results=0x449af0 <results>, userdata=0x7ffface6a210) at ne_props.c:616
#16 0x0000000000449df6 in pfs_directory_files (p=0x6f4dc0, 
    path=<value optimized out>, soft_errors=1)
    at /usr/src/debug/tla-1.3.5/src/tla/libarch/pfs-dav.c:406
#17 0x0000000000449ef2 in pfs_file_exists (p=0x6f4dc0, 
    path=<value optimized out>)
    at /usr/src/debug/tla-1.3.5/src/tla/libarch/pfs-dav.c:458
#18 0x000000000045269b in pfs_archive_version (a=0x6e2770)
    at /usr/src/debug/tla-1.3.5/src/tla/libarch/archive-pfs.c:261
#19 0x00000000004446f2 in arch_archive_connect_location (name=0x0, 
    location=0x7ffface6b8ed "http://arch.sv.gnu.org/archives/emacs", 
    want_mirror_of=0x0)
    at /usr/src/debug/tla-1.3.5/src/tla/libarch/archive.c:103
#20 0x0000000000418386 in arch_cmd_register_archive (
    program_name=0x6e1460 "tla register-archive", argc=2, argv=0x7ffface6a490)
    at /usr/src/debug/tla-1.3.5/src/tla/libarch/cmd-register-archive.c:179
#21 0x000000000040277c in main (argc=3, argv=<value optimized out>)
    at /usr/src/debug/tla-1.3.5/src/tla/tla/tla.c:103
#22 0x0000003838e1e074 in __libc_start_main () from /lib64/libc.so.6
#23 0x0000000000402499 in _start ()


Comment 5 Debarshi Ray 2007-12-11 13:11:12 UTC
This bug does not hit Fedora 7 and older systems. I will try to replicate this
on Fedora 8 and Rawhide and see.

Comment 6 Debarshi Ray 2007-12-12 17:22:30 UTC
This is identical to Debian Bug #402952:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=402952

Looks like there is a problem with neon >= 0.25.2.

Comment 7 Debarshi Ray 2007-12-13 19:51:53 UTC
Created attachment 287851 [details]
Patch to prevent segmentation fault on Fedora 8 onwards.

The attached patch seems to fix this problem and I have created a new update --
1.3.5-4 -- which uses it. You can find tla-1.3.5-4 on updates-testing or from
http://koji.fedoraproject.org/koji/packageinfo?packageID=3996

Please let me know if this is satisfactory or not.

Comment 8 Fedora Update System 2007-12-15 17:49:41 UTC
tla-1.3.5-4.fc8 has been pushed to the Fedora 8 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update tla'

Comment 9 Fedora Update System 2007-12-15 17:51:42 UTC
tla-1.3.5-4.fc7 has been pushed to the Fedora 7 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update tla'

Comment 10 Jerry James 2007-12-17 04:49:24 UTC
I don't know what happened to sangu, but 1.3.5-4.fc8 works for me.  Thanks!

Comment 11 Debarshi Ray 2007-12-17 07:22:50 UTC
I am changing the resolution to "WORKSFORME". Feel free to comment if there are
further problems.

Comment 12 Fedora Update System 2007-12-21 21:10:19 UTC
tla-1.3.5-4.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 13 Fedora Update System 2007-12-21 21:13:15 UTC
tla-1.3.5-4.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.