Note: This bug is displayed in read-only format because
the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Description of problem:
The crash is in ksh's version of free under job_chksave - the "segment" asked for in regionof() is null.
Version-Release number of selected component (if applicable):
ksh-20120801-10.el6_5.5.x86_64
How reproducible:
It is happening intermittently, not every time a job is run.
Steps to Reproduce:
1. No identifiable reproducer at this time
2.
3.
Actual results:
ksh crashes
[400075.213273] ksh[10862]: segfault at 0 ip 00000000004dbbb4 sp 00007fff29e5bb50 error 4 in ksh93[400000+15b000]
Expected results:
No crash
Additional info:
Core dump attached
The crash is in ksh's version of free under job_chksave - the "segment" asked for in regionof() is null.
#0 0x00000000004dbbb4 in regionof (addr=0x7f08c1921860) at /usr/src/debug/ksh-20120801/src/lib/libast/vmalloc/malloc.c:347
#1 0x00000000004dca78 in _ast_free (data=0x7f08c1921860) at /usr/src/debug/ksh-20120801/src/lib/libast/vmalloc/malloc.c:594
#2 0x0000000000428154 in job_chksave (pid=<value optimized out>) at /usr/src/debug/ksh-20120801/src/cmd/ksh93/sh/jobs.c:1980
#3 0x000000000042ac30 in job_post (shp=0x76cba0, pid=11334, join=<value optimized out>) at /usr/src/debug/ksh-20120801/src/cmd/ksh93/sh/jobs.c:1396
#0 0x00000000004dbbb4 in regionof (addr=0x7f08c1921860) at /usr/src/debug/ksh-20120801/src/lib/libast/vmalloc/malloc.c:347
347 Vmdata_t *vd = SEG(BLOCK(addr))->vmdt;
#define SEG(b) ((b)->head.head.seg.seg)
#define BLOCK(d) ((Block_t*)((char*)(d) - sizeof(Head_t)) )
(gdb) ptype Block_t
type = struct _block_s {
Head_t head;
Body_t body;
}
(gdb) p ((Block_t *)((char *)addr - sizeof(Head_t)))
$28 = (Block_t *) 0x7f08c1921850
(gdb) p ((Block_t *)((char *)addr - sizeof(Head_t)))->head.head.seg.seg
$30 = (Seg_t *) 0x0
I suspect that this is a kind of double-free that is happening in job_post/job_save.
I found the following BZ's that have very similar backtraces, it could be another manifestation of these problems in the job list code:
https://bugzilla.redhat.com/show_bug.cgi?id=1110063https://bugzilla.redhat.com/show_bug.cgi?id=825520
This is most likely duplicate of bug #1112306 but as there are no reproducers for either of these bugs, it's hard to say.
Anyway, closing as a duplicate at least for now - until you can reproduce this crash with fixed ksh package referenced in the duplicate bug. If you can do that, feel free to reopen this bug.
*** This bug has been marked as a duplicate of bug 1112306 ***
Description of problem: The crash is in ksh's version of free under job_chksave - the "segment" asked for in regionof() is null. Version-Release number of selected component (if applicable): ksh-20120801-10.el6_5.5.x86_64 How reproducible: It is happening intermittently, not every time a job is run. Steps to Reproduce: 1. No identifiable reproducer at this time 2. 3. Actual results: ksh crashes [400075.213273] ksh[10862]: segfault at 0 ip 00000000004dbbb4 sp 00007fff29e5bb50 error 4 in ksh93[400000+15b000] Expected results: No crash Additional info: Core dump attached The crash is in ksh's version of free under job_chksave - the "segment" asked for in regionof() is null. #0 0x00000000004dbbb4 in regionof (addr=0x7f08c1921860) at /usr/src/debug/ksh-20120801/src/lib/libast/vmalloc/malloc.c:347 #1 0x00000000004dca78 in _ast_free (data=0x7f08c1921860) at /usr/src/debug/ksh-20120801/src/lib/libast/vmalloc/malloc.c:594 #2 0x0000000000428154 in job_chksave (pid=<value optimized out>) at /usr/src/debug/ksh-20120801/src/cmd/ksh93/sh/jobs.c:1980 #3 0x000000000042ac30 in job_post (shp=0x76cba0, pid=11334, join=<value optimized out>) at /usr/src/debug/ksh-20120801/src/cmd/ksh93/sh/jobs.c:1396 #0 0x00000000004dbbb4 in regionof (addr=0x7f08c1921860) at /usr/src/debug/ksh-20120801/src/lib/libast/vmalloc/malloc.c:347 347 Vmdata_t *vd = SEG(BLOCK(addr))->vmdt; #define SEG(b) ((b)->head.head.seg.seg) #define BLOCK(d) ((Block_t*)((char*)(d) - sizeof(Head_t)) ) (gdb) ptype Block_t type = struct _block_s { Head_t head; Body_t body; } (gdb) p ((Block_t *)((char *)addr - sizeof(Head_t))) $28 = (Block_t *) 0x7f08c1921850 (gdb) p ((Block_t *)((char *)addr - sizeof(Head_t)))->head.head.seg.seg $30 = (Seg_t *) 0x0 I suspect that this is a kind of double-free that is happening in job_post/job_save. I found the following BZ's that have very similar backtraces, it could be another manifestation of these problems in the job list code: https://bugzilla.redhat.com/show_bug.cgi?id=1110063 https://bugzilla.redhat.com/show_bug.cgi?id=825520