Bug 1141634 - dnf.Base.query.filter() segfaults
Summary: dnf.Base.query.filter() segfaults
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: hawkey
Version: 21
Hardware: x86_64
OS: Unspecified
Target Milestone: ---
Assignee: Ales Kozumplik
QA Contact: Fedora Extras Quality Assurance
URL: https://retrace.fedoraproject.org/faf...
Whiteboard: abrt_hash:fca5161520eb25fa4f87642bfac...
Duplicates: 1141309
Depends On:
Blocks: 1139398 1141309
 
Reported: 2014-09-15 05:18 UTC by Tim Lauridsen
Modified: 2014-09-30 23:42 UTC

Fixed In Version: hawkey-0.5.1-1.fc21
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-09-23 04:23:44 UTC
Type: ---
Embargoed:


Attachments:
File: backtrace (159.56 KB, text/plain), 2014-09-15 05:18 UTC, Tim Lauridsen
File: cgroup (190 bytes, text/plain), 2014-09-15 05:18 UTC, Tim Lauridsen
File: core_backtrace (10.19 KB, text/plain), 2014-09-15 05:18 UTC, Tim Lauridsen
File: dso_list (8.25 KB, text/plain), 2014-09-15 05:18 UTC, Tim Lauridsen
File: environ (1.75 KB, text/plain), 2014-09-15 05:18 UTC, Tim Lauridsen
File: exploitable (82 bytes, text/plain), 2014-09-15 05:18 UTC, Tim Lauridsen
File: limits (1.29 KB, text/plain), 2014-09-15 05:18 UTC, Tim Lauridsen
File: maps (39.37 KB, text/plain), 2014-09-15 05:18 UTC, Tim Lauridsen
File: open_fds (263 bytes, text/plain), 2014-09-15 05:18 UTC, Tim Lauridsen
File: proc_pid_status (910 bytes, text/plain), 2014-09-15 05:18 UTC, Tim Lauridsen
File: var_log_messages (21.43 KB, text/plain), 2014-09-15 05:18 UTC, Tim Lauridsen
minimal dnf base class (4.46 KB, text/plain), 2014-09-15 05:22 UTC, Tim Lauridsen
example to reproduce issue (2.89 KB, text/plain), 2014-09-15 05:23 UTC, Tim Lauridsen
script to reproduce the issue (2.71 KB, text/plain), 2014-09-15 05:42 UTC, Tim Lauridsen

Description Tim Lauridsen 2014-09-15 05:18:29 UTC
Description of problem:
dnf.Base.query().available().filter(name=n, version=v, release=r, arch=a) segfaults in f21

Version-Release number of selected component:
python3-3.4.1-14.fc21

Additional info:
reporter:       libreport-2.2.3
backtrace_rating: 4
cmdline:        python3 dnf-test.py
crash_function: dataiterator_find_keyname
executable:     /usr/bin/python3.4
kernel:         3.16.1-301.fc21.x86_64
runlevel:       N 5
type:           CCpp
uid:            0

Truncated backtrace:
Thread no. 1 (10 frames)
 #0 dataiterator_find_keyname at /usr/src/debug/libsolv/src/repodata.c:1394
 #1 dataiterator_step at /usr/src/debug/libsolv/src/repodata.c:1541
 #2 filter_dataiterator at /usr/src/debug/hawkey/py3/src/query.c:284
 #3 compute at /usr/src/debug/hawkey/py3/src/query.c:805
 #4 hy_query_run_set at /usr/src/debug/hawkey/py3/src/query.c:1202
 #5 run at /usr/src/debug/hawkey/py3/src/python/query-py.c:312
 #6 call_function at /usr/src/debug/Python-3.4.1/Python/ceval.c:4239
 #7 PyEval_EvalFrameEx at /usr/src/debug/Python-3.4.1/Python/ceval.c:2853
 #8 PyEval_EvalCodeEx at /usr/src/debug/Python-3.4.1/Python/ceval.c:3607
 #9 fast_function at /usr/src/debug/Python-3.4.1/Python/ceval.c:4363

Comment 1 Tim Lauridsen 2014-09-15 05:18:33 UTC
Created attachment 937429
File: backtrace

Comment 2 Tim Lauridsen 2014-09-15 05:18:35 UTC
Created attachment 937430
File: cgroup

Comment 3 Tim Lauridsen 2014-09-15 05:18:36 UTC
Created attachment 937431
File: core_backtrace

Comment 4 Tim Lauridsen 2014-09-15 05:18:37 UTC
Created attachment 937432
File: dso_list

Comment 5 Tim Lauridsen 2014-09-15 05:18:38 UTC
Created attachment 937433
File: environ

Comment 6 Tim Lauridsen 2014-09-15 05:18:39 UTC
Created attachment 937434
File: exploitable

Comment 7 Tim Lauridsen 2014-09-15 05:18:41 UTC
Created attachment 937435
File: limits

Comment 8 Tim Lauridsen 2014-09-15 05:18:42 UTC
Created attachment 937436
File: maps

Comment 9 Tim Lauridsen 2014-09-15 05:18:43 UTC
Created attachment 937437
File: open_fds

Comment 10 Tim Lauridsen 2014-09-15 05:18:45 UTC
Created attachment 937438
File: proc_pid_status

Comment 11 Tim Lauridsen 2014-09-15 05:18:46 UTC
Created attachment 937439
File: var_log_messages

Comment 12 Tim Lauridsen 2014-09-15 05:22:00 UTC
Created attachment 937440
minimal dnf base class

Comment 13 Tim Lauridsen 2014-09-15 05:23:02 UTC
Created attachment 937441
example to reproduce issue

Comment 14 Tim Lauridsen 2014-09-15 05:30:26 UTC
It looks like .filter blows up when used to filter packages based on name, arch, version & release in f21

I have made a little test script to reproduce the issue

download attached base.py & dnf-test.py and run it with

sudo python3 dnf-test.py

the following dnf related packages were used:

dnf.0.6.1-1.fc21.noarch 
hawkey.0.5.0-2.fc21.x86_64 
librepo.1.7.5-2.fc21.x86_64

Comment 15 Tim Lauridsen 2014-09-15 05:42:39 UTC
Created attachment 937445
script to reproduce the issue

Comment 16 Tim Lauridsen 2014-09-15 05:43:35 UTC
Made the reproducer script a little simpler

Comment 17 Ales Kozumplik 2014-09-15 10:13:43 UTC
Looking.

Comment 18 Ales Kozumplik 2014-09-15 11:46:54 UTC
Odd, possibly related to other corrupted cachefile bugs (bug 1139398, bug 1131328).

The crash happens when hawkey narrows packages down to those with x86_64 architecture using libsolv's dataiterator: that is a fairly common operation and I do not believe it is specific in any way to the attached script.

Tim, do you happen to have the full core file? Can you reproduce this consistently? If you can: please upload the /var/cache/dnf file somewhere for us, then remove the cache files and try again. It should work then (and thus confirm my suspicion about libsolv cache corruption).

Thanks!

Comment 19 Tim Lauridsen 2014-09-15 12:34:11 UTC
Yes, I can reproduce this consistently on multiple f21 systems

If I delete /var/cache/dnf, the script will run one time without errors
next time I get errors again.

I will upload /var/cache/dnf to dropbox and post a link, when the upload completes.

where do I find the full core file on my system?

Comment 20 Tim Lauridsen 2014-09-15 13:13:23 UTC
upload tarball of /var/cache/dnf here

https://www.dropbox.com/sh/gofe95ogsz6gvud/AAD56gFRvHszCEHS1wH7DMsta?dl=0

Comment 21 Tim Lauridsen 2014-09-15 14:29:32 UTC
I can reproduce using dnf cli also

$ sudo dnf list dnf-0.6.1-1.fc21

will crash

If I do a 'sudo rm -rf /var/cache/dnf', then I can run the command one time and it works, next time it crashes.

Comment 22 Tim Lauridsen 2014-09-15 14:37:52 UTC
I have uploaded a tarball of the abrt files from dnf cli crash to the dropbox link above.

Comment 23 Tim Lauridsen 2014-09-15 14:45:26 UTC
also uploaded a dnf-cache-x86_64.tar.gz file containing the /var/cache/dnf on
the crash time.

Comment 24 Ales Kozumplik 2014-09-17 06:15:10 UTC
(In reply to Tim Lauridsen from comment #21)
> I can reproduce using dnf cli also
> 
> $ sudo dnf list dnf-0.6.1-1.fc21
> 
> will crash
> 
> If I do a 'sudo rm -rf /var/cache/dnf', then I can run the command one time
> and it works, next time it crashes.

Awesome, this reproduces it for me. Thanks!

Comment 25 Ales Kozumplik 2014-09-18 07:22:32 UTC
The core of the issue is heap corruption caused by receiving unexpected EVR data (from updateinfo solvables) in pool_split_evr(). The kicker is that Radek Holy has already fixed this upstream in 7f06256, but we haven't realized the issue was this severe, haven't made a build yet and, even worse, didn't see it occurring in internal testing.

I'm going to provide new builds today for rawhide and F21 devel branch. F20 is not affected as hawkey doesn't read updateinfo there.
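
Added illustration, not part of the comment above, not hawkey's code and not the upstream fix (the page shows neither): comment 25 traces the crash to pool_split_evr() receiving EVR data it did not expect, and the splitter below bounds every scan by the string length so such input yields an error or a version-only result. The `[epoch:]version[-release]` layout, `split_evr`, `struct evr_parts` and the sample string are assumptions of this example.

```c
#include <string.h>

/* Borrowed slices into the caller's string; the input is never modified. */
struct evr_parts {
    const char *epoch, *version, *release; /* epoch/release NULL if absent */
    size_t epoch_len, version_len, release_len;
};

/* Split "[epoch:]version[-release]" (layout assumed for this example).
 * Returns 0 on success, -1 for NULL, empty version or non-numeric epoch.
 * Scans stop at strlen(evr): no ':' or '-' means a version-only result. */
int split_evr(const char *evr, struct evr_parts *out)
{
    if (evr == NULL || out == NULL)
        return -1;
    size_t len = strlen(evr);
    const char *end = evr + len, *ver = evr, *dash = NULL;
    const char *colon = memchr(evr, ':', len);
    memset(out, 0, sizeof(*out));
    if (colon != NULL) {
        if (colon == evr)
            return -1;                      /* ":1.0-1" has an empty epoch */
        for (const char *p = evr; p < colon; p++)
            if (*p < '0' || *p > '9')
                return -1;                  /* epoch must be all digits */
        out->epoch = evr;
        out->epoch_len = (size_t)(colon - evr);
        ver = colon + 1;
    }
    for (const char *p = ver; p < end; p++) /* release follows the last '-' */
        if (*p == '-')
            dash = p;
    const char *ver_end = dash ? dash : end;
    if (ver_end == ver)
        return -1;                          /* empty version */
    out->version = ver;
    out->version_len = (size_t)(ver_end - ver);
    if (dash != NULL) {
        out->release = dash + 1;
        out->release_len = (size_t)(end - out->release);
    }
    return 0;
}

int main(void)
{
    struct evr_parts p;
    return split_evr("0.5.1", &p); /* constructed version-only input: 0 */
}
```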

Comment 26 Ales Kozumplik 2014-09-18 07:26:28 UTC
*** Bug 1141309 has been marked as a duplicate of this bug. ***

Comment 27 Fedora Update System 2014-09-18 08:44:44 UTC
hawkey-0.5.1-1.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/hawkey-0.5.1-1.fc21

Comment 28 Tim Lauridsen 2014-09-18 17:05:56 UTC
Fixes the issue for me, thanks :)

Comment 29 Fedora Update System 2014-09-19 17:44:24 UTC
Package hawkey-0.5.1-1.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing hawkey-0.5.1-1.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-11102/hawkey-0.5.1-1.fc21
then log in and leave karma (feedback).

Comment 30 Fedora Update System 2014-09-23 04:23:44 UTC
hawkey-0.5.1-1.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

