Philip Martin <philip@codematters.co.uk> writes:
> Jani Averbach <jaa@jaa.iki.fi> writes:
>
>> On 2005-07-22 12:59-0600, Jani Averbach wrote:
>>> Hello,
>>>
>>> httpd/mod_dav_svn trunk is segfaulting when the test suite runs
>>> against the server. Testing 1.2.x works fine.
>>
>> trunk @ r15378 is fine and r15389 is broken (for sure).
>
> This is the first valgrind error:
>
> $ valgrind -q /usr/local/apache2/bin/httpd -X
> ==17410== Invalid read of size 4
> ==17410== at 0x1BA5A920: apr_xlate_conv_buffer (xlate.c:338)
> ==17410== by 0x1BF15E71: convert_to_stringbuf (utf.c:432)
> ==17410== by 0x1BF16681: convert_cstring (utf.c:655)
> ==17410== by 0x1BF1676A: svn_utf_cstring_to_utf8 (utf.c:678)
> ==17410== by 0x1BF0317D: svn_error_wrap_apr (error.c:164)
> ==17410== by 0x1BF09093: svn_io_file_open (io.c:2174)
> ==17410== by 0x1BF55FDE: read_digest_file (lock.c:265)
> ==17410== by 0x1BF5690C: get_lock (lock.c:492)
> ==17410== by 0x1BF56A2A: get_lock_helper (lock.c:526)
> ==17410== by 0x1BF577CA: svn_fs_fs__get_lock (lock.c:929)
> ==17410== by 0x1B90EFF8: svn_fs_get_lock (fs-loader.c:925)
> ==17410== by 0x1BEB110A: dav_svn_get_locks (lock.c:524)
> ==17410== Address 0x1C077AC8 is 16 bytes inside a block of size 20 free'd
> ==17410== at 0x1B906B04: free (vg_replace_malloc.c:152)
> ==17410== by 0x1BB81F1D: pool_clear_debug (apr_pools.c:1376)
> ==17410== by 0x1BB82086: apr_pool_destroy_debug (apr_pools.c:1437)
> ==17410== by 0x806AC22: ap_process_http_connection (http_core.c:260)
> ==17410== by 0x808E7C4: ap_run_process_connection (connection.c:43)
> ==17410== by 0x808123C: child_main (prefork.c:610)
> ==17410== by 0x80814A7: make_child (prefork.c:650)
> ==17410== by 0x8081596: startup_children (prefork.c:722)
> ==17410== by 0x8081EB0: ap_mpm_run (prefork.c:941)
> ==17410== by 0x808877C: main (main.c:618)
> ==17410==
r15379 is the cause. The pool passed to apr_xlate_open is not the
pool on which xlate_handle_node_cleanup is registered. So when the
apr_xlate_open pool is cleared, xlate_handle_node_cleanup is not
called, and references to the invalid converter get left behind.
I don't know whether the pool passed to apr_xlate_open or the one
passed to apr_pool_cleanup_register should be changed. Was the change
in the pool passed to apr_xlate_open deliberate?
--
Philip Martin
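A toy model of the pool/cleanup mismatch described above, added here as an example and not code from APR or Subversion: a converter is opened in one pool while its cache-removal cleanup is registered on another, so clearing the converter's pool leaves the cache holding a freed converter. The names `converter_open`, `cleanup_register`, `pool_clear`, `node_cleanup` and `dangling_after_clear` are hypothetical stand-ins for apr_xlate_open, apr_pool_cleanup_register, apr_pool_clear and xlate_handle_node_cleanup.

```c
/* Hypothetical model of APR pools, cleanups and a converter cache (not APR/SVN code). */
#include <stdlib.h>

typedef void (*cleanup_fn)(void *);
typedef struct { int freed; } converter;          /* stands in for apr_xlate_t */
typedef struct { converter *conv; } handle_node;  /* stands in for xlate_handle_node_t */

typedef struct {
    converter *allocs[8]; int nallocs;            /* converters owned by this pool */
    cleanup_fn fns[8]; void *args[8]; int ncleanups;
} pool;

static handle_node *cache;                        /* long-lived cache of reusable converters */

static converter *converter_open(pool *p) {       /* models apr_xlate_open(..., pool) */
    converter *c = calloc(1, sizeof *c);
    p->allocs[p->nallocs++] = c;
    return c;
}
static void cleanup_register(pool *p, void *arg, cleanup_fn fn) {  /* apr_pool_cleanup_register */
    p->fns[p->ncleanups] = fn;
    p->args[p->ncleanups++] = arg;
}
static void pool_clear(pool *p) {                 /* run this pool's cleanups, then release its allocations */
    for (int i = 0; i < p->ncleanups; i++) p->fns[i](p->args[i]);
    p->ncleanups = 0;
    for (int i = 0; i < p->nallocs; i++) p->allocs[i]->freed = 1;  /* marked, not free()d, so it can be inspected */
    p->nallocs = 0;
}
static void node_cleanup(void *arg) {             /* models xlate_handle_node_cleanup: drop node from cache */
    if (cache == arg) cache = NULL;
}

/* Returns 1 if the cache still points at a converter whose pool has been cleared (the valgrind case). */
int dangling_after_clear(int register_on_same_pool) {
    pool conv_pool = {0}, other_pool = {0};
    handle_node node;
    cache = NULL;
    node.conv = converter_open(&conv_pool);
    cleanup_register(register_on_same_pool ? &conv_pool : &other_pool, &node, node_cleanup);
    cache = &node;
    pool_clear(&conv_pool);                       /* the apr_xlate_open pool goes away */
    int dangling = (cache != NULL && cache->conv->freed);
    free(node.conv);
    cache = NULL;
    return dangling;
}
```

With the cleanup on a different pool the stale node survives the clear, which is the state valgrind reports as a read inside a freed block; registering it on the converter's own pool removes the node before the converter is released.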
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Sat Jul 23 18:49:49 2005