Crash doing svn_client_mkdir in 1.6.15 in x86_64. Is this known?

From: Barry Scott <barry_at_barrys-emacs.org>
Date: Sun, 9 Jan 2011 20:07:35 +0000

I'm seeing the following reproducible crash on Mac OS X for x86_64 using svn 1.6.15.
This crash does not happen using 1.6.12.

It seems to be the call to apr_psprintf that is not right.

Here is the bt:

#0 0x00007fff82ac8160 in strlen ()
#1 0x00000001015190c7 in apr_vformatter (flush_func=0x101526840 <psprintf_flush>, vbuff=0x7fff5fbfd970, fmt=0x1015b2353 "s", ap=0x7fff5fbfda00) at strings/apr_snprintf.c:957
#2 0x0000000101526baa in apr_pvsprintf (pool=0x100933628, fmt=0x1015b2341 "%ld %lld %ld %ld %s", ap=0x7fff5fbfda00) at memory/unix/apr_pools.c:1117
#3 0x0000000101526e98 in apr_psprintf (p=0x100933628, fmt=0x1015b2341 "%ld %lld %ld %ld %s") at memory/unix/apr_pools.c:2017
#4 0x000000010159a61c in representation_string (rep=0x100938cb0, format=4, mutable_rep_truncated=1, pool=0x100933628) at subversion/libsvn_fs_fs/fs_fs.c:2228
#5 0x000000010159a859 in svn_fs_fs__write_noderev (outfile=0x100939f78, noderev=0x100938bf8, format=4, include_mergeinfo=1, pool=0x100933628) at subversion/libsvn_fs_fs/fs_fs.c:2271
#6 0x000000010159ac0e in svn_fs_fs__put_node_revision (fs=0x10092b6f8, id=0x100938d68, noderev=0x100938bf8, fresh_txn_root=1, pool=0x100933628) at subversion/libsvn_fs_fs/fs_fs.c:2337
#7 0x000000010159eecf in create_new_txn_noderev_from_rev (fs=0x10092b6f8, txn_id=0x100933b70 "1-4", src=0x100935340, pool=0x100933628) at subversion/libsvn_fs_fs/fs_fs.c:4240
#8 0x000000010159f647 in svn_fs_fs__create_txn (txn_p=0x100933708, fs=0x10092b6f8, rev=1, pool=0x100933628) at subversion/libsvn_fs_fs/fs_fs.c:4413
#9 0x00000001015a5a35 in svn_fs_fs__begin_txn (txn_p=0x100933708, fs=0x10092b6f8, rev=1, flags=2, pool=0x100933628) at subversion/libsvn_fs_fs/fs_fs.c:6960
#10 0x00000001001dadf0 in svn_fs_begin_txn2 (txn_p=0x100933708, fs=0x10092b6f8, rev=1, flags=2, pool=0x100933628) at subversion/libsvn_fs/fs-loader.c:641
#11 0x00000001007a0755 in svn_repos_fs_begin_txn_for_commit2 (txn_p=0x100933708, repos=0x1009220d8, rev=1, revprop_table=0x100933738, pool=0x100933628) at subversion/libsvn_repos/fs-wrap.c:85
#12 0x0000000100799278 in open_root (edit_baton=0x1009336a8, base_revision=-1, pool=0x100935628, root_baton=0x7fff5fbfdff8) at subversion/libsvn_repos/commit.c:183
#13 0x00000001007d6149 in svn_delta_path_driver (editor=0x100926638, edit_baton=0x1009336a8, revision=-1, paths=0x1009218b0, callback_func=0x100732cc8 <path_driver_cb_func>, callback_baton=0x100926638, pool=0x100921628) at subversion/libsvn_delta/path_driver.c:167
#14 0x000000010073357e in mkdir_urls (commit_info_p=0x7fff5fbfe310, urls=0x1009216a8, make_parents=0, revprop_table=0x0, ctx=0x10091b6a8, pool=0x100921628) at subversion/libsvn_client/add.c:821
#15 0x0000000100733753 in svn_client_mkdir3 (commit_info_p=0x7fff5fbfe310, paths=0x1009216a8, make_parents=0, revprop_table=0x0, ctx=0x10091b6a8, pool=0x100921628) at subversion/libsvn_client/add.c:886
#16 0x0000000101072d04 in pysvn_client::cmd_mkdir (this=0x10028cc70, a_args=@0x7fff5fbfe440, a_kws=@0x7fff5fbfe430) at pysvn_client_cmd_add.cpp:274
#17 0x000000010104e19f in Py::PythonExtension<pysvn_client>::method_keyword_call_handler (_self_and_name_tuple=0x1004ee368, _args=0x1004ec878, _keywords=0x0) at ExtensionOldType.hxx:321
#18 0x0000000100089187 in PyEval_EvalFrameEx ()
#19 0x00000001000892e1 in PyEval_EvalFrameEx ()
#20 0x00000001000892e1 in PyEval_EvalFrameEx ()
#21 0x00000001000892e1 in PyEval_EvalFrameEx ()
#22 0x000000010008acce in PyEval_EvalCodeEx ()
#23 0x000000010008ad61 in PyEval_EvalCode ()
#24 0x00000001000a265a in Py_CompileString ()
#25 0x00000001000a2723 in PyRun_FileExFlags ()
#26 0x00000001000a423d in PyRun_SimpleFileExFlags ()
#27 0x00000001000b0286 in Py_Main ()
#28 0x0000000100000e6c in ?? ()

(gdb) f 4
#4 0x000000010159a61c in representation_string (rep=0x100938cb0, format=4, mutable_rep_truncated=1, pool=0x100933628) at subversion/libsvn_fs_fs/fs_fs.c:2228
2228 return apr_psprintf(pool, "%ld %" APR_OFF_T_FMT " %" SVN_FILESIZE_T_FMT
(gdb) l
2223 {
2224 if (rep->txn_id && mutable_rep_truncated)
2225 return "-1";
2226
2227 if (format < SVN_FS_FS__MIN_REP_SHARING_FORMAT || rep->sha1_checksum == NULL)
2228 return apr_psprintf(pool, "%ld %" APR_OFF_T_FMT " %" SVN_FILESIZE_T_FMT
2229 " %" SVN_FILESIZE_T_FMT " %s",
2230 rep->revision, rep->offset, rep->size,
2231 rep->expanded_size,
2232 svn_checksum_to_cstring_display(rep->md5_checksum,
(gdb) p *rep
$1 = {
  md5_checksum = 0x100938cf0,
  sha1_checksum = 0x0,
  revision = 1,
  offset = 63,
  size = 34,
  expanded_size = 34,
  txn_id = 0x0,
  uniquifier = 0x0
}
(gdb) f 2
#2 0x0000000101526baa in apr_pvsprintf (pool=0x100933628, fmt=0x1015b2341 "%ld %lld %ld %ld %s", ap=0x7fff5fbfda00) at memory/unix/apr_pools.c:1117
1117 if (apr_vformatter(psprintf_flush, &ps.vbuff, fmt, ap) == -1) {
(gdb) f 1
#1 0x00000001015190c7 in apr_vformatter (flush_func=0x101526840 <psprintf_flush>, vbuff=0x7fff5fbfd970, fmt=0x1015b2353 "s", ap=0x7fff5fbfda00) at strings/apr_snprintf.c:957
957 s_len = strlen(s);
(gdb) p s
$2 = 0x22 <Address 0x22 out of bounds>

It seems that one of rep->size or rep->expanded_size is being used as the string address.

Barry
Received on 2011-01-09 21:08:17 CET

This is an archived mail posted to the Subversion Dev mailing list.