
server crash in authz object pool

From: Stefan Sperling <stsp_at_apache.org>
Date: Mon, 12 Feb 2018 12:50:12 +0100

The svn-bb-openbsd bot has found a crash in the object pool code.

It is triggered when running RA serf tests on OpenBSD. The httpd
work processes crash due to what looks like a use-after-free (0xdf
means this byte of memory has been freed).

I can reproduce this on sparc64 and amd64 machines.
The build is without APR_HAS_THREADS, using the prefork MPM with HTTPD 2.2.
Let me know if you need more details. I have no time at present to hunt
this down myself, so I'm sending this info to the list in hope that it
will be useful.

#2 0x00000efde1f5550d in lookup (object=0xefe4c595ac0, object_pool=0xefe97bc4f60, key=0xefe97bc4ac0, result_pool=0xefddbb18500)
    at subversion/libsvn_subr/object_pool.c:193
193 = apr_hash_get(object_pool->objects, key->data, key->size);
(gdb) p *object_pool->objects
$3 = {pool = 0xdfdfdfdfdfdfdfdf, array = 0xdfdfdfdfdfdfdfdf, iterator = {ht = 0x0, this = 0x0, next = 0xdfdfdfdfdfdfdfdf, index = 3755991007},
  count = 3755991007, max = 3755991007, seed = 3755991007, hash_func = 0xdfdfdfdfdfdfdfdf, free = 0xdfdfdfdfdfdfdfdf}
(gdb) bt
#0 0x00000efe4199790c in find_entry (ht=0x2e646e762f6e6f69, key=0xefec8a8aa40, klen=16, val=0x0)
    at /home/stsp/svn/src/apr-1.5.2/tables/apr_hash.c:293
#1 0x00000efe41997c7a in apr_hash_get (ht=0x2e646e762f6e6f69, key=0xefec8a8aa40, klen=16) at /home/stsp/svn/src/apr-1.5.2/tables/apr_hash.c:367
#2 0x00000efde1f5550d in lookup (object=0xefe4c595ac0, object_pool=0xefe97bc4f60, key=0xefe97bc4ac0, result_pool=0xefddbb18500)
    at subversion/libsvn_subr/object_pool.c:193
#3 0x00000efde1f55814 in svn_object_pool__lookup (object=0xefe4c595ac0, object_pool=0xefe97bc4f60, key=0xefe97bc4ac0,
    result_pool=0xefddbb18500) at subversion/libsvn_subr/object_pool.c:309
#4 0x00000efe40b70459 in authz_read (authz_p=0xefe4c595ac0, authz_id=0xefe4c595ac8,
---Type <return> to continue, or q <return> to quit---
    path=0xefe5f813680 "/home/stsp/svn/svn-trunk/subversion/tests/cmdline/svn-test-work/authz", groups_path=0x0, must_exist=1, repos_hint=0x0,
    result_pool=0xefddbb18500, scratch_pool=0xefddbb1a600) at subversion/libsvn_repos/authz.c:1579
#5 0x00000efe40b7067f in svn_repos_authz_read3 (authz_p=0x7f7ffffe2170,
    path=0xefe5f813680 "/home/stsp/svn/svn-trunk/subversion/tests/cmdline/svn-test-work/authz", groups_path=0x0, must_exist=1, repos_hint=0x0,
    result_pool=0xefddbb18500, scratch_pool=0xefddbb1a600) at subversion/libsvn_repos/authz.c:1642
#6 0x00000efecc0ae158 in get_access_conf (r=0xefe412bb400, conf=0xefe1d05af00, scratch_pool=0xefddbb1a600)
    at subversion/mod_authz_svn/mod_authz_svn.c:467
#7 0x00000efecc0ae7c6 in req_check_access (r=0xefe412bb400, conf=0xefe1d05af00, repos_path_ref=0x7f7ffffe2320,
---Type <return> to continue, or q <return> to quit---
    dest_repos_path_ref=0x7f7ffffe2318) at subversion/mod_authz_svn/mod_authz_svn.c:690
#8 0x00000efecc0aefb0 in auth_checker (r=0xefe412bb400) at subversion/mod_authz_svn/mod_authz_svn.c:1036
#9 0x00000efbd47194bb in ap_run_auth_checker (r=0xefe412bb400) at /home/stsp/svn/src/httpd-2.2.32/server/request.c:78
#10 0x00000efbd4719b87 in ap_process_request_internal (r=0xefe412bb400) at /home/stsp/svn/src/httpd-2.2.32/server/request.c:198
#11 0x00000efbd478241d in ap_process_request (r=0xefe412bb400) at /home/stsp/svn/src/httpd-2.2.32/modules/http/http_request.c:296
#12 0x00000efbd477f051 in ap_process_http_connection (c=0xefde19a0200) at /home/stsp/svn/src/httpd-2.2.32/modules/http/http_core.c:190
#13 0x00000efbd4729a83 in ap_run_process_connection (c=0xefde19a0200) at /home/stsp/svn/src/httpd-2.2.32/server/connection.c:43
#14 0x00000efbd4729f2d in ap_process_connection (c=0xefde19a0200, csd=0xefde5a3b300) at /home/stsp/svn/src/httpd-2.2.32/server/connection.c:190
---Type <return> to continue, or q <return> to quit---
#15 0x00000efbd47b5d6e in child_main (child_num_arg=5) at /home/stsp/svn/src/httpd-2.2.32/server/mpm/prefork/prefork.c:667
#16 0x00000efbd47b5f4f in make_child (s=0xefe150eda00, slot=5) at /home/stsp/svn/src/httpd-2.2.32/server/mpm/prefork/prefork.c:768
#17 0x00000efbd47b61e9 in perform_idle_server_maintenance (p=0xefe150ed500) at /home/stsp/svn/src/httpd-2.2.32/server/mpm/prefork/prefork.c:903
#18 0x00000efbd47b674b in ap_mpm_run (_pconf=0xefe150ed500, plog=0xefe150ed800, s=0xefe150eda00)
    at /home/stsp/svn/src/httpd-2.2.32/server/mpm/prefork/prefork.c:1107
#19 0x00000efbd4703e23 in main (argc=5, argv=0x7f7ffffe2878) at /home/stsp/svn/src/httpd-2.2.32/server/main.c:753
(gdb)
Received on 2018-02-12 12:50:26 CET
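
Added example, not part of the original mail or of the Subversion code: a small triage helper that parses a gdb struct dump like the one in the post and reports which fields consist only of the 0xdf fill byte the post describes. The function names and the 50% threshold are assumptions made for this illustration.

```python
import re

FREE_JUNK = 0xDF  # fill byte that, per the post, marks freed memory

# Struct dump copied from the post as gdb printed it (sample input).
GDB_DUMP = """\
$3 = {pool = 0xdfdfdfdfdfdfdfdf, array = 0xdfdfdfdfdfdfdfdf, iterator = {ht = 0x0, this = 0x0, next = 0xdfdfdfdfdfdfdfdf, index = 3755991007},
  count = 3755991007, max = 3755991007, seed = 3755991007, hash_func = 0xdfdfdfdfdfdfdfdf, free = 0xdfdfdfdfdfdfdfdf}
"""

# Matches "name = 0x..." and "name = <decimal>"; nested "name = {" is skipped,
# so members of nested structs are reported under their own (flattened) names.
FIELD_RE = re.compile(r"(\w+) = (0x[0-9a-fA-F]+|\d+)")


def is_junk(value, junk=FREE_JUNK):
    """True if value, read as a 4- or 8-byte integer, is the junk byte repeated."""
    return any(value == int.from_bytes(bytes([junk]) * width, "little")
               for width in (4, 8))


def classify(dump, junk=FREE_JUNK):
    """Map each scalar field in a gdb struct dump to True when it is junk fill."""
    return {name: is_junk(int(raw, 0), junk)
            for name, raw in FIELD_RE.findall(dump)}


def looks_freed(dump, junk=FREE_JUNK, threshold=0.5):
    """Heuristic: the struct was probably freed if most fields are junk fill."""
    fields = classify(dump, junk)
    return bool(fields) and sum(fields.values()) / len(fields) >= threshold


if __name__ == "__main__":
    for name, junk in classify(GDB_DUMP).items():
        print(f"{name:10} {'junk fill' if junk else 'other'}")
    print("probably freed:", looks_freed(GDB_DUMP))
```

The decimal fields matter as much as the pointers: 3755991007 is 0xdfdfdfdf, so the 32-bit members of the hash table carry the same fill pattern.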

This is an archived mail posted to the Subversion Dev mailing list.
