Hi folks,
Here's a report filed in the Debian bug tracking system.
On Wed, Jan 22, 2003 at 05:06:58PM +0100, Paul Slootman wrote:
> Package: trn4
> Version: 4.0-test76-3
> Severity: normal
> Tags: patch
>
> trn was sitting in the newsgroup selector for some time, after I had
> quit a newsgroup. When I hit enter to enter the newsgroup again, the
> server had apparently timed out, and trn crashed.
>
> (gdb) bt
> #0 0x400c6911 in kill () from /lib/libc.so.6
> #1 0x400c6732 in raise () from /lib/libc.so.6
> #2 0x400c7846 in abort () from /lib/libc.so.6
> #3 0x08055976 in sig_catcher (signo=11) at final.c:231
> #4 0x400c6898 in sigaction () from /lib/libc.so.6
> #5 0x0806d4d7 in thread_close () at rthread.c:167
> #6 0x0805055c in close_cache () at cache.c:136
> #7 0x080686c6 in unuse_multirc (mptr=<incomplete type>) at rcstuff.c:204
> #8 0x080557de in finalize (status=-11) at final.c:123
> #9 0x08055a20 in sig_catcher (signo=11) at final.c:268
> #10 0x400c6898 in sigaction () from /lib/libc.so.6
> #11 0x0806d4d7 in thread_close () at rthread.c:167
> #12 0x0805055c in close_cache () at cache.c:136
> #13 0x080686c6 in unuse_multirc (mptr=<incomplete type>) at rcstuff.c:204
> #14 0x08088b42 in nntp_server_died (dp=0x80ca338) at nntp.c:572
> #15 0x08075b40 in sel_dogroups () at rt-select.c:289
> #16 0x08075f95 in newsgroup_selector () at rt-select.c:419
> #17 0x080821b1 in do_multirc () at trn.c:183
> #18 0x08075d0a in multirc_selector () at rt-select.c:344
> #19 0x08082097 in main (argc=7, argv=0xbffff7e4) at trn.c:126
> (gdb) p datasrc
> $1 = (DATASRC *) 0x0
>
>
> nntp_server_died() calls close_datasrc(dp)
> close_datasrc() sets datasrc to NULL if datasrc == dp
> nntp_server_died() then calls unuse_multirc(mp)
> unuse_multirc() (eventually) calls close_cache()
> close_cache() calls thread_close()
> thread_close() calls ov_close()
> ov_close() uses datasrc as a pointer. Remember that datasrc was
> set to NULL in close_datasrc() earlier! Hence the SIGSEGV
>
> Simple solution is to check datasrc in ov_close() whether it's valid.
> Of course, perhaps the setting to NULL in close_datasrc() is what's
> wrong; AFAICS this at least will prevent the SEGV.
Thanks for the careful analysis and the patch. Figuring out whether
close_datasrc() is wrong here is beyond me, but perhaps somebody on
trn-workers will know.
> diff -ru trn4-4.0-test76/rt-ov.c trn4-4.0-test76.mine/rt-ov.c
> --- trn4-4.0-test76/rt-ov.c 2000-05-28 22:43:37.000000000 +0200
> +++ trn4-4.0-test76.mine/rt-ov.c 2003-01-22 16:32:37.000000000 +0100
> @@ -483,6 +483,8 @@
> void
> ov_close()
> {
> + if (!datasrc)
> + return;
> if (datasrc->ov_opened) {
> if (datasrc->ov_in) {
> (void) fclose(datasrc->ov_in);
This makes sense to me, so I've applied it to the Debian package. Well,
actually, I preferred this:
--- trn4-4.0-test76.orig/rt-ov.c
+++ trn4-4.0-test76/rt-ov.c
@@ -483,7 +483,7 @@
void
ov_close()
{
- if (datasrc->ov_opened) {
+ if (datasrc && datasrc->ov_opened) {
if (datasrc->ov_in) {
(void) fclose(datasrc->ov_in);
datasrc->ov_in = NULL;
... not that it's very important either way.
Cheers,
--
Colin Watson [cjwatson@flatline.org.uk]
-------------------------------------------------------
This SF.NET email is sponsored by:
SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
http://www.vasoftware.com
