Bug #1474
Core dump in svccfg (Closed)
100%
Description
Hi,
When I type:
svccfg
select ssh
describe -t start
Segmentation Fault (core dumped)
==> core dump generated each time.
Updated by sham pavman about 12 years ago
- % Done changed from 0 to 70
Testing the fix.. Should be sent for review shortly.
Shampavman
Updated by Albert Lee about 12 years ago
- Category set to cmd - userland programs
Updated by sham pavman about 12 years ago
- % Done changed from 70 to 100
The fix is sent for RTI,
Below is a description of the findings.
PROBLEM::
The issue here is this,
1.) pt_svc = pt_orig_svc
2.) We free pt_svc and set it to NULL. (Forgot pt_orig_svc)
3.) The addr gets freed and at a later stage via malloc() pt_snap points to that addr.
4.) At the end we destroy pt_snap first and then pt_orig_svc
(http://src.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/lib/libscf/common/scf_tmpl.c#scf_tmpl_pg_destroy)
And thus dump core.
Stopping in scf_tmpl_pg_destroy via the listtmpl() would end up having
something like this..
(dbx) next
t@1 (l@1) stopped in scf_tmpl_pg_destroy at line 2528 in file "scf_tmpl.c"
2528 scf_service_destroy(svc);
(dbx) print *t
*t = {
pt_populated = 1
pt_h = 0x80dbac8
pt_pg = 0x80d5da8
pt_orig_svc = 0x80d5e08 <-- (1)
pt_svc = (nil)
pt_orig_inst = (nil)
pt_inst = 0x80d5dc8
pt_snap = 0x80d5e08 <---(1)
pt_is_iter = 1
pt_iter = (nil)
pt_iter_last = 3
}
(dbx)
Thanks
Shampavman
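The four steps in the comment above, as an added example that is not part of the original thread and is not libscf code: a small C model in which a fixed pool stands in for malloc()/free(), so the address reuse is deterministic and the second destroy is counted instead of crashing. Only pt_orig_svc, pt_svc and pt_snap come from the report; handle_t, the pool, handle_create, handle_destroy, release_buggy, release_fixed and run_scenario are hypothetical names, and release_fixed is an assumed remedy, not the change that was integrated.

```c
#include <stddef.h>
#include <stdio.h>
/* Constructed model: a 4-slot pool replaces malloc()/free() so that address
 * reuse is deterministic and a destroy of a dead handle is counted, not UB. */
typedef struct { int live; } handle_t;
static handle_t pool[4];
static int stale_destroys;

static handle_t *handle_create(void) {
    for (size_t i = 0; i < 4; i++)           /* first free slot, like a reused chunk */
        if (!pool[i].live) { pool[i].live = 1; return &pool[i]; }
    return NULL;
}
static void handle_destroy(handle_t *h) {
    if (h == NULL) return;
    if (!h->live) { stale_destroys++; return; }  /* a double free in real code */
    h->live = 0;
}

/* Only the three fields named in the report. */
typedef struct { handle_t *pt_orig_svc, *pt_svc, *pt_snap; } tmpl_t;

/* Steps 1-2 as reported: pt_svc is cleared, the alias pt_orig_svc dangles. */
static void release_buggy(tmpl_t *t) {
    handle_destroy(t->pt_svc);
    t->pt_svc = NULL;
}
/* Assumed remedy: clear every alias of the handle being freed. */
static void release_fixed(tmpl_t *t) {
    if (t->pt_orig_svc == t->pt_svc) t->pt_orig_svc = NULL;
    handle_destroy(t->pt_svc);
    t->pt_svc = NULL;
}

/* Returns how many times teardown destroyed an already-dead handle. */
static int run_scenario(void (*release)(tmpl_t *)) {
    tmpl_t t = { NULL, NULL, NULL };
    stale_destroys = 0;
    t.pt_orig_svc = handle_create();
    t.pt_svc = t.pt_orig_svc;        /* step 1: two names, one handle */
    release(&t);                     /* step 2 */
    t.pt_snap = handle_create();     /* step 3: same address handed out again */
    handle_destroy(t.pt_snap);       /* step 4: pt_snap first ... */
    handle_destroy(t.pt_orig_svc);   /* ... then pt_orig_svc */
    return stale_destroys;
}

int main(void) {
    printf("buggy=%d fixed=%d\n", run_scenario(release_buggy), run_scenario(release_fixed));
    return 0;
}
```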
Updated by Milan Jurik over 11 years ago
- Status changed from New to Closed
- Tags deleted (needs-triage)
This stalled and now it is fixed as https://www.illumos.org/issues/1991