Segmentation fault in lcbvb_destroy when having connection issues


#1
Hi,

We're using libcouchbase-2.4.7, and during some connection issues we received PROTOCOL_BINARY_RESPONSE_NOT_MY_VBUCKET, which eventually causes a segmentation fault in lcbvb_destroy():

Program terminated with signal 11, Segmentation fault.
#0  0x000000363b27b53c in free () from /lib64/libc.so.6
Missing separate debuginfos, use: debuginfo-install bzip2-libs-1.0.5-7.el6_0.x86_64 cyrus-sasl-lib-2.1.23-15.el6_6.2.x86_64 db4-4.7.25-19.el6_6.x86_64 elfutils-libelf-0.158-3.2.el6.x86_64 glibc-2.12-1.149.el6_6.9.x86_64 gmp-4.3.1-7.el6_2.2.x86_64 gnutls-bf-2.12.23-3.el6.x86_64 keyutils-libs-1.4-5.el6.x86_64 krb5-libs-1.10.3-37.el6_6.x86_64 libacl-2.2.49-6.el6.x86_64 libattr-2.4.44-7.el6.x86_64 libcap-2.16-5.5.el6.x86_64 libcom_err-1.41.12-21.el6.x86_64 libcurl-7.29.0-20.el6.x86_64 libgcc-4.4.7-11.el6.x86_64 libgcrypt-1.4.5-11.el6_4.x86_64 libgpg-error-1.7-4.el6.x86_64 libidn-1.18-2.el6.x86_64 libmicrohttpd-0.9.40-1.el6.x86_64 libselinux-2.0.94-5.8.el6.x86_64 libssh2-1.4.2-1.el6_6.1.x86_64 libxml2-2.7.6-17.el6_6.1.x86_64 lksctp-tools-1.0.10-7.el6.x86_64 lm_sensors-libs-3.1.1-17.el6.x86_64 lua-5.1.4-4.1.el6.x86_64 net-snmp-libs-5.5-50.el6_6.1.x86_64 nettle-2.2-1.el6.rf.x86_64 nspr-4.10.8-1.el6_6.x86_64 nss-3.19.1-3.el6_6.x86_64 nss-softokn-freebl-3.14.3-22.el6_6.x86_64 nss-util-3.19.1-1.el6_6.x86_64 openldap-2.4.39-8.el6.x86_64 openssl-1.0.1e-30.el6.11.x86_64 perl-libs-5.10.1-136.el6_6.1.x86_64 popt-1.13-7.el6.x86_64 rpm-libs-4.8.0-38.el6_6.x86_64 tcp_wrappers-libs-7.6-57.el6.x86_64 xz-libs-4.999.9-0.5.beta.20091007git.el6.x86_64 zlib-1.2.3-29.el6.x86_64
(gdb) where
#0  0x000000363b27b53c in free () from /lib64/libc.so.6
#1  0x00000031d800ce62 in lcbvb_destroy (conf=0x7ff83400e850) at /usr/src/debug/libcouchbase-2.4.7/src/vbucket/vbucket.c:669
#2  0x00000031d8023042 in lcb_clconfig_decref (info=0x7ff834097490) at /usr/src/debug/libcouchbase-2.4.7/src/bucketconfig/confmon.c:344
#3  0x00000031d80244de in lcb_cccp_update (provider=0xd4ae00, host=<value optimized out>, data=0x7ff9b35fdb50) at /usr/src/debug/libcouchbase-2.4.7/src/bucketconfig/bc_cccp.c:195
#4  0x00000031d80329eb in handle_nmv (ctx=0x7ff834014570, nb=<value optimized out>) at /usr/src/debug/libcouchbase-2.4.7/src/mcserver/mcserver.c:157
#5  try_read (ctx=0x7ff834014570, nb=<value optimized out>) at /usr/src/debug/libcouchbase-2.4.7/src/mcserver/mcserver.c:243
#6  on_read (ctx=0x7ff834014570, nb=<value optimized out>) at /usr/src/debug/libcouchbase-2.4.7/src/mcserver/mcserver.c:295
#7  0x00000031d80178e8 in invoke_read_cb (sock=<value optimized out>, which=2, arg=0x7ff834014570) at /usr/src/debug/libcouchbase-2.4.7/src/lcbio/ctx.c:273
#8  E_handler (sock=<value optimized out>, which=2, arg=0x7ff834014570) at /usr/src/debug/libcouchbase-2.4.7/src/lcbio/ctx.c:290
#9  0x00007ffa0fb15f8c in event_process_active_single_queue (base=0xd49f50, flags=1) at event.c:1350
#10 event_process_active (base=0xd49f50, flags=1) at event.c:1420
#11 event_base_loop (base=0xd49f50, flags=1) at event.c:1621

(gdb) f 1
#1  0x00000031d800ce62 in lcbvb_destroy (conf=0x7ff83400e850) at /usr/src/debug/libcouchbase-2.4.7/src/vbucket/vbucket.c:669
669	        free_service_strs(&srv->svc);
(gdb) print srv->svc
$37 = {data = 11210, mgmt = 8091, views = 8092, ixquery = 0, ixadmin = 0, n1ql = 0, views_base_ = 0x0, query_base_ = 0x400 "\207", hoststrs = {0x7ff83400ea50 "`", <incomplete sequence \352>, 0x0, 0x0, 0x0, 0x0, 0x0}}

I tried to figure out what's causing this fault ('hoststrs' and 'query_base_' don't seem right, or have already been freed), but so far without any success (I am not so familiar with this code).

Anyone seen this before?

Regards,
Marc

#2

Can you try using the latest version of the library?

Looking at the git log I can’t see anything obvious that was changed in more recent versions, but something like a double free may also be possible.
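The following is an added example, not code from either poster and not libcouchbase's own implementation. It models in C the ownership chain the backtrace walks through (a refcounted config object whose destroy routine frees each server's cached service strings, mirroring lcb_clconfig_decref -> lcbvb_destroy -> free_service_strs) and shows the two defensive habits that turn the double-free suspected in the reply above from a crash inside free() into something you can see: every freed string slot is nulled, and a reference is dropped through the owner's pointer so the owner cannot drop it twice. All type and function names (svc_strs_t, clconfig_info_t, clconfig_release, and so on) and the host strings are hypothetical stand-ins, not the real libcouchbase definitions.

```c
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NSVC 6  /* number of cached host:port strings per server (illustrative) */

/* Hypothetical stand-in for the per-server service string cache. */
typedef struct {
    char *views_base_;
    char *query_base_;
    char *hoststrs[NSVC];
} svc_strs_t;

typedef struct { svc_strs_t svc; } server_t;

typedef struct {
    int nservers;
    server_t *servers;
} vbconfig_t;

/* Hypothetical stand-in for the refcounted config wrapper. */
typedef struct {
    vbconfig_t *vbc;
    unsigned refcount;
} clconfig_info_t;

static char *xstrdup(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p) memcpy(p, s, n);
    return p;
}

/* Free every cached string and clear its slot. A second call over the same
 * struct (the double-free scenario) then sees only NULLs and frees nothing.
 * Returns how many strings were actually released. */
static int svc_strs_free(svc_strs_t *s)
{
    int n = 0;
    if (s->views_base_) { free(s->views_base_); s->views_base_ = NULL; n++; }
    if (s->query_base_) { free(s->query_base_); s->query_base_ = NULL; n++; }
    for (int i = 0; i < NSVC; i++) {
        if (s->hoststrs[i]) { free(s->hoststrs[i]); s->hoststrs[i] = NULL; n++; }
    }
    return n;
}

/* Build a config with constructed sample hosts (10.0.0.N, not real nodes). */
static vbconfig_t *vbconfig_create(int nservers)
{
    vbconfig_t *vbc = calloc(1, sizeof *vbc);
    vbc->nservers = nservers;
    vbc->servers = calloc((size_t)nservers, sizeof *vbc->servers);
    for (int i = 0; i < nservers; i++) {
        char buf[64];
        snprintf(buf, sizeof buf, "10.0.0.%d:11210", i + 1);
        vbc->servers[i].svc.hoststrs[0] = xstrdup(buf);
        snprintf(buf, sizeof buf, "http://10.0.0.%d:8092/", i + 1);
        vbc->servers[i].svc.views_base_ = xstrdup(buf);
    }
    return vbc;
}

/* Returns the number of strings released across all servers. */
static int vbconfig_destroy(vbconfig_t *vbc)
{
    int n = 0;
    if (!vbc) return 0;
    for (int i = 0; i < vbc->nservers; i++) n += svc_strs_free(&vbc->servers[i].svc);
    free(vbc->servers);
    free(vbc);
    return n;
}

static clconfig_info_t *clconfig_create(int nservers)
{
    clconfig_info_t *info = calloc(1, sizeof *info);
    info->vbc = vbconfig_create(nservers);
    info->refcount = 1;
    return info;
}

static void clconfig_incref(clconfig_info_t *info) { info->refcount++; }

/* Drop a reference through the owner's own pointer. On the last reference the
 * config is destroyed and the owner's pointer is nulled, so a repeated release
 * through that owner is a no-op rather than a use-after-free. Underflow (more
 * releases than references) aborts loudly instead of freeing twice.
 * Returns 1 if the config was destroyed on this call, 0 otherwise. */
static int clconfig_release(clconfig_info_t **owner)
{
    clconfig_info_t *info = *owner;
    if (!info) return 0;
    assert(info->refcount > 0);
    if (--info->refcount == 0) {
        vbconfig_destroy(info->vbc);
        free(info);
        *owner = NULL;
        return 1;
    }
    return 0;
}

int main(void)
{
    clconfig_info_t *current = clconfig_create(3);   /* e.g. the monitor's current config */
    clconfig_info_t *provider_cfg = current;          /* a second owner, e.g. a provider */
    clconfig_incref(provider_cfg);
    printf("provider release destroyed=%d\n", clconfig_release(&provider_cfg));
    printf("monitor release destroyed=%d\n", clconfig_release(&current));
    printf("stale second release destroyed=%d\n", clconfig_release(&current));
    return 0;
}
```

Two caveats. Nulling slots only protects the owner whose pointer was cleared; in the demo, provider_cfg still dangles after the monitor's release, which is why the reference count itself has to be right and why this pattern is a diagnostic aid, not a fix. And to find which two code paths are actually freeing the same block in the real library, rebuild it with -fsanitize=address (or run the process under valgrind --tool=memcheck): both report the invalid free at the second free() with the stacks of the allocation and of the first free, which is the information the gdb dump above cannot give once the chunk contents look like the freed-and-reused values shown for hoststrs and query_base_.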