[augeas-devel] libguestfs crash in libaugeas

David Lutterkort lutter at redhat.com
Tue Aug 3 18:11:57 UTC 2010


On Tue, 2010-08-03 at 11:54 +0100, Matthew Booth wrote:
> We're having a problem with libguestfs's daemon crashing during v2v. The 
> crash is in libaugeas. We unfortunately don't have a small reproducer, 
> but we have finally managed to get a core dump. The stack trace looks 
> like this:
> 
> #0  0x00007fb490f3763b in pathx_symtab_remove_descendants (
>      symtab=<value optimized out>, tree=0x5941900) at pathx.c:2569
> #1  0x00007fb490f3580b in tree_rm (p=0x8177da0) at augeas.c:890
> #2  0x00007fb490f363e5 in aug_rm (aug=0x57b5e20, path=<value optimized out>)
>      at augeas.c:911
> #3  0x00007fb490f36b08 in aug_save (aug=0x57b5e20) at augeas.c:1192
> #4  0x0000000000403992 in do_aug_save () at augeas.c:332
> #5  0x000000000042194f in aug_save_stub (xdr_in=<value optimized out>)
>      at stubs.c:623
> 
> Interesting local variables:
> 
> (gdb) print t
> $4 = (struct tree *) 0xc1
> (gdb) print *tree
> $5 = {next = 0x0, parent = 0x66a5130, label = 0x64f55a0 "saved",
>    children = 0x0, value = 0x6a32290 "/files/boot/grub/menu.lst", dirty = 0}
> 
> This is augeas-libs-0.7.2-3.fc13.x86_64.

Looks like memory is getting corrupted before things blow up here. More
specifically, the nodeset for a variable has been corrupted. What's in
tab->name? (That's the name of the variable.)

> There are many circumstances in which this conversion works. For 
> example, if I run the conversion again against the partially converted 
> guest it will succeed. This leads me to believe that the problem is 
> unlikely to be local to the crash.
> 
> Any ideas? I can provide the crashed daemon and core dump for inspection 
> if required. I'm also more than happy to test augeas patches.

The following would be really useful in putting together a reproducer
with augtool, not sure how realistic getting that is:

      * A list of the augeas commands that have been executed since the
        last call to aug_init up to the point of the crash
      * A tarball of /etc of the image that causes the crash
      * A list of the defined variables if we can't get a list of
        commands - you can get them with 'aug_print(aug,
        "/augeas/variables")' just before the aug_save call that blows
        up.

David




