MAJOR: segfault or memory corruption by LMDB on close/shutdown #48
Comments
Note that mdb_env_close() already calls pthread_key_delete() which destroys any remaining usage of the thread-specific key. Do you have a test case which shows this crash? There is no such problem in recent versions of glibc. |
pthread_key_delete() don't performs any cleanup in registered threads, for instance see http://linux.die.net/man/3/pthread_key_delete I have a coredump from Ubuntu 1404 LTS (glibc 2.19):
No more threads. |
You have some other bug in your environment then. Notice pthread_key_delete http://www.eglibc.org/cgi-bin/viewvc.cgi/branches/eglibc-2_19/libc/nptl/pthread_key_delete.c?revision=25243&view=markup invalidates the tsd by changing the sequence number on the key. nptl_deallocate_tsd only calls the destructor if the sequence number is identical to its original value, which it cannot be after pthread_key_delete() was called. |
Yes, you are right. This coredump from slapd (brach 2.4) while running test058-syncrepl-asymmetric. |
Hm, I got another coredump from 2.5-branch. The same segfault on slapd shutdown at end of test058-syncrepl-asymmetric. |
I found the bug, nevertheless in LMDB core. It is just a race-condition between:
|
This still implies some other problem, since slapd_daemon() waits for all threads to exit before returning, and backends aren't shut down until after that. I.e., there should not be any other live threads by the time mdb_env_close() is called. |
The root of problem is in wrong usage of pthread_key_create() and pthread_key_delete() inside LMDB.
Therefore any thread, which previously has read from this database and yet not terminated, will make a segfault inside mdb_env_reader_dest() or will corrupt content of memory.
The text was updated successfully, but these errors were encountered: