autobuild[sn-devel-144]: intermittent test failure detected

autobuild autobuild at samba.org
Mon Apr 3 16:09:30 UTC 2017 

The autobuild test system (on sn-devel-144) has detected an intermittent failing test in 
the current master tree.

The autobuild log of the failure is available here:

   http://git.samba.org/autobuild.flakey.sn-devel-144/2017-04-03-1809/flakey.log

The samba build logs are available here:

   http://git.samba.org/autobuild.flakey.sn-devel-144/2017-04-03-1809/samba.stderr
   http://git.samba.org/autobuild.flakey.sn-devel-144/2017-04-03-1809/samba.stdout
  
The top commit at the time of the failure was:

commit a4599b3011647c06be0d5a914bc4f72d490f6bc5
Author: Jeremy Allison <jra at samba.org>
Date:   Sat Apr 1 15:34:48 2017 +0000

    s4: server: Fix crash in NTVFS server caused by ordering of destructor calls.
    
    In the NTVFS server we have the following talloc heirarchy:
    
                                       event_ctx
                                         |
            ---------------------------------------------------- .. other children
            |                       |                      |
         msg_dgm_ref              srv_conn            msg_dgm_ref
            ^                       |
            |                    NTVFS structures
            |                       |
            |                    XXXXXX
            |                       |
            |                       |
            --------------------- pointer to msg_dgm_ref
    
    Some of the structures under NTVFS (marked XXXXX) can have
    pointers to imessaging contexts which internally have pointers
    to msg_dgm_ref structurs allocated off event_ctx.
    
    The original code calls:
    
            model_ops->terminate(event_ctx, srv_conn->lp_ctx, reason);
            talloc_free(srv_conn);
    
    But model_ops->terminate() calls talloc_free(event_ctx) and
    then calls exit(). In this case srv_conn is never explicitly
    freed, but only freed as a talloc child of the event_ctx.
    
    Depending on the ordering of the linked list of talloc children
    under event_ctx(which can be reordered via talloc_free/reinit
    of msg_dgm_ref) a pointer to msg_dgm_ref under srv_conn can
    be left pointing to memory that was already freed. This pointer
    is then used in the destructor for a file object called when
    srv_conn is freed.
    
    Re-ordering this to explicitly call TALLOC_FREE(srv_conn) first
    and then model_ops->terminate() fixes this problem.
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Ralph Böhme <slow at samba.org>
    
    Autobuild-User(master): Jeremy Allison <jra at samba.org>
    Autobuild-Date(master): Sun Apr  2 05:18:39 CEST 2017 on sn-devel-144

More information about the samba-cvs mailing list