You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I unfortunately can't share the test case since it uses thousands of lines of proprietary code, but it does roughly this:
use DBI;
use DBD::Pg ':async';
use Time::HiRes;
submayhem {
my$dbh = DBI->connect("dbi:Pg:", '', '', {pg_enable_utf8=> 1, PrintError=> 0, RaiseError=> 1, pg_server_prepare=> 0});
my$sth = $dbh->prepare(q{SELECT CASE WHEN pg_sleep(random() * 0.25) IS NOT NULL THEN random()::text::uuid END}, {pg_async=> PG_ASYNC});
$dbh->{InactiveDestroy} = 1;
$sth->execute();
for (my$i = 0; ; ++$i) {
if ($sth->pg_ready) {
last;
}
if ($i >= 100) {
printSTDERR"wait timeout\n";
$sth->cancel();
exit(1);
}
Time::HiRes::sleep(0.05);
}
eval {
$sth->pg_result();
};
}
mayhem();
which sometimes crashes with a backtrace like this:
(gdb) bt
#0 0x00007ffff61c40fb in PQclear () from /usr/lib/x86_64-linux-gnu/libpq.so.5
#1 0x00007ffff64107f8 in pg_db_destroy (dbh=0x1d1bc40, imp_dbh=0x1d22570) at dbdimp.c:688
#2 0x00007ffff6407b54 in XS_DBD__Pg__db_DESTROY (my_perl=0x603010, cv=<optimized out>) at ./Pg.xsi:390
#3 0x00007ffff664a656 in XS_DBI_dispatch (my_perl=<optimized out>, cv=0x8c0268) at DBI.xs:3797
#4 0x00007ffff7b0ad26 in Perl_pp_entersub () from /usr/lib/libperl.so.5.18
#5 0x00007ffff7a94846 in Perl_call_sv () from /usr/lib/libperl.so.5.18
#6 0x00007ffff7b13d71 in ?? () from /usr/lib/libperl.so.5.18
#7 0x00007ffff7b14500 in Perl_sv_clear () from /usr/lib/libperl.so.5.18
#8 0x00007ffff7b14b8d in Perl_sv_free2 () from /usr/lib/libperl.so.5.18
#9 0x00007ffff7aecf48 in ?? () from /usr/lib/libperl.so.5.18
#10 0x00007ffff7aed731 in Perl_mg_free () from /usr/lib/libperl.so.5.18
#11 0x00007ffff7b1479b in Perl_sv_clear () from /usr/lib/libperl.so.5.18
#12 0x00007ffff7b14b8d in Perl_sv_free2 () from /usr/lib/libperl.so.5.18
#13 0x00007ffff7ac2938 in Perl_cv_undef () from /usr/lib/libperl.so.5.18
#14 0x00007ffff7b1473c in Perl_sv_clear () from /usr/lib/libperl.so.5.18
#15 0x00007ffff7b14b8d in Perl_sv_free2 () from /usr/lib/libperl.so.5.18
#16 0x00007ffff7b36698 in Perl_free_tmps () from /usr/lib/libperl.so.5.18
#17 0x00007ffff7b03a35 in Perl_pp_nextstate () from /usr/lib/libperl.so.5.18
#18 0x00007ffff7b03346 in Perl_runops_standard () from /usr/lib/libperl.so.5.18
#19 0x00007ffff7a9bb24 in perl_run () from /usr/lib/libperl.so.5.18
#20 0x0000000000400dd9 in main ()
If I reset InactiveDestroy back to 0 before exiting the subroutine, the problem goes away.
My hypothesis is that the culprit is this code in dbd_st_destroy:
/* If the InactiveDestroy flag has been set, we go no further */if (DBIc_IADESTROY(imp_dbh)) {
if (TRACE4_slow) {
TRC(DBILOGFP, "%sskipping sth destroy due to InactiveDestroy\n", THEADER_slow);
}
fprintf(stderr, "%x\n", imp_sth);
DBIc_IMPSET_off(imp_sth); /* let DBI know we've done it */if (TEND_slow) TRC(DBILOGFP, "%sEnd dbd_st_destroy (InactiveDestroy set)\n", THEADER_slow);
return;
}
which DBIc_IMPSET_off()s the imp_sth still assigned to imp_dbh->async_sth. Later on, when dbd_db_destroy is called, its imp_dbh->async_sth points to freed memory containing garbage and the PQclear() call crashes. My digging around with gdb supports this hypothesis: imp_dbh->async_sth still has a pointer to the same location that previously held a valid sth, but *imp_dbh->async_sth is just garbage.
I've verified this against the master branches of both DBI and DBD::Pg, but this problem seems to have existed for a long time.
The text was updated successfully, but these errors were encountered:
Hi,
I unfortunately can't share the test case since it uses thousands of lines of proprietary code, but it does roughly this:
which sometimes crashes with a backtrace like this:
If I reset InactiveDestroy back to 0 before exiting the subroutine, the problem goes away.
My hypothesis is that the culprit is this code in dbd_st_destroy:
which DBIc_IMPSET_off()s the imp_sth still assigned to imp_dbh->async_sth. Later on, when dbd_db_destroy is called, its imp_dbh->async_sth points to freed memory containing garbage and the PQclear() call crashes. My digging around with gdb supports this hypothesis: imp_dbh->async_sth still has a pointer to the same location that previously held a valid sth, but *imp_dbh->async_sth is just garbage.
I've verified this against the master branches of both DBI and DBD::Pg, but this problem seems to have existed for a long time.
The text was updated successfully, but these errors were encountered: