Incorrect increment of inactive in rbtdb.c:maybe_free_rbtdb()
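It is possible for two threads to destroy an rbtdb at the same time. This happens when detachnode() executes and removes the last reference to a node in the window between exiting being set to true for the node and maybe_free_rbtdb() testing whether the references are zero. The backtraces below show the result: Thread 18 is inside free_rbtdb() called from detachnode(), while Thread 12 is inside free_rbtdb() called from free_rbtdb_callback() for the same rbtdb (0x827229aa0), where it fails the REQUIRE at rbtdb.c:1146 that the node lock reference count is zero and aborts the process.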
Thread 18 (Thread 80113ef00 (LWP 100776/<unknown>)):
#0 0x0000000800d5843a in _umtx_op () from /home/support/XXXXXXX/lib/libc.so.7
#1 0x0000000800c7e9dd in pthread_mutex_unlock () from /home/support/XXXXXXX/lib/libthr.so.3
#2 0x00000000006c31ba in task_ready (task=0x805272c80) at task.c:424
#3 0x00000000006c3412 in isc_task_sendto (task0=0x805272c80, eventp=0x7fffdfdfc208, c=1) at task.c:570
#4 0x00000000006c3232 in isc_task_send (task0=0x805272c80, eventp=0x7fffdfdfc208) at task.c:517
#5 0x0000000000491e72 in free_rbtdb (rbtdb=0x827229aa0, log=true, event=0x0) at rbtdb.c:1122
#6 0x000000000049760f in detachnode (db=0x827229aa0, targetp=0x7fffdfdfcaa0) at rbtdb.c:5477
#7 0x00000000004a0cdf in rdataset_disassociate (rdataset=0x82f4d2f48) at rbtdb.c:8816
#8 0x00000000005452bd in dns_rdataset_disassociate (rdataset=0x82f4d2f48) at rdataset.c:111
#9 0x0000000000441c40 in msgresetnames (msg=0x82f4c74a0, first_section=0) at message.c:465
#10 0x000000000043b95d in msgreset (msg=0x82f4c74a0, everything=false) at message.c:551
#11 0x000000000043b907 in dns_message_reset (msg=0x82f4c74a0, intent=1) at message.c:779
#12 0x000000000036a02d in ns_client_endrequest (client=0x82ecd8b60) at client.c:229
#13 0x0000000000369a2c in ns__client_reset_cb (client0=0x82ecd8b60) at client.c:1536
#14 0x00000000006a67a6 in isc_nmhandle_detach (handlep=0x7fffdfdfcc58) at netmgr.c:1261
#15 0x00000000006a7552 in isc__nm_uvreq_put (req0=0x7fffdfdfcc98, sock=0x83b1e1a00) at netmgr.c:1393
#16 0x00000000006b073f in tcpdnssend_cb (handle=0x83b98aa00, result=54, cbarg=0x83e174800) at tcpdns.c:539
#17 0x00000000006adbc9 in tcp_send_cb (req=0x82fbaf278, status=-32) at tcp.c:1024
#18 0x0000000800c3edcc in uv__stream_destroy () from /home/support/XXXXXXX/usr/local/lib/libuv.so.1
#19 0x0000000800c3e717 in uv__stream_init () from /home/support/XXXXXXX/usr/local/lib/libuv.so.1
#20 0x0000000800c341eb in uv_run () from /home/support/XXXXXXX/usr/local/lib/libuv.so.1
#21 0x00000000006a28df in nm_thread (worker0=0x8011e93a8) at netmgr.c:488
#22 0x0000000800c76736 in pthread_create () from /home/support/XXXXXXX/lib/libthr.so.3
#23 0x0000000000000000 in ?? ()
Thread 12 (Thread 801140d00 (LWP 100782/<unknown>)):
#0 0x0000000800e4f1ba in thr_kill () from /home/support/XXXXXXX/lib/libc.so.7
#1 0x0000000800e4d5e4 in raise () from /home/support/XXXXXXX/lib/libc.so.7
#2 0x0000000800dc17e9 in abort () from /home/support/XXXXXXX/lib/libc.so.7
#3 0x0000000000300f21 in assertion_failed (file=0x252469 "rbtdb.c", line=1146, type=isc_assertiontype_require, cond=0x28ef26 "isc_refcount_current(&rbtdb->node_locks[i].references) == 0") at main.c:261
#4 0x000000000067dd18 in isc_assertion_failed (file=0x252469 "rbtdb.c", line=1146, type=isc_assertiontype_require, cond=0x28ef26 "isc_refcount_current(&rbtdb->node_locks[i].references) == 0") at assertions.c:46
#5 0x000000000049207c in free_rbtdb (rbtdb=0x827229aa0, log=true, event=0x0) at rbtdb.c:1146
#6 0x00000000004b16de in free_rbtdb_callback (task=0x805272c80, event=0x836d08768) at rbtdb.c:843
#7 0x00000000006ca483 in dispatch (manager=0x801d5c780, threadid=1) at task.c:1152
#8 0x00000000006c5ed1 in run (queuep=0x801d5d7c8) at task.c:1344
#9 0x0000000800c76736 in pthread_create () from /home/support/XXXXXXX/lib/libthr.so.3
#10 0x0000000000000000 in ?? ()
Edited by Mark Andrews