Presumably tied to openwrt's switch to musl libc, but I haven't rebuilt it all with uclibc again. Reported with 1.4.2 and confirmed with 1.4.3 as well.

Starting the broker as just "mosquitto -v" (no config file) and then publishing a single message from a remote client (mosquitto_sub) is sufficient to crash the broker with a bus fault.

Program received signal SIGBUS, Bus error.
0x77f78b30 in malloc_usable_size () from /home/karlp/src/openwrt-trunk-upstream/scripts/../staging_dir/target-mips_34kc_musl-1.1.10/root-ar71xx/lib/ld-musl-mips-sf.so.1
(gdb) bt
Python Exception <type 'exceptions.ImportError'> No module named gdb.frames:
#0 0x77f78b30 in malloc_usable_size () from /home/karlp/src/openwrt-trunk-upstream/scripts/../staging_dir/target-mips_34kc_musl-1.1.10/root-ar71xx/lib/ld-musl-mips-sf.so.1
#1 0x00408ca2 in _mosquitto_free (mem=0x0) at ../lib/memory_mosq.c:57
#2 0x0041007c in mqtt3_subs_clean_session (db=db@entry=0x428280 <int_db>, context=context@entry=0x77d81290) at subs.c:631
#3 0x00407208 in mqtt3_context_cleanup (db=db@entry=0x428280 <int_db>, context=0x77d81290, do_free=do_free@entry=true) at context.c:138
#4 0x00407454 in mosquitto__free_disused_contexts (db=db@entry=0x428280 <int_db>) at context.c:224
#5 0x004085ae in mosquitto_main_loop (db=db@entry=0x428280 <int_db>, listensock=listensock@entry=0x77ff2ad0, listensock_count=listensock_count@entry=2, listener_max=listener_max@entry=4) at loop.c:130
#6 0x00402f1e in main (argc=<optimized out>, argv=<optimized out>) at mosquitto.c:366
(gdb) up
#1 0x00408ca2 in _mosquitto_free (mem=0x0) at ../lib/memory_mosq.c:57
57 memcount -= malloc_usable_size(mem);
(gdb) up
#2 0x0041007c in mqtt3_subs_clean_session (db=db@entry=0x428280 <int_db>, context=context@entry=0x77d81290) at subs.c:631
631 _mosquitto_free(context->subs);
(gdb) info locals
i = 0
leaf = <optimized out>
hier = <optimized out>
(gdb) info args
db = 0x428280 <int_db>
context = 0x77d81290
(gdb) p *context
$1 = {sock = -1, protocol = mosq_p_mqtt31, address = 0x77d811d0 "192.168.255.124", id = 0x0, username = 0x0, password = 0x0, keepalive = 60, last_mid = 0,
  state = mosq_cs_disconnected, last_msg_in = 2660, last_msg_out = 2660, ping_t = 0,
  in_packet = {payload = 0x0, next = 0x0, remaining_mult = 1, remaining_length = 0, packet_length = 0, to_process = 0, pos = 0, mid = 0, command = 0 '\000', remaining_count = 0 '\000'},
  current_out_packet = 0x0, out_packet = 0x0, will = 0x0, ssl = 0x0, ssl_ctx = 0x0, tls_cafile = 0x0, tls_capath = 0x0, tls_certfile = 0x0, tls_keyfile = 0x0, tls_pw_callback = 0x0,
  tls_version = 0x0, tls_ciphers = 0x0, tls_psk = 0x0, tls_psk_identity = 0x0, tls_cert_reqs = 0, tls_insecure = false, want_write = false, want_connect = false,
  clean_session = true, is_dropping = false, is_bridge = false, bridge = 0x0, msgs = 0x0, last_msg = 0x0, msg_count = 0, msg_count12 = 0, acl_list = 0x0, listener = 0x0,
  disconnect_t = 1440421836, out_packet_last = 0x0, subs = 0x0, sub_count = 0, pollfd_index = 2, ws_context = 0x0, wsi = 0x0,
  hh_id = {tbl = 0x77d81560, prev = 0x0, next = 0x0, hh_prev = 0x0, hh_next = 0x0, key = 0x77d81540, keylen = 18, hashv = 974165546},
  hh_sock = {tbl = 0x77d811f0, prev = 0x0, next = 0x0, hh_prev = 0x0, hh_next = 0x0, key = 0x77d81290, keylen = 4, hashv = 1015908205}, for_free_next = 0x0}
(gdb)

Running again, context->subs and context->sub_count are both 0 at entry to this function. Grossly adding a check on ->subs before the _mosquitto_free call works, but I'm not sure if that's the real fix or not.
Created attachment 256079: General fix
This is also fixed in the develop branch: http://git.eclipse.org/c/mosquitto/org.eclipse.mosquitto.git/commit/?h=develop&id=3f86d316d8dd4d5949d4f67f4b8db750a3a0da99
Fixed in the fixes branch as well.
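
The crash path in the backtrace above (a memory-counting free wrapper handed a NULL `subs` pointer), reduced to an added example that is not taken from the mosquitto source or from the attached patch. The names `tracked_malloc`, `tracked_free`, `client_ctx` and `cleanup_ctx` are hypothetical; the NULL guard sits in the wrapper rather than at the call site, so every caller is covered.

```c
#include <malloc.h>   /* malloc_usable_size (glibc and musl) */
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for the broker's running byte counter. */
static unsigned long memcount = 0;

/* Allocation wrapper: account for the usable size of each block. */
void *tracked_malloc(size_t size)
{
    void *mem = malloc(size);
    if (mem) {
        memcount += malloc_usable_size(mem);
    }
    return mem;
}

/* Free wrapper. free(NULL) is a defined no-op in C, but the report
 * shows malloc_usable_size(NULL) faulting on musl 1.1.10, so return
 * before asking the allocator about a block that does not exist. */
void tracked_free(void *mem)
{
    if (!mem) {
        return;
    }
    memcount -= malloc_usable_size(mem);
    free(mem);
}

unsigned long tracked_in_use(void) { return memcount; }

/* Constructed stand-in for a client context; subs may be NULL. */
struct client_ctx { void **subs; int sub_count; };

/* Mirrors the cleanup step in frame #2: free subs unconditionally. */
unsigned long cleanup_ctx(struct client_ctx *ctx)
{
    tracked_free(ctx->subs);
    ctx->subs = NULL;
    ctx->sub_count = 0;
    return tracked_in_use();
}

int main(void)
{
    struct client_ctx empty = { NULL, 0 };  /* client that never subscribed */
    printf("bytes tracked after cleanup: %lu\n", cleanup_ctx(&empty));
    return 0;
}
```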