Recently I had a problem with ntpd refusing to start. I figured out it was
segfaulting on startup for some strange reason. Below is some debug output
(thank you solar for providing it). We think there's a problem with the
command-line options. We're starting it as: ntpd -u ntp:ntp
This was working before a reboot on the previous kernel; however, I'm not sure
if that's related or not.
Script started on Wed Jul 28 18:04:29 2004
# gdb `which ntpd` /core
GNU gdb 6.1.1
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i686-pc-linux-gnu"...Using host libthread_db
library "/lib/libthread_db.so.1".
Core was generated by `ntpd -u ntp:ntp'.
Program terminated with signal 11, Segmentation fault.
#0 0x081042d1 in buffered_vfprintf ()
(gdb) bt full
#0 0x081042d1 in buffered_vfprintf ()
No symbol table info available.
#1 0x08100663 in vfprintf ()
No symbol table info available.
#2 0x08108237 in fprintf ()
No symbol table info available.
#3 0x0804891d in getCmdOpts (argc=3, argv=0xbfffdce4) at cmd_args.c:413
inaddrntp = {sin_family = 0, sin_port = 0, sin_addr = {s_addr = 0}, sin_zero = "\027\000\000\000\000\000\000"}
errflg = 1
c = -1
#4 0x08048bdb in getconfig (argc=3, argv=0xbfffdce4) at ntp_config.c:545
i = 0
c = 134607436
errflg = 0
istart = 0
peerversion = 136479436
minpoll = 39
maxpoll = -1073751608
ttl = 0
stratum = 6880
ul = 134608844
peerkey = 3221215672
peerkeystr = (u_char *) 0x8226898 "Di\"\bl<B9>\036\b\004"
fudgeflag = 0
peerflags = 0
hmode = 0
peeraddr = {ss_family = 8136, __ss_align = 3, __ss_padding = "\035\000\000\000\000\000\000\000\001", '\0' <repeats 11 times>, "\003\000\000\000\002\000\000\000<FF><FF><FF><FF>", '\0' <repeats 13 times>, "\b\000\000\034<B6>\036\b<E9>\032\000\000\220h\"\b\t\000\000\000<ED>\032\000\000<C0><B5>\036\b<C0><B5>\036\b<C0><B5>\036\b<E0>\032\000\000x<D9><FF><BF>0\032\021\b<C0><B5>\036\b<E0>\032\000\000\000\000\000\000-\000\000\000\024\004\002\000\230<D9><FF><BF>Q<E0>\b\b"}
maskaddr = {ss_family = 29797, __ss_align = 0, __ss_padding = '\0' <repeats 24 times>, "\002\000\000\000\002\000\000\000<C6>?<D3><EB>", '\0' <repeats 12 times>, "\002\000\000\000<FF><FF><FF>", '\0' <repeats 13 times>, "\002\000\000\000<C6>?<D3><FF>", '\0' <repeats 32 times>, "\031\000\000\000h<CA>U+\000\000\000"}
includefile = (FILE *) 0x3
includelevel = 0
line = "settimeofday=\"UNKNOWN\"\0002.0@1.1161-r Wed Jul 28 16:00:49 UTC 2004 (1)\"", '\0' <repeats 11 times>, "%s", '\0' <repeats 110 times>, "precision = 9.000 usec", '\0' <repeats 122 times>, "ntpd 4.2.0@1.1161-r Wed Jul 28 16:00:49 UTC 2004 (1)", '\0' <repeats 124 times>, "<C8>\037\000\000\034<B6>\036\b\000\000\000\000\b<B6>\036"...
tokens = {0x12 <Address 0x12 out of bounds>, 0x1c <Address 0x1c out of bounds>, 0x6 <Address 0x6 out of bounds>, 0x0, 0x63657270 <Address 0x63657270 out of bounds>, 0x6f697369 <Address 0x6f697369 out of bounds>, 0x203d206e <Address 0x203d206e out of bounds>, 0x66332e25 <Address 0x66332e25 out of bounds>, 0x49206f6e <Address 0x49206f6e out of bounds>, 0x20367650 <Address 0x20367650 out of bounds>, 0x65746e69 <Address 0x65746e69 out of bounds>, 0x63616672 <Address 0x63616672 out of bounds>, 0x66207365 <Address 0x66207365 out of bounds>, 0x646e756f <Address 0x646e756f out of bounds>, 0x811dd00 "<E8>\004\035", 0x5 <Address 0x5 out of bounds>, 0x815957b "%s", 0xbfffd458 "fday=\"UNKNOWN\"", 0xbfffd478 "Jul 28 16:00:49 UTC 2004 (1)\"", 0x808f925 "<E9><B2>"}
ntokens = 0
tok = 0
localaddr = (struct interface *) 0xbfffd510
clock_stat = {type = 20 '\024', flags = 4 '\004', haveflags = 2 '\002', lencode = 54200, p_lastcode = 0x811dd9d "\211<EC>]<C3>U\211<E5>WVS\201<EC><CC>\001", polls = 6, noresponse = 135632251, badformat = 3221214152, baddata = 3221214184, timereset = 134805797, clockdesc = 0x6 <Address 0x6 out of bounds>, fudgetime1 = -1.9895172420304721, fudgetime2 = 0, fudgeval1 = 0, fudgeval2 = 135612442, currentstatus = 0 '\0', lastevent = 0 '\0', leap = 0 '\0', kv_list = 0x0}
filegen = (FILEGEN *) 0x2d
#5 0x0805011f in ntpdmain (argc=3, argv=0xbfffdce4) at ntpd.c:812
now = {Ul_i = {Xl_ui = 3300026640, Xl_i = -994940656}, Ul_f = {Xl_uf = 733163802, Xl_f = 733163802}}
cp = 0xbffff6f9 "ntpd"
rbuflist = (struct recvbuf *) 0x3
rbuf = (struct recvbuf *) 0x80fa700
#6 0x0804fc92 in main (argc=3, argv=0xbfffdce4) at ntpd.c:239
No locals.
(gdb) info regs
Undefined info command: "regs". Try "help info".
(gdb) info registers
eax 0xbfffaca4 -1073763164
ecx 0xbfffd288 -1073753464
edx 0x8150844 135596100
ebx 0xbfffabe4 -1073763356
esp 0xbfffabc0 0xbfffabc0
ebp 0xbfffccb0 0xbfffccb0
esi 0x81975a0 135886240
edi 0xffffffff -1
eip 0x81042d1 0x81042d1
eflags 0x10246 66118
cs 0x23 35
ss 0x2b 43
ds 0x2b 43
es 0x2b 43
fs 0x2b 43
gs 0x2b 43
(gdb) x/8i $pc
0x81042d1 <buffered_vfprintf+59>: mov %esi,0xffffdfcc(%ebp)
0x81042d7 <buffered_vfprintf+65>: movl $0xffffffff,0xffffdf90(%ebp)
0x81042e1 <buffered_vfprintf+75>: mov %eax,0xffffdf48(%ebp)
0x81042e7 <buffered_vfprintf+81>: mov %eax,0xffffdf44(%ebp)
0x81042ed <buffered_vfprintf+87>: movl $0xfbad8004,0xffffdf34(%ebp)
0x81042f7 <buffered_vfprintf+97>: lea 0xfffffff4(%ebp),%eax
0x81042fa <buffered_vfprintf+100>: movl $0x0,0xffffdf7c(%ebp)
0x8104304 <buffered_vfprintf+110>: movl $0x816e540,0xffffdfc8(%ebp)
(gdb) quit
# exit
Script done on Wed Jul 28 18:05:25 2004
Here's a conversation we had with pipacs:
<pipacs> uh, how on earth did it segfault on that insn
<pipacs> is ntpd multithreaded?
<pipacs> mov %esi,0xffffdfcc(%ebp)
<pipacs> ebp points to the stack, that should be writable
<pipacs> otherwise, yes, that string looks suspiciously long/part garbage
<pipacs> but fprintf shouldn't crash on it
<pipacs> hmm, actually, it's got a \000 quite early in it
<pipacs> so it's not even too long
<pipacs> my best guess is that ntpd is multithreaded and the actual crash occurred somewhere else
Any ideas what's causing this?
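Two things in the dump above are worth checking with a few lines of code rather than by eye. First, the "out of bounds" pointers in frame #4's tokens[] array are mostly 32-bit words whose bytes are all printable ASCII; read little-endian they spell fragments of printf format strings ("precision = %.3f", "no IPv6 interfaces found"), which matches the "precision = 9.000 usec" text sitting in the line[] buffer next to it and is consistent with ntokens = 0, i.e. getconfig's locals simply have not been filled in yet when it calls getCmdOpts. Second, the faulting store at buffered_vfprintf+59 is mov %esi,0xffffdfcc(%ebp); with ebp and esp from `info registers`, the target address lands between esp and ebp, inside the live stack frame, which is what pipacs is pointing at when he says the store should be writable. The following script is an added example, not part of the original post or of ntpd; the word values, ebp, esp and displacement are copied from the gdb output above, and the helper names are my own.

```python
import struct

# Values copied from the `tokens = {...}` array in the `bt full` output
# (only the entries gdb printed as "<Address ... out of bounds>"), in order.
TOKENS_FROM_CORE = [
    0x12, 0x1c, 0x6, 0x0,
    0x63657270, 0x6f697369, 0x203d206e, 0x66332e25,
    0x49206f6e, 0x20367650, 0x65746e69, 0x63616672,
    0x66207365, 0x646e756f,
]

# Registers from `info registers` and the displacement from `x/8i $pc`.
EBP = 0xbfffccb0
ESP = 0xbfffabc0
STORE_DISP = 0xffffdfcc   # mov %esi,0xffffdfcc(%ebp)


def word_to_text(word, width=4):
    """Render one little-endian machine word as the bytes it holds.
    Returns the text if every byte is printable ASCII, otherwise None
    (so genuine pointers and small integers are skipped)."""
    raw = struct.pack("<I" if width == 4 else "<Q", word)
    if all(0x20 <= b < 0x7f for b in raw):
        return raw.decode("ascii")
    return None


def recover_strings(words, width=4):
    """Walk an array of words and join consecutive printable words into
    strings. Returns a list of (start_index, text) pairs, one per run."""
    runs, current, start = [], "", None
    for i, w in enumerate(words):
        text = word_to_text(w, width)
        if text is None:
            if current:
                runs.append((start, current))
            current, start = "", None
            continue
        if not current:
            start = i
        current += text
    if current:
        runs.append((start, current))
    return runs


def sign_extend32(value):
    """Interpret a 32-bit x86 displacement as signed (0xffffdfcc -> -0x2034)."""
    value &= 0xffffffff
    return value - (1 << 32) if value & 0x80000000 else value


def store_target(ebp, disp32):
    """Effective address of a `mov %reg, DISP(%ebp)` store."""
    return (ebp + sign_extend32(disp32)) & 0xffffffff


def within_frame(addr, esp, ebp):
    """True if addr lies in the current frame (esp <= addr <= ebp)."""
    return esp <= addr <= ebp


if __name__ == "__main__":
    for index, text in recover_strings(TOKENS_FROM_CORE):
        print(f"tokens[{index}..] holds text: {text!r}")
    target = store_target(EBP, STORE_DISP)
    print(f"faulting store writes 0x{target:08x}; "
          f"inside frame [esp, ebp]: {within_frame(target, ESP, EBP)}")
```

Run as-is it reports the recovered text "precision = %.3fno IPv6 interfaces found" starting at tokens[4], and a store target of 0xbfffac7c, which is above esp and below ebp. Neither result says what caused the SIGSEGV; they only rule out "tokens[] was corrupted" as the explanation for the odd pointers, and confirm that the faulting write really does land on stack that should be mapped, which is the part that still needs an answer.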