segfault at 000000000311c000 rip 000000000040fb46 rsp 0000007fbffff830 error 4

Peter Van Epp vanepp at sfu.ca
Wed May 6 23:11:01 EDT 2009 

On Wed, May 06, 2009 at 04:55:45PM +0200, Gunnar Lindberg wrote:
> I'm afraid I have bad news.
> 
> We have yet to incorporate Peter's suggestions, for right now we
> create one file for each of the hosts (merge in/out into green*
> and red*). We then copy them to a third host. Both files are required
> to create the complete argus file and if one is missing we just go
> on with life and go for the next shot.
> 
> I now find
>     -rw-r--r--  1 root root 71643920 May  6 09:25 red.ra-090506-09.25
> which indicate we got no
>     green.ra-090506-09.25
> 
> My 0.01c is it's because of
>     argc# grep protection messages
>     May  6 09:17:44 argc kernel: argus[24678] general protection rip:3fabc696bd rsp:7fbfffe930 error:0
> 
> I've now added to /etc/rc.d/init.d/argus
> 
>   + DAEMON_COREFILE_LIMIT=unlimited
>   + ulimit -c unlimited
>     daemon $ARGUS $ARGUSARGS
> 
> Hopefully we'll get a core crash file next time.
> 
> 	Gunnar Lindberg
> 
> >From Gunnar.Lindberg at chalmers.se  Mon May  4 15:31:28 2009
> >Date: Mon, 4 May 2009 15:31:19 +0200 (MEST)
> >Message-Id: <200905041331.n44DVJOH022155 at grunert.cdg.chalmers.se>
> >From: Gunnar Lindberg <Gunnar.Lindberg at chalmers.se>
> >To: carter at qosient.com, vanepp at sfu.ca
> >Subject: Re: [ARGUS] segfault at 000000000311c000 rip 000000000040fb46 rsp 0000007fbffff830 error 4
> >Cc: argus-info at lists.andrew.cmu.edu
> >In-Reply-To: <30E58A49-6C71-4702-B130-832678EE353E at qosient.com>
> 
> >Carter & Peter,
> 
> >Many thanks for prompt responses. We now have argus-3.0.1.beta.3
> >in the air and so far everthing is fine - hopefully it will stay
> >that way :-).
> 
> >As for 1-6) I'll admit we need to go through them a few times more
> >and see which of them we can make use of. Useful stuff, although
> >we may be stopped by things like "local purchase policy".
> 
> >	Gunnar
> 

	Well you don't appear to be alone for what thats worth :-). SFU (my
former employer) is reporting segfaults after upgrading to the latest beta
on a system with a sensor machine writing to a socket to another machine where
ra is reading and storing to disk. I don't yet know which is segfaulting argus
or ra but they too are hoping for a dump. I've been running the 3.0.2.beta.1
argus (before any of the time fixes Carter made I think) on a FreeBSD box 
connected to my adsl line at home and haven't seen any problems. I'm working
on putting a second machine beside the current one to run a sensor writing to
a socket to ra on another machine to see if I can reproduce the seg faults (it
may need more traffic than I have in which case I may be in to tcpreplay :-)). 
	I may also switch from FreeBSD to a linux (probably SUSE) and see if
that changes anything. As noted earlier it is worthwhile to delete the 

#undef ARGUS_SYSLOG

at line 1757 of common/argus_util.c in the argus-3.0.1.beta.3 (and earlier)
source and rebuild. The server will then syslog various events and errors to
the daemon syslog facility (which needs to be enabled in FreeBSD 7.1 in syslog).
That may help too. 
	Is anyone still seeing the "time stamp way out of range" messages that
have been reported by a couple of people? From the timestamp values I think 
variable overwriting in argus is more likely than a system clock error but I'd
like to be able to recreate it here to poke at it.

Peter Van Epp

More information about the argus mailing list