NetBSD-Bugs archive
Re: bin/60150: named(8) crashes at startup on NetBSD/i386 11.0_RC2
> >Description:
> After upgrading my LAN DNS server machine from NetBSD/i386 10.1 to 11.0_RC2,
> named(8) crashes right after startup.
After some investigation, it turns out that the crash does not
happen immediately at startup. named(8) starts normally and reaches
"running", and then aborts as reported in the PR when it receives
a query that requires an outbound lookup to an upstream nameserver:
> ---
> assertion "!is_removal_owner(node)" failed: file "/usr/src/external/lgpl2/userspace-rcu/lib/liburcu-cds/../../dist/src/rculfhash.c", line 1097, function "_cds_lfht_add"
> Abort (core dumped)
> ---
The likely cause seems to be misalignment of dns_dispentry_t allocated
by isc_mem_get() in src/external/mpl/bind/dist/lib/dns/dispatch.c:
https://github.com/NetBSD/src/blob/netbsd-11/external/mpl/bind/dist/lib/dns/dispatch.c#L1453
>> dns_dispentry_t *resp = isc_mem_get(disp->mctx, sizeof(*resp));
On NetBSD/i386, the returned address is not 8-byte aligned,
per the following printf output:
---
Index: dist/lib/dns/dispatch.c
===================================================================
RCS file: /cvsroot/src/external/mpl/bind/dist/lib/dns/dispatch.c,v
retrieving revision 1.13
diff -u -p -d -r1.13 dispatch.c
--- dist/lib/dns/dispatch.c 17 Jul 2025 19:01:45 -0000 1.13
+++ dist/lib/dns/dispatch.c 3 Apr 2026 20:13:47 -0000
@@ -16,6 +16,7 @@
/*! \file */
#include <inttypes.h>
+#include <stddef.h>
#include <stdbool.h>
#include <stdlib.h>
#include <sys/types.h>
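Review bot: the added `#include <stddef.h>` is placed ahead of `<stdbool.h>`, out of the alphabetical order the neighbouring includes follow, and it is only needed for the `offsetof()` in the debug output added in the next hunk. Drop it together with that instrumentation, or move it after `<stdbool.h>` if `offsetof()` stays.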
@@ -1451,6 +1452,18 @@ dns_dispatch_add(dns_dispatch_t *disp, i
in_port_t localport = isc_sockaddr_getport(&disp->local);
dns_dispentry_t *resp = isc_mem_get(disp->mctx, sizeof(*resp));
+ fprintf(stderr,
+ "dispatch.c: dispentry layout "
+ "alignof(node)=%zu alignof(resp)=%zu "
+ "offsetof(ht_node)=%zu sizeof(resp)=%zu "
+ "resp_mod8=%lu ht_node_mod8=%lu\n",
+ (size_t)_Alignof(struct cds_lfht_node),
+ (size_t)_Alignof(struct dns_dispentry),
+ offsetof(struct dns_dispentry, ht_node),
+ sizeof(*resp),
+ (unsigned long)((uintptr_t)resp & 7),
+ (unsigned long)((uintptr_t)&resp->ht_node & 7));
+
*resp = (dns_dispentry_t){
.timeout = timeout,
.port = localport,
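Review bot: the `fprintf(stderr, ...)` added right after `isc_mem_get()` runs unconditionally on every `dns_dispatch_add()` call, so it is suitable for diagnosis only and should not be committed as is. If the check is worth keeping, an assertion such as `INSIST(((uintptr_t)&resp->ht_node & (_Alignof(struct cds_lfht_node) - 1)) == 0);` would catch a misaligned entry at the allocation site instead of later inside liburcu.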
---
:
4-Apr-2026 05:11:55.200 running
dispatch.c: dispentry layout alignof(node)=8 alignof(resp)=8 offsetof(ht_node)=184 sizeof(resp)=200 resp_mod8=4 ht_node_mod8=4
assertion "!is_removal_owner(node)" failed: file "/s/netbsd-11/src/external/lgpl2/userspace-rcu/lib/liburcu-cds/../../dist/src/rculfhash.c", line 1097, function "_cds_lfht_add"
Abort (core dumped)
#
---
`dns_dispentry_t` contains `struct cds_lfht_node ht_node`, and
this node seems to (implicitly?) need 8-byte alignment
per liburcu requirements. If it is not properly aligned,
liburcu triggers an assertion in _cds_lfht_add() as noted above.
The misalignment appears to come from the non-"HAVE_JEMALLOC" path
in external/mpl/bind/dist/lib/isc/jemalloc_shim.h:
https://github.com/NetBSD/src/blob/netbsd-11/external/mpl/bind/dist/lib/isc/jemalloc_shim.h#L33-L54
---
typedef union {
	size_t size;
	max_align_t __alignment;
} size_info;

static inline void *
mallocx(size_t size, int flags) {
	void *ptr = NULL;
	size_t bytes = ISC_CHECKED_ADD(size, sizeof(size_info));
	size_info *si = malloc(bytes);
	INSIST(si != NULL);
	si->size = size;
	ptr = &si[1];
	if ((flags & MALLOCX_ZERO) != 0) {
		memset(ptr, 0, size);
	}
	return ptr;
}
---
On NetBSD/i386, sizeof(max_align_t) is 12 bytes so
sizeof(union size_info) is also 12 bytes.
The returned address of mallocx() calculated by `ptr = &si[1];`
is not 8-byte aligned.
Actually the following ugly patch fixes the assertion of _cds_lfht_add()
in liburcu:
---
Index: dist/lib/isc/jemalloc_shim.h
===================================================================
RCS file: /cvsroot/src/external/mpl/bind/dist/lib/isc/jemalloc_shim.h,v
retrieving revision 1.4
diff -u -p -d -r1.4 jemalloc_shim.h
--- dist/lib/isc/jemalloc_shim.h 26 Jan 2025 16:25:37 -0000 1.4
+++ dist/lib/isc/jemalloc_shim.h 3 Apr 2026 20:13:47 -0000
@@ -30,9 +30,17 @@ const char *malloc_conf = NULL;
#include <stdlib.h>
+#ifndef ALIGNMENT
+#define ALIGNMENT 8U
+#endif
+#ifndef roundup2
+#define roundup2(x,m) ((((x) - 1) | ((m) - 1)) + 1)
+#endif
+
typedef union {
size_t size;
max_align_t __alignment;
+ uint8_t __roundup[roundup2(sizeof(max_align_t), ALIGNMENT)];
} size_info;
static inline void *
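Review bot: `ALIGNMENT` is hard-coded to `8U` under a generic, `#ifndef`-guarded name, so an unrelated `ALIGNMENT` defined earlier would silently change the header size. A shim-specific macro name plus a `_Static_assert` that `sizeof(size_info)` is a multiple of it would make the intent checkable at compile time. The new `__roundup` member also uses `uint8_t` while the only include visible in this context is `<stdlib.h>`, so confirm `<stdint.h>` is pulled in.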
---
:
04-Apr-2026 05:13:13.869 running
dispatch.c: dispentry layout alignof(node)=8 alignof(resp)=8 offsetof(ht_node)=184 sizeof(resp)=200 resp_mod8=0 ht_node_mod8=0
dispatch.c: dispentry layout alignof(node)=8 alignof(resp)=8 offsetof(ht_node)=184 sizeof(resp)=200 resp_mod8=0 ht_node_mod8=0
dispatch.c: dispentry layout alignof(node)=8 alignof(resp)=8 offsetof(ht_node)=184 sizeof(resp)=200 resp_mod8=0 ht_node_mod8=0
---
Izumi Tsutsui
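
The effect described in the message above can be reproduced on any platform with a small model. This is an added example, not part of the original message or of the BIND/NetBSD sources; the header unions, `shim_alloc()` and `payload_misalignment()` are hypothetical names, and the base allocation is assumed to be 16-byte aligned.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define REQUIRED_ALIGN 8U /* alignof(node) reported on the page */
#define ROUNDUP2(x, m) ((((x) - 1) | ((m) - 1)) + 1) /* m: power of two */

/* Constructed stand-in for the i386 size_info: 12 bytes, as on the page. */
typedef union { uint32_t size; uint8_t pad[12]; } hdr_unpadded;
/* Same header with its size rounded up to a multiple of REQUIRED_ALIGN. */
typedef union { uint32_t size; uint8_t pad[ROUNDUP2(12U, REQUIRED_ALIGN)]; } hdr_padded;

_Static_assert(sizeof(hdr_unpadded) == 12, "models the 12-byte header");
_Static_assert(sizeof(hdr_padded) % REQUIRED_ALIGN == 0,
               "header size must preserve payload alignment");

/* Header-prefixed allocation: the size is stored at the start of the block
 * and the caller gets the address hdr_size bytes in, like `ptr = &si[1]`. */
static void *shim_alloc(size_t size, size_t hdr_size, void **base_out) {
    size_t bytes = ROUNDUP2(size + hdr_size, (size_t)16);
    uint8_t *base = aligned_alloc(16, bytes); /* assumption: aligned base */
    if (base == NULL)
        return NULL;
    uint32_t stored = (uint32_t)size;
    memcpy(base, &stored, sizeof(stored));
    *base_out = base;
    return base + hdr_size;
}

/* Payload address modulo REQUIRED_ALIGN for a header size, or -1 on failure. */
static int payload_misalignment(size_t hdr_size) {
    void *base = NULL;
    void *p = shim_alloc(200, hdr_size, &base); /* 200 = sizeof(resp) on the page */
    if (p == NULL)
        return -1;
    int mod = (int)((uintptr_t)p & (REQUIRED_ALIGN - 1));
    free(base);
    return mod;
}

int main(void) {
    printf("12-byte header: payload mod 8 = %d\n",
           payload_misalignment(sizeof(hdr_unpadded)));
    printf("padded header:  payload mod 8 = %d\n",
           payload_misalignment(sizeof(hdr_padded)));
    return 0;
}
```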