I'm seeing the following reproducible crash on Mac OS X for x86_64 using svn 1.6.15. This crash does not happen using 1.6.12.
It seems to be the call to apr_psprintf that is not right. Here is the bt:

#0 0x00007fff82ac8160 in strlen ()
#1 0x00000001015190c7 in apr_vformatter (flush_func=0x101526840 <psprintf_flush>, vbuff=0x7fff5fbfd970, fmt=0x1015b2353 "s", ap=0x7fff5fbfda00) at strings/apr_snprintf.c:957
#2 0x0000000101526baa in apr_pvsprintf (pool=0x100933628, fmt=0x1015b2341 "%ld %lld %ld %ld %s", ap=0x7fff5fbfda00) at memory/unix/apr_pools.c:1117
#3 0x0000000101526e98 in apr_psprintf (p=0x100933628, fmt=0x1015b2341 "%ld %lld %ld %ld %s") at memory/unix/apr_pools.c:2017
#4 0x000000010159a61c in representation_string (rep=0x100938cb0, format=4, mutable_rep_truncated=1, pool=0x100933628) at subversion/libsvn_fs_fs/fs_fs.c:2228
#5 0x000000010159a859 in svn_fs_fs__write_noderev (outfile=0x100939f78, noderev=0x100938bf8, format=4, include_mergeinfo=1, pool=0x100933628) at subversion/libsvn_fs_fs/fs_fs.c:2271
#6 0x000000010159ac0e in svn_fs_fs__put_node_revision (fs=0x10092b6f8, id=0x100938d68, noderev=0x100938bf8, fresh_txn_root=1, pool=0x100933628) at subversion/libsvn_fs_fs/fs_fs.c:2337
#7 0x000000010159eecf in create_new_txn_noderev_from_rev (fs=0x10092b6f8, txn_id=0x100933b70 "1-4", src=0x100935340, pool=0x100933628) at subversion/libsvn_fs_fs/fs_fs.c:4240
#8 0x000000010159f647 in svn_fs_fs__create_txn (txn_p=0x100933708, fs=0x10092b6f8, rev=1, pool=0x100933628) at subversion/libsvn_fs_fs/fs_fs.c:4413
#9 0x00000001015a5a35 in svn_fs_fs__begin_txn (txn_p=0x100933708, fs=0x10092b6f8, rev=1, flags=2, pool=0x100933628) at subversion/libsvn_fs_fs/fs_fs.c:6960
#10 0x00000001001dadf0 in svn_fs_begin_txn2 (txn_p=0x100933708, fs=0x10092b6f8, rev=1, flags=2, pool=0x100933628) at subversion/libsvn_fs/fs-loader.c:641
#11 0x00000001007a0755 in svn_repos_fs_begin_txn_for_commit2 (txn_p=0x100933708, repos=0x1009220d8, rev=1, revprop_table=0x100933738, pool=0x100933628) at subversion/libsvn_repos/fs-wrap.c:85
#12 0x0000000100799278 in open_root (edit_baton=0x1009336a8, base_revision=-1, pool=0x100935628, root_baton=0x7fff5fbfdff8) at subversion/libsvn_repos/commit.c:183
#13 0x00000001007d6149 in svn_delta_path_driver (editor=0x100926638, edit_baton=0x1009336a8, revision=-1, paths=0x1009218b0, callback_func=0x100732cc8 <path_driver_cb_func>, callback_baton=0x100926638, pool=0x100921628) at subversion/libsvn_delta/path_driver.c:167
#14 0x000000010073357e in mkdir_urls (commit_info_p=0x7fff5fbfe310, urls=0x1009216a8, make_parents=0, revprop_table=0x0, ctx=0x10091b6a8, pool=0x100921628) at subversion/libsvn_client/add.c:821
#15 0x0000000100733753 in svn_client_mkdir3 (commit_info_p=0x7fff5fbfe310, paths=0x1009216a8, make_parents=0, revprop_table=0x0, ctx=0x10091b6a8, pool=0x100921628) at subversion/libsvn_client/add.c:886
#16 0x0000000101072d04 in pysvn_client::cmd_mkdir (this=0x10028cc70, a_ar...@0x7fff5fbfe440, a_k...@0x7fff5fbfe430) at pysvn_client_cmd_add.cpp:274
#17 0x000000010104e19f in Py::PythonExtension<pysvn_client>::method_keyword_call_handler (_self_and_name_tuple=0x1004ee368, _args=0x1004ec878, _keywords=0x0) at ExtensionOldType.hxx:321
#18 0x0000000100089187 in PyEval_EvalFrameEx ()
#19 0x00000001000892e1 in PyEval_EvalFrameEx ()
#20 0x00000001000892e1 in PyEval_EvalFrameEx ()
#21 0x00000001000892e1 in PyEval_EvalFrameEx ()
#22 0x000000010008acce in PyEval_EvalCodeEx ()
#23 0x000000010008ad61 in PyEval_EvalCode ()
#24 0x00000001000a265a in Py_CompileString ()
#25 0x00000001000a2723 in PyRun_FileExFlags ()
#26 0x00000001000a423d in PyRun_SimpleFileExFlags ()
#27 0x00000001000b0286 in Py_Main ()
#28 0x0000000100000e6c in ?? 
()
(gdb) f 4
#4 0x000000010159a61c in representation_string (rep=0x100938cb0, format=4, mutable_rep_truncated=1, pool=0x100933628) at subversion/libsvn_fs_fs/fs_fs.c:2228
2228 return apr_psprintf(pool, "%ld %" APR_OFF_T_FMT " %" SVN_FILESIZE_T_FMT
(gdb) l
2223 {
2224 if (rep->txn_id && mutable_rep_truncated)
2225 return "-1";
2226
2227 if (format < SVN_FS_FS__MIN_REP_SHARING_FORMAT || rep->sha1_checksum == NULL)
2228 return apr_psprintf(pool, "%ld %" APR_OFF_T_FMT " %" SVN_FILESIZE_T_FMT
2229 " %" SVN_FILESIZE_T_FMT " %s",
2230 rep->revision, rep->offset, rep->size,
2231 rep->expanded_size,
2232 svn_checksum_to_cstring_display(rep->md5_checksum,
(gdb) p *rep
$1 = { md5_checksum = 0x100938cf0, sha1_checksum = 0x0, revision = 1, offset = 63, size = 34, expanded_size = 34, txn_id = 0x0, uniquifier = 0x0 }
(gdb) f 2
#2 0x0000000101526baa in apr_pvsprintf (pool=0x100933628, fmt=0x1015b2341 "%ld %lld %ld %ld %s", ap=0x7fff5fbfda00) at memory/unix/apr_pools.c:1117
1117 if (apr_vformatter(psprintf_flush, &ps.vbuff, fmt, ap) == -1) {
(gdb) f 1
#1 0x00000001015190c7 in apr_vformatter (flush_func=0x101526840 <psprintf_flush>, vbuff=0x7fff5fbfd970, fmt=0x1015b2353 "s", ap=0x7fff5fbfda00) at strings/apr_snprintf.c:957
957 s_len = strlen(s);
(gdb) p s
$2 = 0x22 <Address 0x22 out of bounds>

The pointer handed to strlen is 0x22, which is 34 decimal, the value of both rep->size and rep->expanded_size in the dump above. So it seems that one of rep->size or rep->expanded_size is being used as the string address: by the time the formatter reaches the final %s of "%ld %lld %ld %ld %s", it is reading an integer argument rather than the checksum string.

Barry