View Issue Details

ID: 0003628
Project: GNUnet
Category: util library
View Status: public
Last Update: 2018-06-07 00:25
Reporter: Bart Polot
Assigned To: ch3
Priority: normal
Severity: crash
Reproducibility: sometimes
Status: closed
Resolution: fixed
Product Version: Git master
Target Version: 0.11.0pre66
Fixed in Version: 0.11.0pre66
Summary: 0003628: MQ_send calls GNUNET_CLIENT_notify_transmit_ready twice due to corrupted memory
Description: state->connection in connection_client_send_impl seems to be freed
Steps To Reproduce: run test_rps_multipeer
Additional Information:
Program terminated with signal SIGABRT, Aborted.
#0 0x00007fd6d34d4a97 in raise () from /usr/lib/libc.so.6
(gdb) bt
#0 0x00007fd6d34d4a97 in raise () from /usr/lib/libc.so.6
#1 0x00007fd6d34d5e6a in abort () from /usr/lib/libc.so.6
#2 0x00007fd6d5607b4e in GNUNET_abort () at common_logging.c:289
#3 0x00007fd6d5604cc2 in GNUNET_CLIENT_notify_transmit_ready (client=0x1433f00, size=16, timeout=..., auto_retry=0,
    notify=0x7fd6d56324e2 <connection_client_transmit_queued>, notify_cls=0x1413100) at client.c:1211
#4 0x00007fd6d56328de in connection_client_send_impl (mq=0x1413100, msg=0x13f0330, impl_state=0x1433fa0) at mq.c:655
#5 0x00007fd6d5631823 in GNUNET_MQ_send (mq=0x1413100, ev=0x13f0300) at mq.c:290
#6 0x00007fd6d586cfb1 in GNUNET_RPS_seed_ids (h=0x13e1920, n=0, ids=0x6024c0 <rps_peer_ids>) at rps_api.c:272
#7 0x00000000004011b5 in seed_peers (cls=0x602480 <rps_peers+64>, tc=0x7fff6affab00) at test_rps_multipeer.c:146
#8 0x00007fd6d564153e in run_ready (rs=0x139a780, ws=0x139a810) at scheduler.c:587
#9 0x00007fd6d5641dc2 in GNUNET_SCHEDULER_run (task=0x7fd6d563bce4 <program_main>, task_cls=0x7fff6affad90)
    at scheduler.c:816
#10 0x00007fd6d563c866 in GNUNET_PROGRAM_run2 (argc=3, argv=0x7fff6affaf30, binaryName=0x40189d "test-rps-multipeer",
    binaryHelp=0x7fd6d53eabc9 "nohelp", options=0x7fff6affaef0, task=0x7fd6d53e2280 <run>, task_cls=0x1399740,
    run_without_scheduler=0) at program.c:286
#11 0x00007fd6d563c9bd in GNUNET_PROGRAM_run (argc=3, argv=0x7fff6affaf30, binaryName=0x40189d "test-rps-multipeer",
    binaryHelp=0x7fd6d53eabc9 "nohelp", options=0x7fff6affaef0, task=0x7fd6d53e2280 <run>, task_cls=0x1399740)
    at program.c:325
#12 0x00007fd6d53e257d in GNUNET_TESTBED_test_run (testname=0x40189d "test-rps-multipeer",
    cfg_filename=0x40188f "test_rps.conf", num_peers=5, event_mask=0, cc=0x0, cc_cls=0x0, test_master=0x401537 <run>,
    test_master_cls=0x0) at testbed_api_test.c:151
#13 0x0000000000401748 in main (argc=1, argv=0x7fff6affb088) at test_rps_multipeer.c:307
(gdb) up 4
#4 0x00007fd6d56328de in connection_client_send_impl (mq=0x1413100, msg=0x13f0330, impl_state=0x1433fa0) at mq.c:655
655 GNUNET_CLIENT_notify_transmit_ready (state->connection, ntohs (msg->size),
(gdb) p *state
$1 = {receive_active = 1, receive_requested = 1, connection = 0x1433f00, th = 0x0}
(gdb) p *state->connection
$2 = {connection = 0x1433d80, cfg = 0xdf0adba0df0adba,
  service_name = 0xdf0adba0df0adba <error: Cannot access memory at address 0xdf0adba0df0adba>, tag = 0xdf0adba0df0adba,
  receiver_handler = 0xdf0adba0df0adba, receiver_handler_cls = 0xdf0adba0df0adba, th = 0xdf0adba0df0adba,
  receive_task = 0xdf0adba0df0adba,
  received_buf = 0xdf0adba0df0adba <error: Cannot access memory at address 0xdf0adba0df0adba>, receive_timeout = {
    abs_value_us = 1004493731513019834}, back_off = {rel_value_us = 1004493731513019834},
  received_pos = 1004493731513019834, received_size = 233876922, msg_complete = 233876922, in_receive = 233876922,
  first_message = 233876922, attempts = 233876922}
(gdb) p/x *state->connection
$3 = {connection = 0x1433d80, cfg = 0xdf0adba0df0adba, service_name = 0xdf0adba0df0adba, tag = 0xdf0adba0df0adba,
  receiver_handler = 0xdf0adba0df0adba, receiver_handler_cls = 0xdf0adba0df0adba, th = 0xdf0adba0df0adba,
  receive_task = 0xdf0adba0df0adba, received_buf = 0xdf0adba0df0adba, receive_timeout = {
    abs_value_us = 0xdf0adba0df0adba}, back_off = {rel_value_us = 0xdf0adba0df0adba}, received_pos = 0xdf0adba0df0adba,
  received_size = 0xdf0adba, msg_complete = 0xdf0adba, in_receive = 0xdf0adba, first_message = 0xdf0adba,
  attempts = 0xdf0adba}
(gdb) up 1
#5 0x00007fd6d5631823 in GNUNET_MQ_send (mq=0x1413100, ev=0x13f0300) at mq.c:290
290 mq->send_impl (mq, ev->mh, mq->impl_state);
(gdb) p *mq
$4 = {handlers = 0x7fd6d5a6d1c0 <mq_handlers>, handlers_cls = 0x13e1920,
  send_impl = 0x7fd6d5632739 <connection_client_send_impl>,
  destroy_impl = 0x7fd6d563270f <connection_client_destroy_impl>,
  cancel_impl = 0x7fd6d5632996 <connection_client_cancel_impl>, impl_state = 0x1433fa0,
  error_handler = 0x7fd6d586cc94 <mq_error_handler>, envelope_head = 0x0, envelope_tail = 0x0,
  current_envelope = 0x13f0300, assoc_map = 0x0, continue_task = 0x0, assoc_id = 0}
(gdb) p *mq->impl_state
Attempt to dereference a generic pointer.
(gdb) p *ev
$5 = {next = 0x0, prev = 0x0, mh = 0x13f0330, parent_queue = 0x1413100, sent_cb = 0x0, sent_cls = 0x0}
(gdb) p *ev->parent_queue
$6 = {handlers = 0x7fd6d5a6d1c0 <mq_handlers>, handlers_cls = 0x13e1920,
  send_impl = 0x7fd6d5632739 <connection_client_send_impl>,
  destroy_impl = 0x7fd6d563270f <connection_client_destroy_impl>,
  cancel_impl = 0x7fd6d5632996 <connection_client_cancel_impl>, impl_state = 0x1433fa0,
  error_handler = 0x7fd6d586cc94 <mq_error_handler>, envelope_head = 0x0, envelope_tail = 0x0,
  current_envelope = 0x13f0300, assoc_map = 0x0, continue_task = 0x0, assoc_id = 0}
(gdb)
Tags: No tags attached.
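
The dump of *state->connection shows one value, 0x0df0adba, repeated through every field after the first. As an added example (not part of the report and not GNUnet code), the C helper below measures how much of an object image consists of that value, which is the observation behind the reporter's "seems to be freed". The sample words are constructed from the p/x output with little-endian word order assumed; scan_fill, looks_released, build_sample and the 3/4 threshold are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Value repeated through the dump; treated as a fill pattern (assumption). */
#define FILL32 UINT32_C(0x0df0adba)

struct fill_report {
  size_t total_words; /* 32-bit words examined */
  size_t fill_words;  /* words equal to FILL32 */
  size_t run_start;   /* byte offset of the longest fill run */
  size_t run_bytes;   /* length of that run in bytes */
};

/* Scan an object image, given as 32-bit words, for the fill value. */
struct fill_report scan_fill(const uint32_t *w, size_t n) {
  struct fill_report r = { n, 0, 0, 0 };
  size_t start = 0, len = 0;
  for (size_t i = 0; i < n; i++) {
    if (w[i] != FILL32) { len = 0; continue; }
    if (len++ == 0) start = i;
    r.fill_words++;
    if (len * 4 > r.run_bytes) { r.run_start = start * 4; r.run_bytes = len * 4; }
  }
  return r;
}

/* Hypothetical heuristic: call it released when >= 3/4 of the words are fill. */
int looks_released(const struct fill_report *r) {
  return r->total_words > 0 && r->fill_words * 4 >= r->total_words * 3;
}

/* Constructed sample: fields of `p/x *state->connection` as 32-bit words,
   low half first (little-endian order assumed). Returns the word count. */
size_t build_sample(uint32_t *w) {
  size_t n = 0;
  w[n++] = 0x01433d80; w[n++] = 0;  /* connection = 0x1433d80 */
  while (n < 29) w[n++] = FILL32;   /* 11 64-bit fields, then 5 32-bit ones */
  return n;
}

int main(void) {
  uint32_t img[29];
  struct fill_report r = scan_fill(img, build_sample(img));
  printf("%zu/%zu words are fill; longest run: %zu bytes at offset %zu; released=%d\n",
         r.fill_words, r.total_words, r.run_bytes, r.run_start, looks_released(&r));
  return 0;
}
```

On the constructed sample, 27 of 29 words are the fill value, in a single run of 108 bytes starting at offset 8.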

Activities

Florian Dold

2015-03-07 23:38

developer   ~0008992

Discussed in private email. Currently RPS ignores the error callback for the message queue, which may thus be in an error state when 'send' is called next.

We'll investigate this further when Julius' pending changes for the RPS API are committed (which might make the problem go away or not).

Christian Grothoff

2015-03-20 21:15

manager   ~0009027

Reported to be gone with changes to RPS code.

Issue History

Date Modified | Username | Field | Change
2015-01-28 17:22 | Bart Polot | New Issue |
2015-01-28 17:22 | Bart Polot | Status | new => assigned
2015-01-28 17:22 | Bart Polot | Assigned To | => Florian Dold
2015-03-07 23:38 | Florian Dold | Note Added: 0008992 |
2015-03-07 23:38 | Florian Dold | Status | assigned => feedback
2015-03-20 21:15 | Christian Grothoff | Note Added: 0009027 |
2015-03-20 21:15 | Christian Grothoff | Status | feedback => resolved
2015-03-20 21:15 | Christian Grothoff | Fixed in Version | => 0.11.0pre66
2015-03-20 21:15 | Christian Grothoff | Resolution | open => fixed
2015-03-20 21:15 | Christian Grothoff | Assigned To | Florian Dold => ch3
2018-06-07 00:25 | Christian Grothoff | Status | resolved => closed