0004678: segfault in service_new (?) - MantisBT

ID	Project	Category	View Status	Date Submitted	Last Update

0004678	GNUnet	other	public	2016-09-25 17:27	2018-06-07 00:24

Reporter	ch3	Assigned To	ch3
Priority	normal	Severity	crash	Reproducibility	always
Status	closed	Resolution	fixed
Product Version	Git master
Target Version	0.11.0pre66	Fixed in Version	0.11.0pre66

Summary	0004678: segfault in service_new (?)
Description	Not exactly sure what the causing module is. Program terminated with signal SIGSEGV, Segmentation fault. #0 0x00007f25770765f4 in GNUNET_MQ_destroy (mq=0x20699e0) at mq.c:1019 1019 mq->destroy_impl (mq, mq->impl_state); (gdb) bt #0 0x00007f25770765f4 in GNUNET_MQ_destroy (mq=0x20699e0) at mq.c:1019 #1 0x00007f257709e479 in GNUNET_SERVICE_client_drop (c=0x2069760) at service_new.c:2352 #2 0x00007f257709cc64 in service_mq_error_handler (cls=0x2069760, error=GNUNET_MQ_ERROR_MALFORMED) at service_new.c:1918 #3 0x00007f25770748b6 in GNUNET_MQ_inject_error (mq=0x20699e0, error=GNUNET_MQ_ERROR_MALFORMED) at mq.c:325 #4 0x00007f2577074650 in GNUNET_MQ_inject_message (mq=0x20699e0, mh=0x206d520) at mq.c:273 #5 0x00007f257709cfe5 in service_client_mst_cb (cls=0x2069760, message=0x206d520) at service_new.c:1971 #6 0x00007f2577073dba in GNUNET_MST_from_buffer (mst=0x20697e0, buf=0x0, size=0, purge=0, one_shot=-1) at mst.c:232 #7 0x00007f257707449a in GNUNET_MST_read (mst=0x20697e0, sock=0x20699c0, purge=0, one_shot=1) at mst.c:359 #8 0x00007f257709d034 in service_client_recv (cls=0x2069760) at service_new.c:1990 #9 0x00007f2577087078 in run_ready (rs=0x206c4b0, ws=0x206c540) at scheduler.c:620 #10 0x00007f25770879c3 in GNUNET_SCHEDULER_run (task=0x7f257709769a <service_main>, task_cls=0x7ffe7a415860) at scheduler.c:887 #11 0x00007f257709c09f in GNUNET_SERVICE_ruN_ (argc=3, argv=0x7ffe7a415c18, service_name=0x413ca7 "rps", options=GNUNET_SERVICE_OPTION_NONE, service_init_cb=0x4117eb <run>, connect_cb=0x41148b <client_connect_cb>, disconnect_cb=0x4116fd <client_disconnect_cb>, cls=0x0, handlers=0x7ffe7a4159f0) at service_new.c:1700 #12 0x00000000004121a2 in main (argc=3, argv=0x7ffe7a415c18) at gnunet-service-rps.c:2416
Steps To Reproduce	run rps testcases (src/rps/test_rps_*) cd src/rps/ && make check
Additional Information	(gdb) bt f #0 0x00007f25770765f4 in GNUNET_MQ_destroy (mq=0x20699e0) at mq.c:1019 dnh = 0x0 __FUNCTION__ = "GNUNET_MQ_destroy" #1 0x00007f257709e479 in GNUNET_SERVICE_client_drop (c=0x2069760) at service_new.c:2352 sh = 0x7ffe7a415860 __FUNCTION__ = "GNUNET_SERVICE_client_drop" #2 0x00007f257709cc64 in service_mq_error_handler (cls=0x2069760, error=GNUNET_MQ_ERROR_MALFORMED) at service_new.c:1918 client = 0x2069760 sh = 0x7ffe7a415860 __FUNCTION__ = "service_mq_error_handler" #3 0x00007f25770748b6 in GNUNET_MQ_inject_error (mq=0x20699e0, error=GNUNET_MQ_ERROR_MALFORMED) at mq.c:325 __FUNCTION__ = "GNUNET_MQ_inject_error" #4 0x00007f2577074650 in GNUNET_MQ_inject_message (mq=0x20699e0, mh=0x206d520) at mq.c:273 handler = 0x2069ad0 handled = 1 ms = 76 __FUNCTION__ = "GNUNET_MQ_inject_message" #5 0x00007f257709cfe5 in service_client_mst_cb (cls=0x2069760, message=0x206d520) at service_new.c:1971 client = 0x2069760 __FUNCTION__ = "service_client_mst_cb" #6 0x00007f2577073dba in GNUNET_MST_from_buffer (mst=0x20697e0, buf=0x0, size=0, purge=0, one_shot=-1) at mst.c:232 hdr = 0x206d520 delta = 12884901889 want = 76 ibuf = 0x206d520 "`i\006\002" need_align = 0 offset = 34002212 ret = 1 __FUNCTION__ = "GNUNET_MST_from_buffer" #7 0x00007f257707449a in GNUNET_MST_read (mst=0x20697e0, sock=0x20699c0, purge=0, one_shot=1) at mst.c:359 ret = 72 left = 72 buf = 0x206d520 "`i\006\002" __FUNCTION__ = "GNUNET_MST_read" #8 0x00007f257709d034 in service_client_recv (cls=0x2069760) at service_new.c:1990 client = 0x2069760 ret = 11 __FUNCTION__ = "service_client_recv" #9 0x00007f2577087078 in run_ready (rs=0x206c4b0, ws=0x206c540) at scheduler.c:620 p = GNUNET_SCHEDULER_PRIORITY_DEFAULT pos = 0x2069ba0 __FUNCTION__ = "run_ready" #10 0x00007f25770879c3 in GNUNET_SCHEDULER_run (task=0x7f257709769a <service_main>, task_cls=0x7ffe7a415860) at scheduler.c:887 rs = 0x206c4b0 ws = 0x206c540 timeout = {rel_value_us = 1720029} ret = 1 shc_int = 0x206cf00 shc_term = 0x206cfc0 shc_quit = 0x206d140 shc_hup = 0x206d200 shc_pipe = 0x206d080 last_tr = 44 busy_wait_warning = 0 pr = 0x206dcb0 c = 91 '[' __FUNCTION__ = "GNUNET_SCHEDULER_run" #11 0x00007f257709c09f in GNUNET_SERVICE_ruN_ (argc=3, argv=0x7ffe7a415c18, service_name=0x413ca7 "rps", options=GNUNET_SERVICE_OPTION_NONE, service_init_cb=0x4117eb <run>, ---Type <return> to continue, or q <return> to quit--- connect_cb=0x41148b <client_connect_cb>, disconnect_cb=0x4116fd <client_disconnect_cb>, cls=0x0, handlers=0x7ffe7a4159f0) at service_new.c:1700 sh = {cfg = 0x2063720, service_name = 0x413ca7 "rps", service_init_cb = 0x4117eb <run>, connect_cb = 0x41148b <client_connect_cb>, disconnect_cb = 0x4116fd <client_disconnect_cb>, cb_cls = 0x0, slc_head = 0x206c350, slc_tail = 0x206c350, clients_head = 0x0, clients_tail = 0x0, handlers = 0x7ffe7a4159f0, task_cls = 0x0, v4_denied = 0x0, v6_denied = 0x0, v4_allowed = 0x20744f0, v6_allowed = 0x206ac40, match_uid = 0, match_gid = 1, got_shutdown = 0, options = GNUNET_SERVICE_OPTION_NONE, ready_confirm_fd = -1, ret = 0, require_found = 1} cfg_filename = 0x2063700 "~/.config/gnunet.conf" opt_cfg_filename = 0x2063850 "/tmp/testbedMdvxJ7/0/config" loglev = 0x0 xdg = 0x0 logfile = 0x0 do_daemonize = 0 skew_offset = 44349769 skew_variance = 2838385273 clock_offset = 3 cfg = 0x2063720 ret = 3 err = 0 service_options = {{shortName = 99 'c', name = 0x7f25770aea37 "config", argumentHelp = 0x7f25770aea3e "FILENAME", description = 0x7f25770aea48 "use configuration file FILENAME", require_argument = 1, processor = 0x7f25770709f3 <GNUNET_GETOPT_set_string>, scls = 0x7ffe7a415850}, {shortName = 100 'd', name = 0x7f25770aea68 "daemonize", argumentHelp = 0x0, description = 0x7f25770aea78 "do daemonize (detach from terminal)", require_argument = 0, processor = 0x7f25770709c6 <GNUNET_GETOPT_set_one>, scls = 0x7ffe7a41583c}, {shortName = 104 'h', name = 0x7f25770aea9c "help", argumentHelp = 0x0, description = 0x7f25770aeaa1 "print this help", require_argument = 0, processor = 0x7f257707044a <GNUNET_GETOPT_format_help_>, scls = 0x0}, { shortName = 76 'L', name = 0x7f25770aeab1 "log", argumentHelp = 0x7f25770aeab5 "LOGLEVEL", description = 0x7f25770aeac0 "configure logging to use LOGLEVEL", require_argument = 1, processor = 0x7f25770709f3 <GNUNET_GETOPT_set_string>, scls = 0x7ffe7a415848}, {shortName = 108 'l', name = 0x7f25770aeae2 "logfile", argumentHelp = 0x7f25770aeaea "LOGFILE", description = 0x7f25770aeaf8 "configure logging to write logs to LOGFILE", require_argument = 1, processor = 0x7f25770709f3 <GNUNET_GETOPT_set_string>, scls = 0x7ffe7a415840}, {shortName = 118 'v', name = 0x7f25770aeb23 "version", argumentHelp = 0x0, description = 0x7f25770aeb2b "print the version number", require_argument = 0, processor = 0x7f2577070404 <GNUNET_GETOPT_print_version_>, scls = 0x7f25770aeb44}, {shortName = 0 '\000', name = 0x0, argumentHelp = 0x0, description = 0x0, require_argument = 0, processor = 0x0, scls = 0x0}} __FUNCTION__ = "GNUNET_SERVICE_ruN_" #12 0x00000000004121a2 in main (argc=3, argv=0x7ffe7a415c18) at gnunet-service-rps.c:2416 mh = {{mv = 0x0, cb = 0x40cb1d <handle_client_request>, cls = 0x0, type = 954, expected_size = 12}, {mv = 0x0, cb = 0x40cf24 <handle_client_request_cancel>, cls = 0x0, type = 956, expected_size = 8}, { mv = 0x0, cb = 0x40d208 <handle_client_seed>, cls = 0x0, type = 957, expected_size = 4}, {mv = 0x0, cb = 0x40e8ba <handle_client_act_malicious>, cls = 0x0, type = 958, expected_size = 4}, {mv = 0x0, cb = 0x0, cls = 0x0, type = 0, expected_size = 0}}
Tags	No tags attached.

Christian Grothoff 2016-09-25 20:47 manager ~0011148	Valgrind says: ==4864== Invalid read of size 8 ==4864== at 0x507ED91: GNUNET_MQ_destroy (mq.c:1017) ==4864== by 0x50A4006: GNUNET_SERVICE_client_drop (service_new.c:2352) ==4864== by 0x50A414B: GNUNET_SERVICE_shutdown (service_new.c:2382) ==4864== by 0x509D607: service_shutdown (service_new.c:354) ==4864== by 0x508E893: run_ready (scheduler.c:620) ==4864== by 0x508F162: GNUNET_SCHEDULER_run (scheduler.c:887) ==4864== by 0x50A1E00: GNUNET_SERVICE_ruN_ (service_new.c:1700) ==4864== by 0x40F706: main (gnunet-service-rps.c:2412) ==4864== Address 0x73c1770 is 16 bytes inside a block of size 136 free'd ==4864== at 0x4C29E90: free (vg_replace_malloc.c:473) ==4864== by 0x504FA78: GNUNET_xfree_ (common_allocation.c:321) ==4864== by 0x507F300: GNUNET_MQ_destroy (mq.c:1061) ==4864== by 0x40AC1E: destroy_cli_ctx (gnunet-service-rps.c:942) ==4864== by 0x40EE95: client_disconnect_cb (gnunet-service-rps.c:2239) ==4864== by 0x50A3F6B: GNUNET_SERVICE_client_drop (service_new.c:2333) ==4864== by 0x50A414B: GNUNET_SERVICE_shutdown (service_new.c:2382) ==4864== by 0x509D607: service_shutdown (service_new.c:354) ==4864== by 0x508E893: run_ready (scheduler.c:620) ==4864== by 0x508F162: GNUNET_SCHEDULER_run (scheduler.c:887) ==4864== by 0x50A1E00: GNUNET_SERVICE_ruN_ (service_new.c:1700) ==4864== by 0x40F706: main (gnunet-service-rps.c:2412) ==4864== =

Christian Grothoff 2016-09-25 20:48 manager ~0011149	So the bug is actually in RPS: you must not call GNUNET_MQ_destroy() for the MQs of the service. So just remove line 942 and it might be OK ;-). Hint: change rps.conf.in to include: [rps] PREFIX = valgrind and you can easily get the above yourself ;-).

Date Modified	Username	Field	Change
2016-09-25 17:27	ch3	New Issue
2016-09-25 20:47	Christian Grothoff	Note Added: 0011148
2016-09-25 20:48	Christian Grothoff	Note Added: 0011149
2016-09-25 20:49	Christian Grothoff	Assigned To	=> ch3
2016-09-25 20:49	Christian Grothoff	Status	new => assigned
2016-09-25 20:49	Christian Grothoff	Target Version	=> 0.11.0pre66
2016-09-25 22:39	ch3	Status	assigned => resolved
2016-09-25 22:39	ch3	Resolution	open => fixed
2016-09-25 22:39	ch3	Fixed in Version	=> Git master
2016-09-30 14:40	Christian Grothoff	Fixed in Version	Git master => 0.11.0pre66
2018-06-07 00:24	Christian Grothoff	Status	resolved => closed