View Issue Details

ID: 0002495
Project: GNUnet
Category: core service
View Status: public
Last Update: 2012-11-05 18:33
Reporter: Bart Polot
Assigned To: Christian Grothoff
Priority: low
Severity: crash
Reproducibility: unable to reproduce
Status: closed
Resolution: duplicate
Product Version: Git master
Target Version: 0.9.4
Fixed in Version: 0.9.4
Summary: 0002495: Memory corruption in core / client.
Description:
There seems to be some kind of memory corruption in core api / client lib. I don't have the logfile of where it happened unfortunately, but I have the corefile.

AFAIR the log to stderr complained of chunksizes this->prev->next != this in malloc_consolidation(), unfortunately I could not copy & paste it before, thus I think it is some kind of memory corruption / use after free.

#0 0x00007fa7e10cac35 in raise () from /lib/libc.so.6
#1 0x00007fa7e10cc0b8 in abort () from /lib/libc.so.6
#2 0x00007fa7e110e0ca in __malloc_assert () from /lib/libc.so.6
#3 0x00007fa7e110ef04 in malloc_consolidate () from /lib/libc.so.6
#4 0x00007fa7e110f6d8 in _int_free () from /lib/libc.so.6
#5 0x00007fa7e24fbfe9 in GNUNET_xfree_ (ptr=0x1bb8360, filename=0x7fa7e253f4a9 "client.c", linenumber=476) at common_allocation.c:230
#6 0x00007fa7e24fc383 in GNUNET_xgrow_ (old=0x1ba5c48, elementSize=1, oldCount=0x1ba5c68, newCount=0, filename=0x7fa7e253f4a9 "client.c", linenumber=476) at common_allocation.c:313
#7 0x00007fa7e24f9286 in GNUNET_CLIENT_disconnect (client=0x1ba5bf0) at client.c:476
#8 0x00007fa7e2b6cf8a in GNUNET_CORE_disconnect (handle=0x1ba43d0) at core_api.c:1220
#9 0x00000000004148c1 in shutdown_task (cls=0x0, tc=0x7fff123bf280) at gnunet-service-mesh_new.c:5823
#10 0x00007fa7e252bd49 in run_ready (rs=0x1ba2190, ws=0x1ba2220) at scheduler.c:602
#11 0x00007fa7e252c51a in GNUNET_SCHEDULER_run (task=0x7fa7e2539144 <service_task>, task_cls=0x7fff123bf580) at scheduler.c:790
#12 0x00007fa7e253ab6a in GNUNET_SERVICE_run (argc=5, argv=0x7fff123bf7e8, service_name=0x4198d0 "mesh", options=GNUNET_SERVICE_OPTION_NONE, task=0x4149e6 <run>, task_cls=0x0) at service.c:1788
#13 0x000000000041504b in main (argc=5, argv=0x7fff123bf7e8) at gnunet-service-mesh_new.c:5970

I cannot reproduce it, either under valgrind or otherwise :(
Additional Information:
(gdb) bt full
#0 0x00007fa7e10cac35 in raise () from /lib/libc.so.6
No symbol table info available.
#1 0x00007fa7e10cc0b8 in abort () from /lib/libc.so.6
No symbol table info available.
#2 0x00007fa7e110e0ca in __malloc_assert () from /lib/libc.so.6
No symbol table info available.
#3 0x00007fa7e110ef04 in malloc_consolidate () from /lib/libc.so.6
No symbol table info available.
#4 0x00007fa7e110f6d8 in _int_free () from /lib/libc.so.6
No symbol table info available.
#5 0x00007fa7e24fbfe9 in GNUNET_xfree_ (ptr=0x1bb8360, filename=0x7fa7e253f4a9 "client.c", linenumber=476) at common_allocation.c:230
        __FUNCTION__ = "GNUNET_xfree_"
#6 0x00007fa7e24fc383 in GNUNET_xgrow_ (old=0x1ba5c48, elementSize=1, oldCount=0x1ba5c68, newCount=0, filename=0x7fa7e253f4a9 "client.c", linenumber=476) at common_allocation.c:313
        tmp = 0x0
        size = 0
        __FUNCTION__ = "GNUNET_xgrow_"
#7 0x00007fa7e24f9286 in GNUNET_CLIENT_disconnect (client=0x1ba5bf0) at client.c:476
No locals.
#8 0x00007fa7e2b6cf8a in GNUNET_CORE_disconnect (handle=0x1ba43d0) at core_api.c:1220
        cm = 0x0
        __FUNCTION__ = "GNUNET_CORE_disconnect"
#9 0x00000000004148c1 in shutdown_task (cls=0x0, tc=0x7fff123bf280) at gnunet-service-mesh_new.c:5823
        __FUNCTION__ = "shutdown_task"
#10 0x00007fa7e252bd49 in run_ready (rs=0x1ba2190, ws=0x1ba2220) at scheduler.c:602
        p = GNUNET_SCHEDULER_PRIORITY_SHUTDOWN
        pos = 0x1ba74e0
        tc = {reason = GNUNET_SCHEDULER_REASON_SHUTDOWN, read_ready = 0x1ba2190, write_ready = 0x1ba2220}
        __FUNCTION__ = "run_ready"
#11 0x00007fa7e252c51a in GNUNET_SCHEDULER_run (task=0x7fa7e2539144 <service_task>, task_cls=0x7fff123bf580) at scheduler.c:790
        rs = 0x1ba2190
        ws = 0x1ba2220
        timeout = {rel_value = 0}
        ret = 0
        shc_int = 0x1ba22b0
        shc_term = 0x1ba2360
        shc_quit = 0x1ba24c0
        shc_hup = 0x1ba2570
        shc_pipe = 0x1ba2410
        last_tr = 124
        busy_wait_warning = 1
        pr = 0x1ba2140
        c = 0 '\000'
        __FUNCTION__ = "GNUNET_SCHEDULER_run"
#12 0x00007fa7e253ab6a in GNUNET_SERVICE_run (argc=5, argv=0x7fff123bf7e8, service_name=0x4198d0 "mesh", options=GNUNET_SERVICE_OPTION_NONE, task=0x4149e6 <run>, task_cls=0x0) at service.c:1788
        err = 0
        cfg_fn = 0x1ba0090 "/tmp/test_mesh_small//1//gnunet-testing-configbWfuqm"
        loglev = 0x1b9ff40 "DEBUG"
        logfile = 0x0
        do_daemonize = 0
        i = 4278758
        skew_offset = 6407344
        skew_variance = 140355236265985
        clock_offset = 0
        sctx = {cfg = 0x1b9ff60, server = 0x1ba26e0, addrs = 0x0, service_name = 0x4198d0 "mesh", task = 0x4149e6 <run>, task_cls = 0x0, v4_denied = 0x0, v6_denied = 0x0, v4_allowed = 0x1ba2150, v6_allowed = 0x1bab4e0, my_handlers = 0x1bac0d0,
          addrlens = 0x0, lsocks = 0x1bb2f40, shutdown_task = 4, timeout = {rel_value = 18446744073709551615}, ret = 1, ready_confirm_fd = -1, require_found = 1, match_uid = 1, match_gid = 1, options = GNUNET_SERVICE_OPTION_NONE}
        cfg = 0x1b9ff60
        service_options = {{shortName = 99 'c', name = 0x7fa7e25454c5 "config", argumentHelp = 0x7fa7e25454cc "FILENAME", description = 0x7fa7e25454d8 "use configuration file FILENAME", require_argument = 1,
            processor = 0x7fa7e251be87 <GNUNET_GETOPT_set_string>, scls = 0x7fff123bf638}, {shortName = 100 'd', name = 0x7fa7e25454f8 "daemonize", argumentHelp = 0x0, description = 0x7fa7e2545508 "do daemonize (detach from terminal)",
            require_argument = 0, processor = 0x7fa7e251be5a <GNUNET_GETOPT_set_one>, scls = 0x7fff123bf624}, {shortName = 104 'h', name = 0x7fa7e254552c "help", argumentHelp = 0x0, description = 0x7fa7e2545531 "print this help",
            require_argument = 0, processor = 0x7fa7e251b91a <GNUNET_GETOPT_format_help_>, scls = 0x0}, {shortName = 76 'L', name = 0x7fa7e2545541 "log", argumentHelp = 0x7fa7e2545545 "LOGLEVEL",
            description = 0x7fa7e2545550 "configure logging to use LOGLEVEL", require_argument = 1, processor = 0x7fa7e251be87 <GNUNET_GETOPT_set_string>, scls = 0x7fff123bf630}, {shortName = 108 'l', name = 0x7fa7e2545572 "logfile",
            argumentHelp = 0x7fa7e254557a "LOGFILE", description = 0x7fa7e2545588 "configure logging to write logs to LOGFILE", require_argument = 1, processor = 0x7fa7e251be87 <GNUNET_GETOPT_set_string>, scls = 0x7fff123bf628}, {
            shortName = 118 'v', name = 0x7fa7e25455b3 "version", argumentHelp = 0x0, description = 0x7fa7e25455bb "print the version number", require_argument = 0, processor = 0x7fa7e251b8d4 <GNUNET_GETOPT_print_version_>,
            scls = 0x7fa7e25455d4}, {shortName = 0 '\000', name = 0x0, argumentHelp = 0x0, description = 0x0, require_argument = 0, processor = 0, scls = 0x0}}
        __FUNCTION__ = "GNUNET_SERVICE_run"
#13 0x000000000041504b in main (argc=5, argv=0x7fff123bf7e8) at gnunet-service-mesh_new.c:5970
        ret = 0
        __FUNCTION__ = "main"
Tags: No tags attached.

Relationships

related to 0002572 (closed, LRN): Crash in dht service during test_stream_local

Activities

Christian Grothoff

2012-07-18 00:10

manager   ~0006257

Need to learn more, I don't see much here yet.

Christian Grothoff

2012-10-08 23:40

manager   ~0006427

This could be a duplicate of 0002572, as that one was a use-after-free in CLIENT_disconnect/CONNECTION_destroy. And it was highly timing-dependent.

Christian Grothoff

2012-10-08 23:43

manager   ~0006428

I'm going to call this one resolved, as it is very likely a duplicate of the issue LRN and I fixed earlier today, and if not we need a new report with info on how to reproduce this anyway.

Issue History

Date Modified Username Field Change
2012-07-12 18:39 Bart Polot New Issue
2012-07-12 18:39 Bart Polot Status new => assigned
2012-07-12 18:39 Bart Polot Assigned To => Christian Grothoff
2012-07-18 00:10 Christian Grothoff Note Added: 0006257
2012-07-18 00:10 Christian Grothoff Assigned To Christian Grothoff =>
2012-07-18 00:10 Christian Grothoff Status assigned => feedback
2012-09-17 12:55 Christian Grothoff Assigned To => Christian Grothoff
2012-10-08 23:39 Christian Grothoff Relationship added related to 0002572
2012-10-08 23:40 Christian Grothoff Note Added: 0006427
2012-10-08 23:43 Christian Grothoff Note Added: 0006428
2012-10-08 23:43 Christian Grothoff Status feedback => resolved
2012-10-08 23:43 Christian Grothoff Resolution open => duplicate
2012-10-08 23:43 Christian Grothoff Fixed in Version => 0.9.4
2012-10-08 23:43 Christian Grothoff Target Version => 0.9.4
2012-11-05 18:33 Christian Grothoff Status resolved => closed