View Issue Details

ID: 0003135
Project: GNUnet
Category: cadet service
View Status: public
Last Update: 2013-12-24 20:53
Reporter: bratao
Assigned To: Bart Polot
Priority: high
Severity: crash
Reproducibility: always
Status: closed
Resolution: fixed
Platform: W32
OS: Windows
OS Version: 8.1
Product Version: Git master
Target Version: 0.10.0
Summary: 0003135: Segmentation fault in queue_data
Description: I have A and B machines, connected by LAN.

A is sharing 3 files. B is downloading those 3 files.
B crashes in Mesh and service-fs simultaneously.
Additional Information:
Reading symbols from C:\Cangote\lib\gnunet\libexec\gnunet-service-mesh.exe...done.
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 4216.0x80c]
0x0040244f in queue_data (t=0xa1ba70, ch=0xa1b878, msg=0x6510e4)
    at gnunet-service-mesh_tunnel.c:619
warning: Source file is more recent than executable.
619 GNUNET_CONTAINER_DLL_insert_tail (t->tq_head, t->tq_tail, tq);
(gdb) bt full
#0 0x0040244f in queue_data (t=0xa1ba70, ch=0xa1b878, msg=0x6510e4)
    at gnunet-service-mesh_tunnel.c:619
        tq = 0x651100
        size = 16
        __FUNCTION__ = "queue_data"
#1 0x00407721 in GMT_send_prebuilt_message (message=0x6510e4, t=0xa1ba70,
    ch=0xa1b878, fwd=0, cont=0x0, cont_cls=0x0)
    at gnunet-service-mesh_tunnel.c:2082
        q = 0x650150
        c = 0x7104b307 <regexec+103>
        msg = 0x10
        size = 16
        encrypted_size = 0
        cbuf = 0x28f754 "\020"
        iv = 2684936
        type = 40
        __FUNCTION__ = "GMT_send_prebuilt_message"
#2 0x00416dfd in GMCH_send_prebuilt_message (message=0x6510e4, ch=0xa1b878,
    fwd=0, retransmission=0) at gnunet-service-mesh_channel.c:1931
        __FUNCTION__ = "GMCH_send_prebuilt_message"
#3 0x004020ae in send_queued_data (t=0xa1fb78)
    at gnunet-service-mesh_tunnel.c:580
        tq = 0x6510d8
        next = 0x64e3b0
        room = 10
        __FUNCTION__ = "send_queued_data"
#4 0x00404e82 in handle_pong (t=0xa1fb78, msg=0x28fb5c)
    at gnunet-service-mesh_tunnel.c:1236
        challenge = 3667771245
        __FUNCTION__ = "handle_pong"
#5 0x00405335 in GMT_handle_kx (t=0xa1fb78, message=0x28fb5c)
    at gnunet-service-mesh_tunnel.c:1362
        type = 265
        __FUNCTION__ = "GMT_handle_kx"
#6 0x0040d471 in handle_mesh_kx (peer=0x28faf4, msg=0x28fb14)
    at gnunet-service-mesh_connection.c:1740
        c = 0xa1fe28
        neighbor = 0x6480c0
        peer_id = 2
        size = 84
        type = 262
        fwd = 0
        __FUNCTION__ = "handle_mesh_kx"
#7 0x0040d592 in GMC_handle_kx (cls=0x0, peer=0x28faf4, message=0x28fb14)
    at gnunet-service-mesh_connection.c:1786
No locals.
#8 0x695055f4 in main_notify_handler (cls=0xa17770, msg=0x28faf0)
    at core_api.c:936
        h = 0xa17770
        m = 0x772be046 <ntdll!RtlAllocateHeap>
        cnm = 0x1baf1247
        dnm = 0x64f3f0
        ntm = 0x28faf0
        em = 0x28fb14
        smr = 0x772be0f2 <ntdll!RtlAllocateHeap+172>
        mh = 0x423788 <core_handlers+72>
        init = 0x1ceeb07
        pr = 0x64e968
        th = 0x45f4cb5
        hpos = 9
        trigger = 10000000
        msize = 120
        et = 262
        __FUNCTION__ = "main_notify_handler"
#9 0x62b440cc in receive_task (cls=0x646408, tc=0x28fbf0) at client.c:589
        client = 0x646408
        handler = 0x69503f36 <main_notify_handler>
        cmsg = 0x6529e0
        handler_cls = 0xa17770
        msize = 120
        mbuf = 0x28faf0 ""
        msg = 0x28faf0
        __FUNCTION__ = "receive_task"
#10 0x62b7f6e1 in run_ready (rs=0xa197e8, ws=0xa1a800) at scheduler.c:593
        p = GNUNET_SCHEDULER_PRIORITY_DEFAULT
        pos = 0xa1b950
        tc = {reason = GNUNET_SCHEDULER_REASON_TIMEOUT,
          read_ready = 0xa197e8, write_ready = 0xa1a800}
        __FUNCTION__ = "run_ready"
#11 0x62b7ff5d in GNUNET_SCHEDULER_run (task=0x62b8bc24 <service_task>,
    task_cls=0x28fd98) at scheduler.c:808
        rs = 0xa197e8
        ws = 0xa1a800
        timeout = {rel_value_us = 0}
        ret = 0
        shc_int = 0x64eaa0
        shc_term = 0x64ee00
        last_tr = 80
        busy_wait_warning = 0
        pr = 0xa196c0
        c = 98 'b'
        __FUNCTION__ = "GNUNET_SCHEDULER_run"
#12 0x62b8caf3 in GNUNET_SERVICE_run (argc=3, argv=0x6412c0,
    service_name=0x427739 <__FUNCTION__.105212+1342> "mesh",
    options=GNUNET_SERVICE_OPTION_NONE, task=0x42101f <run>, task_cls=0x0)
    at service.c:1478
        err = 0
        ret = 3
        cfg_fn = 0x641958 "~/.gnunet/gnunet.conf"
        opt_cfg_fn = 0x644030 "C:\\Users\\slave\\AppData\\Roaming\\Cangote\\cang
ote.conf"
        loglev = 0x0
        logfile = 0x0
        do_daemonize = 0
        i = 4294967295
        skew_offset = 52
        skew_variance = 8426786857650028036
        clock_offset = -5155769697
        sctx = {cfg = 0x640da8, server = 0x643cd8, addrs = 0x0,
          service_name = 0x427739 <__FUNCTION__.105212+1342> "mesh",
          task = 0x42101f <run>, task_cls = 0x0, v4_denied = 0x0,
          v6_denied = 0x0, v4_allowed = 0x642c40, v6_allowed = 0x644c78,
          my_handlers = 0x64e0f0, addrlens = 0x0, lsocks = 0xa195e8,
          shutdown_task = 5, timeout = {rel_value_us = 18446744073709551615},
          ret = 1, ready_confirm_fd = -1, require_found = 1, match_uid = 1,
          match_gid = 1, options = GNUNET_SERVICE_OPTION_NONE}
        cfg = 0x640da8
        xdg = 0x0
        service_options = {{shortName = 99 'c',
            name = 0x62ba711c <defhandlers+1308> "config",
            argumentHelp = 0x62ba7123 <defhandlers+1315> "FILENAME",
            description = 0x62ba712c <defhandlers+1324> "use configuration file
FILENAME", require_argument = 1,
            processor = 0x62b6b55e <GNUNET_GETOPT_set_string>,
            scls = 0x28fe18}, {shortName = 100 'd',
            name = 0x62ba714c <defhandlers+1356> "daemonize",
            argumentHelp = 0x0,
            description = 0x62ba7158 <defhandlers+1368> "do daemonize (detach fr
om terminal)", require_argument = 0,
            processor = 0x62b6b542 <GNUNET_GETOPT_set_one>, scls = 0x28fe0c},
          {shortName = 104 'h', name = 0x62ba717c <defhandlers+1404> "help",
            argumentHelp = 0x0,
            description = 0x62ba7181 <defhandlers+1409> "print this help",
            require_argument = 0,
            processor = 0x62b6b0d7 <GNUNET_GETOPT_format_help_>, scls = 0x0},
          {shortName = 76 'L', name = 0x62ba7191 <defhandlers+1425> "log",
            argumentHelp = 0x62ba7195 <defhandlers+1429> "LOGLEVEL",
            description = 0x62ba71a0 <defhandlers+1440> "configure logging to us
e LOGLEVEL", require_argument = 1,
            processor = 0x62b6b55e <GNUNET_GETOPT_set_string>,
            scls = 0x28fe14}, {shortName = 108 'l',
            name = 0x62ba71c2 <defhandlers+1474> "logfile",
            argumentHelp = 0x62ba71ca <defhandlers+1482> "LOGFILE",
            description = 0x62ba71d4 <defhandlers+1492> "configure logging to wr
ite logs to LOGFILE", require_argument = 1,
            processor = 0x62b6b55e <GNUNET_GETOPT_set_string>,
            scls = 0x28fe10}, {shortName = 118 'v',
            name = 0x62ba71ff <defhandlers+1535> "version",
            argumentHelp = 0x0,
            description = 0x62ba7207 <defhandlers+1543> "print the version numbe
r", require_argument = 0,
            processor = 0x62b6b0a8 <GNUNET_GETOPT_print_version_>,
            scls = 0x62ba7220 <defhandlers+1568>}, {shortName = 0 '\000',
            name = 0x0, argumentHelp = 0x0, description = 0x0,
            require_argument = 0, processor = 0x0, scls = 0x0}}
        __FUNCTION__ = "GNUNET_SERVICE_run"
#13 0x004213c9 in main (argc=3, argv=0x6412c0) at gnunet-service-mesh.c:161
        ret = 52
        r = 52
(gdb) l
614
615 tq = GNUNET_malloc (sizeof (struct MeshTunnelDelayed) + size);
616
617 tq->ch = ch;
618 memcpy (&tq[1], msg, size);
619 GNUNET_CONTAINER_DLL_insert_tail (t->tq_head, t->tq_tail, tq);
620 }
621
622
623
(gdb) up
#1 0x00407721 in GMT_send_prebuilt_message (message=0x6510e4, t=0xa1ba70,
    ch=0xa1b878, fwd=0, cont=0x0, cont_cls=0x0)
    at gnunet-service-mesh_tunnel.c:2082
2082 queue_data (t, ch, message);
(gdb) l
2077 uint32_t iv;
2078 uint16_t type;
2079
2080 if (MESH_TUNNEL3_READY != t->state)
2081 {
2082 queue_data (t, ch, message);
2083 /* FIXME */
2084 return NULL;
2085 }
2086 LOG (GNUNET_ERROR_TYPE_DEBUG, "GMT Send on Tunnel %s\n", GMT_2s (t));
Tags: No tags attached.

Activities

Bart Polot

2013-11-27 03:36

reporter   ~0007721

Could you please provide the following info?
- bt (not full, since it's easier to parse for a first impression)
- p *t
- p *ch
Thanks!

bratao

2013-11-27 03:46

reporter   ~0007722

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 768.0xbf4]
0x0040244f in queue_data (t=0x6cba70, ch=0x6cb878, msg=0x1f11094)
    at gnunet-service-mesh_tunnel.c:619
warning: Source file is more recent than executable.
619 GNUNET_CONTAINER_DLL_insert_tail (t->tq_head, t->tq_tail, tq);
(gdb) bt
#0 0x0040244f in queue_data (t=0x6cba70, ch=0x6cb878, msg=0x1f11094)
    at gnunet-service-mesh_tunnel.c:619
#1 0x00407721 in GMT_send_prebuilt_message (message=0x1f11094, t=0x6cba70,
    ch=0x6cb878, fwd=0, cont=0x0, cont_cls=0x0)
    at gnunet-service-mesh_tunnel.c:2082
#2 0x00416dfd in GMCH_send_prebuilt_message (message=0x1f11094, ch=0x6cb878,
    fwd=0, retransmission=0) at gnunet-service-mesh_channel.c:1931
#3 0x004020ae in send_queued_data (t=0x6cfb78)
    at gnunet-service-mesh_tunnel.c:580
#4 0x00404e82 in handle_pong (t=0x6cfb78, msg=0x28fb5c)
    at gnunet-service-mesh_tunnel.c:1236
#5 0x00405335 in GMT_handle_kx (t=0x6cfb78, message=0x28fb5c)
    at gnunet-service-mesh_tunnel.c:1362
#6 0x0040d471 in handle_mesh_kx (peer=0x28faf4, msg=0x28fb14)
    at gnunet-service-mesh_connection.c:1740
#7 0x0040d592 in GMC_handle_kx (cls=0x0, peer=0x28faf4, message=0x28fb14)
    at gnunet-service-mesh_connection.c:1786
#8 0x695055f4 in main_notify_handler (cls=0x6c7770, msg=0x28faf0)
    at core_api.c:936
#9 0x62b440cc in receive_task (cls=0x1f06408, tc=0x28fbf0) at client.c:589
#10 0x62b7f6e1 in run_ready (rs=0x6c97e8, ws=0x6ca800) at scheduler.c:593
#11 0x62b7ff5d in GNUNET_SCHEDULER_run (task=0x62b8bc24 <service_task>,
    task_cls=0x28fd98) at scheduler.c:808
#12 0x62b8caf3 in GNUNET_SERVICE_run (argc=3, argv=0x1f012c0,
    service_name=0x427739 <__FUNCTION__.105212+1342> "mesh",
    options=GNUNET_SERVICE_OPTION_NONE, task=0x42101f <run>, task_cls=0x0)
    at service.c:1478
#13 0x004213c9 in main (argc=3, argv=0x1f012c0) at gnunet-service-mesh.c:161
(gdb) p *t
$1 = {peer = 0x1f0b2c8, state = 1656029047, kx_ctx = 0x6cfc88, e_key = {
    aes_key = "8x±\001\000\000\000\000\000\000\000\000(\000\000\000\000\000\000\
000        \000\000\000",
    twofish_key = "\003\000\000\000        \001\000\000\000\000\000\000\000|Û£
║¡\000\210x©l"}, d_key = {
    aes_key = "w ┤bh·l\000p¿±\001\000\000\000\000\000\000\000\000>\000\000\000\0
00\000\000\000    ",
    twofish_key = "    \000\000\000\000\003\000\000\000        \001\000\000\000\
000\000\000\000uÛ£ "}, rekey_task = 1004493731512975398,
  connection_head = 0xdf0adba, connection_tail = 0xdf0adba,
  next_cid = 233876922, channel_head = 0xdf0adba, channel_tail = 0xdf0adba,
  next_chid = 233876922, destroy = 233876922, tq_head = 0xdf0adba,
  tq_tail = 0xdf0adba}
(gdb) p *ch
$2 = {t = 0x6cba70, port = 1656231755, gid = 32521432, lid_root = 32577448,
  lid_dest = 0, state = MESH_CHANNEL_NEW, nobuffer = 59, reliable = 0,
  timestamp = {abs_value_us = 18446744073709551615}, root = 0x0, dest = 0x4,
  destroy = -1, pending_messages = 4294967295, root_rel = 0x1, dest_rel = 0x0}
(gdb)

bratao

2013-11-27 03:47

reporter   ~0007723

Last edited: 2013-11-27 03:47

An observation. The error happens at the very end of a download.

Bart Polot

2013-11-27 05:17

reporter   ~0007724

Seems like a clear use after free, especially if it's at the end of the download.

Note to self: check that the tunnel is removed from connections so a stray pong does fail instead of triggering the handler on a dead tunnel.
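
The check described in the note above, as an added C sketch that is not part of the original comment and is not GNUnet's code: destroying a tunnel clears the back-reference held by each of its connections, so a pong that arrives afterwards is rejected instead of reaching freed memory. All struct and function names here are hypothetical, simplified stand-ins.

```c
#include <stddef.h>
#include <stdlib.h>
/* Hypothetical, simplified stand-ins for the mesh structures (not GNUnet's own). */
struct Tunnel;
struct Connection { struct Tunnel *t; struct Connection *next; };
struct Tunnel { struct Connection *connection_head; int queued; };

/* Attach connection c to tunnel t and record the back-reference. */
static void tunnel_add_connection (struct Tunnel *t, struct Connection *c)
{
  c->t = t;
  c->next = t->connection_head;
  t->connection_head = c;
}

/* Destroy a tunnel: detach it from every connection first, then free it. */
static void tunnel_destroy (struct Tunnel *t)
{
  struct Connection *c = t->connection_head;
  while (NULL != c)
  {
    struct Connection *next = c->next;
    c->t = NULL;      /* a late message on c can no longer find the tunnel */
    c->next = NULL;
    c = next;
  }
  free (t);
}

/* Handle a pong received on connection c.
 * Returns 0 if the tunnel's queue was flushed, -1 if the tunnel is gone. */
int connection_handle_pong (struct Connection *c)
{
  if (NULL == c->t)
    return -1;        /* stray pong: fail instead of touching a dead tunnel */
  c->t->queued = 0;   /* stands in for flushing the delayed-data queue */
  return 0;
}

/* Constructed scenario: the tunnel is destroyed, then a pong arrives late. */
int demo_stray_pong (void)
{
  struct Tunnel *t = calloc (1, sizeof (*t));
  struct Connection c = { NULL, NULL };
  if (NULL == t)
    return -2;
  tunnel_add_connection (t, &c);
  tunnel_destroy (t);
  return connection_handle_pong (&c);
}
```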

Bart Polot

2013-11-27 15:28

reporter   ~0007734

Really can't reproduce or figure this out.

Can you reliably reproduce this problem? If so it would be really helpful if you could:
- run it under valgrind
and/or
- activate mesh debug (FORCE_LOG mesh;;;;DEBUG) and post the output in pastebin or send me a txt file (I expect the output to be veeeeery big)

bratao

2013-11-28 20:30

reporter   ~0007742

Bart, W32 does not have valgrind.
I will try again with log enabled.

Christian Grothoff

2013-11-29 20:11

manager   ~0007751

The FS crashes should now be fixed.
Bart: I don't see how this should be W32-specific, so you might be able to reproduce it by running the peers + FS + non-anonymous transfers manually yourself. That's how I got valgrind traces of the FS issue(s).

Bart Polot

2013-12-06 02:39

reporter   ~0007766

I made changes since this was reported and can't reproduce myself, could you please confirm that it still happens? At what frequency? Is it affected by the file size?

bratao

2013-12-16 12:05

reporter   ~0007890

Cannot reproduce anymore.

Issue History

Date Modified Username Field Change
2013-11-27 01:52 bratao New Issue
2013-11-27 01:52 bratao Status new => assigned
2013-11-27 01:52 bratao Assigned To => Bart Polot
2013-11-27 03:36 Bart Polot Note Added: 0007721
2013-11-27 03:36 Bart Polot Status assigned => feedback
2013-11-27 03:46 bratao Note Added: 0007722
2013-11-27 03:46 bratao Status feedback => assigned
2013-11-27 03:47 bratao Note Added: 0007723
2013-11-27 03:47 bratao Note Edited: 0007723
2013-11-27 05:17 Bart Polot Note Added: 0007724
2013-11-27 05:17 Bart Polot Status assigned => acknowledged
2013-11-27 15:28 Bart Polot Note Added: 0007734
2013-11-27 15:28 Bart Polot Status acknowledged => feedback
2013-11-28 20:23 Christian Grothoff Target Version => 0.10.0
2013-11-28 20:30 bratao Note Added: 0007742
2013-11-28 20:30 bratao Status feedback => assigned
2013-11-29 20:11 Christian Grothoff Note Added: 0007751
2013-11-30 19:34 Christian Grothoff Priority normal => high
2013-12-06 02:39 Bart Polot Note Added: 0007766
2013-12-06 02:39 Bart Polot Status assigned => feedback
2013-12-16 12:05 bratao Note Added: 0007890
2013-12-16 12:05 bratao Status feedback => assigned
2013-12-16 12:05 bratao Status assigned => resolved
2013-12-16 12:05 bratao Resolution open => fixed
2013-12-24 20:53 Christian Grothoff Status resolved => closed
2014-05-09 18:34 Christian Grothoff Category mesh service => cadet service