View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0003152 | GNUnet | transport service | public | 2013-12-03 13:52 | 2024-05-03 13:58 |
Reporter | Matthias Wachs | Assigned To | Christian Grothoff | ||
Priority | urgent | Severity | crash | Reproducibility | have not tried |
Status | closed | Resolution | fixed | ||
Product Version | Git master | ||||
Target Version | 0.10.0 | Fixed in Version | 0.10.0 | ||
Summary | 0003152: Dynamic growing consensus set causes segfault | ||||
Description |

```
==8516== Invalid read of size 8
==8516==    at 0x5450D24: disconnect_and_free_peer_entry (core_api.c:400)
==8516==    by 0x568359B: GNUNET_CONTAINER_multipeermap_iterate (container_multipeermap.c:361)
==8516==    by 0x54561AB: GNUNET_CORE_disconnect (core_api.c:1217)
==8516==    by 0x406138: shutdown_task (gnunet-service-dv.c:1883)
==8516==    by 0x56A6CC0: run_ready (scheduler.c:593)
==8516==    by 0x56A7547: GNUNET_SCHEDULER_run (scheduler.c:808)
==8516==    by 0x56B55CA: GNUNET_SERVICE_run (service.c:1478)
==8516==    by 0x406588: main (gnunet-service-dv.c:2035)
==8516==  Address 0x6ef4770 is 112 bytes inside a block of size 184 free'd
==8516==    at 0x4C2BA6C: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==8516==    by 0x566FE1E: GNUNET_xfree_ (common_allocation.c:236)
==8516==    by 0x56701CB: GNUNET_xgrow_ (common_allocation.c:336)
==8516==    by 0x402AE4: get_consensus_slot (gnunet-service-dv.c:705)
==8516==    by 0x402B02: allocate_route (gnunet-service-dv.c:725)
==8516==    by 0x403A3A: check_possible_route (gnunet-service-dv.c:1027)
==8516==    by 0x568359B: GNUNET_CONTAINER_multipeermap_iterate (container_multipeermap.c:361)
==8516==    by 0x403B92: refresh_routes (gnunet-service-dv.c:1059)
==8516==    by 0x568359B: GNUNET_CONTAINER_multipeermap_iterate (container_multipeermap.c:361)
==8516==    by 0x405EC4: handle_core_disconnect (gnunet-service-dv.c:1822)
==8516==    by 0x5450C46: disconnect_and_free_peer_entry (core_api.c:389)
==8516==    by 0x568359B: GNUNET_CONTAINER_multipeermap_iterate (container_multipeermap.c:361)
==8516==
```

Tags | No tags attached. | ||||
has duplicate | 0003155 | closed | Christian Grothoff | Crash in shutdown |
child of | 0001795 | closed | schanzen | DV is not implemented |
|
I've made the recursion on "refresh_routes()" asynchronous (new task), so that at least we're no longer adding new routes while handling core disconnect (that just sounds like a bad idea). It may help, but I've not seen exactly how this would trigger the bug, so more likely the issue itself is not solved by this (SVN 31031). |
|
Still there, reproduced using testbed profiler with 10 peers (and allowed 100 connect errors) using DV test configuration file:

```
==23943== Invalid read of size 8
==23943==    at 0x5455100: main_notify_handler (core_api.c:988)
==23943==    by 0x566D619: receive_task (client.c:589)
==23943==    by 0x56ABF10: run_ready (scheduler.c:593)
==23943==    by 0x56AC862: GNUNET_SCHEDULER_run (scheduler.c:808)
==23943==    by 0x56BB65F: GNUNET_SERVICE_run (service.c:1478)
==23943==    by 0x10F209: main (gnunet-service-dv.c:2087)
==23943==  Address 0x6ed5cd0 is 112 bytes inside a block of size 184 free'd
==23943==    at 0x4C2A74C: free (vg_replace_malloc.c:468)
==23943==    by 0x5670558: GNUNET_xfree_ (common_allocation.c:236)
==23943==    by 0x567096E: GNUNET_xgrow_ (common_allocation.c:336)
==23943==    by 0x10AF0F: get_consensus_slot (gnunet-service-dv.c:714)
==23943==    by 0x10AF50: allocate_route (gnunet-service-dv.c:734)
==23943==    by 0x10C0EA: check_possible_route (gnunet-service-dv.c:1040)
==23943==    by 0x5685705: GNUNET_CONTAINER_multipeermap_iterate (container_multipeermap.c:361)
==23943==    by 0x10C271: refresh_routes (gnunet-service-dv.c:1072)
==23943==    by 0x5685705: GNUNET_CONTAINER_multipeermap_iterate (container_multipeermap.c:361)
==23943==    by 0x10C2D1: refresh_routes_task (gnunet-service-dv.c:1090)
==23943==    by 0x56ABF10: run_ready (scheduler.c:593)
==23943==    by 0x56AC862: GNUNET_SCHEDULER_run (scheduler.c:808)
```
|
Looks like neither get_consensus_slot, nor allocate_route, nor check_possible_route checked that the distance didn't yet grow beyond our 3-hop bound and thus overflowed the 'consensi' array. Added assertions, and added logic to not include routes with too many hops to check_possible_route in SVN 31167. |
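
A minimal model of the bounds check described in the note above, as an added example that is not GNUnet's code: one growable route set per hop distance, with the distance validated before it is used as an index. `MAX_HOPS`, `struct ConsensusSet`, `get_slot` and `add_route` are hypothetical names and the data layout is an assumption.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_HOPS 3u /* assumed name for the 3-hop bound */
struct Route { uint32_t distance; }; /* hypothetical, simplified */

/* One growable set of routes per hop distance (a model of 'consensi'). */
struct ConsensusSet { struct Route **targets; unsigned int size; };
static struct ConsensusSet consensi[MAX_HOPS];

/* Return a free slot in the set for `distance`, growing it when full, or -1.
 * Without the first check, consensi[distance] with distance >= MAX_HOPS would
 * treat memory past the array as a set and could realloc() a foreign block. */
static int get_slot(uint32_t distance)
{
  if (distance >= MAX_HOPS)
    return -1;
  struct ConsensusSet *cs = &consensi[distance];
  for (unsigned int i = 0; i < cs->size; i++)
    if (NULL == cs->targets[i])
      return (int) i;
  unsigned int old = cs->size;
  unsigned int grown = old ? old * 2 : 4;
  struct Route **t = realloc(cs->targets, grown * sizeof *t);
  if (NULL == t)
    return -1;
  for (unsigned int i = old; i < grown; i++)
    t[i] = NULL;
  cs->targets = t;
  cs->size = grown;
  return (int) old;
}

/* Store a candidate route; routes with too many hops are rejected (-1). */
static int add_route(struct Route *r)
{
  int slot = get_slot(r->distance);
  if (slot < 0)
    return -1;
  consensi[r->distance].targets[slot] = r;
  return 0;
}

int main(void)
{
  struct Route ok = { 0 }, far = { MAX_HOPS };
  printf("%d %d\n", add_route(&ok), add_route(&far));
  return 0;
}
```
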
Date Modified | Username | Field | Change |
---|---|---|---|
2013-12-03 13:52 | Matthias Wachs | New Issue | |
2013-12-04 10:44 | Christian Grothoff | Note Added: 0007756 | |
2013-12-04 10:45 | Christian Grothoff | Priority | normal => high |
2013-12-04 10:45 | Christian Grothoff | Target Version | => 0.10.0 |
2013-12-07 22:20 | Christian Grothoff | Relationship added | child of 0001795 |
2013-12-07 23:18 | Christian Grothoff | Note Added: 0007774 | |
2013-12-07 23:18 | Christian Grothoff | Priority | high => urgent |
2013-12-07 23:18 | Christian Grothoff | Severity | minor => crash |
2013-12-07 23:18 | Christian Grothoff | Status | new => confirmed |
2013-12-07 23:18 | Christian Grothoff | Product Version | => Git master |
2013-12-07 23:27 | Christian Grothoff | Note Added: 0007775 | |
2013-12-07 23:27 | Christian Grothoff | Assigned To | => Christian Grothoff |
2013-12-07 23:27 | Christian Grothoff | Status | confirmed => assigned |
2013-12-07 23:27 | Christian Grothoff | Status | assigned => resolved |
2013-12-07 23:27 | Christian Grothoff | Fixed in Version | => 0.10.0 |
2013-12-07 23:27 | Christian Grothoff | Resolution | open => fixed |
2013-12-08 22:20 | Christian Grothoff | Relationship added | has duplicate 0003155 |
2013-12-24 20:54 | Christian Grothoff | Status | resolved => closed |
2024-05-03 13:58 | Christian Grothoff | Category | DV service or transport => transport service |