View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0003794 | GNUnet | cadet service | public | 2015-05-20 19:11 | 2018-06-07 00:24 |
Reporter | Christian Grothoff | Assigned To | Bart Polot | ||
Priority | urgent | Severity | crash | Reproducibility | have not tried |
Status | closed | Resolution | fixed | ||
Platform | i7 | OS | Debian GNU/Linux | OS Version | squeeze |
Product Version | Git master | ||||
Target Version | 0.11.0pre66 | Fixed in Version | 0.11.0pre66 | ||
Summary | 0003794: cadet use after free valgrind report (on shutdown, with crash) | ||||

Description:

```text
==25802== Invalid read of size 8
==25802==    at 0x412C73: get_prev_hop (gnunet-service-cadet_connection.c:730)
==25802==    by 0x41A60D: GCC_notify_broken (gnunet-service-cadet_connection.c:2989)
==25802==    by 0x428DF5: notify_broken (gnunet-service-cadet_peer.c:357)
==25802==    by 0x506821E: GNUNET_CONTAINER_multihashmap_iterate (container_multihashmap.c:340)
==25802==    by 0x4294A4: core_disconnect (gnunet-service-cadet_peer.c:461)
==25802==    by 0x54CED07: disconnect_and_free_peer_entry (core_api.c:389)
==25802==    by 0x50699A8: GNUNET_CONTAINER_multipeermap_iterate (container_multipeermap.c:361)
==25802==    by 0x54D4164: GNUNET_CORE_disconnect (core_api.c:1259)
==25802==    by 0x42DB6D: GCP_shutdown (gnunet-service-cadet_peer.c:1716)
==25802==    by 0x432373: shutdown_task (gnunet-service-cadet.c:115)
==25802==    by 0x50916BC: run_ready (scheduler.c:587)
==25802==    by 0x5091FC7: GNUNET_SCHEDULER_run (scheduler.c:867)
==25802==  Address 0x9e06288 is 200 bytes inside a block of size 256 free'd
==25802==    at 0x4C29E90: free (vg_replace_malloc.c:473)
==25802==    by 0x505630B: GNUNET_xfree_ (common_allocation.c:256)
==25802==    by 0x41A2FB: GCC_destroy (gnunet-service-cadet_connection.c:2800)
==25802==    by 0x419920: shutdown_iterator (gnunet-service-cadet_connection.c:2665)
==25802==    by 0x50682CA: GNUNET_CONTAINER_multihashmap_iterate (container_multihashmap.c:358)
==25802==    by 0x419944: GCC_shutdown (gnunet-service-cadet_connection.c:2676)
==25802==    by 0x432364: shutdown_task (gnunet-service-cadet.c:112)
==25802==    by 0x50916BC: run_ready (scheduler.c:587)
==25802==    by 0x5091FC7: GNUNET_SCHEDULER_run (scheduler.c:867)
==25802==    by 0x50A07DB: GNUNET_SERVICE_run (service.c:1503)
==25802==    by 0x432772: main (gnunet-service-cadet.c:174)
==25802== 
==25802== Invalid read of size 4
==25802==    at 0x412D2F: get_prev_hop (gnunet-service-cadet_connection.c:735)
==25802==    by 0x41A60D: GCC_notify_broken (gnunet-service-cadet_connection.c:2989)
==25802==    by 0x428DF5: notify_broken (gnunet-service-cadet_peer.c:357)
==25802==    by 0x506821E: GNUNET_CONTAINER_multihashmap_iterate (container_multihashmap.c:340)
==25802==    by 0x4294A4: core_disconnect (gnunet-service-cadet_peer.c:461)
==25802==    by 0x54CED07: disconnect_and_free_peer_entry (core_api.c:389)
==25802==    by 0x50699A8: GNUNET_CONTAINER_multipeermap_iterate (container_multipeermap.c:361)
==25802==    by 0x54D4164: GNUNET_CORE_disconnect (core_api.c:1259)
==25802==    by 0x42DB6D: GCP_shutdown (gnunet-service-cadet_peer.c:1716)
==25802==    by 0x432373: shutdown_task (gnunet-service-cadet.c:115)
==25802==    by 0x50916BC: run_ready (scheduler.c:587)
==25802==    by 0x5091FC7: GNUNET_SCHEDULER_run (scheduler.c:867)
==25802==  Address 0x9e06290 is 208 bytes inside a block of size 256 free'd
==25802==    at 0x4C29E90: free (vg_replace_malloc.c:473)
==25802==    by 0x505630B: GNUNET_xfree_ (common_allocation.c:256)
==25802==    by 0x41A2FB: GCC_destroy (gnunet-service-cadet_connection.c:2800)
==25802==    by 0x419920: shutdown_iterator (gnunet-service-cadet_connection.c:2665)
==25802==    by 0x50682CA: GNUNET_CONTAINER_multihashmap_iterate (container_multihashmap.c:358)
==25802==    by 0x419944: GCC_shutdown (gnunet-service-cadet_connection.c:2676)
==25802==    by 0x432364: shutdown_task (gnunet-service-cadet.c:112)
==25802==    by 0x50916BC: run_ready (scheduler.c:587)
==25802==    by 0x5091FC7: GNUNET_SCHEDULER_run (scheduler.c:867)
==25802==    by 0x50A07DB: GNUNET_SERVICE_run (service.c:1503)
==25802==    by 0x432772: main (gnunet-service-cadet.c:174)
==25802== 
==25802== Invalid read of size 8
==25802==    at 0x412D3D: get_prev_hop (gnunet-service-cadet_connection.c:735)
==25802==    by 0x41A60D: GCC_notify_broken (gnunet-service-cadet_connection.c:2989)
==25802==    by 0x428DF5: notify_broken (gnunet-service-cadet_peer.c:357)
==25802==    by 0x506821E: GNUNET_CONTAINER_multihashmap_iterate (container_multihashmap.c:340)
==25802==    by 0x4294A4: core_disconnect (gnunet-service-cadet_peer.c:461)
==25802==    by 0x54CED07: disconnect_and_free_peer_entry (core_api.c:389)
==25802==    by 0x50699A8: GNUNET_CONTAINER_multipeermap_iterate (container_multipeermap.c:361)
==25802==    by 0x54D4164: GNUNET_CORE_disconnect (core_api.c:1259)
==25802==    by 0x42DB6D: GCP_shutdown (gnunet-service-cadet_peer.c:1716)
==25802==    by 0x432373: shutdown_task (gnunet-service-cadet.c:115)
==25802==    by 0x50916BC: run_ready (scheduler.c:587)
==25802==    by 0x5091FC7: GNUNET_SCHEDULER_run (scheduler.c:867)
==25802==  Address 0x9e06288 is 200 bytes inside a block of size 256 free'd
==25802==    at 0x4C29E90: free (vg_replace_malloc.c:473)
==25802==    by 0x505630B: GNUNET_xfree_ (common_allocation.c:256)
==25802==    by 0x41A2FB: GCC_destroy (gnunet-service-cadet_connection.c:2800)
==25802==    by 0x419920: shutdown_iterator (gnunet-service-cadet_connection.c:2665)
==25802==    by 0x50682CA: GNUNET_CONTAINER_multihashmap_iterate (container_multihashmap.c:358)
==25802==    by 0x419944: GCC_shutdown (gnunet-service-cadet_connection.c:2676)
==25802==    by 0x432364: shutdown_task (gnunet-service-cadet.c:112)
==25802==    by 0x50916BC: run_ready (scheduler.c:587)
==25802==    by 0x5091FC7: GNUNET_SCHEDULER_run (scheduler.c:867)
==25802==    by 0x50A07DB: GNUNET_SERVICE_run (service.c:1503)
==25802==    by 0x432772: main (gnunet-service-cadet.c:174)
==25802== 
==25802== Invalid read of size 4
==25802==    at 0x412D44: get_prev_hop (gnunet-service-cadet_connection.c:735)
==25802==    by 0x41A60D: GCC_notify_broken (gnunet-service-cadet_connection.c:2989)
==25802==    by 0x428DF5: notify_broken (gnunet-service-cadet_peer.c:357)
==25802==    by 0x506821E: GNUNET_CONTAINER_multihashmap_iterate (container_multihashmap.c:340)
==25802==    by 0x4294A4: core_disconnect (gnunet-service-cadet_peer.c:461)
==25802==    by 0x54CED07: disconnect_and_free_peer_entry (core_api.c:389)
==25802==    by 0x50699A8: GNUNET_CONTAINER_multipeermap_iterate (container_multipeermap.c:361)
==25802==    by 0x54D4164: GNUNET_CORE_disconnect (core_api.c:1259)
==25802==    by 0x42DB6D: GCP_shutdown (gnunet-service-cadet_peer.c:1716)
==25802==    by 0x432373: shutdown_task (gnunet-service-cadet.c:115)
==25802==    by 0x50916BC: run_ready (scheduler.c:587)
==25802==    by 0x5091FC7: GNUNET_SCHEDULER_run (scheduler.c:867)
==25802==  Address 0xdf0adba0df0add2 is not stack'd, malloc'd or (recently) free'd
==25802== 
==25802== 
==25802== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==25802==  General Protection Fault
==25802==    at 0x412D44: get_prev_hop (gnunet-service-cadet_connection.c:735)
==25802==    by 0x41A60D: GCC_notify_broken (gnunet-service-cadet_connection.c:2989)
==25802==    by 0x428DF5: notify_broken (gnunet-service-cadet_peer.c:357)
==25802==    by 0x506821E: GNUNET_CONTAINER_multihashmap_iterate (container_multihashmap.c:340)
==25802==    by 0x4294A4: core_disconnect (gnunet-service-cadet_peer.c:461)
==25802==    by 0x54CED07: disconnect_and_free_peer_entry (core_api.c:389)
==25802==    by 0x50699A8: GNUNET_CONTAINER_multipeermap_iterate (container_multipeermap.c:361)
==25802==    by 0x54D4164: GNUNET_CORE_disconnect (core_api.c:1259)
==25802==    by 0x42DB6D: GCP_shutdown (gnunet-service-cadet_peer.c:1716)
==25802==    by 0x432373: shutdown_task (gnunet-service-cadet.c:115)
==25802==    by 0x50916BC: run_ready (scheduler.c:587)
==25802==    by 0x5091FC7: GNUNET_SCHEDULER_run (scheduler.c:867)
==25802== 
```

Tags | No tags attached. | ||||
duplicate of | 0003696 | closed | Bart Polot | segv in get_prev_hop() |
related to | 0003723 | closed | Christian Grothoff | cadet leaves sock file around (and only cadet) |
related to | 0003842 | closed | Christian Grothoff | Error: util-3140, Revision 35949 |
Note 0009142 (Christian Grothoff): Seen again:

```text
grothoff@pixel:~$ gnunet-arm -e
==13065== Invalid read of size 8
==13065==    at 0x412C73: get_prev_hop (gnunet-service-cadet_connection.c:730)
==13065==    by 0x41A60D: GCC_notify_broken (gnunet-service-cadet_connection.c:2989)
==13065==    by 0x428DF5: notify_broken (gnunet-service-cadet_peer.c:357)
==13065==    by 0x506821E: GNUNET_CONTAINER_multihashmap_iterate (container_multihashmap.c:340)
==13065==    by 0x4294A4: core_disconnect (gnunet-service-cadet_peer.c:461)
==13065==    by 0x54CED07: disconnect_and_free_peer_entry (core_api.c:389)
==13065==    by 0x50699A8: GNUNET_CONTAINER_multipeermap_iterate (container_multipeermap.c:361)
==13065==    by 0x54D4164: GNUNET_CORE_disconnect (core_api.c:1259)
==13065==    by 0x42DB6D: GCP_shutdown (gnunet-service-cadet_peer.c:1716)
==13065==    by 0x432373: shutdown_task (gnunet-service-cadet.c:115)
==13065==    by 0x50916BC: run_ready (scheduler.c:587)
==13065==    by 0x5091FC7: GNUNET_SCHEDULER_run (scheduler.c:867)
==13065==  Address 0xb5a40f8 is 5,704 bytes inside an unallocated block of size 14,496 in arena "client"
==13065== 
May 21 11:08:35-088549 cadet-13065 WARNING Message `External protocol violation detected at gnunet-service-cadet_tunnel.c:2759.' repeated 123 times in the last 62 s
May 21 11:08:35-088549 cadet-13065 ERROR Assertion failed at gnunet-service-cadet_connection.c:2993.
==13065== Invalid read of size 4
==13065==    at 0x412D2F: get_prev_hop (gnunet-service-cadet_connection.c:735)
==13065==    by 0x41A60D: GCC_notify_broken (gnunet-service-cadet_connection.c:2989)
==13065==    by 0x428DF5: notify_broken (gnunet-service-cadet_peer.c:357)
==13065==    by 0x506821E: GNUNET_CONTAINER_multihashmap_iterate (container_multihashmap.c:340)
==13065==    by 0x4294A4: core_disconnect (gnunet-service-cadet_peer.c:461)
==13065==    by 0x54CED07: disconnect_and_free_peer_entry (core_api.c:389)
==13065==    by 0x50699A8: GNUNET_CONTAINER_multipeermap_iterate (container_multipeermap.c:361)
==13065==    by 0x54D4164: GNUNET_CORE_disconnect (core_api.c:1259)
==13065==    by 0x42DB6D: GCP_shutdown (gnunet-service-cadet_peer.c:1716)
==13065==    by 0x432373: shutdown_task (gnunet-service-cadet.c:115)
==13065==    by 0x50916BC: run_ready (scheduler.c:587)
==13065==    by 0x5091FC7: GNUNET_SCHEDULER_run (scheduler.c:867)
==13065==  Address 0x9f5def0 is 32 bytes before a block of size 16 in arena "client"
==13065== 
==13065== Invalid read of size 8
==13065==    at 0x412D3D: get_prev_hop (gnunet-service-cadet_connection.c:735)
==13065==    by 0x41A60D: GCC_notify_broken (gnunet-service-cadet_connection.c:2989)
==13065==    by 0x428DF5: notify_broken (gnunet-service-cadet_peer.c:357)
==13065==    by 0x506821E: GNUNET_CONTAINER_multihashmap_iterate (container_multihashmap.c:340)
==13065==    by 0x4294A4: core_disconnect (gnunet-service-cadet_peer.c:461)
==13065==    by 0x54CED07: disconnect_and_free_peer_entry (core_api.c:389)
==13065==    by 0x50699A8: GNUNET_CONTAINER_multipeermap_iterate (container_multipeermap.c:361)
==13065==    by 0x54D4164: GNUNET_CORE_disconnect (core_api.c:1259)
==13065==    by 0x42DB6D: GCP_shutdown (gnunet-service-cadet_peer.c:1716)
==13065==    by 0x432373: shutdown_task (gnunet-service-cadet.c:115)
==13065==    by 0x50916BC: run_ready (scheduler.c:587)
==13065==    by 0x5091FC7: GNUNET_SCHEDULER_run (scheduler.c:867)
==13065==  Address 0x9f5dee8 is 24 bytes after a block of size 80 in arena "client"
==13065== 
==13065== Invalid read of size 4
==13065==    at 0x412D44: get_prev_hop (gnunet-service-cadet_connection.c:735)
==13065==    by 0x41A60D: GCC_notify_broken (gnunet-service-cadet_connection.c:2989)
==13065==    by 0x428DF5: notify_broken (gnunet-service-cadet_peer.c:357)
==13065==    by 0x506821E: GNUNET_CONTAINER_multihashmap_iterate (container_multihashmap.c:340)
==13065==    by 0x4294A4: core_disconnect (gnunet-service-cadet_peer.c:461)
==13065==    by 0x54CED07: disconnect_and_free_peer_entry (core_api.c:389)
==13065==    by 0x50699A8: GNUNET_CONTAINER_multipeermap_iterate (container_multipeermap.c:361)
==13065==    by 0x54D4164: GNUNET_CORE_disconnect (core_api.c:1259)
==13065==    by 0x42DB6D: GCP_shutdown (gnunet-service-cadet_peer.c:1716)
==13065==    by 0x432373: shutdown_task (gnunet-service-cadet.c:115)
==13065==    by 0x50916BC: run_ready (scheduler.c:587)
==13065==    by 0x5091FC7: GNUNET_SCHEDULER_run (scheduler.c:867)
==13065==  Address 0xa8 is not stack'd, malloc'd or (recently) free'd
==13065== 
==13065== 
==13065== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==13065==  Access not within mapped region at address 0xA8
==13065==    at 0x412D44: get_prev_hop (gnunet-service-cadet_connection.c:735)
==13065==    by 0x41A60D: GCC_notify_broken (gnunet-service-cadet_connection.c:2989)
==13065==    by 0x428DF5: notify_broken (gnunet-service-cadet_peer.c:357)
==13065==    by 0x506821E: GNUNET_CONTAINER_multihashmap_iterate (container_multihashmap.c:340)
==13065==    by 0x4294A4: core_disconnect (gnunet-service-cadet_peer.c:461)
==13065==    by 0x54CED07: disconnect_and_free_peer_entry (core_api.c:389)
==13065==    by 0x50699A8: GNUNET_CONTAINER_multipeermap_iterate (container_multipeermap.c:361)
==13065==    by 0x54D4164: GNUNET_CORE_disconnect (core_api.c:1259)
==13065==    by 0x42DB6D: GCP_shutdown (gnunet-service-cadet_peer.c:1716)
==13065==    by 0x432373: shutdown_task (gnunet-service-cadet.c:115)
==13065==    by 0x50916BC: run_ready (scheduler.c:587)
==13065==    by 0x5091FC7: GNUNET_SCHEDULER_run (scheduler.c:867)
==13065==  If you believe this happened as a result of a stack
==13065==  overflow in your program's main thread (unlikely but
==13065==  possible), you can try to increase the size of the
==13065==  main thread stack using the --main-stacksize= flag.
==13065==  The main thread stack size used in this run was 8388608.
==13065== 
==13065== HEAP SUMMARY:
==13065==     in use at exit: 427,279 bytes in 10,596 blocks
==13065==   total heap usage: 483,504,284 allocs, 483,493,688 frees, 33,705,358,254 bytes allocated
==13065== 
==13065== LEAK SUMMARY:
==13065==    definitely lost: 66,800 bytes in 1,405 blocks
==13065==    indirectly lost: 39,164 bytes in 1,936 blocks
==13065==      possibly lost: 0 bytes in 0 blocks
==13065==    still reachable: 321,315 bytes in 7,255 blocks
==13065==         suppressed: 0 bytes in 0 blocks
==13065== Rerun with --leak-check=full to see details of leaked memory
==13065== 
```
Note 0009235 (Christian Grothoff): I've tried to narrow it down using assertions/etc, but the fucker is still there:

```text
==21471== Invalid read of size 8
==21471==    at 0x40F0CE: get_prev_hop (gnunet-service-cadet_connection.c:739)
==21471==    by 0x414329: GCC_notify_broken (gnunet-service-cadet_connection.c:3022)
==21471==    by 0x41DF43: notify_broken (gnunet-service-cadet_peer.c:354)
==21471==    by 0x5065578: GNUNET_CONTAINER_multihashmap_iterate (container_multihashmap.c:340)
==21471==    by 0x41E694: core_disconnect (gnunet-service-cadet_peer.c:471)
==21471==    by 0x54C6C90: disconnect_and_free_peer_entry (core_api.c:389)
==21471==    by 0x5066D02: GNUNET_CONTAINER_multipeermap_iterate (container_multipeermap.c:361)
==21471==    by 0x54C7496: reconnect_later (core_api.c:450)
==21471==    by 0x54C8E4F: main_notify_handler (core_api.c:788)
==21471==    by 0x5050A0E: receive_helper (client.c:540)
==21471==    by 0x505E021: receive_ready (connection.c:1139)
==21471==    by 0x508DCE2: run_ready (scheduler.c:587)
==21471==  Address 0x9873eb0 is 192 bytes inside a block of size 264 free'd
==21471==    at 0x4C29E90: free (vg_replace_malloc.c:473)
==21471==    by 0x5054F87: GNUNET_xfree_ (common_allocation.c:256)
==21471==    by 0x414141: GCC_destroy (gnunet-service-cadet_connection.c:2832)
==21471==    by 0x4143FB: GCC_notify_broken (gnunet-service-cadet_connection.c:3033)
==21471==    by 0x41DF43: notify_broken (gnunet-service-cadet_peer.c:354)
==21471==    by 0x5065578: GNUNET_CONTAINER_multihashmap_iterate (container_multihashmap.c:340)
==21471==    by 0x41E694: core_disconnect (gnunet-service-cadet_peer.c:471)
==21471==    by 0x54C6C90: disconnect_and_free_peer_entry (core_api.c:389)
==21471==    by 0x5066D02: GNUNET_CONTAINER_multipeermap_iterate (container_multipeermap.c:361)
==21471==    by 0x54C7496: reconnect_later (core_api.c:450)
==21471==    by 0x54C8E4F: main_notify_handler (core_api.c:788)
==21471==    by 0x5050A0E: receive_helper (client.c:540)
==21471== 
```
Note 0009236 (Christian Grothoff): Current theory: we're iterating over all entries in a hashmap. Each channel is TWICE in the map. If we hit the 'GCC_destroy', it may remove TWO entries from the hashmap -- the current one, and another one. The multihashmap_iterate is happy to tolerate removal of the current entry, but if the "next" pointer happens to be the "other one", then we'll go and tango with a use-after-free (or rather, use-after-remove) immediately for the next round of the callback from the iterator. As 'c' is then dead, we die.
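The hazard this theory describes, as an added example that is not GNUnet code: a toy chained hash map (`struct map`, `map_iterate_naive`, `map_iterate_snapshot`, `destroy_cb` and `run_scenario` are all hypothetical names) whose iterator caches `next` before invoking the callback, which is exactly the tolerance for removing the current entry that the note credits to `GNUNET_CONTAINER_multihashmap_iterate`. One connection is registered under two keys in the same bucket and destroyed from the callback, which unlinks both registrations; the naive iterator then delivers a second callback for the already-destroyed object. Unlinked entries are parked rather than freed so the demo stays memory-safe and can count that stale visit instead of crashing; the snapshot-and-revalidate iterator is one defensive alternative chosen for the example, not the fix that was applied to CADET.

```c
#include <stdio.h>
#include <stdlib.h>

/* Added example, not GNUnet code: a toy chained hash map in which every
 * connection is registered under two keys, as the note above describes.
 * Unlinked entries are parked on a graveyard and freed only after the
 * iteration, so a stale visit is counted instead of reading freed memory. */
#define NBUCKETS 4

struct conn { int id; int alive; };
struct entry { int key; struct conn *value; struct entry *next, *grave; };
struct map { struct entry *buckets[NBUCKETS]; struct entry *graveyard; };
struct pair { int key; struct conn *value; };
typedef void (*iter_cb)(void *cls, struct map *m, int key, struct conn *c);

static unsigned bucket(int key) { return (unsigned)key % NBUCKETS; }

static void map_put(struct map *m, int key, struct conn *c)
{
    struct entry *e = calloc(1, sizeof *e);
    e->key = key; e->value = c;
    e->next = m->buckets[bucket(key)];   /* insert at the head of the chain */
    m->buckets[bucket(key)] = e;
}

/* Unlink (key, c) from its bucket; the entry struct is only parked, not freed. */
static int map_remove(struct map *m, int key, struct conn *c)
{
    for (struct entry **pp = &m->buckets[bucket(key)]; *pp; pp = &(*pp)->next) {
        struct entry *e = *pp;
        if (e->key == key && e->value == c) {
            *pp = e->next;
            e->grave = m->graveyard;
            m->graveyard = e;
            return 1;
        }
    }
    return 0;
}

static int map_contains(const struct map *m, int key, const struct conn *c)
{
    for (const struct entry *e = m->buckets[bucket(key)]; e; e = e->next)
        if (e->key == key && e->value == c) return 1;
    return 0;
}

/* Naive iterator: caching 'next' tolerates removal of the CURRENT entry only.
 * If the callback also unlinks 'next', the next round runs on a stale entry. */
static void map_iterate_naive(struct map *m, iter_cb cb, void *cls)
{
    for (unsigned b = 0; b < NBUCKETS; b++)
        for (struct entry *e = m->buckets[b], *next; e; e = next) {
            next = e->next;                  /* cached before the callback runs */
            cb(cls, m, e->key, e->value);    /* may unlink both e and next */
        }
}

/* Defensive iterator: snapshot the pairs, then re-validate each one against
 * the live map, so pairs removed by an earlier callback are skipped. */
static void map_iterate_snapshot(struct map *m, iter_cb cb, void *cls)
{
    size_t n = 0, i = 0;
    for (unsigned b = 0; b < NBUCKETS; b++)
        for (struct entry *e = m->buckets[b]; e; e = e->next) n++;
    struct pair *snap = calloc(n + 1, sizeof *snap);
    for (unsigned b = 0; b < NBUCKETS; b++)
        for (struct entry *e = m->buckets[b]; e; e = e->next, i++)
            snap[i] = (struct pair){ e->key, e->value };
    for (i = 0; i < n; i++)
        if (map_contains(m, snap[i].key, snap[i].value))
            cb(cls, m, snap[i].key, snap[i].value);
    free(snap);
}

/* Destroy callback in the spirit of GCC_destroy: drops BOTH registrations. */
static void destroy_cb(void *cls, struct map *m, int key, struct conn *c)
{
    int *stale_visits = cls;
    (void)key;
    if (!c->alive) { (*stale_visits)++; return; }  /* real service: read of freed memory */
    c->alive = 0;
    map_remove(m, c->id, c);
    map_remove(m, c->id + NBUCKETS, c);
}

/* Returns how many callbacks were delivered for an already-destroyed connection. */
int run_scenario(int use_snapshot_iterator)
{
    struct map m = {0};
    struct conn c = { 1, 1 };
    int stale_visits = 0;
    /* Both keys land in the same bucket, so the second registration is the
     * 'next' of the first: exactly the layout the theory calls hazardous. */
    map_put(&m, c.id, &c);
    map_put(&m, c.id + NBUCKETS, &c);
    (use_snapshot_iterator ? map_iterate_snapshot : map_iterate_naive)(&m, destroy_cb, &stale_visits);
    for (struct entry *e = m.graveyard, *g; e; e = g) { g = e->grave; free(e); }  /* safe now */
    for (unsigned b = 0; b < NBUCKETS; b++)
        for (struct entry *e = m.buckets[b], *nx; e; e = nx) { nx = e->next; free(e); }
    return stale_visits;
}

int main(void)
{
    printf("naive: %d stale, snapshot: %d stale\n", run_scenario(0), run_scenario(1));
    return 0;
}
```

Built with `cc -std=c99 -Wall`, the program reports one stale visit for the naive iterator and none for the snapshot variant. Running the same source under Valgrind or AddressSanitizer with the graveyard replaced by an immediate `free()` turns the counted stale visit back into the invalid read seen in the reports above, which is the easiest way to reproduce this class of bug in isolation.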
Note 0009237 (Christian Grothoff): Ouch, fixing the note 9236, I now am 'rewarded' with one of the earlier assertions failing:

```text
Jun 09 11:41:16-626431 cadet-25047 ERROR Assertion failed at gnunet-service-cadet_connection.c:1568.
```

This is the one in unregister_neighbours that is supposed to check that the peer that was the next hop during registration is still the same during unregistration. The assertion failing means that the connection suddenly has a different successor (bug in interning logic?). On top of that, the original valgrind issue persists, even if we are lucky enough to not hit the assertion above:

```text
^C==25522== Invalid read of size 8
==25522==    at 0x40F0CE: get_prev_hop (gnunet-service-cadet_connection.c:739)
==25522==    by 0x414478: GCC_notify_broken (gnunet-service-cadet_connection.c:3023)
==25522==    by 0x41E0B0: notify_broken (gnunet-service-cadet_peer.c:363)
==25522==    by 0x5065578: GNUNET_CONTAINER_multihashmap_iterate (container_multihashmap.c:340)
==25522==    by 0x41E8B7: core_disconnect (gnunet-service-cadet_peer.c:482)
==25522==    by 0x54C6C90: disconnect_and_free_peer_entry (core_api.c:389)
==25522==    by 0x5066D02: GNUNET_CONTAINER_multipeermap_iterate (container_multipeermap.c:361)
==25522==    by 0x54CB505: GNUNET_CORE_disconnect (core_api.c:1259)
==25522==    by 0x421D72: GCP_shutdown (gnunet-service-cadet_peer.c:1745)
==25522==    by 0x424E65: shutdown_task (gnunet-service-cadet.c:115)
==25522==    by 0x508DCE2: run_ready (scheduler.c:587)
==25522==    by 0x508E576: GNUNET_SCHEDULER_run (scheduler.c:867)
==25522==  Address 0x8c8d190 is 192 bytes inside a block of size 264 free'd
==25522==    at 0x4C29E90: free (vg_replace_malloc.c:473)
==25522==    by 0x5054F87: GNUNET_xfree_ (common_allocation.c:256)
==25522==    by 0x414290: GCC_destroy (gnunet-service-cadet_connection.c:2833)
==25522==    by 0x413B65: shutdown_iterator (gnunet-service-cadet_connection.c:2685)
==25522==    by 0x5065624: GNUNET_CONTAINER_multihashmap_iterate (container_multihashmap.c:358)
==25522==    by 0x413B89: GCC_shutdown (gnunet-service-cadet_connection.c:2696)
==25522==    by 0x424E56: shutdown_task (gnunet-service-cadet.c:112)
==25522==    by 0x508DCE2: run_ready (scheduler.c:587)
==25522==    by 0x508E576: GNUNET_SCHEDULER_run (scheduler.c:867)
==25522==    by 0x509B715: GNUNET_SERVICE_run (service.c:1503)
==25522==    by 0x42512C: main (gnunet-service-cadet.c:174)
==25522== 
```
Note 0009326 (amatus): SVN rev 35978 compiled with AddressSanitizer shows this on shutdown:

```text
=================================================================
==30042==ERROR: AddressSanitizer: heap-use-after-free on address 0xb1729384 at pc 0x80525f7 bp 0xbfd13238 sp 0xbfd1322c
READ of size 4 at 0xb1729384 thread T0
    #0 0x80525f6 in unqueue_data /root/gnunet/src/cadet/gnunet-service-cadet_tunnel.c:1776
    #1 0x805f8c0 in GCT_cancel /root/gnunet/src/cadet/gnunet-service-cadet_tunnel.c:4140
    #2 0x8072e63 in channel_rel_free_all /root/gnunet/src/cadet/gnunet-service-cadet_channel.c:1007
    #3 0x807520d in GCCH_destroy /root/gnunet/src/cadet/gnunet-service-cadet_channel.c:1379
    #4 0x805ddca in GCT_destroy /root/gnunet/src/cadet/gnunet-service-cadet_tunnel.c:3671
    #5 0x8056809 in destroy_iterator /root/gnunet/src/cadet/gnunet-service-cadet_tunnel.c:2404
    #6 0xb716c03e in GNUNET_CONTAINER_multipeermap_iterate /root/gnunet/src/util/container_multipeermap.c:343
    #7 0x805adaf in GCT_shutdown /root/gnunet/src/cadet/gnunet-service-cadet_tunnel.c:3206
    #8 0x808ed38 in shutdown_task /root/gnunet/src/cadet/gnunet-service-cadet.c:113
    #9 0xb71bc497 in run_ready /root/gnunet/src/util/scheduler.c:587
    #10 0xb71bd1b6 in GNUNET_SCHEDULER_run /root/gnunet/src/util/scheduler.c:867
    #11 0xb71da23f in GNUNET_SERVICE_run /root/gnunet/src/util/service.c:1503
    #12 0x808f000 in main /root/gnunet/src/cadet/gnunet-service-cadet.c:174
    #13 0xb6f02722 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x19722)
    #14 0x804acf0 (/opt/gnunet/lib/gnunet/libexec/gnunet-service-cadet+0x804acf0)

0xb1729384 is located 4 bytes inside of 32-byte region [0xb1729380,0xb17293a0)
freed by thread T0 here:
    #0 0xb72874c4 in free (/usr/lib/i386-linux-gnu/libasan.so.1+0x4e4c4)
    #1 0xb713fadd in GNUNET_xfree_ /root/gnunet/src/util/common_allocation.c:256
    #2 0x8052c58 in unqueue_data /root/gnunet/src/cadet/gnunet-service-cadet_tunnel.c:1777
    #3 0x805dbe0 in GCT_destroy /root/gnunet/src/cadet/gnunet-service-cadet_tunnel.c:3661
    #4 0x8056809 in destroy_iterator /root/gnunet/src/cadet/gnunet-service-cadet_tunnel.c:2404
    #5 0xb716c03e in GNUNET_CONTAINER_multipeermap_iterate /root/gnunet/src/util/container_multipeermap.c:343
    #6 0x805adaf in GCT_shutdown /root/gnunet/src/cadet/gnunet-service-cadet_tunnel.c:3206
    #7 0x808ed38 in shutdown_task /root/gnunet/src/cadet/gnunet-service-cadet.c:113
    #8 0xb71bc497 in run_ready /root/gnunet/src/util/scheduler.c:587
    #9 0xb71bd1b6 in GNUNET_SCHEDULER_run /root/gnunet/src/util/scheduler.c:867
    #10 0xb71da23f in GNUNET_SERVICE_run /root/gnunet/src/util/service.c:1503
    #11 0x808f000 in main /root/gnunet/src/cadet/gnunet-service-cadet.c:174
    #12 0xb6f02722 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x19722)

previously allocated by thread T0 here:
    #0 0xb72876e4 in malloc (/usr/lib/i386-linux-gnu/libasan.so.1+0x4e6e4)
    #1 0xb713f7b8 in GNUNET_xmalloc_unchecked_ /root/gnunet/src/util/common_allocation.c:154
    #2 0xb713f216 in GNUNET_xmalloc_ /root/gnunet/src/util/common_allocation.c:75
    #3 0x8052da4 in queue_data /root/gnunet/src/cadet/gnunet-service-cadet_tunnel.c:1797
    #4 0x805343b in send_prebuilt_message /root/gnunet/src/cadet/gnunet-service-cadet_tunnel.c:1852
    #5 0x805fa59 in GCT_send_prebuilt_message /root/gnunet/src/cadet/gnunet-service-cadet_tunnel.c:4171
    #6 0x8079bc3 in GCCH_send_prebuilt_message /root/gnunet/src/cadet/gnunet-service-cadet_channel.c:2414
    #7 0x8071b16 in send_create /root/gnunet/src/cadet/gnunet-service-cadet_channel.c:897
    #8 0x8077393 in GCCH_handle_local_create /root/gnunet/src/cadet/gnunet-service-cadet_channel.c:1892
    #9 0x807b368 in handle_channel_create /root/gnunet/src/cadet/gnunet-service-cadet_local.c:394
    #10 0xb71c4ef8 in GNUNET_SERVER_inject /root/gnunet/src/util/server.c:997
    #11 0xb71c60a7 in client_message_tokenizer_callback /root/gnunet/src/util/server.c:1256
    #12 0xb71cb90b in GNUNET_SERVER_mst_receive /root/gnunet/src/util/server_mst.c:262
    #13 0xb71c5c56 in process_incoming /root/gnunet/src/util/server.c:1178
    #14 0xb715390e in receive_ready /root/gnunet/src/util/connection.c:1139
    #15 0xb71bc497 in run_ready /root/gnunet/src/util/scheduler.c:587
    #16 0xb71bd1b6 in GNUNET_SCHEDULER_run /root/gnunet/src/util/scheduler.c:867
    #17 0xb71da23f in GNUNET_SERVICE_run /root/gnunet/src/util/service.c:1503
    #18 0x808f000 in main /root/gnunet/src/cadet/gnunet-service-cadet.c:174
    #19 0xb6f02722 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x19722)

SUMMARY: AddressSanitizer: heap-use-after-free /root/gnunet/src/cadet/gnunet-service-cadet_tunnel.c:1776 unqueue_data
Shadow bytes around the buggy address:
  0x362e5220: fa fa fd fd fd fa fa fa fd fd fd fa fa fa fd fd
  0x362e5230: fd fa fa fa fd fd fd fd fa fa 00 00 00 fa fa fa
  0x362e5240: 00 00 00 fa fa fa fd fd fd fa fa fa fd fd fd fa
  0x362e5250: fa fa fd fd fd fa fa fa fd fd fd fd fa fa fd fd
  0x362e5260: fd fd fa fa fd fd fd fa fa fa fd fd fd fa fa fa
=>0x362e5270:[fd]fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
  0x362e5280: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
  0x362e5290: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa
  0x362e52a0: fd fd fd fd fa fa fd fd fd fa fa fa fd fd fd fd
  0x362e52b0: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
  0x362e52c0: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==30042==ABORTING
```
Note 0009327 (Bart Polot): Awesome, this helps :) Thanks!
Note 0009328 (Bart Polot): Also, btw, this bug is unrelated to the previous one...
Note 0009339 (Bart Polot): The newest bug (https://gnunet.org/bugs/view.php?id=3794#c9326) should be fixed at r35986.
Note 0009677 (Bart Polot): Haven't seen this in a while, seems resolved. Will leave GCC_check_connections in place for some more testing.

Date Modified | Username | Field | Change |
---|---|---|---|
2015-05-20 19:11 | Christian Grothoff | New Issue | |
2015-05-20 19:11 | Christian Grothoff | Status | new => assigned |
2015-05-20 19:11 | Christian Grothoff | Assigned To | => Bart Polot |
2015-05-21 11:05 | Christian Grothoff | Note Added: 0009142 | |
2015-06-08 10:50 | Christian Grothoff | Relationship added | duplicate of 0003696 |
2015-06-08 22:14 | Christian Grothoff | Note Added: 0009235 | |
2015-06-08 22:49 | Christian Grothoff | Note Added: 0009236 | |
2015-06-09 10:50 | Christian Grothoff | Assigned To | Bart Polot => Christian Grothoff |
2015-06-09 11:49 | Christian Grothoff | Note Added: 0009237 | |
2015-06-19 06:52 | Christian Grothoff | Relationship added | related to 0003723 |
2015-06-19 06:52 | Christian Grothoff | Relationship added | related to 0003842 |
2015-06-19 16:27 | Bart Polot | Relationship added | related to 0003845 |
2015-06-24 00:39 | Christian Grothoff | Assigned To | Christian Grothoff => Bart Polot |
2015-06-24 16:53 | Bart Polot | Status | assigned => feedback |
2015-06-24 17:55 | amatus | Note Added: 0009326 | |
2015-06-24 17:56 | Bart Polot | Note Added: 0009327 | |
2015-06-24 17:59 | Bart Polot | Note Added: 0009328 | |
2015-06-25 05:19 | Bart Polot | Relationship deleted | related to 0003845 |
2015-06-25 05:34 | Bart Polot | Note Added: 0009339 | |
2015-10-02 06:01 | Bart Polot | Note Added: 0009677 | |
2015-10-02 06:01 | Bart Polot | Status | feedback => resolved |
2015-10-02 06:01 | Bart Polot | Fixed in Version | => Git master |
2015-10-02 06:01 | Bart Polot | Resolution | open => fixed |
2015-10-02 14:32 | Christian Grothoff | Fixed in Version | Git master => 0.11.0pre66 |
2018-06-07 00:24 | Christian Grothoff | Status | resolved => closed |