View Issue Details

ID: 0004076
Project: GNUnet
Category: rps service
View Status: public
Last Update: 2018-06-07 00:24
Reporter: ch3
Assigned To: ch3
Priority: normal
Severity: crash
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: SVN HEAD
Target Version: 0.11.0pre66
Fixed in Version: 0.11.0pre66
Summary: 0004076: core dump in rps helper
Description: I'm stuck in implementing a helper for the rps service. I spent quite a while on it without progress. Maybe it's obvious once written down.
Steps To Reproduce:
cd gnunet/src/rps/
make test_service_rps_view
./test_service_rps_view
Additional Information: The helper is gnunet-service-rps_view.c. It crashes while executing the testcase test_service_rps_peers.c due to memory corruption.

test_service_rps_view.c:
49: CHECK (0 == View_size ());
50:
51: CHECK (GNUNET_OK == View_put (&k1)); /* <-- crashes */

The important code in gnunet gnunet-service-rps_view.c:
144: *index = (uint32_t) View_size ();
145: array[*index] = *peer;

According to valgrind the second line does an invalid write.
==22856== Invalid write of size 8
==22856== at 0x40112C: View_put (gnunet-service-rps_view.c:145)
==22856== by 0x401822: check (test_service_rps_view.c:53)
==22856== by 0x402217: main (test_service_rps_view.c:120)

That is completely reasonable, as array is of size 3 and, according to gdb, *index is 3:
145 array[*index] = *peer;
(gdb) p *index
$1 = 3

But here is the thing: It should not be 3:
144 *index = (uint32_t) View_size ();
(gdb) p View_size()
$1 = 0
(gdb) p *index
$2 = 0
(gdb) p *index = (uint32_t) View_size()
$3 = 0
(gdb) p *index
$4 = 0
(gdb) n
145 array[*index] = *peer;
(gdb) p *index
$5 = 3
(gdb) p View_size()
$6 = 0

Also recall the test test_service_rps_view.c:
49: CHECK (0 == View_size ());
50:
51: CHECK (GNUNET_OK == View_put (&k1));
We assure that View_size() really is 0.

Also, earlier in the same function View_put() we assure that View_size() is not >= the array size:
136: if ((length <= View_size ()) || /* If array is 'full' */
137: (/* ... */))
138: {
139: return GNUNET_NO;
140: }
141: else
142: {
143: index = GNUNET_new (uint32_t);
144: *index = (uint32_t) View_size ();

(gdb) p length
$7 = 3

Tags: No tags attached.

Activities

ch3

2015-11-30 12:05

developer   ~0009960

Interestingly, this does not even compile on sam (gnunet.org) and on my raspberry pi this specific error does not occur.

ch3

2015-11-30 22:54

developer   ~0009961

fixed in 36698

Issue History

Date Modified Username Field Change
2015-11-29 21:44 ch3 New Issue
2015-11-29 21:44 ch3 Status new => assigned
2015-11-29 21:44 ch3 Assigned To => ch3
2015-11-30 08:29 Christian Grothoff Severity minor => crash
2015-11-30 12:05 ch3 Note Added: 0009960
2015-11-30 22:53 ch3 Resolution open => fixed
2015-11-30 22:54 ch3 Note Added: 0009961
2015-11-30 22:54 ch3 Status assigned => resolved
2017-02-26 02:18 Christian Grothoff Fixed in Version => 0.11.0pre66
2017-02-26 02:18 Christian Grothoff Target Version => 0.11.0pre66
2018-06-07 00:24 Christian Grothoff Status resolved => closed