View Issue Details

ID: 0005367
Project: GNUnet
Category: rps service
View Status: public
Last Update: 2019-02-14 10:41
Reporter: ch3
Assigned To: ch3
Priority: normal
Severity: crash
Reproducibility: random
Status: assigned
Resolution: open
Platform:
OS: archlinux
OS Version: 2018-06-27
Product Version: 0.11.0pre66
Target Version:
Fixed in Version:
Summary: 0005367: SIGSEGV after GNUNET_CADET_channel_destroy()
Description: SIGSEGV after GNUNET_CADET_channel_destroy()
Steps To Reproduce: Sometimes on running the rps tests (make check in src/rps) services crash with a SIGSEGV.
Additional Information: Valgrind output:

==5381== Memcheck, a memory error detector
==5381== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==5381== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==5381== Command: /home/gnunet/prefix_gn/lib//gnunet/libexec/gnunet-service-rps -c /tmp/testbedPwYbVp/4/config
==5381== Parent PID: 5363
==5381==
==5381== Invalid read of size 8
==5381== at 0x5066FAB: GNUNET_CONTAINER_multihashmap32_iterate (container_multihashmap32.c:242)
==5381== by 0x52CD051: schedule_reconnect (cadet_api.c:412)
==5381== by 0x52CD752: cadet_mq_error_handler (cadet_api.c:566)
==5381== by 0x50889EC: GNUNET_MQ_inject_error (mq.c:293)
==5381== by 0x508887A: GNUNET_MQ_inject_message (mq.c:258)
==5381== by 0x52CE0FF: handle_local_data (cadet_api.c:757)
==5381== by 0x50887D9: GNUNET_MQ_inject_message (mq.c:250)
==5381== by 0x5053AE7: recv_message (client.c:334)
==5381== by 0x5087C8D: GNUNET_MST_from_buffer (mst.c:232)
==5381== by 0x508853E: GNUNET_MST_read (mst.c:374)
==5381== by 0x505401C: receive_ready (client.c:421)
==5381== by 0x50A251E: GNUNET_SCHEDULER_do_work (scheduler.c:2104)
==5381== Address 0x7776050 is 16 bytes inside a block of size 24 free'd
==5381== at 0x4C2E10B: free (vg_replace_malloc.c:530)
==5381== by 0x5056602: GNUNET_xfree_ (common_allocation.c:337)
==5381== by 0x50670CB: GNUNET_CONTAINER_multihashmap32_remove (container_multihashmap32.c:288)
==5381== by 0x52CCE0C: destroy_channel (cadet_api.c:329)
==5381== by 0x52CF8CC: GNUNET_CADET_channel_destroy (cadet_api.c:1316)
==5381== by 0x113B6F: Peers_remove_peer (gnunet-service-rps.c:1296)
==5381== by 0x115952: remove_peer (gnunet-service-rps.c:2619)
==5381== by 0x11612C: cleanup_destroyed_channel (gnunet-service-rps.c:2741)
==5381== by 0x52CCEFC: destroy_channel (cadet_api.c:340)
==5381== by 0x52CD00F: destroy_channel_on_reconnect_cb (cadet_api.c:394)
==5381== by 0x5066FD4: GNUNET_CONTAINER_multihashmap32_iterate (container_multihashmap32.c:245)
==5381== by 0x52CD051: schedule_reconnect (cadet_api.c:412)
==5381== Block was alloc'd at
==5381== at 0x4C2CEDF: malloc (vg_replace_malloc.c:299)
==5381== by 0x50562CF: GNUNET_xmalloc_unchecked_ (common_allocation.c:230)
==5381== by 0x5055C6B: GNUNET_xmalloc_ (common_allocation.c:73)
==5381== by 0x506752C: GNUNET_CONTAINER_multihashmap32_put (container_multihashmap32.c:488)
==5381== by 0x52CCC93: create_channel (cadet_api.c:301)
==5381== by 0x52CDA5B: handle_channel_created (cadet_api.c:640)
==5381== by 0x50887D9: GNUNET_MQ_inject_message (mq.c:250)
==5381== by 0x5053AE7: recv_message (client.c:334)
==5381== by 0x5087C8D: GNUNET_MST_from_buffer (mst.c:232)
==5381== by 0x508853E: GNUNET_MST_read (mst.c:374)
==5381== by 0x505401C: receive_ready (client.c:421)
==5381== by 0x50A251E: GNUNET_SCHEDULER_do_work (scheduler.c:2104)
==5381==
==5381== Invalid read of size 8
==5381== at 0x5066FBE: GNUNET_CONTAINER_multihashmap32_iterate (container_multihashmap32.c:245)
==5381== by 0x52CD051: schedule_reconnect (cadet_api.c:412)
==5381== by 0x52CD752: cadet_mq_error_handler (cadet_api.c:566)
==5381== by 0x50889EC: GNUNET_MQ_inject_error (mq.c:293)
==5381== by 0x508887A: GNUNET_MQ_inject_message (mq.c:258)
==5381== by 0x52CE0FF: handle_local_data (cadet_api.c:757)
==5381== by 0x50887D9: GNUNET_MQ_inject_message (mq.c:250)
==5381== by 0x5053AE7: recv_message (client.c:334)
==5381== by 0x5087C8D: GNUNET_MST_from_buffer (mst.c:232)
==5381== by 0x508853E: GNUNET_MST_read (mst.c:374)
==5381== by 0x505401C: receive_ready (client.c:421)
==5381== by 0x50A251E: GNUNET_SCHEDULER_do_work (scheduler.c:2104)
==5381== Address 0x7776048 is 8 bytes inside a block of size 24 free'd
==5381== at 0x4C2E10B: free (vg_replace_malloc.c:530)
==5381== by 0x5056602: GNUNET_xfree_ (common_allocation.c:337)
==5381== by 0x50670CB: GNUNET_CONTAINER_multihashmap32_remove (container_multihashmap32.c:288)
==5381== by 0x52CCE0C: destroy_channel (cadet_api.c:329)
==5381== by 0x52CF8CC: GNUNET_CADET_channel_destroy (cadet_api.c:1316)
==5381== by 0x113B6F: Peers_remove_peer (gnunet-service-rps.c:1296)
==5381== by 0x115952: remove_peer (gnunet-service-rps.c:2619)
==5381== by 0x11612C: cleanup_destroyed_channel (gnunet-service-rps.c:2741)
==5381== by 0x52CCEFC: destroy_channel (cadet_api.c:340)
==5381== by 0x52CD00F: destroy_channel_on_reconnect_cb (cadet_api.c:394)
==5381== by 0x5066FD4: GNUNET_CONTAINER_multihashmap32_iterate (container_multihashmap32.c:245)
==5381== by 0x52CD051: schedule_reconnect (cadet_api.c:412)
==5381== Block was alloc'd at
==5381== at 0x4C2CEDF: malloc (vg_replace_malloc.c:299)
==5381== by 0x50562CF: GNUNET_xmalloc_unchecked_ (common_allocation.c:230)
==5381== by 0x5055C6B: GNUNET_xmalloc_ (common_allocation.c:73)
==5381== by 0x506752C: GNUNET_CONTAINER_multihashmap32_put (container_multihashmap32.c:488)
==5381== by 0x52CCC93: create_channel (cadet_api.c:301)
==5381== by 0x52CDA5B: handle_channel_created (cadet_api.c:640)
==5381== by 0x50887D9: GNUNET_MQ_inject_message (mq.c:250)
==5381== by 0x5053AE7: recv_message (client.c:334)
==5381== by 0x5087C8D: GNUNET_MST_from_buffer (mst.c:232)
==5381== by 0x508853E: GNUNET_MST_read (mst.c:374)
==5381== by 0x505401C: receive_ready (client.c:421)
==5381== by 0x50A251E: GNUNET_SCHEDULER_do_work (scheduler.c:2104)
==5381==
==5381== Invalid read of size 4
==5381== at 0x5066FC6: GNUNET_CONTAINER_multihashmap32_iterate (container_multihashmap32.c:245)
==5381== by 0x52CD051: schedule_reconnect (cadet_api.c:412)
==5381== by 0x52CD752: cadet_mq_error_handler (cadet_api.c:566)
==5381== by 0x50889EC: GNUNET_MQ_inject_error (mq.c:293)
==5381== by 0x508887A: GNUNET_MQ_inject_message (mq.c:258)
==5381== by 0x52CE0FF: handle_local_data (cadet_api.c:757)
==5381== by 0x50887D9: GNUNET_MQ_inject_message (mq.c:250)
==5381== by 0x5053AE7: recv_message (client.c:334)
==5381== by 0x5087C8D: GNUNET_MST_from_buffer (mst.c:232)
==5381== by 0x508853E: GNUNET_MST_read (mst.c:374)
==5381== by 0x505401C: receive_ready (client.c:421)
==5381== by 0x50A251E: GNUNET_SCHEDULER_do_work (scheduler.c:2104)
==5381== Address 0x7776040 is 0 bytes inside a block of size 24 free'd
==5381== at 0x4C2E10B: free (vg_replace_malloc.c:530)
==5381== by 0x5056602: GNUNET_xfree_ (common_allocation.c:337)
==5381== by 0x50670CB: GNUNET_CONTAINER_multihashmap32_remove (container_multihashmap32.c:288)
==5381== by 0x52CCE0C: destroy_channel (cadet_api.c:329)
==5381== by 0x52CF8CC: GNUNET_CADET_channel_destroy (cadet_api.c:1316)
==5381== by 0x113B6F: Peers_remove_peer (gnunet-service-rps.c:1296)
==5381== by 0x115952: remove_peer (gnunet-service-rps.c:2619)
==5381== by 0x11612C: cleanup_destroyed_channel (gnunet-service-rps.c:2741)
==5381== by 0x52CCEFC: destroy_channel (cadet_api.c:340)
==5381== by 0x52CD00F: destroy_channel_on_reconnect_cb (cadet_api.c:394)
==5381== by 0x5066FD4: GNUNET_CONTAINER_multihashmap32_iterate (container_multihashmap32.c:245)
==5381== by 0x52CD051: schedule_reconnect (cadet_api.c:412)
==5381== Block was alloc'd at
==5381== at 0x4C2CEDF: malloc (vg_replace_malloc.c:299)
==5381== by 0x50562CF: GNUNET_xmalloc_unchecked_ (common_allocation.c:230)
==5381== by 0x5055C6B: GNUNET_xmalloc_ (common_allocation.c:73)
==5381== by 0x506752C: GNUNET_CONTAINER_multihashmap32_put (container_multihashmap32.c:488)
==5381== by 0x52CCC93: create_channel (cadet_api.c:301)
==5381== by 0x52CDA5B: handle_channel_created (cadet_api.c:640)
==5381== by 0x50887D9: GNUNET_MQ_inject_message (mq.c:250)
==5381== by 0x5053AE7: recv_message (client.c:334)
==5381== by 0x5087C8D: GNUNET_MST_from_buffer (mst.c:232)
==5381== by 0x508853E: GNUNET_MST_read (mst.c:374)
==5381== by 0x505401C: receive_ready (client.c:421)
==5381== by 0x50A251E: GNUNET_SCHEDULER_do_work (scheduler.c:2104)
==5381==
==5381== Invalid read of size 8
==5381== at 0x52CCD48: destroy_channel (cadet_api.c:323)
==5381== by 0x52CD00F: destroy_channel_on_reconnect_cb (cadet_api.c:394)
==5381== by 0x5066FD4: GNUNET_CONTAINER_multihashmap32_iterate (container_multihashmap32.c:245)
==5381== by 0x52CD051: schedule_reconnect (cadet_api.c:412)
==5381== by 0x52CD752: cadet_mq_error_handler (cadet_api.c:566)
==5381== by 0x50889EC: GNUNET_MQ_inject_error (mq.c:293)
==5381== by 0x508887A: GNUNET_MQ_inject_message (mq.c:258)
==5381== by 0x52CE0FF: handle_local_data (cadet_api.c:757)
==5381== by 0x50887D9: GNUNET_MQ_inject_message (mq.c:250)
==5381== by 0x5053AE7: recv_message (client.c:334)
==5381== by 0x5087C8D: GNUNET_MST_from_buffer (mst.c:232)
==5381== by 0x508853E: GNUNET_MST_read (mst.c:374)
==5381== Address 0xdf0adba0df0adda is not stack'd, malloc'd or (recently) free'd
==5381==
==5381==
==5381== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==5381== General Protection Fault
==5381== at 0x52CCD48: destroy_channel (cadet_api.c:323)
==5381== by 0x52CD00F: destroy_channel_on_reconnect_cb (cadet_api.c:394)
==5381== by 0x5066FD4: GNUNET_CONTAINER_multihashmap32_iterate (container_multihashmap32.c:245)
==5381== by 0x52CD051: schedule_reconnect (cadet_api.c:412)
==5381== by 0x52CD752: cadet_mq_error_handler (cadet_api.c:566)
==5381== by 0x50889EC: GNUNET_MQ_inject_error (mq.c:293)
==5381== by 0x508887A: GNUNET_MQ_inject_message (mq.c:258)
==5381== by 0x52CE0FF: handle_local_data (cadet_api.c:757)
==5381== by 0x50887D9: GNUNET_MQ_inject_message (mq.c:250)
==5381== by 0x5053AE7: recv_message (client.c:334)
==5381== by 0x5087C8D: GNUNET_MST_from_buffer (mst.c:232)
==5381== by 0x508853E: GNUNET_MST_read (mst.c:374)
==5381==
==5381== HEAP SUMMARY:
==5381== in use at exit: 71,700 bytes in 2,647 blocks
==5381== total heap usage: 23,212 allocs, 20,565 frees, 811,017 bytes allocated
Tags: No tags attached.

Relationships

has duplicate: 0005380 (closed, ch3): never call _CADET_channel_destroy from disconnect handlers

Activities

Christian Grothoff

2018-06-28 10:20

manager   ~0013095

Problem is this sequence:

==5381== by 0x52CF8CC: GNUNET_CADET_channel_destroy (cadet_api.c:1316)
==5381== by 0x113B6F: Peers_remove_peer (gnunet-service-rps.c:1296)
==5381== by 0x115952: remove_peer (gnunet-service-rps.c:2619)
==5381== by 0x11612C: cleanup_destroyed_channel (gnunet-service-rps.c:2741)

RPS must not call channel destroy on a channel that CADET notified it about, and also not destroy _other_ channels during this task.
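
The re-entrancy hazard named in the note above, as an added example that is not GNUnet code and not part of the original report: a constructed single-bucket model where the iterator saves its successor before invoking the disconnect handler, shown with the handler destroying another channel in place and with that work deferred until the iteration has finished. All names (`on_disconnect`, `reconnect`, `pool`) and the pairing of channel `id` with `id + 1` are assumptions of the model.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed model (not GNUnet code): three channels in one hash bucket.
   "Freeing" only sets a flag, so a stale access is counted, not executed. */
struct entry { unsigned id; int freed; struct entry *next; };
static struct entry pool[3], *head;
static unsigned pending[8];
static size_t n_pending;
static int stale_reads;

static void map_remove(unsigned id) {
  for (struct entry **pp = &head; *pp != NULL; pp = &(*pp)->next)
    if ((*pp)->id == id) {
      struct entry *e = *pp;
      *pp = e->next;             /* unlink */
      e->freed = 1;              /* stands in for free(e) */
      return;
    }
}

/* Service-side disconnect handler: the peer behind channel `id` also owns
   channel id+1 (assumption of this model), which the service tears down. */
static void on_disconnect(unsigned id, int defer) {
  if (defer) {
    if (n_pending < 8) pending[n_pending++] = id + 1; /* leave for a later task */
  } else
    map_remove(id + 1);          /* re-entrant destroy during the iteration */
}

/* Library-side reconnect: notify and drop every channel. Returns how often
   the iterator reached an entry that had already been freed. */
static int reconnect(int defer) {
  for (int i = 0; i < 3; i++)
    pool[i] = (struct entry){ i + 1, 0, i < 2 ? &pool[i + 1] : NULL };
  head = &pool[0]; n_pending = 0; stale_reads = 0;
  for (struct entry *e = head, *n = NULL; e != NULL; e = n) {
    if (e->freed) { stale_reads++; break; } /* real code reads freed memory here */
    n = e->next;                 /* successor saved before the callback */
    on_disconnect(e->id, defer);
    map_remove(e->id);
  }
  for (size_t i = 0; i < n_pending; i++) map_remove(pending[i]); /* later task */
  return stale_reads;
}

int main(void) {
  printf("destroy in handler: %d stale read(s)\n", reconnect(0));
  printf("deferred destroy:   %d stale read(s)\n", reconnect(1));
  return 0;
}
```

In the in-place variant the third channel is also never visited, so its disconnect handler would not run even if the stale read happened to be harmless.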

Christian Grothoff

2019-02-14 10:41

manager   ~0013743

Is this still not fixed?

Issue History

Date Modified | Username | Field | Change
2018-06-27 14:55 | ch3 | New Issue |
2018-06-27 14:55 | ch3 | Status | new => assigned
2018-06-27 14:55 | ch3 | Assigned To | => Bart Polot
2018-06-27 21:47 | Christian Grothoff | Relationship added | related to 0005370
2018-06-28 10:20 | Christian Grothoff | Note Added: 0013095 |
2018-06-28 10:20 | Christian Grothoff | Assigned To | Bart Polot => ch3
2018-06-28 10:21 | Christian Grothoff | Category | cadet service => rps service
2018-06-28 10:22 | Christian Grothoff | Relationship deleted | related to 0005370
2018-07-02 14:20 | ch3 | Relationship added | has duplicate 0005380
2019-02-14 10:41 | Christian Grothoff | Note Added: 0013743 |