Opened 4 years ago

Closed 4 years ago

Last modified 4 years ago

#19006 closed defect (fixed)

[prop250] Pointer corruption and other failures in master and maint-0.2.8

Reported by: teor Owned by:
Priority: High Milestone: Tor: 0.2.9.x-final
Component: Core Tor/Tor Version:
Severity: Normal Keywords: crash
Cc: Actual Points:
Parent ID: #16943 Points:
Reviewer: Sponsor: SponsorR-must

Description

Between 2da2718..7fa11a9 on master, and 01e7f42..55cf197 on maint-0.2.8, we merged code that causes crashes and make-test-network-all failures.

The following master make test-network-all tests fail on Linux:

FAIL: bridges-min
FAIL: hs-min
FAIL: bridges+hs

The following master make test-network-all tests fail on OS X:

FAIL: bridges-min
FAIL: hs-min
FAIL: bridges+hs
FAIL: bridges+ipv6-min
FAIL: ipv6-exit-min
FAIL: mixed

The following maint-0.2.8 make test-network-all tests fail on OS X:

FAIL: basic-min
FAIL: bridges-min
FAIL: hs-min
FAIL: bridges+hs
FAIL: bridges+ipv6-min
FAIL: ipv6-exit-min
FAIL: mixed

mixed uses 0.2.7.6 on my OS X.

The master OS X failures happen due to the following crash:

Application Specific Information:
crashed on child side of fork pre-exec
*** error for object 0x7fb203c032c0: pointer being freed was not allocated
 

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   libsystem_kernel.dylib        	0x00007fff9d1a6f06 __pthread_kill + 10
1   libsystem_pthread.dylib       	0x00007fff8daa84ec pthread_kill + 90
2   libsystem_c.dylib             	0x00007fff903bb6e7 abort + 129
3   libsystem_malloc.dylib        	0x00007fff8b468041 free + 425
4   tor                           	0x00000001060086b1 config_free_all + 321 (config.c:841)
5   tor                           	0x000000010606e233 tor_free_all + 179 (main.c:3170)
6   tor                           	0x000000010606e479 tor_cleanup + 313 (main.c:3239)
7   tor                           	0x0000000106067c31 consider_hibernation + 129 (hibernate.c:971)
8   tor                           	0x000000010606c7ce second_elapsed_callback + 590 (main.c:1467)
9   libevent-2.0.5.dylib          	0x0000000106261aa2 event_base_loop + 1871
10  tor                           	0x000000010606c245 do_main_loop + 1525 (main.c:2560)
11  tor                           	0x000000010606e586 tor_main + 230 (main.c:3660)
12  tor                           	0x0000000105fd8ce9 main + 25 (tor_main.c:30)
13  libdyld.dylib                 	0x00007fff982e35ad start + 1

Child Tickets

Change History (13)

comment:1 Changed 4 years ago by arma

#18483 looks promising as the root cause here.

comment:3 Changed 4 years ago by teor

The issue still occurs for me in 01e7f42. So it's before that commit.

comment:4 Changed 4 years ago by teor

The issue still occurs for me in b8e8910. So it's on or before that commit.

comment:5 Changed 4 years ago by teor

I had zombie tor instances still listening on ports. So I don't know if my analysis in comment 3 or 4 is correct.

comment:6 Changed 4 years ago by teor

All commits on or before 01e7f42 (including b8e8910) now work fine for me.

comment:7 Changed 4 years ago by teor

Which makes it very likely it's #18483.

comment:8 Changed 4 years ago by teor

Keywords: must-fix-before-028-rc removed
Milestone: Tor: 0.2.8.x-finalTor: 0.2.9.x-final
Version: Tor: 0.2.8.2-alpha

maint-0.2.8 seems clear:

code 03fc4cf04caf240fa4e285c3b483c60587456e9b

no failures

merge 68d913c49c7aff441fc6671406aee5137f36f620

failed once, succeeded once

FAIL: bridges+hs

note: chutney occasionally fails for reasons unrelated to tor code changes.

code 9aa280cc0c105bc282c3c1c0dee385387251ab12

no failures

code 88deb52d559fbec17be4a634137ac4b6c207ce06

no failures

code 833b5f71a72394c02ef633ba0f78d7011fef6181
code 2e5b35db81e867e782086e3d714fcc7882c9c171

merge 01e7f42a09108e71cede46d4a038c4b1253a3d42

no failures

comment:9 Changed 4 years ago by teor

Parent ID: #16943

master seems clear as of 7fa11a92d59cea60403b918c4fa9cf3dab6aefb3, so perhaps it's #16943.

comment:10 Changed 4 years ago by teor

This issue reliably occurs on dgoulet's ticket16943_029_02 only.

comment:11 Changed 4 years ago by dgoulet

Sponsor: SponsorR-must
Status: newneeds_information

Latest branch of ticket16943_029_02 passes the test. Can you confirm on OS X maybe?

comment:12 Changed 4 years ago by teor

Resolution: fixed
Status: needs_informationclosed

This was fixed a few days ago in the srv-testing branch and now in ticket16943_029_02.
The unit tests continue to fail.
The chutney tests succeed.

Calling this fixed.

comment:13 Changed 4 years ago by arma

So, what was the fix? This was a bug on some other branch that never got merged?

Should this get the TorCoreTeam201605 keyword, or should it not because it was never really a bug?

comment:14 Changed 4 years ago by teor

Summary: Pointer corruption and other failures in master and maint-0.2.8[prop250] Pointer corruption and other failures in master and maint-0.2.8

This has been fixed in recent prop250 branches. It was a bug on prop250 only.

Note: See TracTickets for help on using tickets.