Opened 3 years ago

Closed 3 years ago

#19175 closed defect (fixed)

free(): invalid next size (fast)

Reported by: toralf
Owned by: nickm
Priority: Medium
Milestone: Tor: 0.2.8.x-final
Component: Core Tor/Tor
Version:
Severity: Major
Keywords:
Cc:
Actual Points: 0.1
Parent ID: #19128
Points: 0.1
Reviewer:
Sponsor:

Description

stumbled over the following cor git commit 0f80dd2

Program received signal SIGABRT, Aborted.
0x000003d47f7ff37b in __GI_raise (sig=sig@entry=6)
    at ../sysdeps/unix/sysv/linux/raise.c:55
55      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
#0  0x000003d47f7ff37b in __GI_raise (sig=sig@entry=6)
    at ../sysdeps/unix/sysv/linux/raise.c:55
#1  0x000003d47f8009e1 in __GI_abort () at abort.c:89
#2  0x000003d47f842b4d in __libc_message (do_abort=do_abort@entry=2,
    fmt=fmt@entry=0x3d47f942988 "*** Error in `%s': %s: 0x%s ***\n")
    at ../sysdeps/posix/libc_fatal.c:175
#3  0x000003d47f848e2f in malloc_printerr (action=3,
    str=0x3d47f942a98 "free(): invalid next size (fast)", ptr=<optimized out>,

full gdb output will be attached b/c this stupid trac doesn't allow me to file it here.

Child Tickets

Attachments (1)

nohup.out.gz (1.7 KB) - added by toralf 3 years ago.
m nohup.out; nohup gdb -q -p pgrep tor -ex "handle SIGPIPE nostop ignore noprint" -ex "handle SIGHUP nostop" -ex cont -ex bt &


Change History (8)

Changed 3 years ago by toralf

Attachment: nohup.out.gz added

m nohup.out; nohup gdb -q -p pgrep tor -ex "handle SIGPIPE nostop ignore noprint" -ex "handle SIGHUP nostop" -ex cont -ex bt &

comment:1 Changed 3 years ago by nickm

#3  0x000003d47f848e2f in malloc_printerr (action=3, 
    str=0x3d47f942a98 "free(): invalid next size (fast)", ptr=<optimized out>, 
    ar_ptr=<optimized out>) at malloc.c:5000
#4  0x000003d47f84969e in _int_free (av=0x3d47fb6fb80 <main_arena>, 
    p=<optimized out>, have_lock=0) at malloc.c:3861
#5  0x00000054d1de0cef in signed_descriptor_free (sd=0x54d409bea0)
    at src/or/routerlist.c:2935
#6  0x00000054d1de5fd6 in routerlist_remove_old (rl=<optimized out>, 
    sd=<optimized out>, idx=<optimized out>, idx@entry=5347)
    at src/or/routerlist.c:3309
#7  0x00000054d1de64c0 in routerlist_remove_old_cached_routers_with_id (
    now=now@entry=1464188606, cutoff=cutoff@entry=1463756606, 
    lo=lo@entry=5346, hi=hi@entry=5348, retain=retain@entry=0x54d32ca4d0)
    at src/or/routerlist.c:3821
#8  0x00000054d1de8bb5 in routerlist_remove_old_routers ()
    at src/or/routerlist.c:3940
#9  0x00000054d1d97615 in check_descriptor_callback (now=1464188606, 
    options=<optimized out>) at src/or/main.c:1858
#10 0x00000054d1db1ac3 in periodic_event_dispatch (fd=<optimized out>, 
    what=<optimized out>, data=0x54d21a2340 <periodic_events+512>)
    at src/or/periodic.c:52

comment:2 Changed 3 years ago by nickm

aha. It's routerlist_reparse_old that is messing up! It has duplicate code that also exists in signed_descriptor_from_routerinfo, but it's missing the tor_cert fix.
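
An added illustration of the bug class described in comment:2 (not Tor's code and not part of the ticket): a struct-copy "move" that exists in two places, where one copy does not clear a later-added owned pointer, so the same allocation is released twice. The toy_* types, tracked_free, and the assumption that the missing step is clearing the copied certificate pointer before the source is freed are all hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy stand-ins (hypothetical names, not Tor's real structs). */
typedef struct { int key_id; } toy_cert_t;
typedef struct { char *body; toy_cert_t *cert; } toy_desc_t;
typedef struct { toy_desc_t cache_info; } toy_router_t;

/* Instrumented free: remembers each pointer instead of releasing it at once,
 * so a second release is counted rather than corrupting the real heap. */
static void *released[16];
static int n_released, n_double_free;

static void tracked_free(void *p) {
  if (!p) return;
  for (int i = 0; i < n_released; i++)
    if (released[i] == p) { n_double_free++; return; }
  released[n_released++] = p;
}
static void toy_desc_clear(toy_desc_t *d) { tracked_free(d->body); tracked_free(d->cert); }

/* Move the descriptor out of a parsed router by struct copy, free the router,
 * then drop the descriptor later. clear_cert=0 models the duplicated move that
 * misses the cert field (assumed); 1 is the fixed form. Returns double frees. */
static int move_then_free(int clear_cert) {
  toy_router_t *r = calloc(1, sizeof(*r));
  toy_desc_t *sd = calloc(1, sizeof(*sd));
  if (!r || !sd) abort();
  r->cache_info.body = calloc(1, 8);
  r->cache_info.cert = calloc(1, sizeof(toy_cert_t));
  memcpy(sd, &r->cache_info, sizeof(*sd));   /* sd aliases body and cert */
  r->cache_info.body = NULL;                 /* body now owned by sd */
  if (clear_cert) r->cache_info.cert = NULL; /* cert now owned by sd */
  toy_desc_clear(&r->cache_info);            /* free the source router ... */
  tracked_free(r);
  toy_desc_clear(sd);                        /* ... and, later, the old descriptor */
  tracked_free(sd);
  int doubles = n_double_free;
  for (int i = 0; i < n_released; i++) free(released[i]);  /* real cleanup */
  n_released = n_double_free = 0;
  return doubles;
}

int main(void) {
  printf("buggy: %d double free(s), fixed: %d\n", move_then_free(0), move_then_free(1));
  return 0;
}
```

With the real allocator the second release happens in whichever code path frees the surviving descriptor later, which is why the abort in the backtrace surfaces in signed_descriptor_free rather than at the copy site.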

comment:3 Changed 3 years ago by nickm

Milestone: Tor: 0.2.8.x-final
Owner: set to nickm
Severity: Normal → Major
Status: new → accepted

comment:4 Changed 3 years ago by nickm

Actual Points: 0.1
Points: 0.1
Status: accepted → needs_review

bug19175_028 should fix this.

comment:5 Changed 3 years ago by nickm

Parent ID: #19128

comment:6 Changed 3 years ago by dgoulet

Status: needs_review → merge_ready

Typo in the commit message: freeling the original

lgtm!

comment:7 Changed 3 years ago by nickm

Resolution: fixed
Status: merge_ready → closed

bug19175_028_v2 fixes the commit msg typo. merged!
