Opened 3 years ago

Closed 3 years ago

#19177 closed defect (duplicate)

another free() crash

Reported by: toralf
Owned by:
Priority: Medium
Milestone:
Component: Core Tor/Tor
Version:
Severity: Normal
Keywords:
Cc:
Actual Points:
Parent ID: #19128
Points:
Reviewer:
Sponsor:

Description

This is still on commit 0f80dd2 - maybe just another variant of #19128 or #19175:

============================================================ T= 1464221042
Tor 0.2.8.2-alpha-dev (git-684babee8491c3e9) died: Caught signal 11
/usr/bin/tor(+0x1435c9)[0x7a2491b5c9]
/lib64/libc.so.6(cfree+0x14)[0x3aaf152f244]
/lib64/libc.so.6(cfree+0x14)[0x3aaf152f244]
/usr/bin/tor(tor_cert_free+0x51)[0x7a2487bca1]
/usr/bin/tor(+0x86cef)[0x7a2485ecef]
/usr/bin/tor(+0x8c4c0)[0x7a248644c0]
/usr/bin/tor(routerlist_remove_old_routers+0x665)[0x7a24866bb5]
/usr/bin/tor(+0x3d615)[0x7a24815615]
/usr/bin/tor(+0x57ac3)[0x7a2482fac3]
/usr/lib64/libevent-2.0.so.5(event_base_loop+0xcc0)[0x3aaf27d3840]
/usr/bin/tor(do_main_loop+0x235)[0x7a248190c5]
/usr/bin/tor(tor_main+0x1b35)[0x7a2481c745]
/usr/bin/tor(main+0x2b)[0x7a248146ab]
/lib64/libc.so.6(__libc_start_main+0x114)[0x3aaf14cd734]
/usr/bin/tor(_start+0x29)[0x7a248146f9]

and the gdb output is:

Program received signal SIGSEGV, Segmentation fault.
__GI___libc_free (mem=0x64656d616e6e55) at malloc.c:2945
2945    malloc.c: No such file or directory.
#0  __GI___libc_free (mem=0x64656d616e6e55) at malloc.c:2945
#1  0x0000007a2487bca1 in tor_cert_free (cert=0x7a2bfb3830)
    at src/or/torcert.c:119
#2  0x0000007a2485ecef in signed_descriptor_free (sd=0x7a2d0410e0)
    at src/or/routerlist.c:2935
#3  0x0000007a24863fd6 in routerlist_remove_old (rl=<optimized out>, 
    sd=<optimized out>, idx=<optimized out>, idx@entry=1242)
    at src/or/routerlist.c:3309
#4  0x0000007a248644c0 in routerlist_remove_old_cached_routers_with_id (
    now=now@entry=1464221041, cutoff=cutoff@entry=1463789041, 
    lo=lo@entry=1241, hi=hi@entry=1243, retain=retain@entry=0x7a2cd11040)
    at src/or/routerlist.c:3821
#5  0x0000007a24866bb5 in routerlist_remove_old_routers ()
    at src/or/routerlist.c:3940
#6  0x0000007a24815615 in check_descriptor_callback (now=1464221041, 
    options=<optimized out>) at src/or/main.c:1858
#7  0x0000007a2482fac3 in periodic_event_dispatch (fd=<optimized out>,
    what=<optimized out>, data=0x7a24c20340 <periodic_events+512>)
    at src/or/periodic.c:52
#8  0x000003aaf27d3840 in event_process_active_single_queue (
    activeq=0x7a282e6cd0, base=0x7a282e7ab0)
    at /var/tmp/portage/dev-libs/libevent-2.0.22/work/libevent-2.0.22-stable/event.c:1368
#9  event_process_active (base=<optimized out>)
    at /var/tmp/portage/dev-libs/libevent-2.0.22/work/libevent-2.0.22-stable/event.c:1438
#10 event_base_loop (base=0x7a282e7ab0, flags=flags@entry=0)
    at /var/tmp/portage/dev-libs/libevent-2.0.22/work/libevent-2.0.22-stable/event.c:1639
#11 0x0000007a248190c5 in run_main_loop_once () at src/or/main.c:2537
#12 run_main_loop_until_done () at src/or/main.c:2583
#13 do_main_loop () at src/or/main.c:2509
#14 0x0000007a2481c745 in tor_main (argc=<optimized out>, argv=<optimized out>)
    at src/or/main.c:3638
#15 0x0000007a248146ab in main (argc=<optimized out>, argv=<optimized out>)
    at src/or/tor_main.c:30
warning: target file /proc/1917/cmdline contained unexpected null characters
Saved corefile /root/core
(gdb) quit
A debugging session is active.

        Inferior 1 [process 1917] will be detached.

Quit anyway? (y or n) [answered Y; input not from terminal]
Detaching from program: /usr/bin/tor, process 1917

Neither gdb nor tor is running, but I do have a core file (and the logs).

Change History (1)

comment:1 Changed 3 years ago by nickm

Parent ID: #19128
Resolution: duplicate
Status: new → closed

I am about 99% sure this is a duplicate of #19175, based on the stack trace. But please reopen if you can reproduce this (or any other #19128 variant) with the latest maint-0.2.8 or release-0.2.8.
