Opened 13 years ago

Last modified 7 years ago

#386 closed defect (Fixed)

Assertion circ->state == CIRCUIT_STATE_OR_WAIT failed

Reported by: weasel
Owned by:
Priority: Low
Milestone:
Component: Core Tor/Tor
Version: 0.1.1.26
Severity:
Keywords:
Cc: weasel
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Feb 04 21:06:56.621 [err] circuitbuild.c:461: circuit_n_conn_done: Assertion circ->state == CIRCUIT_STATE_OR_WAIT failed; aborting.

(gdb) bt
#0 0x7026f1d0 in kill () from /lib/libc.so.6
#1 0x701b430c in pthread_kill () from /lib/libpthread.so.0
#2 0x701b465c in raise () from /lib/libpthread.so.0
#3 0x7026eeac in raise () from /lib/libc.so.6
#4 0x70270354 in abort () from /lib/libc.so.6
#5 0x00017a14 in circuit_n_conn_done (or_conn=0x4ddbb8, status=0) at circuitbuild.c:465
#6 0x0001fcdc in circuit_about_to_close_connection (conn=0x4ddbb8) at circuituse.c:522
#7 0x00049218 in connection_unlink (conn=0x0, remove=1) at main.c:208
#8 0x00049fa8 in conn_close_if_marked (i=1) at main.c:523
#9 0x00049cb4 in close_closeable_connections () at main.c:388
#10 0x0004af4c in second_elapsed_callback (fd=-1, args=0xbb000) at main.c:1024
#11 0x70226f84 in event_base_priority_init () from /usr/lib/libevent-1.1a.so.1
#12 0x70227240 in event_base_loop () from /usr/lib/libevent-1.1a.so.1
#13 0x0004b380 in do_main_loop () at main.c:1183
#14 0x0004c348 in tor_main (argc=774536, argv=0xeffffa74) at main.c:2158
#15 0x70258e44 in libc_start_main () from /lib/libc.so.6
#16 0x00013af4 in _start () at ../sysdeps/sparc/sparc32/elf/start.S:56
#17 0x00013af4 in _start () at ../sysdeps/sparc/sparc32/elf/start.S:56
Previous frame identical to this frame (corrupt stack?)

#5 0x00017a14 in circuit_n_conn_done (or_conn=0x4ddbb8, status=0) at circuitbuild.c:465
(gdb) p *or_conn
$1 = {magic = 2084319310, type = 4 '\004', state = 5 '\005', purpose = 0 '\0', wants_to_read = 0,
wants_to_write = 0, hold_open_until_flushed = 1, has_sent_end = 0, control_events_are_extended = 0,
is_obsolete = 1, s = 15, poll_index = 6, read_event = 0x484de0, write_event = 0x56aec8, inbuf = 0xde310,
inbuf_reached_eof = 0, timestamp_lastread = 1170623215, outbuf = 0x372890, outbuf_flushlen = 0,
timestamp_lastwritten = 1170623216, timestamp_created = 1170621095, timestamp_lastempty = 1170623216,
addr = 2551048465, port = 9001, marked_for_close = 688, marked_for_close_file = 0x8b288 "main.c",
address = 0x5ed250 "152.13.233.17", identity_pkey = 0x730058,
identity_digest = "ùg^|æµ\205ø\f\236\216§ÖÈJ\023Æ)»b", nickname = 0x23def0 "WeAreAHedge",
chosen_exit_name = 0x0, tls = 0x7f25f8, bandwidth = 1024000, receiver_bucket = 1024000,
circ_id_type = CIRC_ID_TYPE_HIGHER, n_circuits = 0, next_with_same_id = 0x8767e0, next_circ_id = 19039,
stream_id = 0, next_stream = 0x0, cpath_layer = 0x0, package_window = 0, deliver_window = 0,
requested_resource = 0x0, socks_request = 0x0, global_identifier = 250042, event_mask = 0,
incoming_cmd_len = 0, incoming_cmd_cur_len = 0, incoming_cmd = 0x0, on_circuit = 0x0,
rend_query = '\0' <repeats 16 times>, incoming_cmd_type = 0}

[Automatically added by flyspray2trac: Operating System: All]


Change History (6)

comment:1 Changed 13 years ago by weasel

(gdb) p *circ
$1 = {magic = 892424771, p_conn = 0x0, n_conn = 0x24b190,
n_conn_id_digest = "\b\020\032Ñ$ñ\016/\037\030ß+Qô\220\0368Qp", p_streams = 0x0, n_streams = 0x0,
resolving_streams = 0x0, n_addr = 3224007160, n_port = 9001, next_stream_id = 23328,
package_window = 1000, deliver_window = 1000, p_circ_id = 0, n_circ_id = 23781, p_crypto = 0x0,
n_crypto = 0x0, p_digest = 0x0, n_digest = 0x0, build_state = 0x6fcc70, cpath = 0x4da9e8,
onionskin = 0x0, handshake_digest = '\0' <repeats 19 times>, timestamp_created = 1170623216,
timestamp_dirty = 0, state = 0 '\0', purpose = 15 '\017', marked_for_close = 0,
marked_for_close_file = 0x0, rend_query = "XXXXXXXXXXXXXXXX",
rend_pk_digest = "ô®ì\024;>\233W+CÁ\215p×È\024¯|µÈ",
rend_cookie = "¶\016_Ò\v#ít~3Íe\217\213&[D´\016õ", rend_splice = 0x0, global_identifier = 27075,
next = 0x718c28}

comment:2 Changed 13 years ago by arma

(gdb) p *circuits_pending_or_conns
$2 = {list = 0x65b3c8, num_used = 2, capacity = 32}
(gdb) p circuits_pending_or_conns->list[1]
$12 = (void *) 0x41e2b8
(gdb) p circuits_pending_or_conns->list[0]
$13 = (void *) 0x718c28
(gdb) p circ
$14 = (circuit_t *) 0x5166b0
(gdb) p circuits_pending_or_conns->list[4]
$25 = (void *) 0x5166b0

It's past the end of the list. Perhaps the list is getting changed
as we walk down it? I am guessing this circuit got "redrafted" as
a new rend circ:

circ->cpath:
$27 = {magic = 1880256530, f_crypto = 0x0, b_crypto = 0x0, f_digest = 0x0, b_digest = 0x0,
dh_handshake_state = 0x0, fast_handshake_state = "<stuff that will confuse screen>",
handshake_digest = '\0' <repeats 19 times>, extend_info = 0x4cd548, state = 1 '\001',
next = 0x235440, prev = 0x6b1990, package_window = 1000, deliver_window = 1000}

circ->build_state:
$28 = {desired_path_len = 4, chosen_exit = 0x1a22b8, need_uptime = 0, need_capacity = 1,
is_internal = 1, pending_final_cpath = 0x144560, failure_count = 2, expiry_time = 1170623238}

comment:3 Changed 13 years ago by nickm

Possibly fixed in r9482. For a while, I wanted to refactor our use of circuits_pending_or_conns by
making it static. As an added bonus, this lets us use a different idiom in circuit_n_conn_done that
doesn't risk changing circuits_pending_or_conns as we iterate over it.
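
Added example, not part of the ticket and not Tor's code: a constructed miniature of the hazard discussed in comments 2 and 3, where a list is changed while a loop walks it, next to the snapshot idiom that avoids it. It generalizes beyond this crash to the usual symptom of the pattern (entries skipped); every name in it (circ_t, pending_t, conn_done_unsafe, conn_done_safe, the state constants) is hypothetical.

```c
#include <stdio.h>
/* Constructed miniature of a pending-circuit list; all names are hypothetical. */
enum { ST_BUILDING, ST_OR_WAIT, MAX_PENDING = 8 };
typedef struct { int conn_id; int state; } circ_t;
typedef struct { circ_t *items[MAX_PENDING]; int n; } pending_t;

/* Leaving OR_WAIT swap-removes the circuit from the pending list, unseen by callers' loops. */
static void circ_set_state(pending_t *pl, circ_t *c, int state) {
  if (c->state == ST_OR_WAIT && state != ST_OR_WAIT)
    for (int i = 0; i < pl->n; i++)
      if (pl->items[i] == c) { pl->items[i] = pl->items[--pl->n]; break; }
  c->state = state;
}

/* Unsafe: walks the live list while the callee shrinks and reorders it. */
static int conn_done_unsafe(pending_t *pl, int conn_id) {
  int handled = 0;
  for (int i = 0; i < pl->n; i++) {
    circ_t *c = pl->items[i];
    if (c->conn_id != conn_id) continue;
    circ_set_state(pl, c, ST_BUILDING); /* slot i now holds another entry */
    handled++;
  }
  return handled;
}

/* Safe: copy the matching circuits out first, then act on the private copy. */
static int conn_done_safe(pending_t *pl, int conn_id) {
  circ_t *snap[MAX_PENDING];
  int n = 0, handled = 0;
  for (int i = 0; i < pl->n; i++)
    if (pl->items[i]->conn_id == conn_id) snap[n++] = pl->items[i];
  for (int i = 0; i < n; i++) {
    if (snap[i]->state != ST_OR_WAIT) continue; /* changed by an earlier step */
    circ_set_state(pl, snap[i], ST_BUILDING);
    handled++;
  }
  return handled;
}

/* Three circuits wait on connection 7, one on connection 9 (constructed data). */
static int demo(int safe) {
  circ_t c[4] = {{7, ST_OR_WAIT}, {7, ST_OR_WAIT}, {7, ST_OR_WAIT}, {9, ST_OR_WAIT}};
  pending_t pl = {{&c[0], &c[1], &c[2], &c[3]}, 4};
  return safe ? conn_done_safe(&pl, 7) : conn_done_unsafe(&pl, 7);
}
int main(void) {
  return printf("unsafe handled %d of 3, safe handled %d of 3\n", demo(0), demo(1)) < 0;
}
```

The unsafe walk leaves one circuit on connection 7 unprocessed because the swap-remove moves an unvisited entry into a slot the index has already passed.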

comment:4 Changed 13 years ago by nickm

Also, assuming this doesn't explode, should I backport the fix?

(Yes, I know no 0.1.1.27 is planned.)

comment:5 Changed 13 years ago by nickm

flyspray2trac: bug closed.
Believed fixed in r9482.

comment:6 Changed 7 years ago by nickm

Component: Tor Client → Tor