Opened 12 years ago
Last modified 8 years ago
#600 closed defect (Fixed)
circuitlist.c:1165 crashing bug
| Reported by: | shamrock | Owned by: | |
|---|---|---|---|
| Priority: | Low | Milestone: | 0.2.0.x-final |
| Component: | Core Tor/Tor | Version: | 0.2.0.18-alpha |
| Severity: | Keywords: | ||
| Cc: | shamrock, nickm | Actual Points: | |
| Parent ID: | Points: | ||
| Reviewer: | Sponsor: |
Description
The Tonga tor server crashed with:
Feb 04 10:20:36.880 [err] Bug: circuitlist.c:1165: assert_circuit_ok: Assertion !c->onionskin failed; aborting.
OS:
Debian Etch
2.6.18-5-amd64
[Automatically added by flyspray2trac: Operating System: Other]
Child Tickets
Change History (10)
comment:1 Changed 12 years ago by
comment:2 Changed 12 years ago by
Lucky confirms that this is a relatively stock 0.2.0.18-alpha:
15:34 < Lucky> Tor version 0.2.0.18-alpha (r13293) (standard build from
weasel's repository
comment:3 Changed 12 years ago by
From Lucky:
(gdb) print *c
$2 = {magic = 2561392719, n_conn_cells = {head = 0x0, tail = 0x0, n = 0}, n_conn = 0x0,
n_conn_id_digest = "Á\017°8ÂnH\a,Ô°h\031mÔà\212DÅx", n_circ_id = 0, n_port = 9001, n_addr = 1408974652,
streams_blocked_on_n_conn = 0, streams_blocked_on_p_conn = 0, state = 3 '\003', purpose = 1 '\001',
package_window = 1000, deliver_window = 1000,
onionskin = 0x2aaad6e0fb40 "CilyR).D\232[À](³é+2\234ëhXúª\211
_}72¾\177¨þ¸1\231W\213\r\206\tµ\2004#\nîb\tBV]éJNP\017P\224ZÛ\023fË\233ý\226á¦Xs\002\200|íL \210ùAçL\têAð\216÷ZÉy\221EC", timestamp_created = 1202116777,
timestamp_dirty = 0, marked_for_close = 0, marked_for_close_file = 0x0, next_active_on_n_conn = 0x0,
prev_active_on_n_conn = 0x0, next = 0x2aaad3981d90}
comment:4 Changed 12 years ago by
Initial analysis:
The assert is coming from inside the circuit_mark_for_close in command_process_destroy_cell().
This is an OR circuit (magic 0x98ABC04F, purpose 1). It's complaining that the circuit's state is open (3), but
its onionskin is still set.
I can confirm that the only places in the code that sets circ->state to 3 are all in circuitbuild.c:
circuit_n_conn_done(), circuit_send_next_onion_skin(), and onionskin_answer().
circuit_send_next_onion_skin() is out, since that can only get called on origin_circuit_t.
comment:5 Changed 12 years ago by
circuit_n_conn_done() always frees the onionskin before it answers sets the state. It looks like this circuit
didn't get circuit_n_conn_done() called on it.
comment:6 Changed 12 years ago by
Added/refactored code in r13394 to try to either track this down or make it go away.
comment:8 Changed 12 years ago by
I have not seen this issue since the upgrade. Feel free to close as Verified Fixed.
comment:10 Changed 8 years ago by
| Component: | Tor Relay → Tor |
|---|
Stack Trace
Core was generated by `/usr/sbin/tor'.
Program terminated with signal 6, Aborted.
#0 0x00002b6d59ec107b in raise () from /lib/libc.so.6
(gdb) backtrace
#0 0x00002b6d59ec107b in raise () from /lib/libc.so.6
#1 0x00002b6d59ec284e in abort () from /lib/libc.so.6
#2 0x0000000000411ecd in assert_circuit_ok (c=0x2aaaec25da30) at circuitlist.c:1128
#3 0x00000000004130ee in _circuit_mark_for_close (circ=0x6d87, reason=28039, line=6,
#4 0x0000000000416fed in command_process_cell (cell=0x7fff51522950, conn=0x2aaac31072d0) at command.c:430
#5 0x000000000042f7dd in connection_or_process_inbuf (conn=0x2aaac31072d0) at connection_or.c:989
#6 0x0000000000426b72 in connection_handle_read (conn=0x2aaac31072d0) at connection.c:1837
#7 0x0000000000456440 in conn_read_callback (fd=<value optimized out>, event=<value optimized out>,
#8 0x00002b6d597b80e2 in event_base_loop () from /usr/lib/libevent-1.1a.so.1
#9 0x000000000045605c in do_main_loop () at main.c:1423
#10 0x00000000004561e9 in tor_main (argc=<value optimized out>, argv=0x7fff51522fe8) at main.c:1973
#11 0x00002b6d59eae4ca in libc_start_main () from /lib/libc.so.6
#12 0x00000000004068ba in _start () at ../sysdeps/x86_64/elf/start.S:113
(gdb) print c
No symbol "c" in current context.