Opened 12 years ago

Closed 12 years ago

#2673 closed Bug (fixed)

crash in tr_torrentGetMetadataPiece

Reported by: titer Owned by: charles
Priority: Normal Milestone:
Component: libtransmission Version: 1.76+
Severity: Normal Keywords:
Cc:

Description

With r9771:

Transmission(89210,0x102948000) malloc: *** mmap(size=18446744073709531136) failed (error code=12)
*** error: can't allocate region
(gdb) bt
#0  0x00007fff8553084d in usleep$NOCANCEL ()
#1  0x00007fff8554fe3c in abort ()
#2  0x00007fff8553eae5 in szone_error ()
#3  0x00007fff85463936 in allocate_pages ()
#4  0x00007fff85473911 in large_malloc ()
#5  0x00007fff85465688 in szone_malloc_should_clear ()
#6  0x00007fff85464a4a in malloc_zone_malloc ()
#7  0x00007fff85462d48 in malloc ()
#8  0x00000001000c6104 in tr_malloc (size=18446744073709518920) at utils.h:297
#9  0x00000001000c6270 in tr_torrentGetMetadataPiece (tor=0x101078000, piece=2, len=0x102947cd4) at /Users/titer/T/trunk/libtransmission/torrent-magnet.c:117
#10 0x00000001000b097b in fillOutputBuffer (msgs=0x1012b9600, now=1260862317) at /Users/titer/T/trunk/libtransmission/peer-msgs.c:1863
#11 0x00000001000b104f in peerPulse (vmsgs=0x1012b9600) at /Users/titer/T/trunk/libtransmission/peer-msgs.c:2010
#12 0x00000001000b107f in tr_peerMsgsPulse (msgs=0x1012b9600) at /Users/titer/T/trunk/libtransmission/peer-msgs.c:2020
#13 0x00000001000aaeb3 in pumpAllPeers (mgr=0x100449350) at /Users/titer/T/trunk/libtransmission/peer-mgr.c:2977
#14 0x00000001000aaf20 in bandwidthPulse (foo=-1, bar=1, vmgr=0x100449350) at /Users/titer/T/trunk/libtransmission/peer-mgr.c:2990
#15 0x00000001000d4ecc in event_process_active (base=0x10183c0f0) at /Users/titer/T/trunk/third-party/libevent/event.c:385
#16 0x00000001000d5210 in event_base_loop (base=0x10183c0f0, flags=0) at /Users/titer/T/trunk/third-party/libevent/event.c:525
#17 0x00000001000d5095 in event_loop (flags=0) at /Users/titer/T/trunk/third-party/libevent/event.c:461
#18 0x00000001000d4f0c in event_dispatch () at /Users/titer/T/trunk/third-party/libevent/event.c:399
#19 0x000000010009b0bf in libeventThreadFunc (veh=0x10183bb10) at /Users/titer/T/trunk/libtransmission/trevent.c:228
#20 0x000000010008a254 in ThreadFunc (_t=0x10183b5d0) at /Users/titer/T/trunk/libtransmission/platform.c:108
#21 0x00007fff85499f8e in _pthread_start ()
#22 0x00007fff85499e41 in thread_start ()
(gdb) up
#9  0x00000001000c6270 in tr_torrentGetMetadataPiece (tor=0x101078000, piece=2, len=0x102947cd4) at /Users/titer/T/trunk/libtransmission/torrent-magnet.c:117
117	                char * buf = tr_new( char, l );
(gdb) p l
$10 = -32696
(gdb) p *tor
$7 = {
  session = 0x10183bc00, 
  info = {
    totalSize = 1564271538, 
    name = 0x11373df70, 
    torrent = 0x1137afde0, 
    webseeds = 0x0, 
    comment = 0x11373c840 "", 
    creator = 0x1137541a0 "", 
    files = 0x11379a7c0, 
    pieces = 0x1011c2e00, 
    trackers = 0x11376af40, 
    dateCreated = 0, 
    trackerCount = 1, 
    webseedCount = 0, 
    fileCount = 1, 
    pieceSize = 524288, 
    pieceCount = 2984, 
    hash = "FۗP??\023!'R?\023?\030P???Cd", 
    hashString = "46db9750b5f513212752be13c01850d7c8f14364", 
    hashEscaped = "F%DB%97P%B5%F5%13%21%27R%BE%13%C0%18P%D7%C8%F1Cd", '\0' <repeats 12 times>, 
    isPrivate = 0 '\0', 
    isMultifile = 0 '\0'
  }, 
  magicNumber = 95549, 
  error = TR_STAT_OK, 
  errorString = '\0' <repeats 127 times>, 
  obfuscatedHash = "??(r?o\001rKK??\017\020\021V?*\031?", 
  incompleteMetadata = 0x0, 
  peer_id = 0x113733370 "-TR176Z-iqhwgj2nfdob", 
  downloadDir = 0x11373aa20 "/Volumes/Hulk/Torrents", 
  incompleteDir = 0x0, 
  infoDictLength = 72, 
  infoDictOffset = 59784, 
  currentDir = 0x11373aa20 "/Volumes/Hulk/Torrents", 
  blockSize = 16384, 
  blockCount = 95476, 
  lastBlockSize = 9138, 
  lastPieceSize = 320434, 
  blockCountInPiece = 32, 
  blockCountInLastPiece = 20, 
  completion = {
    sizeWhenDoneIsDirty = 1 '\001', 
    haveValidIsDirty = 1 '\001', 
    tor = 0x101078000, 
    blockBitfield = {
      bits = 0x101166a00 "????", 
      bitCount = 95476, 
      byteCount = 11935
    }, 
    pieceBitfield = {
      bits = 0x113790030 "?@?\t\030 \020?\021", 
      bitCount = 2984, 
      byteCount = 373
    }, 
    completeBlocks = 0x101157600, 
    sizeWhenDoneLazy = 1564271538, 
    haveValidLazy = 285533106, 
    sizeNow = 298705842
  }, 
  checkedPieces = {
    bits = 0x113758ee0 "?@?\t\030 \020?\021", 
    bitCount = 2984, 
    byteCount = 373
  }, 
  completeness = TR_LEECH, 
  tiers = 0x113710c20, 
  tiersSubscription = 0x113741f60, 
  dhtAnnounceAt = 1260862779, 
  dhtAnnounce6At = 1260862320, 
  dhtAnnounceInProgress = 0 '\0', 
  dhtAnnounce6InProgress = 0 '\0', 
  downloadedCur = 357330363, 
  downloadedPrev = 0, 
  uploadedCur = 51591194, 
  uploadedPrev = 0, 
  corruptCur = 3145728, 
  corruptPrev = 0, 
  etaDLSpeedCalculatedAt = 1260862316663, 
  etaDLSpeed = 276.34722623383669, 
  etaULSpeedCalculatedAt = 0, 
  etaULSpeed = 0, 
  addedDate = 1260861183, 
  activityDate = 1260862317, 
  doneDate = 0, 
  startDate = 1260861183, 
  anyDate = 1260862317, 
  metadata_func = 0x10002f5f3 <metadataCallback>, 
  metadata_func_user_data = 0x113737050, 
  completeness_func = 0x10002f52c <completenessChangeCallback>, 
  completeness_func_user_data = 0x113737050, 
  ratio_limit_hit_func = 0x10002f5b2 <ratioLimitHitCallback>, 
  ratio_limit_hit_func_user_data = 0x113737050, 
  isRunning = 1 '\001', 
  isDeleting = 0 '\0', 
  needsSeedRatioCheck = 0 '\0', 
  startAfterVerify = 0 '\0', 
  isDirty = 1 '\001', 
  maxConnectedPeers = 200, 
  verifyState = TR_VERIFY_NONE, 
  lastStatTime = 1260862316, 
  stats = {
    id = 2, 
    activity = TR_STATUS_DOWNLOAD, 
    error = TR_STAT_OK, 
    errorString = '\0' <repeats 127 times>, 
    recheckProgress = 0, 
    percentComplete = 0.190881923, 
    metadataPercentComplete = 1, 
    percentDone = 0.190881923, 
    percentRatio = 1, 
    rawUploadSpeed = 55.87939453125, 
    rawDownloadSpeed = 279.0625, 
    pieceUploadSpeed = 50, 
    pieceDownloadSpeed = 266.19873046875, 
    eta = 4472, 
    peersKnown = 1378, 
    peersConnected = 160, 
    peersFrom = {53, 1, 4, 0, 102, 0}, 
    peersSendingToUs = 90, 
    peersGettingFromUs = 15, 
    webseedsSendingToUs = 0, 
    sizeWhenDone = 1564271538, 
    leftUntilDone = 1265680384, 
    desiredAvailable = 1265680384, 
    corruptEver = 3145728, 
    uploadedEver = 51565594, 
    downloadedEver = 357134900, 
    haveValid = 285533106, 
    haveUnchecked = 13058048, 
    manualAnnounceTime = -1, 
    ratio = 0.144386888, 
    addedDate = 1260861183, 
    doneDate = 0, 
    startDate = 1260861183, 
    activityDate = 1260862316
  }, 
  next = 0x0, 
  uniqueId = 2, 
  bandwidth = 0x1137397e0, 
  torrentPeers = 0x1137467d0, 
  desiredRatio = 2, 
  ratioLimitMode = TR_RATIOLIMIT_GLOBAL, 
  preVerifyTotal = 0
}

Change History (4)

comment:1 Changed 12 years ago by charles

  • Component changed from Transmission to libtransmission
  • Owner set to charles
  • Status changed from new to assigned

Looks like two problems:

  1. infoDictLength is 72, which seems awfully small, and probably wrong
  1. no safeguards against small sizes like that

comment:2 Changed 12 years ago by charles

titer: was this torrent loaded from a .torrent file on startup, or did you get it through a magnet link in the same session in which you got this crash?

If it was loaded from a .torrent file, and you load it up again, is infoDictLength still 72?

comment:3 Changed 12 years ago by titer

Problem 1) fixed in [9772]

comment:4 Changed 12 years ago by charles

  • Milestone 1.80 deleted
  • Resolution set to fixed
  • Status changed from assigned to closed

08:34 < CIA-39> charles * r9774 libtransmission/torrent-magnet.c: (trunk libT) #2673 "crash in tr_torrentGetMetadataPiece" -- add safeguards against small sizes

Note: See TracTickets for help on using tickets.