Opened 12 years ago

Closed 12 years ago

#2800 closed Bug (fixed)

Crashing during operation

Reported by: desterado Owned by: charles
Priority: Normal Milestone: 1.83
Component: libtransmission Version: 1.82
Severity: Major Keywords:
Cc: kim@…

Description

I have approx 328 torrents running. If all of them are running, the client crashes after a few minutes.

If I run a few of them it does not crash and runs indefinitely.

Attachments (2)

crashreport.rtf (32.9 KB) - added by desterado 12 years ago.
crashreport.doc (83.5 KB) - added by desterado 12 years ago.


Change History (12)

Changed 12 years ago by desterado

Changed 12 years ago by desterado

comment:1 Changed 12 years ago by livings124

  • Version changed from 1.80 to 1.82

Money parts:

Version:         1.82+ (10008)
Code Type:       X86-64 (Native)
1/23/10 1/23/10  5:38:30 PM	Transmission[2718]	Transmission(2718,0x112bc8000) malloc: *** mmap(size=2305843009106137088) failed (error code=12)
*** error: can't allocate region
*** set a breakpoint in malloc_error_break to debug
1/23/10 1/23/10  5:38:30 PM	[0x0-0x15d15d].org.m0k.transmission[2718]	Transmission(2718,0x112bc8000) malloc: *** mmap(size=2305843009106137088) failed (error code=12)
1/23/10 1/23/10  5:38:30 PM	[0x0-0x15d15d].org.m0k.transmission[2718]	*** error: can't allocate region
1/23/10 1/23/10  5:38:30 PM	[0x0-0x15d15d].org.m0k.transmission[2718]	*** set a breakpoint in malloc_error_break to debug
Thread 2 Crashed:
0   libSystem.B.dylib             	0x00007fffffe008b7 __memcpy + 279
1   org.m0k.transmission          	0x000000010008db09 readBtMessage + 993 (bitfield.h:43)
2   org.m0k.transmission          	0x000000010008ec32 canRead + 1679 (peer-msgs.c:1670)
3   org.m0k.transmission          	0x000000010007eae5 canReadWrapper + 321 (peer-io.c:139)
4   org.m0k.transmission          	0x00000001000adc58 event_base_loop + 1148 (event.c:386)
5   org.m0k.transmission          	0x0000000100079d11 libeventThreadFunc + 162 (trevent.c:229)
6   org.m0k.transmission          	0x000000010006ba09 ThreadFunc + 18 (utils.h:316)
7   libSystem.B.dylib             	0x00007fff85de6f8e _pthread_start + 331
8   libSystem.B.dylib             	0x00007fff85de6e41 thread_start + 13

comment:2 Changed 12 years ago by charles

  • Component changed from Transmission to libtransmission
  • Milestone changed from None Set to 1.83
  • Owner set to charles
  • Status changed from new to assigned

comment:3 Changed 12 years ago by charles

Also:

1/23/10 1/23/10  5:38:30 PM	Transmission[2718]	Transmission(2718,0x112bc8000) malloc: *** mmap(size=2305843009106137088) failed (error code=12)
*** error: can't allocate region
*** set a breakpoint in malloc_error_break to debug
1/23/10 1/23/10  5:38:30 PM	[0x0-0x15d15d].org.m0k.transmission[2718]	Transmission(2718,0x112bc8000) malloc: ***

comment:4 Changed 12 years ago by charles

desterado: that backtrace seems to be somehow corrupted. The line numbers don't really fit the way the application said it crashed. :(

Are you familiar with using a debugger? I think we should take the first error message's suggestion of setting a breakpoint in malloc_error_break to debug this.

If you want help with this, come into #transmission ... there are several mac users there who can walk you through this.

comment:5 Changed 12 years ago by desterado

I did a debug; here were the results.

http://transmission.pastebin.com/m49dad759

comment:6 Changed 12 years ago by kim

I think at least part of the problem is bitset.h line 122. Note that i is an int whereas it should be size_t or uint32_t (needs to be some type consistency here I suggest). Anyhow what seems to be happening is peerIoReadBytes is returning a value that is being misinterpreted as -ve int => large unsigned int. Really need debugging turned on to capture the values.

comment:7 Changed 12 years ago by kim

  • Cc kim@… added

Another thought - it appears from the code that T is left unprotected if a peer does send an incorrect value - it basically gets passed straight through to malloc. I always make a principle (although I don't always do what I preach) to range check any non-data value (i.e. a value that can affect program operation) coming from untrusted sources. Whilst it can be hard to identify the best limits, we can #define limits that can be adjusted over time as needed. I suggest it would be good to add this as a T coding principle and add in checks over time (at least an assert or two would be good). Certainly need to protect against a rogue peer triggering vast mallocs (even if that isn't the cause here).
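Added illustration of comment:6 and comment:7 (example code, not Transmission's bitset.h or peer-msgs.c): a toy bitset whose "have" handling keeps the peer-supplied piece index unsigned and range-checks it against the torrent's piece count before it can size an allocation, shown beside the unchecked int conversion that yields a request of the magnitude seen in the crash log. MAX_PIECE_COUNT, bitset_t and the function names are assumptions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical ceiling on pieces per torrent; a real client would tune this #define. */
#define MAX_PIECE_COUNT 0x100000u

typedef struct {
    uint8_t *bytes;
    size_t   bit_count;     /* number of bits the buffer can hold */
} bitset_t;

/* Big-endian 32-bit read: how the piece index arrives in a "have" message. */
static uint32_t read_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Shape of the defect in comment:6: the index is held in an int, so wire value
 * 0xFFFFFFFF is -1; converting it to size_t for the allocation gives SIZE_MAX,
 * and SIZE_MAX / 8 + 1 is about 2^61 bytes, the magnitude of the failed mmap. */
static size_t bytes_needed_unchecked(int piece_index)
{
    return (size_t)piece_index / 8 + 1;
}

/* Hardened path: unsigned index, checked against the known piece count before
 * it sizes or indexes anything. Returns 0 on success, -1 when rejected. */
static int bitset_add_checked(bitset_t *b, const uint8_t *wire, uint32_t piece_count)
{
    uint32_t idx = read_be32(wire);
    if (piece_count == 0 || piece_count > MAX_PIECE_COUNT || idx >= piece_count)
        return -1;                               /* rogue or malformed peer value */
    if (b->bit_count < piece_count) {            /* grow to the known size only */
        uint8_t *p = calloc((size_t)piece_count / 8 + 1, 1);
        if (p == NULL)
            return -1;
        if (b->bytes != NULL) {
            memcpy(p, b->bytes, b->bit_count / 8 + 1);
            free(b->bytes);
        }
        b->bytes = p;
        b->bit_count = piece_count;
    }
    b->bytes[idx >> 3] |= (uint8_t)(0x80u >> (idx & 7));
    return 0;
}

static int bitset_has(const bitset_t *b, uint32_t idx)
{
    return idx < b->bit_count && (b->bytes[idx >> 3] & (0x80u >> (idx & 7))) != 0;
}
```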

comment:8 Changed 12 years ago by charles

Thread 4 (process 8117):
#0  0x00007fffffe008b7 in __memcpy ()
#1  0x00000001000ad80b in __inline_memcpy_chk (__dest=Cannot access memory at address 0xfffffffffffffff7) at /Developer/SDKs/MacOSX10.6.sdk/usr/include/secure/_string.h:58
#2  0x00000001000b086b in tr_bitsetReserve (b=Cannot access memory at address 0xffffffffffffffe7) at /Users/thomasfiscoe/Desktop/Transmission/libtransmission/bitset.h:55
#3  0x00000001000b0792 in tr_bitsetAdd (b=Cannot access memory at address 0xffffffffffffffe7) at /Users/thomasfiscoe/Desktop/Transmission/libtransmission/bitset.h:127
#4  0x00000001000b005b in readBtMessage (msgs=Cannot access memory at address 0xffffffffffffffa7) at /Users/thomasfiscoe/Desktop/Transmission/libtransmission/peer-msgs.c:1428
#5  0x00000001000b0d7a in canRead (io=Cannot access memory at address 0xffffffffffffffd7) at /Users/thomasfiscoe/Desktop/Transmission/libtransmission/peer-msgs.c:1670
#6  0x00000001000a0d27 in canReadWrapper (io=Cannot access memory at address 0xffffffffffffffc7) at /Users/thomasfiscoe/Desktop/Transmission/libtransmission/peer-io.c:139

comment:9 Changed 12 years ago by charles

possible fix in r10022. desterado could you give that a try and see if it prevents the crash?

comment:10 Changed 12 years ago by desterado

  • Resolution set to fixed
  • Status changed from assigned to closed

Charles: It seems to be fixed. All the torrents are running and I have not had a crash; it's been about 20 minutes, and the crash usually occurred after a few minutes. I am using 10031 by the way; I didn't get a chance to test it until Thu 1/28.
