Opened 11 years ago

Closed 11 years ago

#3631 closed Bug (fixed)

crash in tr_ioFindFileLocation

Reported by: charles
Owned by: charles
Priority: Normal
Milestone: 2.11
Component: Transmission
Version: 2.10
Severity: Major
Keywords:
Cc:

Description

This was reported by two separate users with similar crash reports in the forums:

https://forum.transmissionbt.com/viewtopic.php?p=49662#p49662

Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000020
Crashed Thread:  2

Thread 2 Crashed:
0   org.m0k.transmission             0x000000010006e09b tr_ioFindFileLocation + 111
1   org.m0k.transmission             0x000000010006e1a5 readOrWritePiece + 65
2   org.m0k.transmission             0x00000001000947c7 tr_cachePrefetchBlock + 93
3   org.m0k.transmission             0x00000001000851b7 prefetchPieces + 77
4   org.m0k.transmission             0x00000001000836bb readBtMessage + 1456
5   org.m0k.transmission             0x0000000100082d19 canRead + 1591
6   org.m0k.transmission             0x000000010007abb7 canReadWrapper + 218
7   org.m0k.transmission             0x0000000100079c5f event_read_cb + 239
8   org.m0k.transmission             0x000000010009ccd7 event_base_loop + 953
9   org.m0k.transmission             0x0000000100075d4c libeventThreadFunc + 104
10  org.m0k.transmission             0x000000010006b3bb ThreadFunc + 18
11  libSystem.B.dylib                0x00007fff8434e456 _pthread_start + 331
12  libSystem.B.dylib                0x00007fff8434e309 thread_start + 13

https://forum.transmissionbt.com/viewtopic.php?p=49669#p49669

Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000020
Crashed Thread: 1
Thread 1 Crashed:
0 org.m0k.transmission 0x000000010006e09b tr_ioFindFileLocation + 111
1 org.m0k.transmission 0x000000010006e1a5 readOrWritePiece + 65
2 org.m0k.transmission 0x00000001000947c7 tr_cachePrefetchBlock + 93
3 org.m0k.transmission 0x00000001000851b7 prefetchPieces + 77
4 org.m0k.transmission 0x00000001000836bb readBtMessage + 1456
5 org.m0k.transmission 0x0000000100082d19 canRead + 1591
6 org.m0k.transmission 0x000000010007abb7 canReadWrapper + 218
7 org.m0k.transmission 0x0000000100079c5f event_read_cb + 239
8 org.m0k.transmission 0x000000010009ccd7 event_base_loop + 953

This appears to be a dereference of a NULL "file" pointer in the "*fileOffset = offset - file->offset" in tr_ioFindFileLocation() -- 111 offset is about the right length to reach that line, and 32 is the offset of tr_file's length field assuming 64-bit pointers and that uint8_t's are padded to 4 bytes each.

So, it appears that the bsearch() call is returning NULL somehow...
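As an added illustration of the lookup pattern the description refers to (constructed example, not Transmission's own code): a bsearch() over a file table sorted by torrent offset, with the comparator in the same spirit as the one in tr_ioFindFileLocation(), and a hardened caller that reports a NULL result instead of dereferencing it. The file_t struct, function names and the 150-byte sample file table (with a zero-length file in the middle) are stand-ins assumed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed stand-in for tr_file with only the fields the lookup needs. */
typedef struct {
    uint64_t length;   /* file size in bytes (may be zero) */
    uint64_t offset;   /* byte of the torrent at which the file begins */
} file_t;

/* bsearch() comparator: key is a torrent byte offset, element is a file.
   Returns 0 when offset lies inside [file->offset, file->offset + length). */
static int compare_offset_to_file(const void *a, const void *b) {
    const uint64_t offset = *(const uint64_t *)a;
    const file_t *file = b;
    if (offset < file->offset) return -1;
    if (offset >= file->offset + file->length) return 1;
    return 0;
}

/* Hardened lookup: bsearch() returns NULL for an offset at or past the end
   of the torrent (or an empty file list), so that case is reported to the
   caller instead of being dereferenced as "file->offset". */
static bool find_file_location(const file_t *files, size_t count,
                               uint64_t offset, size_t *file_index,
                               uint64_t *file_offset) {
    const file_t *file = bsearch(&offset, files, count, sizeof *files,
                                 compare_offset_to_file);
    if (file == NULL)
        return false;
    *file_index = (size_t)(file - files);
    *file_offset = offset - file->offset;
    return true;
}

/* Constructed sample: 150-byte torrent with a zero-length file in the middle,
   sorted by offset as the torrent's file table would be. */
static const file_t sample_files[] = { {100, 0}, {0, 100}, {50, 100} };
static const size_t sample_count = sizeof sample_files / sizeof sample_files[0];

/* Convenience wrappers returning -1 when the offset maps to no file. */
static long lookup_file_index(uint64_t offset) {
    size_t idx; uint64_t off;
    return find_file_location(sample_files, sample_count, offset, &idx, &off) ? (long)idx : -1;
}
static long lookup_file_offset(uint64_t offset) {
    size_t idx; uint64_t off;
    return find_file_location(sample_files, sample_count, offset, &idx, &off) ? (long)off : -1;
}
```

Offset 150 (exactly the torrent's total size) is the case where bsearch() has nothing to return; a caller that skips the NULL check reads through a null pointer at the struct's offset field, which is the shape of the crash above.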

Change History (2)

comment:1 Changed 11 years ago by charles

  • Owner set to charles
  • Status changed from new to assigned

The forums confirm the r11313 fix.

comment:2 Changed 11 years ago by charles

  • Resolution set to fixed
  • Status changed from assigned to closed