Opened 6 years ago

Closed 6 years ago

Last modified 6 years ago

#5735 closed Bug (fixed)

SegFault inside node_alloc, patch provided

Reported by: benjarobin Owned by: jordan
Priority: Normal Milestone: 2.90
Component: libtransmission Version: 2.84
Severity: Major Keywords: backport-candidate-2.8x, patch
Cc:

Description

Transmission Qt or Gtk segfaults randomly. I helped a user to debug it (https://forums.archlinux.fr/topic15592.html) and obtained the following call stack:

#0  node_alloc () at list.c:43
        ret = 0x0
#1  0x000000000046e0f1 in tr_list_append (list=list@entry=0x6c41c0 <paused_easy_handles>, data=0x7fffc85edac0) at list.c:99
        node = 0x7fffcedd1700
#2  0x0000000000461923 in writeFunc (ptr=0x7fffc9c303f0, size=<optimized out>, nmemb=16384, vtask=0x7fffe01e2960) at web.c:127
        ptr = 0x7fffc9c303f0
        size = <optimized out>
        nmemb = 16384
        vtask = 0x7fffe01e2960
        byteCount = <optimized out>
        task = 0x7fffe01e2960
#3  0x00007ffff5e056d8 in ?? () from /usr/lib/libcurl.so.4
No symbol table info available.
#4  0x00007ffff5e1bf39 in curl_easy_pause () from /usr/lib/libcurl.so.4
No symbol table info available.
#5  0x0000000000461e0a in tr_webThreadFunc (vsession=0x77d070) at web.c:448
        handle = <optimized out>
        tmp = 0x7fffc978f690
        msec = 0
        unused = 0
        msg = <optimized out>
        mcode = <optimized out>
        str = <optimized out>
        multi = 0x7fffc8020a90
        web = 0x7fffc80209d0
        taskCount = <optimized out>
        task = <optimized out>
        session = 0x77d070
#6  0x00000000004446aa in ThreadFunc (_t=0x7fffe000fcd0) at platform.c:105
        t = 0x7fffe000fcd0
#7  0x00007ffff52ae124 in start_thread () from /usr/lib/libpthread.so.0
No symbol table info available.
#8  0x00007ffff4fe24bd in clone () from /usr/lib/libc.so.6
No symbol table info available.

The bug was quickly spotted; see the attached file for the patch.

Attachments (1)

bug-alloc-cache.patch (1.2 KB) - added by benjarobin 6 years ago.
Patch fix concurrency on recycled_nodes


Change History (8)

comment:1 Changed 6 years ago by jordan

  • Keywords backport-candidate-2.8x added
  • Milestone changed from None Set to 2.90
  • Status changed from new to assigned

Looks right to me. Thanks for the patch!

Changed 6 years ago by benjarobin

Patch fix concurrency on recycled_nodes

comment:2 Changed 6 years ago by jordan

Actually this patch isn't quite right, it leads to an uninitialized 'ret' value in node_alloc() being evaluated. But the point about wrapping recycled_nodes in the mutex lock is well-taken.
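
To make the two points above concrete, here is an added illustration (not libtransmission's code, and not the attached patch): a node cache in which the whole pop/push of recycled_nodes sits under one mutex and ret is assigned on every path before it is read. Only node_alloc and recycled_nodes are names from the ticket; the struct layout, the lock, node_free and the stress harness are assumptions.

```c
#include <pthread.h>
#include <stdlib.h>
/* Added illustration, not libtransmission's code: only node_alloc and recycled_nodes are the ticket's names. */
typedef struct tr_list { void *data; struct tr_list *next; } tr_list;
static tr_list *recycled_nodes = NULL;         /* shared free-list head (assumed layout) */
static pthread_mutex_t recycled_lock = PTHREAD_MUTEX_INITIALIZER;

/* Pop a cached node or calloc one; the head update is entirely under the lock and ret is set on every path. */
tr_list *node_alloc(void)
{
    pthread_mutex_lock(&recycled_lock);
    tr_list *ret = recycled_nodes;             /* NULL if the cache is empty */
    if (ret != NULL)
        recycled_nodes = ret->next;
    pthread_mutex_unlock(&recycled_lock);
    if (ret == NULL)
        return calloc(1, sizeof *ret);         /* fresh, zeroed node */
    ret->data = ret->next = NULL;              /* scrub stale pointers on reuse */
    return ret;
}

void node_free(tr_list *node)                  /* push back under the same lock */
{
    pthread_mutex_lock(&recycled_lock);
    node->next = recycled_nodes;
    recycled_nodes = node;
    pthread_mutex_unlock(&recycled_lock);
}

static void *worker(void *iters)               /* alloc/free loop; returns 1 on failure */
{
    for (long i = 0; i < (long)iters; i++) {
        tr_list *n = node_alloc();
        if (n == NULL) return (void *)1;
        node_free(n);
    }
    return NULL;
}

/* Run nthreads workers on the cache concurrently; returns how many failed. */
int stress_node_cache(int nthreads, long iters)
{
    pthread_t tid[nthreads];                   /* VLA: test harness only */
    int failed = 0;
    for (int i = 0; i < nthreads; i++)
        pthread_create(&tid[i], NULL, worker, (void *)iters);
    for (int i = 0; i < nthreads; i++) {
        void *rv = NULL;
        pthread_join(tid[i], &rv);
        failed += (rv != NULL);
    }
    return failed;
}
```

Running the harness under a race detector (for example a ThreadSanitizer build) is the quickest way to confirm that every access to the free-list head is covered by the lock.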

comment:3 Changed 6 years ago by benjarobin

Warning, the first time I submitted the wrong patch... Now this should be OK, sorry...

comment:4 Changed 6 years ago by benjarobin

I know, I did add a comment here and fix the patch, but it looks like it is stuck in the moderator queue.

comment:5 Changed 6 years ago by jordan

  • Resolution set to fixed
  • Status changed from assigned to closed

Yep, looks like we found the uninitialized variable at the same time.

Patch committed in r14139 for 2.90.

I've given this ticket a 'backport-2.8x-candidate' tag, so in the unlikely event that we do another bugfix release in the 2.8x series, this patch will be included there as well.

comment:6 Changed 6 years ago by benjarobin

You mean r14319 :-)

comment:7 Changed 6 years ago by jordan

Yeah that one too ;-)
