Question: Core dump content

16 Dec 2024 10:34 - 16 Dec 2024 10:35 #10465 by JTP
Core dump content was created by JTP
Hi, I hope you can help solve this crash. I rarely have one. At the time no one was online, but there had been two connect attempts. The MUD had been rebooted 3 hours prior with shutdown reboot.

CORE DUMP


This GDB was configured as "i386-redhat-linux-gnu".
For bug reporting instructions, please see:
< www.gnu.org/software/gdb/bugs/ >...
Reading symbols from /home/mud/jtp/aoh/bin/circle...done.
[New Thread 29222]
Reading symbols from /lib/libcrypt.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib/libcrypt.so.1
Reading symbols from /lib/libc.so.6...(no debugging symbols found)...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/ld-linux.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/ld-linux.so.2
Reading symbols from /lib/libnss_files.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/libnss_files.so.2
Reading symbols from /lib/libnss_dns.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/libnss_dns.so.2
Reading symbols from /lib/libresolv.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/libresolv.so.2
Reading symbols from /lib/libgcc_s.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib/libgcc_s.so.1
Core was generated by `bin/circle -q 6969'.
Program terminated with signal 6, Aborted.
#0  0x00261402 in __kernel_vsyscall ()
(gdb) up
#1  0x00865b10 in raise () from /lib/libc.so.6
(gdb) up
#2  0x00867421 in abort () from /lib/libc.so.6
(gdb) up
#3  0x0089e67b in __libc_message () from /lib/libc.so.6
(gdb) up
#4  0x008a6a15 in _int_free () from /lib/libc.so.6
(gdb) up
#5  0x008aaa89 in free () from /lib/libc.so.6
(gdb) up
#6  0x080b75f1 in close_socket (d=0xa8b8f70) at comm.c:2217
  2217            free(d->history[cnt]);                 

list shows:
2212      /* Clear the command history. */
2213      if (d->history) {
2214        int cnt;
2215        for (cnt = 0; cnt < HISTORY_SIZE; cnt++)
2216          if (d->history[cnt])
2217            free(d->history[cnt]);
2218        free(d->history);
2219      }
2220
2221      if (d->showstr_head)
(gdb) up
#7  0x080bb36b in game_loop (local_mother_desc=3) at comm.c:902
902              close_socket(d);

list shows:
897        for (d = descriptor_list; d; d = next_d) {
898          next_d = d->next;
899          if (*(d->output) && FD_ISSET(d->descriptor, &output_set)) {
900            /* Output for this player is ready */
901            if (process_output(d) < 0)
902              close_socket(d);
903            else
904              d->has_prompt = 1;
905          }
906        }


(gdb) up
#8  0x080bc847 in init_game (argc=Cannot access memory at address 0x7226
) at comm.c:536

list shows:
531      if (fCopyOver) /* reload players */
532      copyover_recover();
533
534      log("Entering game loop.");
535
536      game_loop(mother_desc);
537
538      Crash_save_all();
539
540      log("Closing all sockets.");
(gdb) up
#9  main (argc=Cannot access memory at address 0x7226
) at comm.c:356
356        init_game(port);

list shows:
351
352      if (scheck)
353        boot_world();
354      else {
355        log("Running game on port %d.", port);
356        init_game(port);
357      }
358
359      log("Clearing game world.");
360      destroy_db();
(gdb) up
Initial frame selected; you cannot go up.
(gdb)
Last edit: 16 Dec 2024 10:35 by JTP.

18 Dec 2024 19:51 #10466 by cunning
Replied by cunning on topic Core dump content
You will need to provide info local for each iteration. That first one needs the info to see what CNT equals. Then
print d->history[whatever CNT equaled] && print *d->history

What you provided is a good start but does not give any info.

18 Dec 2024 20:17 #10467 by JTP
Replied by JTP on topic Core dump content
GNU gdb (GDB) CentOS (7.0.1-45.el5.centos)
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later < gnu.org/licenses/gpl.html >
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "i386-redhat-linux-gnu".
For bug reporting instructions, please see:
< www.gnu.org/software/gdb/bugs/ >...
Reading symbols from /home/mud/jtp/aoh/bin/circle...done.
[New Thread 29222]
Reading symbols from /lib/libcrypt.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib/libcrypt.so.1
Reading symbols from /lib/libc.so.6...(no debugging symbols found)...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/ld-linux.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/ld-linux.so.2
Reading symbols from /lib/libnss_files.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/libnss_files.so.2
Reading symbols from /lib/libnss_dns.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/libnss_dns.so.2
Reading symbols from /lib/libresolv.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/libresolv.so.2
Reading symbols from /lib/libgcc_s.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib/libgcc_s.so.1
Core was generated by `bin/circle -q 6969'.
Program terminated with signal 6, Aborted.
#0 0x00261402 in __kernel_vsyscall ()
(gdb) info local
No symbol table info available.
(gdb) up
#1 0x00865b10 in raise () from /lib/libc.so.6
(gdb) info local
No symbol table info available.
(gdb) up
#2 0x00867421 in abort () from /lib/libc.so.6
(gdb) info local
No symbol table info available.
(gdb) up
#3 0x0089e67b in __libc_message () from /lib/libc.so.6
(gdb) info local
No symbol table info available.
(gdb) up
#4 0x008a6a15 in _int_free () from /lib/libc.so.6
(gdb) info local
No symbol table info available.
(gdb) up
#5 0x008aaa89 in free () from /lib/libc.so.6
(gdb) info local
No symbol table info available.
(gdb)
No symbol table info available.
(gdb) up
#6 0x080b75f1 in close_socket (d=0xa8b8f70) at comm.c:2217
2217 free(d->history[cnt]);
(gdb) info local
temp = <value optimized out>
(gdb) up
#7 0x080bb36b in game_loop (local_mother_desc=3) at comm.c:902
902 close_socket(d);
(gdb) info local
input_set = {__fds_bits = {24, 0 <repeats 31 times>}}
output_set = {__fds_bits = {48, 0 <repeats 31 times>}}
exc_set = {__fds_bits = {0 <repeats 32 times>}}
null_set = {__fds_bits = {0 <repeats 32 times>}}
last_time = {tv_sec = 1734323643, tv_usec = 516100}
opt_time = {tv_sec = 0, tv_usec = 100000}
process_time = {tv_sec = 0, tv_usec = 16525}
temp_time = {tv_sec = 0, tv_usec = 83475}
before_sleep = {tv_sec = 1734323643, tv_usec = 432625}
now = {tv_sec = 1734323643, tv_usec = 516618}
timeout = {tv_sec = 0, tv_usec = 0}
comm = "GET / HTTP/1.1\000one\000\000\330R\241\277\021n\212\000\364O\231\000,R\241\277\v\245\220\000\021n\212\000\364O\231\000\340_<\n@a\231\000\070R\241\277 \000\000\000\303R\241\277pe\231\000\021n\212\000\304y\226\000pa\231\000@a\231\000@a\231\000@a\231\000da\231\000da\231\000\220\244\220\000\364O\231\000|R\241\277\v\245\220\000\021n\212\000\364O\231\000\250\357o\n@a\231\000\021n\212\000Q\266\212\000\000\020\002\000XS\241\277\021n\212\000 \000\000\000#S\241\277pe\231\000\021n\212\000 \000\000\000\063S\241\277pe\231\000\f\000\000\000@a\231\000pa\231\000@a\231\000\f\000\000\000@a\231", '\000' , "\020\000\000\000pa\231\000\004\000\000\000\002", '\000' "\260, \000\000\000pa\231\000\004\000\000\000\377\017\000\000\000\000\000\000\000\000\000\000\250\357o\n"...
d = 0xa8b8f70
next_d = <value optimized out>
missed_pulses = <value optimized out>
maxdesc = <value optimized out>
aliased = 0
(gdb) up
#8 0x080bc847 in init_game (argc=Cannot access memory at address 0x7226
) at comm.c:536
536 game_loop(mother_desc);
(gdb) info local
No locals.
(gdb) up
#9 main (argc=Cannot access memory at address 0x7226
) at comm.c:356
356 init_game(port);
(gdb) info local
pos = <value optimized out>
dir = 0x92ec068 "lib"
(gdb) up
Initial frame selected; you cannot go up.
(gdb)

18 Dec 2024 21:10 #10468 by thomas
Replied by thomas on topic Core dump content
This is a "fallout" of a buffer overflow. Your "d" variable is corrupted, somehow, so the d->history pointer is filled with some garbage bytes, making the loop try to free some random part of the memory.

There are some tricks to find out where the memory leak is, but let's be honest; this isn't easy. The first step would be to look at the descriptor struct: (from github.com/tbamud/tbamud/blob/88b3027ec6.../src/structs.h#L1073 )
Code:
  char inbuf[MAX_RAW_INPUT_LENGTH];   /**< buffer for raw input */
  char last_input[MAX_INPUT_LENGTH];  /**< the last input */
  char small_outbuf[SMALL_BUFSIZE];   /**< standard output buffer */
  char *output;                       /**< ptr to the current output buffer */
  char **history;                     /**< History of commands, for ! mostly. */
  int history_pos;                    /**< Circular array position. */
You see here that the memory in the descriptor-data object contains a couple of buffers that reside _inside_ the object. Then a pointer to some output buffer and then a pointer to the history list.

It's highly unlikely that the output pointer overflows. You would have to be doing something really weird to make that happen. But it's likely that one of the other fields overflows.

To identify which, you could do something like this:
Code:
  # go to the frame where things are going bad
  frame 6
  # look at the contents of the d variable
  print *d
  # look at the contents of the buffers (print the arrays, not just their first byte)
  print d->inbuf
  print d->last_input
  print d->small_outbuf
Note - at this point some of the pointers have been freed, but they still point to the old memory; close_socket doesn't null out anything as it expects to free the whole structure a couple of lines further down.

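The field order thomas quoted is the whole story of this crash: the three inline buffers sit directly in front of the output and history pointers, so a write that runs off the end of one of them lands on the pointer that free() later trusts. The following C program is an added example, not tbaMUD's own code and not something from the thread; it models only the six quoted fields (the buffer sizes and HISTORY_SIZE are assumed values), maps an overrun of a given length from a given field to the field it ends in using offsetof (this generalises beyond the single case in the thread), and shows a history cleanup that nulls every slot and the array pointer, so a second pass over the same descriptor returns 0 instead of freeing again.

```c
/* Added example, not tbaMUD code: models the quoted descriptor_data field
 * order, maps buffer overruns to the field they clobber, and frees the
 * command history defensively. Sizes below are assumed, not from the thread. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_RAW_INPUT_LENGTH 1024   /* assumed */
#define MAX_INPUT_LENGTH      256   /* assumed */
#define SMALL_BUFSIZE        1024   /* assumed */
#define HISTORY_SIZE            5   /* assumed */

/* Only the fields from the quoted excerpt, in the quoted order. */
struct descriptor_data {
    char inbuf[MAX_RAW_INPUT_LENGTH];
    char last_input[MAX_INPUT_LENGTH];
    char small_outbuf[SMALL_BUFSIZE];
    char *output;
    char **history;
    int history_pos;
};

struct field_span { const char *name; size_t off; size_t size; };

#define SPAN(f) { #f, offsetof(struct descriptor_data, f), \
                  sizeof(((struct descriptor_data *)0)->f) }
static const struct field_span layout[] = {
    SPAN(inbuf), SPAN(last_input), SPAN(small_outbuf),
    SPAN(output), SPAN(history), SPAN(history_pos),
};
#define NFIELDS (sizeof layout / sizeof layout[0])

/* Name of the field that owns byte `off` of the struct, or "past end". */
const char *field_at_offset(size_t off)
{
    for (size_t i = 0; i < NFIELDS; i++)
        if (off >= layout[i].off && off < layout[i].off + layout[i].size)
            return layout[i].name;
    return "past end";
}

/* Field holding the LAST byte of an `nbytes` write that starts at the
 * beginning of field `from`; an in-bounds write returns `from` itself. */
const char *overrun_lands_in(const char *from, size_t nbytes)
{
    for (size_t i = 0; i < NFIELDS; i++)
        if (strcmp(layout[i].name, from) == 0)
            return field_at_offset(layout[i].off + nbytes - 1);
    return "unknown field";
}

/* Free the history the way close_socket does, but null each slot and the
 * array pointer afterwards. Returns how many entries were freed; calling it
 * again on the same descriptor finds nothing and returns 0. */
int free_history(struct descriptor_data *d)
{
    int freed = 0;
    if (!d->history)
        return 0;
    for (int cnt = 0; cnt < HISTORY_SIZE; cnt++) {
        if (d->history[cnt]) {
            free(d->history[cnt]);
            d->history[cnt] = NULL;
            freed++;
        }
    }
    free(d->history);
    d->history = NULL;
    d->history_pos = 0;
    return freed;
}

static char *dup_str(const char *s)
{
    char *p = malloc(strlen(s) + 1);
    if (p) strcpy(p, s);
    return p;
}

/* Test fixture: a zeroed descriptor with `n` constructed history entries. */
struct descriptor_data *make_descriptor(int n)
{
    struct descriptor_data *d = calloc(1, sizeof *d);
    d->history = calloc(HISTORY_SIZE, sizeof(char *));
    for (int i = 0; i < n && i < HISTORY_SIZE; i++)
        d->history[i] = dup_str("look");   /* constructed sample command */
    return d;
}

int main(void)
{
    size_t n = MAX_INPUT_LENGTH + SMALL_BUFSIZE + sizeof(char *) + 1;
    printf("a %zu-byte write from last_input ends in: %s\n",
           n, overrun_lands_in("last_input", n));
    struct descriptor_data *d = make_descriptor(3);
    int first = free_history(d), second = free_history(d);
    printf("first cleanup freed %d entries, second freed %d\n", first, second);
    free(d);
    return 0;
}
```

The overrun mapping is what you would check against the values printed by `print *d` in frame 6: if last_input or small_outbuf holds more bytes than its declared size, the trailing bytes of that string are the "garbage" now sitting in d->history. The nulling cleanup does not fix the overflow, but it turns a later double free into a no-op, which is the cheap hardening to apply while the real bug is hunted.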
18 Dec 2024 21:19 #10469 by JTP
Replied by JTP on topic Core dump content
The weird part is, though, that I have never changed any of comm.c; it's stock.
