Welcome to the Builder Academy

Question double free error

More
21 Sep 2022 12:37 #10157 by prool
double free error was created by prool
Hello, colleagues!

I'm compiling current version of tbaMUD from git

and run in my test server.

After 2 days MUD is crashed with strange error:

double free error or corruption

I'm repeat crash with gdb and look line of error:

File comm.c

after comment /* Clear the command history */

Statement

if (d->history[cnt])
        free(d->history[cnt]);  // <- crash here, says sir gdb

Line # 2103 in original codeI don't know how to fix it

With best regards,

Serge "Prool" Pustovoitoff

With best regards, Prool

Please Log in or Create an account to join the conversation.

More
21 Sep 2022 19:38 - 21 Sep 2022 19:38 #10158 by thomas
Replied by thomas on topic double free error
Hi Serge,

This problem should not arise. I mean, this is code that's been running for decades, literally, with no problem on other machines. So, it's probably a symptom of something else failing somewhere else in the code, causing this code to be run twice on the same structure.

I think it is a good start what you're listing here, but please read this www.tbamud.com/forum/4-development/6-debugging-tutorial-for-gdb for a better description of how to use gdb.
I would very much like to know the output of print *d and print d->history as well as info local to be able to offer any help here.

Some questions I would want answered: could this be an already free'd descriptor_data? Which index of the history array are we freeing? What was in the rest of this array?
Last edit: 21 Sep 2022 19:38 by thomas.

Please Log in or Create an account to join the conversation.

More
24 Sep 2022 09:38 #10162 by prool
Replied by prool on topic double free error
Thank you for good response.

I'm waiting of another crash...

With best regards, Prool

Please Log in or Create an account to join the conversation.

More
15 Dec 2022 17:41 #10240 by prool
Replied by prool on topic double free error
2 month, 3 weeks...

I couldn't repeat the mistake.

Perhaps it was a random long sequence of bytes into the port from random internet spider...

With best regards, Prool

Please Log in or Create an account to join the conversation.

More
15 May 2023 22:06 #10334 by prool
Replied by prool on topic double free error
I'm repeat this crash! :)

MUD write message "free(): invalid pointer"

Crash in the same statement

if (d->history[cnt])
free(d->history[cnt]);

gdb outputs:


bt

(gdb) bt
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1 0x00007ffff7dae859 in __GI_abort () at abort.c:79
#2 0x00007ffff7e1929e in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff7f43298 "%s\n")
at ../sysdeps/posix/libc_fatal.c:155
#3 0x00007ffff7e2132c in malloc_printerr (str=str@entry=0x7ffff7f414c1 "free(): invalid pointer") at malloc.c:5347
#4 0x00007ffff7e22b5c in _int_free (av=<optimized out>, p=<optimized out>, have_lock=0) at malloc.c:4173
#5 0x00005555555b9a91 in close_socket (d=0x555556b6c2c0) at comm.c:2111
#6 0x00005555555bb398 in game_loop (local_mother_desc=3) at comm.c:917
#7 0x0000555555566319 in init_game (local_port=<optimized out>) at comm.c:544
#8 main (argc=2, argv=<optimized out>) at comm.c:355
(gdb)

up
up
up


(gdb) print d->history
$2 = (char **) 0x555556af52c0

(gdb) info local
cnt = <optimized out>
temp = <optimized out>

(gdb) print *d
$1 = {descriptor = 1454777824, host = "UU\000\000\340\213\367\367\377\177", '\000' <repeats 30 times>, bad_pws = 0 '\000',
idle_tics = 0 '\000', connected = 32, desc_num = 256, login_time = 1684182582, showstr_head = 0x0, showstr_vector = 0x0,
showstr_count = 0, showstr_page = 0, str = 0x0, backstr = 0x0, max_str = 0, mail_to = 0, has_prompt = 0,
inbuf = "\000ET / HTTP/1.1\r\nHost: 195.123.245.173:8888\r\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:47.0) Gecko/20100101 Firefox/47.0\r\nAccept: */*\r\nConnection: keep-alive\r\n\r\n", '\000' <repeats 12108 times>,
last_input = "Connection: keep-alive\000 (Macintosh; Intel Mac OS X 10.11; rv:47.0) Gecko/20100101 Firefox/47.0", '\000' <repeats 417 times>,
small_outbuf = "Attempting to Detect Client, Please Wait...\r\n\377\375\030Collecting Protocol Information... Please Wait.\r\n", '\000' <repeats 926 times>,
output = 0x555556b6f53c "Attempting to Detect Client, Please Wait...\r\n\377\375\030Collecting Protocol Information... Please Wait.\r\n",
history = 0x555556af52c0, history_pos = 0, bufptr = 97, bufspace = 926, large_outbuf = 0x0, input = {head = 0x0, tail = 0x555556b625b0},
character = 0x0, original = 0x0, snooping = 0x0, snoop_by = 0x0, next = 0x0, olc = 0x0, pProtocol = 0x555556b75270, events = 0x3700}


This is very very strange.

195.123.245.173 - is IP of my MUD server, 8888 - is my port

Maybe, it is request from browser? (by URL " 195.123.245.173:8888 ")

Or from mud catalogue with watchdog or web interface? (similar to mudconnector or grapevine)

With best regards, Serge "Prool" Pustovoitoff

With best regards, Prool

Please Log in or Create an account to join the conversation.

More
16 May 2023 06:09 #10335 by thomas
Replied by thomas on topic double free error
Some time in the past a web browser has connected, yes. And you're reusing that memory. But your inbuf starts with NULL, so it's just a regular connect.
What is the output of this command?

print *(d->history)

Please Log in or Create an account to join the conversation.

Time to create page: 0.676 seconds