
Question: double free error

21 Sep 2022 12:37 #10157 by prool
double free error was created by prool
Hello, colleagues!

I'm compiling the current version of tbaMUD from git and running it on my test server.

After 2 days the MUD crashed with a strange error:

double free error or corruption

I repeated the crash under gdb and looked at the line of the error:

File comm.c

after comment /* Clear the command history */

Statement

if (d->history[cnt])
        free(d->history[cnt]);  // <- crash here, says sir gdb

Line # 2103 in the original code. I don't know how to fix it.

With best regards,

Serge "Prool" Pustovoitoff

With best regards, Prool

21 Sep 2022 19:38 - 21 Sep 2022 19:38 #10158 by thomas
Replied by thomas on topic double free error
Hi Serge,

This problem should not arise. I mean, this is code that's been running for decades, literally, with no problem on other machines. So, it's probably a symptom of something else failing somewhere else in the code, causing this code to be run twice on the same structure.

What you're listing here is a good start, but please read www.tbamud.com/forum/4-development/6-debugging-tutorial-for-gdb for a better description of how to use gdb.
I would very much like to know the output of print *d and print d->history, as well as info local, to be able to offer any help here.

Some questions I would want answered: could this be an already freed descriptor_data? Which index of the history array are we freeing? What was in the rest of this array?
Last edit: 21 Sep 2022 19:38 by thomas.
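Added example (not tbaMUD's code; the struct desc_hist, HISTORY_SIZE and the function names are hypothetical stand-ins) showing a teardown of a per-descriptor history array that cannot double free even when it is run twice on the same structure, which is the failure mode suspected above. It also clears the alias case where one string pointer sits in two slots; that is an assumption about a possible cause, not something this thread established.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup */
#include <stdlib.h>
#include <string.h>
/* Hypothetical stand-ins: tbaMUD's real descriptor_data and history size are not reproduced. */
#define HISTORY_SIZE 5
struct desc_hist {
    char **history;   /* ring buffer of strdup'd command lines, NULL in unused slots */
    int history_pos;  /* next slot to overwrite */
};
/* Store a command line, freeing whatever the slot held before (free(NULL) is a no-op). */
static void add_history(struct desc_hist *d, const char *line)
{
    free(d->history[d->history_pos]);
    d->history[d->history_pos] = strdup(line);
    d->history_pos = (d->history_pos + 1) % HISTORY_SIZE;
}

/* Defensive teardown: every distinct string is freed exactly once, each slot is cleared
 * as it is released, and a second call on the same descriptor is a harmless no-op.
 * Returns the number of strings freed. */
static int free_history(struct desc_hist *d)
{
    int freed = 0;
    if (!d->history) return 0;           /* already torn down: nothing to do */
    for (int cnt = 0; cnt < HISTORY_SIZE; cnt++) {
        char *p = d->history[cnt];
        if (!p) continue;
        for (int j = cnt + 1; j < HISTORY_SIZE; j++)
            if (d->history[j] == p)      /* same pointer stored twice: drop the alias */
                d->history[j] = NULL;
        free(p);
        d->history[cnt] = NULL;          /* never leave a dangling pointer behind */
        freed++;
    }
    free(d->history);
    d->history = NULL;
    return freed;
}
/* Constructed scenario: two commands, one slot aliased by a bug, then two close calls. */
static int demo(int *second_pass)
{
    struct desc_hist d = { calloc(HISTORY_SIZE, sizeof(char *)), 0 };
    if (!d.history) return -1;
    add_history(&d, "look");
    add_history(&d, "north");
    d.history[3] = d.history[0];         /* constructed bug: one string owned by two slots */
    int first = free_history(&d);        /* frees 2 distinct strings, no double free */
    *second_pass = free_history(&d);     /* 0: nothing left, no crash on the second pass */
    return first;
}
```

Running the same scenario under gdb with a watchpoint on d->history[cnt] is the quickest way to see which code path writes a slot twice.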

24 Sep 2022 09:38 #10162 by prool
Replied by prool on topic double free error
Thank you for the good response.

I'm waiting for another crash...

With best regards, Prool

15 Dec 2022 17:41 #10240 by prool
Replied by prool on topic double free error
2 months, 3 weeks...

I couldn't reproduce the error.

Perhaps it was a random long sequence of bytes sent to the port by some random internet spider...

With best regards, Prool

15 May 2023 22:06 #10334 by prool
Replied by prool on topic double free error
I repeated this crash! :)

The MUD writes the message "free(): invalid pointer"

Crash in the same statement:

if (d->history[cnt])
        free(d->history[cnt]);

gdb outputs:

(gdb) bt
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1 0x00007ffff7dae859 in __GI_abort () at abort.c:79
#2 0x00007ffff7e1929e in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff7f43298 "%s\n")
at ../sysdeps/posix/libc_fatal.c:155
#3 0x00007ffff7e2132c in malloc_printerr (str=str@entry=0x7ffff7f414c1 "free(): invalid pointer") at malloc.c:5347
#4 0x00007ffff7e22b5c in _int_free (av=<optimized out>, p=<optimized out>, have_lock=0) at malloc.c:4173
#5 0x00005555555b9a91 in close_socket (d=0x555556b6c2c0) at comm.c:2111
#6 0x00005555555bb398 in game_loop (local_mother_desc=3) at comm.c:917
#7 0x0000555555566319 in init_game (local_port=<optimized out>) at comm.c:544
#8 main (argc=2, argv=<optimized out>) at comm.c:355
(gdb)

(gdb) up
(gdb) up
(gdb) up

(gdb) print d->history
$2 = (char **) 0x555556af52c0

(gdb) info local
cnt = <optimized out>
temp = <optimized out>

(gdb) print *d
$1 = {descriptor = 1454777824, host = "UU\000\000\340\213\367\367\377\177", '\000' <repeats 30 times>, bad_pws = 0 '\000',
idle_tics = 0 '\000', connected = 32, desc_num = 256, login_time = 1684182582, showstr_head = 0x0, showstr_vector = 0x0,
showstr_count = 0, showstr_page = 0, str = 0x0, backstr = 0x0, max_str = 0, mail_to = 0, has_prompt = 0,
inbuf = "\000ET / HTTP/1.1\r\nHost: 195.123.245.173:8888\r\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:47.0) Gecko/20100101 Firefox/47.0\r\nAccept: */*\r\nConnection: keep-alive\r\n\r\n", '\000' <repeats 12108 times>,
last_input = "Connection: keep-alive\000 (Macintosh; Intel Mac OS X 10.11; rv:47.0) Gecko/20100101 Firefox/47.0", '\000' <repeats 417 times>,
small_outbuf = "Attempting to Detect Client, Please Wait...\r\n\377\375\030Collecting Protocol Information... Please Wait.\r\n", '\000' <repeats 926 times>,
output = 0x555556b6f53c "Attempting to Detect Client, Please Wait...\r\n\377\375\030Collecting Protocol Information... Please Wait.\r\n",
history = 0x555556af52c0, history_pos = 0, bufptr = 97, bufspace = 926, large_outbuf = 0x0, input = {head = 0x0, tail = 0x555556b625b0},
character = 0x0, original = 0x0, snooping = 0x0, snoop_by = 0x0, next = 0x0, olc = 0x0, pProtocol = 0x555556b75270, events = 0x3700}


This is very, very strange.

195.123.245.173 is the IP of my MUD server, 8888 is my port.

Maybe it is a request from a browser? (via the URL " 195.123.245.173:8888 ")

Or from a MUD catalogue with a watchdog or web interface? (similar to mudconnector or grapevine)

With best regards, Serge "Prool" Pustovoitoff

With best regards, Prool

16 May 2023 06:09 #10335 by thomas
Replied by thomas on topic double free error
Some time in the past a web browser has connected, yes. And you're reusing that memory. But your inbuf starts with NULL, so it's just a regular connect.
What is the output of this command?

print *(d->history)
