aMule Bug Tracker - aMule
View Issue Details
ID: 0001404
Project: aMule
Category: Transfer
View Status: public
Date Submitted: 2008-09-07 02:42
Last Update: 2010-01-30 21:25
Reporter: u294
Assigned To: sturedman
Priority: normal
Severity: crash
Reproducibility: sometimes
Status: resolved
Resolution: fixed
Product Version: SVN
Operating System: Any
0001404: Crash in specific circumstances when remote peer behaves in specially crafted manner
While downloading certain files, aMule may crash if certain peers are encountered. Exact details are not known, but to me it looks like the crash may be caused by a remote peer.

It appears that before the crash, usually the following happens:
1) You're downloading some popular file.
2) Then someone is going to interfere with this.
3) A certain malicious peer at some point begins uploading to you. The peer looks like a normal eMule 0.49b, but instead of sending correct data, the peer sends some full 9.27 Mb chunk with totally incorrect data. The hash check fails.
4) Then, AICH does not seem to come into play for totally corrupt parts.
5) The part is re-downloaded again and again. The malicious peer sends the corrupt data part again and again, without getting banned. The data seems to vary, since the obtained hash is always different (and mismatches the expected hash), and this data is well-compressible, so the peer sends at low speed but still manages to flood you with the corrupted chunk again and again quickly.
6) Actually, aMule sticks to re-downloading the corrupt chunk from this malicious peer. If there are other non-malicious peers, the download MAY progress further, and AICH will even work for parts where not all data is bad. But...
7) ...but if the malicious peer does the trick long enough, it looks like this leads to an aMule crash.

The crash always looks very similar. A certain part of the code crashes; it looks like the remote peer manages to cause a null-pointer access. The crash happens in both aMule SVN and 2.2.2.

Debug info from GDB follows; the SVN version from 06.09.2008 was used, but I have a bunch of similar traces for the 2.2.2 release.


2008-09-07 04:00:27: PartFile.cpp(2418): PartFiles: Testfile.dat: Expected part-hash: F6A6B49FE02BEC6EFDECF7655A6426F2
2008-09-07 04:00:27: PartFile.cpp(2419): PartFiles: Testfile.dat: Actual part-hash: A93DAB577CDD7522E087213EAA67CF2E
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7f17c7daf780 (LWP 17666)]
0x0000000000466ddf in CUpDownClient::ClearDownloadBlockRequests (this=0x79627a0) at BaseClient.cpp:1179
1179 m_reqfile->RemoveBlockFromList(cur_block->StartOffset, cur_block->EndOffset);
(gdb) bt
#0 0x0000000000466ddf in CUpDownClient::ClearDownloadBlockRequests (this=0x79627a0) at BaseClient.cpp:1179
#1 0x00000000004673cb in CUpDownClient::Disconnected (this=0x79627a0, strReason=@0x7fffcfdeca00, bFromSocket=false) at BaseClient.cpp:1243
#2 0x000000000047a469 in CClientList::ProcessDirectCallbackList (this=0xf58240) at ClientList.cpp:1113
#3 0x000000000047e02b in CClientList::Process (this=0xf58240) at ClientList.cpp:748
#4 0x0000000000456c21 in CamuleApp::OnCoreTimer (this=0xe59870) at amule.cpp:1467
#5 0x00007f17c62de72d in wxEvtHandler::ProcessEventIfMatches () from /usr/lib/libwx_baseu-2.8.so.0
#6 0x00007f17c62de8ec in wxEventHashTable::HandleEvent () from /usr/lib/libwx_baseu-2.8.so.0
#7 0x00007f17c62dea2d in wxEvtHandler::ProcessEvent () from /usr/lib/libwx_baseu-2.8.so.0
#8 0x00007f17c62deefc in wxEvtHandler::ProcessPendingEvents () from /usr/lib/libwx_baseu-2.8.so.0
#9 0x00007f17c6246a1e in wxAppConsole::ProcessPendingEvents () from /usr/lib/libwx_baseu-2.8.so.0
#10 0x00007f17c69f75e6 in wxAppBase::ProcessIdle () from /usr/lib/libwx_gtk2u_core-2.8.so.0
#11 0x00007f17c694e064 in ?? () from /usr/lib/libwx_gtk2u_core-2.8.so.0
#12 0x00007f17c3b273d4 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#13 0x00007f17c3b2a6e5 in ?? () from /usr/lib/libglib-2.0.so.0
#14 0x00007f17c3b2aa05 in g_main_loop_run () from /usr/lib/libglib-2.0.so.0
#15 0x00007f17c5062f03 in gtk_main () from /usr/lib/libgtk-x11-2.0.so.0
#16 0x00007f17c696501d in wxEventLoop::Run () from /usr/lib/libwx_gtk2u_core-2.8.so.0
#17 0x00007f17c69f758b in wxAppBase::MainLoop () from /usr/lib/libwx_gtk2u_core-2.8.so.0
#18 0x00007f17c627d19c in wxEntry () from /usr/lib/libwx_baseu-2.8.so.0
#19 0x000000000062129a in main (argc=2, argv=0x7fffcfded2c8) at amule-gui.cpp:95
(gdb) bt full
#0 0x0000000000466ddf in CUpDownClient::ClearDownloadBlockRequests (this=0x79627a0) at BaseClient.cpp:1179
        cur_block = (Requested_Block_Struct *) 0x0
        it = {<__gnu_debug::_Safe_iterator_base> = {_M_sequence = 0x7962a38, _M_version = 83958208, _M_prior = 0x0, _M_next = 0x5011940}, _M_current = {_M_node = 0x50118c0}}
#1 0x00000000004673cb in CUpDownClient::Disconnected (this=0x79627a0, strReason=@0x7fffcfdeca00, bFromSocket=false) at BaseClient.cpp:1243
        bDelete = false
#2 0x000000000047a469 in CClientList::ProcessDirectCallbackList (this=0xf58240) at ClientList.cpp:1113
        it2 = {<__gnu_debug::_Safe_iterator_base> = {_M_sequence = 0xf58500, _M_version = 0, _M_prior = 0x0, _M_next = 0x7fffcfdec9d0}, _M_current = {_M_node = 0x943ccd0}}
        curClient = (CUpDownClient *) 0x79627a0
        it = {<__gnu_debug::_Safe_iterator_base> = {_M_sequence = 0xf58500, _M_version = 1, _M_prior = 0x7fffcfdec970, _M_next = 0x0}, _M_current = {_M_node = 0xf584f0}}
        cur_tick = 974916251
#3 0x000000000047e02b in CClientList::Process (this=0xf58240) at ClientList.cpp:748
        cur_tick = 974916251
        buddy = Connected
        current_it = {<__gnu_debug::_Safe_iterator_base> = {_M_sequence = 0xf584a0, _M_version = 1, _M_prior = 0x0, _M_next = 0x0}, _M_current = {_M_node = 0xf58478}}
#4 0x0000000000456c21 in CamuleApp::OnCoreTimer (this=0xe59870) at amule.cpp:1467
        msCur = 6774177
        msPrev1 = 6774177
        msPrev5 = 6772568
        msPrevSave = 6729069
        msPrevHist = 6774000
        msPrevOS = 6772568
        msPrevKnownMet = 5400184
#5 0x00007f17c62de72d in wxEvtHandler::ProcessEventIfMatches () from /usr/lib/libwx_baseu-2.8.so.0
No symbol table info available.
#6 0x00007f17c62de8ec in wxEventHashTable::HandleEvent () from /usr/lib/libwx_baseu-2.8.so.0
No symbol table info available.
#7 0x00007f17c62dea2d in wxEvtHandler::ProcessEvent () from /usr/lib/libwx_baseu-2.8.so.0
No symbol table info available.
#8 0x00007f17c62deefc in wxEvtHandler::ProcessPendingEvents () from /usr/lib/libwx_baseu-2.8.so.0
No symbol table info available.
#9 0x00007f17c6246a1e in wxAppConsole::ProcessPendingEvents () from /usr/lib/libwx_baseu-2.8.so.0
No symbol table info available.
#10 0x00007f17c69f75e6 in wxAppBase::ProcessIdle () from /usr/lib/libwx_gtk2u_core-2.8.so.0
No symbol table info available.
#11 0x00007f17c694e064 in ?? () from /usr/lib/libwx_gtk2u_core-2.8.so.0
No symbol table info available.
#12 0x00007f17c3b273d4 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
No symbol table info available.
#13 0x00007f17c3b2a6e5 in ?? () from /usr/lib/libglib-2.0.so.0
No symbol table info available.
#14 0x00007f17c3b2aa05 in g_main_loop_run () from /usr/lib/libglib-2.0.so.0
No symbol table info available.
#15 0x00007f17c5062f03 in gtk_main () from /usr/lib/libgtk-x11-2.0.so.0
No symbol table info available.
#16 0x00007f17c696501d in wxEventLoop::Run () from /usr/lib/libwx_gtk2u_core-2.8.so.0
No symbol table info available.
#17 0x00007f17c69f758b in wxAppBase::MainLoop () from /usr/lib/libwx_gtk2u_core-2.8.so.0
No symbol table info available.
#18 0x00007f17c627d19c in wxEntry () from /usr/lib/libwx_baseu-2.8.so.0
No symbol table info available.
#19 0x000000000062129a in main (argc=2, argv=0x7fffcfded2c8) at amule-gui.cpp:95
No locals.
(gdb) thread apply all bt

Thread 5 (Thread 0x40c1f950 (LWP 17686)):
#0 0x00007f17c79bde1d in pthread_cond_timedwait@@GLIBC_2.3.2 () from /lib/libpthread.so.0
#1 0x00007f17c62dc0d9 in wxConditionInternal::WaitTimeout () from /usr/lib/libwx_baseu-2.8.so.0
#2 0x00007f17c62dc9ae in wxSemaphoreInternal::WaitTimeout () from /usr/lib/libwx_baseu-2.8.so.0
#3 0x000000000074459e in CTimerThread::Entry (this=0xea3cf0) at Timer.cpp:64
#4 0x00007f17c62dd23a in wxThreadInternal::PthreadStart () from /usr/lib/libwx_baseu-2.8.so.0
#5 0x00007f17c79b93f7 in start_thread () from /lib/libpthread.so.0
#6 0x00007f17c57c7b2d in clone () from /lib/libc.so.6
#7 0x0000000000000000 in ?? ()

Thread 3 (Thread 0x41c70950 (LWP 17684)):
#0 0x00007f17c79c0e81 in nanosleep () from /lib/libpthread.so.0
#1 0x00007f17c62e262c in wxMicroSleep () from /usr/lib/libwx_baseu-2.8.so.0
#2 0x00000000005a4428 in UploadBandwidthThrottler::Entry (this=0x5135d40) at UploadBandwidthThrottler.cpp:324
#3 0x00007f17c62dd23a in wxThreadInternal::PthreadStart () from /usr/lib/libwx_baseu-2.8.so.0
#4 0x00007f17c79b93f7 in start_thread () from /lib/libpthread.so.0
#5 0x00007f17c57c7b2d in clone () from /lib/libc.so.6
#6 0x0000000000000000 in ?? ()

Thread 1 (Thread 0x7f17c7daf780 (LWP 17666)):
#0 0x0000000000466ddf in CUpDownClient::ClearDownloadBlockRequests (this=0x79627a0) at BaseClient.cpp:1179
#1 0x00000000004673cb in CUpDownClient::Disconnected (this=0x79627a0, strReason=@0x7fffcfdeca00, bFromSocket=false) at BaseClient.cpp:1243
#2 0x000000000047a469 in CClientList::ProcessDirectCallbackList (this=0xf58240) at ClientList.cpp:1113
#3 0x000000000047e02b in CClientList::Process (this=0xf58240) at ClientList.cpp:748
#4 0x0000000000456c21 in CamuleApp::OnCoreTimer (this=0xe59870) at amule.cpp:1467
#5 0x00007f17c62de72d in wxEvtHandler::ProcessEventIfMatches () from /usr/lib/libwx_baseu-2.8.so.0
#6 0x00007f17c62de8ec in wxEventHashTable::HandleEvent () from /usr/lib/libwx_baseu-2.8.so.0
#7 0x00007f17c62dea2d in wxEvtHandler::ProcessEvent () from /usr/lib/libwx_baseu-2.8.so.0
#8 0x00007f17c62deefc in wxEvtHandler::ProcessPendingEvents () from /usr/lib/libwx_baseu-2.8.so.0
#9 0x00007f17c6246a1e in wxAppConsole::ProcessPendingEvents () from /usr/lib/libwx_baseu-2.8.so.0
#10 0x00007f17c69f75e6 in wxAppBase::ProcessIdle () from /usr/lib/libwx_gtk2u_core-2.8.so.0
#11 0x00007f17c694e064 in ?? () from /usr/lib/libwx_gtk2u_core-2.8.so.0
#12 0x00007f17c3b273d4 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#13 0x00007f17c3b2a6e5 in ?? () from /usr/lib/libglib-2.0.so.0
#14 0x00007f17c3b2aa05 in g_main_loop_run () from /usr/lib/libglib-2.0.so.0
#15 0x00007f17c5062f03 in gtk_main () from /usr/lib/libgtk-x11-2.0.so.0
#16 0x00007f17c696501d in wxEventLoop::Run () from /usr/lib/libwx_gtk2u_core-2.8.so.0
#17 0x00007f17c69f758b in wxAppBase::MainLoop () from /usr/lib/libwx_gtk2u_core-2.8.so.0
#18 0x00007f17c627d19c in wxEntry () from /usr/lib/libwx_baseu-2.8.so.0
#19 0x000000000062129a in main (argc=2, argv=0x7fffcfded2c8) at amule-gui.cpp:95
(gdb)
The crash happens after some run time. You must have certain evildoer peer(s) as source(s), and the evildoer should then start uploading corrupt chunks to you. The evildoer should manage to upload a full corrupt chunk to you several times, and do this several times in a row quickly enough (unfortunately, the evildoer peer sticks to exactly this behavior). Otherwise aMule runs fine for whole days.

This crash is pretty typical, and I believe that someone has found a nasty flaw in this code. Maybe a toggling race condition or some other bug.
No tags attached.
Issue History
2008-09-07 02:42  u294       New Issue
2008-09-07 02:42  u294       Operating System => Any
2008-09-07 05:06  u294       Note Added: 0002945
2008-11-07 09:59  sturedman  Note Added: 0002983
2008-11-07 09:59  sturedman  Assigned To => sturedman
2008-11-07 09:59  sturedman  Status: new => acknowledged
2008-11-07 10:01  sturedman  Note Added: 0002984
2009-01-07 22:46  sturedman  Note Added: 0003040
2009-01-07 22:49  sturedman  Note Added: 0003041
2009-04-20 03:59  u294       Note Added: 0003121
2010-01-30 21:25  sturedman  Note Added: 0003376
2010-01-30 21:25  sturedman  Status: acknowledged => resolved
2010-01-30 21:25  sturedman  Resolution: open => fixed
2010-01-30 21:25  sturedman  Product Version: 2.2.2 => SVN

Notes
(0002945)
u294   
2008-09-07 05:06   
Btw: I'm running aMule on multi-core machine.
(0002983)
sturedman   
2008-11-07 09:59   
I've made a possible patch (for the crash only)
(0002984)
sturedman   
2008-11-07 10:01   
... too bad I can't attach it. >:(
(0003040)
sturedman   
2009-01-07 22:46   
Patch is in SVN and does NOT solve the problem. Open again.
(0003041)
sturedman   
2009-01-07 22:49   
See http://www.amule.org/amule/index.php?topic=15960.0 for backtrace.
No clue about the reason though.
(0003121)
u294   
2009-04-20 03:59   
As for me, this crash appears to be gone in recent versions. I have not seen this issue in a while; I tried with a ton of files and thousands and thousands of peers. It does not reproduce for me - I never managed to get such crashes again since some aMule version. I tried with hundreds of files and tens of thousands of peers - that used to be enough to crash aMule in 24h or so, now it does not crash.
(0003376)
sturedman   
2010-01-30 21:25   
Fixed in 9989. Hopefully.

The problem was that a client already scheduled for deletion was added to the DirectCallbackList and later accessed after it was deleted.
It seems to happen only with certain clients, but I think it was just unlucky timing and no bad intention.
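The lifetime bug described in the closing note is a general pattern: one list owns the client objects, a second list (the direct-callback list) keeps references to them, and the deletion queue runs before the callback list is drained. Below is an added example, not aMule's code, that models that sequence and the three guards that close it: refusing new references to a client already scheduled for deletion, purging the client from every secondary list when it is destroyed, and resolving callbacks by client id at use time rather than through a stored raw pointer. All class names, the `hardened` switch, and the event order are hypothetical; the block is memory-safe in both modes because the id lookup is always on, so the "dangling" count marks where raw-pointer code would have crashed.

```cpp
// Added example, not aMule's code. Names and the event sequence are hypothetical.
#include <iostream>
#include <list>
#include <map>
#include <memory>
#include <vector>

struct Block { unsigned start, end; };

struct Client {
    int id = 0;
    bool scheduledForDeletion = false;  // set once the client is handed to the delete queue
    std::vector<Block> pendingBlocks;   // block requests still outstanding on this peer
    // In real code this also walks the requested-file object; after a
    // use-after-free that pointer is garbage. Here the requests are just dropped.
    void clearDownloadBlockRequests() { pendingBlocks.clear(); }
};

struct Outcome {
    int callbacksRun = 0;       // callbacks that reached a live client
    int danglingCallbacks = 0;  // callbacks whose client had already been destroyed
};

class ClientList {
public:
    explicit ClientList(bool hardened) : hardened_(hardened) {}

    Client& add(int id) {
        auto c = std::make_unique<Client>();
        c->id = id;
        Client& ref = *c;
        clients_[id] = std::move(c);
        return ref;
    }

    void scheduleForDeletion(int id) {
        auto it = clients_.find(id);
        if (it == clients_.end()) return;
        it->second->scheduledForDeletion = true;
        deleteQueue_.push_back(id);
    }

    // Guard 1: a client on its way out must not gain new references.
    bool addDirectCallback(int id) {
        auto it = clients_.find(id);
        if (it == clients_.end()) return false;
        if (hardened_ && it->second->scheduledForDeletion) return false;
        directCallbacks_.push_back(id);
        return true;
    }

    // Guard 2: destroying a client purges it from every secondary list.
    void processDeleteQueue() {
        for (int id : deleteQueue_) {
            if (hardened_) directCallbacks_.remove(id);
            clients_.erase(id);  // the unique_ptr frees the object here
        }
        deleteQueue_.clear();
    }

    // Guard 3 (always on, to keep this model memory-safe): resolve the callback
    // target by id at use time, so a vanished client is counted, not dereferenced.
    Outcome processDirectCallbacks() {
        Outcome out;
        for (int id : directCallbacks_) {
            auto it = clients_.find(id);
            if (it == clients_.end()) { ++out.danglingCallbacks; continue; }
            it->second->clearDownloadBlockRequests();  // what a Disconnected() handler would do
            ++out.callbacksRun;
        }
        directCallbacks_.clear();
        return out;
    }

private:
    bool hardened_;
    std::map<int, std::unique_ptr<Client>> clients_;
    std::list<int> deleteQueue_;
    std::list<int> directCallbacks_;
};

// Hypothetical event order matching the note: the peer is scheduled for deletion,
// a callback for it is queued afterwards, and the core timer then runs the delete
// queue before draining the callback list.
Outcome simulate(bool hardened) {
    ClientList list(hardened);
    list.add(1).pendingBlocks.push_back({0, 9728000});  // constructed sample request
    list.add(2).pendingBlocks.push_back({0, 1024});
    list.scheduleForDeletion(1);
    list.addDirectCallback(1);  // accepted only in the unhardened build
    list.addDirectCallback(2);
    list.processDeleteQueue();  // client 1 is destroyed here
    return list.processDirectCallbacks();
}

int main() {
    Outcome bug = simulate(false), fixed = simulate(true);
    std::cout << "unhardened: dangling=" << bug.danglingCallbacks << "\n"
              << "hardened:   dangling=" << fixed.danglingCallbacks << "\n";
    return 0;
}
```

Guards 1 and 2 are the ones that matter for raw-pointer code such as the crashing frames above: either one alone stops the freed client from ever being reached through the callback list, and keeping both makes the invariant hold regardless of which list the core timer happens to process first.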