View Issue Details

ID | Project | Category | View Status | Date Submitted | Last Update
0001404 | aMule | Transfer | public | 2008-09-07 02:42 | 2010-01-30 21:25

Reporter | u294
Assigned To | sturedman
Priority | normal | Severity | crash | Reproducibility | sometimes
Status | resolved | Resolution | fixed
Platform | OS | OS Version
Product Version | SVN
Target Version | Fixed in Version
Summary | 0001404: Crash in specific circumstances when remote peer behaves in specially crafted manner
Description | During downloading of certain files aMule may crash if certain peers are encountered. Exact details are not known, but to me it looks like the crash may be caused by a remote peer. It appears that before a crash usually the following happens:

1) You're downloading some popular file.
2) Then someone is going to interfere with this.
3) A certain malicious peer at some point begins uploading to you. The peer looks like a normal eMule 0.49b but instead of sending correct data, the peer sends a full 9.27 MB chunk with totally incorrect data. Hash check fails.
4) Then AICH does not seem to be in play for totally corrupt parts.
5) The part is re-downloaded again and again. The malicious peer sends the corrupt data part again and again, without getting banned. The data seems to vary, since the obtained hash is always different (and mismatches the expected hash), and these data are well-compressible, so the peer sends at low speed but still manages to flood you with the corrupted chunk again and again quickly.
6) Actually, aMule sticks to re-downloading the corrupt chunk from this malicious peer. If there are other non-malicious peers, the download MAY progress further and AICH will even work for parts where not all data is bad. But...
7) ...but if the malicious peer does the trick long enough, it looks like this leads to an aMule crash. The crash always looks very similar. There is a certain part of the code that crashes; it looks like the remote peer manages to cause a null-pointer access. The crash happens in both aMule SVN and 2.2.2.

Debug info from GDB follows. The SVN version from 06.09.2008 was used, but I have a bunch of similar traces for the 2.2.2 release.

2008-09-07 04:00:27: PartFile.cpp(2418): PartFiles: Testfile.dat: Expected part-hash: F6A6B49FE02BEC6EFDECF7655A6426F2
2008-09-07 04:00:27: PartFile.cpp(2419): PartFiles: Testfile.dat: Actual part-hash: A93DAB577CDD7522E087213EAA67CF2E

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7f17c7daf780 (LWP 17666)]
0x0000000000466ddf in CUpDownClient::ClearDownloadBlockRequests (this=0x79627a0) at BaseClient.cpp:1179
1179        m_reqfile->RemoveBlockFromList(cur_block->StartOffset, cur_block->EndOffset);
(gdb) bt
#0  0x0000000000466ddf in CUpDownClient::ClearDownloadBlockRequests (this=0x79627a0) at BaseClient.cpp:1179
#1  0x00000000004673cb in CUpDownClient::Disconnected (this=0x79627a0, strReason=@0x7fffcfdeca00, bFromSocket=false) at BaseClient.cpp:1243
#2  0x000000000047a469 in CClientList::ProcessDirectCallbackList (this=0xf58240) at ClientList.cpp:1113
#3  0x000000000047e02b in CClientList::Process (this=0xf58240) at ClientList.cpp:748
#4  0x0000000000456c21 in CamuleApp::OnCoreTimer (this=0xe59870) at amule.cpp:1467
#5  0x00007f17c62de72d in wxEvtHandler::ProcessEventIfMatches () from /usr/lib/libwx_baseu-2.8.so.0
#6  0x00007f17c62de8ec in wxEventHashTable::HandleEvent () from /usr/lib/libwx_baseu-2.8.so.0
#7  0x00007f17c62dea2d in wxEvtHandler::ProcessEvent () from /usr/lib/libwx_baseu-2.8.so.0
#8  0x00007f17c62deefc in wxEvtHandler::ProcessPendingEvents () from /usr/lib/libwx_baseu-2.8.so.0
#9  0x00007f17c6246a1e in wxAppConsole::ProcessPendingEvents () from /usr/lib/libwx_baseu-2.8.so.0
#10 0x00007f17c69f75e6 in wxAppBase::ProcessIdle () from /usr/lib/libwx_gtk2u_core-2.8.so.0
#11 0x00007f17c694e064 in ?? () from /usr/lib/libwx_gtk2u_core-2.8.so.0
#12 0x00007f17c3b273d4 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#13 0x00007f17c3b2a6e5 in ?? () from /usr/lib/libglib-2.0.so.0
#14 0x00007f17c3b2aa05 in g_main_loop_run () from /usr/lib/libglib-2.0.so.0
#15 0x00007f17c5062f03 in gtk_main () from /usr/lib/libgtk-x11-2.0.so.0
#16 0x00007f17c696501d in wxEventLoop::Run () from /usr/lib/libwx_gtk2u_core-2.8.so.0
#17 0x00007f17c69f758b in wxAppBase::MainLoop () from /usr/lib/libwx_gtk2u_core-2.8.so.0
#18 0x00007f17c627d19c in wxEntry () from /usr/lib/libwx_baseu-2.8.so.0
#19 0x000000000062129a in main (argc=2, argv=0x7fffcfded2c8) at amule-gui.cpp:95
(gdb) bt full
#0  0x0000000000466ddf in CUpDownClient::ClearDownloadBlockRequests (this=0x79627a0) at BaseClient.cpp:1179
        cur_block = (Requested_Block_Struct *) 0x0
        it = {<__gnu_debug::_Safe_iterator_base> = {_M_sequence = 0x7962a38, _M_version = 83958208, _M_prior = 0x0, _M_next = 0x5011940}, _M_current = {_M_node = 0x50118c0}}
#1  0x00000000004673cb in CUpDownClient::Disconnected (this=0x79627a0, strReason=@0x7fffcfdeca00, bFromSocket=false) at BaseClient.cpp:1243
        bDelete = false
#2  0x000000000047a469 in CClientList::ProcessDirectCallbackList (this=0xf58240) at ClientList.cpp:1113
        it2 = {<__gnu_debug::_Safe_iterator_base> = {_M_sequence = 0xf58500, _M_version = 0, _M_prior = 0x0, _M_next = 0x7fffcfdec9d0}, _M_current = {_M_node = 0x943ccd0}}
        curClient = (CUpDownClient *) 0x79627a0
        it = {<__gnu_debug::_Safe_iterator_base> = {_M_sequence = 0xf58500, _M_version = 1, _M_prior = 0x7fffcfdec970, _M_next = 0x0}, _M_current = {_M_node = 0xf584f0}}
        cur_tick = 974916251
#3  0x000000000047e02b in CClientList::Process (this=0xf58240) at ClientList.cpp:748
        cur_tick = 974916251
        buddy = Connected
        current_it = {<__gnu_debug::_Safe_iterator_base> = {_M_sequence = 0xf584a0, _M_version = 1, _M_prior = 0x0, _M_next = 0x0}, _M_current = {_M_node = 0xf58478}}
#4  0x0000000000456c21 in CamuleApp::OnCoreTimer (this=0xe59870) at amule.cpp:1467
        msCur = 6774177
        msPrev1 = 6774177
        msPrev5 = 6772568
        msPrevSave = 6729069
        msPrevHist = 6774000
        msPrevOS = 6772568
        msPrevKnownMet = 5400184
#5  0x00007f17c62de72d in wxEvtHandler::ProcessEventIfMatches () from /usr/lib/libwx_baseu-2.8.so.0
No symbol table info available.
#6  0x00007f17c62de8ec in wxEventHashTable::HandleEvent () from /usr/lib/libwx_baseu-2.8.so.0
No symbol table info available.
#7  0x00007f17c62dea2d in wxEvtHandler::ProcessEvent () from /usr/lib/libwx_baseu-2.8.so.0
No symbol table info available.
#8  0x00007f17c62deefc in wxEvtHandler::ProcessPendingEvents () from /usr/lib/libwx_baseu-2.8.so.0
No symbol table info available.
#9  0x00007f17c6246a1e in wxAppConsole::ProcessPendingEvents () from /usr/lib/libwx_baseu-2.8.so.0
No symbol table info available.
#10 0x00007f17c69f75e6 in wxAppBase::ProcessIdle () from /usr/lib/libwx_gtk2u_core-2.8.so.0
No symbol table info available.
#11 0x00007f17c694e064 in ?? () from /usr/lib/libwx_gtk2u_core-2.8.so.0
No symbol table info available.
#12 0x00007f17c3b273d4 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
No symbol table info available.
#13 0x00007f17c3b2a6e5 in ?? () from /usr/lib/libglib-2.0.so.0
No symbol table info available.
#14 0x00007f17c3b2aa05 in g_main_loop_run () from /usr/lib/libglib-2.0.so.0
No symbol table info available.
#15 0x00007f17c5062f03 in gtk_main () from /usr/lib/libgtk-x11-2.0.so.0
No symbol table info available.
#16 0x00007f17c696501d in wxEventLoop::Run () from /usr/lib/libwx_gtk2u_core-2.8.so.0
No symbol table info available.
#17 0x00007f17c69f758b in wxAppBase::MainLoop () from /usr/lib/libwx_gtk2u_core-2.8.so.0
No symbol table info available.
#18 0x00007f17c627d19c in wxEntry () from /usr/lib/libwx_baseu-2.8.so.0
No symbol table info available.
#19 0x000000000062129a in main (argc=2, argv=0x7fffcfded2c8) at amule-gui.cpp:95
No locals.
(gdb) thread apply all bt

Thread 5 (Thread 0x40c1f950 (LWP 17686)):
#0  0x00007f17c79bde1d in pthread_cond_timedwait@@GLIBC_2.3.2 () from /lib/libpthread.so.0
#1  0x00007f17c62dc0d9 in wxConditionInternal::WaitTimeout () from /usr/lib/libwx_baseu-2.8.so.0
#2  0x00007f17c62dc9ae in wxSemaphoreInternal::WaitTimeout () from /usr/lib/libwx_baseu-2.8.so.0
#3  0x000000000074459e in CTimerThread::Entry (this=0xea3cf0) at Timer.cpp:64
#4  0x00007f17c62dd23a in wxThreadInternal::PthreadStart () from /usr/lib/libwx_baseu-2.8.so.0
#5  0x00007f17c79b93f7 in start_thread () from /lib/libpthread.so.0
#6  0x00007f17c57c7b2d in clone () from /lib/libc.so.6
#7  0x0000000000000000 in ?? ()

Thread 3 (Thread 0x41c70950 (LWP 17684)):
#0  0x00007f17c79c0e81 in nanosleep () from /lib/libpthread.so.0
#1  0x00007f17c62e262c in wxMicroSleep () from /usr/lib/libwx_baseu-2.8.so.0
#2  0x00000000005a4428 in UploadBandwidthThrottler::Entry (this=0x5135d40) at UploadBandwidthThrottler.cpp:324
#3  0x00007f17c62dd23a in wxThreadInternal::PthreadStart () from /usr/lib/libwx_baseu-2.8.so.0
#4  0x00007f17c79b93f7 in start_thread () from /lib/libpthread.so.0
#5  0x00007f17c57c7b2d in clone () from /lib/libc.so.6
#6  0x0000000000000000 in ?? ()

Thread 1 (Thread 0x7f17c7daf780 (LWP 17666)):
#0  0x0000000000466ddf in CUpDownClient::ClearDownloadBlockRequests (this=0x79627a0) at BaseClient.cpp:1179
#1  0x00000000004673cb in CUpDownClient::Disconnected (this=0x79627a0, strReason=@0x7fffcfdeca00, bFromSocket=false) at BaseClient.cpp:1243
#2  0x000000000047a469 in CClientList::ProcessDirectCallbackList (this=0xf58240) at ClientList.cpp:1113
#3  0x000000000047e02b in CClientList::Process (this=0xf58240) at ClientList.cpp:748
#4  0x0000000000456c21 in CamuleApp::OnCoreTimer (this=0xe59870) at amule.cpp:1467
#5  0x00007f17c62de72d in wxEvtHandler::ProcessEventIfMatches () from /usr/lib/libwx_baseu-2.8.so.0
#6  0x00007f17c62de8ec in wxEventHashTable::HandleEvent () from /usr/lib/libwx_baseu-2.8.so.0
#7  0x00007f17c62dea2d in wxEvtHandler::ProcessEvent () from /usr/lib/libwx_baseu-2.8.so.0
#8  0x00007f17c62deefc in wxEvtHandler::ProcessPendingEvents () from /usr/lib/libwx_baseu-2.8.so.0
#9  0x00007f17c6246a1e in wxAppConsole::ProcessPendingEvents () from /usr/lib/libwx_baseu-2.8.so.0
#10 0x00007f17c69f75e6 in wxAppBase::ProcessIdle () from /usr/lib/libwx_gtk2u_core-2.8.so.0
#11 0x00007f17c694e064 in ?? () from /usr/lib/libwx_gtk2u_core-2.8.so.0
#12 0x00007f17c3b273d4 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#13 0x00007f17c3b2a6e5 in ?? () from /usr/lib/libglib-2.0.so.0
#14 0x00007f17c3b2aa05 in g_main_loop_run () from /usr/lib/libglib-2.0.so.0
#15 0x00007f17c5062f03 in gtk_main () from /usr/lib/libgtk-x11-2.0.so.0
#16 0x00007f17c696501d in wxEventLoop::Run () from /usr/lib/libwx_gtk2u_core-2.8.so.0
#17 0x00007f17c69f758b in wxAppBase::MainLoop () from /usr/lib/libwx_gtk2u_core-2.8.so.0
#18 0x00007f17c627d19c in wxEntry () from /usr/lib/libwx_baseu-2.8.so.0
#19 0x000000000062129a in main (argc=2, argv=0x7fffcfded2c8) at amule-gui.cpp:95
(gdb)
Additional Information | The crash happens after some run time. You must have certain evildoer peer(s) as source(s), and the evildoer should then start uploading corrupt chunks to you. The evildoer should manage to upload a full corrupt chunk to you several times in a row, quickly enough (unfortunately, the evildoer peer sticks to exactly this behavior). Otherwise aMule runs fine for whole days. This crash is pretty typical, and I believe that someone has found a nasty flaw in this code. Maybe a toggling race condition or some other bug.
Tags | No tags attached.
Fixed in Revision |
Operating System | Any
Attached Files |

Notes
(0002945) u294 (reporter) 2008-09-07 05:06 |
Btw: I'm running aMule on multi-core machine. |
(0002983) sturedman (developer) 2008-11-07 09:59 |
I've made a possible patch (for the crash only) |
(0002984) sturedman (developer) 2008-11-07 10:01 |
... too bad I can't attach it. >:( |
(0003040) sturedman (developer) 2009-01-07 22:46 |
Patch is in SVN and does NOT solve the problem. Open again. |
(0003041) sturedman (developer) 2009-01-07 22:49 |
See http://www.amule.org/amule/index.php?topic=15960.0 for backtrace. No clue about the reason though.
(0003121) u294 (reporter) 2009-04-20 03:59 |
As for me, this crash appears to be gone in recent versions. Have not seen this issue in a while; tried with a ton of files and thousands and thousands of peers. Does not reproduce for me - never managed to get such crashes again since some aMule version. Tried with hundreds of files and tens of thousands of peers - it was enough to crash aMule in 24h or so; now it does not crash.
(0003376) sturedman (developer) 2010-01-30 21:25 |
Fixed in 9989. Hopefully. Problem was that a client already scheduled for deletion was added to the DirectCallbackList and later accessed after it was deleted. It seems to happen only with certain clients, but I think it was just unlucky timing and no bad intention. |
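The root cause given in the note above (a client already scheduled for deletion was still reachable from the DirectCallbackList and was touched after it had been freed) is an object-lifetime bug: two containers hold raw pointers to the same object, and only one of them is consulted when the object dies. The following is an added example, not aMule code, that models that lifecycle in reduced form. `ClientList`, `scheduleDeletion`, `addDirectCallback` and `Process` are hypothetical stand-ins for the aMule paths named in the backtrace. In `hardened` mode it applies the two checks a reviewer would want: refuse to enqueue a client that is already scheduled for deletion, and purge the callback list when a deletion is scheduled. Deletion is modelled with a `deleted` flag rather than a real `delete`, so a stale access is counted instead of being undefined behaviour.

```cpp
// Added example (not from aMule): reduced model of a deletion-queue vs.
// callback-list lifetime bug and the two checks that close it.
#include <cstdio>
#include <list>
#include <memory>
#include <vector>

struct Client {
    int id = 0;
    bool scheduledForDeletion = false;
    bool deleted = false;   // stands in for "the object has been freed"
};

class ClientList {
public:
    explicit ClientList(bool hardened) : m_hardened(hardened) {}

    Client* add(int id) {
        auto c = std::make_unique<Client>();
        c->id = id;
        m_clients.push_back(std::move(c));
        return m_clients.back().get();
    }

    // Mark a client for deletion; the object goes away on the next Process().
    void scheduleDeletion(Client* c) {
        c->scheduledForDeletion = true;
        m_deleteQueue.push_back(c);
        if (m_hardened) {
            // Check 1: a client whose lifetime is ending must not stay
            // reachable through any other list that will dereference it.
            m_directCallbacks.remove(c);
        }
    }

    // Queue a client for a direct callback on the next timer tick.
    bool addDirectCallback(Client* c) {
        if (m_hardened && c->scheduledForDeletion) {
            // Check 2: never enqueue a client that is already on its way out.
            return false;
        }
        m_directCallbacks.push_back(c);
        return true;
    }

    // One core-timer tick: free queued clients, then run the callbacks.
    // Returns how many callbacks touched an already-deleted client, i.e.
    // the accesses that would be use-after-free in a real program.
    int Process() {
        for (Client* c : m_deleteQueue) {
            c->deleted = true;   // the real code would 'delete c' here
        }
        m_deleteQueue.clear();

        int staleAccesses = 0;
        for (Client* c : m_directCallbacks) {
            if (c->deleted) { ++staleAccesses; continue; }
            // a live client would be disconnected / cleaned up here
        }
        m_directCallbacks.clear();
        return staleAccesses;
    }

private:
    bool m_hardened;
    std::vector<std::unique_ptr<Client>> m_clients;   // owns the objects
    std::vector<Client*> m_deleteQueue;               // non-owning
    std::list<Client*> m_directCallbacks;             // non-owning
};

// Runs one tick with a peer that is both scheduled for deletion and queued
// for a callback, in either order. Returns the stale-access count.
int runScenario(bool hardened, bool scheduleFirst) {
    ClientList list(hardened);
    Client* peer = list.add(1);
    Client* good = list.add(2);
    if (scheduleFirst) {
        list.scheduleDeletion(peer);
        list.addDirectCallback(peer);   // enqueued after being doomed
    } else {
        list.addDirectCallback(peer);   // doomed after being enqueued
        list.scheduleDeletion(peer);
    }
    list.addDirectCallback(good);
    return list.Process();
}

int main() {
    std::printf("unhardened: %d stale access(es)\n", runScenario(false, true));
    std::printf("hardened:   %d stale access(es)\n", runScenario(true, true));
    return 0;
}
```

Both orderings matter: check 2 alone leaves the enqueue-then-schedule path open, and check 1 alone leaves the schedule-then-enqueue path open, which is why a fix that touches only one of the two call sites can appear to work and still crash under the right timing. For finding this class of bug in the real program rather than a model, an AddressSanitizer build (`-fsanitize=address`) turns the same stale dereference into a deterministic report naming both the free site and the use site.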
Issue History
Date Modified | Username | Field | Change |
2008-09-07 02:42 | u294 | New Issue | |
2008-09-07 02:42 | u294 | Operating System | => Any |
2008-09-07 05:06 | u294 | Note Added: 0002945 | |
2008-11-07 09:59 | sturedman | Note Added: 0002983 | |
2008-11-07 09:59 | sturedman | Assigned To | => sturedman |
2008-11-07 09:59 | sturedman | Status | new => acknowledged |
2008-11-07 10:01 | sturedman | Note Added: 0002984 | |
2009-01-07 22:46 | sturedman | Note Added: 0003040 | |
2009-01-07 22:49 | sturedman | Note Added: 0003041 | |
2009-04-20 03:59 | u294 | Note Added: 0003121 | |
2010-01-30 21:25 | sturedman | Note Added: 0003376 | |
2010-01-30 21:25 | sturedman | Status | acknowledged => resolved |
2010-01-30 21:25 | sturedman | Resolution | open => fixed |
2010-01-30 21:25 | sturedman | Product Version | 2.2.2 => SVN |