
#1248 closed defect (fixed)

Double free on channel rejoin

Reported by: revmischa Owned by:
Priority: normal Milestone:
Component: BitlBee Version: devel
Keywords: Cc:
IRC client+version: Client-independent Operating System: Linux
OS version/distro: Centos7

Description

For some reason it keeps sending me JOIN #twitter_xyz over and over again. After a while it crashes.

recvfrom(17, "*\2\207u\3\317", 6, 0, NULL, NULL) = 6
recvfrom(17, "\0\r\0\t\0\0\0\0\0\24\0\2\0\1\21\0\3\0<\0\2\0\n\0\3\0\1\26\0\4\0\2"..., 975, 0, NULL, NULL) = 975
write(4, "\1\0\0\0\0\0\0\0", 8)         = 8
write(4, "\1\0\0\0\0\0\0\0", 8)         = 8
read(9, "JOIN #twitter_xyz \r\n", 512) = 28
write(4, "\1\0\0\0\0\0\0\0", 8)         = 8
write(4, "\1\0\0\0\0\0\0\0", 8)         = 8
read(9, "JOIN #twitter_xyz  \r\nJOIN"..., 512) = 112
write(4, "\1\0\0\0\0\0\0\0", 8)         = 8
read(4, 0x7fffba9c0be0, 16)             = -1 EAGAIN (Resource temporarily unavailable)
write(4, "\1\0\0\0\0\0\0\0", 8)         = 8
read(9, "JOIN #twitter_xyz \r\n", 512) = 28
write(4, "\1\0\0\0\0\0\0\0", 8)         = 8
write(4, "\1\0\0\0\0\0\0\0", 8)         = 8
getsockopt(24, SOL_SOCKET, SO_ERROR, [110], [4]) = 0
close(24)                               = 0
close(24)                               = -1 EBADF (Bad file descriptor)
open("/dev/tty", O_RDWR|O_NOCTTY|O_NONBLOCK) = -1 ENXIO (No such device or address)
writev(2, [{"*** Error in `", 14}, {"/usr/local/sbin/bitlbee", 23}, {"': ", 3}, {"double free or corruption (fastt"..., 35}, {": 0x", 4}, {"00007f59d13352f0", 16}, {" ***\n", 5}], 7) = 100
Feb 09 15:56:36 [redacted] bitlbee[17918]: *** Error in `/usr/local/sbin/bitlbee': double free or corruption (fasttop): 0x00007f59d13352f0 ***

git version: db5ef3a204c3a518adb7cedde0ffb067d6336add

Attachments (0)

Change History (4)

comment:1 Changed at 2016-02-10T00:23:16Z by anonymous

Feb 09 15:56:36 foo.com bitlbee[17918]: ======= Backtrace: =========
Feb 09 15:56:36 foo.com bitlbee[17918]: /lib64/libc.so.6(+0x7cfe1)[0x7f59ce314fe1]
Feb 09 15:56:36 foo.com bitlbee[17918]: /lib64/libglib-2.0.so.0(g_free+0xf)[0x7f59cf6b637f]
Feb 09 15:56:36 foo.com bitlbee[17918]: /usr/local/sbin/bitlbee(+0x3f01b)[0x7f59d010701b]
Feb 09 15:56:36 foo.com bitlbee[17918]: /usr/local/sbin/bitlbee(+0x3f1f0)[0x7f59d01071f0]
Feb 09 15:56:36 foo.com bitlbee[17918]: /usr/local/sbin/bitlbee(+0x373fd)[0x7f59d00ff3fd]
Feb 09 15:56:36 foo.com bitlbee[17918]: /lib64/libglib-2.0.so.0(g_main_context_dispatch+0x15a)[0x7f59cf6b07aa]
Feb 09 15:56:36 foo.com bitlbee[17918]: /lib64/libglib-2.0.so.0(+0x49af8)[0x7f59cf6b0af8]
Feb 09 15:56:36 foo.com bitlbee[17918]: /lib64/libglib-2.0.so.0(g_main_loop_run+0x6a)[0x7f59cf6b0dca]
Feb 09 15:56:36 foo.com bitlbee[17918]: /usr/local/sbin/bitlbee(b_main_run+0x13)[0x7f59d00ff36f]
Feb 09 15:56:36 foo.com bitlbee[17918]: /usr/local/sbin/bitlbee(main+0x55f)[0x7f59d00fcfb3]
Feb 09 15:56:36 foo.com bitlbee[17918]: /lib64/libc.so.6(__libc_start_main+0xf5)[0x7f59ce2b9b15]
Feb 09 15:56:36 foo.com bitlbee[17918]: /usr/local/sbin/bitlbee(+0x15379)[0x7f59d00dd379]

comment:2 Changed at 2016-02-10T00:27:42Z by dx

Can you run it under valgrind? Just install valgrind, stop bitlbee and start it with "valgrind bitlbee -Dnv". That will give more useful output.

comment:3 Changed at 2016-02-10T03:47:21Z by anonymous

==10181== Command: ./bitlbee -Dnv
==10181==
==10181== Invalid read of size 4
==10181==    at 0x5374800: g_int_hash (in /usr/lib64/libglib-2.0.so.0.4200.2)
==10181==    by 0x53734FB: ??? (in /usr/lib64/libglib-2.0.so.0.4200.2)
==10181==    by 0x146F98: phb_free (proxy.c:71)
==10181==    by 0x1471EF: proxy_connected (proxy.c:128)
==10181==    by 0x13F3FC: gaim_io_invoke (events_glib.c:86)
==10181==    by 0x53847A9: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.4200.2)
==10181==    by 0x5384AF7: ??? (in /usr/lib64/libglib-2.0.so.0.4200.2)
==10181==    by 0x5384DC9: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.4200.2)
==10181==    by 0x13F36E: b_main_run (events_glib.c:59)
==10181==    by 0x13CFB2: main (unix.c:172)
==10181==  Address 0x114e113c is 44 bytes inside a block of size 72 free'd
==10181==    at 0x4C2AD17: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==10181==    by 0x538A37E: g_free (in /usr/lib64/libglib-2.0.so.0.4200.2)
==10181==    by 0x14701A: phb_free (proxy.c:85)
==10181==    by 0x1483C5: proxy_disconnect (proxy.c:578)
==10181==    by 0x16B54E: aim_conn_close (conn.c:319)
==10181==    by 0x16B257: connkill_real (conn.c:155)
==10181==    by 0x16B527: aim_conn_kill (conn.c:299)
==10181==    by 0x17AA2D: oscar_chatnav_connect (oscar.c:755)
==10181==    by 0x1471DE: proxy_connected (proxy.c:127)
==10181==    by 0x13F3FC: gaim_io_invoke (events_glib.c:86)
==10181==    by 0x53847A9: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.4200.2)
==10181==    by 0x5384AF7: ??? (in /usr/lib64/libglib-2.0.so.0.4200.2)
==10181==
==10181== Invalid read of size 8
==10181==    at 0x146FE6: phb_free (proxy.c:81)
==10181==    by 0x1471EF: proxy_connected (proxy.c:128)
==10181==    by 0x13F3FC: gaim_io_invoke (events_glib.c:86)
==10181==    by 0x53847A9: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.4200.2)
==10181==    by 0x5384AF7: ??? (in /usr/lib64/libglib-2.0.so.0.4200.2)
==10181==    by 0x5384DC9: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.4200.2)
==10181==    by 0x13F36E: b_main_run (events_glib.c:59)
==10181==    by 0x13CFB2: main (unix.c:172)
==10181==  Address 0x114e1148 is 56 bytes inside a block of size 72 free'd
==10181==    at 0x4C2AD17: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==10181==    by 0x538A37E: g_free (in /usr/lib64/libglib-2.0.so.0.4200.2)
==10181==    by 0x14701A: phb_free (proxy.c:85)
==10181==    by 0x5384AF7: ??? (in /usr/lib64/libglib-2.0.so.0.4200.2)
==10181==    by 0x5384DC9: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.4200.2)
==10181==    by 0x13F36E: b_main_run (events_glib.c:59)
==10181==    by 0x13CFB2: main (unix.c:172)
==10181==  Address 0x114e1110 is 0 bytes inside a block of size 72 free'd
==10181==    at 0x4C2AD17: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==10181==    by 0x538A37E: g_free (in /usr/lib64/libglib-2.0.so.0.4200.2)
==10181==    by 0x14701A: phb_free (proxy.c:85)
==10181==    by 0x1483C5: proxy_disconnect (proxy.c:578)
==10181==    by 0x16B54E: aim_conn_close (conn.c:319)
==10181==    by 0x16B257: connkill_real (conn.c:155)
==10181==    by 0x16B527: aim_conn_kill (conn.c:299)
==10181==    by 0x17AA2D: oscar_chatnav_connect (oscar.c:755)
==10181==    by 0x1471DE: proxy_connected (proxy.c:127)
==10181==    by 0x13F3FC: gaim_io_invoke (events_glib.c:86)
==10181==    by 0x53847A9: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.4200.2)
==10181==    by 0x5384AF7: ??? (in /usr/lib64/libglib-2.0.so.0.4200.2)
==10181==

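The valgrind output above pins the crash down to an ownership problem rather than a stray pointer: phb_free at proxy.c:85 runs first from proxy_disconnect, reached through aim_conn_kill inside the oscar_chatnav_connect callback, and then phb_free runs a second time at proxy.c:128 from the proxy_connected code that invoked that callback. The strace in the description shows the same handle being torn down twice one step earlier, with close(24) succeeding, the second close(24) returning EBADF, and glibc aborting on the second g_free. The C model below is an added illustration, not BitlBee's code and not the fix that closed this ticket; the handle pool, the pending registry and all function names are assumptions. It reproduces the re-entrancy pattern with an instrumented allocator so the second free is counted instead of crashing, and shows one common way to close the window, unregistering the handle before control passes to the callback:

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define POOL_SIZE 4

/* Stand-in for the pending-connect handle (the 72-byte block in the valgrind
 * output). Handles live in a fixed pool so a second free is counted rather
 * than corrupting the heap, which is what glibc's "double free or corruption
 * (fasttop)" abort in the description reports. */
struct phb_model {
    bool alive;
    int  fd;
};

static struct phb_model pool[POOL_SIZE];
static struct phb_model *pending[POOL_SIZE]; /* assumed registry of in-flight connects */
static int double_frees;                     /* frees that hit an already-freed handle */

static struct phb_model *phb_new(int fd)
{
    for (size_t i = 0; i < POOL_SIZE; i++)
        if (!pool[i].alive) {
            pool[i].alive = true;
            pool[i].fd = fd;
            return &pool[i];
        }
    return NULL;
}

/* Model of phb_free(): close the socket, release the handle. */
static void phb_free(struct phb_model *p)
{
    if (!p->alive) { double_frees++; return; } /* real code: UB, then the abort */
    p->alive = false;
    p->fd = -1;
}

static void pending_add(struct phb_model *p)
{
    for (size_t i = 0; i < POOL_SIZE; i++)
        if (!pending[i]) { pending[i] = p; return; }
}

static bool pending_remove(struct phb_model *p)
{
    for (size_t i = 0; i < POOL_SIZE; i++)
        if (pending[i] == p) { pending[i] = NULL; return true; }
    return false;
}

/* Disconnect path (proxy_disconnect in the trace): a handle still registered
 * as pending is unregistered and freed here. */
static void proxy_disconnect_model(struct phb_model *p)
{
    if (pending_remove(p))
        phb_free(p);
}

/* Protocol callback: on "connected" it kills the connection straight away, as
 * oscar_chatnav_connect -> aim_conn_kill does in the trace, re-entering the
 * disconnect path from inside the completion handler. */
static void connected_cb(struct phb_model *p)
{
    proxy_disconnect_model(p);
}

/* Event-loop side as the trace shows it: run the callback, then free. The
 * handle is still pending during the callback, so the re-entrant disconnect
 * frees it first and this free is the second one. */
static int proxy_connected_buggy(struct phb_model *p)
{
    connected_cb(p);
    phb_free(p);
    return double_frees;
}

/* One way to close the window (an assumption, not the project's actual fix):
 * unregister before handing control to the callback, so a disconnect it
 * triggers finds nothing to free and the caller stays the single owner. */
static int proxy_connected_fixed(struct phb_model *p)
{
    pending_remove(p);
    connected_cb(p);
    phb_free(p);
    return double_frees;
}

/* Runs one connect-then-kill cycle and returns how many double frees occurred. */
int run_scenario(bool fixed)
{
    memset(pool, 0, sizeof pool);
    memset(pending, 0, sizeof pending);
    double_frees = 0;
    struct phb_model *p = phb_new(24); /* fd 24, as in the strace */
    pending_add(p);
    return fixed ? proxy_connected_fixed(p) : proxy_connected_buggy(p);
}
```

run_scenario(false) returns 1 (the buggy ordering frees the handle twice) and run_scenario(true) returns 0. The general point is the one to carry into review of any callback-driven I/O code: whichever side owns the handle must either drop it from every lookup structure before invoking user code, or be told by that code that the handle is already gone, so that a callback which tears down its own connection cannot race the caller's cleanup.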
comment:4 Changed at 2016-02-18T11:31:00Z by dx

Resolution: fixed
Status: new → closed
