[tor-bugs] #26311 [Core Tor/Tor]: Error in `/usr/bin/tor': free(): invalid next size (normal): 0x000055ed468598d0
Tor Bug Tracker & Wiki
blackhole at torproject.org
Mon Jun 11 14:49:12 UTC 2018
#26311: Error in `/usr/bin/tor': free(): invalid next size (normal):
0x000055ed468598d0
--------------------------+------------------------------------
 Reporter:  cypherpunks   |          Owner:  (none)
     Type:  defect        |         Status:  new
 Priority:  Medium        |      Milestone:  Tor: 0.3.4.x-final
Component:  Core Tor/Tor  |        Version:  Tor: 0.3.3.5-rc
 Severity:  Normal        |     Resolution:
 Keywords:                |  Actual Points:
Parent ID:                |         Points:
 Reviewer:                |        Sponsor:
--------------------------+------------------------------------
Comment (by starlight):

Speculative yet plausible theory:

Allowing the possibility network storage is not directly corrupting
memory, the slowness of paging over network may be exposing a race-
condition bug where an unprotected critical-section results in corruption.
This of course is the nastiest class of bug.

My understanding is that much of the work processing consensus documents
was recently moved from the main event-loop thread to worker threads and
this might have led to the introduction of an unprotected race.

Issue may have arrived suddenly due to increasing memory pressure on the
shared container or VM from other instances; where previously paging may
have not been present, but occurs now. If successful locking of memory
with `DisableAllSwap` reduces or eliminates the traps, theory is further
validated.

Best way to find such bugs in my experience is with the Valgrind component
Helgrind. Helgrind shows where the problem resides without necessarily
triggering it. Slow as Hell though. . .only runs test.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/26311#comment:23>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online