Closed GoogleCodeExporter closed 9 years ago
I have the same issue, on Ubuntu 11.10 64-bit. I made a debug build of version
2.10 to see what is happening, and found the following:
kernel: [148844.721430] shellinaboxd[1601] general protection ip:4121cb sp:7fff4aae34f8 error:0 in shellinaboxd[400000+1f000]
0x00000000004121c0 <serverGetConnection+144>: leaveq
0x00000000004121c1 <serverGetConnection+145>: jne 0x412142 <serverGetConnection+18>
0x00000000004121c7 <serverGetConnection+151>: mov 0x18(%rdi),%rcx
0x00000000004121cb <serverGetConnection+155>: cmp %edx,0x8(%rcx,%r9,8)
0x00000000004121d0 <serverGetConnection+160>: jne 0x412142 <serverGetConnection+18>
0x00000000004121d6 <serverGetConnection+166>: repz retq
0x00000000004121d8 <serverGetConnection+168>: nopl 0x0(%rax,%rax,1)
0x4121cb is in serverGetConnection (libhttp/server.c:339).
334                                              int fd) {
335   if (hint &&
336       server->connections <= hint &&
337       server->connections + server->numConnections > hint &&
338       &server->connections[hint - server->connections] == hint &&
339       !hint->deleted &&
340       server->pollFds[hint - server->connections + 1].fd == fd) {
341     return hint;
342   }
343   for (int i = 0; i < server->numConnections; i++) {
That if-statement in the serverGetConnection function looks a bit hairy. I'm
not able to completely follow the logic but it seems that there is some kind of
an issue with pointer arithmetic and/or pointer mixup in general.
For me, the crashes don't occur very often but they definitely do occur. I can
try to do further analysis with the debug build I have if you want to.
Original comment by samuli.s...@gmail.com
on 14 Mar 2012 at 10:47
Try something along these lines and let me know, if that fixes it:
  if (hint &&
      server->connections <= hint &&
      server->connections + server->numConnections > hint) {
    // The compiler would like to optimize the expression:
    //   &server->connections[hint - server->connections] <=>
    //   server->connections + hint - server->connections <=>
    //   hint
    // This transformation is correct as far as the language specification is
    // concerned, but it is unintended as we actually want to check whether
    // the alignment is correct. So, instead of comparing
    //   &server->connections[hint - server->connections] == hint
    // we first use memcpy() to break aliasing.
    uintptr_t ptr1, ptr2;
    memcpy(&ptr1, &hint, sizeof(ptr1));
    memcpy(&ptr2, &server->connections, sizeof(ptr2));
    int idx = (ptr1 - ptr2)/sizeof(*server->connections);
    if (&server->connections[idx] == hint &&
        !hint->deleted &&
        server->pollFds[hint - server->connections + 1].fd == fd) {
      return hint;
    }
  }
Original comment by zod...@gmail.com
on 14 Mar 2012 at 5:44
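The point of the memcpy() trick above is that pointer subtraction already divides by the element size, so `hint - server->connections` can never represent an offset that is not a whole number of elements, and `&server->connections[hint - server->connections] == hint` is an identity the compiler is entitled to fold away. Doing the subtraction on integers, as the suggested fix does, gives a real test of whether the hint sits on an element boundary. The following is an added, stand-alone C example of that check; it is not shellinabox's code. `struct Connection`, `connectionIndex()`, `inRange()` and `demo()` are names invented for the example, the three-field struct is a hypothetical stand-in for the real connection record (chosen so that its size is not a power of two), and the sample array and hints are constructed inline. The remainder test `off % sizeof(*connections) != 0` is the same condition as the page's `&server->connections[idx] == hint` comparison, written out directly.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical stand-in for a connection record (not shellinabox's struct).
 * 12 bytes, so sizeof is not a power of two. */
struct Connection {
  int fd;
  int deleted;
  int tag;
};

/* Mirror of the range test the original if-statement performs first, done on
 * integers: any address inside the array's bytes passes it, aligned or not. */
int inRange(const struct Connection *connections, int num, const void *hint) {
  uintptr_t ptr1, ptr2;
  memcpy(&ptr1, &hint, sizeof(ptr1));
  memcpy(&ptr2, &connections, sizeof(ptr2));
  return ptr1 >= ptr2 && ptr1 < ptr2 + (uintptr_t)num * sizeof(*connections);
}

/* Index of hint within connections[0..num) if, and only if, hint points at
 * the first byte of some element; -1 otherwise.  The arithmetic is done on
 * uintptr_t values copied out with memcpy(), as in the suggested fix, so the
 * compiler cannot turn the alignment test into a tautology.  hint is taken as
 * void* so that a misaligned address can be passed without forming a
 * misaligned struct pointer. */
int connectionIndex(const struct Connection *connections, int num,
                    const void *hint) {
  if (!connections || !hint || num <= 0) return -1;
  uintptr_t ptr1, ptr2;
  memcpy(&ptr1, &hint, sizeof(ptr1));
  memcpy(&ptr2, &connections, sizeof(ptr2));
  if (ptr1 < ptr2) return -1;                        /* before the array   */
  uintptr_t off = ptr1 - ptr2;
  if (off % sizeof(*connections) != 0) return -1;    /* not an element start */
  uintptr_t idx = off / sizeof(*connections);
  if (idx >= (uintptr_t)num) return -1;              /* at or past the end */
  return (int)idx;
}

/* Constructed scenario: three connections and three hints.  "aligned" is
 * element 1, "misaligned" is 4 bytes into element 1, "past_end" is one past
 * the array.  Returns how many of the three checks behaved as expected. */
int demo(void) {
  struct Connection conns[3] = {{5, 0, 0}, {6, 0, 0}, {7, 1, 0}};
  const char *base = (const char *)conns;
  const void *aligned    = base + 1 * sizeof(conns[0]);
  const void *misaligned = base + 1 * sizeof(conns[0]) + 4;
  const void *past_end   = base + 3 * sizeof(conns[0]);
  int ok = 0;
  /* an aligned hint inside the array is accepted with its index */
  ok += inRange(conns, 3, aligned) && connectionIndex(conns, 3, aligned) == 1;
  /* a misaligned hint passes the range test but fails the alignment test */
  ok += inRange(conns, 3, misaligned) && connectionIndex(conns, 3, misaligned) == -1;
  /* a hint outside the current array fails both */
  ok += !inRange(conns, 3, past_end) && connectionIndex(conns, 3, past_end) == -1;
  return ok;
}

int main(void) {
  int ok = demo();
  printf("%d of 3 checks behaved as expected\n", ok);
  return ok == 3 ? 0 : 1;
}
```

The second case is the one the original expression could not catch: the pointer lies inside the array, so the range test passes, and a round-trip through pointer subtraction and indexing hands back the same pointer. Only the integer remainder test rejects it. The third case shows that the range test alone already rejects a hint that no longer lies within the array, so the alignment check only adds to, and never replaces, that test.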
This change was made in commit 13d0448 or svn commit 220 on Sep 3 2010.
Original comment by beewoo...@gmail.com
on 6 Apr 2012 at 3:36
Original issue reported on code.google.com by shamik.d...@gmail.com
on 17 Mar 2011 at 10:28