oetiker / mrtg

MRTG - Multi Router Traffic Grapher
http://www.mrtg.org

rateup crashes when kMG is set #3

Closed danielluke closed 7 years ago

danielluke commented 8 years ago

With 2.17.4, I can reproduce a crash (SIGABRT from 'pointer being freed was not allocated') on Mac OS X 10.12.

Crashed Thread:        0  Dispatch queue: com.apple.main-thread

Exception Type:        EXC_CRASH (SIGABRT)
Exception Codes:       0x0000000000000000, 0x0000000000000000
Exception Note:        EXC_CORPSE_NOTIFY

Application Specific Information:
abort() called
*** error for object 0x7f8899d001d0: pointer being freed was not allocated

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   libsystem_kernel.dylib              0x00007fff90ef9dda __pthread_kill + 10
1   libsystem_pthread.dylib             0x00007fff90fe4797 pthread_kill + 90
2   libsystem_c.dylib                   0x00007fff90e5f440 abort + 129
3   libsystem_malloc.dylib              0x00007fff90f4f097 free + 530
4   rateup                              0x0000000105a1ee2d image + 13457
5   rateup                              0x0000000105a1b5f0 main + 4908
6   libdyld.dylib                       0x00007fff90dcb255 start + 1

Thread 0 crashed with X86 Thread State (64-bit):
  rax: 0x0000000000000000  rbx: 0x0000000000000006  rcx: 0x00007fff5a1e4a08  rdx: 0x0000000000000000
  rdi: 0x000000000000060b  rsi: 0x0000000000000006  rbp: 0x00007fff5a1e4a30  rsp: 0x00007fff5a1e4a08
   r8: 0x0000000000000000   r9: 0x0000000000000000  r10: 0x0000000008000000  r11: 0x0000000000000206
  r12: 0x00007f889a823800  r13: 0x0000000000000001  r14: 0x00007fff99ace3c0  r15: 0x0000000000000000
  rip: 0x00007fff90ef9dda  rfl: 0x0000000000000206  cr2: 0x00007fff90fe249b

Logical CPU:     0
Error Code:      0x02000148
Trap Number:     133

oetiker commented 8 years ago

This error is unfortunately not very distinctive ... what is especially odd is that the kill happens within pthread, whereas mrtg does not use threads ...

danielluke commented 8 years ago

There's always (at least) one thread.

The important part is that it's abort()'ing in free() and saying "pointer being freed was not allocated". Since it stopped crashing when I comment out a config line that said "kMG[foo]: ,k,M,G", I suspect rateup.c line 1136.

therealbstern commented 7 years ago

I'm certain it's line 1136. It frees short_si, which is actually the copy of kMG that has been stomped upon during the first pass through image(). Later accesses will cause problems, the most benign of which is the units being incorrect for weekly/monthly/yearly graphs.

I'm working on a PR to address this right now.
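
The failure mode described in this thread (a unit string that is modified on one pass through image() and later handed to free()) is avoided by parsing a private copy and freeing only the pointer malloc() returned. The following is an added example, not code from rateup.c or from the eventual PR; `kmg_units`, `kmg_parse`, `kmg_free` and `KMG_MAX` are hypothetical names, and the one-parse-per-graph loop in `main` is an assumption.

```c
#include <stdlib.h>
#include <string.h>
#define KMG_MAX 8                  /* assumed field limit for this example */

struct kmg_units {                 /* hypothetical type, not from rateup.c */
    char *base;                    /* malloc() result; the only pointer freed */
    const char *unit[KMG_MAX];     /* fields, pointing into base */
    int count;
};

/* Split e.g. ",k,M,G" into fields without modifying 'kmg'. Empty fields are
 * kept, which strtok() would not do for the leading one. */
int kmg_parse(const char *kmg, struct kmg_units *out)
{
    size_t len = strlen(kmg);
    char *p = malloc(len + 1);

    out->base = p;
    out->count = 0;
    if (p == NULL)
        return -1;
    memcpy(p, kmg, len + 1);
    while (out->count < KMG_MAX) {
        char *comma = strchr(p, ',');
        out->unit[out->count++] = p;
        if (comma == NULL)
            break;
        *comma = '\0';             /* writes only to the private copy */
        p = comma + 1;             /* the cursor advances; out->base never does */
    }
    return out->count;
}

void kmg_free(struct kmg_units *u)
{
    free(u->base);                 /* always the pointer malloc() returned */
    u->base = NULL;
}

int main(void)
{
    const char *cfg = ",k,M,G";    /* kMG value quoted in the report above */
    struct kmg_units u;

    for (int pass = 0; pass < 4; pass++) {  /* assumed: one parse per graph */
        if (kmg_parse(cfg, &u) != 4) return 1;
        kmg_free(&u);
    }
    return 0;
}
```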