double free in DHT implementation?

[slingamn]

Core was generated by `/home/shivaram/workspace/sandbox/bin/rtorrent [redacted]'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007f03770aeccb in ?? () from /lib/x86_64-linux-gnu/libgcc_s.so.1
[Current thread is 1 (Thread 0x7f0378533740 (LWP 22646))]
(gdb) bt
#0  0x00007f03770aeccb in ?? () from /lib/x86_64-linux-gnu/libgcc_s.so.1
#1  0x00007f03770b0668 in _Unwind_Backtrace () from /lib/x86_64-linux-gnu/libgcc_s.so.1
#2  0x00007f0376bceb4f in __GI___backtrace (array=array@entry=0x7ffebdf1f450, size=size@entry=20)
    at ../sysdeps/x86_64/backtrace.c:110
#3  0x0000000000412007 in do_panic (signum=11) at main.cc:595
#4  <signal handler called>
#5  0x0000000000000081 in ?? ()
#6  0x00007f03779ec8dd in torrent::DhtTransactionSearch::~DhtTransactionSearch (this=0x780393b0, __in_chrg=<optimized out>)
    at dht_transaction.cc:309
#7  0x00007f03779ea7a3 in torrent::DhtTransactionFindNode::~DhtTransactionFindNode (this=0x780393b0, __in_chrg=<optimized out>)
    at dht_transaction.h:367
#8  torrent::DhtTransactionFindNode::~DhtTransactionFindNode (this=0x780393b0, __in_chrg=<optimized out>) at dht_transaction.h:367
#9  0x00007f03779e7b30 in torrent::DhtServer::failed_transaction (this=this@entry=0x19fb080, itr=..., quick=quick@entry=false)
    at dht_server.cc:684
#10 0x00007f03779e810d in torrent::DhtServer::receive_timeout (this=0x19fb080) at dht_server.cc:939
#11 0x00007f037796dee3 in std::function<void ()>::operator()() const (this=<optimized out>) at /usr/include/c++/5/functional:2267
#12 torrent::thread_main::call_events (this=<optimized out>) at thread_main.cc:82
#13 0x00007f03779cb0d0 in torrent::thread_base::event_loop (thread=0x1954e10) at thread_base.cc:141
#14 0x000000000041040e in main (argc=5, argv=<optimized out>) at main.cc:479

going through this line (I'm running a version based on c167c5a9e0bcf0d, including the patches from #134):

https://github.com/rakshasa/libtorrent/blob/c167c5a9e0bcf0df23ae5efd91396aae0e37eb87/src/dht/dht_transaction.cc#L309

[slingamn]

Another trace:

#0  0x00007f49ee25c428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
#1  0x00007f49ee25e02a in __GI_abort () at abort.c:89
#2  0x0000000000412190 in do_panic (signum=11) at main.cc:616
#3  <signal handler called>
#4  0x00007f49ef15a8da in torrent::DhtTransactionSearch::~DhtTransactionSearch (this=0xd8ca190, __in_chrg=<optimized out>) at dht_transaction.cc:309
#5  0x00007f49ef1587a3 in torrent::DhtTransactionFindNode::~DhtTransactionFindNode (this=0xd8ca190, __in_chrg=<optimized out>) at dht_transaction.h:367
#6  torrent::DhtTransactionFindNode::~DhtTransactionFindNode (this=0xd8ca190, __in_chrg=<optimized out>) at dht_transaction.h:367
#7  0x00007f49ef155386 in torrent::DhtServer::add_transaction (this=this@entry=0x1b07460, transaction=transaction@entry=0xd8ca190, priority=priority@entry=2) at dht_server.cc:638
#8  0x00007f49ef155883 in torrent::DhtServer::find_node_next (this=this@entry=0x1b07460, transaction=transaction@entry=0xea8f380) at dht_server.cc:496
#9  0x00007f49ef15627e in torrent::DhtServer::parse_find_node_reply (this=this@entry=0x1b07460, transaction=transaction@entry=0xea8f380, nodes=...) at dht_server.cc:466
#10 0x00007f49ef15648e in torrent::DhtServer::process_response (this=this@entry=0x1b07460, id=..., sa=sa@entry=0x7ffc46ee6bd0, response=...) at dht_server.cc:397
#11 0x00007f49ef15790e in torrent::DhtServer::event_read (this=0x1b07460) at dht_server.cc:793
#12 0x00007f49ef0f4d8a in torrent::PollEPoll::perform (this=this@entry=0x1a708b0) at poll_epoll.cc:185
#13 0x00007f49ef0f4e2d in torrent::PollEPoll::do_poll (this=0x1a708b0, timeout_usec=<optimized out>, flags=<optimized out>) at poll_epoll.cc:224
#14 0x00007f49ef139084 in torrent::thread_base::event_loop (thread=0x1a6be30) at thread_base.cc:174
#15 0x000000000041040e in main (argc=5, argv=<optimized out>) at main.cc:479

[slingamn]

Running under valgrind: https://gist.github.com/slingamn/578793a4b7eeffd0a564daa707a2ac1b

indicates that the following line is a source of use-after-frees:

https://github.com/rakshasa/libtorrent/blob/c167c5a9e0bcf0df23ae5efd91396aae0e37eb87/src/dht/dht_server.cc#L638