[Libevent-users] my app crashed, maybe a bug in libevent

In buffer.c:

for (chain = buf->first;
     remaining >= chain->off;
     chain = next) {
    next = chain->next;
    remaining -= chain->off;
    if (chain == *buf->last_with_datap) {
        buf->last_with_datap = &buf->first;
    }
    if (&chain->next == buf->last_with_datap)
        buf->last_with_datap = &buf->first;
    if (CHAIN_PINNED_R(chain)) {
        EVUTIL_ASSERT(remaining == 0);
        chain->misalign += chain->off;
        chain->off = 0;
        break;
    } else
        evbuffer_chain_free(chain);
}

This line, "remaining >= chain->off", causes a segmentation fault:
Program terminated with signal 11, Segmentation fault.
#0  evbuffer_drain (buf=0x97baed8, len=900) at buffer.c:983
983                          remaining >= chain->off;
(gdb) bt
#0  evbuffer_drain (buf=0x97baed8, len=900) at buffer.c:983
#1  0xb734a7d7 in evbuffer_write_atmost (buffer=0x97baed8, fd=10, howmuch=16384) at buffer.c:2375
#2  0xb734cf4a in bufferevent_writecb (fd=10, event=4, arg=0x97bad78) at bufferevent_sock.c:261
#3  0xb7344580 in event_process_active_single_queue (base=0x902bd20, flags=<value optimized out>) at event.c:1346
#4  event_process_active (base=0x902bd20, flags=<value optimized out>) at event.c:1416
#5  event_base_loop (base=0x902bd20, flags=<value optimized out>) at event.c:1617
#6  0xb73451a5 in event_base_dispatch (event_base=0x902bd20) at event.c:1446
#7  0x0804fda8 in start_ipcclient (ipcclient=0xbffc6060, protocol_node=0x93ed69c) at ipcclient.c:504
#8  0x0804a1f2 in main (argc=5, argv=0xbffc6134) at main.c:232
(gdb) p *buf
$1 = {first = 0x97bab70, last = 0x97ba350, last_with_datap = 0x97baed8, total_len = 60, n_add_for_cb = 0, n_del_for_cb = 0, lock = 0x0,
  own_lock = 0, freeze_start = 0, freeze_end = 0, deferred_cbs = 0, flags = 1, cb_queue = 0x0, refcnt = 1, deferred = {cb_next = {tqe_next = 0x0,
      tqe_prev = 0x0}, queued = 0, cb = 0, arg = 0x0}, callbacks = {tqh_first = 0x9721bc8, tqh_last = 0x9721bc8}, parent = 0x97bad78}
(gdb) p *buf->first
$2 = {next = 0x9a080e8, buffer_len = 159097672, misalign = 0, off = 0, flags = 0, buffer = 0x97bab88 "sasipc\001"}
(gdb) p *buf->first->next
$3 = {next = 0x0, buffer_len = 295009, misalign = 163680152, off = 159099752, flags = 0, buffer = 0x0}
(gdb) p remaining
$4 = 0

You can see this line:

for (chain = buf->first;
     remaining >= chain->off;
     chain = next)

If next is NULL, the program must cause a segmentation fault.
Is this a bug?
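As an added illustration (this is not libevent code and not part of the post), the C model below reproduces the shape of the chain walk quoted above. The loop condition "remaining >= chain->off" has no NULL test; it relies on the invariant that buf->total_len equals the sum of chain->off over the list, so that a chain holding more data than remains to be drained is always reached before the end of the list. The model's struct names, buf_build/buf_invariant_ok/drain_model helpers, and its handling of a drain of len >= total_len (release every chain) are all assumptions made for the example; the page does not show how the real evbuffer_drain treats that case. The second scenario in main() mirrors the gdb dump on the page, where total_len is 60 while the first chain has off = 0: with the invariant broken, the unchecked loop walks off the end of the list, and the added NULL guard turns that into an error return instead of a crash.

```c
/* Added example, not libevent code: a minimal model of the evbuffer
   chain walk from the post. Names and structures are hypothetical. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

struct chain {
    struct chain *next;
    size_t misalign;   /* bytes already consumed from the front of the chain */
    size_t off;        /* bytes of live data remaining in the chain */
};

struct buf {
    struct chain *first;
    size_t total_len;  /* invariant: equals the sum of off over the chain list */
};

/* Build a list with the given per-chain data lengths. total_len is passed
   separately so a caller can deliberately break the invariant. */
struct buf *buf_build(const size_t *offs, size_t n, size_t total_len) {
    struct buf *b = calloc(1, sizeof *b);
    struct chain **tail = &b->first;
    for (size_t i = 0; i < n; i++) {
        struct chain *c = calloc(1, sizeof *c);
        c->off = offs[i];
        *tail = c;
        tail = &c->next;
    }
    b->total_len = total_len;
    return b;
}

void buf_free(struct buf *b) {
    struct chain *c = b->first;
    while (c) { struct chain *n = c->next; free(c); c = n; }
    free(b);
}

/* Does total_len match the data actually on the chain? The loop in the post
   stops only when a chain holds more than `remaining`, so this invariant is
   what keeps it from running off the end of the list. */
int buf_invariant_ok(const struct buf *b) {
    size_t sum = 0;
    for (const struct chain *c = b->first; c; c = c->next)
        sum += c->off;
    return sum == b->total_len;
}

/* Drain `len` bytes with a loop shaped like the one in the post.
   Returns the number of chains released, or -1 when the walk reaches the end
   of the list with bytes still unaccounted for: the state in which the
   unchecked original reads chain->off through a NULL pointer. */
long drain_model(struct buf *b, size_t len) {
    size_t remaining = len;
    struct chain *chain, *next;
    long released = 0;

    if (len >= b->total_len) {          /* assumption: whole-buffer drain releases everything */
        for (chain = b->first; chain; chain = next) {
            next = chain->next;
            free(chain);
            released++;
        }
        b->first = NULL;
        b->total_len = 0;
        return released;
    }

    for (chain = b->first; ; chain = next) {
        if (chain == NULL) {            /* added guard; the quoted loop has none */
            b->total_len = 0;           /* every chain is already gone */
            return -1;
        }
        if (remaining < chain->off)     /* this chain outlives the drain */
            break;
        next = chain->next;
        remaining -= chain->off;
        free(chain);
        b->first = next;                /* keep the list consistent as we go */
        released++;
    }
    chain->misalign += remaining;       /* consume the front of the survivor */
    chain->off -= remaining;
    b->total_len -= len;
    return released;
}

int main(void) {
    size_t good[] = {10, 20, 30};       /* constructed: three chains, 60 bytes */
    struct buf *b = buf_build(good, 3, 60);
    printf("valid buffer: released %ld chains\n", drain_model(b, 25));
    buf_free(b);

    size_t bad[] = {0, 0};              /* constructed: total_len 60, no data, as in the dump */
    struct buf *c = buf_build(bad, 2, 60);
    printf("corrupt buffer: invariant %s, drain -> %ld\n",
           buf_invariant_ok(c) ? "holds" : "broken", drain_model(c, 25));
    buf_free(c);
    return 0;
}
```

The point of the two scenarios is the precondition: the loop as written is correct only while total_len and the chain contents agree. When a crash lands on the loop condition itself, the useful question is which earlier operation left total_len claiming bytes that no chain holds, rather than the loop that eventually trips over it.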