malloc(): unsorted double linked list corrupted
vtyw opened this issue · comments
This repo seemed to fix the periodic segfault issue on Ubuntu 20 but then 20 minutes later I got a new crash, still related to malloc:
No symbol table info available.
StacktraceAddressSignature: /opt/logmein-hamachi/bin/hamachid.org:6:/usr/lib/x86_64-linux-gnu/libc-2.31.so+859:/usr/lib/x86_64-linux-gnu/libc-2.31.so+6b3ee:/usr/lib/x86_64-linux-gnu/libc-2.31.so+7347c:/usr/lib/x86_64-linux-gnu/libc-2.31.so+7646c:/usr/lib/x86_64-linux-gnu/libc-2.31.so+78419:/opt/logmein-hamachi/bin/hamachid-patcher.so+4b1:/usr/lib/x86_64-linux-gnu/libc-2.31.so+5fe84:/usr/lib/x86_64-linux-gnu/libc-2.31.so+70050:/usr/lib/x86_64-linux-gnu/libc-2.31.so+6ee24:/usr/lib/x86_64-linux-gnu/libc-2.31.so+6beb1:/usr/lib/x86_64-linux-gnu/libnss_files-2.31.so+3a7e:/usr/lib/x86_64-linux-gnu/libnss_files-2.31.so+3e54:/usr/lib/x86_64-linux-gnu/libc-2.31.so+c0483:/usr/lib/x86_64-linux-gnu/libc-2.31.so+bfb4b:/opt/logmein-hamachi/bin/hamachid.org+be3f5
StacktraceTop:
__libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7fe15d1a1285 "%s\n") at ../sysdeps/posix/libc_fatal.c:155
malloc_printerr (str=str@entry=0x7fe15d1a3ad8 "malloc(): unsorted double linked list corrupted") at malloc.c:5347
_int_malloc (av=av@entry=0x7fe15d1d2b80 <main_arena>, bytes=bytes@entry=4608) at malloc.c:3744
__GI___libc_malloc (bytes=4608) at malloc.c:3066
malloc () from /opt/logmein-hamachi/bin/hamachid-patcher.so
Tags: focal
ThreadStacktrace:
.
Thread 1 (Thread 0x7fe15ce96b80 (LWP 8386)):
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
set = {__val = {0, 5297646, 140725458914064, 25, 25603464, 26345392, 83, 140605907966975, 140725458914064, 9947296, 140725458914064, 4294967295, 6911304, 4486734, 6911304, 140605905665848}}
pid = <optimized out>
tid = <optimized out>
ret = <optimized out>
#1 0x00007fe15d00c859 in __GI_abort () at abort.c:79
save_stage = 1
act = {__sigaction_handler = {sa_handler = 0x1920230, sa_sigaction = 0x1920230}, sa_mask = {__val = {26343680, 26346032, 25329864, 9947296, 9947560, 9947560, 5143264, 66307, 2752527, 1, 33188, 0, 0, 475842, 4096, 944}}, sa_flags = 1643674988, sa_restorer = 0x2a18d77d}
sigs = {__val = {32, 0 <repeats 15 times>}}
#2 0x00007fe15d0773ee in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7fe15d1a1285 "%s\n") at ../sysdeps/posix/libc_fatal.c:155
ap = {{gp_offset = 24, fp_offset = 32765, overflow_arg_area = 0x7ffd32fd4de0, reg_save_area = 0x7ffd32fd4d70}}
fd = <optimized out>
list = <optimized out>
nlist = <optimized out>
cp = <optimized out>
#3 0x00007fe15d07f47c in malloc_printerr (str=str@entry=0x7fe15d1a3ad8 "malloc(): unsorted double linked list corrupted") at malloc.c:5347
No locals.
#4 0x00007fe15d08246c in _int_malloc (av=av@entry=0x7fe15d1d2b80 <main_arena>, bytes=bytes@entry=4608) at malloc.c:3744
next = <optimized out>
iters = <optimized out>
nb = <optimized out>
idx = 100
bin = <optimized out>
victim = <optimized out>
size = <optimized out>
victim_index = <optimized out>
remainder = <optimized out>
remainder_size = <optimized out>
block = <optimized out>
bit = <optimized out>
map = <optimized out>
fwd = <optimized out>
bck = <optimized out>
tcache_unsorted_count = 1
tcache_nb = 0
tc_idx = 287
return_cached = <optimized out>
__PRETTY_FUNCTION__ = "_int_malloc"
#5 0x00007fe15d084419 in __GI___libc_malloc (bytes=4608) at malloc.c:3066
ar_ptr = 0x7fe15d1d2b80 <main_arena>
victim = <optimized out>
hook = <optimized out>
tbytes = <optimized out>
tc_idx = <optimized out>
__PRETTY_FUNCTION__ = "__libc_malloc"
#6 0x00007fe15d4324b1 in malloc () from /opt/logmein-hamachi/bin/hamachid-patcher.so
No symbol table info available.
#7 0x00007fe15d06be84 in __GI__IO_file_doallocate (fp=0x1929860) at filedoalloc.c:101
size = 4096
p = <optimized out>
st = {st_dev = 66307, st_ino = 264950, st_nlink = 1, st_mode = 33188, st_uid = 0, st_gid = 0, __pad0 = 0, st_rdev = 0, st_size = 2805, st_blksize = 4096, st_blocks = 8, st_atim = {tv_sec = 1643595508, tv_nsec = 390669850}, st_mtim = {tv_sec = 1643595508, tv_nsec = 386669812}, st_ctim = {tv_sec = 1643595508, tv_nsec = 386669812}, __glibc_reserved = {0, 0, 0}}
#8 0x00007fe15d07c050 in __GI__IO_doallocbuf (fp=fp@entry=0x1929860) at libioP.h:948
No locals.
#9 0x00007fe15d07ae24 in _IO_new_file_underflow (fp=0x1929860) at fileops.c:486
count = <optimized out>
#10 0x00007fe15d077eb1 in readline_slow (buffer_end=<optimized out>, buffer=0x1971020 "victor", fp=<optimized out>) at readline.c:44
readptr = <optimized out>
readlen = <optimized out>
pnl = <optimized out>
start = <optimized out>
start = <optimized out>
__PRETTY_FUNCTION__ = "readline_slow"
readptr = <optimized out>
readlen = <optimized out>
pnl = <optimized out>
line_length = <optimized out>
#11 __GI___libc_readline_unlocked (fp=fp@entry=0x1929860, buffer=buffer@entry=0x1971020 "victor", buffer_length=buffer_length@entry=1024) at readline.c:153
buffer_end = 0x1971420 ""
readptr = <optimized out>
readlen = 0
start_offset = 0
result = <optimized out>
#12 0x00007fe15c575a7e in internal_getent (stream=stream@entry=0x1929860, result=result@entry=0x7fe15d1d6180 <resbuf>, buffer=buffer@entry=0x1971020 "victor", buflen=buflen@entry=1024, errnop=errnop@entry=0x7fe15ce96ae0) at nss_files/files-XXX.c:151
r = <optimized out>
p = <optimized out>
data = 0x1971020
linebuflen = 1024
parse_result = <optimized out>
#13 0x00007fe15c575e54 in _nss_files_getpwuid_r (uid=1001, result=0x7fe15d1d6180 <resbuf>, buffer=0x1971020 "victor", buflen=1024, errnop=0x7fe15ce96ae0) at nss_files/files-pwd.c:39
status = <optimized out>
stream = 0x1929860
#14 0x00007fe15d0cc483 in __getpwuid_r (uid=uid@entry=1001, resbuf=resbuf@entry=0x7fe15d1d6180 <resbuf>, buffer=0x1971020 "victor", buflen=buflen@entry=1024, result=result@entry=0x7ffd32fd5190) at ../nss/getXXbyYY_r.c:315
startp_initialized = true
startp = 0xecb802bf1220ea97
start_fct = 0xecb81a1193a0ea97
nip = 0x7fe150001ec0
do_merge = 0
mergegrp = <optimized out>
mergebuf = 0x0
endptr = 0x0
fct = {l = 0x7fe15c575e00 <_nss_files_getpwuid_r>, ptr = 0x7fe15c575e00 <_nss_files_getpwuid_r>}
no_more = 0
err = <optimized out>
status = NSS_STATUS_UNAVAIL
nscd_status = <optimized out>
res = <optimized out>
#15 0x00007fe15d0cbb4b in getpwuid (uid=1001) at ../nss/getXXbyYY.c:134
buffer_size = 1024
resbuf = {pw_name = 0x1971020 "victor", pw_passwd = 0x1971027 "x", pw_uid = 1001, pw_gid = 1001, pw_gecos = 0x1971033 "victor,,,", pw_dir = 0x197103d "/home/victor", pw_shell = 0x197104a "/bin/bash"}
result = 0x1
#16 0x00000000004be3f5 in ?? ()
No symbol table info available.
#17 0x000000000050eb48 in ?? ()
No symbol table info available.
#18 0x0000000000446c9e in ?? ()
No symbol table info available.
#19 0x00000000004bebe2 in ?? ()
No symbol table info available.
#20 0x000000000040709e in ?? ()
No symbol table info available.
#21 0x00007fe15d00e0b3 in __libc_start_main (main=0x406e00, argc=1, argv=0x7ffd32fd54d8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffd32fd54c8) at ../csu/libc-start.c:308
self = <optimized out>
result = <optimized out>
unwind_buf = {cancel_jmp_buf = {{jmp_buf = {6887072, 1403613175900859031, 4224678, 140725458916560, 0, 0, -1404903982286968169, -1389333276703921513}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x1, 0x7ffd32fd54d8}, data = {prev = 0x0, cleanup = 0x0, canceltype = 1}}}
not_first_call = <optimized out>
#22 0x00000000004076cf in ?? ()
No symbol table info available.
Title: hamachid.org assert failure: malloc(): unsorted double linked list corrupted
UnreportableReason: This package does not seem to be installed correctly
UpgradeStatus: No upgrade log present (probably fresh install)
_MarkForUpload: True
separator:
where can i see the errors? i'm a bit new to actually trying to use my linux pc for utility stuff, i tried this fix but i woke up today and it was disconnected again
I got that from an Apport crash report.
wasn't entirely sure what to copy, but i did see that the error was more or less the same,
AssertionMessage: malloc(): unsorted double linked list corrupted
I got that from an Apport crash report.
This repo contains a workaround. It improves things, but it does not cure the underlying bug, which is in the Hamachi client itself. As far as I can guess (no source code is available), the flow goes something like this:
// Illustrative sketch only: a guess at the closed-source client's logic, not
// compilable C++ (the elided fields and the populate step are placeholders).
struct item {
int v1, v2 ... ;
// presumably std::string: each member would own separate heap storage that its
// destructor releases when the item is destroyed — TODO confirm
string n1, n2;
};
vector<item> list = new vector<item>();
///
... populate list with items
///
// NOTE(review): as written this copies the first element by value; the
// accompanying explanation treats `i` as a pointer to that element, so read
// it as an alias of the element rather than an independent copy.
item i = *(list->begin());
// Every element is deleted here, and then the container itself.
for (auto p = list->begin(); p != list->end(); ++p) delete *p;
delete list;
// Use i.
// `i` is read after the deletes above, i.e. after the element it stands for
// has been destroyed and its memory handed back to the allocator.
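So, it is the classic bug: a use-after-free, where a pointer to an item is used after the list and the items it contains have been freed. The items are 77 bytes long, so the idea was to cache those memory blocks and not release them. But we cannot prevent the destructors of the item struct's fields from being called, so the contained items remain in a sort of "destructed but still present in memory" state that is not completely sane. That is the cause of the errors you are still seeing. In other words, the workaround only reduces how often the heap gets corrupted; the dangling access itself is still there, so it should be treated as an unresolved memory-safety bug in the client and not only as a stability problem.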