prop271: circuits_pending_other_guards not properly maintained
Hello,
I've been doing various tests of prop271 by using it with Tor Browser. I started digging more into circuit_find_circuits_to_upgrade_from_guard_wait() and particularly the circuits_pending_other_guards smartlist to understand better how this feature works in little-t-tor.
While inspecting the elements of circuits_pending_other_guards I noticed that some of those circuits were zombies that were already freed, probably because they were closed but not removed from the smartlist.
The only time we change membership of that list is in circuit_set_state():
    if (circ->state == CIRCUIT_STATE_GUARD_WAIT) {
      smartlist_remove(circuits_pending_other_guards, circ);
    }
    if (state == CIRCUIT_STATE_GUARD_WAIT) {
      smartlist_add(circuits_pending_other_guards, circ);
    }
We should probably consider removing circuits from that list when they are marked for close as well, so that the list does not stay permanently populated. Also see how membership in the similar smartlist circuits_pending_chans is maintained.
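The list-membership problem described in this ticket, as an added example that is not part of the original report and is not Tor source code: a simplified C model in which the state setter is the only place that edits the pending list, next to a close path that also unlinks the circuit. All `demo_` names, the fixed-size array standing in for the smartlist, and the `unlink_on_close` switch are assumptions made for illustration.

```c
/* Simplified model of the ticket's scenario; not Tor code. */
#include <stddef.h>
#include <stdio.h>

enum demo_state { DEMO_BUILDING, DEMO_GUARD_WAIT, DEMO_OPEN };
typedef struct { enum demo_state state; int marked_for_close; } demo_circ_t;

#define DEMO_MAX 16
static demo_circ_t *pending[DEMO_MAX]; /* stands in for circuits_pending_other_guards */
static size_t n_pending;

static void pending_remove(demo_circ_t *c) {
  for (size_t i = 0; i < n_pending; i++)
    if (pending[i] == c) { pending[i] = pending[--n_pending]; return; }
}

/* Same membership logic as the snippet quoted in the ticket. */
void demo_set_state(demo_circ_t *c, enum demo_state s) {
  if (c->state == DEMO_GUARD_WAIT) pending_remove(c);
  if (s == DEMO_GUARD_WAIT && n_pending < DEMO_MAX) pending[n_pending++] = c;
  c->state = s;
}

/* Close path. unlink_on_close == 0 leaves the entry behind, as reported. */
void demo_mark_for_close(demo_circ_t *c, int unlink_on_close) {
  c->marked_for_close = 1;
  if (unlink_on_close && c->state == DEMO_GUARD_WAIT) pending_remove(c);
}

/* Invariant check: no list entry may refer to a circuit marked for close. */
size_t demo_count_stale(void) {
  size_t stale = 0;
  for (size_t i = 0; i < n_pending; i++)
    if (pending[i]->marked_for_close) stale++;
  return stale;
}

/* Two circuits wait on a guard; one is closed, the other opens normally. */
size_t demo_run(int unlink_on_close) {
  static demo_circ_t a, b; /* static: nothing is freed in this model */
  n_pending = 0;
  a = (demo_circ_t){DEMO_BUILDING, 0};
  b = (demo_circ_t){DEMO_BUILDING, 0};
  demo_set_state(&a, DEMO_GUARD_WAIT);
  demo_set_state(&b, DEMO_GUARD_WAIT);
  demo_mark_for_close(&a, unlink_on_close);
  demo_set_state(&b, DEMO_OPEN);
  return demo_count_stale();
}
int main(void) { printf("%zu %zu\n", demo_run(0), demo_run(1)); return 0; }
```

A check like `demo_count_stale()` run from a debug build or unit test catches the stale entry while the object is still valid, before a later free turns it into a dangling pointer.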