router_add_to_routerlist returns >=0 but ri gets freed
Running r10828 inside valgrind:
==21699== Invalid read of size 1
==21699==    at 0x80C6C2D: routerlist_descriptors_added (routerlist.c:2752)
==21699==    by 0x80C7169: router_load_routers_from_string (routerlist.c:2870)
==21699==    by 0x80C077D: router_reload_router_list_impl (routerlist.c:566)
==21699==    by 0x80C0818: router_reload_router_list (routerlist.c:594)
==21699==    by 0x80A7A2E: do_main_loop (main.c:1330)
==21699==    by 0x80A8F26: tor_main (main.c:2606)
==21699==    by 0x80DD9D9: main (tor_main.c:28)
==21699==  Address 0x51EC212 is 154 bytes inside a block of size 172 free'd
==21699==    at 0x401CFA5: free (vg_replace_malloc.c:233)
==21699==    by 0x80C3992: routerinfo_free (routerlist.c:1761)
==21699==    by 0x80C51FF: routerlist_replace (routerlist.c:2195)
==21699==    by 0x80C6053: router_add_to_routerlist (routerlist.c:2484)
==21699==    by 0x80C712F: router_load_routers_from_string (routerlist.c:2841)
==21699==    by 0x80C077D: router_reload_router_list_impl (routerlist.c:566)
==21699==    by 0x80C0818: router_reload_router_list (routerlist.c:594)
==21699==    by 0x80A7A2E: do_main_loop (main.c:1330)
==21699==    by 0x80A8F26: tor_main (main.c:2606)
==21699==    by 0x80DD9D9: main (tor_main.c:28)
I only notice this now because I recently changed the call to control_event_descriptors_changed() so we also look at the ri's when we're not listening for certain controller events -- see routerlist_descriptors_added().
I notice there are a few other places that call router_add_to_routerlist() and expect ri to be usable if it doesn't fail -- including in dirserv.c, which might explain some of these "routerlist has a freed routerinfo" bugs we keep seeing on authorities.
So the first question is: what's the chain of events that causes router_add_to_routerlist() to return >=0 yet to free the routerinfo?
[Automatically added by flyspray2trac: Operating System: All]
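The following is an added illustration of the ownership contract the ticket is about, constructed for this page; it is not Tor's routerlist.c, and desc_t, list_t, list_add_desc_buggy and list_add_desc are hypothetical names. The buggy variant mirrors the trace above: an "add" that consumes its argument in every branch but signals success (return >= 0) even on the branch where it freed the argument, so a caller that then reads the pointer reads freed memory. The hardened variant returns the entry the list actually holds afterwards, so the caller never has to guess whether its argument survived.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration of the ownership hazard this ticket describes;
 * it is not Tor's routerlist.c. desc_t, list_t, list_add_desc_buggy and
 * list_add_desc are hypothetical names chosen for the example. */

typedef struct desc_t {
  char id[8];     /* identity key we deduplicate on */
  long published; /* a newer descriptor replaces an older one */
} desc_t;

#define LIST_MAX 8
typedef struct list_t {
  desc_t *slots[LIST_MAX];
  size_t n;
} list_t;

enum { ADD_REJECTED = -1, ADD_NEW = 0, ADD_NOT_NEW = 1, ADD_REPLACED = 2 };

static int g_free_count = 0; /* counts descriptors freed, so a test can observe frees */

static desc_t *desc_new(const char *id, long published) {
  desc_t *d = calloc(1, sizeof *d);
  if (!d) abort();
  snprintf(d->id, sizeof d->id, "%s", id);
  d->published = published;
  return d;
}

static void desc_free(desc_t *d) {
  if (d) { g_free_count++; free(d); }
}

static size_t list_find(const list_t *l, const char *id) {
  for (size_t i = 0; i < l->n; i++)
    if (strcmp(l->slots[i]->id, id) == 0) return i;
  return (size_t)-1;
}

/* The hazard. Callers read this as "ri is in the list and usable iff the
 * return is >= 0", but the not-newer branch frees ri and still returns a
 * non-negative value, so any later read of ri is a use after free. */
static int list_add_desc_buggy(list_t *l, desc_t *ri) {
  size_t i = list_find(l, ri->id);
  if (i == (size_t)-1) {
    if (l->n == LIST_MAX) { desc_free(ri); return ADD_REJECTED; }
    l->slots[l->n++] = ri;
    return ADD_NEW;
  }
  if (ri->published <= l->slots[i]->published) {
    desc_free(ri);      /* ri discarded as not newer ... */
    return ADD_NOT_NEW; /* ... yet a non-negative result is reported */
  }
  desc_free(l->slots[i]); /* replace the older entry we held */
  l->slots[i] = ri;
  return ADD_REPLACED;
}

/* Hardened contract: ri is always consumed, and the function returns the
 * descriptor the list holds for that identity afterwards (NULL when
 * rejected). Callers use the returned pointer and never touch ri again. */
static desc_t *list_add_desc(list_t *l, desc_t *ri, int *status) {
  size_t i = list_find(l, ri->id);
  if (i == (size_t)-1) {
    if (l->n == LIST_MAX) { desc_free(ri); *status = ADD_REJECTED; return NULL; }
    l->slots[l->n++] = ri;
    *status = ADD_NEW;
    return ri;
  }
  if (ri->published <= l->slots[i]->published) {
    desc_free(ri);
    *status = ADD_NOT_NEW;
    return l->slots[i]; /* the live entry, not the freed argument */
  }
  desc_free(l->slots[i]);
  l->slots[i] = ri;
  *status = ADD_REPLACED;
  return ri;
}

static void list_free(list_t *l) {
  for (size_t i = 0; i < l->n; i++) desc_free(l->slots[i]);
  l->n = 0;
}

int main(void) {
  list_t l = {0};
  list_add_desc_buggy(&l, desc_new("aaaa", 100));
  int before = g_free_count;
  int rc = list_add_desc_buggy(&l, desc_new("aaaa", 100)); /* duplicate */
  printf("buggy: rc=%d (>= 0) but argument frees=%d\n", rc, g_free_count - before);

  int st = 0;
  desc_t *held = list_add_desc(&l, desc_new("aaaa", 50), &st);
  printf("hardened: status=%d, live entry published=%ld\n", st, held->published);
  list_free(&l);
  return 0;
}
```

The design point is that an API which may free its argument on a non-error path needs to hand the caller something safe to use instead (here the live entry), or document that the argument is dead on every return; a bare "non-negative means success" is not enough for callers like the dirserv.c sites the report mentions.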