another free() crash (#19177) · Issues · The Tor Project / Core / Tor

another free() crash

this is still on commit 0f80dd2 - maybe just another variant of legacy/trac#19128 or legacy/trac#19175 : ``` ============================================================ T= 1464221042 Tor 0.2.8.2-alpha-dev (git-684babee8491c3e9) died: Caught signal 11 /usr/bin/tor(+0x1435c9)[0x7a2491b5c9] /lib64/libc.so.6(cfree+0x14)[0x3aaf152f244] /lib64/libc.so.6(cfree+0x14)[0x3aaf152f244] /usr/bin/tor(tor_cert_free+0x51)[0x7a2487bca1] /usr/bin/tor(+0x86cef)[0x7a2485ecef] /usr/bin/tor(+0x8c4c0)[0x7a248644c0] /usr/bin/tor(routerlist_remove_old_routers+0x665)[0x7a24866bb5] /usr/bin/tor(+0x3d615)[0x7a24815615] /usr/bin/tor(+0x57ac3)[0x7a2482fac3] /usr/lib64/libevent-2.0.so.5(event_base_loop+0xcc0)[0x3aaf27d3840] /usr/bin/tor(do_main_loop+0x235)[0x7a248190c5] /usr/bin/tor(tor_main+0x1b35)[0x7a2481c745] /usr/bin/tor(main+0x2b)[0x7a248146ab] /lib64/libc.so.6(__libc_start_main+0x114)[0x3aaf14cd734] /usr/bin/tor(_start+0x29)[0x7a248146f9] ``` and gdb out is ``` Program received signal SIGSEGV, Segmentation fault. __GI___libc_free (mem=0x64656d616e6e55) at malloc.c:2945 2945 malloc.c: No such file or directory. #0 __GI___libc_free (mem=0x64656d616e6e55) at malloc.c:2945 #1 0x0000007a2487bca1 in tor_cert_free (cert=0x7a2bfb3830) at src/or/torcert.c:119 #2 0x0000007a2485ecef in signed_descriptor_free (sd=0x7a2d0410e0) at src/or/routerlist.c:2935 #3 0x0000007a24863fd6 in routerlist_remove_old (rl=<optimized out>, sd=<optimized out>, idx=<optimized out>, idx@entry=1242) at src/or/routerlist.c:3309 #4 0x0000007a248644c0 in routerlist_remove_old_cached_routers_with_id ( now=now@entry=1464221041, cutoff=cutoff@entry=1463789041, lo=lo@entry=1241, hi=hi@entry=1243, retain=retain@entry=0x7a2cd11040) at src/or/routerlist.c:3821 #5 0x0000007a24866bb5 in routerlist_remove_old_routers () at src/or/routerlist.c:3940 #6 0x0000007a24815615 in check_descriptor_callback (now=1464221041, options=<optimized out>) at src/or/main.c:1858 #7 0x0000007a2482fac3 in periodic_event_dispatch (fd=<optimized out>, what=<optimized out>, data=0x7a24c20340 <periodic_events+512>) at src/or/periodic.c:52 #8 0x000003aaf27d3840 in event_process_active_single_queue ( activeq=0x7a282e6cd0, base=0x7a282e7ab0) at /var/tmp/portage/dev-libs/libevent-2.0.22/work/libevent-2.0.22-stable/event.c:1368 #9 event_process_active (base=<optimized out>) at /var/tmp/portage/dev-libs/libevent-2.0.22/work/libevent-2.0.22-stable/event.c:1438 #10 event_base_loop (base=0x7a282e7ab0, flags=flags@entry=0) at /var/tmp/portage/dev-libs/libevent-2.0.22/work/libevent-2.0.22-stable/event.c:1639 #11 0x0000007a248190c5 in run_main_loop_once () at src/or/main.c:2537 #12 run_main_loop_until_done () at src/or/main.c:2583 #13 do_main_loop () at src/or/main.c:2509 #14 0x0000007a2481c745 in tor_main (argc=<optimized out>, argv=<optimized out>) at src/or/main.c:3638 #15 0x0000007a248146ab in main (argc=<optimized out>, argv=<optimized out>) at src/or/tor_main.c:30 warning: target file /proc/1917/cmdline contained unexpected null characters Saved corefile /root/core (gdb) quit A debugging session is active. Inferior 1 [process 1917] will be detached. Quit anyway? (y or n) [answered Y; input not from terminal] Detaching from program: /usr/bin/tor, process 1917 ``` Neither gdb nor tor are running but I do have a core file (and the logs)

issue