double-free of MyFamily lines
Run a relay under valgrind with "myfamily moria1", and then ctrl-C it once it bootstraps. Upon exit, you'll get:

```
==17604== Invalid free() / delete / delete[] / realloc()
==17604== at 0x4C29E90: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==17604== by 0x277E75: config_free_lines (confline.c:323)
==17604== by 0x1F56F2: or_options_free (config.c:898)
==17604== by 0x1F6583: config_free_all (config.c:907)
==17604== by 0x157CCC: tor_free_all (main.c:3238)
==17604== by 0x157DB0: tor_cleanup (main.c:3310)
==17604== by 0x2614E5: hibernate_begin (hibernate.c:818)
==17604== by 0x1584E9: process_signal (main.c:2686)
==17604== by 0x1584E9: signal_callback (main.c:2663)
==17604== by 0x5361A14: event_base_loop (in /usr/lib/x86_64-linux-gnu/libevent-2.0.so.5.1.9)
==17604== by 0x156E23: run_main_loop_once (main.c:2594)
==17604== by 0x156E23: run_main_loop_until_done (main.c:2648)
==17604== by 0x156E23: do_main_loop (main.c:2561)
==17604== by 0x15A664: tor_main (main.c:3745)
==17604== by 0x152628: main (tor_main.c:34)
==17604== Address 0x668f9a0 is 0 bytes inside an unallocated block of size 16 in arena "client"
```

User DeS originally found this bug on legacy/trac#22255, with this stack trace:

```
==33656== Invalid free() / delete / delete[] / realloc()
==33656== at 0x4C2BDEC: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==33656== by 0x1A4378: routerinfo_free (routerlist.c:3172)
==33656== by 0x199BF6: router_rebuild_descriptor (router.c:2449)
==33656== by 0x199CD2: router_get_my_routerinfo (router.c:2013)
==33656== by 0x1D183E: channel_tls_process_netinfo_cell (channeltls.c:1679)
==33656== by 0x1D183E: channel_tls_handle_cell (channeltls.c:1133)
==33656== by 0x2137A0: connection_or_process_cells_from_inbuf (connection_or.c:2085)
==33656== by 0x20ABE4: connection_handle_read_impl (connection.c:3451)
==33656== by 0x153CB0: conn_read_callback (main.c:736)
==33656== by 0x5363F23: event_base_loop (in /usr/lib/x86_64-linux-gnu/libevent-2.0.so.5.1.9)
==33656== by 0x154DDC: run_main_loop_once (main.c:2594)
==33656== by 0x154DDC: run_main_loop_until_done (main.c:2648)
==33656== by 0x154DDC: do_main_loop (main.c:2561)
==33656== by 0x158594: tor_main (main.c:3745)
==33656== by 0x1507C8: main (tor_main.c:34)
==33656== Address 0x6453720 is 0 bytes inside a block of size 42 free'd
==33656== at 0x4C2BDEC: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==33656== by 0x1995BC: router_build_fresh_descriptor (router.c:2327)
==33656== by 0x199BE2: router_rebuild_descriptor (router.c:2445)
==33656== by 0x199CD2: router_get_my_routerinfo (router.c:2013)
==33656== by 0x1D183E: channel_tls_process_netinfo_cell (channeltls.c:1679)
==33656== by 0x1D183E: channel_tls_handle_cell (channeltls.c:1133)
==33656== by 0x2137A0: connection_or_process_cells_from_inbuf (connection_or.c:2085)
==33656== by 0x20ABE4: connection_handle_read_impl (connection.c:3451)
==33656== by 0x153CB0: conn_read_callback (main.c:736)
==33656== by 0x5363F23: event_base_loop (in /usr/lib/x86_64-linux-gnu/libevent-2.0.so.5.1.9)
==33656== by 0x154DDC: run_main_loop_once (main.c:2594)
==33656== by 0x154DDC: run_main_loop_until_done (main.c:2648)
==33656== by 0x154DDC: do_main_loop (main.c:2561)
==33656== by 0x158594: tor_main (main.c:3745)
==33656== by 0x1507C8: main (tor_main.c:34)
==33656==
==33656== Invalid free() / delete / delete[] / realloc()
==33656== at 0x4C2BDEC: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==33656== by 0x1995BC: router_build_fresh_descriptor (router.c:2327)
==33656== by 0x199BE2: router_rebuild_descriptor (router.c:2445)
==33656== by 0x199CD2: router_get_my_routerinfo (router.c:2013)
==33656== by 0x19A358: router_my_exit_policy_is_reject_star (router.c:1963)
==33656== by 0x247025: dns_resolve_impl.constprop.9 (dns.c:720)
==33656== by 0x249A68: dns_resolve (dns.c:614)
==33656== by 0x2101BA: connection_exit_begin_conn (connection_edge.c:3292)
==33656== by 0x17B4A0: connection_edge_process_relay_cell (relay.c:1648)
==33656== by 0x17CCD8: circuit_receive_relay_cell (relay.c:328)
==33656== by 0x1EF725: command_process_relay_cell (command.c:542)
==33656== by 0x1EF725: command_process_cell (command.c:196)
==33656== by 0x1D19A2: channel_tls_handle_cell (channeltls.c:1152)
==33656== Address 0x6452e10 is 80 bytes inside a block of size 128 alloc'd
==33656== at 0x4C2CE8E: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==33656== by 0x5858E68: CRYPTO_realloc (in /lib/x86_64-linux-gnu/libcrypto.so.1.0.0)
==33656== by 0x58DF3B9: sk_dup (in /lib/x86_64-linux-gnu/libcrypto.so.1.0.0)
==33656== by 0x55D900D: ??? (in /lib/x86_64-linux-gnu/libssl.so.1.0.0)
==33656== by 0x55D13B3: SSL_set_cipher_list (in /lib/x86_64-linux-gnu/libssl.so.1.0.0)
==33656== by 0x29407E: tor_tls_session_secret_cb (tortls.c:1599)
==33656== by 0x55AD7D5: ??? (in /lib/x86_64-linux-gnu/libssl.so.1.0.0)
==33656== by 0x55B1DAC: ??? (in /lib/x86_64-linux-gnu/libssl.so.1.0.0)
==33656== by 0x55BF863: ??? (in /lib/x86_64-linux-gnu/libssl.so.1.0.0)
==33656== by 0x2973A2: tor_tls_handshake (tortls.c:1901)
==33656== by 0x216D7F: connection_tls_continue_handshake (connection_or.c:1420)
==33656== by 0x217137: connection_tls_start_handshake (connection_or.c:1372)
==33656==
==33656== Invalid read of size 8
==33656== at 0x58E41E1: EVP_MD_CTX_cleanup (in /lib/x86_64-linux-gnu/libcrypto.so.1.0.0)
==33656== by 0x58E463D: EVP_MD_CTX_destroy (in /lib/x86_64-linux-gnu/libcrypto.so.1.0.0)
==33656== by 0x55BA0D0: ??? (in /lib/x86_64-linux-gnu/libssl.so.1.0.0)
==33656== by 0x55B789B: ??? (in /lib/x86_64-linux-gnu/libssl.so.1.0.0)
==33656== by 0x55D44DA: SSL_free (in /lib/x86_64-linux-gnu/libssl.so.1.0.0)
==33656== by 0x295BD5: tor_tls_free (tortls.c:1794)
==33656== by 0x204EA7: connection_free_ (connection.c:572)
==33656== by 0x1536BD: conn_close_if_marked (main.c:908)
==33656== by 0x1536BD: close_closeable_connections (main.c:700)
==33656== by 0x153FE0: run_scheduled_events (main.c:1474)
==33656== by 0x153FE0: second_elapsed_callback (main.c:2175)
==33656== by 0x5363F23: event_base_loop (in /usr/lib/x86_64-linux-gnu/libevent-2.0.so.5.1.9)
==33656== by 0x154DDC: run_main_loop_once (main.c:2594)
==33656== by 0x154DDC: run_main_loop_until_done (main.c:2648)
==33656== by 0x154DDC: do_main_loop (main.c:2561)
==33656== by 0x158594: tor_main (main.c:3745)
==33656== Address 0x699aeaf2 is not stack'd, malloc'd or (recently) free'd
```

Once we've resolved this ticket, we should take a closer look at that last "Invalid read of size 8" stanza, and open a new ticket for it if needed.