[Libwebsockets] Segfault

"Andy Green (林安廸)" andy at warmcat.com
Fri Jan 18 15:04:47 CET 2013


On 18/01/13 21:20, the mail apparently from Jack Mitchell included:

Hi -

> Today I tried out the latest libwebsockets master in my embedded
> application and gave it a good thrashing. I managed to reproduce a
> segfault a few times - I have had this issue before but thought I had
> fixed it but it has reared its ugly head again in this new release. I

Hm sorry to hear that but I am glad to hear you are beating on the 
library HEAD.

> have attached a valgrind trace below in the hope that someone could help
> me out.
>
> I think it is trying to write to a dead socket (null pointer) and
> bailing out. Should there be some extra error checking somewhere to
> ensure that a dead socket is never written to?

Until this week it would have been too expensive, but with the new 
lookup array approach it should be possible to cheaply confirm the 
struct websocket you have hold of still jibes with the pollfd it claims 
to hold and the fds match.

I added an API lws_confirm_legit_wsi()

http://git.libwebsockets.org/cgi-bin/cgit/libwebsockets/commit/?id=acbaee649ab62beb34609d4b79e8814a2913430f

and used it on libwebsocket_write... if you think that's the problem you 
can sprinkle them around and see if it fires.  It looks for any 
inconsistency between what the struct websocket thinks its position in 
the polling table and what the polling table thinks.

I wasn't really able to tie up the valgrind log with the idea something 
blows segfaults.  The log shows a memcpy inside deflate is reading 2 
bytes it shouldn't?

-Andy

> I'm going to investigate some more and will let you know if I find a
> solution!
>
> ==1722== Invalid read of size 2
> ==1722==    at 0x481172C: memcpy (mc_replace_strmem.c:838)
> ==1722==    by 0x4AC2A53: flush_pending (deflate.c:651)
> ==1722==    by 0x4AC3E83: deflate (deflate.c:869)
> ==1722==    by 0x499087B: lws_extension_callback_deflate_frame
> (extension-deflate-frame.c:224)
> ==1722==    by 0x498F9CF: libwebsocket_write (output.c:323)
> ==1722==    by 0xEC5B: webSock_genericSendRecieve
> (webInterface_webSockets.c:99)
> ==1722==    by 0x498B39B: user_callback_handle_rxflow
> (libwebsockets.c:1666)
> ==1722==    by 0x498B45B: libwebsockets_broadcast (libwebsockets.c:2411)
> ==1722==    by 0xEEAB: webSock_broadcastJsonObject
> (webInterface_webSockets.c:223)
> ==1722==    by 0xD81F: XX86socket_handleReceive (XX86_socket.c:110)
> ==1722==    by 0xED9B: webSock_genericSendRecieve
> (webInterface_webSockets.c:147)
> ==1722==    by 0x498B39B: user_callback_handle_rxflow
> (libwebsockets.c:1666)
> ==1722==  Address 0x4ec62e0 is 0 bytes after a block of size 65,536 alloc'd
> ==1722==    at 0x480F7C0: malloc (vg_replace_malloc.c:263)
> ==1722==    by 0x4AC51F7: deflateInit2_ (deflate.c:301)
> ==1722==    by 0x49906AF: lws_extension_callback_deflate_frame
> (extension-deflate-frame.c:42)
> ==1722==    by 0x498D2AB: handshake_0405 (handshake.c:427)
> ==1722==    by 0x498D92B: libwebsocket_read (handshake.c:690)
> ==1722==    by 0x498CA27: libwebsocket_service_fd (libwebsockets.c:887)
> ==1722==    by 0x498CC1F: libwebsocket_service (libwebsockets.c:1376)
> ==1722==    by 0xA93F: main (R0005.c:108)
> ==1722==
> ==1722== Invalid read of size 2
> ==1722==    at 0x4811720: memcpy (mc_replace_strmem.c:838)
> ==1722==    by 0x4AC2A53: flush_pending (deflate.c:651)
> ==1722==    by 0x4AC3E83: deflate (deflate.c:869)
> ==1722==    by 0x499087B: lws_extension_callback_deflate_frame
> (extension-deflate-frame.c:224)
> ==1722==    by 0x498F9CF: libwebsocket_write (output.c:323)
> ==1722==    by 0xEC5B: webSock_genericSendRecieve
> (webInterface_webSockets.c:99)
> ==1722==    by 0x498B39B: user_callback_handle_rxflow
> (libwebsockets.c:1666)
> ==1722==    by 0x498B45B: libwebsockets_broadcast (libwebsockets.c:2411)
> ==1722==    by 0xEEAB: webSock_broadcastJsonObject
> (webInterface_webSockets.c:223)
> ==1722==    by 0xD81F: XX86socket_handleReceive (XX86_socket.c:110)
> ==1722==    by 0xED9B: webSock_genericSendRecieve
> (webInterface_webSockets.c:147)
> ==1722==    by 0x498B39B: user_callback_handle_rxflow
> (libwebsockets.c:1666)
> ==1722==  Address 0x4ec62e2 is 2 bytes after a block of size 65,536 alloc'd
> ==1722==    at 0x480F7C0: malloc (vg_replace_malloc.c:263)
> ==1722==    by 0x4AC51F7: deflateInit2_ (deflate.c:301)
> ==1722==    by 0x49906AF: lws_extension_callback_deflate_frame
> (extension-deflate-frame.c:42)
> ==1722==    by 0x498D2AB: handshake_0405 (handshake.c:427)
> ==1722==    by 0x498D92B: libwebsocket_read (handshake.c:690)
> ==1722==    by 0x498CA27: libwebsocket_service_fd (libwebsockets.c:887)
> ==1722==    by 0x498CC1F: libwebsocket_service (libwebsockets.c:1376)
> ==1722==    by 0xA93F: main (R0005.c:108)
> ==1722==
> ==1722== Invalid write of size 2
> ==1722==    at 0x4811724: memcpy (mc_replace_strmem.c:838)
> ==1722==    by 0x4AC2A53: flush_pending (deflate.c:651)
> ==1722==    by 0x4AC3E83: deflate (deflate.c:869)
> ==1722==    by 0x499087B: lws_extension_callback_deflate_frame
> (extension-deflate-frame.c:224)
> ==1722==    by 0x498F9CF: libwebsocket_write (output.c:323)
> ==1722==    by 0xEC5B: webSock_genericSendRecieve
> (webInterface_webSockets.c:99)
> ==1722==    by 0x498B39B: user_callback_handle_rxflow
> (libwebsockets.c:1666)
> ==1722==    by 0x498B45B: libwebsockets_broadcast (libwebsockets.c:2411)
> ==1722==    by 0xEEAB: webSock_broadcastJsonObject
> (webInterface_webSockets.c:223)
> ==1722==    by 0xD81F: XX86socket_handleReceive (XX86_socket.c:110)
> ==1722==    by 0xED9B: webSock_genericSendRecieve
> (webInterface_webSockets.c:147)
> ==1722==    by 0x498B39B: user_callback_handle_rxflow
> (libwebsockets.c:1666)
> ==1722==  Address 0x4dcdcbe is 0 bytes after a block of size 65,558 alloc'd
> ==1722==    at 0x480F8C0: realloc (vg_replace_malloc.c:632)
> ==1722==    by 0x4990833: lws_extension_callback_deflate_frame
> (extension-deflate-frame.c:248)
> ==1722==    by 0x498F9CF: libwebsocket_write (output.c:323)
> ==1722==    by 0xEFB7: webSock_writeJsonObject
> (webInterface_webSockets.c:272)
> ==1722==    by 0xB08F: XX86data_writeAllDataToSocket (XX86_data.c:54)
> ==1722==    by 0xD8A7: XX86socket_handleReceive (XX86_socket.c:47)
> ==1722==    by 0xED9B: webSock_genericSendRecieve
> (webInterface_webSockets.c:147)
> ==1722==    by 0x498B39B: user_callback_handle_rxflow
> (libwebsockets.c:1666)
> ==1722==    by 0x498EF03: libwebsocket_rx_sm (parsers.c:870)
> ==1722==    by 0x498F037: libwebsocket_interpret_incoming_packet
> (parsers.c:941)
> ==1722==    by 0x498D757: libwebsocket_read (handshake.c:723)
> ==1722==    by 0x498CAFB: libwebsocket_service_fd (libwebsockets.c:1227)
> ==1722==
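As an added illustration of the kind of cross-check Andy describes (this is not the library's real lws_confirm_legit_wsi(), and the struct layout, field names and the slot-filling close behaviour are assumptions made for the example): a small poll table with a reverse fd-to-wsi lookup array, and a consistency check run before a write that catches a wsi the application still holds after its connection has been closed.

```c
#include <poll.h>
/* Constructed, simplified model of the context/wsi bookkeeping, not the
 * library's real structs; the fd value doubles as the lookup array index. */
#define MAX_FDS 8
struct lws_wsi { int sock; int position_in_fds_table; };
struct lws_ctx { struct pollfd fds[MAX_FDS]; int fds_count;   /* poll() table */
                 struct lws_wsi *lws_lookup[MAX_FDS]; };      /* fd -> wsi   */
/* Cross-check both directions: 0 means consistent, otherwise a reason code. */
int confirm_legit_wsi(const struct lws_ctx *ctx, const struct lws_wsi *wsi)
{
    if (!wsi) return 1;                                   /* null wsi */
    if (wsi->sock < 0 || wsi->sock >= MAX_FDS) return 2;  /* bogus fd */
    int pos = wsi->position_in_fds_table;
    if (pos < 0 || pos >= ctx->fds_count) return 3;       /* slot gone */
    if (ctx->fds[pos].fd != wsi->sock) return 4;          /* slot reused */
    if (ctx->lws_lookup[wsi->sock] != wsi) return 5;      /* fd reassigned */
    return 0;
}
void insert_wsi(struct lws_ctx *ctx, struct lws_wsi *wsi, int fd)
{
    wsi->sock = fd; wsi->position_in_fds_table = ctx->fds_count;
    ctx->fds[ctx->fds_count] = (struct pollfd){ .fd = fd, .events = POLLIN };
    ctx->lws_lookup[fd] = wsi; ctx->fds_count++;
}
/* Close: the last slot slides into the hole. The closed wsi's own fields are
 * left as they were, modelling a dangling pointer the application still holds. */
void remove_wsi(struct lws_ctx *ctx, struct lws_wsi *wsi)
{
    int pos = wsi->position_in_fds_table;
    ctx->lws_lookup[wsi->sock] = 0;
    if (--ctx->fds_count != pos) {
        ctx->fds[pos] = ctx->fds[ctx->fds_count];
        ctx->lws_lookup[ctx->fds[pos].fd]->position_in_fds_table = pos;
    }
}
/* Constructed scenario: fd 3 and fd 4 connect, fd 3 closes but the application
 * keeps its wsi. step 0: the stale wsi, 1: the survivor, 2: after both closed. */
int scenario_code(int step)
{
    struct lws_ctx ctx = {0}; struct lws_wsi a, b;
    insert_wsi(&ctx, &a, 3);
    insert_wsi(&ctx, &b, 4);
    remove_wsi(&ctx, &a);                               /* b slides into slot 0 */
    if (step == 0) return confirm_legit_wsi(&ctx, &a);  /* 4: slot now holds fd 4 */
    if (step == 1) return confirm_legit_wsi(&ctx, &b);  /* 0: still consistent */
    remove_wsi(&ctx, &b);
    return confirm_legit_wsi(&ctx, &b);                 /* 3: table is empty */
}
```

A write path that calls confirm_legit_wsi() first and refuses on a nonzero code turns the silent write to a dead or reassigned socket into a loud, loggable failure.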



