Invalid free on timeout #82

Closed
Jesin opened this issue Sep 2, 2020 · 5 comments
@Jesin

Jesin commented Sep 2, 2020

I ran auracle outdated (compiled from f338d45) during a brief period when all my connections to aur.archlinux.org:443 (even through other programs) were timing out. The initial line of the output seems fine, but I imagine the rest of this was not intended:

error: UNKNOWN: Failed to connect to aur.archlinux.org port 443: Connection timed out
free(): invalid pointer
Aborted (core dumped)

If you'd like me to send you the coredump file, my version of the binary, the libraries it loads, and/or any other relevant info, just let me know.

@falconindy
Owner

A symbolized stack trace would be helpful.

@falconindy
Owner

Well, I suppose the good news is that I can reproduce this with auracle --baseurl http://10.255.255.1 outdated.

@falconindy
Owner

This is a bug in the cancellation logic that leads to the io source being unref'd multiple times because we receive two events with CURL_POLL_REMOVE. Here's a backtrace of where it goes bad:

(gdb) bt
#0  aur::AurImpl::DispatchSocketCallback (this=0x618000000480, s=<optimized out>, action=4, io=<optimized out>) at ../src/aur/aur.cc:330
#1  0x00007ffff74fa4e1 in singlesocket () from /usr/lib/libcurl.so.4
#2  0x00007ffff74fe622 in curl_multi_remove_handle () from /usr/lib/libcurl.so.4
#3  0x000055555570e833 in aur::AurImpl::FinishRequest (this=<optimized out>, curl=0x623000005500, result=<optimized out>, dispatch_callback=<optimized out>) at ../src/aur/aur.cc:462
#4  0x0000555555708cc1 in std::__do_visit<std::__detail::__variant::__deduce_visit_result<void>, aur::AurImpl::Cancel(const value_type&)::Visitor, const std::variant<void*, sd_event_source*>&> (__visitor=...) at /usr/include/c++/10.2.0/variant:869
#5  std::visit<aur::AurImpl::Cancel(const value_type&)::Visitor, const std::variant<void*, sd_event_source*>&> (__visitor=...) at /usr/include/c++/10.2.0/variant:1710
#6  aur::AurImpl::Cancel (this=0x618000000480, request=...) at ../src/aur/aur.cc:291
#7  0x00005555557090f6 in aur::AurImpl::CancelAll (this=0x618000000480) at ../subprojects/abseil-cpp-20200225.2/absl/container/internal/raw_hash_set.h:311
#8  0x000055555570f08d in aur::AurImpl::CheckFinished (this=0x618000000480) at ../src/aur/aur.cc:485
#9  0x000055555570f341 in aur::AurImpl::DispatchSocketCallback (this=0x618000000480, s=<optimized out>, action=4, io=<optimized out>) at ../src/aur/aur.cc:332
#10 0x00007ffff74fb092 in Curl_multi_closed () from /usr/lib/libcurl.so.4
#11 0x00007ffff74cc631 in Curl_closesocket () from /usr/lib/libcurl.so.4
#12 0x00007ffff74df551 in Curl_disconnect () from /usr/lib/libcurl.so.4
#13 0x00007ffff74fc354 in multi_done () from /usr/lib/libcurl.so.4
#14 0x00007ffff74fcc91 in multi_runsingle () from /usr/lib/libcurl.so.4
#15 0x00007ffff74fe1d1 in multi_socket () from /usr/lib/libcurl.so.4
#16 0x00007ffff74fe354 in curl_multi_socket_action () from /usr/lib/libcurl.so.4
#17 0x000055555570f60d in aur::AurImpl::OnCurlTimer (userdata=0x618000000480) at ../src/aur/aur.cc:401
#18 0x00007ffff7466b3e in ?? () from /usr/lib/libsystemd.so.0
#19 0x00007ffff746821e in sd_event_dispatch () from /usr/lib/libsystemd.so.0
#20 0x00007ffff746a6a9 in sd_event_run () from /usr/lib/libsystemd.so.0
#21 0x0000555555704bd3 in aur::AurImpl::Wait (this=0x618000000480) at ../src/aur/aur.cc:495
#22 0x000055555563ee8a in auracle::Auracle::GetOutdatedPackages (this=<optimized out>, args=std::vector of length 0, capacity 0, packages=<optimized out>) at /usr/include/c++/10.2.0/bits/unique_ptr.h:421
#23 0x0000555555656816 in auracle::Auracle::Outdated (this=<optimized out>, args=..., options=...) at ../src/auracle/auracle.cc:564
#24 0x0000555555596c7f in main (argc=<optimized out>, argv=<optimized out>) at ../subprojects/abseil-cpp-20200225.2/absl/container/internal/raw_hash_set.h:311

I'd take a patch for fixing this, but I don't know if I'll have time to look into this myself.
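
The re-entrancy visible in the backtrace above (a socket callback that releases its io source, then cancels the remaining transfers, which delivers a second remove event for the same socket), reduced to a stand-alone C++ model. This is an added illustration, not auracle's code and not the fix that was committed; `Model`, `OnSocket`, `CancelAll` and `SimulateTimeout` are hypothetical names, and the guard shown (forget the socket before anything can re-enter) is one possible mitigation.

```cpp
#include <cstdio>
#include <unordered_map>
#include <unordered_set>
#include <vector>

// Constructed model: no libcurl or auracle code. kPollRemove mirrors the
// value of CURL_POLL_REMOVE (action=4 in the backtrace).
constexpr int kPollRemove = 4;

struct Model {
  bool guarded = false;                  // true: release each socket at most once
  std::unordered_map<int, int> refs;     // socket -> refcount of its io source
  std::unordered_set<int> registered;    // sockets whose io source we still own
  std::vector<int> in_flight;            // sockets of transfers not yet finished
  int double_unrefs = 0;                 // releases of an already-released source

  // Stand-in for the socket callback the multi interface invokes.
  void OnSocket(int s, int action) {
    if (action != kPollRemove) return;
    // Guard: forget the socket before anything can re-enter this function.
    if (guarded && registered.erase(s) == 0) return;
    if (--refs[s] < 0) ++double_unrefs;  // a real unref here would free twice
    CancelAll();                         // the failure path cancels everything
  }

  // Stand-in for cancellation: removing a transfer makes the library report
  // kPollRemove for its socket again, re-entering OnSocket.
  void CancelAll() {
    std::vector<int> pending;
    pending.swap(in_flight);             // each transfer is cancelled only once
    for (int s : pending) OnSocket(s, kPollRemove);
  }
};

// One transfer on socket 7 times out; returns how many double releases occurred.
int SimulateTimeout(bool guarded) {
  Model m;
  m.guarded = guarded;
  m.refs[7] = 1;
  m.registered.insert(7);
  m.in_flight.push_back(7);
  m.OnSocket(7, kPollRemove);            // first remove event: socket closed
  return m.double_unrefs;
}

int main() {
  std::printf("unguarded: %d double unref(s)\n", SimulateTimeout(false));
  std::printf("guarded:   %d double unref(s)\n", SimulateTimeout(true));
}
```

The model counts the second release instead of performing it, so it runs cleanly while showing where the real callback would hand an already-released pointer to the allocator.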

@falconindy
Owner

Fixing this seems to involve ripping out the cancellation logic. Working on a patch...

@Jesin
Author

Jesin commented Sep 5, 2020

Thanks. Sorry for vanishing for a few days, but I'm glad to see you fixed it.
