Invalid memory access from OnWritePaddingV1Complete
openips opened this issue · 9 comments
openips commented
The system is OpenWrt ARM64 (BPI R4); the client is https://github.com/klzgrad/naiveproxy/releases/download/naiveproxy-v127.0.6533.64-2-openwrt-aarch64_cortex-a53.tar.xz
It runs normally at first, then exits outright after running for 1-2 days.
The coredump log is as follows:
root@BPI_R4:~# gdb --core core-naive-29757-7 /usr/bin/naive
GNU gdb (GDB) 14.1
Copyright (C) 2023 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "aarch64-openwrt-linux".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/bin/naive...
(No debugging symbols found in /usr/bin/naive)
[New LWP 29757]
[New LWP 29767]
[New LWP 29780]
[New LWP 29775]
Core was generated by `/usr/bin/naive /etc/naiveproxy/config_dc.json'.
Program terminated with signal SIGBUS, Bus error.
#0 0x7fd002ffcfffffff in ?? ()
[Current thread is 1 (LWP 29757)]
(gdb) bt
#0 0x7fd002ffcfffffff in ?? ()
#1 0x0000005557de4fc8 in ?? ()
#2 0x000000300181dc00 in ?? ()
Backtrace stopped: previous frame inner to this frame (corrupt stack?)
(gdb) info sharedlibrary
From To Syms Read Shared Object Library
0x0000005557b50000 0x0000005557b50000 Yes (*) /usr/bin/naive
Yes (*) /lib/libgcc_s.so.1
Yes (*) /lib/ld-musl-aarch64.so.1
(*): Shared library is missing debugging information.
The config file is as follows:
{
"listen": "socks://127.0.0.1:2086",
"proxy": "quic://AAA@BBB.CCC.DDD",
"log": "",
"concurrency": "2"
}
The previous few versions ran into a similar problem too, but never produced a coredump; this time there is a log, so let's see whether it can be resolved.
klzgrad commented
Need the core.
openips commented
Need the core.
How do I do that?
klzgrad commented
Paste core-naive-29757-7 here.
openips commented
core-naive-29757-7.zip
core-naive-29757-7 has been compressed and uploaded.
klzgrad commented
#0 0x7fd002ffcfffffff in ?? ()
#1 0x0000005557de4fc8 in base::OnceCallback<void (int)>::Run(int) && (this=0x30032bfc28, args=-100) at ../../base/functional/callback.h:156
#2 net::NaivePaddingSocket::OnWritePaddingV1Complete (this=0x30032bfbf0, traffic_annotation=..., rv=-100) at ../../net/tools/naive/naive_padding_socket.cc:244
#3 0x0000005557f2fda8 in base::internal::WeakReference::Flag::IsValid (this=0x30026e2070) at ../../base/memory/weak_ptr.cc:39
#4 base::internal::WeakReference::IsValid (this=<optimized out>) at ../../base/memory/weak_ptr.cc:75
#5 base::WeakPtr<net::SpdyProxyClientSocket>::get (this=<optimized out>) at ../../base/memory/weak_ptr.h:275
#6 net::SpdyProxyClientSocket::OnClose (this=0x300181dc00, status=-100) at ../../net/spdy/spdy_proxy_client_socket.cc:587
#7 0x0000005557cabab4 in net::SpdyStream::OnClose (this=0x3004079a00, status=-100) at ../../net/spdy/spdy_stream.cc:585
#8 net::SpdySession::DeleteStream (this=0x30003ac000, stream=..., status=<optimized out>) at ../../net/spdy/spdy_session.cc:2532
#9 0x0000005557cabfc0 in net::SpdySession::CloseActiveStreamIterator (this=0x30003ac000, it=..., status=-100) at ../../net/spdy/spdy_session.cc:1736
#10 0x0000005557c5efe0 in net::SpdySession::StartGoingAway (this=0x30003ac000, last_good_stream_id=0, status=net::ERR_CONNECTION_CLOSED) at ../../net/spdy/spdy_session.cc:1352
#11 0x0000005557c5f3b0 in net::SpdySession::DoDrainSession (this=0x30003ac000, err=net::ERR_CONNECTION_CLOSED, description=...) at ../../net/spdy/spdy_session.cc:2620
#12 net::SpdySession::DoReadComplete (this=0x30003ac000, result=<optimized out>) at ../../net/spdy/spdy_session.cc:1940
#13 net::SpdySession::DoReadLoop (this=0x30003ac000, expected_read_state=<optimized out>, result=<optimized out>) at ../../net/spdy/spdy_session.cc:1874
#14 net::SpdySession::PumpReadLoop (this=0x30003ac000, expected_read_state=<optimized out>, result=<optimized out>) at ../../net/spdy/spdy_session.cc:1850
#15 0x0000005557ca3780 in scoped_refptr<base::internal::BindStateBase>::scoped_refptr (this=<optimized out>, r=...) at ../../base/memory/scoped_refptr.h:257
#16 base::internal::BindStateHolder::BindStateHolder (this=<optimized out>) at ../../base/functional/callback_internal.h:172
#17 base::OnceCallback<void (int)>::Run(int) && (this=0x30006a5638, args=0) at ../../base/functional/callback.h:153
#18 net::SSLClientSocketImpl::DoReadCallback (this=0x30006a5600, rv=0) at ../../net/socket/ssl_client_socket_impl.cc:840
#19 net::SSLClientSocketImpl::RetryAllOperations (this=0x30006a5600) at ../../net/socket/ssl_client_socket_impl.cc:1480
#20 0x0000005557f202f4 in scoped_refptr<base::internal::BindStateBase>::scoped_refptr (r=..., this=<optimized out>) at ../../base/memory/scoped_refptr.h:257
#21 base::internal::BindStateHolder::BindStateHolder (this=<optimized out>) at ../../base/functional/callback_internal.h:172
#22 base::OnceCallback<void (int)>::OnceCallback(base::OnceCallback<void (int)>&&) (this=<optimized out>) at ../../base/functional/callback.h:95
#23 net::TCPClientSocket::DidCompleteRead (this=0x30016e2ad0, result=-100) at ../../net/socket/tcp_client_socket.cc:526
#24 0x0000005557f63064 in net::TCPSocketPosix::ReadIfReadyCompleted(base::OnceCallback<void (int)>, int) (this=0x30016e2ad0, callback=..., rv=-100)
at ../../net/socket/tcp_socket_posix.cc:618
klzgrad commented
0000000000294f10 <net::NaivePaddingSocket::OnWritePaddingV1Complete(net::NetworkTrafficAnnotationTag const&, int)>:
...
294fa8: f9401e75 ldr x21, [x19, #56] ; x21: write_callback_; x19: this
294fac: b900327f str wzr, [x19, #48] ; write_user_payload_len_ = 0;
294fb0: b40002f5 cbz x21, 29500c <net::NaivePaddingSocket::OnWritePaddingV1Complete(net::NetworkTrafficAnnotationTag const&, int)+0xfc> ; CHECK(!holder_.is_null());
294fb4: f9001e7f str xzr, [x19, #56] ; std::move(write_callback_)
294fb8: aa1503e0 mov x0, x21
294fbc: f94006a8 ldr x8, [x21, #8]
294fc0: 2a1403e1 mov w1, w20
->294fc4: d63f0100 blr x8
(gdb) p/x $x0
$44 = 0x30016e2ad0
(gdb) p/d $w1
$43 = -100
(gdb) p/x $x8
$41 = 0x7fd002ffcfffffff
openips commented
Guru, I don't know what I should do.
klzgrad commented
(gdb) p this
$14 = (net::NaivePaddingSocket *) 0x30032bfbf0
(gdb) p *this
$15 = {transport_socket_ = 0x10d8700130000000, padding_type_ = (net::PaddingType::kVariant1 | unknown: 0xcffffffe),
direction_ = (net::kNumDirections | unknown: 0xef278ffc), read_user_buf_ = 0x0, read_user_buf_len_ = 65536, read_callback_ = {holder_ = {bind_state_ = {
ptr_ = 0x0}}}, read_buf_ = {ptr_ = 0x3003d03030}, write_user_payload_len_ = 0, write_callback_ = {holder_ = {bind_state_ = {ptr_ = 0x0}}}, write_buf_ = {
ptr_ = 0x0}, framer_ = {
The NaivePaddingSocket instance is corrupted in its entirety.
This problem is rather difficult; there is no way to reproduce it.
But the core is usable. Keep collecting more cores, and then the problem can be studied further.
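As an added triage helper (not part of this issue thread or of the naiveproxy code), the script below applies the same reasoning as the two gdb analyses above: the `blr x8` target 0x7fd002ffcfffffff and the `transport_socket_` value 0x10d8700130000000 have bits set above bit 47, so they can never be AArch64 user-space addresses, and the enum fields carry undefined bits. It takes the text base 0x5557b50000 from the `info sharedlibrary` output; the text mapping size and the heap range are assumptions not stated in the dump.

```python
"""Flag words from a gdb core-dump session that cannot be live pointers in this process."""
import re

# From the gdb output in this thread: AArch64 Linux user space with 48-bit virtual
# addresses, and /usr/bin/naive mapped from 0x5557b50000.
USER_VA_BITS = 48
TEXT_BASE = 0x5557B50000
TEXT_SIZE = 0x800000                            # assumed text mapping size (not in the dump)
HEAP_RANGE = (0x30_0000_0000, 0x30_FFFF_FFFF)   # assumed from the 0x30... `this=` values


def classify(value: int) -> str:
    """Classify a 64-bit word as null / text / heap / non-canonical / unmapped."""
    if value == 0:
        return "null"
    if value >> USER_VA_BITS:
        # Bits above 47 set: never a user address, so this word is garbage
        # (e.g. the x8 = 0x7fd002ffcfffffff that `blr x8` jumped through).
        return "non-canonical"
    if TEXT_BASE <= value < TEXT_BASE + TEXT_SIZE:
        return "text"
    if HEAP_RANGE[0] <= value <= HEAP_RANGE[1]:
        return "heap"
    return "unmapped"


# Matches `field = 0x...` and `field = (Enum::kValue | unknown: 0x...)` as gdb prints them.
FIELD_RE = re.compile(r"(\w+) = (?:\([^()]*?unknown: (0x[0-9a-f]+)\)|(0x[0-9a-f]+))")


def suspicious_fields(gdb_dump: str) -> dict:
    """Return {field_name: reason} for members of a `p *this` dump that cannot be valid."""
    found = {}
    for name, unknown_bits, ptr in FIELD_RE.findall(gdb_dump):
        if unknown_bits:
            found[name] = f"enum carries undefined bits {unknown_bits}"
        elif classify(int(ptr, 16)) in ("non-canonical", "unmapped"):
            found[name] = f"pointer {ptr} is {classify(int(ptr, 16))}"
    return found


# The `p *this` output quoted in the thread, embedded so the script runs offline.
SAMPLE_DUMP = """$15 = {transport_socket_ = 0x10d8700130000000, padding_type_ = (net::PaddingType::kVariant1 | unknown: 0xcffffffe),
direction_ = (net::kNumDirections | unknown: 0xef278ffc), read_user_buf_ = 0x0, read_user_buf_len_ = 65536, read_callback_ = {holder_ = {bind_state_ = {
ptr_ = 0x0}}}, read_buf_ = {ptr_ = 0x3003d03030}, write_user_payload_len_ = 0, write_callback_ = {holder_ = {bind_state_ = {ptr_ = 0x0}}}, write_buf_ = {
ptr_ = 0x0}, framer_ = {"""

if __name__ == "__main__":
    for field, reason in suspicious_fields(SAMPLE_DUMP).items():
        print(f"{field}: {reason}")
```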
openips commented
OK, I'll upload the next coredump when there is one.