to->pending->tqh_last is 0xFFFFFFFFFFFFFFFF.
I'm debugging tor, and it throws an error at function timeouts_sched.
The version is: release-0.3.2
This is the stack:
tor.exe!timeouts_sched(timeouts * T=0x0000000000517e90, timeout * to=0x0000000003307450, unsigned __int64 expires=2123027) 行 355 C
tor.exe!timeouts_add(timeouts * T=0x0000000000517e90, timeout * to=0x0000000003307450, unsigned __int64 timeout=6290) 行 394 C
tor.exe!timer_schedule(timeout * t=0x0000000003307450, const timeval * tv=0x000000000027dee8) 行 300 C
tor.exe!channelpadding_schedule_padding(channel_s * chan=0x00000000032f7c80, int in_ms=629) 行 478 C
tor.exe!channelpadding_decide_to_pad_channel(channel_s * chan=0x00000000032f7c80) 行 783 C
tor.exe!run_connection_housekeeping(int i=3, __int64 now=1513329560) 行 1132 C
tor.exe!run_scheduled_events(__int64 now=1513329560) 行 1464 C
tor.exe!second_elapsed_callback(periodic_timer_t * timer=0x00000000042a5550, void * arg=0x0000000000000000) 行 2216 C
tor.exe!periodic_timer_cb(__int64 fd=-1, short what=1, void * arg=0x00000000042a5550) 行 187 C
tor.exe!event_persist_closure(event_base * base=0x00000000004e8fa0, event * ev=0x000000000427d200) 行 1532 C
tor.exe!event_process_active_single_queue(event_base * base=0x00000000004e8fa0, evcallback_list * activeq=0x00000000004e8eb0, int max_to_process=2147483647, const timeval * endtime=0x0000000000000000) 行 1591 C
tor.exe!event_process_active(event_base * base=0x00000000004e8fa0) 行 1689 C
tor.exe!event_base_loop(event_base * base=0x00000000004e8fa0, int flags=0) 行 1912 C
tor.exe!run_main_loop_once() 行 2631 C
tor.exe!run_main_loop_until_done() 行 2685 C
tor.exe!do_main_loop() 行 2599 C
tor.exe!tor_main(int argc=1, char * * argv=0x000000000046c850) 行 3780 C
tor.exe!main(int argc=1, char * * argv=0x000000000046c850) 行 34 C
1. Run tor.
2. When it says "Bootstrapped 100%: Done", disable the network.
3. Enable the network.
It will crash.
timeout.c
#if !defined WHEEL_NUM
#define WHEEL_NUM 4
#endif
...
struct timeouts {
    struct timeout_list wheel[WHEEL_NUM][WHEEL_LEN], expired;
    ...
}
In function timeouts_sched,
int wheel, slot;
...
wheel = timeout_wheel(rem);
...
to->pending = &T->wheel[wheel][slot];
If wheel >= WHEEL_NUM, it will crash.
Trac:
Username: sx5486510
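An added example, not part of the original report and not Tor's own code: a simplified model of the wheel selection the report points at, showing the bounds check and saturation that keep the index inside wheel[WHEEL_NUM][WHEEL_LEN]. WHEEL_BIT = 6, the bit-length formula, and the names bit_length, wheel_for, slot_for and REM_MAX are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define WHEEL_NUM 4                     /* value quoted in the report */
#define WHEEL_BIT 6                     /* assumption: 64 slots per wheel */
#define WHEEL_LEN (1U << WHEEL_BIT)
#define REM_MAX ((UINT64_C(1) << (WHEEL_BIT * WHEEL_NUM)) - 1)

/* 1-based position of the highest set bit; 0 when v == 0. */
static int bit_length(uint64_t v) {
    int n = 0;
    while (v) { n++; v >>= 1; }
    return n;
}

/* Wheel index for a remaining time, or -1 when rem is 0 or the index would
 * fall outside wheel[WHEEL_NUM][...]. With clamp set, rem is saturated to
 * REM_MAX first, so every nonzero rem maps to a valid wheel. */
static int wheel_for(uint64_t rem, int clamp) {
    if (rem == 0) return -1;
    if (clamp && rem > REM_MAX) rem = REM_MAX;
    int wheel = (bit_length(rem) - 1) / WHEEL_BIT;
    return wheel < WHEEL_NUM ? wheel : -1;
}

/* Slot inside an already validated wheel; the mask keeps it < WHEEL_LEN. */
static int slot_for(int wheel, uint64_t expires) {
    return (int)((WHEEL_LEN - 1) & ((expires >> (wheel * WHEEL_BIT)) - !!wheel));
}

int main(void) {
    /* First row uses timeout=6290 and expires=2123027 from the stack trace;
     * the other rows are constructed to hit the boundary. */
    const uint64_t rems[] = { 6290, REM_MAX, REM_MAX + 1 };
    const uint64_t expires = 2123027;
    for (size_t i = 0; i < sizeof rems / sizeof rems[0]; i++) {
        int raw = wheel_for(rems[i], 0), sat = wheel_for(rems[i], 1);
        printf("rem=%llu unclamped=%d clamped=%d", (unsigned long long)rems[i], raw, sat);
        if (sat >= 0) printf(" slot=%d", slot_for(sat, expires));
        putchar('\n');
    }
    return 0;
}
```

Rejecting a negative return before indexing turns an out-of-range wheel into a reportable error instead of a write through a pointer outside the array.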