Crash on gc_mark()

Hi,

I am doing a Ruby binding for libnids library
(http://libnids.sourceforge.net)

Libnids uses callback functions which are triggered on packet capture.
Now apparently my binding is working fine, but it is crashing after
capturing for around 5-10 minutes.

Crash looks like this:

[DATA] 192.168.0.49:52071 → 63.245.209.21:80 [SEND: 474] [RECV: 0]
[NEW CONNECTION] 192.168.0.49:55510 → 213.150.45.196:80
examples/tcp.rb:12: [BUG] Segmentation fault
ruby 1.8.4 (2005-12-24) [i686-linux]

A gdb backtrace looks like this:

#0 0xb7d20941 in kill () from /lib/libc.so.6
#1 0xb7d206e5 in raise () from /lib/libc.so.6
#2 0xb7d21a66 in abort () from /lib/libc.so.6
#3 0xb7e9a5dc in rb_bug () from /usr/lib/libruby18.so.1.8
#4 0xb7ebac79 in rb_gc_mark () from /usr/lib/libruby18.so.1.8
#5 0xb7eba862 in rb_mark_tbl () from /usr/lib/libruby18.so.1.8
#6 0xb7f00b6f in st_foreach () from /usr/lib/libruby18.so.1.8
#7 0xb7eba89f in rb_mark_tbl () from /usr/lib/libruby18.so.1.8
#8 0xb7ebab8b in rb_gc_mark () from /usr/lib/libruby18.so.1.8
#9 0xb7eba7a9 in rb_source_filename () from /usr/lib/libruby18.so.1.8
#10 0xb7ebb844 in rb_gc_mark_frame () from /usr/lib/libruby18.so.1.8
#11 0xb7eba3c3 in rb_newobj () from /usr/lib/libruby18.so.1.8
#12 0xb7f00c69 in st_foreach () from /usr/lib/libruby18.so.1.8
#13 0xb7f00cdf in st_foreach () from /usr/lib/libruby18.so.1.8
#14 0xb7f00d71 in rb_str_new () from /usr/lib/libruby18.so.1.8
#15 0xb7f00db3 in rb_str_new2 () from /usr/lib/libruby18.so.1.8
#16 0xb7ecf750 in rb_fix2str () from /usr/lib/libruby18.so.1.8
#17 0xb7ecf7ef in rb_fix2str () from /usr/lib/libruby18.so.1.8
#18 0xb7eb46f3 in rb_throw () from /usr/lib/libruby18.so.1.8
#19 0xb7ea7918 in rb_with_disable_interrupt () from
/usr/lib/libruby18.so.1.8
#20 0xb7ea8214 in rb_with_disable_interrupt () from
/usr/lib/libruby18.so.1.8
#21 0xb7ea854a in rb_apply () from /usr/lib/libruby18.so.1.8
#22 0x000000a1 in ?? ()
#23 0x00000c51 in ?? ()
#24 0x00000000 in ?? ()

Crash occurs on the following extension code:

static void libnids_internal_register_tcp(struct tcp_stream *ts, void
**param)
{
VALUE client_data;
VALUE client_data_offset;
VALUE client_data_len;
VALUE client_data_new_len;
VALUE client_state;
VALUE server_data;
VALUE server_data_offset;
VALUE server_data_len;
VALUE server_data_new_len;
VALUE server_state;
VALUE nids_state;
VALUE src_addr;
VALUE dst_addr;
VALUE src_port;
VALUE dst_port;
VALUE hash;

DEBUG_PRINT(“TCP callback triggered”);

if(rb_object_tcp_cb == (VALUE) NULL) {
DEBUG_PRINT(“TCP callback method not set”);
return;
}

src_addr = rb_str_new2((char*)inet_ntoa(((struct
in_addr
)&(ts->addr.saddr))));
dst_addr = rb_str_new2((char*)inet_ntoa(((struct
in_addr
)&(ts->addr.daddr))));
src_port = INT2FIX(ts->addr.source);
dst_port = INT2FIX(ts->addr.dest);

client_data = rb_str_new2(“”);
server_data = rb_str_new2(“”);
client_data_offset = INT2FIX(0);
client_data_len = INT2FIX(0);
client_data_new_len = INT2FIX(0);
server_data_offset = INT2FIX(0);
server_data_len = INT2FIX(0);
server_data_new_len = INT2FIX(0);

nids_state = INT2FIX(ts->nids_state);

switch(ts->nids_state) {
case NIDS_JUST_EST:
ts->client.collect++;
ts->server.collect++;
break;

  case NIDS_DATA:
     client_data = rb_str_cat(client_data, ts->client.data,

ts->client.count);
client_data_offset = INT2FIX(ts->client.offset);
client_data_len = INT2FIX(ts->client.count);
client_data_new_len = INT2FIX(ts->client.count_new);

     server_data = rb_str_cat(server_data, ts->server.data,

ts->server.count);
server_data_offset = INT2FIX(ts->server.offset);
server_data_len = INT2FIX(ts->server.count);
server_data_new_len = INT2FIX(ts->server.count_new);

     break;

  default:
     DEBUG_PRINT("Unknown nids state from TCP callback");
     return;

}

hash = rb_hash_new();

rb_hash_aset(hash, rb_str_new2(“saddress”), src_addr);
rb_hash_aset(hash, rb_str_new2(“daddress”), dst_addr);
rb_hash_aset(hash, rb_str_new2(“sport”), src_port);
rb_hash_aset(hash, rb_str_new2(“dport”), dst_port);
rb_hash_aset(hash, rb_str_new2(“nids_state”), nids_state);
rb_hash_aset(hash, rb_str_new2(“client_state”), client_state);
rb_hash_aset(hash, rb_str_new2(“client_data”), client_data);
rb_hash_aset(hash, rb_str_new2(“client_data_offset”),
client_data_offset);
rb_hash_aset(hash, rb_str_new2(“client_data_len”), client_data_len);
rb_hash_aset(hash, rb_str_new2(“client_data_new_len”),
client_data_new_len);
rb_hash_aset(hash, rb_str_new2(“server_state”), server_state);
rb_hash_aset(hash, rb_str_new2(“server_data”), server_data);
rb_hash_aset(hash, rb_str_new2(“server_data_offset”),
server_data_offset);
rb_hash_aset(hash, rb_str_new2(“server_data_len”), server_data_len);
rb_hash_aset(hash, rb_str_new2(“server_data_new_len”),
server_data_new_len);

rb_funcall(rb_cObject, rb_intern(“send”),
2,
rb_object_tcp_cb,
hash);

//DEBUG_PRINT(“Invoking garbage collector”);
//rb_funcall(rb_mGC, rb_intern(“start”), 0);

return;
}

Amazingly if I uncomment the last two lines in the above function and
let the garbage collector to run then ruby is aborted immediately with
the following result:

compaq ruby-libnids # ruby examples/tcp.rb
[NEW CONNECTION] 192.168.0.49:54346 → 216.239.63.19:443
[DATA] 192.168.0.49:54346 → 216.239.63.19:443 [SEND: 120] [RECV: 0]
examples/tcp.rb:22: [BUG] rb_gc_mark(): unknown data type
0x2f(0x8078b28) non object
ruby 1.8.4 (2005-12-24) [i686-linux]

Aborted

I am quite new to ruby extension development, so I think I might be
doing something wrong.
Some pointers will be useful.

Thanks,

abhisek

Hi,

In message “Re: [ruby-dev:29372] Crash on gc_mark()”
on Fri, 1 Sep 2006 16:16:50 +0900, “Abhisek Datta”
[email protected] writes:

|Libnids uses callback functions which are triggered on packet capture.
|Now apparently my binding is working fine, but it is crashing after
|capturing for around 5-10 minutes.
|
|Crash looks like this:

You haven’t initialized local variables client_state and server_state,
so that hash refers uninitialized non-object garbage. That’s the
reason why GC crashed.

						matz.