In buffer.c: for (chain = buf->first; remaining >= chain->off; chain = next) { next = chain->next; remaining -= chain->off; if (chain == *buf->last_with_datap) { buf->last_with_datap = &buf->first; } if (&chain->next == buf->last_with_datap) buf->last_with_datap = &buf->first; if (CHAIN_PINNED_R(chain)) { EVUTIL_ASSERT(remaining == 0); chain->misalign += chain->off; chain->off = 0; break; } else evbuffer_chain_free(chain); } This line, "remaining >= chain->off", causes a segmentation fault.
Program terminated with signal 11, Segmentation fault. #0 evbuffer_drain (buf=0x97baed8, len=900) at buffer.c:983 983 remaining >= chain->off; (gdb) bt #0 evbuffer_drain (buf=0x97baed8, len=900) at buffer.c:983 #1 0xb734a7d7 in evbuffer_write_atmost (buffer=0x97baed8, fd=10, howmuch=16384) at buffer.c:2375 #2 0xb734cf4a in bufferevent_writecb (fd=10, event=4, arg=0x97bad78) at bufferevent_sock.c:261 #3 0xb7344580 in event_process_active_single_queue (base=0x902bd20, flags=<value optimized out>) at event.c:1346 #4 event_process_active (base=0x902bd20, flags=<value optimized out>) at event.c:1416 #5 event_base_loop (base=0x902bd20, flags=<value optimized out>) at event.c:1617 #6 0xb73451a5 in event_base_dispatch (event_base=0x902bd20) at event.c:1446 #7 0x0804fda8 in start_ipcclient (ipcclient=0xbffc6060, protocol_node=0x93ed69c) at ipcclient.c:504 #8 0x0804a1f2 in main (argc=5, argv=0xbffc6134) at main.c:232 (gdb) p *buf $1 = {first = 0x97bab70, last = 0x97ba350, last_with_datap = 0x97baed8, total_len = 60, n_add_for_cb = 0, n_del_for_cb = 0, lock = 0x0, own_lock = 0, freeze_start = 0, freeze_end = 0, deferred_cbs = 0, flags = 1, cb_queue = 0x0, refcnt = 1, deferred = {cb_next = {tqe_next = 0x0, tqe_prev = 0x0}, queued = 0, cb = 0, arg = 0x0}, callbacks = {tqh_first = 0x9721bc8, tqh_last = 0x9721bc8}, parent = 0x97bad78} (gdb) p *buf->first $2 = {next = 0x9a080e8, buffer_len = 159097672, misalign = 0, off = 0, flags = 0, buffer = 0x97bab88 "sasipc\001"} (gdb) p *buf->first->next $3 = {next = 0x0, buffer_len = 295009, misalign = 163680152, off = 159099752, flags = 0, buffer = 0x0} (gdb) p remaining $4 = 0 Look at this line: for (chain = buf->first; remaining >= chain->off; chain = next) If next is NULL, then on the following iteration chain is NULL and the loop condition evaluates chain->off through a null pointer, so the program necessarily crashes with a segmentation fault. Is this a bug?