Issue information

Issue ID
#4856
Status
Fixed
Severity
Critical
Started
Hercules Elf Bot
Apr 8, 2011 18:47
Last Post
Hercules Elf Bot
Apr 8, 2011 18:47
Confirmation
N/A

Hercules Elf Bot - Apr 8, 2011 18:47

Originally posted by Ai4rei
http://www.eathena.ws/board/index.php?autocom=bugtracker&showbug=4856

Originally reported in Map server crash

In an environment where the amount of simultaneously connected clients approaches FD_SETSIZE, a memory corruption occurs due to a yet unknown reason. To reproduce with sane dimensions (how it is currently being done):
  • Compile the servers with shortlists enabled (default) and FD_SETSIZE=1024 (Windows); also tested with Debian, where the system FD_SETSIZE is also around this value.
  • Start up the server and connect 1000 clients.
  • Disconnect all clients at once.
  • The server fatal errors on select (Windows, "socket functions used on something, that is not a socket") or segfaults in send_shortlist_do_sends due to an invalid fd used with session[] (Linux).


Workarounds:
Workaround for this issue is currently to increase FD_SETSIZE or disable SEND_SHORTLIST.

Cause:
The defect is in send_shortlist_do_sends on line:
Code:
    memset(send_shortlist_set, 0, sizeof(send_shortlist_set));

This wipes all bits that indicate that a fd is already on the list. While this would work if the list was not changed through send_shortlist_add_fd until send_shortlist_do_sends exits, calls to a socket's func_send can cause set_eof, which adds fds to the shortlist. send_shortlist_add_fd does not recognize that the fd is potentially still in the array and thus adds a copy of it. This way send_shortlist_array grows until it overflows FD_SETSIZE, starting to corrupt the memory around it and, depending on the platform, causing other side effects.

Possibly Related Bugreports:
bugreport:4646
bugreport:3504
bugreport:2475

This post has been edited by Ai4rei: Apr 8 2011, 08:33 PM
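The report above describes a bookkeeping invariant that breaks: the bitset is supposed to say "this fd is already in the array", but the up-front memset clears it while the array still holds every fd, so a re-entrant add from set_eof appends a duplicate and the array grows past its capacity. The following is an added, constructed C model of that pattern (not eAthena's or Hercules's code); names such as `struct shortlist`, `sl_add`, `do_sends_buggy`, `do_sends_hardened`, `send_and_eof` and `simulate` are assumptions for the demo, and the capacity check in `sl_add` replaces the out-of-bounds write with a counter so the growth can be observed instead of corrupting memory. The hardened variant pairs the bitset reset with emptying the array, so the two can never disagree.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a send shortlist: an fd array plus a bitset that is
 * meant to record "this fd is already in the array". Kept tiny so the
 * growth shows within a few ticks. fds must lie in [0, DEMO_FD_SETSIZE). */
#define DEMO_FD_SETSIZE 8

struct shortlist {
    int array[DEMO_FD_SETSIZE];
    int count;
    uint32_t set[(DEMO_FD_SETSIZE + 31) / 32];
    int refused;   /* appends refused because the array was already full */
};

static bool sl_has(const struct shortlist *sl, int fd)
{
    return (sl->set[fd / 32] >> (fd % 32)) & 1u;
}

/* Add-fd logic as the report describes it: trust the bitset, append if the
 * bit is clear. The capacity check is ours; without it the append would
 * land past the end of the array, which is the corruption in the report. */
static void sl_add(struct shortlist *sl, int fd)
{
    if (sl_has(sl, fd))
        return;
    sl->set[fd / 32] |= 1u << (fd % 32);
    if (sl->count >= DEMO_FD_SETSIZE) {
        sl->refused++;
        return;
    }
    sl->array[sl->count++] = fd;
}

/* Stand-in for func_send on a session whose peer disconnected: the send
 * fails, set_eof runs, and set_eof puts the fd back on the shortlist. */
static void send_and_eof(struct shortlist *sl, int fd)
{
    sl_add(sl, fd);
}

/* Buggy shape: wipe every "already listed" bit while the array still holds
 * all fds, then walk the array. The re-add from set_eof sees a clear bit and
 * appends a second copy of an fd that is still in the array. */
static void do_sends_buggy(struct shortlist *sl)
{
    int i = 0;
    memset(sl->set, 0, sizeof sl->set);
    while (i < sl->count)
        send_and_eof(sl, sl->array[i++]);
}

/* Hardened shape: move the pending fds aside and empty array and bitset
 * together, so the bitset stays truthful and a re-entrant add during the
 * pass lands once on a fresh list for the next tick. */
static void do_sends_hardened(struct shortlist *sl)
{
    int pending[DEMO_FD_SETSIZE];
    int n = sl->count, i;
    memcpy(pending, sl->array, (size_t)n * sizeof pending[0]);
    sl->count = 0;
    memset(sl->set, 0, sizeof sl->set);
    for (i = 0; i < n; i++)
        send_and_eof(sl, pending[i]);
}

/* Invariant check: no fd appears twice, every listed fd has its bit set,
 * and the number of set bits equals the array length. */
static bool sl_consistent(const struct shortlist *sl)
{
    int seen[DEMO_FD_SETSIZE] = {0}, i, fd, bits = 0;
    for (i = 0; i < sl->count; i++)
        if (seen[sl->array[i]]++ || !sl_has(sl, sl->array[i]))
            return false;
    for (fd = 0; fd < DEMO_FD_SETSIZE; fd++)
        bits += sl_has(sl, fd);
    return bits == sl->count;
}

/* Run `ticks` passes with `nfds` dead clients on the list. Returns the tick
 * at which the first append would have gone past the array, or 0 if none. */
static int simulate(void (*do_sends)(struct shortlist *), int nfds, int ticks)
{
    struct shortlist sl;
    int fd, t;
    memset(&sl, 0, sizeof sl);
    for (fd = 0; fd < nfds; fd++)
        sl_add(&sl, fd);
    for (t = 1; t <= ticks; t++) {
        do_sends(&sl);
        if (sl.refused)
            return t;
    }
    return 0;
}

/* Whether the list still satisfies the invariant after one pass. */
static bool consistent_after_one_tick(void (*do_sends)(struct shortlist *), int nfds)
{
    struct shortlist sl;
    int fd;
    memset(&sl, 0, sizeof sl);
    for (fd = 0; fd < nfds; fd++)
        sl_add(&sl, fd);
    do_sends(&sl);
    return sl_consistent(&sl);
}

int main(void)
{
    printf("buggy: overflow at tick %d\n", simulate(do_sends_buggy, 4, 100));
    printf("hardened: overflow at tick %d\n", simulate(do_sends_hardened, 4, 100));
    return 0;
}
```

With four disconnected clients and a capacity of eight, the buggy pass doubles the list on the first tick and refuses the first append on the second; the hardened pass keeps the list at four entries indefinitely, which is the bound the bitset was supposed to enforce.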