Issue Information
- #004856
- 5 - Critical
- Fixed
Issue Confirmations
- Yes (0) / No (0)
Originally posted by Ai4rei
http://www.eathena.w...er&showbug=4856
Originally reported in Map server crash
In an environment where the number of simultaneously connected clients approaches FD_SETSIZE, a memory corruption occurs for a reason that is as yet unknown. To reproduce with sane dimensions (how it is currently being done):
- Compile the servers with shortlists enabled (default) and FD_SETSIZE=1024 (Windows); also tested on Debian, where the system FD_SETSIZE is also around this value.
- Start up the server and connect 1000 clients.
- Disconnect all clients at once.
- The server fatal-errors on select (Windows, "socket functions used on something, that is not a socket") or segfaults in send_shortlist_do_sends due to an invalid fd being used with session[] (Linux).
Workarounds:
Workaround for this issue is currently to increase FD_SETSIZE or disable SEND_SHORTLIST.
Cause:
The defect is in send_shortlist_do_sends on line:
```c
memset(send_shortlist_set, 0, sizeof(send_shortlist_set));
```
This wipes all bits that indicate that an fd is already on the list. This would work if the list were not changed through send_shortlist_add_fd until send_shortlist_do_sends exits, but calls to a socket's func_send can cause set_eof, which adds fds to the shortlist. send_shortlist_add_fd does not recognize that the fd is potentially still in the array, and thus adds a copy of it. This way send_shortlist_array grows until it overflows FD_SETSIZE, corrupting the surrounding memory and, depending on the platform, causing other side effects.
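The defect described above, modelled as an added C example (not eAthena code): the shortlist is reduced to a flag-per-fd table plus an fd array; `DEMO_FD_SETSIZE`, `fake_send_with_eof` and `run_scenario` are constructed stand-ins, and a bounds check counts the writes that would run past the array instead of performing them. The buggy pass wipes the flags wholesale as the quoted memset() does; the alternative clears no flag while its entry is still queued, which is the invariant the bug breaks.

```c
#include <string.h>

#define DEMO_FD_SETSIZE 8   /* constructed: a tiny table so the overflow is easy to follow */

/* Model of the shortlist: a per-fd "already queued" flag plus the array of queued fds.
 * eAthena packs the flags into a bitset; one byte per fd keeps the demo short. */
static unsigned char shortlist_set[DEMO_FD_SETSIZE];
static int shortlist_array[DEMO_FD_SETSIZE];
static int shortlist_count;
static int overflow_attempts;   /* adds that would have written past the array */

static int overflow_attempt_count(void) { return overflow_attempts; }

static void shortlist_reset(void) {
    memset(shortlist_set, 0, sizeof(shortlist_set));
    shortlist_count = 0;
    overflow_attempts = 0;
}

/* Same contract as send_shortlist_add_fd: an fd whose flag is set is skipped.
 * The bounds check is added so the demo counts, rather than performs, the
 * out-of-bounds writes the report describes. */
static void shortlist_add_fd(int fd) {
    if (shortlist_set[fd]) return;
    if (shortlist_count >= DEMO_FD_SETSIZE) { overflow_attempts++; return; }
    shortlist_set[fd] = 1;
    shortlist_array[shortlist_count++] = fd;
}

/* Constructed stand-in for func_send failing on a closed socket: set_eof re-queues the fd. */
static void fake_send_with_eof(int fd) { shortlist_add_fd(fd); }

/* One pass with the reported wholesale wipe. Entries stay queued (still pending),
 * so every re-add during the pass appends a copy of an fd still in the array. */
static int do_sends_wipe(void) {
    int i, n = shortlist_count;
    memset(shortlist_set, 0, sizeof(shortlist_set));   /* the quoted line */
    for (i = 0; i < n; i++) fake_send_with_eof(shortlist_array[i]);
    return shortlist_count;
}

/* Same pass keeping the invariant "flag set <=> fd in array": a flag is only
 * cleared when its entry leaves the array, so the re-add is seen as a duplicate. */
static int do_sends_keep_flags(void) {
    int i, n = shortlist_count;
    for (i = 0; i < n; i++) fake_send_with_eof(shortlist_array[i]);
    return shortlist_count;
}

/* Queue fds 1..3, run `passes` passes of the chosen variant, return the final count. */
static int run_scenario(int wipe, int passes) {
    shortlist_reset();
    shortlist_add_fd(1); shortlist_add_fd(2); shortlist_add_fd(3);
    while (passes-- > 0) (void)(wipe ? do_sends_wipe() : do_sends_keep_flags());
    return shortlist_count;
}
```

With the wipe, three queued fds become six after one pass and the array is full with two rejected writes after two; without it the count stays at three.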
Possibly Related Bugreports:
bugreport:4646
bugreport:3504
bugreport:2475
This post has been edited by Ai4rei: Apr 8 2011, 08:33 PM