curl / Mailing Lists / curl-library / Single Mail


Access violation in Curl_hash_add

From: Jake Fehr (jfehr) <>
Date: Thu, 8 Dec 2016 23:27:47 +0000

Hi there,

We are getting crash reports in the field that are pointing to Curl_hash_add. This is a portion of the stack trace:

xxx!Curl_hash_add+0x38 [c:\code\curl-7.51.0\lib\hash.c @ 140]
000007fe`f970d5a4 : 000007fe`f971b944 00000000`092b3570 00000000`000001bb 00000000`03131cb0 : xxx!conncache_add_bundle+0x26 [c:\code\curl-7.51.0\lib\conncache.c @ 168]
000007fe`f96e762d : 00000000`0b3eaa00 00000000`0904fdf0 00000000`01a3f448 00000000`0d2eb940 : xxx!Curl_conncache_add_conn+0x84 [c:\code\curl-7.51.0\lib\conncache.c @ 219]
000007fe`f96e7759 : 0009b460`00000000 00000000`0d2eb950 00000000`01a3f4f8 000007fe`00000000 : xxx!create_conn+0x8bd [c:\code\curl-7.51.0\lib\url.c @ 6246]
000007fe`f96e9825 : 00000000`0d2eb940 00000000`01a3f530 00000000`00000000 000007fe`f96e93f5 : xxx!Curl_connect+0x29 [c:\code\curl-7.51.0\lib\url.c @ 6393]
000007fe`f96ea40e : 00000000`0b0c5e70 0009b460`00015b73 00000000`00000000 00000000`00000000 : xxx!multi_runsingle+0x265 [c:\code\curl-7.51.0\lib\multi.c @ 1422]
000007fe`f96dd3a1 : 0009b460`00015b73 00000000`00000000 0009b460`00015b73 000007fe`f96e90b2 : xxx!curl_multi_perform+0x4e [c:\code\curl-7.51.0\lib\multi.c @ 2139]
000007fe`f96dd4de : 00000000`0d2eb940 00000000`00000000 00000000`00000000 00000000`00000000 : xxx!easy_transfer+0xb1 [c:\code\curl-7.51.0\lib\easy.c @ 700]
000007fe`f96cbce0 : 00000000`09b8fe48 00000000`09b8fbe0 00000000`0d2eb940 00000000`016814a0 : xxx!easy_perform+0xde [c:\code\curl-7.51.0\lib\easy.c @ 787]
000007fe`f96c9684 : 01d24fe9`394051a9 00000000`09b8fbe0 00000000`09b98090 00000000`00000000 : xxx!_re+0x520 [c:\code\s\cl.c @ 200]

These are the registers and disassembled code at the time of the crash:

0:056> .ecxr
rax=0000000000000001 rbx=000000000b3eaa00 rcx=0000000003131cfe
rdx=0000000000000001 rsi=000000000000001e rdi=000000000b0c5f30
rip=000007fef96f53c8 rsp=0000000001a3f320 rbp=0000000003131ce0
r8=0000000000000003  r9=0000000003131cfe r10=000000000904fdf0
r11=000007fef96a0000 r12=0000000000000000 r13=000000000904fdf0
r14=0000000000000000 r15=0000000000000000

call    qword ptr [rdi+8]
mov     r10,qword ptr [rdi]
mov     r12,qword ptr [r10+rax*8]
mov     rbx,qword ptr [r12]

This is the code for Curl_hash_add and the FETCH_LIST macro:

#define FETCH_LIST(x,y,z) x->table[x->hash_func(y, z, x->slots)]

void *
Curl_hash_add(struct curl_hash *h, void *key, size_t key_len, void *p)
  struct curl_hash_element *he;
  struct curl_llist_element *le;
  struct curl_llist *l = FETCH_LIST (h, key, key_len); <-- crash in FETCH_LIST here

  for(le = l->head; le; le = le->next) {
    he = (struct curl_hash_element *) le->ptr;
    if(h->comp_func(he->key, he->key_len, key, key_len)) {
      Curl_llist_remove(l, le, (void *)h);

  he = mk_hash_element(key, key_len, p);
  if(he) {
    if(Curl_llist_insert_next(l, l->tail, he)) {
      return p; /* return the new entry */
     * Couldn't insert it, destroy the 'he' element and the key again. We
     * don't call hash_element_dtor() since that would also call the
     * "destructor" for the actual data 'p'. When we fail, we shall not touch
     * that data.

  return NULL; /* failure */

It looks like the crash is happening in the macro when the assembled code (mov     r12,qword ptr [r10+rax*8]) tries to load the pointer for x->hash_func.

We noticed the same crash in 7.50.1 and 7.51. I’m not sure when this may have been introduced. We jumped from 7.3x to 7.50.1 so it may exist in 7.4x variants as well.

Any thoughts on what might be causing this?

Our use of Curl is pretty straightforward:

1. Call curl_easy_init()

2. Make (and check the result of) several calls to curl_easy_setopt(), setting up proxy, url, port, ssl, etc.

3. Call curl_easy_perform()

I can provide the code if needed.


List admin:
Received on 2016-12-09