Segmentation fault in tr_isTorrent

Dimerson
Posts: 3
Joined: Wed Apr 24, 2019 8:32 am

Segmentation fault in tr_isTorrent

Post by Dimerson »

Hello.

I have a transmission-daemon (2.94-2) on debian testing.
I noticed that when there is not enough free space on the hard drive, the added torrent starts loading and after a while it stops as there is not enough free space. After deleting this torrent (and data), the partially downloaded file (.part) is not deleted and the transmission daemon crashes (1-3 minutes after deleting).

For the test, I tried the nightly build transmission-master-r3d9fd25269.tar.xz - it’s all the same.

Here:
"preallocation" : 1
"rename-partial-files": true

Backtrace from core file:

Code:

warning: core file may not match specified executable file.
[New LWP 32512]
[New LWP 32514]
[New LWP 32510]
[New LWP 32511]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
Core was generated by `/usr/bin/transmission-daemon -f --log-error'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x004d2569 in tr_isTorrent (tor=0x4002) at torrent.h:334
334	    return tor != NULL && tor->magicNumber == TORRENT_MAGIC_NUMBER && tr_isSession(tor->session);
[Current thread is 1 (Thread 0xb6544b40 (LWP 32512))]
#0  0x004d2569 in tr_isTorrent (tor=0x4002) at torrent.h:334
#1  0x004d540f in tr_torrentInfo (tor=0x4002) at torrent.c:1249
#2  0x004fef5e in tr_torrentHasMetadata (tor=0x4002) at transmission.h:1641
#3  0x004ff023 in tr_cpHasAll (cp=0xaffab83c) at completion.h:84
#4  0x004ffb4c in tr_cpMissingBlocksInPiece (cp=0xaffab83c, piece=727) at completion.c:242
#5  0x004fe0bc in tr_cpPieceIsComplete (cp=0xaffab83c, i=727) at completion.h:106
#6  0x004fe0ed in tr_torrentPieceIsComplete (tor=0xaffab650, i=727) at torrent.h:417
#7  0x004fe1dc in getBlockRun (cache=0xb50d70, pos=0, info=0x706859e0) at cache.c:104
#8  0x004fe2af in calcRuns (cache=0xb50d70, runs=0x706859e0) at cache.c:140
#9  0x004fecee in tr_cacheFlushDone (cache=0xb50d70) at cache.c:407
#10 0x004cb1e7 in onSaveTimer (foo=-1, bar=1, vsession=0xb508e0) at session.c:569
#11 0xb7f49b7b in ?? () from /lib/i386-linux-gnu/libevent-2.1.so.6
#12 0xb7f4a3b1 in event_base_loop () from /lib/i386-linux-gnu/libevent-2.1.so.6
#13 0xb7f4a60a in event_base_dispatch () from /lib/i386-linux-gnu/libevent-2.1.so.6
#14 0x004e273c in libeventThreadFunc (veh=0xb50da0) at trevent.c:263
#15 0x004c83a3 in ThreadFunc (_t=0xb39ce0) at platform.c:104
#16 0xb7946fd2 in start_thread (arg=<optimized out>) at pthread_create.c:486
#17 0xb785a286 in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:108
#0  0x004d2569 in tr_isTorrent (tor=0x4002) at torrent.h:334
No locals.
#1  0x004d540f in tr_torrentInfo (tor=0x4002) at torrent.c:1249
No locals.
#2  0x004fef5e in tr_torrentHasMetadata (tor=0x4002) at transmission.h:1641
No locals.
#3  0x004ff023 in tr_cpHasAll (cp=0xaffab83c) at completion.h:84
No locals.
#4  0x004ffb4c in tr_cpMissingBlocksInPiece (cp=0xaffab83c, piece=727) at completion.c:242
No locals.
#5  0x004fe0bc in tr_cpPieceIsComplete (cp=0xaffab83c, i=727) at completion.h:106
No locals.
#6  0x004fe0ed in tr_torrentPieceIsComplete (tor=0xaffab650, i=727) at torrent.h:417
No locals.
#7  0x004fe1dc in getBlockRun (cache=0xb50d70, pos=0, info=0x706859e0) at cache.c:104
        b = 0x8d90e330
        n = 24962
        blocks = 0x78c39840
        ref = 0x90d59cd0
        block = 186368
        len = 256
#8  0x004fe2af in calcRuns (cache=0xb50d70, runs=0x706859e0) at cache.c:140
        rank = 5123043
        pos = 0
        n = 24962
        i = 0
        now = 1556101290
#9  0x004fecee in tr_cacheFlushDone (cache=0xb50d70) at cache.c:407
        i = 0
        n = 5704304
        runs = 0x706859e0
        err = 0
#10 0x004cb1e7 in onSaveTimer (foo=-1, bar=1, vsession=0xb508e0) at session.c:569
        tor = 0x0
        session = 0xb508e0
#11 0xb7f49b7b in ?? () from /lib/i386-linux-gnu/libevent-2.1.so.6
No symbol table info available.
#12 0xb7f4a3b1 in event_base_loop () from /lib/i386-linux-gnu/libevent-2.1.so.6
No symbol table info available.
#13 0xb7f4a60a in event_base_dispatch () from /lib/i386-linux-gnu/libevent-2.1.so.6
No symbol table info available.
#14 0x004e273c in libeventThreadFunc (veh=0xb50da0) at trevent.c:263
        base = 0xb5c00600
        eh = 0xb50da0
#15 0x004c83a3 in ThreadFunc (_t=0xb39ce0) at platform.c:104
        t = 0xb39ce0
#16 0xb7946fd2 in start_thread (arg=<optimized out>) at pthread_create.c:486
        ret = <optimized out>
        start = <optimized out>
        pd = <optimized out>
        now = <optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {-1214914560, -1235989696, -1214914560, -1235992152, 1683784966, -469611259}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}}
        not_first_call = 0
#17 0xb785a286 in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:108
No locals.

Thread 4 (Thread 0xb6d45b40 (LWP 32511)):
#0  0xb7fcbd71 in __kernel_vsyscall ()
No symbol table info available.
#1  0xb79514f7 in __libc_read (nbytes=4, buf=0xb6d450cc, fd=3) at ../sysdeps/unix/sysv/linux/read.c:26
        resultvar = <optimized out>
        resultvar = <optimized out>
        sc_cancel_oldtype = 0
        sc_ret = <optimized out>
        sc_ret = <optimized out>
        sc_ret = <optimized out>
        __value = <optimized out>
        resultvar = <optimized out>
        resultvar = <optimized out>
        sc_cancel_oldtype = <optimized out>
        resultvar = <optimized out>
        resultvar = <optimized out>
#2  __libc_read (fd=3, buf=0xb6d450cc, nbytes=4) at ../sysdeps/unix/sysv/linux/read.c:24
        sc_ret = <optimized out>
        __value = <optimized out>
        resultvar = <optimized out>
        resultvar = <optimized out>
        sc_cancel_oldtype = <optimized out>
        resultvar = <optimized out>
        resultvar = <optimized out>
#3  0x004c6ee0 in signal_handler_thread_main (arg=0x0) at daemon-posix.c:79
        sig = -1216811168
#4  0xb7946fd2 in start_thread (arg=<optimized out>) at pthread_create.c:486
        ret = <optimized out>
        start = <optimized out>
        pd = <optimized out>
        now = <optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {-1214914560, -1227596992, -1214914560, -1227599448, 1685882119, -469611259}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}}
        not_first_call = 0
#5  0xb785a286 in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:108
No locals.

Thread 3 (Thread 0xb6d47240 (LWP 32510)):
#0  0xb7fcbd71 in __kernel_vsyscall ()
No symbol table info available.
#1  0xb785a6b3 in epoll_wait (epfd=5, events=0xb50750, maxevents=32, timeout=999) at ../sysdeps/unix/sysv/linux/epoll_wait.c:30
No locals.
#2  0xb7f54b70 in ?? () from /lib/i386-linux-gnu/libevent-2.1.so.6
No symbol table info available.
#3  0xb7f4a1ee in event_base_loop () from /lib/i386-linux-gnu/libevent-2.1.so.6
No symbol table info available.
#4  0xb7f4a60a in event_base_dispatch () from /lib/i386-linux-gnu/libevent-2.1.so.6
No symbol table info available.
#5  0x004c6951 in daemon_start (raw_arg=0xbfe0b774, foreground=true) at daemon.c:752
        boolVal = true
        pid_filename = 0x0
        pidfile_created = false
        session = 0xb508e0
        status_ev = 0xb4d910
        watchdir = 0x0
        arg = 0xbfe0b774
        settings = 0xbfe0b774
        configDir = 0xb4d7a0 "/var/lib/transmission-daemon/.config/transmission-daemon"
#6  0x004c71d4 in dtr_daemon (cb=0xbfe0b760, cb_arg=0xbfe0b774, foreground=true, exit_code=0xbfe0b76c, error=0xbfe0b75c) at daemon-posix.c:220
        signal_thread = 3067370304
#7  0x004c6d0e in main (argc=3, argv=0xbfe0b864) at daemon.c:868
        data = {settings = {type = 8 '\b', key = 3219175320, val = {b = false, d = 1.6975966340370259e-312, i = 343597383936, s = {type = (unknown: 256), quark = 80, len = 11854656, str = {buf = '\000' <repeats 15 times>, str = 0x0}}, l = {alloc = 256, count = 80, vals = 0xb4e340}}}, configDir = 0xb4d7a0 "/var/lib/transmission-daemon/.config/transmission-daemon", paused = false}
        foreground = true
        ret = 1
        cb = {on_start = 0x4c6356 <daemon_start>, on_stop = 0x4c6329 <daemon_stop>, on_reconfigure = 0x4c61ea <daemon_reconfigure>}
        error = 0x0

Thread 2 (Thread 0xb0cffb40 (LWP 32514)):
#0  0xb7fcbd71 in __kernel_vsyscall ()
No symbol table info available.
#1  0xb7852903 in __GI___select (timeout=0xb0cff024, exceptfds=0xb0cfef90, writefds=0xb0cfef10, readfds=0xb0cfee90, nfds=0) at ../sysdeps/unix/sysv/linux/select.c:41
        resultvar = <optimized out>
        resultvar = <optimized out>
        sc_cancel_oldtype = 0
        sc_ret = <optimized out>
        sc_ret = <optimized out>
        sc_ret = <optimized out>
        __value = <optimized out>
        resultvar = <optimized out>
        resultvar = <optimized out>
        sc_cancel_oldtype = <optimized out>
        resultvar = <optimized out>
        resultvar = <optimized out>
#2  __GI___select (nfds=0, readfds=0xb0cfee90, writefds=0xb0cfef10, exceptfds=0xb0cfef90, timeout=0xb0cff024) at ../sysdeps/unix/sysv/linux/select.c:37
        sc_ret = <optimized out>
        __value = <optimized out>
        resultvar = <optimized out>
        resultvar = <optimized out>
        sc_cancel_oldtype = <optimized out>
        resultvar = <optimized out>
        resultvar = <optimized out>
#3  0x004eed51 in tr_select (nfds=0, r_fd_set=0xb0cfee90, w_fd_set=0xb0cfef10, c_fd_set=0xb0cfef90, t=0xb0cff024) at web.c:356
No locals.
#4  0x004ef1eb in tr_webThreadFunc (vsession=0xb508e0) at web.c:494
        usec = 200000
        r_fd_set = {__fds_bits = {0 <repeats 32 times>}}
        max_fd = -1
        t = {tv_sec = 0, tv_usec = 148177}
        w_fd_set = {__fds_bits = {0 <repeats 32 times>}}
        c_fd_set = {__fds_bits = {0 <repeats 32 times>}}
        msec = 200
        unused = 0
        msg = 0x0
        mcode = CURLM_OK
        str = 0xb030c7b0 "`\004\061\260\200\004\060\260/transmission-daemon/.config/transmission-daemon/cookies.txt"
        multi = 0xb030e400
        web = 0xb030fde0
        taskCount = 0
        task = 0x758012f0
        session = 0xb508e0
#5  0x004c83a3 in ThreadFunc (_t=0xb339c500) at platform.c:104
        t = 0xb339c500
#6  0xb7946fd2 in start_thread (arg=<optimized out>) at pthread_create.c:486
        ret = <optimized out>
        start = <optimized out>
        pd = <optimized out>
        now = <optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {-1214914560, -1328547008, -1214914560, -1328549464, 1396475147, -469611259}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}}
        not_first_call = 0
#7  0xb785a286 in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:108
No locals.

Thread 1 (Thread 0xb6544b40 (LWP 32512)):
#0  0x004d2569 in tr_isTorrent (tor=0x4002) at torrent.h:334
No locals.
#1  0x004d540f in tr_torrentInfo (tor=0x4002) at torrent.c:1249
No locals.
#2  0x004fef5e in tr_torrentHasMetadata (tor=0x4002) at transmission.h:1641
No locals.
#3  0x004ff023 in tr_cpHasAll (cp=0xaffab83c) at completion.h:84
No locals.
#4  0x004ffb4c in tr_cpMissingBlocksInPiece (cp=0xaffab83c, piece=727) at completion.c:242
No locals.
#5  0x004fe0bc in tr_cpPieceIsComplete (cp=0xaffab83c, i=727) at completion.h:106
No locals.
#6  0x004fe0ed in tr_torrentPieceIsComplete (tor=0xaffab650, i=727) at torrent.h:417
No locals.
#7  0x004fe1dc in getBlockRun (cache=0xb50d70, pos=0, info=0x706859e0) at cache.c:104
        b = 0x8d90e330
        n = 24962
        blocks = 0x78c39840
        ref = 0x90d59cd0
        block = 186368
        len = 256
#8  0x004fe2af in calcRuns (cache=0xb50d70, runs=0x706859e0) at cache.c:140
        rank = 5123043
        pos = 0
        n = 24962
        i = 0
        now = 1556101290
#9  0x004fecee in tr_cacheFlushDone (cache=0xb50d70) at cache.c:407
        i = 0
        n = 5704304
        runs = 0x706859e0
        err = 0
#10 0x004cb1e7 in onSaveTimer (foo=-1, bar=1, vsession=0xb508e0) at session.c:569
        tor = 0x0
        session = 0xb508e0
#11 0xb7f49b7b in ?? () from /lib/i386-linux-gnu/libevent-2.1.so.6
No symbol table info available.
#12 0xb7f4a3b1 in event_base_loop () from /lib/i386-linux-gnu/libevent-2.1.so.6
No symbol table info available.
#13 0xb7f4a60a in event_base_dispatch () from /lib/i386-linux-gnu/libevent-2.1.so.6
No symbol table info available.
#14 0x004e273c in libeventThreadFunc (veh=0xb50da0) at trevent.c:263
        base = 0xb5c00600
        eh = 0xb50da0
#15 0x004c83a3 in ThreadFunc (_t=0xb39ce0) at platform.c:104
        t = 0xb39ce0
#16 0xb7946fd2 in start_thread (arg=<optimized out>) at pthread_create.c:486
        ret = <optimized out>
        start = <optimized out>
        pd = <optimized out>
        now = <optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {-1214914560, -1235989696, -1214914560, -1235992152, 1683784966, -469611259}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}}
        not_first_call = 0
#17 0xb785a286 in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:108
No locals.

Any way to remove this problem? TIA.
mike.dld
Transmission Developer
Posts: 306
Joined: Wed Dec 25, 2013 10:56 pm

Re: Segmentation fault in tr_isTorrent

Post by mike.dld »

Since you seem to be building Transmission from sources, and if you're using a recent enough compiler, try adding `-fsanitize=address` to your CFLAGS and reproducing this again.
Dimerson
Posts: 3
Joined: Wed Apr 24, 2019 8:32 am

Re: Segmentation fault in tr_isTorrent

Post by Dimerson »

Thanks for the answer.

I rebuilt the nightly build with 'fsanitize=address'.

When trying to download a torrent, which obviously does not have enough disk space, the transmission-daemon process froze. The partially downloaded file was not written to disk. No .part file there. After 10+ minutes of waiting, I used kill -KILL to stop transmission-daemon.

In the log file I see the following:

Code:

Apr 25 13:46:08 server transmission-daemon [19340]: == 19340 == AddressSanitizer's allocator is terminating the process of returning 0
Apr 25 13:46:08 server transmission-daemon [19340]: == 19340 == If you don’t like this behavior set allocator_may_return_null = 1
Apr 25 13:46:08 server transmission-daemon [19340]: == 19340 == AddressSanitizer CHECK failed: ../../../../src/libsanitizer/sanitizer_common/sanitizer_allocator.c:216 "(( 0))! = (0) "(0x0, 0x0)
Apr 25 13:46:08 server transmission-daemon [19340]: == 19340 == AddressSanitizer's allocator is terminating the process of returning 0
Apr 25 13:46:08 server transmission-daemon [19340]: == 19340 == If you don’t like this behavior set allocator_may_return_null = 1
Apr 25 13:46:08 server transmission-daemon [19340]: == 19340 == AddressSanitizer CHECK failed: ../../../../src/libsanitizer/sanitizer_common/sanitizer_allocator.c:216 "(( 0))! = (0) "(0x0, 0x0)
Apr 25 14:04:37 server systemd [1]: transmission-daemon.service: Main process exited, code = killed, status = 9 / KILL
Apr 25 14:04:37 server systemd [1]: transmission-daemon.service: Failed with result 'signal'.

Maybe the problem is here?

Code:

static void tr_torrentDeleteLocalData(tr_torrent* tor, tr_fileFunc func)
{
    TR_ASSERT(tr_isTorrent(tor));

    if (func == NULL)
    {
        func = tr_sys_path_remove;
    }

    /* close all the files because we're about to delete them */
    tr_cacheFlushTorrent(tor->session->cache, tor);
    tr_fdTorrentClose(tor->session, tor->uniqueId);

    deleteLocalData(tor, func);
}
mike.dld
Transmission Developer
Posts: 306
Joined: Wed Dec 25, 2013 10:56 pm

Re: Segmentation fault in tr_isTorrent

Post by mike.dld »

The idea was to reproduce the issue; sending SIGKILL means you weren't able to do that. If you were to succeed, AddressSanitizer would print some helpful information. Please try a few more times if possible.
Dimerson
Posts: 3
Joined: Wed Apr 24, 2019 8:32 am

Re: Segmentation fault in tr_isTorrent

Post by Dimerson »

OK.

ASAN_OPTIONS=allocator_may_return_null=1 (without it no extra info)

Log files:

Code:

==3470==ERROR: AddressSanitizer: heap-use-after-free on address 0xa8a5b66c at pc 0x00525caa bp 0xb1ffec38 sp 0xb1ffec2c
READ of size 4 at 0xa8a5b66c thread T2
    #0 0x525ca9 in tr_cpHasAll /home/dima/transmission/nightly-testing-001/transmission-2.94+/libtransmission/completion.h:84
    #1 0x5285a8 in tr_cpMissingBlocksInPiece /home/dima/transmission/nightly-testing-001/transmission-2.94+/libtransmission/completion.c:242
    #2 0x5231dc in tr_cpPieceIsComplete /home/dima/transmission/nightly-testing-001/transmission-2.94+/libtransmission/completion.h:106
    #3 0x52320d in tr_torrentPieceIsComplete /home/dima/transmission/nightly-testing-001/transmission-2.94+/libtransmission/torrent.h:417
    #4 0x52355c in getBlockRun /home/dima/transmission/nightly-testing-001/transmission-2.94+/libtransmission/cache.c:104
    #5 0x52383b in calcRuns /home/dima/transmission/nightly-testing-001/transmission-2.94+/libtransmission/cache.c:140
    #6 0x525351 in tr_cacheFlushDone /home/dima/transmission/nightly-testing-001/transmission-2.94+/libtransmission/cache.c:407
    #7 0x499eba in onSaveTimer /home/dima/transmission/nightly-testing-001/transmission-2.94+/libtransmission/session.c:569
    #8 0xb78eeb7a  (/lib/i386-linux-gnu/libevent-2.1.so.6+0x20b7a)
    #9 0xb78ef3b0 in event_base_loop (/lib/i386-linux-gnu/libevent-2.1.so.6+0x213b0)
    #10 0xb78ef609 in event_base_dispatch (/lib/i386-linux-gnu/libevent-2.1.so.6+0x21609)
    #11 0x4d6f09 in libeventThreadFunc /home/dima/transmission/nightly-testing-001/transmission-2.94+/libtransmission/trevent.c:263
    #12 0x494423 in ThreadFunc /home/dima/transmission/nightly-testing-001/transmission-2.94+/libtransmission/platform.c:104
    #13 0xb7996320  (/lib/i386-linux-gnu/libasan.so.5+0x4a320)
    #14 0xb72e9fd1 in start_thread /build/glibc-XJ8bty/glibc-2.28/nptl/pthread_create.c:486
    #15 0xb71ff285 in __clone (/lib/i386-linux-gnu/libc.so.6+0xfa285)

0xa8a5b66c is located 492 bytes inside of 2268-byte region [0xa8a5b480,0xa8a5bd5c)
freed by thread T2 here:
    #0 0xb7a37254 in free (/lib/i386-linux-gnu/libasan.so.5+0xeb254)
    #1 0x4d7cbd in tr_free /home/dima/transmission/nightly-testing-001/transmission-2.94+/libtransmission/utils.c:152
    #2 0x4b7eec in freeTorrent /home/dima/transmission/nightly-testing-001/transmission-2.94+/libtransmission/torrent.c:1747
    #3 0x4b998e in closeTorrent /home/dima/transmission/nightly-testing-001/transmission-2.94+/libtransmission/torrent.c:2086
    #4 0x4b9c6a in removeTorrent /home/dima/transmission/nightly-testing-001/transmission-2.94+/libtransmission/torrent.c:2127
    #5 0x4d77a8 in tr_runInEventThread /home/dima/transmission/nightly-testing-001/transmission-2.94+/libtransmission/trevent.c:335
    #6 0x4b9e3e in tr_torrentRemove /home/dima/transmission/nightly-testing-001/transmission-2.94+/libtransmission/torrent.c:2143
    #7 0x59e1fb in torrentRemove /home/dima/transmission/nightly-testing-001/transmission-2.94+/libtransmission/rpcimpl.c:346
    #8 0x5ab4b9 in tr_rpc_request_exec_json /home/dima/transmission/nightly-testing-001/transmission-2.94+/libtransmission/rpcimpl.c:2647
    #9 0x58036c in handle_rpc_from_json /home/dima/transmission/nightly-testing-001/transmission-2.94+/libtransmission/rpc-server.c:504
    #10 0x5804e9 in handle_rpc /home/dima/transmission/nightly-testing-001/transmission-2.94+/libtransmission/rpc-server.c:516
    #11 0x58160d in handle_request /home/dima/transmission/nightly-testing-001/transmission-2.94+/libtransmission/rpc-server.c:746
    #12 0xb790d747  (/lib/i386-linux-gnu/libevent-2.1.so.6+0x3f747)

previously allocated by thread T2 here:
    #0 0xb7a37794 in calloc (/lib/i386-linux-gnu/libasan.so.5+0xeb794)
    #1 0x4d7c3a in tr_malloc0 /home/dima/transmission/nightly-testing-001/transmission-2.94+/libtransmission/utils.c:133
    #2 0x4b211f in tr_torrentNew /home/dima/transmission/nightly-testing-001/transmission-2.94+/libtransmission/torrent.c:1155
    #3 0x4a2b08 in sessionLoadTorrents /home/dima/transmission/nightly-testing-001/transmission-2.94+/libtransmission/session.c:2148
    #4 0x4d69e5 in readFromPipe /home/dima/transmission/nightly-testing-001/transmission-2.94+/libtransmission/trevent.c:201
    #5 0xb78ee91a  (/lib/i386-linux-gnu/libevent-2.1.so.6+0x2091a)

Thread T2 created by T0 here:
    #0 0xb7a1fb50 in pthread_create (/lib/i386-linux-gnu/libasan.so.5+0xd3b50)
    #1 0x4944f4 in tr_threadNew /home/dima/transmission/nightly-testing-001/transmission-2.94+/libtransmission/platform.c:131
    #2 0x4d71fe in tr_eventInit /home/dima/transmission/nightly-testing-001/transmission-2.94+/libtransmission/trevent.c:289
    #3 0x49a35e in tr_sessionInit /home/dima/transmission/nightly-testing-001/transmission-2.94+/libtransmission/session.c:628
    #4 0x48f864 in daemon_start /home/dima/transmission/nightly-testing-001/transmission-2.94+/daemon/daemon.c:644
    #5 0x491844 in dtr_daemon /home/dima/transmission/nightly-testing-001/transmission-2.94+/daemon/daemon-posix.c:220
    #6 0x490c22 in main /home/dima/transmission/nightly-testing-001/transmission-2.94+/daemon/daemon.c:868
    #7 0xb711fb40 in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-use-after-free /home/dima/transmission/nightly-testing-001/transmission-2.94+/libtransmission/completion.h:84 in tr_cpHasAll
Shadow bytes around the buggy address:
  0x3514b670: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3514b680: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3514b690: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x3514b6a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x3514b6b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x3514b6c0: fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd
  0x3514b6d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x3514b6e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x3514b6f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x3514b700: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x3514b710: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==3470==ABORTING

Hope this can help to find some problems here.
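
The AddressSanitizer report above shows the cache flush on the save timer reading a torrent that removeTorrent had already freed. The following is an added example, not Transmission's code and not from any poster, that models this lifetime pattern: cached blocks hold a raw pointer to their owner, and removal must drop them even when the write fails. All struct and function names are hypothetical, and the idea that a failed write on a full disk is what leaves entries behind is an assumption the thread does not confirm.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical model types; none of these names come from Transmission. */
struct torrent { int id; };
struct block { struct torrent *tor; bool used; };
#define CACHE_SLOTS 8
struct cache { struct block slot[CACHE_SLOTS]; };

static void cache_add(struct cache *c, struct torrent *t)
{
    for (int i = 0; i < CACHE_SLOTS; i++) {
        if (!c->slot[i].used) {
            c->slot[i].tor = t;
            c->slot[i].used = true;
            return;
        }
    }
}

/* Stand-in for the disk write (assumption: it fails when the disk is full). */
static bool write_block(const struct block *b, bool disk_full)
{
    (void)b;
    return !disk_full;
}

/* Fragile: gives up on the first write error, so the remaining
 * blocks stay cached and keep pointing at t. */
static int flush_fragile(struct cache *c, struct torrent *t, bool disk_full)
{
    for (int i = 0; i < CACHE_SLOTS; i++) {
        struct block *b = &c->slot[i];
        if (!b->used || b->tor != t) continue;
        if (!write_block(b, disk_full)) return -1;
        b->used = false;
        b->tor = NULL;
    }
    return 0;
}

/* Hardened: the owner is about to be freed, so every block that
 * references it is dropped whether or not the write succeeded. */
static int purge_for_removal(struct cache *c, struct torrent *t, bool disk_full)
{
    int err = 0;
    for (int i = 0; i < CACHE_SLOTS; i++) {
        struct block *b = &c->slot[i];
        if (!b->used || b->tor != t) continue;
        if (!write_block(b, disk_full)) err = -1;
        b->used = false;
        b->tor = NULL;
    }
    return err;
}

/* Returns how many cache entries still reference the torrent at the
 * moment it is freed; counted before free(), nothing is dereferenced. */
static int stale_refs_after_remove(bool hardened, bool disk_full)
{
    struct cache c = {0};
    struct torrent *t = malloc(sizeof *t);
    int stale = 0;
    if (t == NULL) return -1;
    t->id = 1;
    for (int i = 0; i < 3; i++) cache_add(&c, t);
    if (hardened) purge_for_removal(&c, t, disk_full);
    else flush_fragile(&c, t, disk_full);
    for (int i = 0; i < CACHE_SLOTS; i++)
        if (c.slot[i].used && c.slot[i].tor == t) stale++;
    free(t);
    return stale;
}

int main(void)
{
    printf("fragile, disk full:  %d stale\n", stale_refs_after_remove(false, true));
    printf("hardened, disk full: %d stale\n", stale_refs_after_remove(true, true));
    return 0;
}
```

Any non-zero count in the fragile case is an entry that a later timer-driven flush would dereference after the free, which is the access pattern the report flags in tr_cpHasAll.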