Bug #2493

closed

UnixStreamFace::processErrorCode invalid read when app with active FaceMonitor quits

Added by Junxiao Shi over 10 years ago. Updated almost 10 years ago.

Status: Rejected
Priority: Normal
Assignee: -
Category: Faces
Target version:
Start date:
Due date:
% Done: 0%
Estimated time:

Description

NFD commit:0d6d036e4f0a504c856453788808794c122adfaf on Ubuntu 12.04

Snippet to reproduce:

// g++ --std=c++0x x.cpp `pkg-config --cflags --libs libndn-cxx`

#include <ndn-cxx/management/nfd-face-monitor.hpp>

int main()
{
  ndn::Face face;

  ndn::nfd::FaceMonitor facemon(face);
  facemon.onNotification.connect(std::bind([]{}));
  facemon.start();

  face.processEvents();
  return 0;
}

Steps to reproduce:

  1. console A: sudo valgrind nfd, wait until initialization completes
  2. console B: ./a.out (the binary compiled from snippet above)
  3. wait 5~20 seconds
  4. console B: press CTRL+C

Actual: valgrind complains

==7938== Invalid read of size 8
==7938==    at 0x5DCA60: std::__shared_ptr<boost::asio::basic_stream_socket<boost::asio::local::stream_protocol, boost::asio::stream_socket_service<boost::asio::local::stream_protocol> >, (__gnu_cxx::_Lock_policy)2>::operator->() const (shared_ptr_base.h:945)
==7938==    by 0x5DD9AE: nfd::StreamFace<boost::asio::local::stream_protocol, nfd::LocalFace>::processErrorCode(boost::system::error_code const&) (stream-face.hpp:215)
==7938==    by 0x5E0163: nfd::StreamFace<boost::asio::local::stream_protocol, nfd::LocalFace>::handleSend(boost::system::error_code const&, unsigned long) (stream-face.hpp:253)

Note: This error occurs only for the first time when a.out is terminated. If a.out is started again and then terminated, the error won't appear again.

Expected: no such error


Files

nohup.out (57.4 KB) - full valgrind log - Junxiao Shi, 02/08/2015 12:22 PM

Actions #1

Updated by Lan Wang over 10 years ago

  • Assignee set to Vince Lehman
Actions #2

Updated by Davide Pesavento over 10 years ago

Is this still relevant after #2489?

Actions #3

Updated by Junxiao Shi over 10 years ago

  • Subject changed from UnixStreamFace::processErrorCode invalid read when RIB daemon quits to UnixStreamFace::processErrorCode invalid read when app with active FaceMonitor quits
  • Description updated (diff)
  • Target version changed from v0.3 to v0.4

This bug still exists, although it's impossible to reproduce with the original steps. I've updated the steps.

Actions #4

Updated by Davide Pesavento over 10 years ago

  • Status changed from New to In Progress
  • Assignee changed from Vince Lehman to Davide Pesavento
  • Start date deleted (02/08/2015)

Confirmed with ASan.

Actions #5

Updated by Alex Afanasyev over 10 years ago

By "confirmed", do you mean the error still appears, or that the error is no longer reproducible?

Actions #6

Updated by Davide Pesavento over 10 years ago

The existence of the bug is confirmed.

==27264==ERROR: AddressSanitizer: heap-use-after-free on address 0x62500006e2a0 at pc 0x6b1538 bp 0x7fffa2c80470 sp 0x7fffa2c80460
READ of size 8 at 0x62500006e2a0 thread T0
    #0 0x6b1537 in std::__shared_ptr<boost::asio::basic_stream_socket<boost::asio::local::stream_protocol, boost::asio::stream_socket_service<boost::asio::local::stream_protocol> >, (__gnu_cxx::_Lock_policy)2>::operator->() const /usr/include/c++/4.9/bits/shared_ptr_base.h:1048
    #1 0x6b1537 in nfd::StreamFace<boost::asio::local::stream_protocol, nfd::LocalFace>::processErrorCode(boost::system::error_code const&) ../daemon/face/stream-face.hpp:215
    #2 0x6b6e66 in nfd::StreamFace<boost::asio::local::stream_protocol, nfd::LocalFace>::handleSend(boost::system::error_code const&, unsigned long) ../daemon/face/stream-face.hpp:253
    #3 0x6b89af in operator()<const boost::system::error_code&, long unsigned int const&, void> /usr/include/c++/4.9/functional:569
    #4 0x6b89af in __call<void, const boost::system::error_code&, long unsigned int const&, 0ul, 1ul, 2ul> /usr/include/c++/4.9/functional:1264
    #5 0x6b89af in operator()<const boost::system::error_code&, long unsigned int const&, void> /usr/include/c++/4.9/functional:1323
    #6 0x6b89af in boost::asio::detail::write_op<boost::asio::basic_stream_socket<boost::asio::local::stream_protocol, boost::asio::stream_socket_service<boost::asio::local::stream_protocol> >, boost::asio::const_buffers_1, boost::asio::detail::transfer_all_t, std::_Bind<std::_Mem_fn<void (nfd::StreamFace<boost::asio::local::stream_protocol, nfd::LocalFace>::*)(boost::system::error_code const&, unsigned long)> (nfd::StreamFace<boost::asio::local::stream_protocol, nfd::LocalFace>*, std::_Placeholder<1>, std::_Placeholder<2>)> >::operator()(boost::system::error_code const&, unsigned long, int) /usr/include/boost/asio/impl/write.hpp:345
    #7 0x6b89af in boost::asio::detail::binder2<boost::asio::detail::write_op<boost::asio::basic_stream_socket<boost::asio::local::stream_protocol, boost::asio::stream_socket_service<boost::asio::local::stream_protocol> >, boost::asio::const_buffers_1, boost::asio::detail::transfer_all_t, std::_Bind<std::_Mem_fn<void (nfd::StreamFace<boost::asio::local::stream_protocol, nfd::LocalFace>::*)(boost::system::error_code const&, unsigned long)> (nfd::StreamFace<boost::asio::local::stream_protocol, nfd::LocalFace>*, std::_Placeholder<1>, std::_Placeholder<2>)> >, boost::system::error_code, unsigned long>::operator()() /usr/include/boost/asio/detail/bind_handler.hpp:127
    #8 0x6b89af in asio_handler_invoke<boost::asio::detail::binder2<boost::asio::detail::write_op<boost::asio::basic_stream_socket<boost::asio::local::stream_protocol>, boost::asio::const_buffers_1, boost::asio::detail::transfer_all_t, std::_Bind<std::_Mem_fn<void (nfd::StreamFace<boost::asio::local::stream_protocol, nfd::LocalFace>::*)(const boost::system::error_code&, long unsigned int)>(nfd::StreamFace<boost::asio::local::stream_protocol, nfd::LocalFace>*, std::_Placeholder<1>, std::_Placeholder<2>)> >, boost::system::error_code, long unsigned int> > /usr/include/boost/asio/handler_invoke_hook.hpp:69
    #9 0x6b89af in invoke<boost::asio::detail::binder2<boost::asio::detail::write_op<boost::asio::basic_stream_socket<boost::asio::local::stream_protocol>, boost::asio::const_buffers_1, boost::asio::detail::transfer_all_t, std::_Bind<std::_Mem_fn<void (nfd::StreamFace<boost::asio::local::stream_protocol, nfd::LocalFace>::*)(const boost::system::error_code&, long unsigned int)>(nfd::StreamFace<boost::asio::local::stream_protocol, nfd::LocalFace>*, std::_Placeholder<1>, std::_Placeholder<2>)> >, boost::system::error_code, long unsigned int>, std::_Bind<std::_Mem_fn<void (nfd::StreamFace<boost::asio::local::stream_protocol, nfd::LocalFace>::*)(const boost::system::error_code&, long unsigned int)>(nfd::StreamFace<boost::asio::local::stream_protocol, nfd::LocalFace>*, std::_Placeholder<1>, std::_Placeholder<2>)> > /usr/include/boost/asio/detail/handler_invoke_helpers.hpp:37
    #10 0x6b89af in asio_handler_invoke<boost::asio::detail::binder2<boost::asio::detail::write_op<boost::asio::basic_stream_socket<boost::asio::local::stream_protocol>, boost::asio::const_buffers_1, boost::asio::detail::transfer_all_t, std::_Bind<std::_Mem_fn<void (nfd::StreamFace<boost::asio::local::stream_protocol, nfd::LocalFace>::*)(const boost::system::error_code&, long unsigned int)>(nfd::StreamFace<boost::asio::local::stream_protocol, nfd::LocalFace>*, std::_Placeholder<1>, std::_Placeholder<2>)> >, boost::system::error_code, long unsigned int>, boost::asio::basic_stream_socket<boost::asio::local::stream_protocol>, boost::asio::const_buffers_1, boost::asio::detail::transfer_all_t, std::_Bind<std::_Mem_fn<void (nfd::StreamFace<boost::asio::local::stream_protocol, nfd::LocalFace>::*)(const boost::system::error_code&, long unsigned int)>(nfd::StreamFace<boost::asio::local::stream_protocol, nfd::LocalFace>*, std::_Placeholder<1>, std::_Placeholder<2>)> > /usr/include/boost/asio/impl/write.hpp:565
    #11 0x6b89af in invoke<boost::asio::detail::binder2<boost::asio::detail::write_op<boost::asio::basic_stream_socket<boost::asio::local::stream_protocol>, boost::asio::const_buffers_1, boost::asio::detail::transfer_all_t, std::_Bind<std::_Mem_fn<void (nfd::StreamFace<boost::asio::local::stream_protocol, nfd::LocalFace>::*)(const boost::system::error_code&, long unsigned int)>(nfd::StreamFace<boost::asio::local::stream_protocol, nfd::LocalFace>*, std::_Placeholder<1>, std::_Placeholder<2>)> >, boost::system::error_code, long unsigned int>, boost::asio::detail::write_op<boost::asio::basic_stream_socket<boost::asio::local::stream_protocol>, boost::asio::const_buffers_1, boost::asio::detail::transfer_all_t, std::_Bind<std::_Mem_fn<void (nfd::StreamFace<boost::asio::local::stream_protocol, nfd::LocalFace>::*)(const boost::system::error_code&, long unsigned int)>(nfd::StreamFace<boost::asio::local::stream_protocol, nfd::LocalFace>*, std::_Placeholder<1>, std::_Placeholder<2>)> > > /usr/include/boost/asio/detail/handler_invoke_helpers.hpp:37
    #12 0x6b89af in boost::asio::detail::reactive_socket_send_op<boost::asio::const_buffers_1, boost::asio::detail::write_op<boost::asio::basic_stream_socket<boost::asio::local::stream_protocol, boost::asio::stream_socket_service<boost::asio::local::stream_protocol> >, boost::asio::const_buffers_1, boost::asio::detail::transfer_all_t, std::_Bind<std::_Mem_fn<void (nfd::StreamFace<boost::asio::local::stream_protocol, nfd::LocalFace>::*)(boost::system::error_code const&, unsigned long)> (nfd::StreamFace<boost::asio::local::stream_protocol, nfd::LocalFace>*, std::_Placeholder<1>, std::_Placeholder<2>)> > >::do_complete(boost::asio::detail::task_io_service*, boost::asio::detail::task_io_service_operation*, boost::system::error_code const&, unsigned long) /usr/include/boost/asio/detail/reactive_socket_send_op.hpp:107
    #13 0x45be22 in boost::asio::detail::task_io_service::run(boost::system::error_code&) (/home/davide/NFD/build/bin/nfd+0x45be22)
    #14 0x4614da in nfd::NfdRunner::run() (/home/davide/NFD/build/bin/nfd+0x4614da)
    #15 0x44af2a in main ../daemon/main.cpp:294
    #16 0x7fca5c40eec4 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
    #17 0x44a64b (/home/davide/NFD/build/bin/nfd+0x44a64b)

0x62500006e2a0 is located 416 bytes inside of 9320-byte region [0x62500006e100,0x625000070568)
freed by thread T0 here:
    #0 0x7fca5ee0763f in operator delete(void*) (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5863f)
    #1 0x6a3c3e in __gnu_cxx::new_allocator<std::_Sp_counted_ptr_inplace<nfd::UnixStreamFace, std::allocator<nfd::UnixStreamFace>, (__gnu_cxx::_Lock_policy)2> >::deallocate(std::_Sp_counted_ptr_inplace<nfd::UnixStreamFace, std::allocator<nfd::UnixStreamFace>, (__gnu_cxx::_Lock_policy)2>*, unsigned long) /usr/include/c++/4.9/ext/new_allocator.h:110
    #2 0x6a3c3e in std::allocator_traits<std::allocator<std::_Sp_counted_ptr_inplace<nfd::UnixStreamFace, std::allocator<nfd::UnixStreamFace>, (__gnu_cxx::_Lock_policy)2> > >::deallocate(std::allocator<std::_Sp_counted_ptr_inplace<nfd::UnixStreamFace, std::allocator<nfd::UnixStreamFace>, (__gnu_cxx::_Lock_policy)2> >&, std::_Sp_counted_ptr_inplace<nfd::UnixStreamFace, std::allocator<nfd::UnixStreamFace>, (__gnu_cxx::_Lock_policy)2>*, unsigned long) /usr/include/c++/4.9/bits/alloc_traits.h:383
    #3 0x6a3c3e in std::_Sp_counted_ptr_inplace<nfd::UnixStreamFace, std::allocator<nfd::UnixStreamFace>, (__gnu_cxx::_Lock_policy)2>::_M_destroy() /usr/include/c++/4.9/bits/shared_ptr_base.h:535

previously allocated by thread T0 here:
    #0 0x7fca5ee0713f in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5813f)
    #1 0x69e60d in __gnu_cxx::new_allocator<std::_Sp_counted_ptr_inplace<nfd::UnixStreamFace, std::allocator<nfd::UnixStreamFace>, (__gnu_cxx::_Lock_policy)2> >::allocate(unsigned long, void const*) /usr/include/c++/4.9/ext/new_allocator.h:104
    #2 0x69e60d in std::allocator_traits<std::allocator<std::_Sp_counted_ptr_inplace<nfd::UnixStreamFace, std::allocator<nfd::UnixStreamFace>, (__gnu_cxx::_Lock_policy)2> > >::allocate(std::allocator<std::_Sp_counted_ptr_inplace<nfd::UnixStreamFace, std::allocator<nfd::UnixStreamFace>, (__gnu_cxx::_Lock_policy)2> >&, unsigned long) /usr/include/c++/4.9/bits/alloc_traits.h:357
    #3 0x69e60d in __shared_count<nfd::UnixStreamFace, std::allocator<nfd::UnixStreamFace>, const std::shared_ptr<boost::asio::basic_stream_socket<boost::asio::local::stream_protocol, boost::asio::stream_socket_service<boost::asio::local::stream_protocol> > >&> /usr/include/c++/4.9/bits/shared_ptr_base.h:616
    #4 0x69e60d in __shared_ptr<std::allocator<nfd::UnixStreamFace>, const std::shared_ptr<boost::asio::basic_stream_socket<boost::asio::local::stream_protocol, boost::asio::stream_socket_service<boost::asio::local::stream_protocol> > >&> /usr/include/c++/4.9/bits/shared_ptr_base.h:1090
    #5 0x69e60d in shared_ptr<std::allocator<nfd::UnixStreamFace>, const std::shared_ptr<boost::asio::basic_stream_socket<boost::asio::local::stream_protocol, boost::asio::stream_socket_service<boost::asio::local::stream_protocol> > >&> /usr/include/c++/4.9/bits/shared_ptr.h:316
    #6 0x69e60d in allocate_shared<nfd::UnixStreamFace, std::allocator<nfd::UnixStreamFace>, const std::shared_ptr<boost::asio::basic_stream_socket<boost::asio::local::stream_protocol, boost::asio::stream_socket_service<boost::asio::local::stream_protocol> > >&> /usr/include/c++/4.9/bits/shared_ptr.h:588
    #7 0x69e60d in make_shared<nfd::UnixStreamFace, const std::shared_ptr<boost::asio::basic_stream_socket<boost::asio::local::stream_protocol, boost::asio::stream_socket_service<boost::asio::local::stream_protocol> > >&> /usr/include/c++/4.9/bits/shared_ptr.h:604
    #8 0x69e60d in nfd::UnixStreamChannel::handleSuccessfulAccept(boost::system::error_code const&, std::shared_ptr<boost::asio::basic_stream_socket<boost::asio::local::stream_protocol, boost::asio::stream_socket_service<boost::asio::local::stream_protocol> > > const&, std::function<void (std::shared_ptr<nfd::Face> const&)> const&, std::function<void (std::string const&)> const&) ../daemon/face/unix-stream-channel.cpp:145
    #9 0x6aa401 in boost::_mfi::mf4<void, nfd::UnixStreamChannel, boost::system::error_code const&, std::shared_ptr<boost::asio::basic_stream_socket<boost::asio::local::stream_protocol, boost::asio::stream_socket_service<boost::asio::local::stream_protocol> > > const&, std::function<void (std::shared_ptr<nfd::Face> const&)> const&, std::function<void (std::string const&)> const&>::operator()(nfd::UnixStreamChannel*, boost::system::error_code const&, std::shared_ptr<boost::asio::basic_stream_socket<boost::asio::local::stream_protocol, boost::asio::stream_socket_service<boost::asio::local::stream_protocol> > > const&, std::function<void (std::shared_ptr<nfd::Face> const&)> const&, std::function<void (std::string const&)> const&) const /usr/include/boost/bind/mem_fn_template.hpp:506
    #10 0x6aa401 in operator()<boost::_mfi::mf4<void, nfd::UnixStreamChannel, const boost::system::error_code&, const std::shared_ptr<boost::asio::basic_stream_socket<boost::asio::local::stream_protocol> >&, const std::function<void(const std::shared_ptr<nfd::Face>&)>&, const std::function<void(const std::basic_string<char>&)>&>, boost::_bi::list1<const boost::system::error_code&> > /usr/include/boost/bind/bind.hpp:525
    #11 0x6aa401 in operator()<boost::system::error_code> /usr/include/boost/bind/bind_template.hpp:47
    #12 0x6aa401 in boost::asio::detail::binder1<boost::_bi::bind_t<void, boost::_mfi::mf4<void, nfd::UnixStreamChannel, boost::system::error_code const&, std::shared_ptr<boost::asio::basic_stream_socket<boost::asio::local::stream_protocol, boost::asio::stream_socket_service<boost::asio::local::stream_protocol> > > const&, std::function<void (std::shared_ptr<nfd::Face> const&)> const&, std::function<void (std::string const&)> const&>, boost::_bi::list5<boost::_bi::value<nfd::UnixStreamChannel*>, boost::arg<1> (*)(), boost::_bi::value<std::shared_ptr<boost::asio::basic_stream_socket<boost::asio::local::stream_protocol, boost::asio::stream_socket_service<boost::asio::local::stream_protocol> > > >, boost::_bi::value<std::function<void (std::shared_ptr<nfd::Face> const&)> >, boost::_bi::value<std::function<void (std::string const&)> > > >, boost::system::error_code>::operator()() /usr/include/boost/asio/detail/bind_handler.hpp:47
    #13 0x6aa401 in asio_handler_invoke<boost::asio::detail::binder1<boost::_bi::bind_t<void, boost::_mfi::mf4<void, nfd::UnixStreamChannel, const boost::system::error_code&, const std::shared_ptr<boost::asio::basic_stream_socket<boost::asio::local::stream_protocol> >&, const std::function<void(const std::shared_ptr<nfd::Face>&)>&, const std::function<void(const std::basic_string<char>&)>&>, boost::_bi::list5<boost::_bi::value<nfd::UnixStreamChannel*>, boost::arg<1> (*)(), boost::_bi::value<std::shared_ptr<boost::asio::basic_stream_socket<boost::asio::local::stream_protocol> > >, boost::_bi::value<std::function<void(const std::shared_ptr<nfd::Face>&)> >, boost::_bi::value<std::function<void(const std::basic_string<char>&)> > > >, boost::system::error_code> > /usr/include/boost/asio/handler_invoke_hook.hpp:69
    #14 0x6aa401 in invoke<boost::asio::detail::binder1<boost::_bi::bind_t<void, boost::_mfi::mf4<void, nfd::UnixStreamChannel, const boost::system::error_code&, const std::shared_ptr<boost::asio::basic_stream_socket<boost::asio::local::stream_protocol> >&, const std::function<void(const std::shared_ptr<nfd::Face>&)>&, const std::function<void(const std::basic_string<char>&)>&>, boost::_bi::list5<boost::_bi::value<nfd::UnixStreamChannel*>, boost::arg<1> (*)(), boost::_bi::value<std::shared_ptr<boost::asio::basic_stream_socket<boost::asio::local::stream_protocol> > >, boost::_bi::value<std::function<void(const std::shared_ptr<nfd::Face>&)> >, boost::_bi::value<std::function<void(const std::basic_string<char>&)> > > >, boost::system::error_code>, boost::_bi::bind_t<void, boost::_mfi::mf4<void, nfd::UnixStreamChannel, const boost::system::error_code&, const std::shared_ptr<boost::asio::basic_stream_socket<boost::asio::local::stream_protocol> >&, const std::function<void(const std::shared_ptr<nfd::Face>&)>&, const std::function<void(const std::basic_string<char>&)>&>, boost::_bi::list5<boost::_bi::value<nfd::UnixStreamChannel*>, boost::arg<1> (*)(), boost::_bi::value<std::shared_ptr<boost::asio::basic_stream_socket<boost::asio::local::stream_protocol> > >, boost::_bi::value<std::function<void(const std::shared_ptr<nfd::Face>&)> >, boost::_bi::value<std::function<void(const std::basic_string<char>&)> > > > > /usr/include/boost/asio/detail/handler_invoke_helpers.hpp:37
    #15 0x6aa401 in boost::asio::detail::reactive_socket_accept_op<boost::asio::basic_socket<boost::asio::local::stream_protocol, boost::asio::stream_socket_service<boost::asio::local::stream_protocol> >, boost::asio::local::stream_protocol, boost::_bi::bind_t<void, boost::_mfi::mf4<void, nfd::UnixStreamChannel, boost::system::error_code const&, std::shared_ptr<boost::asio::basic_stream_socket<boost::asio::local::stream_protocol, boost::asio::stream_socket_service<boost::asio::local::stream_protocol> > > const&, std::function<void (std::shared_ptr<nfd::Face> const&)> const&, std::function<void (std::string const&)> const&>, boost::_bi::list5<boost::_bi::value<nfd::UnixStreamChannel*>, boost::arg<1> (*)(), boost::_bi::value<std::shared_ptr<boost::asio::basic_stream_socket<boost::asio::local::stream_protocol, boost::asio::stream_socket_service<boost::asio::local::stream_protocol> > > >, boost::_bi::value<std::function<void (std::shared_ptr<nfd::Face> const&)> >, boost::_bi::value<std::function<void (std::string const&)> > > > >::do_complete(boost::asio::detail::task_io_service*, boost::asio::detail::task_io_service_operation*, boost::system::error_code const&, unsigned long) /usr/include/boost/asio/detail/reactive_socket_accept_op.hpp:123

SUMMARY: AddressSanitizer: heap-use-after-free /usr/include/c++/4.9/bits/shared_ptr_base.h:1048 std::__shared_ptr<boost::asio::basic_stream_socket<boost::asio::local::stream_protocol, boost::asio::stream_socket_service<boost::asio::local::stream_protocol> >, (__gnu_cxx::_Lock_policy)2>::operator->() const
==27264==ABORTING
Actions #7

Updated by Davide Pesavento over 10 years ago

  • Status changed from In Progress to Feedback
  • % Done changed from 0 to 50

http://gerrit.named-data.net/1798 implements a simple fix for the use-after-free, but I believe more discussion is needed. For example, the send request could (should) simply be suppressed if the face is being closed.

Actions #8

Updated by Alex Afanasyev over 10 years ago

In the processErrors() method of StreamFace, we now have three error conditions that do not cause a call to face->fail():

if (error == boost::asio::error::broken_pipe ||         // socket closed or shut down
    error == boost::asio::error::operation_aborted ||   // when cancel() is called
    error == boost::asio::error::shut_down)             // after shutdown() is called
  return;

if (!m_socket->is_open())
  {
    this->fail("Connection closed");
    return;
  }

Are these three codes comprehensive? Is there a reason why "fail" should not be called on them? Are there negative consequences of calling fail twice?

Actions #9

Updated by Davide Pesavento over 10 years ago

Calling fail() twice is harmless. The second invocation is effectively a no-op.

As I said in gerrit, the error handling and the closing of faces would benefit from an overhaul, as it is quite fragile right now.

Actions #10

Updated by Junxiao Shi over 10 years ago

Change 1798 is abandoned. Is there another solution?

Actions #11

Updated by Davide Pesavento over 10 years ago

  • Status changed from Feedback to In Progress
  • % Done changed from 50 to 10

Not yet.

Actions #12

Updated by Davide Pesavento about 10 years ago

  • Assignee deleted (Davide Pesavento)
  • % Done changed from 10 to 0

I won't have time to work on this task for a while.

Actions #13

Updated by Junxiao Shi about 10 years ago

  • Status changed from In Progress to New
Actions #14

Updated by Junxiao Shi almost 10 years ago

UnixStreamFace is deleted in #3165 and replaced by UnixStreamTransport. I'll verify whether the same bug exists in UnixStreamTransport.

Actions #15

Updated by Junxiao Shi almost 10 years ago

  • Status changed from New to Rejected

This bug no longer exists after #3165.

Actions #16

Updated by Davide Pesavento almost 10 years ago

My suggestion in note-7 still applies... Any send attempt while the face is not in the UP state should be suppressed.

Actions #17

Updated by Junxiao Shi almost 10 years ago

> Any send attempt while the face is not in the UP state should be suppressed.

No. When a Transport is DOWN, BFD feature must be able to transmit in order to detect when it's UP again.

Actions #18

Updated by Davide Pesavento almost 10 years ago

Ok. When it is not UP or DOWN then... The point was that the transmission shouldn't happen while the transport is being closed.
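
An added illustration, not part of the thread and not NFD code: the ASan trace above shows `handleSend` bound to a raw `StreamFace*` whose object had already been freed. The sketch below uses a hypothetical `Face`, `Loop` and `State` (all assumptions) to show a completion handler that holds a `weak_ptr` instead, and a send path suppressed only while closing, so that DOWN can still transmit as note-17 requires.

```cpp
#include <cstddef>
#include <deque>
#include <functional>
#include <memory>
#include <string>
#include <utility>

// Stand-in for an io_service (assumption): handlers run later, from run().
struct Loop {
  std::deque<std::function<void()>> pending;
  void post(std::function<void()> h) { pending.push_back(std::move(h)); }
  void run() {
    while (!pending.empty()) {
      auto h = std::move(pending.front());
      pending.pop_front();
      h();
    }
  }
};

enum class State { UP, DOWN, CLOSING, CLOSED };

// Hypothetical face, owned by shared_ptr like the face in the trace.
class Face : public std::enable_shared_from_this<Face> {
public:
  Face(Loop& loop, int& completions) : m_loop(loop), m_completions(completions) {}
  void setState(State s) { m_state = s; }

  // Returns false when the send is suppressed because the face is closing.
  bool send(const std::string& pkt) {
    if (m_state == State::CLOSING || m_state == State::CLOSED)
      return false;
    // Binding the handler to a raw `this` leaves a dangling pointer if the
    // face is destroyed before the completion runs. Hold a weak_ptr instead.
    std::weak_ptr<Face> weak = shared_from_this();
    std::size_t n = pkt.size();
    m_loop.post([weak, n] {
      if (auto self = weak.lock())  // face still alive: members are valid
        self->handleSend(n);
      // otherwise the face is gone and the completion is dropped
    });
    return true;
  }

private:
  void handleSend(std::size_t) { ++m_completions; }
  Loop& m_loop;
  int& m_completions;
  State m_state = State::UP;
};

// Queue a write, optionally drop the last owner, then run the handler.
int completionsSeen(bool destroyBeforeRun) {
  Loop loop;
  int completions = 0;
  auto face = std::make_shared<Face>(loop, completions);
  face->send("data");
  if (destroyBeforeRun)
    face.reset();  // constructed scenario: peer quit, owner released the face
  loop.run();
  return completions;
}

bool sendAllowed(State s) {
  Loop loop;
  int completions = 0;
  auto face = std::make_shared<Face>(loop, completions);
  face->setState(s);
  return face->send("probe");
}

int main() {
  bool ok = completionsSeen(true) == 0 && completionsSeen(false) == 1 &&
            !sendAllowed(State::CLOSING) && sendAllowed(State::DOWN);
  return ok ? 0 : 1;
}
```

Capturing a `shared_ptr` in the handler instead would keep the face alive until the completion runs; which of the two is appropriate depends on whether the completion still has work to do after close.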
