Posted to dev@qpid.apache.org by "Jiri Daněk (Jira)" <ji...@apache.org> on 2021/04/14 11:58:00 UTC

[jira] [Created] (DISPATCH-2045) qd_hash_internal_remove_item writes to freed (pooled) memory on router shutdown

Jiri Daněk created DISPATCH-2045:
------------------------------------

             Summary: qd_hash_internal_remove_item writes to freed (pooled) memory on router shutdown
                 Key: DISPATCH-2045
                 URL: https://issues.apache.org/jira/browse/DISPATCH-2045
             Project: Qpid Dispatch
          Issue Type: Bug
    Affects Versions: 1.16.0
            Reporter: Jiri Daněk
         Attachments: 0001-DISPATCH-2039-WIP-add-prints-around-hash-inserts-and.patch, hashcrash.conf

Apply the attached patch, run the router with the attached config, wait a moment, then stop the router. Note the following lines in the router output:

{code}
inserting key M0$management
inserting key L$management
inserting key L$_management_internal
inserting key Corg.apache
inserting key CFakeBroker
inserting key LlinkRoute/0
inserting key Dorg.apache
inserting key LlinkRoute/1

^C

freeing item 0x61100000de10 with key 2/apache
zeroing the handle pointer, of value 0x61100000de10
freeing hash handle 0x611000034f10 for item (nil)
freeing item 0x61100000df50 with key 1/org
zeroing the handle pointer, of value 0x61100000df50
freeing hash handle 0x611000035050 for item (nil)
freeing item 0x611000030050 with key Corg.apache
zeroing the handle pointer, of value 0x611000030050
freeing hash handle 0x611000035190 for item (nil)
freeing hash handle 0x611000034c90 for item 0x61100000db90
freeing item 0x61100000dcd0 with key CFakeBroker
zeroing the handle pointer, of value 0x61100000dcd0
freeing hash handle 0x611000034dd0 for item (nil)
freeing item 0x61100000d7d0 with key 2/apache
zeroing the handle pointer, of value 0x61100000d7d0
freeing hash handle 0x6110000348d0 for item (nil)
freeing item 0x61100000d910 with key 1/org
zeroing the handle pointer, of value 0x61100000d910
freeing hash handle 0x611000034a10 for item (nil)
freeing item 0x61100000da50 with key Dorg.apache
zeroing the handle pointer, of value 0x61100000da50
freeing hash handle 0x611000034b50 for item (nil)
freeing hash handle 0x611000034790 for item 0x61100000d690
freeing item 0x611000030410 with key M0$management
zeroing the handle pointer, of value 0x611000030410
freeing hash handle 0x611000035550 for item (nil)
freeing item 0x6110000302d0 with key L$management
zeroing the handle pointer, of value 0x6110000302d0
freeing hash handle 0x611000035410 for item (nil)
freeing item 0x611000030190 with key L$_management_internal
zeroing the handle pointer, of value 0x611000030190
freeing hash handle 0x6110000352d0 for item (nil)
freeing item 0x61100000db90 with key LlinkRoute/0
zeroing the handle pointer, of value 0x9999999999999999
freeing item 0x61100000d690 with key LlinkRoute/1
zeroing the handle pointer, of value 0x9999999999999999
freeing item 0x611000007290 with key router
{code}

The problem is at the end, writing to memory set to {{#define QD_MEMORY_FREE 0x99}}.

{noformat}
freeing item 0x61100000db90 with key LlinkRoute/0
zeroing the handle pointer, of value 0x9999999999999999
freeing item 0x61100000d690 with key LlinkRoute/1
zeroing the handle pointer, of value 0x9999999999999999
freeing item 0x611000007290 with key router
{noformat}

That is because a handle can be freed before the item, which happened in this case, in {{freeing hash handle 0x611000034790 for item 0x61100000d690}}.



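A small model of the freeing-order problem above, added here for illustration; it is not Qpid Dispatch's qd_hash code, and item_t, handle_t, pool_free, free_item and scenario are invented names. Only the 0x99 poison byte (QD_MEMORY_FREE) is taken from the report.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define QD_MEMORY_FREE 0x99   /* poison byte written over freed pool memory (from the report) */

typedef struct item   item_t;
typedef struct handle handle_t;
struct handle { item_t *item; };                       /* handle -> item */
struct item   { const char *key; handle_t *handle; };  /* item -> handle back-link */

/* Toy pool: memory is not returned to malloc here, only poisoned, as a pooled allocator would. */
static void pool_free(void *p, size_t n) { memset(p, QD_MEMORY_FREE, n); }

/* Nonzero if every byte of the pointer value is the poison byte, i.e. the value was
   read out of already-freed pool memory (0x9999999999999999 in the log). */
static int is_poisoned_ptr(const void *p) {
    uintptr_t v = (uintptr_t)p, poison = 0;
    for (size_t i = 0; i < sizeof v; i++) poison = (poison << 8) | QD_MEMORY_FREE;
    return v == poison;
}

/* Order seen in the report: the handle is freed while the item still points at it. */
static void free_handle_buggy(handle_t *h) { pool_free(h, sizeof *h); }

/* Corrected order: break the item's back-link before the handle's memory is poisoned. */
static void free_handle_fixed(handle_t *h) {
    if (h->item) h->item->handle = NULL;
    pool_free(h, sizeof *h);
}

/* "zeroing the handle pointer" step from the log. Returns 1 if the write would have
   gone into freed (poisoned) memory, 0 if the handle was live or already detached. */
static int free_item(item_t *it) {
    int bad = 0;
    if (it->handle) {
        bad = is_poisoned_ptr(it->handle->item);   /* reading 0x99.. means the handle is dead */
        if (!bad) it->handle->item = NULL;
    }
    pool_free(it, sizeof *it);
    return bad;
}

/* Replays the LlinkRoute/1 sequence with either freeing order; constructed sample data. */
static int scenario(int fixed) {
    item_t   *it = malloc(sizeof *it);
    handle_t *h  = malloc(sizeof *h);
    it->key = "LlinkRoute/1"; it->handle = h; h->item = it;
    if (fixed) free_handle_fixed(h); else free_handle_buggy(h);
    int bad = free_item(it);
    free(h); free(it);
    return bad;
}
```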