You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@mesos.apache.org by "James Peach (JIRA)" <ji...@apache.org> on 2017/02/20 00:58:44 UTC

[jira] [Commented] (MESOS-7143) ABORT checks its preconditions incorrectly and incompletely

    [ https://issues.apache.org/jira/browse/MESOS-7143?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15873919#comment-15873919 ] 

James Peach commented on MESOS-7143:
------------------------------------

Similarly the {{ABORT}} macro is optimistic. It lets you pass multiple arguments but {{_Abort}} only takes 1 message:

{code}
#define ABORT(...) _Abort(_ABORT_PREFIX, __VA_ARGS__)
{code}

For _Abort itself, consider annotating the arguments to be non-null and removing the checks. It's not cool to abort without an actionable message.

> ABORT checks its preconditions incorrectly and incompletely
> -----------------------------------------------------------
>
>                 Key: MESOS-7143
>                 URL: https://issues.apache.org/jira/browse/MESOS-7143
>             Project: Mesos
>          Issue Type: Bug
>          Components: stout
>    Affects Versions: 0.23.0
>            Reporter: Benjamin Bannier
>            Priority: Minor
>              Labels: coverity, tech-debt
>
> Currently, stout's {{ABORT}} (which is mapped to {{_Abort}}) checks it precondition incompletely and incorrectly.
> Its current control flow is roughly
> {code}
> void _Abort(const char* prefix, const char* message)
> {
>   size_t prefix_len = strlen(prefix);
>   size_t message_len = strlen(message);
>   
>   // Async-safe write.
>    while(::write(2, prefix, prefix_len) == -1 && errno == EINTR);
>    while(message != nullptr &&
>          ::write(2, message, message_len) == -1 && errno == EINTR);
> }
> {code}
> We here check the precondition {{message != nullptr}} after we already have called {{strlen(message)}}; calling {{strlen}} on a {{nullptr}} already triggers undefined behavior.
> Similarly, we never guard against a {{prefix}} which is {{nullptr}}, but unconditionally call {{strlen}} on it.
> It seems it should be possible to assert that neither {{prefix}} nor {{message}} are {{nullptr}} before any use.
> This was diagnosed by coverity as CID-1400833, and has been present in all releases since 0.23.0.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)