Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Use after free in listener (data race) #1657

Closed
gdamore opened this issue Apr 24, 2023 · 0 comments
Closed

Use after free in listener (data race) #1657

gdamore opened this issue Apr 24, 2023 · 0 comments
Assignees
Labels

Comments

@gdamore
Copy link
Contributor

gdamore commented Apr 24, 2023

There is a race condition on listener shutdown that can cause a problem because the reference counting we use does not allow for ownership of the socket. This looks like this in tests:

WARNING: ThreadSanitizer: data race (pid=4501)
[1275](https://github.com/nanomsg/nng/actions/runs/4751371234/jobs/8441096131?pr=1655#step:6:1276)
  Write of size 8 at 0x7b7000000878 by thread T10:
[1276](https://github.com/nanomsg/nng/actions/runs/4751371234/jobs/8441096131?pr=1655#step:6:1277)
    #0 free <null> (bus_test+0x53574) (BuildId: b1c88138202ffa20c9053dba1cfd365980a442f3)
[1277](https://github.com/nanomsg/nng/actions/runs/4751371234/jobs/8441096131?pr=1655#step:6:1278)
    #1 nni_free /home/runner/work/nng/nng/src/platform/posix/posix_alloc.c:33:2 (bus_test+0x100b01) (BuildId: b1c88138202ffa20c9053dba1cfd365980a442f3)
[1278](https://github.com/nanomsg/nng/actions/runs/4751371234/jobs/8441096131?pr=1655#step:6:1279)
    #2 nni_listener_destroy /home/runner/work/nng/nng/src/core/listener.c:44:2 (bus_test+0xeb644) (BuildId: b1c88138202ffa20c9053dba1cfd365980a442f3)
[1279](https://github.com/nanomsg/nng/actions/runs/4751371234/jobs/8441096131?pr=1655#step:6:1280)
    #3 listener_reap /home/runner/work/nng/nng/src/core/socket.c:1675:2 (bus_test+0xf8bfa) (BuildId: b1c88138202ffa20c9053dba1cfd365980a442f3)
[1280](https://github.com/nanomsg/nng/actions/runs/4751371234/jobs/8441096131?pr=1655#step:6:1281)
    #4 reap_worker /home/runner/work/nng/nng/src/core/reap.c:58:5 (bus_test+0xf293f) (BuildId: b1c88138202ffa20c9053dba1cfd365980a442f3)
[1281](https://github.com/nanomsg/nng/actions/runs/4751371234/jobs/8441096131?pr=1655#step:6:1282)
    #5 nni_thr_wrap /home/runner/work/nng/nng/src/core/thread.c:94:3 (bus_test+0xfc360) (BuildId: b1c88138202ffa20c9053dba1cfd365980a442f3)
[1282](https://github.com/nanomsg/nng/actions/runs/4751371234/jobs/8441096131?pr=1655#step:6:1283)
    #6 nni_plat_thr_main /home/runner/work/nng/nng/src/platform/posix/posix_thread.c:266:2 (bus_test+0x1022aa) (BuildId: b1c88138202ffa20c9053dba1cfd365980a442f3)
[1283](https://github.com/nanomsg/nng/actions/runs/4751371234/jobs/8441096131?pr=1655#step:6:1284)

[1284](https://github.com/nanomsg/nng/actions/runs/4751371234/jobs/8441096131?pr=1655#step:6:1285)
  Previous write of size 4 at 0x7b7000000878 by main thread (mutexes: write M0):
[1285](https://github.com/nanomsg/nng/actions/runs/4751371234/jobs/8441096131?pr=1655#step:6:1286)
    #0 nni_listener_rele /home/runner/work/nng/nng/src/core/listener.c:309:10 (bus_test+0xec4d5) (BuildId: b1c88138202ffa20c9053dba1cfd365980a442f3)
[1286](https://github.com/nanomsg/nng/actions/runs/4751371234/jobs/8441096131?pr=1655#step:6:1287)
    #1 nni_listener_close /home/runner/work/nng/nng/src/core/listener.c:323:3 (bus_test+0xec5bc) (BuildId: b1c88138202ffa20c9053dba1cfd365980a442f3)
[1287](https://github.com/nanomsg/nng/actions/runs/4751371234/jobs/8441096131?pr=1655#step:6:1288)
    #2 nni_sock_shutdown /home/runner/work/nng/nng/src/core/socket.c:696:3 (bus_test+0xf3d22) (BuildId: b1c88138202ffa20c9053dba1cfd365980a442f3)
[1288](https://github.com/nanomsg/nng/actions/runs/4751371234/jobs/8441096131?pr=1655#step:6:1289)
    #3 nni_sock_close /home/runner/work/nng/nng/src/core/socket.c:781:2 (bus_test+0xf4235) (BuildId: b1c88138202ffa20c9053dba1cfd365980a442f3)
[1289](https://github.com/nanomsg/nng/actions/runs/4751371234/jobs/8441096131?pr=1655#step:6:1290)
    #4 nng_close /home/runner/work/nng/nng/src/nng.c:45:2 (bus_test+0xdcd5e) (BuildId: b1c88138202ffa20c9053dba1cfd365980a442f3)
[1290](https://github.com/nanomsg/nng/actions/runs/4751371234/jobs/8441096131?pr=1655#step:6:1291)
    #5 test_bug1247 /home/runner/work/nng/nng/src/sp/protocol/bus0/bus_test.c:401:2 (bus_test+0xdba91) (BuildId: b1c88138202ffa20c9053dba1cfd365980a442f3)
[1291](https://github.com/nanomsg/nng/actions/runs/4751371234/jobs/8441096131?pr=1655#step:6:1292)
    #6 test_do_run_ /home/runner/work/nng/nng/src/testing/acutest.h:1026:9 (bus_test+0xdc82e) (BuildId: b1c88138202ffa20c9053dba1cfd365980a442f3)
[1292](https://github.com/nanomsg/nng/actions/runs/4751371234/jobs/8441096131?pr=1655#step:6:1293)
    #7 test_run_ /home/runner/work/nng/nng/src/testing/acutest.h:1122:23 (bus_test+0xd6cea) (BuildId: b1c88138202ffa20c9053dba1cfd365980a442f3)
[1293](https://github.com/nanomsg/nng/actions/runs/4751371234/jobs/8441096131?pr=1655#step:6:1294)
    #8 main /home/runner/work/nng/nng/src/testing/acutest.h:1724:13 (bus_test+0xd49c1) (BuildId: b1c88138202ffa20c9053dba1cfd365980a442f3)
[1294](https://github.com/nanomsg/nng/actions/runs/4751371234/jobs/8441096131?pr=1655#step:6:1295)

[1295](https://github.com/nanomsg/nng/actions/runs/4751371234/jobs/8441096131?pr=1655#step:6:1296)
  Mutex M0 (0x55c2bfac1200) created at:
[1296](https://github.com/nanomsg/nng/actions/runs/4751371234/jobs/8441096131?pr=1655#step:6:1297)
    #0 pthread_mutex_lock <null> (bus_test+0x722ca) (BuildId: b1c88138202ffa20c9053dba1cfd365980a442f3)
[1297](https://github.com/nanomsg/nng/actions/runs/4751371234/jobs/8441096131?pr=1655#step:6:1298)
    #1 nni_pthread_mutex_lock /home/runner/work/nng/nng/src/platform/posix/posix_thread.c:84:12 (bus_test+0x1019f5) (BuildId: b1c88138202ffa20c9053dba1cfd365980a442f3)
[1298](https://github.com/nanomsg/nng/actions/runs/4751371234/jobs/8441096131?pr=1655#step:6:1299)
    #2 nni_plat_mtx_lock /home/runner/work/nng/nng/src/platform/posix/posix_thread.c:146:2 (bus_test+0x1019b5) (BuildId: b1c88138202ffa20c9053dba1cfd365980a442f3)
[1299](https://github.com/nanomsg/nng/actions/runs/4751371234/jobs/8441096131?pr=1655#step:6:1300)
    #3 nni_mtx_lock /home/runner/work/nng/nng/src/core/thread.c:27:2 (bus_test+0xfbdd5) (BuildId: b1c88138202ffa20c9053dba1cfd365980a442f3)
[1300](https://github.com/nanomsg/nng/actions/runs/4751371234/jobs/8441096131?pr=1655#step:6:1301)
    #4 nni_listener_create /home/runner/work/nng/nng/src/core/listener.c:245:2 (bus_test+0xebad8) (BuildId: b1c88138202ffa20c9053dba1cfd365980a442f3)
[1301](https://github.com/nanomsg/nng/actions/runs/4751371234/jobs/8441096131?pr=1655#step:6:1302)
    #5 nng_listen /home/runner/work/nng/nng/src/nng.c:585:12 (bus_test+0xdea27) (BuildId: b1c88138202ffa20c9053dba1cfd365980a442f3)
[1302](https://github.com/nanomsg/nng/actions/runs/4751371234/jobs/8441096131?pr=1655#step:6:1303)
    #6 test_bug1247 /home/runner/work/nng/nng/src/sp/protocol/bus0/bus_test.c:398:2 (bus_test+0xdb99c) (BuildId: b1c88138202ffa20c9053dba1cfd365980a442f3)
[1303](https://github.com/nanomsg/nng/actions/runs/4751371234/jobs/8441096131?pr=1655#step:6:1304)
    #7 test_do_run_ /home/runner/work/nng/nng/src/testing/acutest.h:1026:9 (bus_test+0xdc82e) (BuildId: b1c88138202ffa20c9053dba1cfd365980a442f3)
[1304](https://github.com/nanomsg/nng/actions/runs/4751371234/jobs/8441096131?pr=1655#step:6:1305)
    #8 test_run_ /home/runner/work/nng/nng/src/testing/acutest.h:1122:23 (bus_test+0xd6cea) (BuildId: b1c88138202ffa20c9053dba1cfd365980a442f3)
[1305](https://github.com/nanomsg/nng/actions/runs/4751371234/jobs/8441096131?pr=1655#step:6:1306)
    #9 main /home/runner/work/nng/nng/src/testing/acutest.h:1724:13 (bus_test+0xd49c1) (BuildId: b1c88138202ffa20c9053dba1cfd365980a442f3)
[1306](https://github.com/nanomsg/nng/actions/runs/4751371234/jobs/8441096131?pr=1655#step:6:1307)

[1307](https://github.com/nanomsg/nng/actions/runs/4751371234/jobs/8441096131?pr=1655#step:6:1308)
  Thread T10 'nng:reap2' (tid=4513, running) created by main thread at:
[1308](https://github.com/nanomsg/nng/actions/runs/4751371234/jobs/8441096131?pr=1655#step:6:1309)
    #0 pthread_create <null> (bus_test+0x5473d) (BuildId: b1c88138202ffa20c9053dba1cfd365980a442f3)
[1309](https://github.com/nanomsg/nng/actions/runs/4751371234/jobs/8441096131?pr=1655#step:6:1310)
    #1 nni_plat_thr_init /home/runner/work/nng/nng/src/platform/posix/posix_thread.c:279:7 (bus_test+0x1021c9) (BuildId: b1c88138202ffa20c9053dba1cfd365980a442f3)
[1310](https://github.com/nanomsg/nng/actions/runs/4751371234/jobs/8441096131?pr=1655#step:6:1311)
    #2 nni_thr_init /home/runner/work/nng/nng/src/core/thread.c:121:12 (bus_test+0xfc194) (BuildId: b1c88138202ffa20c9053dba1cfd365980a442f3)
[1311](https://github.com/nanomsg/nng/actions/runs/4751371234/jobs/8441096131?pr=1655#step:6:1312)
    #3 nni_reap_sys_init /home/runner/work/nng/nng/src/core/reap.c:110:12 (bus_test+0xf27c7) (BuildId: b1c88138202ffa20c9053dba1cfd365980a442f3)
[1312](https://github.com/nanomsg/nng/actions/runs/4751371234/jobs/8441096131?pr=1655#step:6:1313)
    #4 nni_init_helper /home/runner/work/nng/nng/src/core/init.c:36:13 (bus_test+0xea5de) (BuildId: b1c88138202ffa20c9053dba1cfd365980a442f3)
[1313](https://github.com/nanomsg/nng/actions/runs/4751371234/jobs/8441096131?pr=1655#step:6:1314)
    #5 nni_plat_init /home/runner/work/nng/nng/src/platform/posix/posix_thread.c:422:12 (bus_test+0x1026a9) (BuildId: b1c88138202ffa20c9053dba1cfd365980a442f3)
[1314](https://github.com/nanomsg/nng/actions/runs/4751371234/jobs/8441096131?pr=1655#step:6:1315)
    #6 nni_init /home/runner/work/nng/nng/src/core/init.c:55:10 (bus_test+0xea56c) (BuildId: b1c88138202ffa20c9053dba1cfd365980a442f3)
[1315](https://github.com/nanomsg/nng/actions/runs/4751371234/jobs/8441096131?pr=1655#step:6:1316)
    #7 nni_sock_open /home/runner/work/nng/nng/src/core/socket.c:637:13 (bus_test+0xf2e0a) (BuildId: b1c88138202ffa20c9053dba1cfd365980a442f3)
[1316](https://github.com/nanomsg/nng/actions/runs/4751371234/jobs/8441096131?pr=1655#step:6:1317)
    #8 nni_proto_open /home/runner/work/nng/nng/src/sp/protocol.c:22:12 (bus_test+0x106475) (BuildId: b1c88138202ffa20c9053dba1cfd365980a442f3)
[1317](https://github.com/nanomsg/nng/actions/runs/4751371234/jobs/8441096131?pr=1655#step:6:1318)
    #9 nng_bus0_open /home/runner/work/nng/nng/src/sp/protocol/bus0/bus.c:541:10 (bus_test+0x10386c) (BuildId: b1c88138202ffa20c9053dba1cfd365980a442f3)
[1318](https://github.com/nanomsg/nng/actions/runs/4751371234/jobs/8441096131?pr=1655#step:6:1319)
    #10 test_bug1247 /home/runner/work/nng/nng/src/sp/protocol/bus0/bus_test.c:395:2 (bus_test+0xdb8d1) (BuildId: b1c88138202ffa20c9053dba1cfd365980a442f3)
[1319](https://github.com/nanomsg/nng/actions/runs/4751371234/jobs/8441096131?pr=1655#step:6:1320)
    #11 test_do_run_ /home/runner/work/nng/nng/src/testing/acutest.h:1026:9 (bus_test+0xdc82e) (BuildId: b1c88138202ffa20c9053dba1cfd365980a442f3)
[1320](https://github.com/nanomsg/nng/actions/runs/4751371234/jobs/8441096131?pr=1655#step:6:1321)
    #12 test_run_ /home/runner/work/nng/nng/src/testing/acutest.h:1122:23 (bus_test+0xd6cea) (BuildId: b1c88138202ffa20c9053dba1cfd365980a442f3)
[1321](https://github.com/nanomsg/nng/actions/runs/4751371234/jobs/8441096131?pr=1655#step:6:1322)
    #13 main /home/runner/work/nng/nng/src/testing/acutest.h:1724:13 (bus_test+0xd49c1) (BuildId: b1c88138202ffa20c9053dba1cfd365980a442f3)
[1322](https://github.com/nanomsg/nng/actions/runs/4751371234/jobs/8441096131?pr=1655#step:6:1323)

[1323](https://github.com/nanomsg/nng/actions/runs/4751371234/jobs/8441096131?pr=1655#step:6:1324)
SUMMARY: ThreadSanitizer: data race (/home/runner/work/nng/nng/build/src/sp/protocol/bus0/bus_test+0x53574) (BuildId: b1c88138202ffa20c9053dba1cfd365980a442f3) in free
[1324](https://github.com/nanomsg/nng/actions/runs/4751371234/jobs/8441096131?pr=1655#step:6:1325)

Adding an assert that the listener refcnt never drops to zero causes it to consistently fail on this test as well.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

1 participant