Bug 1030406

Summary: segfault in Queue::isExpired() when debug logging for queue enabled
Product: Red Hat Enterprise MRG
Reporter: Gordon Sim <gsim>
Component: qpid-cpp
Assignee: Gordon Sim <gsim>
Status: CLOSED ERRATA
QA Contact: Leonid Zhaldybin <lzhaldyb>
Severity: unspecified
Docs Contact:
Priority: high
Version: 2.5
CC: esammons, freznice, gsim, iboverma, jross, lzhaldyb, mcressma, pmoravec, sauchter
Target Milestone: 2.4.4
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: qpid-cpp-0.18-19
Doc Type: Bug Fix
Doc Text:
Cause: The message properties were printed without holding the lock.
Consequence: Another thread could be modifying them at the same time, causing memory corruption.
Fix: The lock is now held while printing the properties.
Result: Concurrent modification should be prevented.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-02-11 08:28:45 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Gordon Sim 2013-11-14 11:27:52 UTC
Description of problem:

There is a log statement in Queue::isExpired() that if enabled can cause a segfault when the message is logged as expired while already being delivered from some other queue.

Version-Release number of selected component (if applicable):

I tested against tip of current 0.18-mrg tree

How reproducible:

Fairly reliably

Steps to Reproduce:
1. start broker with --log-enable info+ --log-enable debug+:Queue
2. for i in `seq 10`; do ./src/tests/qpid-receive --address amq.fanout --print-content false -f & done
3. ./src/tests/qpid-send --address amq.fanout --ttl 2 --messages 100000 -P a=b -P c=d --content-size 512

Actual results:

Broker eventually segfaults and inspection of core dump shows it was in Queue::isExpired()

Expected results:

No segfault

Additional info:

I ran the reproducer above three times in a row and each time the broker cored before the sender completed. However, this is essentially a race condition, so it may be harder or easier to hit on different platforms, and the value for ttl and the number of senders and receivers will likely affect it.
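The Doc Text describes the root cause: the debug log in Queue::isExpired() formatted the message properties without holding the lock, so a second queue delivering the same message could mutate the property map under the formatter. The following is an added illustration of that pattern and of the fix (hold the lock while formatting); it is not qpid's code, and the single lock, the Message/Queue types and the a/c property pair (mirroring the reproducer's -P a=b -P c=d) are assumptions for the example.

```cpp
// Added illustration of this bug's race, not qpid's own code: a debug-log path
// formats a message's properties while another thread is mutating them.
#include <map>
#include <mutex>
#include <string>
#include <thread>
struct Message {
    std::map<std::string, std::string> properties;  // shared, mutable
    long expiry = 0;                                // 0 means never expires
};
struct Queue {
    std::mutex lock;    // assumed: one lock guards the property map
    int tornLines = 0;  // formatted log lines whose a and c values disagree
    // Returns true if msg has expired at 'now'. As in the fix, the property dump is
    // formatted while the lock is held; the pre-fix code formatted it unlocked.
    bool isExpired(Message& msg, long now) {
        std::lock_guard<std::mutex> guard(lock);
        bool expired = msg.expiry != 0 && msg.expiry <= now;
        if (expired) {
            std::string line = "expired";
            for (const auto& kv : msg.properties) line += " " + kv.first + "=" + kv.second;
            // Once both keys exist the line is "expired a=X c=Y"; X != Y is a torn read.
            std::size_t s1 = line.find(' '), s2 = line.rfind(' ');
            if (s1 != s2 && line.substr(s1 + 3, s2 - s1 - 3) != line.substr(s2 + 3)) ++tornLines;
        }
        return expired;
    }
    // Writer path (another queue delivering the same message): a and c always change together.
    void setProperties(Message& msg, const std::string& value) {
        std::lock_guard<std::mutex> guard(lock);
        msg.properties["a"] = value;
        msg.properties["c"] = value;
    }
};
// Single-threaded check of the expiry predicate itself.
bool expiresAt(long expiry, long now) { Queue q; Message m; m.expiry = expiry; return q.isExpired(m, now); }
// Constructed stress run: a writer thread rewrites the properties 'iterations'
// times while this thread keeps checking expiry. Returns true when every check
// saw the message as expired and no formatted line showed a torn a/c pair.
bool consistentUnderConcurrency(int iterations) {
    Queue q; Message msg;
    msg.expiry = 1;                // already expired at now = 2
    q.setProperties(msg, "init");  // so every log line carries both keys
    std::thread writer([&] { for (int i = 0; i < iterations; ++i) q.setProperties(msg, std::to_string(i)); });
    bool allExpired = true;
    for (int i = 0; i < iterations; ++i) allExpired = q.isExpired(msg, 2) && allExpired;
    writer.join();
    return allExpired && q.tornLines == 0;
}
```

Removing the lock_guard from isExpired() reproduces the pre-fix shape, where the map iteration runs concurrently with the writer's inserts (undefined behaviour, the crash this bug reports); with the guard in place the torn-line counter stays at zero.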

Comment 3 Gordon Sim 2013-11-14 11:50:12 UTC
Candidate fix available in http://git.app.eng.bos.redhat.com/rh-qpid.git/log/?h=0.18-mrg-BZ1030406

Comment 6 Leonid Zhaldybin 2014-01-30 15:26:25 UTC
Tested on RHEL5.10 and RHEL6.5 (both i386 and x86_64). This issue has been
fixed.

Packages used for testing:

RHEL5:
python-qpid-0.18-9.el5_10
python-qpid-qmf-0.18-20.el5_10
qpid-cpp-client-0.18-20.el5_10
qpid-cpp-client-devel-0.18-20.el5_10
qpid-cpp-client-devel-docs-0.18-20.el5_10
qpid-cpp-client-rdma-0.18-20.el5_10
qpid-cpp-client-ssl-0.18-20.el5_10
qpid-cpp-server-0.18-20.el5_10
qpid-cpp-server-cluster-0.18-20.el5_10
qpid-cpp-server-devel-0.18-20.el5_10
qpid-cpp-server-ha-0.18-20.el5_10
qpid-cpp-server-rdma-0.18-20.el5_10
qpid-cpp-server-ssl-0.18-20.el5_10
qpid-cpp-server-store-0.18-20.el5_10
qpid-cpp-server-xml-0.18-20.el5_10
qpid-java-client-0.18-8.el5_9
qpid-java-common-0.18-8.el5_9
qpid-java-example-0.18-8.el5_9
qpid-jca-0.18-8.el5
qpid-jca-xarecovery-0.18-8.el5
qpid-jca-zip-0.18-8.el5
qpid-qmf-0.18-20.el5_10
qpid-qmf-devel-0.18-20.el5_10
qpid-tests-0.18-2.el5
qpid-tools-0.18-10.el5_9
ruby-qpid-qmf-0.18-20.el5_10

RHEL6:
python-qpid-0.18-9.el6
python-qpid-qmf-0.18-20.el6
qpid-cpp-client-0.18-20.el6
qpid-cpp-client-devel-0.18-20.el6
qpid-cpp-client-devel-docs-0.18-20.el6
qpid-cpp-client-rdma-0.18-20.el6
qpid-cpp-client-ssl-0.18-20.el6
qpid-cpp-server-0.18-20.el6
qpid-cpp-server-cluster-0.18-20.el6
qpid-cpp-server-devel-0.18-20.el6
qpid-cpp-server-ha-0.18-20.el6
qpid-cpp-server-rdma-0.18-20.el6
qpid-cpp-server-ssl-0.18-20.el6
qpid-cpp-server-store-0.18-20.el6
qpid-cpp-server-xml-0.18-20.el6
qpid-java-client-0.18-8.el6_4
qpid-java-common-0.18-8.el6_4
qpid-java-example-0.18-8.el6_4
qpid-jca-0.18-8.el6
qpid-jca-xarecovery-0.18-8.el6
qpid-jca-zip-0.18-8.el6
qpid-qmf-0.18-20.el6
qpid-qmf-devel-0.18-20.el6
qpid-tests-0.18-2.el6
qpid-tools-0.18-10.el6_4
ruby-qpid-qmf-0.18-20.el6

-> VERIFIED

Comment 8 errata-xmlrpc 2014-02-11 08:28:45 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-0130.html

Comment 9 Pavel Moravec 2014-06-15 12:49:41 UTC
*** Bug 1090810 has been marked as a duplicate of this bug. ***