Bug 1051441

Summary: Broker segfault when wrong filter used
Product: Red Hat Enterprise MRG Reporter: Pavel Moravec <pmoravec>
Component: qpid-cppAssignee: Gordon Sim <gsim>
Status: CLOSED ERRATA QA Contact: Petra Svobodová <psvobodo>
Severity: high Docs Contact:
Priority: high    
Version: 3.0CC: gsim, iboverma, jross, lzhaldyb, pematous, psvobodo
Target Milestone: 3.0Keywords: TestCaseProvided
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: qpid-cpp-0.22-33 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-09-24 15:09:57 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 785156, 1010399    

Description Pavel Moravec 2014-01-10 09:53:52 UTC 
Description of problem:
Client using weird filter and delete-on-close lifetime policy over AMQP 1.0, broker segfaults.


Version-Release number of selected component (if applicable):
qpid-cpp-server-0.22-31.el6.x86_64


How reproducible:
100%


Steps to Reproduce:
rm -rf /var/lib/qpidd/* ; service qpidd restart

qpid-receive -a "FilterQueue; {create: always, link: { filter: { value:'broadcast.Public.#', name: legacy-amqp-topic-binding, descriptor: 77567109365764 } }, node: { properties: {'lifetime-policy':'delete-on-close' } } }" --connection-options="{protocol:amqp1.0}"

qpid-stat -q | grep FilterQueue

qpid-receive -a "FilterQueue; {create: always, link: { filter: { value:'broadcast.Public.#', name: legacy-amqp-topic-binding, descriptor: 77567109365764 } }, node: { properties: {'lifetime-policy':'delete-on-close' } } }" --connection-options="{protocol:amqp1.0}"

(now broker segfaulted)


Actual results:
1st qpid-receive raises:
qpid-receive: Link detached by peer with amqp:internal-error: Found illegal character

qpid-stat shows the queue exists, despite it should have been deleted due to lifetime policy

2nd qpid-receive terminates as broker is down


Expected results:
Just error log is print. qpid-stat shouldn't show the queue exists, 2nd qpid-receive should cause segfault.


Additional info:
Backtrace of segfault:
(gdb) bt
#0  0x0000003768c32925 in raise () from /lib64/libc.so.6
#1  0x0000003768c34105 in abort () from /lib64/libc.so.6
#2  0x0000003768c2ba4e in __assert_fail_base () from /lib64/libc.so.6
#3  0x0000003768c2bb10 in __assert_fail () from /lib64/libc.so.6
#4  0x000000376c5e7f02 in qpid::broker::Queue::QueueUsers::addLifecycleController (this=<value optimized out>)
    at /usr/src/debug/qpid-0.22/cpp/src/qpid/broker/Queue.cpp:1707
#5  0x000000376c5e82c6 in qpid::broker::Queue::markInUse (this=0x1b72e40, controlling=true)
    at /usr/src/debug/qpid-0.22/cpp/src/qpid/broker/Queue.cpp:518
#6  0x00007f50c964ef3a in qpid::broker::amqp::OutgoingFromQueue::OutgoingFromQueue (this=0x1b54810, broker=..., source="FilterQueue", 
    target="FilterQueue", q=<value optimized out>, l=0x1b40fc0, session=..., o=..., type=qpid::broker::CONSUMER, e=false, p=true)
    at /usr/src/debug/qpid-0.22/cpp/src/qpid/broker/amqp/Outgoing.cpp:73
#7  0x00007f50c9667469 in qpid::broker::amqp::Session::setupOutgoing (this=0x1b76cb0, link=0x1b40fc0, source=<value optimized out>, 
    name="FilterQueue") at /usr/src/debug/qpid-0.22/cpp/src/qpid/broker/amqp/Session.cpp:445
#8  0x00007f50c96698a0 in qpid::broker::amqp::Session::attach (this=0x1b76cb0, link=0x1b40fc0)
    at /usr/src/debug/qpid-0.22/cpp/src/qpid/broker/amqp/Session.cpp:357
#9  0x00007f50c9626dd1 in qpid::broker::amqp::Connection::process (this=0x7f50ac0015d8)
    at /usr/src/debug/qpid-0.22/cpp/src/qpid/broker/amqp/Connection.cpp:270
#10 0x00007f50c96257fb in qpid::broker::amqp::Connection::decode (this=0x7f50ac0015d8, buffer=<value optimized out>, 
    size=<value optimized out>) at /usr/src/debug/qpid-0.22/cpp/src/qpid/broker/amqp/Connection.cpp:127
#11 0x00007f50c9659ba1 in qpid::broker::amqp::Sasl::decode (this=0x7f50ac001580, buffer=<value optimized out>, size=295)
    at /usr/src/debug/qpid-0.22/cpp/src/qpid/broker/amqp/Sasl.cpp:49
#12 0x000000376d196a70 in qpid::sys::AsynchIOHandler::readbuff (this=0x1b54da0, buff=0x1b55420)
    at /usr/src/debug/qpid-0.22/cpp/src/qpid/sys/AsynchIOHandler.cpp:130
#13 0x000000376d129e94 in operator() (this=0x1b3c540, h=...) at /usr/include/boost/function/function_template.hpp:1013
#14 qpid::sys::posix::AsynchIO::readable (this=0x1b3c540, h=...) at /usr/src/debug/qpid-0.22/cpp/src/qpid/sys/posix/AsynchIO.cpp:453
#15 0x000000376d19b123 in boost::function1<void, qpid::sys::DispatchHandle&>::operator() (this=<value optimized out>, 
    a0=<value optimized out>) at /usr/include/boost/function/function_template.hpp:1013
#16 0x000000376d19a271 in qpid::sys::DispatchHandle::processEvent (this=0x1b3c548, type=qpid::sys::Poller::READABLE)
    at /usr/src/debug/qpid-0.22/cpp/src/qpid/sys/DispatchHandle.cpp:280
#17 0x000000376d14c712 in process (this=0x1a5a480) at /usr/src/debug/qpid-0.22/cpp/src/qpid/sys/Poller.h:131
#18 qpid::sys::Poller::run (this=0x1a5a480) at /usr/src/debug/qpid-0.22/cpp/src/qpid/sys/epoll/EpollPoller.cpp:522
#19 0x000000376c5c0112 in qpid::broker::Broker::run (this=<value optimized out>)
---Type <return> to continue, or q <return> to quit---
    at /usr/src/debug/qpid-0.22/cpp/src/qpid/broker/Broker.cpp:443
#20 0x000000000040a964 in qpid::broker::QpiddDaemon::child (this=<value optimized out>)
    at /usr/src/debug/qpid-0.22/cpp/src/posix/QpiddBroker.cpp:149
#21 0x000000376c593753 in qpid::broker::Daemon::fork (this=0x7fffaecf86c0)
    at /usr/src/debug/qpid-0.22/cpp/src/qpid/broker/Daemon.cpp:91
#22 0x000000000040750a in qpid::broker::QpiddBroker::execute (this=<value optimized out>, options=<value optimized out>)
    at /usr/src/debug/qpid-0.22/cpp/src/posix/QpiddBroker.cpp:193
#23 0x000000000040cb24 in qpid::broker::run_broker (argc=4, argv=0x7fffaecf8cf8, hidden=<value optimized out>)
    at /usr/src/debug/qpid-0.22/cpp/src/qpidd.cpp:108
#24 0x0000003768c1ed1d in __libc_start_main () from /lib64/libc.so.6
#25 0x0000000000406b99 in _start ()
Comment 1 Pavel Moravec 2014-01-10 12:46:59 UTC 
Just a note, when removing '#' from:

value:'broadcast.Public.#'

within filter, no issue appears. (weird as filter syntax does not prohibit '#' char).
Comment 2 Gordon Sim 2014-01-10 22:23:57 UTC 
Fixed upstream: https://svn.apache.org/r1557272
Comment 4 Pavel Moravec 2014-02-14 09:39:57 UTC 
(In reply to Pavel Moravec from comment #0)
> Expected results:
> Just error log is print. qpid-stat shouldn't show the queue exists, 2nd
> qpid-receive should cause segfault.

2nd qpid-receive should NOT cause segfault, of course.
Comment 5 Petra Svobodová 2014-03-07 07:34:47 UTC 
The issue does not occur yet. 
Broker is still running if the client uses wrong filter and delete-on-close lifetime policy over AMQP 1.0; neither the "FilterQueue" is displayed by qpid-stat -q tool.

Verified on packages qpid-cpp-0.22-35 and qpid-tools-0.22-8 on Rhel6-i686 and Rhel6-x86_64.

--> VERIFIED
Comment 6 errata-xmlrpc 2014-09-24 15:09:57 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHEA-2014-1296.html