Bug 1030406 - segfault in Queue::isExpired() when debug logging for queue enabled
Status: CLOSED ERRATA
Product: Red Hat Enterprise MRG
Classification: Red Hat
Component: qpid-cpp
2.5
Unspecified Unspecified
high Severity unspecified
: 2.4.4
: ---
Assigned To: Gordon Sim
Leonid Zhaldybin
: 1090810
Reported: 2013-11-14 06:27 EST by Gordon Sim
Modified: 2014-11-09 17:39 EST
Fixed In Version: qpid-cpp-0.18-19
Doc Type: Bug Fix
Doc Text:
Cause: The message properties were printed without holding the lock. Consequence: Another thread could be modifying them at the same time, causing memory corruption. Fix: The lock is now held while printing the properties. Result: Concurrent modification should be prevented.
Last Closed: 2014-02-11 03:28:45 EST
Type: Bug
Description Gordon Sim 2013-11-14 06:27:52 EST
Description of problem:

There is a log statement in Queue::isExpired() that, if enabled, can cause a segfault when the message is logged as expired while already being delivered from some other queue.

Version-Release number of selected component (if applicable):

I tested against tip of current 0.18-mrg tree

How reproducible:

Fairly reliably

Steps to Reproduce:
1. start broker with --log-enable info+ --log-enable debug+:Queue
2. for i in `seq 10`; do ./src/tests/qpid-receive --address amq.fanout --print-content false -f & done
3. ./src/tests/qpid-send --address amq.fanout --ttl 2 --messages 100000 -P a=b -P c=d --content-size 512

Actual results:

Broker eventually segfaults and inspection of core dump shows it was in Queue::isExpired()

Expected results:

No segfault

Additional info:

I ran the reproducer above three times in a row and each time the broker cored before the sender completed. However, this is essentially a race condition, so it may be harder or easier on different platforms, and the value for ttl and the number of senders and receivers will likely affect it.
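
The cause and fix recorded in the Doc Text above, reduced to a minimal C++11 sketch. This is an added example, not the qpid-cpp patch and not code from this bug report; `Message`, `deliver`, `describeLocked`, `describeUnlocked` and `tornSnapshots` are hypothetical names, and the two properties stand in for the `-P a=b -P c=d` of the reproducer.

```cpp
#include <map>
#include <mutex>
#include <sstream>
#include <string>
#include <thread>

// Hypothetical stand-in for a broker message; not qpid-cpp's actual class.
class Message {
    mutable std::mutex lock;
    std::map<std::string, std::string> props;
    std::string format() const {              // caller decides about locking
        std::ostringstream out;
        for (const auto& p : props) out << p.first << '=' << p.second << ';';
        return out.str();
    }
public:
    // Delivery path: rewrites both properties in one critical section.
    void deliver(int n) {
        std::lock_guard<std::mutex> g(lock);
        props["a"] = std::to_string(n);
        props["c"] = std::to_string(n);
    }
    // Pattern from the bug's "Cause": reads props with no lock, so a concurrent
    // deliver() is a data race (undefined behaviour). Never called here.
    std::string describeUnlocked() const { return format(); }
    // Pattern from the "Fix": hold the lock for as long as the properties are read.
    std::string describeLocked() const {
        std::lock_guard<std::mutex> g(lock);
        return format();
    }
};

// Delivering thread races logging thread; returns the count of torn snapshots (a != c).
int tornSnapshots(int rounds) {
    Message m;
    m.deliver(0);
    int torn = 0;
    std::thread writer([&] { for (int i = 1; i <= rounds; ++i) m.deliver(i); });
    std::thread logger([&] {
        for (int i = 0; i < rounds; ++i) {
            std::string s = m.describeLocked();   // e.g. "a=7;c=7;"
            std::string n = s.substr(2, s.find(';') - 2);
            if (s != "a=" + n + ";c=" + n + ";") ++torn;
        }
    });
    writer.join();
    logger.join();
    return torn;
}
```

Building the same code with a thread sanitizer and swapping `describeLocked()` for `describeUnlocked()` in the logger is a way to see the race reported without waiting for a crash.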
Comment 3 Gordon Sim 2013-11-14 06:50:12 EST
Candidate fix available in http://git.app.eng.bos.redhat.com/rh-qpid.git/log/?h=0.18-mrg-BZ1030406
Comment 6 Leonid Zhaldybin 2014-01-30 10:26:25 EST
Tested on RHEL5.10 and RHEL6.5 (both i386 and x86_64). This issue has been
fixed.

Packages used for testing:

RHEL5:
python-qpid-0.18-9.el5_10
python-qpid-qmf-0.18-20.el5_10
qpid-cpp-client-0.18-20.el5_10
qpid-cpp-client-devel-0.18-20.el5_10
qpid-cpp-client-devel-docs-0.18-20.el5_10
qpid-cpp-client-rdma-0.18-20.el5_10
qpid-cpp-client-ssl-0.18-20.el5_10
qpid-cpp-server-0.18-20.el5_10
qpid-cpp-server-cluster-0.18-20.el5_10
qpid-cpp-server-devel-0.18-20.el5_10
qpid-cpp-server-ha-0.18-20.el5_10
qpid-cpp-server-rdma-0.18-20.el5_10
qpid-cpp-server-ssl-0.18-20.el5_10
qpid-cpp-server-store-0.18-20.el5_10
qpid-cpp-server-xml-0.18-20.el5_10
qpid-java-client-0.18-8.el5_9
qpid-java-common-0.18-8.el5_9
qpid-java-example-0.18-8.el5_9
qpid-jca-0.18-8.el5
qpid-jca-xarecovery-0.18-8.el5
qpid-jca-zip-0.18-8.el5
qpid-qmf-0.18-20.el5_10
qpid-qmf-devel-0.18-20.el5_10
qpid-tests-0.18-2.el5
qpid-tools-0.18-10.el5_9
ruby-qpid-qmf-0.18-20.el5_10

RHEL6:
python-qpid-0.18-9.el6
python-qpid-qmf-0.18-20.el6
qpid-cpp-client-0.18-20.el6
qpid-cpp-client-devel-0.18-20.el6
qpid-cpp-client-devel-docs-0.18-20.el6
qpid-cpp-client-rdma-0.18-20.el6
qpid-cpp-client-ssl-0.18-20.el6
qpid-cpp-server-0.18-20.el6
qpid-cpp-server-cluster-0.18-20.el6
qpid-cpp-server-devel-0.18-20.el6
qpid-cpp-server-ha-0.18-20.el6
qpid-cpp-server-rdma-0.18-20.el6
qpid-cpp-server-ssl-0.18-20.el6
qpid-cpp-server-store-0.18-20.el6
qpid-cpp-server-xml-0.18-20.el6
qpid-java-client-0.18-8.el6_4
qpid-java-common-0.18-8.el6_4
qpid-java-example-0.18-8.el6_4
qpid-jca-0.18-8.el6
qpid-jca-xarecovery-0.18-8.el6
qpid-jca-zip-0.18-8.el6
qpid-qmf-0.18-20.el6
qpid-qmf-devel-0.18-20.el6
qpid-tests-0.18-2.el6
qpid-tools-0.18-10.el6_4
ruby-qpid-qmf-0.18-20.el6

-> VERIFIED
Comment 8 errata-xmlrpc 2014-02-11 03:28:45 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-0130.html
Comment 9 Pavel Moravec 2014-06-15 08:49:41 EDT
*** Bug 1090810 has been marked as a duplicate of this bug. ***
