Bug 1030406 - segfault in Queue::isExpired() when debug logging for queue enabled
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise MRG
Classification: Red Hat
Component: qpid-cpp
Version: 2.5
Hardware: Unspecified
OS: Unspecified
high
unspecified
Target Milestone: 2.4.4
Assignee: Gordon Sim
QA Contact: Leonid Zhaldybin
URL:
Whiteboard:
Duplicates: 1090810
Depends On:
Blocks:
Reported: 2013-11-14 11:27 UTC by Gordon Sim
Modified: 2018-12-09 17:17 UTC (History)

Fixed In Version: qpid-cpp-0.18-19
Doc Type: Bug Fix
Doc Text:
Cause: The message properties were printed without holding the lock. Consequence: Another thread could be modifying them at the same time, causing memory corruption. Fix: The lock is now held while printing the properties. Result: Concurrent modification should be prevented.
Clone Of:
Environment:
Last Closed: 2014-02-11 08:28:45 UTC
Target Upstream Version:
Embargoed:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHBA-2014:0130 | 0 | normal | SHIPPED_LIVE | Red Hat Enterprise MRG Messaging 2 update | 2014-02-11 13:27:57 UTC

Description Gordon Sim 2013-11-14 11:27:52 UTC
Description of problem:

There is a log statement in Queue::isExpired() that if enabled can cause a segfault when the message is logged as expired while already being delivered from some other queue.

Version-Release number of selected component (if applicable):

I tested against tip of current 0.18-mrg tree

How reproducible:

Fairly reliably

Steps to Reproduce:
1. start broker with --log-enable info+ --log-enable debug+:Queue
2. for i in `seq 10`; do ./src/tests/qpid-receive --address amq.fanout --print-content false -f & done
3. ./src/tests/qpid-send --address amq.fanout --ttl 2 --messages 100000 -P a=b -P c=d --content-size 512

Actual results:

Broker eventually segfaults and inspection of core dump shows it was in Queue::isExpired()

Expected results:

No segfault

Additional info:

I ran the reproducer above three times in a row and each time the broker cored before the sender completed. However this is essentially a race condition so it may be harder or easier on different platforms, and the value for ttl and the number of senders and receivers will likely affect it.
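
The locking pattern the Doc Text describes, as an added example that is not qpid-cpp code: `Message`, its methods, `consistent` and `torn_snapshots` are hypothetical names, a `std::map` stands in for the message properties, and the keys `a` and `c` are borrowed from the reproducer's `-P` options. Only the locked printer is run against a concurrent writer; the unlocked one is shown for comparison.

```cpp
#include <map>
#include <mutex>
#include <sstream>
#include <string>
#include <thread>

// Hypothetical stand-in for a broker message that several threads can reach.
class Message {
    mutable std::mutex lock;
    std::map<std::string, std::string> props;
    std::string format() const {               // caller decides about locking
        std::ostringstream out;
        for (const auto& p : props) out << p.first << '=' << p.second << ';';
        return out.str();
    }
public:
    // Delivery path: "a" and "c" change together, and the tree changes shape.
    void annotate(int n) {
        std::lock_guard<std::mutex> g(lock);
        props["a"] = std::to_string(n);
        props["c"] = std::to_string(n);
        if (n % 2) props["tmp"] = std::string(512, 'x'); else props.erase("tmp");
    }
    // Before: traversal with no lock; racing annotate() is undefined behaviour.
    std::string printUnlocked() const { return format(); }
    // After: the lock is held for the whole traversal, as the Doc Text describes.
    std::string printLocked() const {
        std::lock_guard<std::mutex> g(lock);
        return format();
    }
};

// True when a log line "a=N;c=M;..." has N == M.
bool consistent(const std::string& s) {
    std::size_t e1 = s.find(';'), e2 = s.find(';', e1 + 1);
    return s.substr(2, e1 - 2) == s.substr(e1 + 3, e2 - e1 - 3);
}

// Counts torn log lines seen while a writer thread keeps mutating the message.
int torn_snapshots(int rounds) {
    Message m;
    m.annotate(0);
    std::thread writer([&] { for (int i = 1; i <= rounds; ++i) m.annotate(i); });
    int torn = 0;
    for (int i = 0; i < rounds; ++i) torn += !consistent(m.printLocked());
    writer.join();
    return torn;
}

int main() { return torn_snapshots(20000) != 0; }  // exit 0: no torn lines
```

Swapping `printLocked()` for `printUnlocked()` inside `torn_snapshots` and building with `-fsanitize=thread` makes the sanitizer report the race between the traversal and `annotate()`.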

Comment 3 Gordon Sim 2013-11-14 11:50:12 UTC
Candidate fix available in http://git.app.eng.bos.redhat.com/rh-qpid.git/log/?h=0.18-mrg-BZ1030406

Comment 6 Leonid Zhaldybin 2014-01-30 15:26:25 UTC
Tested on RHEL5.10 and RHEL6.5 (both i386 and x86_64). This issue has been
fixed.

Packages used for testing:

RHEL5:
python-qpid-0.18-9.el5_10
python-qpid-qmf-0.18-20.el5_10
qpid-cpp-client-0.18-20.el5_10
qpid-cpp-client-devel-0.18-20.el5_10
qpid-cpp-client-devel-docs-0.18-20.el5_10
qpid-cpp-client-rdma-0.18-20.el5_10
qpid-cpp-client-ssl-0.18-20.el5_10
qpid-cpp-server-0.18-20.el5_10
qpid-cpp-server-cluster-0.18-20.el5_10
qpid-cpp-server-devel-0.18-20.el5_10
qpid-cpp-server-ha-0.18-20.el5_10
qpid-cpp-server-rdma-0.18-20.el5_10
qpid-cpp-server-ssl-0.18-20.el5_10
qpid-cpp-server-store-0.18-20.el5_10
qpid-cpp-server-xml-0.18-20.el5_10
qpid-java-client-0.18-8.el5_9
qpid-java-common-0.18-8.el5_9
qpid-java-example-0.18-8.el5_9
qpid-jca-0.18-8.el5
qpid-jca-xarecovery-0.18-8.el5
qpid-jca-zip-0.18-8.el5
qpid-qmf-0.18-20.el5_10
qpid-qmf-devel-0.18-20.el5_10
qpid-tests-0.18-2.el5
qpid-tools-0.18-10.el5_9
ruby-qpid-qmf-0.18-20.el5_10

RHEL6:
python-qpid-0.18-9.el6
python-qpid-qmf-0.18-20.el6
qpid-cpp-client-0.18-20.el6
qpid-cpp-client-devel-0.18-20.el6
qpid-cpp-client-devel-docs-0.18-20.el6
qpid-cpp-client-rdma-0.18-20.el6
qpid-cpp-client-ssl-0.18-20.el6
qpid-cpp-server-0.18-20.el6
qpid-cpp-server-cluster-0.18-20.el6
qpid-cpp-server-devel-0.18-20.el6
qpid-cpp-server-ha-0.18-20.el6
qpid-cpp-server-rdma-0.18-20.el6
qpid-cpp-server-ssl-0.18-20.el6
qpid-cpp-server-store-0.18-20.el6
qpid-cpp-server-xml-0.18-20.el6
qpid-java-client-0.18-8.el6_4
qpid-java-common-0.18-8.el6_4
qpid-java-example-0.18-8.el6_4
qpid-jca-0.18-8.el6
qpid-jca-xarecovery-0.18-8.el6
qpid-jca-zip-0.18-8.el6
qpid-qmf-0.18-20.el6
qpid-qmf-devel-0.18-20.el6
qpid-tests-0.18-2.el6
qpid-tools-0.18-10.el6_4
ruby-qpid-qmf-0.18-20.el6

-> VERIFIED

Comment 8 errata-xmlrpc 2014-02-11 08:28:45 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-0130.html

Comment 9 Pavel Moravec 2014-06-15 12:49:41 UTC
*** Bug 1090810 has been marked as a duplicate of this bug. ***