[Vortex] invalid write in __vortex_channel_common_rpy

Francis Brosnan Blazquez francis at aspl.es
Wed Aug 11 10:27:59 CEST 2010


> Hi Francis,

Hi Dexter,

Sorry for the delay. I've been out of the office. 

Thanks for reporting in any case!

> We're investigating an issue with our program, and running it with
> valgrind we got this relatively often:

Ok,

> ==2743== Invalid write of size 4
> ==2743==    at 0x5B0C78F: __vortex_channel_common_rpy (in /usr/lib/libvortex.so.0.0.0)
> ==2743==    by 0x564B3B5: MessageTransportServer::response(Glib::RefPtr<Message const>, DBTransactionMsg::ResponseType, MessageId) (transport.cc:471)
> ==2743==    by 0x564F896: sigc::internal::slot_call2<sigc::bind_functor<-1, sigc::bound_mem_functor3<void, MessageTransportServer, Glib::RefPtr<Message const>, DBTransactionMsg::ResponseType, MessageId>, MessageId, sigc::nil, MessageId, MessageId, MessageId, MessageId, MessageId>, void, Glib::RefPtr<Message const>, DBTransactionMsg::ResponseType>::call_it(sigc::internal::slot_rep*, Glib::RefPtr<Message const> const&, DBTransactionMsg::ResponseType const&) (mem_fun.h:1985)
> ==2743==    by 0x564FCBC: MessageCondAsyncTransportImpl::signal(Glib::RefPtr<MessageHandler>) (slot.h:593)
> ==2743==    by 0x563A9CD: MessageHandler::push_response(Glib::RefPtr<Message const>, DBTransactionMsg::ResponseType) (transport.cc:233)
> ==2743==    by 0x564F93A: sigc::internal::slot_call2<sigc::bound_mem_functor2<void, MessageHandler, Glib::RefPtr<Message const>, DBTransactionMsg::ResponseType>, void, Glib::RefPtr<Message const>, DBTransactionMsg::ResponseType>::call_it(sigc::internal::slot_rep*, Glib::RefPtr<Message const> const&, DBTransactionMsg::ResponseType const&) (mem_fun.h:1917)
> ==2743==    by 0x4E9BF38: MessageProcEngineDatabase::process_messages_impl(DBTransactionMsg const*) (slot.h:593)
> ==2743==    by 0x563A05B: MessageProcThread::process_messages() (transport.cc:308)
> ==2743==    by 0x6F0AD31: (within /usr/lib/libglibmm-2.4.so.1.2.0)
> ==2743==    by 0x75D4D23: (within /usr/lib/libglib-2.0.so.0.2000.0)
> ==2743==    by 0x652D3F6: start_thread (in /lib/libpthread-2.7.so)
> ==2743==    by 0x8E23B4C: clone (in /lib/libc-2.7.so)
> ==2743==  Address 0x1031a010 is 456 bytes inside a block of size 744 free'd
> ==2743==    at 0x4C21B2E: free (vg_replace_malloc.c:323)
> ==2743==    by 0x5B0D95A: __vortex_channel_0_frame_received_close_msg (in /usr/lib/libvortex.so.0.0.0)
> ==2743==    by 0x5B0A603: __vortex_channel_invoke_received_handler (in /usr/lib/libvortex.so.0.0.0)
> ==2743==    by 0x5B155FF: __vortex_thread_pool_dispatcher (in /usr/lib/libvortex.so.0.0.0)
> ==2743==    by 0x652D3F6: start_thread (in /lib/libpthread-2.7.so)
> ==2743==    by 0x8E23B4C: clone (in /lib/libc-2.7.so)
> 
> The attached patch seems to fix this problem. (but maybe it was
> intended to set the being_sending variable after unlocking the mutex?)

Ok, I've been checking the code but it is not clear to me how the race
happens and how your patch fixes the issue. It would be very helpful to
know on which line the free happens (your trace does not include that)
and on which line the invalid write happens.

Maybe you can post another valgrind trace that also includes vortex
debug lines (where the jump happens).

I've compared this portion of code with the 1.1 series and they are
essentially the same (only a couple of modifications to include global
notifications).

Taking all the pieces together, it looks like the channel was closed
previously and was reused later by MessageTransportServer::response,
causing the invalid write.

Cheers!

> We're still using the old 1.0.17.b3739.g3739 version.

...maybe you could consider switching to 1.1 series and see if the bug
still persists. It won't take you more effort than tracing why you get
this wrong ref. 

> cheers.
-- 
Francis Brosnan Blazquez <francis at aspl.es>
ASPL
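
The lifetime problem discussed in this message (a channel block released by the close-message handler while another thread still replies on it), shown as an added example that is not part of the original post and is not Vortex code. It assumes a hypothetical `chan_t` with reference counting: the replying side pins the channel, and the reply path checks an `open` flag under the lock before writing.

```c
/* Added illustration, not Vortex code: every name here is hypothetical. */
#include <pthread.h>
#include <stdbool.h>
#include <stdlib.h>

typedef struct {
    pthread_mutex_t lock;
    int   refs;     /* one per owner: the connection, plus each in-flight user */
    bool  open;     /* cleared by the close handler */
    int   sending;  /* stands in for the state the reply path writes */
    int  *freed;    /* demo hook: set to 1 when the block is released */
} chan_t;

chan_t *chan_new(int *freed) {
    chan_t *c = calloc(1, sizeof *c);
    if (!c) return NULL;
    pthread_mutex_init(&c->lock, NULL);
    c->refs = 1; c->open = true; c->freed = freed;
    return c;
}

void chan_ref(chan_t *c) {
    pthread_mutex_lock(&c->lock); c->refs++; pthread_mutex_unlock(&c->lock);
}

void chan_unref(chan_t *c) {
    pthread_mutex_lock(&c->lock);
    int left = --c->refs;
    pthread_mutex_unlock(&c->lock);
    if (left > 0) return;
    *c->freed = 1;                       /* last owner gone: now it is safe */
    pthread_mutex_destroy(&c->lock);
    free(c);
}

/* Close-message handler: mark closed, drop only the connection's reference. */
void chan_on_close(chan_t *c) {
    pthread_mutex_lock(&c->lock); c->open = false; pthread_mutex_unlock(&c->lock);
    chan_unref(c);
}

/* Reply path: caller holds its own reference; writes only while still open. */
bool chan_reply(chan_t *c) {
    pthread_mutex_lock(&c->lock);
    bool sent = c->open;
    if (sent) c->sending = 1;
    pthread_mutex_unlock(&c->lock);
    return sent;
}
```

With this shape, a close that arrives between taking the reference and replying makes `chan_reply` return false instead of writing into released memory; the block is freed only when the replying side calls `chan_unref`.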