
Cherokee may crash when exiting #1199

Open
midwinter1993 opened this Issue Oct 16, 2017 · 4 comments

midwinter1993 commented Oct 16, 2017

Hi, all

A crash may happen when the cherokee server exits.

After pressing Ctrl-C, the server exits and frees memory (i.e. the thread struct) while the worker thread is still running. When the worker thread uses it again, the use-after-free bug crashes the program.

The following is the schedule:

                main thread                            worker thread
main {                                                 thread_routine (void *data) {
  cherokee_server_free (srv) {
    THREAD(i)->exit = true;
                                                         while (likely (thread->exit == false)) {
                                                           cherokee_thread_step_MULTI_THREAD (thread, false);
                                                         }
                                                         thread->ended = true;
    destroy_thread (THREAD(i)) {
      cherokee_thread_wait_end (thread) {
        if (thd->ended)
          return ret_ok;
      }
      cherokee_thread_free (thread) {
        ...
        free (thd);
      }
    }
  }                                                      pthread_detach (thread->thread);
  ...                                                  }
}

Here, thd, THREAD(i), thread are the same struct.

@skinkie skinkie self-assigned this Oct 16, 2017

@skinkie skinkie added the t:bug label Oct 16, 2017

skinkie commented Oct 16, 2017

If you would shuffle thread->ended = true; and pthread_detach (thread->thread); around, will that solve the issue?

midwinter1993 commented Oct 16, 2017

Thx for response!

I think "shuffle thread->ended = true; and pthread_detach (thread->thread);" will fix this bug.

PS:
Function cherokee_thread_wait_end (cherokee_thread_t *thd) will join the worker thread:

ret_t
cherokee_thread_wait_end (cherokee_thread_t *thd)
{
	if (thd->ended)
		return ret_ok;

	/* Wait until the thread exits
	 */
	CHEROKEE_THREAD_JOIN (thd->thread);
	return ret_ok;
}

Joining a detached thread is undefined.
So I think there's a need to delete CHEROKEE_THREAD_JOIN (thd->thread) OR pthread_detach (thread->thread).

skinkie commented Oct 16, 2017

Then removing pthread_detach sounds like the actual solution.

midwinter1993 commented Oct 16, 2017

I think so. :-P
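The shutdown ordering this thread converges on (set exit, always join the worker, free the struct only after the join, and no pthread_detach in the worker) as an added example. This is not Cherokee's code: worker_t, thread_routine, worker_destroy and demo_clean_shutdown are hypothetical stand-ins for cherokee_thread_t, its thread routine and destroy_thread/cherokee_thread_wait_end.

```c
#include <pthread.h>
#include <sched.h>
#include <stdatomic.h>
#include <stdlib.h>

/* Minimal stand-in for cherokee_thread_t (names are hypothetical) */
typedef struct {
    pthread_t    thread;
    atomic_bool  exit;   /* main thread sets this to request shutdown */
    atomic_bool  ended;  /* worker sets this once its loop has finished */
    atomic_ulong steps;  /* stands in for cherokee_thread_step_MULTI_THREAD */
} worker_t;

static void *thread_routine(void *data)
{
    worker_t *w = data;
    while (!atomic_load(&w->exit)) {
        atomic_fetch_add(&w->steps, 1);
        sched_yield();
    }
    atomic_store(&w->ended, 1);
    /* No pthread_detach: the main thread joins this thread instead. */
    return NULL;
}

/* Corrected teardown: request exit, ALWAYS join, then free.  The original
 * "if (thd->ended) return" shortcut skipped the join and freed a live struct. */
static int worker_destroy(worker_t *w)
{
    atomic_store(&w->exit, 1);
    if (pthread_join(w->thread, NULL) != 0)
        return -1;
    int rc = atomic_load(&w->ended) ? 0 : -2;
    free(w);                 /* safe: the worker has fully returned */
    return rc;
}

/* Runs a worker for at least min_steps iterations, then shuts it down.
 * Returns the iterations observed before shutdown, or a negative error. */
long demo_clean_shutdown(unsigned long min_steps)
{
    worker_t *w = calloc(1, sizeof *w);   /* zeroed: exit = ended = 0 */
    if (w == NULL) return -3;
    if (pthread_create(&w->thread, NULL, thread_routine, w) != 0) { free(w); return -4; }
    while (atomic_load(&w->steps) < min_steps) sched_yield();
    long steps = (long) atomic_load(&w->steps);
    int rc = worker_destroy(w);
    return rc == 0 ? steps : rc;
}
```

Build with -pthread and call demo_clean_shutdown() from a main; a negative return means the join failed or the worker never reached its ended store.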
