[runtime env] Fix segfault by sending RPC reply only after we're done accessing the request #28409
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
simon-mo
approved these changes
Sep 9, 2022
|
hmm is it possible to add a test..or better prevent this from happening again. cc @iycheng |
|
This is a classic hidden use-after-free. (not for this PR) Can the |
|
Yeah, we need improve this. I'll create a ticket |
fishbone
approved these changes
Sep 11, 2022
ilee300a
pushed a commit
to ilee300a/ray
that referenced
this pull request
Sep 12, 2022
… accessing the request (ray-project#28409) In the current design, the owner of the gRPC request object is the gRPC call, so when the gRPC reply is sent the request object is destroyed. This caused a race condition in the runtime env gRPC handler where sometimes a request object was being accessed after it was being destroyed, causing a segfault. This PR moves the gRPC reply after the request object is used. As a followup, we should improve the design so the developer doesn't need to be aware of these memory issues. Signed-off-by: ilee300a <ilee300@anyscale.com>
justinvyu
pushed a commit
to justinvyu/ray
that referenced
this pull request
Sep 14, 2022
… accessing the request (ray-project#28409) In the current design, the owner of the gRPC request object is the gRPC call, so when the gRPC reply is sent the request object is destroyed. This caused a race condition in the runtime env gRPC handler where sometimes a request object was being accessed after it was being destroyed, causing a segfault. This PR moves the gRPC reply after the request object is used. As a followup, we should improve the design so the developer doesn't need to be aware of these memory issues.
matthewdeng
pushed a commit
that referenced
this pull request
Sep 15, 2022
… accessing the request (#28409) In the current design, the owner of the gRPC request object is the gRPC call, so when the gRPC reply is sent the request object is destroyed. This caused a race condition in the runtime env gRPC handler where sometimes a request object was being accessed after it was being destroyed, causing a segfault. This PR moves the gRPC reply after the request object is used. As a followup, we should improve the design so the developer doesn't need to be aware of these memory issues.
7 tasks
fishbone
added a commit
that referenced
this pull request
Sep 27, 2022
…on. (#28661) It's easy to use the request after the call is finished which will lead to a segment fault. We've already got crashes due to this #28409 The root cause is that right now the lifecycle of the request is aligned with the call but not the handler. If in the handler, we called the reply function, the request is going to be invalid. This unintuitive behavior is very easy to produce bugs, and this PR just fixes it: The const ref is change to a value and the data is moved to the value. In this way, the lifecycle of the request is decoupled with the call and no perf regression is expected.
scv119
pushed a commit
that referenced
this pull request
Sep 29, 2022
… accessing the request (#28409) In the current design, the owner of the gRPC request object is the gRPC call, so when the gRPC reply is sent the request object is destroyed. This caused a race condition in the runtime env gRPC handler where sometimes a request object was being accessed after it was being destroyed, causing a segfault. This PR moves the gRPC reply after the request object is used. As a followup, we should improve the design so the developer doesn't need to be aware of these memory issues.
WeichenXu123
pushed a commit
to WeichenXu123/ray
that referenced
this pull request
Dec 19, 2022
…on. (ray-project#28661) It's easy to use the request after the call is finished which will lead to a segment fault. We've already got crashes due to this ray-project#28409 The root cause is that right now the lifecycle of the request is aligned with the call but not the handler. If in the handler, we called the reply function, the request is going to be invalid. This unintuitive behavior is very easy to produce bugs, and this PR just fixes it: The const ref is change to a value and the data is moved to the value. In this way, the lifecycle of the request is decoupled with the call and no perf regression is expected. Signed-off-by: Weichen Xu <weichen.xu@databricks.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Why are these changes needed?
Debugged together with @iycheng.
In the current design, the owner of the gRPC request object is the gRPC call, so when the gRPC reply is sent the request object is destroyed. This caused a race condition in the runtime env gRPC handler where sometimes a request object was being accessed after it was being destroyed, causing a segfault. This PR moves the gRPC reply after the request object is used.
As a followup, we should improve the design so the developer doesn't need to be aware of these memory issues.
Related issue number
Closes #28198
Checks
git commit -s) in this PR.scripts/format.shto lint the changes in this PR.