-
Notifications
You must be signed in to change notification settings - Fork 412
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
the subscriber's destructor does not wait until currently processing callbacks are exited #2447
Comments
This is just an initial thought, I haven't looked at the nav2 ticket. Destructors in c++ must not be called while an object is in use. ROS already has mechanisms to ensure this. |
So, when we actively call the |
Correct, while a subscription callback is executing, the rclcpp/rclcpp/src/rclcpp/executor.cpp Lines 538 to 555 in 5e14a28
Where
The |
I need to completely release the shared pointer of the subscription (or just make sure the shared pointer has been released after |
I think there may be something problematic in the architecture of the node that you are running under ASAN. I posted some observations on the original upstream issue: ros-navigation/navigation2#4166 (comment) |
greatly thanks for your help ~ |
@GoesM since this is an upstream issue, I'm going to close it out. Feel free to reopen (or open a new issue) if you find something else related here. |
Thanks a lot, for all of your help and patience~ |
Bug report
Required Info:
Steps to reproduce issue
the subscriber's destructor does not wait until currently processing callbacks are exited, which may cause troubles like UAF, null-pointer bugs.
Details are shown in navigation2 stack: ros-navigation/navigation2#4166
Expected behavior
We believe that the destructor of subscriber should have mechanisms to ensure complete release of relevant resources and fully exit ongoing works.
Actual behavior
there's no such mechanism.
Additional information
If there is no wait mechanism implemented in the subscriber's destructor to ensure that currently processing callbacks are exited beforehand, it could introduce the possibility of the freed pointer being accessed by ongoing tasks within the subscriber.
Consequently, this scenario may lead to instances of Use-After-Free (UAF) and null-pointer bugs. One illustrative example can be found within the navigation2 stack, as documented in the following issue: ros-navigation/navigation2#4166
The text was updated successfully, but these errors were encountered: