[
https://issues.apache.org/jira/browse/GUACAMOLE-384?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16190116#comment-16190116
]
Michael Jumper commented on GUACAMOLE-384:
------------------------------------------
{quote}
Thanks for the info, Michael. I don't have any idea yet for this one. Is it
another thread trying to write to the freed terminal? Do you have any clue?
{quote}
Yes, that's what I meant by the comment above.
The thread in this case is the SSH client thread, created to handle the
underlying SSH connection after the first user joins:
https://github.com/apache/incubator-guacamole-server/blob/d35cc7a83e8dfdaa44cbd3b02c70e9407197155a/src/protocols/ssh/user.c#L56-L70
If you look at the free handler for the {{guac_client}} created for the SSH
connection, you can see that the terminal is freed prior to waiting for the
thread to finish:
https://github.com/apache/incubator-guacamole-server/blob/d35cc7a83e8dfdaa44cbd3b02c70e9407197155a/src/protocols/ssh/client.c#L73-L74
This creates a race condition which could result in data being written by the
client thread to the freed terminal, causing a segfault. The fix may be as
simple as switching the order of those lines, but such a change will need to be
carefully verified. The SSH client thread depends on certain conditions for the
thread to terminate. If switching those lines results in a chance of those
conditions not occurring, then we'll be replacing a low-impact segfault with
high-impact deadlock.
The SSH client and input threads should probably take the client running state
into account (the value manipulated by {{guac_client_stop()}}), to ensure they
will terminate regardless of the current state of the terminal or underlying
SSH connection.
> Terminal writes during disconnect may segfault
> ----------------------------------------------
>
> Key: GUACAMOLE-384
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-384
> Project: Guacamole
> Issue Type: Bug
> Components: Terminal
> Affects Versions: 0.9.12-incubating
> Environment: GNU/Linux x86_64
> Reporter: Phillip Arcuri
> Priority: Minor
>
> In a stress test we kick off an SSH session every second. The session does a
> minimal amount of work and exits after a few seconds. A ps -ef shows we have
> 2 to 6 instances running at one time. About 1 in 10 of the instances cores
> with corrupted buffer data at line buffer.c:108.:
> (gdb) p *buffer
> $2 = {default_character = {value = -1269703408, attributes = {bold = 170,
> reverse = 42, cursor = false, underscore = false, foreground = 0,
> background = 0}, width = -1269422328}, rows = 0x2aaab456fa30, top =
> 686, length = 0, available = 686}
> As an aside I also see roughly 1 in 100 instances become a zombie process
> hung in pthread_join. Doubt that is related, but thought I'd mention it.
> This is a blocker for our deployment of a guacamole-enabled feature-set.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
