[
https://issues.apache.org/jira/browse/QPID-3877?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13235604#comment-13235604
]
Justin Ross commented on QPID-3877:
-----------------------------------
Reviewed by Gordon. Approved for 0.16.
> Modifying a message's headers may cause a broker crash.
> -------------------------------------------------------
>
> Key: QPID-3877
> URL: https://issues.apache.org/jira/browse/QPID-3877
> Project: Qpid
> Issue Type: Bug
> Components: C++ Broker
> Affects Versions: 0.16
> Reporter: Ken Giusti
> Assignee: Ken Giusti
> Fix For: 0.17
>
>
> Adjusting the message's TTL header can cause a crash if another thread is
> attempting to encode the same message. The below trace is from valgrind
> while the store is in use:
> ==15071== Thread 4:
> ==15071== Invalid read of size 8
> ==15071== at 0x52661F0: qpid::framing::DeliveryProperties::bodySize() const (DeliveryProperties.cpp:198)
> ==15071== by 0x5266248: qpid::framing::DeliveryProperties::encodedSize() const (DeliveryProperties.cpp:209)
> ==15071== by 0x52CC3D4: qpid::framing::AMQHeaderBody::encodedSize() const (AMQHeaderBody.h:45)
> ==15071== by 0x52CAFEE: qpid::framing::AMQFrame::encodedSize() const (AMQFrame.cpp:46)
> ==15071== by 0x4DB3B55: qpid::broker::Message::encodedHeaderSize() const (frame_functors.h:39)
> ==15071== by 0x5C1FBFC: mrg::msgstore::MessageStoreImpl::msgEncode(std::vector<char, std::allocator<char> >&, boost::intrusive_ptr<qpid::broker::PersistableMessage> const&) (MessageStoreImpl.cpp:1311)
> ==15071== by 0x5C31E8D: mrg::msgstore::MessageStoreImpl::store(qpid::broker::PersistableQueue const*, mrg::msgstore::TxnCtxt*, boost::intrusive_ptr<qpid::broker::PersistableMessage> const&, bool) (MessageStoreImpl.cpp:1331)
> ==15071== by 0x5C32A0B: mrg::msgstore::MessageStoreImpl::enqueue(qpid::broker::TransactionContext*, boost::intrusive_ptr<qpid::broker::PersistableMessage> const&, qpid::broker::PersistableQueue const&) (MessageStoreImpl.cpp:1303)
> ==15071== by 0x4DBE65F: qpid::broker::MessageStoreModule::enqueue(qpid::broker::TransactionContext*, boost::intrusive_ptr<qpid::broker::PersistableMessage> const&, qpid::broker::PersistableQueue const&) (MessageStoreModule.cpp:125)
> ==15071== by 0x4DCFF31: qpid::broker::Queue::enqueue(qpid::broker::TransactionContext*, boost::intrusive_ptr<qpid::broker::Message>&, bool) (Queue.cpp:811)
> ==15071== by 0x4DD1951: qpid::broker::Queue::deliver(boost::intrusive_ptr<qpid::broker::Message>) (Queue.cpp:171)
> ==15071== by 0x4D798DE: qpid::broker::DeliverableMessage::deliverTo(boost::shared_ptr<qpid::broker::Queue> const&) (DeliverableMessage.cpp:33)
> ==15071== Address 0xca1d548 is 56 bytes inside a block of size 248 free'd
> ==15071== at 0x4A0545F: operator delete(void*) (vg_replace_malloc.c:387)
> ==15071== by 0x52CB195: qpid::framing::AMQFrame::cloneBody() (RefCounted.h:42)
> ==15071== by 0x4DB37DE: qpid::broker::Message::getHeaderBody() (Message.cpp:351)
> ==15071== by 0x4DB7471: qpid::framing::DeliveryProperties* qpid::broker::Message::getModifiableProperties<qpid::framing::DeliveryProperties>() (Message.h:208)
> ==15071== by 0x4DB65E7: qpid::broker::Message::adjustTtl() (Message.cpp:416)
> ==15071== by 0x4D7BB60: qpid::broker::DeliveryRecord::deliver(qpid::framing::Handler<qpid::framing::AMQFrame&>&, qpid::framing::SequenceNumber, unsigned short) (DeliveryRecord.cpp:80)
> ==15071== by 0x4E1A9B9: qpid::broker::SessionState::deliver(qpid::broker::DeliveryRecord&, bool) (SessionState.cpp:380)
> ==15071== by 0x4DFD345: qpid::broker::SemanticState::ConsumerImpl::deliver(qpid::broker::QueuedMessage&) (SemanticState.cpp:342)
> ==15071== by 0x4DD519C: qpid::broker::Queue::dispatch(boost::shared_ptr<qpid::broker::Consumer>) (Queue.cpp:393)
> ==15071== by 0x4E00759: qpid::broker::SemanticState::ConsumerImpl::doOutput() (SemanticState.cpp:741)
> ==15071== by 0x52F174C: qpid::sys::AggregateOutput::doOutput() (AggregateOutput.cpp:59)
> ==15071== by 0x4D6FC18: qpid::broker::Connection::doOutput() (Connection.cpp:354)
> ==15071==
> Gordon correctly points out that the message lock must be held while the
> headers are being encoded.
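The race the ticket describes, modelled as an added example that is not Qpid's code: a writer that clones and replaces the header body under the message lock (what cloneBody did when the TTL was adjusted), and a reader that walks the header either under the same lock, which is the fix Gordon points out, or without it, which is the use-after-free in the valgrind trace. HeaderBody, Message, lockReaders and raceHeaderEncode are hypothetical stand-ins for the broker's Message::adjustTtl and Message::encodedHeaderSize paths.

```cpp
#include <cstddef>
#include <cstdint>
#include <memory>
#include <mutex>
#include <thread>

// Stand-in for the AMQ header body that the store encodes (hypothetical model).
struct HeaderBody {
    uint64_t ttl;
    uint64_t bodySize;
    size_t encodedSize() const { return sizeof(ttl) + sizeof(bodySize); }
};

// Minimal model of a broker message whose header is cloned and replaced when a
// property is modified, as getModifiableProperties/cloneBody did in the trace.
class Message {
public:
    explicit Message(bool lockReaders)
        : lockReaders_(lockReaders), header_(new HeaderBody{1000, 512}) {}
    // Writer path (adjustTtl): clone the header, swap the clone in, and let the
    // old body be destroyed. Under the lock, no reader is still inside the old one.
    void adjustTtl(uint64_t newTtl) {
        std::lock_guard<std::mutex> g(lock_);
        std::unique_ptr<HeaderBody> fresh(new HeaderBody(*header_));
        fresh->ttl = newTtl;
        header_ = std::move(fresh);  // old body freed here, under the lock
    }
    // Reader path (store msgEncode -> encodedHeaderSize). The fix is to hold the
    // message lock for the whole walk over the header; lockReaders_ == false
    // reproduces the use-after-free race from the trace.
    size_t encodedHeaderSize() const {
        std::unique_lock<std::mutex> g(lock_, std::defer_lock);
        if (lockReaders_) g.lock();
        return header_->encodedSize();
    }
private:
    bool lockReaders_;
    mutable std::mutex lock_;
    std::unique_ptr<HeaderBody> header_;
};

// Drive both paths concurrently, as the consumer-dispatch and store-enqueue
// threads did in the trace. Returns how many encodes did not see a whole
// 16-byte header; 0 means every read saw a live body.
size_t raceHeaderEncode(unsigned iterations, bool lockReaders) {
    Message msg(lockReaders);
    size_t bad = 0;
    std::thread writer([&] { for (unsigned i = 0; i < iterations; ++i) msg.adjustTtl(i); });
    for (unsigned i = 0; i < iterations; ++i)
        if (msg.encodedHeaderSize() != 16) ++bad;
    writer.join();
    return bad;
}
```

Run the unlocked variant under valgrind or AddressSanitizer to see the same "invalid read ... inside a block free'd" report; with the lock held on both paths it stays clean.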