[
https://issues.apache.org/jira/browse/PROTON-1837?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Alan Conway updated PROTON-1837:
--------------------------------
Description:
There is a disabled test to reproduce this problem, see
test_duplicate_link_client() in
[https://github.com/alanconway/qpid-proton/blob/master/c/tests/connection_driver.c#L498]
pni_process does all pending link opens before all pending link closes, it does
not respect the order of individual open/close calls in the code. This doesn't
cause a problem for distinct links but if a link of the same name is
opened/closed/reopened very quickly it can cause a problem:
For example if l1 and l2 are both pn_links with name "x" then this sequence:
{code:java}
open(l1); close(l1); open(l2){code}
generates this illegal protocol sequence:
{code:java}
attach("x"); attach("x"); detach(0) // 0 is the handle assigned to "x"{code}
instead of the intended legal sequence:
{code:java}
attach("x"); detach(0); attach("x") // detach(0) detaches the first "x" so
second "x" is allowed{code}
NOTE: This applies to all endpoints, not just links but since connections and
sessions don't have client-assignable names that can clash, the problem only
shows up for links and only if the detach/attach for the same name is processed
in the same transport batch. This is unlikely in practice and was discovered
only because of investigation of PROTON-1832.
was:
Proton has an invalid read error in pn_transport_unbind_handles under specific
circumstances where the same name is used to create 2 different incoming links
on the same session.
This patch demonstrates
{code:java}
1 file changed, 43 insertions(+), 2 deletions(-)
c/tests/connection_driver.c | 45 +++++++++++++++++++++++++++++++++++++++++++--
modified c/tests/connection_driver.c
@@ -48,6 +48,24 @@ static pn_event_type_t open_handler(test_handler_t *th,
pn_event_t *e) {
return PN_EVENT_NONE;
}
+/* Like open_handler but also reply to REMOTE_CLOSE */
+static pn_event_type_t open_close_handler(test_handler_t *th, pn_event_t *e) {
+ switch (pn_event_type(e)) {
+ case PN_CONNECTION_REMOTE_CLOSE:
+ pn_connection_open(pn_event_connection(e));
+ break;
+ case PN_SESSION_REMOTE_CLOSE:
+ pn_session_open(pn_event_session(e));
+ break;
+ case PN_LINK_REMOTE_CLOSE:
+ pn_link_close(pn_event_link(e));
+ break;
+ default:
+ return open_handler(th, e);
+ }
+ return PN_EVENT_NONE;
+}
+
/* Handler that returns control on PN_DELIVERY and stores the delivery on the
handler */
static pn_event_type_t delivery_handler(test_handler_t *th, pn_event_t *e) {
switch (pn_event_type(e)) {
@@ -442,6 +458,30 @@ static void test_session_flow_control(test_t *t) {
test_connection_drivers_destroy(&client, &server);
}
+/* Regression test for crash caused by using the same name for multiple links
on same session. */
+static void test_duplicate_link(test_t *t) {
+ /* Set up the initial link */
+ test_connection_driver_t client, server;
+ test_connection_drivers_init(t, &client, open_close_handler, &server,
open_close_handler);
+ pn_connection_open(client.driver.connection);
+ pn_session_t *ssn = pn_session(client.driver.connection);
+ pn_session_open(ssn);
+ pn_link_t *x = pn_sender(ssn, "x");
+ pn_link_open(x);
+ /* Close the link and open a new link with same name.
+ NOTE: close and duplicate open must be in the same batch of events
+ */
+ pn_link_close(x);
+ pn_link_open(pn_sender(ssn, "x"));
+ test_connection_drivers_run(&client, &server);
+ /* At this point the server has 2 handle map entries for the same link.
+ Freeing the link is correct, refcounting will keep it in memory,
+ but the extra handle map entry will cause a core dump in
pn_transport_unbind_handles
+ */
+ pn_link_free(server.handler.link);
+ test_connection_drivers_destroy(&client, &server);
+}
+
int main(int argc, char **argv) {
int failed = 0;
RUN_ARGV_TEST(failed, t, test_message_transfer(&t));
@@ -449,5 +489,6 @@ int main(int argc, char **argv) {
RUN_ARGV_TEST(failed, t, test_message_abort(&t));
RUN_ARGV_TEST(failed, t, test_message_abort_mixed(&t));
RUN_ARGV_TEST(failed, t, test_session_flow_control(&t));
+ RUN_ARGV_TEST(failed, t, test_duplicate_link(&t));
return failed;
}
{code}
> [c] client generates invalid attach/detach sequence
> ---------------------------------------------------
>
> Key: PROTON-1837
> URL: https://issues.apache.org/jira/browse/PROTON-1837
> Project: Qpid Proton
> Issue Type: Bug
> Components: proton-c
> Affects Versions: proton-c-0.22.0
> Reporter: Alan Conway
> Assignee: Alan Conway
> Priority: Major
> Fix For: proton-c-0.23.0
>
>
> There is a disabled test to reproduce this problem, see
> test_duplicate_link_client() in
> [https://github.com/alanconway/qpid-proton/blob/master/c/tests/connection_driver.c#L498]
> pni_process does all pending link opens before all pending link closes, it
> does not respect the order of individual open/close calls in the code. This
> doesn't cause a problem for distinct links but if a link of the same name is
> opened/closed/reopened very quickly it can cause a problem:
> For example if l1 and l2 are both pn_links with name "x" then this sequence:
> {code:java}
> open(l1); close(l1); open(l2){code}
> generates this illegal protocol sequence:
> {code:java}
> attach("x"); attach("x"); detach(0) // 0 is the handle assigned to "x"{code}
> instead of the intended legal sequence:
> {code:java}
> attach("x"); detach(0); attach("x") // detach(0) detaches the first "x" so
> second "x" is allowed{code}
> NOTE: This applies to all endpoints, not just links but since connections and
> sessions don't have client-assignable names that can clash, the problem only
> shows up for links and only if the detach/attach for the same name is
> processed in the same transport batch. This is unlikely in practice and was
> discovered only because of investigation of PROTON-1832.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
