[jira] [Commented] (ZOOKEEPER-1519) Zookeeper Async calls can reference free()'d memory

[Flavio Junqueira (JIRA)]

[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-1519?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13821286#comment-13821286
 ] 

Flavio Junqueira commented on ZOOKEEPER-1519:
-

What should we do with this issue? It sounds like we haven't converged.

 Zookeeper Async calls can reference free()'d memory
 ---

 Key: ZOOKEEPER-1519
 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-1519
 Project: ZooKeeper
  Issue Type: Bug
  Components: c client
Affects Versions: 3.3.3, 3.3.6
 Environment: Ubuntu 11.10, Ubuntu packaged Zookeeper 3.3.3 with some 
 backported fixes.
Reporter: Mark Gius
Assignee: Daniel Lescohier
 Fix For: 3.4.6, 3.5.0

 Attachments: zookeeper-1519.patch


 zoo_acreate() and zoo_aset() take a char * argument for data and prepare a 
 call to zookeeper.  This char * doesn't seem to be duplicated at any point, 
 making it possible that the caller of the asynchronous function might 
 potentially free() the char * argument before the zookeeper library completes 
 its request.  This is unlikely to present a real problem unless the freed 
 memory is re-used before zookeeper consumes it.  I've been unable to 
 reproduce this issue using pure C as a result.
 However, ZKPython is a whole different story.  Consider this snippet:
   ok = zookeeper.acreate(handle, path, json.dumps(value), 
  acl, flags, callback)
   assert ok == zookeeper.OK
 In this snippet, json.dumps() allocates a string which is passed into the 
 acreate().  When acreate() returns, the zookeeper request has been 
 constructed with a pointer to the string allocated by json.dumps().  Also 
 when acreate() returns, that string is now referenced by 0 things (ZKPython 
 doesn't bump the refcount) and the string is eligible for garbage collection 
 and re-use.  The Zookeeper request now has a pointer to dangerous freed 
 memory.
 I've been seeing odd behavior in our development environments for some time 
 now, where it appeared as though two separate JSON payloads had been joined 
 together.  Python has been allocating a new JSON string in the middle of the 
 old string that an incomplete zookeeper async call had not yet processed.
 I am not sure if this is a behavior that should be documented, or if the C 
 binding implementation needs to be updated to create copies of the data 
 payload provided for aset and acreate.



--
This message was sent by Atlassian JIRA
(v6.1#6144)

[jira] [Commented] (ZOOKEEPER-1519) Zookeeper Async calls can reference free()'d memory

[Jacky007 (JIRA)]

[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-1519?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13822117#comment-13822117
 ] 

Jacky007 commented on ZOOKEEPER-1519:
-

I don't think this is a problem. The caller should hold the json.dumps(value), 
and free it in callback if needed.

 Zookeeper Async calls can reference free()'d memory
 ---

 Key: ZOOKEEPER-1519
 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-1519
 Project: ZooKeeper
  Issue Type: Bug
  Components: c client
Affects Versions: 3.3.3, 3.3.6
 Environment: Ubuntu 11.10, Ubuntu packaged Zookeeper 3.3.3 with some 
 backported fixes.
Reporter: Mark Gius
Assignee: Daniel Lescohier
 Fix For: 3.4.6, 3.5.0

 Attachments: zookeeper-1519.patch


 zoo_acreate() and zoo_aset() take a char * argument for data and prepare a 
 call to zookeeper.  This char * doesn't seem to be duplicated at any point, 
 making it possible that the caller of the asynchronous function might 
 potentially free() the char * argument before the zookeeper library completes 
 its request.  This is unlikely to present a real problem unless the freed 
 memory is re-used before zookeeper consumes it.  I've been unable to 
 reproduce this issue using pure C as a result.
 However, ZKPython is a whole different story.  Consider this snippet:
   ok = zookeeper.acreate(handle, path, json.dumps(value), 
  acl, flags, callback)
   assert ok == zookeeper.OK
 In this snippet, json.dumps() allocates a string which is passed into the 
 acreate().  When acreate() returns, the zookeeper request has been 
 constructed with a pointer to the string allocated by json.dumps().  Also 
 when acreate() returns, that string is now referenced by 0 things (ZKPython 
 doesn't bump the refcount) and the string is eligible for garbage collection 
 and re-use.  The Zookeeper request now has a pointer to dangerous freed 
 memory.
 I've been seeing odd behavior in our development environments for some time 
 now, where it appeared as though two separate JSON payloads had been joined 
 together.  Python has been allocating a new JSON string in the middle of the 
 old string that an incomplete zookeeper async call had not yet processed.
 I am not sure if this is a behavior that should be documented, or if the C 
 binding implementation needs to be updated to create copies of the data 
 payload provided for aset and acreate.



--
This message was sent by Atlassian JIRA
(v6.1#6144)

[jira] [Commented] (ZOOKEEPER-1519) Zookeeper Async calls can reference free()'d memory

[Marshall McMullen (JIRA)]

[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-1519?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13785884#comment-13785884
 ] 

Marshall McMullen commented on ZOOKEEPER-1519:
--

I agree with Flavio... All the work I did in the C client made the same 
contract that the caller owns the memory not the C client. This is typical of 
all async interfaces I've used (e.g. asio, etc). 

 Zookeeper Async calls can reference free()'d memory
 ---

 Key: ZOOKEEPER-1519
 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-1519
 Project: ZooKeeper
  Issue Type: Bug
  Components: c client
Affects Versions: 3.3.3, 3.3.6
 Environment: Ubuntu 11.10, Ubuntu packaged Zookeeper 3.3.3 with some 
 backported fixes.
Reporter: Mark Gius
Assignee: Daniel Lescohier
 Fix For: 3.4.6, 3.5.0

 Attachments: zookeeper-1519.patch


 zoo_acreate() and zoo_aset() take a char * argument for data and prepare a 
 call to zookeeper.  This char * doesn't seem to be duplicated at any point, 
 making it possible that the caller of the asynchronous function might 
 potentially free() the char * argument before the zookeeper library completes 
 its request.  This is unlikely to present a real problem unless the freed 
 memory is re-used before zookeeper consumes it.  I've been unable to 
 reproduce this issue using pure C as a result.
 However, ZKPython is a whole different story.  Consider this snippet:
   ok = zookeeper.acreate(handle, path, json.dumps(value), 
  acl, flags, callback)
   assert ok == zookeeper.OK
 In this snippet, json.dumps() allocates a string which is passed into the 
 acreate().  When acreate() returns, the zookeeper request has been 
 constructed with a pointer to the string allocated by json.dumps().  Also 
 when acreate() returns, that string is now referenced by 0 things (ZKPython 
 doesn't bump the refcount) and the string is eligible for garbage collection 
 and re-use.  The Zookeeper request now has a pointer to dangerous freed 
 memory.
 I've been seeing odd behavior in our development environments for some time 
 now, where it appeared as though two separate JSON payloads had been joined 
 together.  Python has been allocating a new JSON string in the middle of the 
 old string that an incomplete zookeeper async call had not yet processed.
 I am not sure if this is a behavior that should be documented, or if the C 
 binding implementation needs to be updated to create copies of the data 
 payload provided for aset and acreate.



--
This message was sent by Atlassian JIRA
(v6.1#6144)

[jira] [Commented] (ZOOKEEPER-1519) Zookeeper Async calls can reference free()'d memory

[Flavio Junqueira (JIRA)]

[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-1519?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13783752#comment-13783752
 ] 

Flavio Junqueira commented on ZOOKEEPER-1519:
-

Hi there, I believe the contract with the C client is that the application 
manages the memory allocation of the data it passes to async calls, so I'm not 
really happy about copying the data. I'm fine with improving documentation, 
though.

A different issue seems to be with the python client. I don't know enough about 
it to determine if this could be fixed on its side instead of applying the fix 
proposed here.

 Zookeeper Async calls can reference free()'d memory
 ---

 Key: ZOOKEEPER-1519
 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-1519
 Project: ZooKeeper
  Issue Type: Bug
  Components: c client
Affects Versions: 3.3.3, 3.3.6
 Environment: Ubuntu 11.10, Ubuntu packaged Zookeeper 3.3.3 with some 
 backported fixes.
Reporter: Mark Gius
Assignee: Daniel Lescohier
 Fix For: 3.4.6, 3.5.0

 Attachments: zookeeper-1519.patch


 zoo_acreate() and zoo_aset() take a char * argument for data and prepare a 
 call to zookeeper.  This char * doesn't seem to be duplicated at any point, 
 making it possible that the caller of the asynchronous function might 
 potentially free() the char * argument before the zookeeper library completes 
 its request.  This is unlikely to present a real problem unless the freed 
 memory is re-used before zookeeper consumes it.  I've been unable to 
 reproduce this issue using pure C as a result.
 However, ZKPython is a whole different story.  Consider this snippet:
   ok = zookeeper.acreate(handle, path, json.dumps(value), 
  acl, flags, callback)
   assert ok == zookeeper.OK
 In this snippet, json.dumps() allocates a string which is passed into the 
 acreate().  When acreate() returns, the zookeeper request has been 
 constructed with a pointer to the string allocated by json.dumps().  Also 
 when acreate() returns, that string is now referenced by 0 things (ZKPython 
 doesn't bump the refcount) and the string is eligible for garbage collection 
 and re-use.  The Zookeeper request now has a pointer to dangerous freed 
 memory.
 I've been seeing odd behavior in our development environments for some time 
 now, where it appeared as though two separate JSON payloads had been joined 
 together.  Python has been allocating a new JSON string in the middle of the 
 old string that an incomplete zookeeper async call had not yet processed.
 I am not sure if this is a behavior that should be documented, or if the C 
 binding implementation needs to be updated to create copies of the data 
 payload provided for aset and acreate.



--
This message was sent by Atlassian JIRA
(v6.1#6144)

[jira] [Commented] (ZOOKEEPER-1519) Zookeeper Async calls can reference free()'d memory

[Patrick Hunt (JIRA)]

[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-1519?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13784159#comment-13784159
 ] 

Patrick Hunt commented on ZOOKEEPER-1519:
-

[~henryr] any insight here?

 Zookeeper Async calls can reference free()'d memory
 ---

 Key: ZOOKEEPER-1519
 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-1519
 Project: ZooKeeper
  Issue Type: Bug
  Components: c client
Affects Versions: 3.3.3, 3.3.6
 Environment: Ubuntu 11.10, Ubuntu packaged Zookeeper 3.3.3 with some 
 backported fixes.
Reporter: Mark Gius
Assignee: Daniel Lescohier
 Fix For: 3.4.6, 3.5.0

 Attachments: zookeeper-1519.patch


 zoo_acreate() and zoo_aset() take a char * argument for data and prepare a 
 call to zookeeper.  This char * doesn't seem to be duplicated at any point, 
 making it possible that the caller of the asynchronous function might 
 potentially free() the char * argument before the zookeeper library completes 
 its request.  This is unlikely to present a real problem unless the freed 
 memory is re-used before zookeeper consumes it.  I've been unable to 
 reproduce this issue using pure C as a result.
 However, ZKPython is a whole different story.  Consider this snippet:
   ok = zookeeper.acreate(handle, path, json.dumps(value), 
  acl, flags, callback)
   assert ok == zookeeper.OK
 In this snippet, json.dumps() allocates a string which is passed into the 
 acreate().  When acreate() returns, the zookeeper request has been 
 constructed with a pointer to the string allocated by json.dumps().  Also 
 when acreate() returns, that string is now referenced by 0 things (ZKPython 
 doesn't bump the refcount) and the string is eligible for garbage collection 
 and re-use.  The Zookeeper request now has a pointer to dangerous freed 
 memory.
 I've been seeing odd behavior in our development environments for some time 
 now, where it appeared as though two separate JSON payloads had been joined 
 together.  Python has been allocating a new JSON string in the middle of the 
 old string that an incomplete zookeeper async call had not yet processed.
 I am not sure if this is a behavior that should be documented, or if the C 
 binding implementation needs to be updated to create copies of the data 
 payload provided for aset and acreate.



--
This message was sent by Atlassian JIRA
(v6.1#6144)

[jira] [Commented] (ZOOKEEPER-1519) Zookeeper Async calls can reference free()'d memory

[Raul Gutierrez Segales (JIRA)]

[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-1519?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13587340#comment-13587340
 ] 

Raul Gutierrez Segales commented on ZOOKEEPER-1519:
---

Does sizeof *(void *) work?

 Zookeeper Async calls can reference free()'d memory
 ---

 Key: ZOOKEEPER-1519
 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-1519
 Project: ZooKeeper
  Issue Type: Bug
  Components: c client
Affects Versions: 3.3.3, 3.3.6
 Environment: Ubuntu 11.10, Ubuntu packaged Zookeeper 3.3.3 with some 
 backported fixes.
Reporter: Mark Gius
 Attachments: zookeeper-1519.patch


 zoo_acreate() and zoo_aset() take a char * argument for data and prepare a 
 call to zookeeper.  This char * doesn't seem to be duplicated at any point, 
 making it possible that the caller of the asynchronous function might 
 potentially free() the char * argument before the zookeeper library completes 
 its request.  This is unlikely to present a real problem unless the freed 
 memory is re-used before zookeeper consumes it.  I've been unable to 
 reproduce this issue using pure C as a result.
 However, ZKPython is a whole different story.  Consider this snippet:
   ok = zookeeper.acreate(handle, path, json.dumps(value), 
  acl, flags, callback)
   assert ok == zookeeper.OK
 In this snippet, json.dumps() allocates a string which is passed into the 
 acreate().  When acreate() returns, the zookeeper request has been 
 constructed with a pointer to the string allocated by json.dumps().  Also 
 when acreate() returns, that string is now referenced by 0 things (ZKPython 
 doesn't bump the refcount) and the string is eligible for garbage collection 
 and re-use.  The Zookeeper request now has a pointer to dangerous freed 
 memory.
 I've been seeing odd behavior in our development environments for some time 
 now, where it appeared as though two separate JSON payloads had been joined 
 together.  Python has been allocating a new JSON string in the middle of the 
 old string that an incomplete zookeeper async call had not yet processed.
 I am not sure if this is a behavior that should be documented, or if the C 
 binding implementation needs to be updated to create copies of the data 
 payload provided for aset and acreate.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

[jira] [Commented] (ZOOKEEPER-1519) Zookeeper Async calls can reference free()'d memory

[Raul Gutierrez Segales (JIRA)]

[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-1519?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13587351#comment-13587351
 ] 

Raul Gutierrez Segales commented on ZOOKEEPER-1519:
---

Don't think so: http://fpaste.org/iwjf/

 Zookeeper Async calls can reference free()'d memory
 ---

 Key: ZOOKEEPER-1519
 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-1519
 Project: ZooKeeper
  Issue Type: Bug
  Components: c client
Affects Versions: 3.3.3, 3.3.6
 Environment: Ubuntu 11.10, Ubuntu packaged Zookeeper 3.3.3 with some 
 backported fixes.
Reporter: Mark Gius
 Attachments: zookeeper-1519.patch


 zoo_acreate() and zoo_aset() take a char * argument for data and prepare a 
 call to zookeeper.  This char * doesn't seem to be duplicated at any point, 
 making it possible that the caller of the asynchronous function might 
 potentially free() the char * argument before the zookeeper library completes 
 its request.  This is unlikely to present a real problem unless the freed 
 memory is re-used before zookeeper consumes it.  I've been unable to 
 reproduce this issue using pure C as a result.
 However, ZKPython is a whole different story.  Consider this snippet:
   ok = zookeeper.acreate(handle, path, json.dumps(value), 
  acl, flags, callback)
   assert ok == zookeeper.OK
 In this snippet, json.dumps() allocates a string which is passed into the 
 acreate().  When acreate() returns, the zookeeper request has been 
 constructed with a pointer to the string allocated by json.dumps().  Also 
 when acreate() returns, that string is now referenced by 0 things (ZKPython 
 doesn't bump the refcount) and the string is eligible for garbage collection 
 and re-use.  The Zookeeper request now has a pointer to dangerous freed 
 memory.
 I've been seeing odd behavior in our development environments for some time 
 now, where it appeared as though two separate JSON payloads had been joined 
 together.  Python has been allocating a new JSON string in the middle of the 
 old string that an incomplete zookeeper async call had not yet processed.
 I am not sure if this is a behavior that should be documented, or if the C 
 binding implementation needs to be updated to create copies of the data 
 payload provided for aset and acreate.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

[jira] [Commented] (ZOOKEEPER-1519) Zookeeper Async calls can reference free()'d memory

[Daniel Lescohier (JIRA)]

[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-1519?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13587520#comment-13587520
 ] 

Daniel Lescohier commented on ZOOKEEPER-1519:
-

You're correct. I didn't have time to test the patch, but I wanted to get it 
out there for discussion.

I looked further, and the callers get void* data from the public API with no 
length parameter.  So, the public API does not allow us to copy the data.

In order to fix it, it looks like a public API change is required.  Either:

 1. Document in the API that the caller cannot free that memory until the 
zookeeper library is done with it (which also means it can't be a pointer to 
memory on the stack).  I assume that the library is done with it once it calls 
the completion callback? So the program can free it once it gets the same 
pointer back in a callback (or when the zookeeper connection is closed). I 
think this would make it hard to integrate with scripting languages like 
Python, because the scripting language C interface would have to copy the 
memory, account for it in some global structure, and free it once it sees that 
pointer again in a callback or when the zookeeper connection is closed.

 2. Document in the API that the void * must be malloc'ed memory, and the 
ownership is passed to the library (which means the caller copies it, and the 
library frees it). That's also a difficult API.

 3. Add a data length parameter to the API, so the library can copy it.

 4. Don't use a void * for the 'data' parameter, use something else.


 Zookeeper Async calls can reference free()'d memory
 ---

 Key: ZOOKEEPER-1519
 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-1519
 Project: ZooKeeper
  Issue Type: Bug
  Components: c client
Affects Versions: 3.3.3, 3.3.6
 Environment: Ubuntu 11.10, Ubuntu packaged Zookeeper 3.3.3 with some 
 backported fixes.
Reporter: Mark Gius
 Attachments: zookeeper-1519.patch


 zoo_acreate() and zoo_aset() take a char * argument for data and prepare a 
 call to zookeeper.  This char * doesn't seem to be duplicated at any point, 
 making it possible that the caller of the asynchronous function might 
 potentially free() the char * argument before the zookeeper library completes 
 its request.  This is unlikely to present a real problem unless the freed 
 memory is re-used before zookeeper consumes it.  I've been unable to 
 reproduce this issue using pure C as a result.
 However, ZKPython is a whole different story.  Consider this snippet:
   ok = zookeeper.acreate(handle, path, json.dumps(value), 
  acl, flags, callback)
   assert ok == zookeeper.OK
 In this snippet, json.dumps() allocates a string which is passed into the 
 acreate().  When acreate() returns, the zookeeper request has been 
 constructed with a pointer to the string allocated by json.dumps().  Also 
 when acreate() returns, that string is now referenced by 0 things (ZKPython 
 doesn't bump the refcount) and the string is eligible for garbage collection 
 and re-use.  The Zookeeper request now has a pointer to dangerous freed 
 memory.
 I've been seeing odd behavior in our development environments for some time 
 now, where it appeared as though two separate JSON payloads had been joined 
 together.  Python has been allocating a new JSON string in the middle of the 
 old string that an incomplete zookeeper async call had not yet processed.
 I am not sure if this is a behavior that should be documented, or if the C 
 binding implementation needs to be updated to create copies of the data 
 payload provided for aset and acreate.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

[jira] [Commented] (ZOOKEEPER-1519) Zookeeper Async calls can reference free()'d memory

[Daniel Lescohier (JIRA)]

[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-1519?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13587562#comment-13587562
 ] 

Daniel Lescohier commented on ZOOKEEPER-1519:
-

Never mind my comments about 'data'. I was confusing 'value' with 'data.'  
'value' is copied when it is serialized. So, I don't see where the submitter's 
original problem can occur.

'data' is all right, because it should be passed by reference.  In the zkpython 
bindings, it's used to hold a reference to the Python callable object that 
should be called on the callback.  That's a python object, so it's refcounted.  
'completion' is the zkpython C function that is called, and calls the python 
callable object that is cast to a Python object and called with the Python API.


 Zookeeper Async calls can reference free()'d memory
 ---

 Key: ZOOKEEPER-1519
 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-1519
 Project: ZooKeeper
  Issue Type: Bug
  Components: c client
Affects Versions: 3.3.3, 3.3.6
 Environment: Ubuntu 11.10, Ubuntu packaged Zookeeper 3.3.3 with some 
 backported fixes.
Reporter: Mark Gius
 Attachments: zookeeper-1519.patch


 zoo_acreate() and zoo_aset() take a char * argument for data and prepare a 
 call to zookeeper.  This char * doesn't seem to be duplicated at any point, 
 making it possible that the caller of the asynchronous function might 
 potentially free() the char * argument before the zookeeper library completes 
 its request.  This is unlikely to present a real problem unless the freed 
 memory is re-used before zookeeper consumes it.  I've been unable to 
 reproduce this issue using pure C as a result.
 However, ZKPython is a whole different story.  Consider this snippet:
   ok = zookeeper.acreate(handle, path, json.dumps(value), 
  acl, flags, callback)
   assert ok == zookeeper.OK
 In this snippet, json.dumps() allocates a string which is passed into the 
 acreate().  When acreate() returns, the zookeeper request has been 
 constructed with a pointer to the string allocated by json.dumps().  Also 
 when acreate() returns, that string is now referenced by 0 things (ZKPython 
 doesn't bump the refcount) and the string is eligible for garbage collection 
 and re-use.  The Zookeeper request now has a pointer to dangerous freed 
 memory.
 I've been seeing odd behavior in our development environments for some time 
 now, where it appeared as though two separate JSON payloads had been joined 
 together.  Python has been allocating a new JSON string in the middle of the 
 old string that an incomplete zookeeper async call had not yet processed.
 I am not sure if this is a behavior that should be documented, or if the C 
 binding implementation needs to be updated to create copies of the data 
 payload provided for aset and acreate.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

[jira] [Commented] (ZOOKEEPER-1519) Zookeeper Async calls can reference free()'d memory

[Stephen Tyree (JIRA)]

[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-1519?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13422447#comment-13422447
 ] 

Stephen Tyree commented on ZOOKEEPER-1519:
--

Duplicating the data wouldn't help in circumstances where the data is a 
structure contain malloc'd memory, i.e.:

struct Foo {
  const char* bar;
};


 Zookeeper Async calls can reference free()'d memory
 ---

 Key: ZOOKEEPER-1519
 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-1519
 Project: ZooKeeper
  Issue Type: Bug
  Components: c client
Affects Versions: 3.3.3
 Environment: Ubuntu 11.10, Ubuntu packaged Zookeeper 3.3.3 with some 
 backported fixes.
Reporter: Mark Gius

 zoo_acreate() and zoo_aset() take a char * argument for data and prepare a 
 call to zookeeper.  This char * doesn't seem to be duplicated at any point, 
 making it possible that the caller of the asynchronous function might 
 potentially free() the char * argument before the zookeeper library completes 
 its request.  This is unlikely to present a real problem unless the freed 
 memory is re-used before zookeeper consumes it.  I've been unable to 
 reproduce this issue using pure C as a result.
 However, ZKPython is a whole different story.  Consider this snippet:
   ok = zookeeper.acreate(handle, path, json.dumps(value), 
  acl, flags, callback)
   assert ok == zookeeper.OK
 In this snippet, json.dumps() allocates a string which is passed into the 
 acreate().  When acreate() returns, the zookeeper request has been 
 constructed with a pointer to the string allocated by json.dumps().  Also 
 when acreate() returns, that string is now referenced by 0 things (ZKPython 
 doesn't bump the refcount) and the string is eligible for garbage collection 
 and re-use.  The Zookeeper request now has a pointer to dangerous freed 
 memory.
 I've been seeing odd behavior in our development environments for some time 
 now, where it appeared as though two separate JSON payloads had been joined 
 together.  Python has been allocating a new JSON string in the middle of the 
 old string that an incomplete zookeeper async call had not yet processed.
 I am not sure if this is a behavior that should be documented, or if the C 
 binding implementation needs to be updated to create copies of the data 
 payload provided for aset and acreate.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

[jira] [Commented] (ZOOKEEPER-1519) Zookeeper Async calls can reference free()'d memory

[Mark Gius (JIRA)]

[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-1519?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13422461#comment-13422461
 ] 

Mark Gius commented on ZOOKEEPER-1519:
--

Then perhaps the solution is to document a contract between aysnc calls and 
library consumers that the data pointer needs to be alive until after the async 
call has complete (or been submitted, or whatever).  

Or maybe async calls need another argument for a cleanup function that frees 
the data pointer.

 Zookeeper Async calls can reference free()'d memory
 ---

 Key: ZOOKEEPER-1519
 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-1519
 Project: ZooKeeper
  Issue Type: Bug
  Components: c client
Affects Versions: 3.3.3
 Environment: Ubuntu 11.10, Ubuntu packaged Zookeeper 3.3.3 with some 
 backported fixes.
Reporter: Mark Gius

 zoo_acreate() and zoo_aset() take a char * argument for data and prepare a 
 call to zookeeper.  This char * doesn't seem to be duplicated at any point, 
 making it possible that the caller of the asynchronous function might 
 potentially free() the char * argument before the zookeeper library completes 
 its request.  This is unlikely to present a real problem unless the freed 
 memory is re-used before zookeeper consumes it.  I've been unable to 
 reproduce this issue using pure C as a result.
 However, ZKPython is a whole different story.  Consider this snippet:
   ok = zookeeper.acreate(handle, path, json.dumps(value), 
  acl, flags, callback)
   assert ok == zookeeper.OK
 In this snippet, json.dumps() allocates a string which is passed into the 
 acreate().  When acreate() returns, the zookeeper request has been 
 constructed with a pointer to the string allocated by json.dumps().  Also 
 when acreate() returns, that string is now referenced by 0 things (ZKPython 
 doesn't bump the refcount) and the string is eligible for garbage collection 
 and re-use.  The Zookeeper request now has a pointer to dangerous freed 
 memory.
 I've been seeing odd behavior in our development environments for some time 
 now, where it appeared as though two separate JSON payloads had been joined 
 together.  Python has been allocating a new JSON string in the middle of the 
 old string that an incomplete zookeeper async call had not yet processed.
 I am not sure if this is a behavior that should be documented, or if the C 
 binding implementation needs to be updated to create copies of the data 
 payload provided for aset and acreate.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

[jira] [Commented] (ZOOKEEPER-1519) Zookeeper Async calls can reference free()'d memory

[Mark Gius (JIRA)]

[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-1519?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13422538#comment-13422538
 ] 

Mark Gius commented on ZOOKEEPER-1519:
--

well, I don't think zookeeper would handle such a struct correctly anyway, 
because zookeeper treats whatever you throw into that argument like a byte 
array.  So zookeeper will persist the memory location of the inner-malloc()'d 
memory, but not the memory itself. 

 Zookeeper Async calls can reference free()'d memory
 ---

 Key: ZOOKEEPER-1519
 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-1519
 Project: ZooKeeper
  Issue Type: Bug
  Components: c client
Affects Versions: 3.3.3
 Environment: Ubuntu 11.10, Ubuntu packaged Zookeeper 3.3.3 with some 
 backported fixes.
Reporter: Mark Gius

 zoo_acreate() and zoo_aset() take a char * argument for data and prepare a 
 call to zookeeper.  This char * doesn't seem to be duplicated at any point, 
 making it possible that the caller of the asynchronous function might 
 potentially free() the char * argument before the zookeeper library completes 
 its request.  This is unlikely to present a real problem unless the freed 
 memory is re-used before zookeeper consumes it.  I've been unable to 
 reproduce this issue using pure C as a result.
 However, ZKPython is a whole different story.  Consider this snippet:
   ok = zookeeper.acreate(handle, path, json.dumps(value), 
  acl, flags, callback)
   assert ok == zookeeper.OK
 In this snippet, json.dumps() allocates a string which is passed into the 
 acreate().  When acreate() returns, the zookeeper request has been 
 constructed with a pointer to the string allocated by json.dumps().  Also 
 when acreate() returns, that string is now referenced by 0 things (ZKPython 
 doesn't bump the refcount) and the string is eligible for garbage collection 
 and re-use.  The Zookeeper request now has a pointer to dangerous freed 
 memory.
 I've been seeing odd behavior in our development environments for some time 
 now, where it appeared as though two separate JSON payloads had been joined 
 together.  Python has been allocating a new JSON string in the middle of the 
 old string that an incomplete zookeeper async call had not yet processed.
 I am not sure if this is a behavior that should be documented, or if the C 
 binding implementation needs to be updated to create copies of the data 
 payload provided for aset and acreate.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira