Details
-
Bug
-
Status: Closed
-
Major
-
Resolution: Fixed
-
proton-0.7
-
None
Description
The 'star_topology' Messenger test are throwing the occasional seg-fault. Here's a valgrind backtrace:
proton_tests.soak.MessengerTests.test_star_topology_valgrind ...................................................................................................... fail
Error during test: Traceback (most recent call last):
File "./tests/python/proton-test", line 352, in run
phase()
File "/home/kgiusti/work/proton/0.7/qpid-proton-0.7/tests/python/proton_tests/soak.py", line 348, in test_star_topology_valgrind
self._do_star_topology_test( MessengerReceiverValgrind, MessengerSenderValgrind )
File "/home/kgiusti/work/proton/0.7/qpid-proton-0.7/tests/python/proton_tests/soak.py", line 280, in _do_star_topology_test
self._do_test(iterations)
File "/home/kgiusti/work/proton/0.7/qpid-proton-0.7/tests/python/proton_tests/soak.py", line 112, in _do_test
R.stderr()))
AssertionError: Command '['/usr/bin/valgrind', '--error-exitcode=1', '--quiet', '--trace-children=yes', '--leak-check=full', '--suppressions=/home/kgiusti/work/proton/0.7/qpid-proton-0.7/tests/python/proton_tests/valgrind.supp', 'msgr-recv', '-X', 'READY', '-a', 'amqp://~0.0.0.0:62305,amqp://~0.0.0.0:57030,amqp://~0.0.0.0:63714', '-c', '1530', '-t', '60', '-R']' failed status=1: '==16855== Invalid read of size 8
==16855== at 0x4C258CE: pn_compare (in /home/kgiusti/work/proton/0.7/qpid-proton-0.7/build/proton-c/libqpid-proton.so.2.0.0)
==16855== by 0x4C25959: pn_equals (in /home/kgiusti/work/proton/0.7/qpid-proton-0.7/build/proton-c/libqpid-proton.so.2.0.0)
==16855== by 0x4C25D79: pn_list_index (in /home/kgiusti/work/proton/0.7/qpid-proton-0.7/build/proton-c/libqpid-proton.so.2.0.0)
==16855== by 0x4C25DE8: pn_list_remove (in /home/kgiusti/work/proton/0.7/qpid-proton-0.7/build/proton-c/libqpid-proton.so.2.0.0)
==16855== by 0x4C445FE: pn_listener_ctx_free (in /home/kgiusti/work/proton/0.7/qpid-proton-0.7/build/proton-c/libqpid-proton.so.2.0.0)
==16855== by 0x4C442D1: pni_listener_finalize (in /home/kgiusti/work/proton/0.7/qpid-proton-0.7/build/proton-c/libqpid-proton.so.2.0.0)
==16855== by 0x4C4AC22: pn_selectable_finalize (in /home/kgiusti/work/proton/0.7/qpid-proton-0.7/build/proton-c/libqpid-proton.so.2.0.0)
==16855== by 0x4C25745: pn_finalize (in /home/kgiusti/work/proton/0.7/qpid-proton-0.7/build/proton-c/libqpid-proton.so.2.0.0)
==16855== by 0x4C256BE: pn_decref (in /home/kgiusti/work/proton/0.7/qpid-proton-0.7/build/proton-c/libqpid-proton.so.2.0.0)
==16855== by 0x4C257E0: pn_free (in /home/kgiusti/work/proton/0.7/qpid-proton-0.7/build/proton-c/libqpid-proton.so.2.0.0)
==16855== by 0x4C4B126: pn_selectable_free (in /home/kgiusti/work/proton/0.7/qpid-proton-0.7/build/proton-c/libqpid-proton.so.2.0.0)
==16855== by 0x4C46AED: pni_wait (in /home/kgiusti/work/proton/0.7/qpid-proton-0.7/build/proton-c/libqpid-proton.so.2.0.0)
==16855== Address 0x4ea6bb0 is 16 bytes before a block of size 56 alloc'd
==16855== at 0x4A06409: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==16855== by 0x4C443ED: pn_listener_ctx (in /home/kgiusti/work/proton/0.7/qpid-proton-0.7/build/proton-c/libqpid-proton.so.2.0.0)
==16855== by 0x4C47928: pn_messenger_subscribe (in /home/kgiusti/work/proton/0.7/qpid-proton-0.7/build/proton-c/libqpid-proton.so.2.0.0)
==16855== by 0x4021CE: main (in /home/kgiusti/work/proton/0.7/qpid-proton-0.7/build/tests/tools/apps/c/msgr-recv)
==16855==
The problem is that the pn_listener_ctx is allocated using malloc:
pn_listener_ctx_t *ctx = (pn_listener_ctx_t *) malloc(sizeof(pn_listener_ctx_t));
ctx->messenger = messenger;
but it is stored on a pn_list (messenger->listeners) - which assumes it is derived from an "object" type. When messenger tries to clean up a listener, the pn_list attempts to access the non-existing clazz header.