Skip to content
This repository has been archived by the owner on Jan 7, 2022. It is now read-only.

Commit

Permalink
Fix use-after-free in AllServerReadStreams::sendShardStatusToClient()
Browse files Browse the repository at this point in the history 
Summary:
Got a segfault with this stack trace:

  (gdb) bt
  #0  0x00007ff56c2919cf in raise () from /usr/local/fbcode/platform007/lib/libpthread.so.0
  #1  0x0000000002a9656a in facebook::logdevice::handle_fatal_signal (sig=<optimized out>) at logdevice/server/fatalsignal.cpp:58
  #2  <signal handler called>
  #3  facebook::logdevice::configuration::Node::getNumShards (this=0x7fe60c71c610) at logdevice/common/configuration/Node.h:258
  #4  facebook::logdevice::AllServerReadStreams::sendShardStatusToClient (this=<optimized out>, cid=...) at logdevice/server/read_path/AllServerReadStreams.cpp:769
  #5  0x0000000002a9ec3b in facebook::logdevice::AllServerReadStreams::onShardStatusChanged (this=0x7ff4fcbd5c00) at logdevice/server/read_path/AllServerReadStreams.cpp:740
  #6  0x0000000002f9b2d1 in facebook::logdevice::ShardAuthoritativeStatusManager::notifySubscribers (this=<optimized out>) at logdevice/common/ShardAuthoritativeStatusMap.cpp:197
  #7  0x0000000002f9b21e in facebook::logdevice::UpdateShardAuthoritativeMapRequest::execute (this=<optimized out>) at logdevice/common/ShardAuthoritativeStatusMap.cpp:138
  #8  0x0000000002fd4a0e in facebook::logdevice::Worker::processRequest (this=0x7ff56953d600, rq=std::unique_ptr<facebook::logdevice::Request> containing 0x7ff480557e90) at logdevice/common/Worker.cpp:1282
  #9  0x0000000002fdb424 in facebook::logdevice::Worker::forcePost(std::unique_ptr<facebook::logdevice::Request, std::default_delete<facebook::logdevice::Request> >&, signed char)::$_9::operator()() (this=<optimized out>) at logdevice/common/Worker.cpp:1405
  #10 folly::detail::function::FunctionTraits<void ()>::callSmall<facebook::logdevice::Worker::forcePost(std::unique_ptr<facebook::logdevice::Request, std::default_delete<facebook::logdevice::Request> >&, signed char)::$_9>(folly::detail::function::Data&) (p=...) at folly/Function.h:360
  #11 0x0000000002fd581b in folly::detail::function::FunctionTraits<void ()>::operator()() (this=0x0) at folly/Function.h:376
  #12 facebook::logdevice::Worker::pickAndExecuteTask (this=<optimized out>, priority_hint=<optimized out>) at logdevice/common/Worker.cpp:1342
  #13 0x0000000002fdaa62 in facebook::logdevice::Worker::addWithPriority(folly::Function<void ()>, signed char)::$_8::operator()() const (this=<optimized out>) at logdevice/common/Worker.cpp:1388
  #14 folly::detail::function::FunctionTraits<void ()>::callSmall<facebook::logdevice::Worker::addWithPriority(folly::Function<void ()>, signed char)::$_8>(folly::detail::function::Data&) (p=...) at folly/Function.h:360
  #15 0x00000000032de717 in folly::detail::function::FunctionTraits<void ()>::operator()() (this=<optimized out>) at folly/Function.h:376
  #16 facebook::logdevice::EventLoop::add(folly::Function<void ()>)::$_0::operator()() (this=0x7fee0ba685a0) at logdevice/common/EventLoop.cpp:159
  #17 folly::detail::function::FunctionTraits<void ()>::callBig<facebook::logdevice::EventLoop::add(folly::Function<void ()>)::$_0>(folly::detail::function::Data&) (p=...) at folly/Function.h:367
  #18 0x0000000000606428 in folly::detail::function::FunctionTraits<void ()>::operator()() (this=0x7fee0ba685a0) at folly/Function.h:376
  #19 facebook::logdevice::EventLoopTaskQueue::executeTasks (this=<optimized out>, num_tasks_to_dequeue=1) at logdevice/common/EventLoopTaskQueue.cpp:151
  #20 0x0000000000605801 in facebook::logdevice::EventLoopTaskQueue::haveTasksEventHandler(void*, short)::$_0::operator()(unsigned long) const (n=1, this=<optimized out>) at logdevice/common/EventLoopTaskQueue.cpp:119
  #21 facebook::logdevice::LifoEventSemImpl<std::atomic>::AsyncWaiter::processBatch<facebook::logdevice::EventLoopTaskQueue::haveTasksEventHandler(void*, short)::$_0&>(facebook::logdevice::EventLoopTaskQueue::haveTasksEventHandler(void*, short)::$_0&, unsigned long) (this=0x7ff56986a4f0, func=..., maxBatchSize=<optimized out>) at logdevice/common/LifoEventSem.h:205
  #22 facebook::logdevice::EventLoopTaskQueue::haveTasksEventHandler (arg=<optimized out>, what=<optimized out>) at logdevice/common/EventLoopTaskQueue.cpp:124
  #23 0x0000000000603f52 in facebook::logdevice::EventHandler<&facebook::logdevice::EventLoopTaskQueue::haveTasksEventHandler, &facebook::logdevice::(anonymous namespace)::preflight_noop, &facebook::logdevice::(anonymous namespace)::postflight_noop> (what=<optimized out>, arg=0x20) at logdevice/common/EventHandler.h:92
  #24 0x0000000000603e08 in event_process_active_single_queue (base=0x7ff561bddd00, activeq=0x7ff56983c230, max_to_process=2147483647, endtime=0x0) at logdevice/external/libevent-2.1.3-alpha/event.c:1449
  #25 0x000000000548641c in event_process_active (base=<optimized out>) at logdevice/external/libevent-2.1.3-alpha/event.c:1596
  #26 ld_event_base_loop (base=0x7ff561bddd00, flags=<optimized out>) at logdevice/external/libevent-2.1.3-alpha/event.c:1819
  #27 0x00000000032dda80 in facebook::logdevice::EventLoop::run (this=0x7ff56953d600) at logdevice/common/EventLoop.cpp:222
  #28 0x00000000032dd279 in facebook::logdevice::EventLoop::enter (self=0x20) at logdevice/common/EventLoop.cpp:173
  #29 0x00007ff56c2866b6 in start_thread () from /usr/local/fbcode/platform007/lib/libpthread.so.0
  #30 0x00007ff56b967ebf in clone () from /usr/local/fbcode/platform007/lib/libc.so.6

This diff fixes a bug that could cause this.

Reviewed By: gdrane

Differential Revision: D15887025

fbshipit-source-id: eb6b214ae33a0f36506d0d65d95f33469a6cbae1
  • Loading branch information
@al13n321 @facebook-github-bot
al13n321 authored and facebook-github-bot committed Jun 21, 2019
1 parent ed53a07 commit 8215d91
Showing 1 changed file with 3 additions and 1 deletion.
4 changes: 3 additions & 1 deletion logdevice/server/read_path/AllServerReadStreams.cpp
View file
Original file line number Diff line number Diff line change
Expand Up @@ -764,7 +764,9 @@ void AllServerReadStreams::sendShardStatusToClient(ClientID cid) {
// node configuration. Leaving this here for backward compatibility until that
// code is deployed everywhere.
auto my_node_id = Worker::onThisThread()->processor_->getMyNodeID();
auto node = Worker::onThisThread()->getServerConfig()->getNode(my_node_id);
std::shared_ptr<ServerConfig> server_config =
Worker::onThisThread()->getServerConfig();
const configuration::Node* node = server_config->getNode(my_node_id);
ld_check(node);
hdr.num_shards_deprecated = node->getNumShards();

Expand Down

0 comments on commit 8215d91

Please sign in to comment.