
Key: CORE-6224
Type: Bug
Status: Resolved
Resolution: Fixed
Priority: Major
Assignee: Vlad Khorsun
Reporter: Kovalenko Dmitry
Votes: 0
Watchers: 3
Firebird Core

[AV] Re-destruction of the rem_port object

Created: 13/Jan/20 08:09 AM   Updated: 20/Apr/20 10:19 AM
Component/s: Engine
Affects Version/s: 3.0.5
Fix Version/s: 4.0 Beta 2, 3.0.6

File Attachments: 1. 2020_02_06--fb_bug-core-6224.7z (3.43 MB)

Environment: Test of IBProvider builtin client for Firebird.

QA Status: No test


Description
FB3.0.5.33225 x64 SuperServer.

Connection through TCP/IP.

-------
Under mt-testing of the IBProvider builtin client for Firebird, Firebird crashes on the destruction of the rem_port object.

This is a reproducible problem on the "clear" build of the server.

Run parameters [for history]
target\vs2019-x64-Debug\test_db_client_fb_1.exe /thread_count 10 /auto /log_dir _logs /log_file_prefix fb03-0-4 /inet_host HOME4 /db d:\database\ram\ibp_test_fb30_d3.gdb /db_user GAMER /db_password vermut /new_db_dir d:\database\ram\ /isc_api_library fbclient_30.dll /cn_str "remote:protocol_arch=symmetric,generic;remote:wire_compression=required" /dbms "FB-3" /test RemoteFB.WORK.019.StmtExecute.*

-------- [The "best" case of crash]

I made some changes in the FB sources for a better understanding of the problem.

CRASH THREAD [ID 31192 - not sure at current time]

virtual int release() const
{
fb_assert(m_refCnt.value() > 0); //<- HERE

STACK:
  firebird.exe!fb_assert_impl(const char * msg, const char * file, int line, bool do_abort)Строка 48 C++
> firebird.exe!Firebird::RefCounted::release()Строка 45 C++
  firebird.exe!rem_port::release()Строка 1162 C++
  firebird.exe!Firebird::RefPtr<rem_port>::assign(rem_port * const p)Строка 276 C++
  firebird.exe!Firebird::RefPtr<rem_port>::operator=(rem_port * p)Строка 182 C++
  firebird.exe!server_req_t::~server_req_t()Строка 130 C++
  firebird.exe!server_req_t::`scalar deleting destructor'(unsigned int) C++
  firebird.exe!loopThread(void * __formal)Строка 6180 C++
  firebird.exe!`anonymous namespace'::ThreadArgs::run()Строка 78 C++
  firebird.exe!threadStart(void * arg)Строка 97 C++
  ucrtbased.dll!thread_start<unsigned int (__cdecl*)(void *),1>(void * const parameter)Строка 97 C++
  kernel32.dll!BaseThreadInitThunk() Нет данных
  ntdll.dll!RtlUserThreadStart() Нет данных

LOCAL VARIABLES:
- this 0x00000000008ca1d0 {m_refCnt={...} m_debug__WAS_DELETED=-572662307 } const Firebird::RefCounted *
+ __vfptr 0xdddddddddddddddd {???, ???, ???} void * *
- m_refCnt {...} Firebird::AtomicCounter
+ Firebird::PlatformAtomicCounter {counter=-2459565876494606883 } Firebird::PlatformAtomicCounter
m_debug__WAS_DELETED -572662307 long
refCnt -858993460 const int

NOTE ON THE this - it is 0x00000000008ca1d0

------ TRACE INFORMATION, WHICH WAS CREATED __BEFORE__ CRASH:

It is a direct call of rem_port::release from "static void disconnect(rem_port* const port)" (inet.cpp). Decrement from 2 to 1.

REM_PORT_RLS - 0x00000000008ca1d0. TID: 31192. R: 1. STACK:
firebird.exe!rem_port::release
firebird.exe!disconnect
firebird.exe!rem_port::disconnect
firebird.exe!rem_port::disconnect
firebird.exe!process_packet
firebird.exe!loopThread
firebird.exe!`anonymous namespace'::ThreadArgs::run
firebird.exe!threadStart
ucrtbased.dll!thread_start<unsigned int (__cdecl*)(void *),1>
kernel32.dll!BaseThreadInitThunk
ntdll.dll!RtlUserThreadStart

It is the destruction of the rem_port object. Decrement from 1 to 0.

REM_PORT_DCR - 0x00000000008ca1d0. TID: 31192. STACK:
firebird.exe!rem_port::~rem_port
firebird.exe!rem_port::`scalar deleting destructor'
firebird.exe!Firebird::RefCounted::release
firebird.exe!rem_port::release
firebird.exe!Firebird::RefPtr<rem_port>::~RefPtr<rem_port>
firebird.exe!DecrementRequestsQueued::~DecrementRequestsQueued
firebird.exe!process_packet
firebird.exe!loopThread
firebird.exe!`anonymous namespace'::ThreadArgs::run
firebird.exe!threadStart
ucrtbased.dll!thread_start<unsigned int (__cdecl*)(void *),1>
kernel32.dll!BaseThreadInitThunk
ntdll.dll!RtlUserThreadStart
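
The sequence shown in the traces above, reduced to a small model. This is an added example, not Firebird source and not part of the original report: `Port`, `PortRef` and `run` are hypothetical names, and the object is only flagged as destroyed instead of being freed, so the stale release can be counted safely.

```cpp
// Simplified model (NOT Firebird source): intrusive ref-counting where one
// code path calls release() directly without owning a reference.
#include <cassert>
#include <cstdio>

struct Port {                       // stand-in for a ref-counted port object
    int refCnt = 0;
    bool destroyed = false;         // plays the role of a debug "was deleted" marker
    int releasesAfterDestroy = 0;   // each hit here would be a use-after-free
    void addRef() { ++refCnt; }
    void release() {
        if (destroyed) { ++releasesAfterDestroy; return; }  // real code: assert / AV
        if (--refCnt == 0) destroyed = true;                // real code: delete this
    }
};

class PortRef {                     // minimal smart pointer: addRef on acquire, release on drop
    Port* p_;
public:
    explicit PortRef(Port* p) : p_(p) { if (p_) p_->addRef(); }
    PortRef(const PortRef&) = delete;
    PortRef& operator=(const PortRef&) = delete;
    ~PortRef() { reset(); }
    void reset() { if (p_) { p_->release(); p_ = nullptr; } }
};

// Returns the number of release() calls that landed on a destroyed object.
int run(bool directRelease) {
    Port port;                      // storage outlives the scenario, so no real UAF here
    {
        PortRef request(&port);     // reference held by a queued request
        {
            PortRef guard(&port);   // reference held by a scope guard; count == 2
            if (directRelease)
                port.release();     // unowned decrement on the disconnect path: 2 -> 1
        }                           // guard drops: 1 -> 0, object "destroyed"
    }                               // request drops: release on a destroyed object
    return port.releasesAfterDestroy;
}

int main() {
    std::printf("direct release: %d stale release(s)\n", run(true));
    std::printf("owned only:     %d stale release(s)\n", run(false));
    return 0;
}
```

With the unowned `release()` removed, every decrement is paired with an `addRef()` made by the same holder, and the last holder is the one that destroys the object.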


Kovalenko Dmitry added a comment - 13/Jan/20 08:26 AM
At the current time, I have a test fix for this problem.

General idea - do not use direct calls of the 'rem_port::release' method and rem_port::addRef in the rem_port constructor.

Kovalenko Dmitry made changes - 06/Feb/20 07:06 AM
Field Original Value New Value
Security Developers [ 10012 ]
Kovalenko Dmitry added a comment - 06/Feb/20 07:08 AM
Test application

Kovalenko Dmitry made changes - 06/Feb/20 07:08 AM
Attachment 2020_02_06--fb_bug-core-6224.7z [ 13421 ]
Vlad Khorsun added a comment - 01/Mar/20 01:22 PM
Please confirm - it does not happen without wire compression.
Why does the test application send 16KB of excess zeros within op_execute in tests "RemoteFB.WORK.019.StmtExecute.*core_bug_4785" ?
Is it reproducible with the Firebird client (fbclient.dll) ?

Kovalenko Dmitry added a comment - 01/Mar/20 06:40 PM
>Please confirm - it does not happen without wire compression.

This problem appeared after adding (and enabling) connection compression support.

Before (without wire compression) these tests did not crash the server.

RUS. Yes, the problem appeared after enabling connection data compression. Previously (without compression), no problems with these tests were observed.

>Why does the test application send 16KB of excess zeros within op_execute in tests "RemoteFB.WORK.019.StmtExecute.*core_bug_4785" ?

It is special test for another (old) problem in server - CORE-4785.

>Is it reproducible with Firebird client (fbclient.dll) ?

I did not create similar tests for fbclient.dll.

Vlad Khorsun added a comment - 01/Mar/20 08:07 PM
> >Is it reproducible with Firebird client (fbclient.dll) ?

> I did not create similar tests for fbclient.dll.

I.e. it is not possible to reproduce it with the standard (read correct) client implementation, am I right ?

The network server has a problem, no doubt, and I'll fix it - I just want to find out the real severity of this bug.

Vlad Khorsun made changes - 05/Mar/20 09:15 PM
Assignee Vlad Khorsun [ hvlad ]
Vlad Khorsun made changes - 05/Mar/20 09:32 PM
Status Open [ 1 ] Resolved [ 5 ]
Fix Version/s 4.0 Beta 2 [ 10888 ]
Fix Version/s 3.0.6 [ 10889 ]
Resolution Fixed [ 1 ]
Dmitry Yemanov made changes - 20/Apr/20 10:19 AM
Security Developers [ 10012 ]