fix: crash when huge write #1099

ZhongChaoqiang · 2022-04-26T07:58:16Z

Related-Issue

Change

when buffer of slog is more 2GB, then flush to slog file, it maybe crash.

src/aio/disk_engine.cpp

…e_write

acelyc111 · 2022-04-27T09:21:58Z

@ZhongChaoqiang The CI failed at https://github.com/XiaoMi/rdsn/runs/6189338284?check_suite_focus=true#step:8:1807, plz check it.

ZhongChaoqiang · 2022-04-27T09:25:15Z

ok, I’m checking it dsn_aio_test这个用例会core，debug信息如下： [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1". --Type <RET> for more, q to quit, c to continue without paging--c Core was generated by `./dsn_aio_test'. Program terminated with signal SIGABRT, Aborted. #0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50 50 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory. [Current thread is 1 (Thread 0x7fb4e6f12700 (LWP 27730))] (gdb) bt #0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50 #1 0x00007fb4eccdf859 in __GI_abort () at abort.c:79 #2 0x00007fb4ecd4a29e in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7fb4ece7408f "*** %s ***: terminated\n") at ../sysdeps/posix/libc_fatal.c:155 #3 0x00007fb4ecdecaea in __GI___fortify_fail (msg=msg@entry=0x7fb4ece74077 "stack smashing detected") at fortify_fail.c:26 #4 0x00007fb4ecdecab6 in __stack_chk_fail () at stack_chk_fail.c:24 #5 0x000055dd0c6ea2b7 in dsn::disk_engine::complete_io ( this=0x55dd0c79fbe8 <dsn::utils::singleton<dsn::disk_engine>::instance()::_instance>, aio=aio@entry=0x55dd0ecfd600, err=..., bytes=12) at /usr/include/c++/9/bits/basic_string.h:2300 #6 0x000055dd0c6edadd in dsn::aio_provider::complete_io (this=this@entry=0x55dd0ec30040, aio=aio@entry=0x55dd0ecfd600, err=..., err@entry=..., bytes=<optimized out>) at /opt/zhongchaoqiang/incubator-pegasus/rdsn/src/aio/aio_provider.cpp:36 #7 0x000055dd0c6eb5f1 in dsn::native_linux_aio_provider::aio_internal (this=0x55dd0ec30040, aio_tsk=0x55dd0ecfd600) at /opt/zhongchaoqiang/incubator-pegasus/rdsn/src/aio/native_linux_aio_provider.cpp:165 #8 0x000055dd0c66b49a in dsn::task::exec_internal (this=0x55dd0ecfac30) at /opt/zhongchaoqiang/incubator-pegasus/rdsn/src/runtime/task/task.cpp:176 #9 0x000055dd0c68285e in dsn::task_worker::loop (this=0x55dd0ed02000) at /opt/zhongchaoqiang/incubator-pegasus/rdsn/src/runtime/task/task_worker.cpp:224 #10 0x000055dd0c682a7f in dsn::task_worker::run_internal (this=0x55dd0ed02000) at /opt/zhongchaoqiang/incubator-pegasus/rdsn/src/runtime/task/task_worker.cpp:204 #11 0x00007fb4ecfa0d84 in ?? () from /lib/x86_64-linux-gnu/libstdc++.so.6 #12 0x00007fb4ed2b0609 in start_thread (arg=<optimized out>) at pthread_create.c:477 #13 0x00007fb4ecddc163 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95 (gdb) f 5 #5 0x000055dd0c6ea2b7 in dsn::disk_engine::complete_io ( this=0x55dd0c79fbe8 <dsn::utils::singleton<dsn::disk_engine>::instance()::_instance>, aio=aio@entry=0x55dd0ecfd600, err=..., bytes=12) at /usr/include/c++/9/bits/basic_string.h:2300 2300 c_str() const _GLIBCXX_NOEXCEPT (gdb) f 6 #6 0x000055dd0c6edadd in dsn::aio_provider::complete_io (this=this@entry=0x55dd0ec30040, aio=aio@entry=0x55dd0ecfd600, err=..., err@entry=..., bytes=<optimized out>) at /opt/zhongchaoqiang/incubator-pegasus/rdsn/src/aio/aio_provider.cpp:36 36 _engine->complete_io(aio, err, bytes); (gdb) p err $1 = <optimized out> (gdb) f 7 #7 0x000055dd0c6eb5f1 in dsn::native_linux_aio_provider::aio_internal (this=0x55dd0ec30040, aio_tsk=0x55dd0ecfd600) at /opt/zhongchaoqiang/incubator-pegasus/rdsn/src/aio/native_linux_aio_provider.cpp:165 165 complete_io(aio_tsk, err, processed_bytes); (gdb) p err $2 = {_internal_code = 0} (gdb) p processed_bytes $3 = 12

acelyc111 · 2022-04-27T11:05:22Z

@ZhongChaoqiang
See details here, it tells you what the problem is.
The variable in src/aio/disk_engine.cpp L269 is uint32_t sz;, but in src/aio/disk_engine.cpp L56, we want to dereference it as an uint64_t (uint64_t &sz = *(uint64_t *)plength;). So stack-buffer-overflow error occurs, and may cause following coredump.

ZhongChaoqiang · 2022-04-28T03:34:56Z

@ZhongChaoqiang See details here, it tells you what the problem is. The variable in src/aio/disk_engine.cpp L269 is uint32_t sz;, but in src/aio/disk_engine.cpp L56, we want to dereference it as an uint64_t (uint64_t &sz = *(uint64_t *)plength;). So stack-buffer-overflow error occurs, and may cause following coredump.

Thanks very much

acelyc111 · 2022-04-28T06:31:34Z

Thanks for your contribution!
Could you describe how do you troubleshooting the bug you found when write with huge thoughput, and create a specify issue?

xihong08 · 2022-04-28T07:40:23Z

Thanks for your contribution! Could you describe how do you troubleshooting the bug you found when write with huge thoughput, and create a specify issue?
@acelyc111 . i can describe detailed case. this maybe happened on the server side in busying write status，and crash happened in aio_task::collapse ::memcpy(dest, b.buffer, b.size); it resulting by memory overwriting . and root cause is integer overflow，coz aio_context's buffer_size is 4 bytes, in dsn::file::write_vector file_io.cpp L128 , the aio_context's buffer_size may be overflow when to be written data size more 4GB, so crash it later.

fix: crash when huge write

d7d1722

foreverneverer previously approved these changes Apr 26, 2022

View reviewed changes

acelyc111 reviewed Apr 26, 2022

View reviewed changes

src/aio/disk_engine.cpp Outdated Show resolved Hide resolved

fix: crash when huge write

16b1d1f

ZhongChaoqiang dismissed foreverneverer’s stale review via 16b1d1f April 27, 2022 07:35

Merge branch 'master' of https://github.com/XiaoMi/rdsn into fix_larg…

680a2d6

…e_write

fix: crash when huge write

88dc9c6

acelyc111 approved these changes Apr 28, 2022

View reviewed changes

foreverneverer approved these changes Apr 28, 2022

View reviewed changes

acelyc111 merged commit 3f0c632 into XiaoMi:master Apr 28, 2022

foreverneverer mentioned this pull request Jul 15, 2022

Release 2.4.0 apache/incubator-pegasus#1032

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix: crash when huge write #1099

fix: crash when huge write #1099

ZhongChaoqiang commented Apr 26, 2022

acelyc111 commented Apr 27, 2022

ZhongChaoqiang commented Apr 27, 2022 via email •

edited by acelyc111

Loading

acelyc111 commented Apr 27, 2022 •

edited

Loading

ZhongChaoqiang commented Apr 28, 2022

acelyc111 commented Apr 28, 2022

xihong08 commented Apr 28, 2022 •

edited

Loading

fix: crash when huge write #1099

fix: crash when huge write #1099

Conversation

ZhongChaoqiang commented Apr 26, 2022

Related-Issue

Change

acelyc111 commented Apr 27, 2022

ZhongChaoqiang commented Apr 27, 2022 via email • edited by acelyc111 Loading

acelyc111 commented Apr 27, 2022 • edited Loading

ZhongChaoqiang commented Apr 28, 2022

acelyc111 commented Apr 28, 2022

xihong08 commented Apr 28, 2022 • edited Loading

ZhongChaoqiang commented Apr 27, 2022 via email •

edited by acelyc111

Loading

acelyc111 commented Apr 27, 2022 •

edited

Loading

xihong08 commented Apr 28, 2022 •

edited

Loading