activemq-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "python (JIRA)" <j...@apache.org>
Subject [jira] Created: (AMQCPP-184) TransportFilter::fire() crashes after accessing a dangling pointer during exception in ActiveMQConnectionFactory::createConnection()
Date Wed, 18 Jun 2008 18:21:00 GMT
TransportFilter::fire() crashes after accessing a dangling pointer during exception in ActiveMQConnectionFactory::createConnection()
------------------------------------------------------------------------------------------------------------------------------------

                 Key: AMQCPP-184
                 URL: https://issues.apache.org/activemq/browse/AMQCPP-184
             Project: ActiveMQ C++ Client
          Issue Type: Bug
    Affects Versions: 2.1.3
         Environment: Windows XP/Server 2003
            Reporter: python
            Assignee: Nathan Mittler


This problems was seen on:

Versions:
ActiveMQ-cpp-2.1.3 (WindowsServer2003/XP)
ActiveMQ Broker 5.1 (WindowsServer2003)

This looks similar to issue [AMQCPP-122|https://issues.apache.org/activemq/browse/AMQCPP-122],
which was fixed in 2.1, but I don't see how IOTransport::run() and error handling have been
properly synchronized. 

Steps to reproduce:
# Continuously try to reconnect to an activemq broker that has run out of memory.
# This may eventually produce the crash (could take several hours to produce depending on
frequency of reconnect attempts).
# Running activemq-cpp through purify can help reproduce this problem more easily. 
# A "R6025 pure virtual function call" error message may be printed out to the console when
this error happens.

Backtraces:

Thread 1:
{noformat}
activemq::transport::TransportFilter::fire()  + 0x48 bytes          
activemq::transport::TransportFilter::fire()  + 0x48 bytes          
activemq::transport::IOTransport::fire()  + 0x48 bytes                
activemq::transport::IOTransport::run()  + 0x7f bytes                
activemq::concurrent::Thread::runCallback()  + 0x45 bytes      
msvcr80.dll!781329bb()
{noformat}

The crash happens on this line:
	exceptionListener->onTransportException( this, ex );

Thread 2:
{noformat}
activemq::concurrent::Thread::join()  Line 108       C++
activemq::transport::IOTransport::close()  Line 143           C++
activemq::transport::TransportFilter::close()  Line 213       C++
activemq::transport::filters::TcpTransport::close()  Line 143 + 0xb bytes    C++
activemq::transport::filters::ResponseCorrelator::close()  Line 241 C++
activemq::transport::filters::ResponseCorrelator::~ResponseCorrelator()  Line 64   C++
activemq::transport::filters::ResponseCorrelator::`scalar deleting destructor'()  + 0xf bytes
C++
activemq::core::ActiveMQConnectionFactory::createConnection(const std::basic_string<char,std::char_traits<char>,std::allocator<char>
activemq::core::ActiveMQConnectionFactory::createConnection()  Line 66 + 0x3a bytes     C++
{noformat}

During ActiveMQConnectionFactory::createConnection() an exception is thrown and the transport
object is deleted. Unfortunately,
while being deleted this object is still being used by Thread#1 (IOTransport::run). 

I greatly reduced the likelihood of this problem by calling setTransportExceptionListener(NULL)
in TransportFilter's destructor. 


After doing that, another crash will start to appear (under the same test conditions) with
the following backtrace:

Thread 1:
{noformat}
activemq::connector::openwire::OpenWireCommandReader::readCommand()  Line 71 + 0x1e bytes
   C++
activemq::transport::IOTransport::run()  Line 166 + 0x19 bytes       C++
activemq::concurrent::Thread::runCallback(void * param=0x02a750b0)  Line 152 + 0x13 bytes
           C++
msvcr80d.dll!_callthreadstartex()  Line 348 + 0xf bytes    C
msvcr80d.dll!_threadstartex(void * ptd=0x02a6b8c0)  Line 331    C
kernel32.dll!7c80b683() 
ntdll.dll!7c91b686()     
{noformat}

The crash happens on this line:
	return openWireFormat->unmarshal( dataInputStream );

Thread 2:
{noformat}
activemq::concurrent::Thread::join()  Line 108       C++
activemq::transport::IOTransport::close()  Line 143           C++
activemq::transport::TransportFilter::close()  Line 213       C++
activemq::transport::filters::TcpTransport::close()  Line 143 + 0xb bytes    C++
activemq::transport::filters::ResponseCorrelator::close()  Line 241 C++
activemq::transport::filters::ResponseCorrelator::~ResponseCorrelator()  Line 64   C++
activemq::transport::filters::ResponseCorrelator::`scalar deleting destructor'()  + 0xf bytes
C++
activemq::core::ActiveMQConnectionFactory::createConnection(const std::basic_string<char,std::char_traits<char>,std::allocator<char>
activemq::core::ActiveMQConnectionFactory::createConnection()  Line 66 + 0x3a bytes     C++
{noformat}

This second problem is similar to the first and seems to be caused when the OpenWireConnector
is deleted before IOTransport::close() is called. Since IOTransport::run() tries to use the
OpenWireConnector (via OpenWireCommandReader::readCommand()), a crash can occur.



-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


Mime
View raw message