On Tue, Apr 6, 2021 at 4:16 PM Ted Ross <[email protected]> wrote:

> On Tue, Apr 6, 2021 at 3:28 PM Ganesh Murthy <[email protected]> wrote:
>
> > On Tue, Apr 6, 2021 at 2:57 PM Ted Ross <[email protected]> wrote:
> >
> > > Hi Ganesh,
> > >
> > > Yes, multiple links can share the same owning_addr.  It looks, from a
> > > reading of the backtrace, that it might not be the address that's double
> > > freed, but it might be the outstanding_deliveries field of the address
> > > that's being freed here.
> > >
> > It does look like the crash occurs due to the double freeing of
> > outstanding_deliveries but grep-ing for outstanding_deliveries, it is
> > freed only in that code and nowhere else. That is what leads me to think
> > that the address itself is being double-freed.
> >
> > If multiple link->owning_addr(s) can point to the same addr, should we
> > use the qdr_address_t's ref_count field to avoid such crashes? Increase
> > the ref_count when an addr is assigned to a link->owning_addr and decrease
> > the ref_count when the link->owning_addr is set to zero? This ref_count
> > is already used when deleting qdr_address_t objects.
> >
>
> qdr_check_addr_CT already looks at the number of rlinks and inlinks for the
> address.  I believe that every link that claims the address as its
> owning_addr should be listed in one of those two lists.  That should
> protect against address-double-frees on link detach.
>
OK, fair enough. So, if the addr is not the one being double freed and the
router is crashing on line 608 - free(addr->outstanding_deliveries); -
and considering that the only place outstanding_deliveries is freed is in
line 608, the other possibility is that two addresses share the same
outstanding_deliveries, which seems impossible?

>
>
> >
> > Thanks.
> >
> > >
> > > -Ted
> > >
> > > On Tue, Apr 6, 2021 at 12:16 PM Ganesh Murthy <[email protected]> wrote:
> > >
> > > > I have a quick question about qdr_link_t's owning_addr field (
> > > > https://github.com/apache/qpid-dispatch/blob/1.15.0/src/router_core/router_core_private.h#L437
> > > > )
> > > >
> > > > Can the owning_addr on many links point to the same address?
> > > >
> > > > For example, can the following be true?
> > > >
> > > > link1->owning_addr = my_addr
> > > > link2->owning_addr = my_addr
> > > >
> > > > The reason I ask is because of the ASAN crash seen here -
> > > > https://issues.apache.org/jira/browse/DISPATCH-2019?focusedCommentId=17314238&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-17314238
> > > > (you will have to "git checkout ead503c94926f732fba7ddd5ee0826aa3bcd2c79"
> > > > for the line numbers on the backtrace to match up).
> > > >
> > > > Looking at that backtrace, it *seems* like two links got detached and
> > > > both links point to the same owning_addr. The first detach call to the
> > > > core frees the owning_addr object while the second detach on a different
> > > > link with the same owning_addr causes a double free to happen.
> > > > The reason I ask is because I have been unable to reproduce this crash
> > > > so I am left to guess that this might be the reason for the crash.
> > > >
> > > > Thanks.
> > > >
> > >
> >
>
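The ownership rule discussed above (an address is released only once no link still lists it in rlinks or inlinks, so a second detach on a sibling link cannot free it again) as an added C model written for this thread; it is not qpid-dispatch code, and the struct layout, the count fields standing in for the rlinks/inlinks lists, and the two-link scenario are assumptions.

```c
/* Added model (not qpid-dispatch code): two links share one owning address,
 * which must be freed once, on the last detach. Names echo the thread; the
 * structs are stand-ins (counts in place of the rlinks/inlinks lists). */
#include <stdlib.h>

typedef struct addr_t {
    void *outstanding_deliveries;     /* stand-in for addr->outstanding_deliveries */
    int   rlink_count, inlink_count;  /* stand-ins for addr->rlinks / addr->inlinks */
} addr_t;
typedef struct link_t { addr_t *owning_addr; int is_inlink; } link_t;
int addr_frees;               /* how many times an address was freed */
int frees_after_first_detach; /* frees observed when only one link had detached */

/* The qdr_check_addr_CT idea: free only once no link still lists this address. */
static void addr_check_and_free(addr_t *a) {
    if (a->rlink_count == 0 && a->inlink_count == 0) {
        free(a->outstanding_deliveries);
        a->outstanding_deliveries = NULL;
        free(a);
        addr_frees++;
    }
}
static void link_attach(link_t *l, addr_t *a, int is_inlink) {
    l->owning_addr = a;
    l->is_inlink   = is_inlink;
    if (is_inlink) a->inlink_count++; else a->rlink_count++;
}
/* Detach: drop this link's claim, clear owning_addr, then run the check. */
static void link_detach(link_t *l) {
    addr_t *a = l->owning_addr;
    if (!a) return;                  /* a repeated detach is a no-op */
    if (l->is_inlink) a->inlink_count--; else a->rlink_count--;
    l->owning_addr = NULL;           /* never leave a dangling owning_addr */
    addr_check_and_free(a);
}
/* The thread's scenario: link1 and link2 both own my_addr and both detach.
 * Returns the total number of address frees (expected: exactly 1). */
int detach_shared_addr_scenario(void) {
    addr_t *my_addr = calloc(1, sizeof *my_addr);
    my_addr->outstanding_deliveries = calloc(16, sizeof(void *));
    link_t link1 = {0}, link2 = {0};
    addr_frees = 0;
    link_attach(&link1, my_addr, 1);
    link_attach(&link2, my_addr, 0);
    link_detach(&link1);
    frees_after_first_detach = addr_frees;   /* still 0: link2 holds it */
    link_detach(&link2);                     /* last owner gone: freed here */
    link_detach(&link2);                     /* no-op, no double free */
    return addr_frees;
}
```

Running the scenario under ASAN reports no double free, which is what the list check is meant to guarantee; if a link could drop out of both lists while still holding owning_addr, the second detach would free the address (and its outstanding_deliveries) again.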
