[zeromq-dev] Seg Fault in zmq_msg_size() ZeroMQ 2.1.4
Martin Sustrik
sustrik at 250bpm.com
Wed Apr 6 07:07:21 CEST 2011
Hi Bob,
> I've been testing ZeroMQ 2.1.4 and I've run into a problem that
> occurs far too often, but not all the time, and I wanted to get any
> ideas of what I can do to make it happen less, or if I need to submit
> a patch to the 2.1.x code. It's detailed in the gist
> https://gist.github.com/903836 and basically, it appears that in the
> function zmq_msg_size(), the last line is being hit, and the
> msg_->context might be NULL. It certainly causes a seg fault whose
> backtrace is included in the gist.
No idea how that can happen. I believe msg->content is not supposed to
be NULL.
> After talking it over on IRC, the
> question was raised that the encoder_t::message_ready() has a
> potential bug in it - that the first thing done is to close the
> message, and then if it's not re-inited, the size is called. Seems
> that the closed message would have problems generating 'size'.
I think the code is OK. Note that the in_progress message is initialised in
the source->read (&in_progress) call, which pops the next message from the pipe.
If there's no message in the pipe, read() returns false, which causes
zmq_msg_init() to be called. So the message is re-initialised in all cases.
> So it
> seems that zmq_msg_size() should check the msg->context to make sure
> it's not NULL before accessing the size... and there's a question
> about the basic logic of the message_ready() method and calling
> zmq_msg_size() on the message after calling zmq_msg_close()?
I think the above comment explains the logic.
> If it's
> something on my end - something I'm passing in that makes these
> conditions occur, then please let me know and I'll trap for it before
> sending. If it's a bug, and you want me to submit a patch for
> zmq_msg_size(), just let me know.
It definitely looks like a bug, please do fill in a report. As usual, a
minimal test case would be highly appreciated.
> If there's a logic issue in
> message_ready(), I need a little more background or digging before
> I'm ready to tackle that - for it seems to work most of the time.
Maybe a memory overwrite for a different thread? A race condition?
Anyway, the encoder is a message encoding state machine. It goes through
several steps when converting the message into its binary format that
will be sent to the wire later on. message_ready is the step of the
state machine where the previous message was fully written and a new one is
retrieved from a pipe. The code below 'size++' actually writes the 'size'
field of the binary format (see zmq_tcp(7)).
Martin
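The framing step Martin describes (size++ to account for the flags byte, then a one-byte length for frames under 255 bytes or a 0xff escape followed by an 8-byte big-endian length) is the zmq_tcp(7) wire format of 0MQ 2.x. The following is an added illustration written for this archive page, not the project's encoder_t: a stand-alone encoder and a matching decoder for that frame layout, so the two header shapes and the size-counts-the-flags-byte rule can be checked against each other. The function names, the ZMTP1_MORE constant (assumed to be bit 0 of the flags byte, as zmq_tcp(7) describes the MORE flag) and the sample bodies are all constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ZMTP1_MORE 0x01   /* assumed: flags bit 0 = more frames follow */

/* Header is 2 bytes (length, flags) when length < 255, else 10 bytes
   (0xff escape, 8-byte big-endian length, flags). The length field counts
   the flags byte, hence body_len + 1, exactly the size++ in message_ready. */
size_t zmtp1_header_len(size_t body_len)
{
    return ((uint64_t) body_len + 1 < 255) ? 2 : 10;
}

/* Encode one message body into a zmq_tcp(7) frame.
   Returns bytes written, or 0 if out is too small. */
size_t zmtp1_encode(const unsigned char *body, size_t body_len,
                    unsigned char flags, unsigned char *out, size_t out_len)
{
    uint64_t size = (uint64_t) body_len + 1;        /* body + flags byte */
    size_t hdr = zmtp1_header_len(body_len);
    size_t i;

    if (out_len < hdr + body_len)
        return 0;
    if (hdr == 2) {
        out[0] = (unsigned char) size;
        out[1] = flags;
    } else {
        out[0] = 0xff;                              /* escape: 8-byte length */
        for (i = 0; i < 8; i++)
            out[1 + i] = (unsigned char) (size >> (8 * (7 - i)));
        out[9] = flags;
    }
    memcpy(out + hdr, body, body_len);
    return hdr + body_len;
}

/* Decode one frame from in[0..in_len). On success returns the number of
   bytes consumed and sets *body, *body_len, *flags. Returns 0 when the
   input is truncated or the length field is 0 (it must at least cover
   the flags byte), so a reader never indexes past the buffer. */
size_t zmtp1_decode(const unsigned char *in, size_t in_len,
                    const unsigned char **body, size_t *body_len,
                    unsigned char *flags)
{
    uint64_t size = 0;
    size_t pos, i;

    if (in_len < 1)
        return 0;
    if (in[0] != 0xff) {
        size = in[0];
        pos = 1;
    } else {
        if (in_len < 9)
            return 0;
        for (i = 0; i < 8; i++)
            size = (size << 8) | in[1 + i];
        pos = 9;
    }
    if (size == 0 || size > (uint64_t) (in_len - pos))
        return 0;                                   /* malformed/truncated */
    *flags = in[pos];
    *body = in + pos + 1;
    *body_len = (size_t) (size - 1);
    return pos + (size_t) size;
}

/* Encode a constructed body of body_len bytes, decode it back, and verify
   header shape, flags and payload. Returns 1 on success, 0 otherwise. */
int zmtp1_roundtrip_ok(size_t body_len, unsigned char flags)
{
    unsigned char body[1024], out[1024 + 10];
    const unsigned char *b;
    size_t i, n, bl, consumed;
    unsigned char f;

    if (body_len > sizeof body)
        return 0;
    for (i = 0; i < body_len; i++)
        body[i] = (unsigned char) (i & 0xff);       /* constructed payload */
    n = zmtp1_encode(body, body_len, flags, out, sizeof out);
    if (n != zmtp1_header_len(body_len) + body_len)
        return 0;
    consumed = zmtp1_decode(out, n, &b, &bl, &f);
    return consumed == n && bl == body_len && f == flags &&
           memcmp(b, body, body_len) == 0;
}

/* A frame cut one byte short, and a zero length field, must both be rejected. */
int zmtp1_rejects_truncated(void)
{
    unsigned char body[300], out[310], zero_len[2] = { 0x00, 0x00 };
    const unsigned char *b;
    size_t n, bl;
    unsigned char f;

    memset(body, 'A', sizeof body);
    n = zmtp1_encode(body, sizeof body, 0, out, sizeof out);
    return n == 310 &&
           zmtp1_decode(out, n - 1, &b, &bl, &f) == 0 &&
           zmtp1_decode(zero_len, sizeof zero_len, &b, &bl, &f) == 0;
}

int main(void)
{
    unsigned char out[16];
    size_t i, n = zmtp1_encode((const unsigned char *) "hello", 5, ZMTP1_MORE,
                               out, sizeof out);
    for (i = 0; i < n; i++)
        printf("%02x ", out[i]);      /* 06 01 68 65 6c 6c 6f */
    printf("\n");
    return 0;
}
```

The boundary worth noting is at a 254-byte body: size becomes 255, which no longer fits the one-byte form, so the encoder switches to the 0xff escape even though the body itself is under 255 bytes.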