[zeromq-dev] zmq crash when using PGM

纪明 jiming at yafco.com
Tue Aug 14 12:40:13 CEST 2018

On 2018-08-14 17:49, Luca Boccassi wrote:
> On Mon, 2018-08-13 at 14:52 +0800, 纪明 wrote:
>> Hi all:
>>       We are using ZMQ to do some multicast work. The service keeps
>> crashing, and we found it has something to do with pgm_receiver.
>>       Specifically, there is a function called
>> zmq::pgm_receiver_t::restart_input(). When it receives some data, it
>> calls the decoder to decode the message. On line 132, it checks if the
>> message size is greater than zero. If yes, it will call the
>> process_input() function to decode the message. However, when insize is
>> greater than zero, inpos could point to null. When this happens, zmq
>> crashes when calling memcpy to copy something to the memory that inpos
>> points to. This actually looks like a threading issue to us.
>>       We would really appreciate it if anyone familiar with zmq could
>> point out a solution to this. We are using zmq in a real-time
>> environment; an occasional message drop is more acceptable than
>> crashing the service.
>> We tried to change the source code a little bit, from "if (insize > 0)"
>> to "if (insize > 0 && inpos)". It caused other problems.
>> Thanks a lot in advance.
>> Ming
> Are you using a socket from multiple threads by any chance?
No, we are only using the socket with the same IP in one thread. We
suspect there is a threading issue inside zmq that causes inpos to become
null magically. We did a dirty fix on the process_input function, and the
change seems to save our system from crashing. We are worried that a
message could be processed partially now. We will be in trouble in that
situation too. The change we made is:

int zmq::pgm_receiver_t::process_input (v1_decoder_t *decoder)
{
    zmq_assert (session != NULL);

    // Change that seems to prevent crashing
    const void* pTmp = static_cast<const void*>(inpos);
    if (pTmp == nullptr) {
        return -1;
    }
    else {
        while (insize > 0) {
            size_t n = 0;
            int rc = decoder->decode (inpos, insize, n);
            if (rc == -1)
                return -1;
            inpos += n;
            insize -= n;
            if (rc == 0)
                break;
            rc = session->push_msg (decoder->msg ());
            if (rc == -1) {
                errno_assert (errno == EAGAIN);
                return -1;
            }
        }
    }
    return 0;
}

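Added example (not part of the original post, and not libzmq code): a self-contained C++ model of the worry raised above, that bailing out of process_input on a null inpos could leave a message half-processed. toy_receiver_t, decode, run_demo and the length-prefixed framing are assumptions made for illustration; with the decoder state left untouched, the frame that follows the dropped input is merged into the earlier fragment, while resetting the decoder on the drop delivers it intact.

```cpp
#include <algorithm>
#include <string>
#include <vector>

// Hypothetical model; only the names inpos, insize and process_input come from
// the post. Frames are [1-byte length][payload] and may span several buffers.
struct toy_receiver_t {
    const unsigned char *inpos = nullptr;
    size_t insize = 0;
    std::string msg; // decoder state: payload collected so far
    int need = -1;   // decoder state: bytes still missing, -1 = expect length byte
    std::vector<std::string> delivered;
    // Returns 1 when msg holds a complete frame, 0 when more data is needed.
    int decode (size_t &used) {
        used = 0;
        if (need < 0) { msg.clear (); need = inpos[used++]; }
        size_t take = std::min<size_t> (need, insize - used);
        msg.append (reinterpret_cast<const char *> (inpos + used), take);
        used += take; need -= static_cast<int> (take);
        if (need > 0) return 0;
        need = -1;
        return 1;
    }
    int process_input (bool reset_decoder_on_drop) {
        if (insize > 0 && inpos == nullptr) { // inconsistent pair: drop as one unit
            insize = 0;
            if (reset_decoder_on_drop) { msg.clear (); need = -1; }
            return -1;
        }
        while (insize > 0) {
            size_t n = 0;
            int rc = decode (n);
            inpos += n;
            insize -= n;
            if (rc == 0) break;
            delivered.push_back (msg);
        }
        return 0;
    }
};
// Constructed input: a truncated frame, the null-inpos state, a complete frame.
std::vector<std::string> run_demo (bool reset_decoder_on_drop) {
    static const unsigned char a[] = {5, 'h', 'e'}, b[] = {2, 'o', 'k'};
    toy_receiver_t r;
    r.inpos = a; r.insize = sizeof a; r.process_input (reset_decoder_on_drop);
    r.inpos = nullptr; r.insize = 3; r.process_input (reset_decoder_on_drop);
    r.inpos = b; r.insize = sizeof b; r.process_input (reset_decoder_on_drop);
    return r.delivered;
}
```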