MailCore / mailcore2

MailCore 2 provides a simple and asynchronous API to work with the e-mail protocols IMAP, POP and SMTP. The API has been redesigned from the ground up.

crash caused by concurrency #1917

Open Vincentzzg opened 3 years ago

Vincentzzg commented 3 years ago

My email application is developed using Mailcore2. The development process is good, but the released application has collected a lot of crashes, all of which are in the Mailcore2 library.

The crash log is as follows:

Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Subtype: KERN_INVALID_ADDRESS at 0x00009b1a732b3bb0
VM Region Info: 0x9b1a732b3bb0 is not in any region.  Bytes after previous region: 170056867330993  
      REGION TYPE                 START - END      [ VSIZE] PRT/MAX SHRMOD  REGION DETAIL
      commpage (reserved)     1000000000-7000000000 [384.0G] ---/--- SM=NUL  ...(unallocated)
--->  
      UNUSED SPACE AT END

Termination Signal: Segmentation fault: 11
Termination Reason: Namespace SIGNAL, Code 0xb
Terminating Process: exc handler [1957]
Triggered by Thread:  0

Thread 0 name:
Thread 0 Crashed:
0   MailCore                        0x0000000108339fe4 -[MCOIMAPSession folderStatusOperation:] + 64 (MCOIMAPSession.mm:216)
1   MailCore                        0x0000000108339fdc -[MCOIMAPSession folderStatusOperation:] + 56 (MCOIMAPSession.mm:216)

After a long time of analysis and research, I found that the crash was caused by the early release of the IMAPAsyncSession * _session object in the MCOIMAPSession under concurrent conditions.

The problem should be because the MC_SAFE_RELEASE macro is not locked. The _session object was released early, and subsequent access to _session caused the EXC_BAD_ACCESS to crash.

If two threads run the release() function at the same time, like the following:

[Image: Screenshot 2021-05-19 10:30:57 AM]

At this time, other pointers to the _session object become dangling pointers.
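
The interleaving described in the issue, modeled as an added C++ example (not code from the issue or from MailCore). `Counted`, `racyInterleaving`, `safeRelease` and `concurrentSafeRelease` are hypothetical names, and the check-release-clear sequence is an assumption about what an unlocked safe-release macro does.

```cpp
#include <atomic>
#include <cstdio>
#include <thread>
#include <vector>

// Hypothetical stand-in for a reference-counted object. It never frees
// itself, so an over-release can be counted instead of corrupting memory.
struct Counted {
    std::atomic<int> refs{1};
    std::atomic<int> overReleases{0};
    void release() {
        if (refs.fetch_sub(1) <= 0) overReleases.fetch_add(1);
    }
};

// Unsynchronized check-release-clear, replayed in the bad order:
// both callers pass the NULL check before either one clears the field.
int racyInterleaving() {
    Counted obj;
    Counted *field = &obj;          // shared member, like _session
    Counted *seenByA = field;       // thread A: field != NULL
    Counted *seenByB = field;       // thread B: field != NULL (A has not cleared it yet)
    if (seenByA) { seenByA->release(); field = nullptr; }
    if (seenByB) { seenByB->release(); field = nullptr; }
    return obj.overReleases.load(); // 1: the second release hit a dead object
}

// Hardened variant: exchange() hands the pointer to exactly one caller.
void safeRelease(std::atomic<Counted *> &field) {
    Counted *owned = field.exchange(nullptr);
    if (owned) owned->release();
}

int concurrentSafeRelease(int threads) {
    Counted obj;
    std::atomic<Counted *> field{&obj};
    std::vector<std::thread> pool;
    for (int i = 0; i < threads; ++i)
        pool.emplace_back([&field] { safeRelease(field); });
    for (auto &t : pool) t.join();
    return obj.overReleases.load() + obj.refs.load(); // 0: released exactly once
}

int main() {
    std::printf("racy over-releases: %d\n", racyInterleaving());
    std::printf("atomic exchange leftovers: %d\n", concurrentSafeRelease(8));
    return 0;
}
```

The exchange only guarantees a single release through this field; a thread that copied the raw pointer earlier without retaining it still holds a dangling pointer.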