eclipse / paho.mqtt.rust


SIGSEGV @Socket_getReadySocket() - Socket.c:498 #176

Closed dwrobel closed 1 year ago

dwrobel commented 1 year ago

I observed a SIGSEGV while attempting to copy data to address 0. Short excerpt:

(gdb) p mod_s.saved.fds
$6 = (struct pollfd *) 0x0

See full backtrace:

[dw@dell sun2000-homie]$ coredumpctl  debug 783875
           PID: 783875 (sun2000-homie)
           UID: 1000 (dw)
           GID: 1000 (dw)
        Signal: 11 (SEGV)
     Timestamp: Sat 2022-11-26 15:50:12 CET (4min 44s ago)
  Command Line: target/debug/sun2000-homie
    Executable: /home/dw/projects/modbus/sun2000-homie/target/debug/sun2000-homie
 Control Group: /user.slice/user-1000.slice/user@1000.service/app.slice/app-org.gnome.Terminal.slice/vte-spawn-3372d904-03f4-455d-ab77-443b6cde01a3.scope
          Unit: user@1000.service
     User Unit: vte-spawn-3372d904-03f4-455d-ab77-443b6cde01a3.scope
         Slice: user-1000.slice
     Owner UID: 1000 (dw)
       Boot ID: 30dbb554d175419ea4078ff005a3df8d
    Machine ID: e1af0b98c8a0487684ebb3e4e957c13a
      Hostname: dell-wifi
       Storage: /var/lib/systemd/coredump/core.sun2000-homie.1000.30dbb554d175419ea4078ff005a3df8d.783875.1669474212000000.zst (present)
     Disk Size: 308.9K
       Package: openssl/3.0.5-2.fc36
      build-id: a97d564309ce3dffa9df822f31f75bb612da938b
       Message: Process 783875 (sun2000-homie) of user 1000 dumped core.

                Module /home/dw/projects/modbus/sun2000-homie/target/debug/sun2000-homie with build-id a97d564309ce3dffa9df822f31f75bb612da938b
                Metadata for module /home/dw/projects/modbus/sun2000-homie/target/debug/sun2000-homie owned by FDO found: {
                    "type" : "rpm",
                    "name" : "openssl",
                    "version" : "3.0.5-2.fc36",
                    "architecture" : "x86_64",
                    "osCpe" : "cpe:/o:fedoraproject:fedora:36"
                }

                Module linux-vdso.so.1 with build-id 28de22885e5a5f761e8b05fe6d610d65bb875b04
                Module libz.so.1 with build-id aec7e77c3a6ce5dd195a8c86a8fb1178715cf45f
                Metadata for module libz.so.1 owned by FDO found: {
                    "type" : "rpm",
                    "name" : "zlib",
                    "version" : "1.2.11-33.fc36",
                    "architecture" : "x86_64",
                    "osCpe" : "cpe:/o:fedoraproject:fedora:36"
                }

                Module ld-linux-x86-64.so.2 with build-id 2aa5962e15d15765ad42186dfbfe781fe04ca380
                Module libc.so.6 with build-id 85c438f4ff93e21675ff174371c9c583dca00b2c
                Module libm.so.6 with build-id bb4e131d89132b4f4f70f131218052e223310b15
                Module libgcc_s.so.1 with build-id d2af939e688fb4b2daf4f58d3af527f04c1c6cf3
                Module libcrypto.so.3 with build-id 3c1b40eeebd055df267c67775fe8d9a877c45ce1
                Metadata for module libcrypto.so.3 owned by FDO found: {
                    "type" : "rpm",
                    "name" : "openssl",
                    "version" : "3.0.5-2.fc36",
                    "architecture" : "x86_64",
                    "osCpe" : "cpe:/o:fedoraproject:fedora:36"
                }

                Module libssl.so.3 with build-id fe834a609af3487913ad9d5992470268774e1b70
                Metadata for module libssl.so.3 owned by FDO found: {
                    "type" : "rpm",
                    "name" : "openssl",
                    "version" : "3.0.5-2.fc36",
                    "architecture" : "x86_64",
                    "osCpe" : "cpe:/o:fedoraproject:fedora:36"
                }

                Stack trace of thread 783878:
                #0  0x00007feaafb57f88 __memcpy_avx_unaligned_erms (libc.so.6 + 0x157f88)
                #1  0x000056351a8f8c51 n/a (/home/dw/projects/modbus/sun2000-homie/target/debug/sun2000-homie + 0x762c51)
                #2  0x000056351a8f084b n/a (/home/dw/projects/modbus/sun2000-homie/target/debug/sun2000-homie + 0x75a84b)
                #3  0x000056351a8ee056 n/a (/home/dw/projects/modbus/sun2000-homie/target/debug/sun2000-homie + 0x758056)
                #4  0x00007feaafa8cded start_thread (libc.so.6 + 0x8cded)
                #5  0x00007feaafb12370 __clone3 (libc.so.6 + 0x112370)

                Stack trace of thread 783877:
                #0  0x00007feaafa899d9 __futex_abstimed_wait_common64 (libc.so.6 + 0x899d9)
                #1  0x00007feaafa8c4c4 __pthread_cond_wait_common (libc.so.6 + 0x8c4c4)
                #2  0x000056351a8fd492 n/a (/home/dw/projects/modbus/sun2000-homie/target/debug/sun2000-homie + 0x767492)
                #3  0x000056351a8ed79c n/a (/home/dw/projects/modbus/sun2000-homie/target/debug/sun2000-homie + 0x75779c)
                #4  0x00007feaafa8cded start_thread (libc.so.6 + 0x8cded)
                #5  0x00007feaafb12370 __clone3 (libc.so.6 + 0x112370)

                Stack trace of thread 783879:
                #0  0x00007feaafb0afbd syscall (libc.so.6 + 0x10afbd)
                #1  0x000056351a928965 n/a (/home/dw/projects/modbus/sun2000-homie/target/debug/sun2000-homie + 0x792965)
                ELF object binary architecture: AMD x86-64

GNU gdb (GDB) Fedora 12.1-2.fc36
Copyright (C) 2022 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /home/dw/projects/modbus/sun2000-homie/target/debug/sun2000-homie...
[New LWP 783878]
[New LWP 783877]
[New LWP 783879]
[New LWP 783875]

This GDB supports auto-downloading debuginfo from the following URLs:
https://debuginfod.fedoraproject.org/ 
Enable debuginfod for this session? (y or [n]) y
Debuginfod has been enabled.
To make this setting permanent, add 'set debuginfod enabled on' to .gdbinit.
Downloading 0.03 MB separate debug info for system-supplied DSO at 0x7ffcd9f12000
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Core was generated by `target/debug/sun2000-homie'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  __memmove_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:374
374     movq    %rsi, (%rdi)
[Current thread is 1 (Thread 0x7feaaf1fe640 (LWP 783878))]
warning: Missing auto-load script at offset 0 in section .debug_gdb_scripts
of file /home/dw/projects/modbus/sun2000-homie/target/debug/sun2000-homie.
Use `info auto-load python-scripts [REGEXP]' to list them.
(gdb) bt
#0  __memmove_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:374
#1  0x000056351a8f8c51 in Socket_getReadySocket (more_work=0, timeout=1000, mutex=0x56351acedd60 <socket_mutex_store>, rc=0x7feaaf1fdb0c) at /home/dw/.cargo/registry/src/github.com-1ecc6299db9ec823/paho-mqtt-sys-0.7.0/paho.mqtt.c/src/Socket.c:498
#2  0x000056351a8f084b in MQTTAsync_cycle (sock=0x7feaaf1fdc24, timeout=1000, rc=0x7feaaf1fdc28) at /home/dw/.cargo/registry/src/github.com-1ecc6299db9ec823/paho-mqtt-sys-0.7.0/paho.mqtt.c/src/MQTTAsyncUtils.c:2903
#3  0x000056351a8ee056 in MQTTAsync_receiveThread (n=0x56351b638fd0) at /home/dw/.cargo/registry/src/github.com-1ecc6299db9ec823/paho-mqtt-sys-0.7.0/paho.mqtt.c/src/MQTTAsyncUtils.c:1992
#4  0x00007feaafa8cded in start_thread (arg=<optimized out>) at pthread_create.c:442
#5  0x00007feaafb12370 in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
(gdb) fr 1
#1  0x000056351a8f8c51 in Socket_getReadySocket (more_work=0, timeout=1000, mutex=0x56351acedd60 <socket_mutex_store>, rc=0x7feaaf1fdb0c) at /home/dw/.cargo/registry/src/github.com-1ecc6299db9ec823/paho-mqtt-sys-0.7.0/paho.mqtt.c/src/Socket.c:498
498         memcpy(mod_s.saved.fds, mod_s.fds, mod_s.nfds * sizeof(struct pollfd));
(gdb) p mod_s
$1 = {connect_pending = 0x56351b62cf80, write_pending = 0x56351b62ccf0, nfds = 1, fds = 0x56351b6374c0, saved = {cur_fd = -1, nfds = 0, fds = 0x0}}
(gdb) p mod_s.saved.fds
$2 = (struct pollfd *) 0x0
(gdb) p &mod_s.saved.fds
$3 = (struct pollfd **) 0x56351acee0a8 <mod_s+40>
(gdb) p &mod_s.fds
$4 = (struct pollfd **) 0x56351acee098 <mod_s+24>
(gdb) p mod_s.nfds
$5 = 1
(gdb) l
493             if (mod_s.saved.fds)
494                 mod_s.saved.fds = realloc(mod_s.saved.fds, mod_s.nfds * sizeof(struct pollfd));
495             else
496                 mod_s.saved.fds = malloc(mod_s.nfds * sizeof(struct pollfd));
497         }
498         memcpy(mod_s.saved.fds, mod_s.fds, mod_s.nfds * sizeof(struct pollfd));
499 
500         if (mod_s.saved.nfds == 0)
501         {
502             sock = 0;
(gdb) p mod_s.saved.fds
$6 = (struct pollfd *) 0x0
(gdb) p mod_s.fds
$7 = (struct pollfd *) 0x56351b6374c0
(gdb) p mod_s.saved
$8 = {cur_fd = -1, nfds = 0, fds = 0x0}
(gdb) 
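The listing above reaches `memcpy(mod_s.saved.fds, ...)` with `saved.fds == NULL`, so whatever the guard on line 492 evaluated to, nothing between the allocation and the copy verifies that a destination buffer exists. The following is an added example, not paho's code and not the fix in the commits linked later in this thread: it models the same resize-then-copy pattern with a small stand-in struct (`fd_state`, `snapshot_fds` and the allocator hook are assumptions, as is the resize condition, since line 492 is not shown), checks the allocation result before `memcpy`, avoids the `p = realloc(p, n)` leak, and lets a test force the allocation-failure path from the exact crash-time state (`nfds = 1`, `saved = {-1, 0, NULL}`).

```c
#include <errno.h>
#include <poll.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the state seen in the gdb dump: the live pollfd array and the
 * "saved" snapshot of it. Field names mirror the dump; the struct itself is an
 * assumption, not paho's definition. */
struct fd_state {
    struct pollfd *fds;
    int nfds;
    struct {
        int cur_fd;
        int nfds;
        struct pollfd *fds;
    } saved;
};

/* Allocator hook (assumed, for testing): pass libc realloc normally, or a
 * failing allocator to exercise the error path. realloc(NULL, n) == malloc(n),
 * so one call covers both branches of the listing. */
typedef void *(*realloc_fn)(void *, size_t);

static void *failing_alloc(void *old, size_t bytes)
{
    (void)old; (void)bytes;
    return NULL;
}

/* Resize saved.fds to hold nfds entries and copy the live array into it.
 * Returns 0 on success, -1 with errno set if the snapshot could not be taken.
 * Differences to the pattern at Socket.c:493-498: the allocation result is
 * checked before memcpy, a failed realloc leaves the old pointer intact, and
 * saved.nfds is only updated once the buffer actually exists. */
int snapshot_fds(struct fd_state *s, realloc_fn alloc)
{
    if (s->nfds < 0 || (s->nfds > 0 && s->fds == NULL)) {
        errno = EINVAL;
        return -1;
    }
    if (s->nfds == 0) {                /* nothing to copy: avoid malloc(0)/memcpy(NULL, ...) */
        free(s->saved.fds);
        s->saved.fds = NULL;
        s->saved.nfds = 0;
        return 0;
    }
    if (s->saved.nfds != s->nfds || s->saved.fds == NULL) {
        size_t bytes = (size_t)s->nfds * sizeof(struct pollfd);
        struct pollfd *p = alloc(s->saved.fds, bytes);
        if (p == NULL) {               /* fail closed instead of copying into NULL */
            errno = ENOMEM;
            return -1;
        }
        s->saved.fds = p;
        s->saved.nfds = s->nfds;
    }
    memcpy(s->saved.fds, s->fds, (size_t)s->nfds * sizeof(struct pollfd));
    return 0;
}

void snapshot_free(struct fd_state *s)
{
    free(s->saved.fds);
    s->saved.fds = NULL;
    s->saved.nfds = 0;
}

/* Crash-time state from the dump with a failing allocator: returns 1 if the
 * call reports an error and leaves saved untouched rather than segfaulting. */
int scenario_alloc_failure(void)
{
    struct pollfd live[1] = { { .fd = 3, .events = POLLIN, .revents = 0 } };
    struct fd_state s = { .fds = live, .nfds = 1,
                          .saved = { .cur_fd = -1, .nfds = 0, .fds = NULL } };
    int rc = snapshot_fds(&s, failing_alloc);
    int ok = (rc == -1 && errno == ENOMEM && s.saved.fds == NULL && s.saved.nfds == 0);
    snapshot_free(&s);
    return ok;
}

/* Normal path: first snapshot, growth to two fds, then shrink to zero.
 * Returns 1 if every step copied what it should. */
int scenario_grow_and_shrink(void)
{
    struct pollfd live[2] = { { .fd = 3, .events = POLLIN,  .revents = 0 },
                              { .fd = 4, .events = POLLOUT, .revents = 0 } };
    struct fd_state s = { .fds = live, .nfds = 1,
                          .saved = { .cur_fd = -1, .nfds = 0, .fds = NULL } };
    int ok = 1;
    ok &= (snapshot_fds(&s, realloc) == 0 && s.saved.nfds == 1 && s.saved.fds[0].fd == 3);
    s.nfds = 2;
    ok &= (snapshot_fds(&s, realloc) == 0 && s.saved.nfds == 2 &&
           s.saved.fds[1].fd == 4 && s.saved.fds[1].events == POLLOUT);
    s.nfds = 0;
    ok &= (snapshot_fds(&s, realloc) == 0 && s.saved.fds == NULL && s.saved.nfds == 0);
    snapshot_free(&s);
    return ok;
}

int main(void)
{
    printf("alloc failure handled: %d\n", scenario_alloc_failure());
    printf("grow/shrink ok:        %d\n", scenario_grow_and_shrink());
    return 0;
}
```

The check does not explain why `saved.fds` was NULL in the dump (an unchecked allocation failure and a concurrent reset of `mod_s.saved` by another thread would both produce that state), but it turns either cause into a reported error rather than a write to address 0. If the cause is a race, the resize and copy also need to run under the same mutex that protects `mod_s`.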
fpagliughi commented 1 year ago

Can you provide some more information about how to recreate this, or a small code sample?

dwrobel commented 1 year ago

I'm afraid not. However, I saw that there were similar reports, and a few days later fixes landed: https://github.com/eclipse/paho.mqtt.c/commit/c3048f90f1f9c6901ccbb4ec52ad709cf0366dbd, https://github.com/eclipse/paho.mqtt.c/commit/76a01f5ae803b978fbeede6b6af7cbb4dd11d7b2.

fpagliughi commented 1 year ago

OK. Thanks for reporting it. Let’s hope it’s fixed, but if not, please re-open this.