Actions
Bug #37767
closedlibrgw crash due to local variables deallocated
% Done:
0%
Source:
Tags:
Backport:
Regression:
No
Severity:
3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
Crash signature (v1):
Crash signature (v2):
Description
debug info:
ceph version 14.0.1-2013-g0ccdc79 (0ccdc799384801faa728d5429e82b522ee3b618b) nautilus (dev)
1: (()+0xf30a46) [0x7f375a7c1a46]
2: (()+0xf5d0) [0x7f37596845d0]
3: (std::string::size() const+0x18) [0x7f375a19f832]
4: (std::string::empty() const+0x18) [0x7f375a19e790]
5: (rgw_obj_key::empty() const+0x18) [0x7f375a1ce836]
6: (rgw_obj::empty() const+0x1c) [0x7f375a37c738]
7: (rgw::putobj::RadosWriter::~RadosWriter()+0xf6) [0x7f375a3eb19a]
8: (rgw::putobj::ManifestObjectProcessor::~ManifestObjectProcessor()+0x8b) [0x7f375a1d3637]
9: (rgw::putobj::AtomicObjectProcessor::~AtomicObjectProcessor()+0x61) [0x7f375a1e482d]
10: (std::_Optional_payload<rgw::putobj::AtomicObjectProcessor, false, false>::~_Optional_payload()+0x27) [0x7f375a1e488f]
11: (std::_Optional_base<rgw::putobj::AtomicObjectProcessor>::~_Optional_base()+0x18) [0x7f375a1dd1fc]
12: (std::optional<rgw::putobj::AtomicObjectProcessor>::~optional()+0x18) [0x7f375a1dd234]
13: (rgw::RGWWriteRequest::~RGWWriteRequest()+0xa7) [0x7f375a2087d1]
14: (rgw::RGWWriteRequest::~RGWWriteRequest()+0x18) [0x7f375a208832]
15: (rgw::RGWFileHandle::write_finish(unsigned int)+0x200) [0x7f375a1c68d6]
16: (rgw::RGWFileHandle::close()+0x44) [0x7f375a1c697e]
17: (rgw_close()+0x3b) [0x7f375a1c9a0f]
18: ./test() [0x4022cc]
19: (__libc_start_main()+0xf5) [0x7f3758aab3d5]
20: ./test() [0x401b69]
NOTE: a copy of the executable, or `objdump -rdS <executable>` is needed to interpret this.
Class RadosWriter has private member 'head_obj' which is a const ref:
class RadosWriter : public DataProcessor {
Aio *const aio;
RGWRados *const store;
const RGWBucketInfo& bucket_info;
RGWObjectCtx& obj_ctx;
const rgw_obj& head_obj;
RGWSI_RADOS::Obj stripe_obj;
RawObjSet written; // set of written objects for deletion
public:
RadosWriter(Aio *aio, RGWRados *store, const RGWBucketInfo& bucket_info,
RGWObjectCtx& obj_ctx, const rgw_obj& head_obj)
: aio(aio), store(store), bucket_info(bucket_info),
obj_ctx(obj_ctx), head_obj(head_obj)
{}
~RadosWriter();
...
};
However, in librgw, head_obj is given by a local var, which will cause memory leak in RGWWriteRequest::exec_finish(), when processor is destructed.
int RGWWriteRequest::exec_start() {
rgw_obj obj{s->bucket, s->object};
...
processor.emplace(&*aio, get_store(), s->bucket_info,
s->bucket_owner.get_id(),
*static_cast<RGWObjectCtx *>(s->obj_ctx),
obj, olh_epoch, s->req_id);
op_ret = processor->prepare();
...
} /* exec_start */
Updated by Tao CHEN over 5 years ago
Here is the patch:
https://github.com/ceph/ceph/pull/25715
Updated by Casey Bodley about 5 years ago
- Is duplicate of Bug #38769: rgw: nfs: librgw/NFS fails due to missing service setup added
Updated by Casey Bodley about 5 years ago
- Status changed from New to Duplicate
fixed by https://github.com/ceph/ceph/pull/26981, with backports being tracked in https://tracker.ceph.com/issues/38769
Actions