Bug: Seg fault in ResourceMonitorType::Worker() when deactivating RDK services caused by leaking JSONRPC::LinkType-s #6433

@npoltorapavlo

Problem/Opportunity

When deactivating services there's a crash, caused by leaking JSONRPC::LinkType.

ResourceMonitor holds pointers to IResource-s such as sockets. When a JSONRPC::LinkType is leaked, the corresponding socket (WPEFramework::Web::WebSocketLinkType<WPEFramework::Core::SocketStream, WPEFramework::Web::Response, WPEFramework::Web::Request, WPEFramework::Web::WebSocket::ResponseAllocator&>::HandlerType<WPEFramework::Core::SocketStream>) isn't closed or unregistered from ResourceMonitor. When unloading a library that contains template classes, one needs to ensure that any instantiated template classes or objects created from them are properly destroyed before the library is unloaded.

Signature:
Any Seg fault in ResourceMonitorType::Worker():

Thread 3 "Monitor::IResou" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 12024.12032]
Downloading source file /usr/src/debug/wpeframework/4.4-r0/git/Source/core/../core/ResourceMonitor.h
0x00071c52 in WPEFramework::Core::ResourceMonitorType<WPEFramework::Core::IResource, WPEFramework::Core::Void>::Worker (this=0x3a0d58)                                 
    at /usr/src/debug/wpeframework/4.4-r0/git/Source/core/../core/ResourceMonitor.h:424
warning: 424	/usr/src/debug/wpeframework/4.4-r0/git/Source/core/../core/ResourceMonitor.h: No such file or directory
(gdb) bt
#0  0x00071c52 in WPEFramework::Core::ResourceMonitorType<WPEFramework::Core::IResource, WPEFramework::Core::Void>::Worker (this=0x3a0d58)
    at /usr/src/debug/wpeframework/4.4-r0/git/Source/core/../core/ResourceMonitor.h:424
#1  0xb3d2937c in WPEFramework::Core::Thread::StartThread (cClassPointer=0x3a0918) at /usr/src/debug/wpeframework/4.4-r0/git/Source/core/Thread.cpp:194
#2  0xb3adcc86 in start_thread (arg=0x5d37d15d) at pthread_create.c:442
#3  0xb3b2d3c0 in ?? () at ../sysdeps/unix/sysv/linux/arm/clone.S:74 from /home/npoltorapavlo/Downloads/gdb/lib/libc.so.6
Backtrace stopped: previous frame identical to this frame (corrupt stack?)

It crashes calling a function on the "entry" object in ResourceMonitor.h. Gdb shows the _vptr.IResource address is not mapped.

(gdb) p *entry
$12 = {_vptr.IResource = 0xaad9f7fc}

I debugged one seg fault; in the process mappings before the crash, the address was in:

0xaad9c000 0xaada1000     0x5000    0x3c000  r--p   /usr/lib/wpeframework/plugins/libWPEFrameworkXCast.so

On crash, the address wasn't mapped - plugin deactivated/destroyed/unloaded.
Casting entry to WebSocketLinkType::HandlerType:

(gdb) p *(WPEFramework::Web::WebSocketLinkType<WPEFramework::Core::SocketStream, WPEFramework::Web::Response, WPEFramework::Web::Request, WPEFramework::Web::WebSocket::ResponseAllocator&>::HandlerType<WPEFramework::Core::SocketStream> *)entry
m_Socket = 23
m_State = 209
m_ReceiveBuffer = 0xaa5b9110 "\201y{\"jsonrpc\":\"2.0\",\"method\":\"temporary1.statechange\"...
_parent = @0xaa5b80a8

shows socket not destroyed, state not 0, active Controller "statechange" subscription.
Going through the _parent addresses, the CommunicationChannel instance:

(gdb) p *(WPEFramework::JSONRPC::LinkType<WPEFramework::Core::JSON::IElement>::CommunicationChannel *) 0xaa5b8078
_observers = {<std::__cxx11::_List_base<WPEFramework::JSONRPC::LinkType<WPEFramework::Core::JSON::IElement>*...
_M_next = 0xa721c4f8, _M_prev = 0xa734b5e8}, _M_size = 2

shows 2 active LinkType.

The code of that plugin shows 2 LinkType objects created with "new"; Subscribe is called, with no "delete", i.e. a leak:

WPEFramework::JSONRPC::LinkType<WPEFramework::Core::JSON::IElement> *m_ControllerObj = nullptr;
WPEFramework::JSONRPC::LinkType<WPEFramework::Core::JSON::IElement> *m_NetworkPluginObj = nullptr;
m_ControllerObj = new WPEFramework::JSONRPC::LinkType<Core::JSON::IElement>("", "", false);
m_NetworkPluginObj = new WPEFramework::JSONRPC::LinkType<Core::JSON::IElement>(_T(NETWORK_CALLSIGN_VER),"");
m_ControllerObj->Subscribe<JsonObject>(THUNDER_RPC_TIMEOUT, _T("statechange"),&XCastImplementation::eventHandler_pluginState,this);
--- no delete ---

Looks like the ResourceMonitor crash can happen whenever there are leaked JSONRPC::LinkType-s in the plugin that was unloaded.

Steps to reproduce

for item in "org.rdk.Bluetooth" ... "org.rdk.Network"; do
  curl -X PUT http://127.0.0.1:9998/Service/Controller/Deactivate/$item &
done 

sends multiple deactivate calls (40).

Expected Behavior

No crash

Actual Behavior

Crash

Notes (Optional)

No response
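The lifetime problem reported above, reduced to a self-contained model (an added example, not code from Thunder or from the plugin): a monitor keeps raw pointers to resources, and a link that is created with "new" and never deleted stays registered after the plugin deactivates, while a link owned by std::unique_ptr and reset in Deinitialize does not. Monitor, Link, LeakyPlugin, OwningPlugin, Leftover and StaleEntriesAfterDeactivate are hypothetical names, and the descriptor value is a constructed sample.

```cpp
#include <cstddef>
#include <memory>
#include <set>

// Stand-in for Core::IResource: the monitor thread calls through this vtable.
struct IResource { virtual ~IResource() = default; virtual int Descriptor() const = 0; };

// Stand-in for ResourceMonitor: raw, non-owning pointers to registered resources.
struct Monitor { std::set<IResource*> resources; };

// Stand-in for the socket behind a link: it unregisters only in its destructor.
class Link : public IResource {
public:
    Link(Monitor& m, int fd) : _monitor(m), _fd(fd) { _monitor.resources.insert(this); }
    ~Link() override { _monitor.resources.erase(this); }
    int Descriptor() const override { return _fd; }
private:
    Monitor& _monitor;
    int _fd;
};

// Pattern from the report: raw "new", no "delete" on deactivation.
struct LeakyPlugin {
    Link* controller = nullptr;
    void Initialize(Monitor& m) { controller = new Link(m, 23); }
    void Deinitialize() { /* nothing deleted: the entry stays in the monitor */ }
    Link* Leftover() { return controller; }
};

// Owning variant: the link is destroyed, and so unregistered, before unload.
struct OwningPlugin {
    std::unique_ptr<Link> controller;
    void Initialize(Monitor& m) { controller.reset(new Link(m, 23)); }
    void Deinitialize() { controller.reset(); }
    Link* Leftover() { return controller.get(); }
};

// Number of entries the monitor would still poll after the plugin deactivated.
// In the real system each such entry has a vtable inside the unloaded library.
template <typename PLUGIN>
std::size_t StaleEntriesAfterDeactivate() {
    Monitor monitor;
    PLUGIN plugin;
    plugin.Initialize(monitor);
    plugin.Deinitialize();
    const std::size_t stale = monitor.resources.size();
    delete plugin.Leftover();  // demo-only cleanup so the model itself does not leak
    return stale;
}
```

A non-zero result from StaleEntriesAfterDeactivate corresponds to the state seen in gdb: an entry the monitor thread will still dereference after the plugin's code is gone.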
