[asterisk-dev] [Code Review] 4188: segfault when playing back voicemail under high concurrency with an IMAP backend
Matt Jordan
reviewboard at asterisk.org
Tue Dec 2 08:28:55 CST 2014
> On Nov. 18, 2014, 7:25 a.m., Matt Jordan wrote:
> > From http://www.washington.edu/imap/documentation/internal.txt.html:
> >
> > {quote}
> > * * * IMPORTANT * * *
> >
> > Any multi-threaded application should test stream->lock prior to
> > calling any c-client stream functions. Any attempt to call a
> > mail_xxx() function while one is already in progress on the same
> > stream will cause the application to fail in unpredictable ways.
> >
> > Note that this check is insufficient in a preemptive-scheduling
> > multi-tasking application due to the possibility of a timing race.
> > Such applications must be written so that only one process accesses
> > the stream, or to have a higher level lock.
> >
> > Since MAIL operations will not finish until they are completed, a
> > single-tasking application does not have to worry about this problem,
> > except in the callback invoked from MAIL (e.g. mm_exists(), etc.) in which
> > case the stream is *always* locked.
> > {quote}
> >
> > So, a few things from this:
> > (1) Based on the description from the UW IMAP documentation, locking vms->lock is sufficient *if* other mail accesses also lock the same vms object for that stream. If that isn't happening, then your patch probably won't fix anything, since both mail_open calls were already protected by the vms->lock and your global lock doesn't protect any other mail_XXXX accesses. The only way your patch would affect anything is if there were two different vms objects being used to open the same stream at the same time.
> > (2) Your backtrace on the issue doesn't show concurrent accesses to vm_execmain - although a lot of symbols are missing - so right now it's impossible to tell who the offending accesses are. It's also impossible to know if it is due to two concurrent accesses of mail_open with different vms objects, or something else.
> >
> > Generally, I'm not this patch fixes your issue.
>
> Ben Smithurst wrote:
> The concern we found was that some code called by mail_open uses static variables, specifically the ip_nametoaddr function - at least the ip6_unix.c implementation of it, which is where we're seeing crashes. We believe the problem may be 2 DIFFERENT streams are being opened at once, correctly locked individually, but ultimately causing a conflict with a static variable deep inside the uw-imap code.
Thanks for pointing out the issue in the IMAP library.
Apparently UW IMAP decided that the implementation of sockaddr needed help:
* There is some amazingly bad design in IPv6 sockets.
*
* Supposedly, the new getnameinfo() and getaddrinfo() functions create an
* abstraction that is not dependent upon IPv4 or IPv6. However, the
* definition of getnameinfo() requires that the caller pass the length of
* the sockaddr instead of deriving it from sa_family. The man page says
* that there's an sa_len member in the sockaddr, but actually there isn't.
* This means that any caller to getnameinfo() and getaddrinfo() has to know
* the size for the protocol family used by that sockaddr.
*
* The new sockaddr_in6 is bigger than the generic sockaddr (which is what
* connect(), accept(), bind(), getpeername(), getsockname(), etc. expect).
* Rather than increase the size of sockaddr, there's a new sockaddr_storage
* which is only usable for allocating space.
*/
Fantasic.
You're correct that they use static variables in ip_nametoaddr. It certainly has no hope of being thread safe. Given the status of the UW IMAP library, I would suspect we will have to work around any issues in the library.
Looking at the UW IMAP source, ip_nametoaddr is called on opening of a TCP client connection in tcp_open, which is called from mail_open. Grepping the source for other locations that call this function, we find that it is also called from tcp_canonical and tcp_isclienthost. These in turn are called as such:
tcp_canonical:
-- called from c-client/mail.c:mail_usable_network_stream
-- called from c-client/pop3.c:pop3_status
-- called from c-client/mail.c:mail_open_work
-- called from c-client/imap4r1.c:imap_status
-- called from c-client/nntp.c:nntp_status
Of these, the only one that we would call indirectly is mail_open_work through mail_open - which is already protected by your mutex. We currently don't call imap_status - but if we did, it would also need to be protected by the same mutex.
tcp_isclienthost:
-- called from env_unix.c:dorc when set plaintext-allowed-clients appears in the .rc file, which is only called on server_init/env_init (and should only happen once). Given that, there doesn't seem to be any reason to worry about this call.
This patch should be sufficient.
- Matt
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviewboard.asterisk.org/r/4188/#review13790
-----------------------------------------------------------
On Nov. 17, 2014, 9:03 a.m., David Duncan Ross Palmer wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviewboard.asterisk.org/r/4188/
> -----------------------------------------------------------
>
> (Updated Nov. 17, 2014, 9:03 a.m.)
>
>
> Review request for Asterisk Developers.
>
>
> Bugs: ASTERISK-24516
> https://issues.asterisk.org/jira/browse/ASTERISK-24516
>
>
> Repository: Asterisk
>
>
> Description
> -------
>
> Asterisk segfaults when playing back voicemail under high concurrency with an IMAP backend
>
>
> Diffs
> -----
>
> /trunk/apps/app_voicemail.c 427675
>
> Diff: https://reviewboard.asterisk.org/r/4188/diff/
>
>
> Testing
> -------
>
> Rapid load testing performed with {{SIPp}}:
> {code}
> sipp -sn uac -d 7000 -s ‘*1’ 127.0.0.1 -l 400 -mp 5606
> {code}
>
>
> Thanks,
>
> David Duncan Ross Palmer
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.digium.com/pipermail/asterisk-dev/attachments/20141202/2660471c/attachment.html>
More information about the asterisk-dev
mailing list