Merge pull request #686 from cole-miller/fix-loop-async

Fix use-after-free in unit tests
canonical · Aug 21, 2024 · 6035a35 · 6035a35
2 parents 6e24f8c + 9387b77
commit 6035a35
Show file tree

Hide file tree

Showing 5 changed files with 35 additions and 10 deletions.
diff --git a/src/gateway.c b/src/gateway.c
@@ -36,6 +36,8 @@ void gateway__init(struct gateway *g,
 	g->random_state = seed;
 }
 
+/* FIXME: This function becomes unsound when using the new thread pool, since
+ * the request callbacks will race with operations running in the pool. */
 void gateway__leader_close(struct gateway *g, int reason)
 {
 	if (g == NULL || g->leader == NULL) {

diff --git a/src/lib/threadpool.c b/src/lib/threadpool.c
@@ -559,22 +559,21 @@ int pool_init(pool_t *pool,
 		return rc;
 	}
 
-	rc = uv_async_init(loop, &pi->outq_async, work_done);
-	if (rc != 0) {
-		uv_mutex_destroy(&pi->outq_mutex);
-		free(pi);
-		return rc;
-	}
-
 	static uv_once_t once = UV_ONCE_INIT;
 	uv_once(&once, thread_key_create);
 	if (thread_key_create_err != 0) {
-		uv_close((uv_handle_t *)&pi->outq_async, NULL);
 		uv_mutex_destroy(&pi->outq_mutex);
 		free(pi);
 		return thread_key_create_err;
 	}
 
+	rc = uv_async_init(loop, &pi->outq_async, work_done);
+	if (rc != 0) {
+		uv_mutex_destroy(&pi->outq_mutex);
+		free(pi);
+		return rc;
+	}
+
 	pool_threads_init(pool);
 
 	return 0;

diff --git a/src/lib/threadpool.h b/src/lib/threadpool.h
@@ -104,8 +104,20 @@ int pool_init(pool_t *pool,
 	      uv_loop_t *loop,
 	      uint32_t threads_nr,
 	      uint32_t qos_prio);
-void pool_fini(pool_t *pool);
+/**
+ * Start the closing sequence for the thread pool.
+ *
+ * This signals the threads of the pool to finish their work and exit. The pool
+ * threads will not be joined, and the resources held by the pool will not be
+ * released, until pool_fini is called. Before calling pool_fini, the event loop
+ * that was used to create this pool must be run to completion (that is, until
+ * uv_run returns 0).
+ */
 void pool_close(pool_t *pool);
+/**
+ * Finish the closing sequence for the thread pool and release resources.
+ */
+void pool_fini(pool_t *pool);
 void pool_queue_work(pool_t *pool,
 		     pool_work_t *w,
 		     uint32_t cookie,

diff --git a/test/raft/unit/test_snapshot.c b/test/raft/unit/test_snapshot.c
@@ -458,6 +458,7 @@ static void *pool_set_up(MUNIT_UNUSED const MunitParameter params[],
 static void pool_tear_down(void *data)
 {
 	pool_close(&global_fixture.pool);
+	uv_run(uv_default_loop(), UV_RUN_DEFAULT);
 	pool_fini(&global_fixture.pool);
 	free(data);
 }

diff --git a/test/unit/test_conn.c b/test/unit/test_conn.c
@@ -72,11 +72,11 @@ static void connCloseCb(struct conn *conn)
 
 #define TEAR_DOWN                         \
 	pool_close(pool_ut_fallback());   \
-	pool_fini(pool_ut_fallback());    \
 	conn__stop(&f->conn_test.conn);   \
 	while (!f->conn_test.closed) {    \
 		test_uv_run(&f->loop, 1); \
 	};                                \
+	pool_fini(pool_ut_fallback());    \
 	TEAR_DOWN_RAFT;                   \
 	TEAR_DOWN_CLIENT;                 \
 	TEAR_DOWN_REGISTRY;               \
@@ -339,6 +339,16 @@ TEST_CASE(exec, result, NULL)
 
 TEST_CASE(exec, close_while_in_flight, NULL)
 {
+#ifdef DQLITE_NEXT
+	/* When sqlite3_step runs on the thread pool, calling conn__stop
+	 * from the main thread while a request is in flight is racy, and
+	 * can lead to a use-after-free on the prepared statement object.
+	 * Disable this test until we have a solution for this problem. */
+	(void)data;
+	(void)params;
+	return MUNIT_SKIP;
+#else
+
 	struct exec_fixture *f = data;
 	uint64_t last_insert_id;
 	uint64_t rows_affected;
@@ -356,6 +366,7 @@ TEST_CASE(exec, close_while_in_flight, NULL)
 	pool_ut_fallback()->flags |= POOL_FOR_UT_NON_CLEAN_FINI;
 
 	return MUNIT_OK;
+#endif
 }
 
 /******************************************************************************