[Ace-users] [tao-users] PRF: Segfault when sending too much data

Johnny Willemsen jwillemsen at remedy.nl
Fri Nov 23 00:43:07 CST 2007


Hi,

Thanks for using the PRF form. Can you put this in Bugzilla (see
http://deuce.doc.wustl.edu/bugzilla/index.cgi)? Be aware that resources for
free support are really minimal at this moment; consider getting commercial
support to fix this issue, for example from Remedy IT. See www.theaceorb.nl
for our services.

Regards,

Johnny Willemsen
Remedy IT
Postbus 101
2650 AC  Berkel en Rodenrijs
The Netherlands
www.theaceorb.nl / www.remedy.nl  

*** Integrated compile and test statistics see
http://scoreboard.theaceorb.nl ***
*** Commercial service and support for ACE/TAO/CIAO             ***
*** See http://www.theaceorb.nl/en/support.html                 ***

"Andre Kostur" <akostur at incognito.com> wrote in message
news:<mailman.2937.1195778610.5286.tao-users at mail.cse.wustl.edu>...
    TAO VERSION: 1.6.1
    ACE VERSION: 5.6.1

    HOST MACHINE and OPERATING SYSTEM: Xen VM of Linux/i386 v2.6.18-5-xen-vserver-686, Debian 4.0

    COMPILER NAME AND VERSION (AND PATCHLEVEL): gcc version 4.1.2 20061115 (prerelease) (Debian 4.1.1-21)

    THE $ACE_ROOT/ace/config.h FILE [if you use a link to a platform-specific
    file, simply state which one]:

#define ACE_AS_STATIC_LIBS                      1
#define TAO_AS_STATIC_LIBS                      1
#define ACE_HAS_STANDARD_CPP_LIBRARY            1
#define ACE_HAS_IPV6                            1
#define ACE_USES_IPV4_IPV6_MIGRATION            1
#include "ace/config-linux.h"

    THE $ACE_ROOT/include/makeinclude/platform_macros.GNU FILE [if you
    use a link to a platform-specific file, simply state which one
    (unless this isn't used in this case, e.g., with Microsoft Visual
    C++)]:

ACE_COMPONENTS=FOR_TAO
exceptions        = 1
debug             = 0
optimize          = 1
static_libs_only  = 1
xt_reactor        = 0
fl_reactor        = 0
ssl               = 1
ipv6              = 1
zlib              = 1
LDFLAGS          += -L$(ACE_ROOT)/ace/$(TARGET_PLATFORM)
VDIR            = .obj/$(TARGET_PLATFORM)/
INSLIB          = $(ACE_ROOT)/ace/$(TARGET_PLATFORM)
include $(ACE_ROOT)/include/makeinclude/platform_linux.GNU

    CONTENTS OF $ACE_ROOT/bin/MakeProjectCreator/config/default.features
    (used by MPC when you generate your own makefiles):

ssl           = 1
ipv6          = 1
zlib          = 1

    AREA/CLASS/EXAMPLE AFFECTED: TAO Block Flushing Strategy

    DOES THE PROBLEM AFFECT:
        COMPILATION? No
        LINKING? No
            On Unix systems, did you run make realclean first?
        EXECUTION? Yes
        OTHER (please specify)? n/a

    SYNOPSIS:

Attempting to send too much data through an out parameter when
ORBFlushingStrategy is set to blocking causes a segfault.

    DESCRIPTION:

Attempting to send too much data through an out parameter when
ORBFlushingStrategy is set to blocking causes a segfault.

    REPEAT BY:

Code:

#include <ace/OS.h>
#include <tao/corba.h>
#include <tao/PortableServer/PortableServer.h>
#include <cstdlib>   // rand, EXIT_SUCCESS, EXIT_FAILURE
#include <iostream>
#include "corbarpc/ctestS.h"

using namespace std;

// Servant: fills the out sequence with `size` random upper-case letters.
class ctest_impl : public virtual POA_ctest
{
public:
        CORBA::Long ctestfn(CORBA::Long size, ctest::UCSeq_out data)
        {
                cout << "ctestfn called for " << size << " objects" << endl;

                data = new ctest::UCSeq;

                data->length(size);

                for (size_t i = 0; i < data->length(); ++i)
                {
                        data[i] = (rand() % 26) + 'A';
                }

                return 0;
        }
};

int main(int argc, char * argv[])
{
  try
  {
  // No arguments, or more than two (ORB options): server mode.
  // Exactly "<IOR> <number of bytes>": client mode.
  if ((argc == 1) || (argc > 3))
  {
        cout << "Server Mode" << endl;

        CORBA::ORB_var orb = CORBA::ORB_init(argc, argv);

        CORBA::Object_var obj = orb->resolve_initial_references("RootPOA");

        PortableServer::POA_var poa = PortableServer::POA::_narrow(obj);

        PortableServer::POAManager_var mgr = poa->the_POAManager();

        mgr->activate();

        ctest_impl servant;

        ctest_var object = servant._this();

        // Print the IOR that the client takes as its first argument.
        CORBA::String_var str = orb->object_to_string(object);

        cout << str << endl;

        orb->run();
  }
  else
  {
        cout << "Client Mode" << endl;

        CORBA::ORB_var orb = CORBA::ORB_init(argc, argv);

        CORBA::Object_var obj = orb->string_to_object(argv[1]);

        if (CORBA::is_nil(obj))
        {
                cout << "Nil reference" << endl;
                return EXIT_FAILURE;
        }

        ctest_var ctestVar;

        ctestVar = ctest::_narrow(obj);

        cout << "Calling ctestfn" << endl;

        ctest::UCSeq_var data;

        // argv[2] is the number of bytes the server is asked to return.
        ctestVar->ctestfn(ACE_OS::atoi(argv[2]), data);

        cout << "Received " << data->length() << " bytes" << endl;
  }

  ACE_OS::sleep(10);
  }
  catch(...)
  {
        cout << "An exception" << endl;
  }

  return EXIT_SUCCESS;
}

IDL:

interface ctest {
        typedef sequence<char> UCSeq;

        long ctestfn(in long size, out UCSeq data);
};

Run the server as:

ctest -ORBSvcConfDirective "static Server_Strategy_Factory \"-ORBConcurrency reactive -ORBPOALock thread -ORBAllowReactivationOfSystemids 0\"" -ORBSvcConfDirective "static Resource_Factory \"-ORBConnectionCacheMax 10 -ORBNativeWcharCodeSet 0x00010109 -ORBFlushingStrategy blocking\"" -ORBSvcConfDirective "static Client_Strategy_Factory \"-ORBWaitStrategy rw -ORBTransportMuxStrategy exclusive -ORBConnectStrategy blocked -ORBConnectionHandlerCleanup 1\"" -ORBStdProfileComponents 0 -ORBDebug -ORBDebugLevel 10

Run the client as:

ctest  <IOR Shown by above server> <number of bytes>

If you run the ctest client with a value of 131368, the program executes
as expected.  But if you use 131369, the server will segfault.  Stack
trace as follows:

#0  0x464c5f4f in ?? ()
#1  0x0811cb28 in TAO_Block_Flushing_Strategy::flush_message ()
#2  0x080fd390 in TAO_Transport::send_reply_message_i ()
#3  0x080fdce4 in TAO_Transport::send_message_shared_i ()
#4  0x08130329 in TAO_IIOP_Transport::send_message_shared ()
#5  0x0812fec1 in TAO_IIOP_Transport::send_message ()
#6  0x080f5061 in TAO_ServerRequest::tao_send_reply ()
#7  0x0805b678 in TAO_ServantBase::synchronous_upcall_dispatch ()
#8  0x0804d861 in POA_ctest::_dispatch (this=0xbf81e0e0, req=@0xbf81d568, servant_upcall=0xbf81cfe4) at ctestS.cpp:765
#9  0x080756d5 in TAO_Object_Adapter::dispatch_servant ()
#10 0x08075d54 in TAO_Object_Adapter::dispatch ()
#11 0x08101e5a in TAO_Adapter_Registry::dispatch ()
#12 0x080e1674 in TAO_Request_Dispatcher::dispatch ()
#13 0x0813ab22 in TAO_GIOP_Message_Base::process_request ()
#14 0x081368e0 in TAO_GIOP_Message_Base::process_request_message ()
#15 0x080f910f in TAO_Transport::process_parsed_messages ()
#16 0x080fcc06 in TAO_Transport::handle_input_parse_data ()
#17 0x080fcdf3 in TAO_Transport::handle_input ()
#18 0x08134459 in TAO_Connection_Handler::handle_input_internal ()
#19 0x08134646 in TAO_Connection_Handler::handle_input_eh ()
#20 0x08125f1f in TAO_IIOP_Connection_Handler::handle_input ()
#21 0x08180eb0 in ACE_TP_Reactor::handle_socket_events ()
#22 0x0818122c in ACE_TP_Reactor::handle_events ()
#23 0x080ca787 in TAO_ORB_Core::run ()
#24 0x080c6ca5 in CORBA::ORB::run ()
#25 0x0804cf2f in main (argc=12, argv=0xb7e5db60) at ctest.cpp:55

The TAO logs of the failing call, starting from when the server receives
the request:

TAO (28497|3084175040) - ORB_Core::run, start [run]
TAO (28497|3084175040) - ORB_Core::run, calling handle_events()
TAO (28497|3084175040) - Transport_Cache_Manager::fill_set_i, current_size = 0, cache_maximum = 10
TAO (28497|3084175040) - Concurrency_Strategy::activate_svc_handler, opened as TAO_SERVER_ROLE
TAO (28497|3084175040) - IIOP_Connection_Handler::open, The local addr is <::ffff:192.168.74.17:40394>
TAO (28497|3084175040) - IIOP_Connection_Handler::open, IIOP connection to peer <[::ffff:192.168.75.81]:39725> on 11
TAO (28497|3084175040) - IIOP_Endpoint::set, cannot determine hostname: No such file or directory
TAO (28497|3084175040) - Transport_Cache_Manager::bind_i: Transport[11] ;hash 1363887085
TAO (28497|3084175040) - Transport_Cache_Manager::bind_i, cache size is [1]
TAO (28497|3084175040) - Transport[11]::register_handler
TAO (28497|3084175040) - ORB_Core::run, handle_events() returns 1
TAO (28497|3084175040) - ORB_Core::run, calling handle_events()
TAO (28497|3084175040) - Connection_Handler[11]::handle_input, handle = 11/11
TAO (28497|3084175040) - Transport[11]::handle_input
TAO (28497|3084175040) - Transport[11]::process_queue_head, 0 enqueued
TAO (28497|3084175040) - Transport[11]::handle_input_parse_data, enter
TAO (28497|3084175040) - Transport[11]::handle_input_parse_data, read 76 bytes
TAO (28497|3084175040) - GIOP_Message_State::parse_message_header_i
TAO (28497|3084175040) - GIOP_Message_State::get_version_info
TAO (28497|3084175040) - GIOP_Message_State::get_byte_order_info
TAO (28497|3084175040) - Transport[11]::process_parsed_messages, entering (missing data == 0)
TAO (28497|3084175040) - GIOP_Message_Base::dump_msg, recv GIOP v1.2 msg, 64 data bytes, other endian, Type Request[1]
GIOP message - HEXDUMP 76 bytes
47 49 4f 50 01 02 00 00  00 00 00 40 00 00 00 01   GIOP.......@....
03 00 00 00 00 00 00 00  00 00 00 17 14 01 0f 00   ................
52 53 54 9f 20 46 47 61  52 07 00 00 00 00 00 01   RST. FGaR.......
00 00 00 00 00 00 00 08  63 74 65 73 74 66 6e 00   ........ctestfn.
00 00 00 00 00 00 00 00  00 02 01 29               ...........)
ctestfn called for 131369 objects
TAO (28497|3084175040) - GIOP_Message_Base::dump_msg, send GIOP v1.2 msg, 131389 data bytes, my endian, Type Reply[1]
GIOP message - HEXDUMP 131401 bytes (showing first 912 bytes)
47 49 4f 50 01 02 01 01  3d 01 02 00 01 00 00 00   GIOP....=.......
00 00 00 00 00 00 00 00  00 00 00 00 29 01 02 00   ............)...
TAO (28497|3084175040) - Transport[11]::cleanup_queue, byte_count = 131400
TAO (28497|3084175040) - Transport[11]::cleanup_queue, after transfer, bc = 0, all_sent = 0, ml = 1
TAO (28497|3084175040) - Transport[11]::drain_queue_helper, byte_count = 131400, head_is_empty = 0
TAO (28497|3084175040) - Transport[11]::drain_queue_i, helper retval = 1
TAO (28497|3084175040) - Transport[11]::send_reply_message_i, preparing to add to queue before leaving
TAO (28497|3084175040) - Transport[11]::handle_output
TAO (28497|3084175040) - Transport[11]::cleanup_queue, byte_count = 1
TAO (28497|3084175040) - Transport[11]::cleanup_queue, after transfer, bc = 0, all_sent = 1, ml = 0
TAO (28497|3084175040) - Transport[11]::drain_queue_helper, byte_count = 1, head_is_empty = 1
TAO (28497|3084175040) - Transport[11]::drain_queue_i, helper retval = 1
TAO (28497|3084175040) - Transport[11]::handle_output, drain_queue returns 0/12

The data contents are OK, it's random text data.  The client reports
success in receiving the data, but the server crashes.  With one byte
less of data, it results in the initial transmission of 131400 bytes,
and the system doesn't have to loop to send the remainder of the data,
and the server works.  131401 bytes to send, it sends the first 131400,
eventually is able to send the last byte of data, and then crashes.

 

 

 

Regards,

Andre Kostur
Incognito Software Inc.
Senior Software Design Engineer
T: +1(604)678-2864
F: +1(604)688-4339
E: akostur at incognito.com

www.incognito.com
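
Added example, not part of the original report or of TAO's code: a small C++ decoder for the GIOP headers in the debug log above, showing that the logged ctestfn reply is 32 + N bytes on the wire, so N = 131368 gives exactly the 131400 bytes the log reports for the first transfer and N = 131369 leaves one byte for a second pass. The names GiopHeader, read_u32, parse_giop_header and ctestfn_reply_wire_size are assumptions made for this example; the byte arrays are copied from the two hexdumps in the log.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>

struct GiopHeader {
    std::uint8_t major, minor;
    bool little_endian;       // flags bit 0: sender's byte order
    std::uint8_t msg_type;    // 0 = Request, 1 = Reply
    std::uint32_t body_size;  // bytes that follow the 12-byte header
};

// Read a CDR unsigned long in the sender's byte order.
std::uint32_t read_u32(const std::uint8_t* p, bool le) {
    std::uint32_t v = 0;
    for (int i = 0; i < 4; ++i)
        v |= static_cast<std::uint32_t>(p[i]) << (8 * (le ? i : 3 - i));
    return v;
}

// Returns false on a short buffer or a missing "GIOP" magic.
bool parse_giop_header(const std::uint8_t* buf, std::size_t len, GiopHeader& h) {
    if (len < 12 || std::memcmp(buf, "GIOP", 4) != 0) return false;
    h.major = buf[4]; h.minor = buf[5];
    h.little_endian = (buf[6] & 0x01) != 0;
    h.msg_type = buf[7];
    h.body_size = read_u32(buf + 8, h.little_endian);
    return true;
}

// Reply size for ctestfn as laid out in the logged dump: 12 GIOP header +
// 4 request id + 4 reply status + 4 service-context count + 4 return value +
// 4 sequence length + n chars.
std::size_t ctestfn_reply_wire_size(std::uint32_t n) { return 32u + n; }

// Bytes copied from the request and reply hexdumps in the log above.
const std::uint8_t kRequestHdr[12] = {0x47,0x49,0x4f,0x50,0,2 - 1,0,0, 0,0,0,0x40};
const std::uint8_t kReplyHead[32] = {
    0x47,0x49,0x4f,0x50,1,2,1,1, 0x3d,1,2,0, 1,0,0,0,
    0,0,0,0, 0,0,0,0, 0,0,0,0, 0x29,1,2,0};

int main() {
    GiopHeader rp;
    if (!parse_giop_header(kReplyHead, sizeof kReplyHead, rp)) return 1;
    std::uint32_t n = read_u32(kReplyHead + 28, rp.little_endian);
    std::printf("reply: %u body bytes, sequence length %u, %zu on the wire\n",
                rp.body_size, n, ctestfn_reply_wire_size(n));
    return 0;
}
```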

 

