ACCESS VIOLATION - Writing to nullptr

Question

ACCESS VIOLATION - Writing to nullptr

ratzrattillo opened this issue 2 years ago · comments

While working with libzmq, which currently embeds wepoll 1.5.8, i had several crashes due to access violations.
These seem to stem from a special behaviour caused by GetQueuedCompletionStatusEx().

This function sometimes returns success (TRUE), containing a positive completion_count (e.g. 1), but still contain an iocp_events[0].lpOverlapped structure with a NULL value. The function is called in line 1223:
https://github.com/piscisaureus/wepoll/blob/dist/wepoll.c#L1223

Later on, wepoll tries to write to this memory location in line 1842:
https://github.com/piscisaureus/wepoll/blob/dist/wepoll.c#L1842

Attached you can find some screenshots of my debug session:

A fix would be highly appreciated :)

John Nunley · Answer 1 · Thu Jan 26 2023 05:23:31 GMT+0800 (China Standard Time)

Is this behavior documented in GetCompletionPacketEx? Unless external packets are sent via the IOCP handle this shouldn't be an issue, if my memory of the Windows I/O API serves me right.

Otherwise, #20 may fix this.

ratzrattillo · Answer 2 · Thu Jan 26 2023 16:56:03 GMT+0800 (China Standard Time)

The following Remark i found in: https://learn.microsoft.com/en-us/windows/win32/fileio/getqueuedcompletionstatusex-func#remarks

This function returns TRUE when at least one pending I/O is completed, but it is possible that one or more I/O operations failed. Note that it is up to the user of this function to check the list of returned entries in the lpCompletionPortEntries parameter to determine which of them correspond to any possible failed I/O operations by looking at the status contained in the lpOverlapped member in each OVERLAPPED_ENTRY.

It is not clearly stating that lpOverlapped can be NULL, when more than 0 completions have been dequed, however it is the behavior i experienced.

Is there a plan to merge #20 ?

Bert Belder · Answer 3 · Sun Feb 12 2023 23:47:09 GMT+0800 (China Standard Time)

It's hard to believe a NULL lpOverlapped would just randomly show up on the completion port.

Are you using the async_io crate by any chance? Because they use a forked version of wepoll that deliberately people posts NULL packets to the completion port.

John Nunley · Answer 4 · Mon Feb 13 2023 00:51:11 GMT+0800 (China Standard Time)

libzmq is written in C++ and doesn't use async-io. In addition, there are no crates that depend on async-io that have reported this bug as far as I know.

Are there any places in libzmq where an IOCP packet is manually posted to the wepoll port?

Bert Belder · Answer 5 · Mon Feb 13 2023 01:01:51 GMT+0800 (China Standard Time)

libzmq is written in C++ and doesn't use async-io.

The OP is reporting they are using Rust, so they could be using async-io.

In addition, there are no crates that depend on async-io that have reported this bug as far as I know.

Crates that depend on async-io depend on https://github.com/aclysma/wepoll-ffi which is a patched wepoll that supports this, so I wouldn't expect them to run into this issue in isolation. It only becomes a problem when they use async-io and then link with a "stock" wepoll.

Other than that I can't think of any other way this could ever happen. The latest version of wepoll has been out for more than 2.5 years, and it is used enough in production that if this were a wepoll bug, it would have come up a lot earlier. So there must be something particular to the OP's setup that causes this.

Bert Belder · Answer 6 · Mon Feb 13 2023 01:03:09 GMT+0800 (China Standard Time)

In fact, looking at the stack trace, I'm pretty convinced this is the issue now:

John Nunley · Answer 7 · Mon Feb 13 2023 01:56:02 GMT+0800 (China Standard Time)

Thanks for the catch @piscisaureus! I've opened smol-rs/polling#85 and aclysma/wepoll-ffi#1 to address this

John Nunley · Answer 8 · Thu Mar 09 2023 03:00:22 GMT+0800 (China Standard Time)

As of version v2.6.0, polling now no longer uses wepoll. This issue can probably be closed.