commit | 5f31f01a8c60858d3607df43c77977408f1dc180 | |
---|---|---|
author | David Garcia Quintas <dgq@google.com> | Tue Dec 19 08:49:15 2017 -0800 |
committer | David Garcia Quintas <dgq@google.com> | Tue Dec 19 08:49:15 2017 -0800 |
tree | 77304b062556d83a956d243c28ae2fbbb34c39c2 | |
parent | 1bedfa3963c59756fc513f2ed38171d789bafa57 | |
Fix use-after-free caused by unsync'd access in tcp_client_posix.

tc_on_alarm() and on_writable() race, resulting in the following:

```
D1219 08:59:33.425951347 86323 tcp_client_posix.cc:143] CLIENT_CONNECT: ipv4:127.0.0.1:27465: on_writable: error="No Error"
D1219 08:59:33.426032150 86342 tcp_client_posix.cc:104] CLIENT_CONNECT: ipv4:127.0.0.1:27465: on_alarm: error="No Error"
// At this point, note that the callbacks are running on different threads.
D1219 08:59:33.426063521 86323 tcp_client_posix.cc:218] XXX on_writable ac->addr_str 0x603000008dd0 before unlock. # refs 2->1. Done 0
// on_writable() unrefs while still holding the lock. Because refs > 0, it marks its "done" as false and unlocks.
D1219 08:59:33.426125130 86342 tcp_client_posix.cc:113] XXX tc_on_alarm ac->addr_str 0x603000008dd0 before unlock. # refs 1->0. Done 1
// right after on_writable() unlocks, tc_on_alarm() acquires the lock and unrefs, this time getting to zero and marking its "done" as true.
// It then proceeds to destroy "ac", and, in particular for this failure, "ac->addr_str".
D1219 08:59:33.426139370 86323 tcp_client_posix.cc:234] XXX on_writable about to read from ac->addr_str 0x603000008dd0. Done 0, error=OS Error
// When on_writable() tries to read ac->addr_str to assemble its error details, it causes a use-after-free.
```

The problem is the lock isn't held long enough by on_writable(). Alternatively, a copy of ac->addr_str could be made in on_writable() while still holding the lock, but that seems more fragile. It doesn't seem that holding the lock longer would be a performance issue, given we are in a failure scenario.
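As an added illustration of the ordering the commit message describes, and not code from gRPC or from the commit's author, the following C++ model replays the log's interleaving on a single thread against a simplified refcounted object. The `Attempt` type and its fields, the `RacyWritable` and `FixedWritable` helpers, `on_alarm`, and the sample address string are all assumptions of this example. Instead of freeing memory, `destroy` sets a flag, so the late read shows up as a detectable sentinel rather than undefined behaviour.

```cpp
#include <mutex>
#include <string>

// Hypothetical model of a connect attempt whose lifetime is governed by a
// refcount guarded by a mutex. Names, fields and the address value are
// invented for this example; this is not gRPC's code.
struct Attempt {
  std::mutex mu;
  int refs = 2;                                    // one per outstanding callback
  std::string addr_str = "ipv4:127.0.0.1:27465";   // constructed sample address
  bool destroyed = false;                          // stands in for the memory being freed
};

// Drops one reference; the caller must hold ac->mu. Returns true when the
// caller held the last reference and is responsible for destroying ac.
static bool unref_locked(Attempt* ac) { return --ac->refs == 0; }

// Stands in for freeing ac and ac->addr_str; the flag lets the model
// notice a read that lands after destruction instead of crashing.
static void destroy(Attempt* ac) {
  ac->destroyed = true;
  ac->addr_str = "<freed>";
}

// Reads addr_str as a callback would when assembling error details.
static std::string read_addr(const Attempt* ac) {
  return ac->destroyed ? "USE-AFTER-FREE" : ac->addr_str;
}

// The alarm callback: unref under the lock, destroy if it was the last ref.
static void on_alarm(Attempt* ac) {
  bool done;
  {
    std::lock_guard<std::mutex> lk(ac->mu);
    done = unref_locked(ac);
  }
  if (done) destroy(ac);
}

// Racy shape of on_writable: the lock is released before addr_str is read,
// so the other callback can reach zero and destroy ac in between.
struct RacyWritable {
  static bool unref_and_unlock(Attempt* ac) {
    std::lock_guard<std::mutex> lk(ac->mu);
    return unref_locked(ac);
  }
  static std::string finish(Attempt* ac, bool done) {
    std::string err = "connect failed: " + read_addr(ac);  // touches ac after unlock
    if (done) destroy(ac);
    return err;
  }
};

// Fixed shape: every access to ac's fields completes before the lock is
// released; after that only the local copy and the done flag are used.
struct FixedWritable {
  static bool unref_and_unlock(Attempt* ac, std::string* err) {
    std::lock_guard<std::mutex> lk(ac->mu);
    bool done = unref_locked(ac);
    *err = "connect failed: " + read_addr(ac);
    return done;
  }
  static void finish(Attempt* ac, bool done) {
    if (done) destroy(ac);
  }
};

// Replays the interleaving from the log on a single thread: on_writable
// unrefs 2->1 and unlocks, on_alarm unrefs 1->0 and destroys, then
// on_writable resumes and reads addr_str.
std::string replay_racy() {
  Attempt ac;
  bool done = RacyWritable::unref_and_unlock(&ac);  // refs 2->1, done=false
  on_alarm(&ac);                                    // refs 1->0, destroys ac
  return RacyWritable::finish(&ac, done);           // reads after destruction
}

std::string replay_fixed() {
  Attempt ac;
  std::string err;
  bool done = FixedWritable::unref_and_unlock(&ac, &err);  // read done under lock
  on_alarm(&ac);
  FixedWritable::finish(&ac, done);
  return err;
}
```

The rule the model makes visible: once a callback has dropped its reference, it may no longer touch the object unless it observed the count reach zero itself, so anything it still needs from the object must be read (or copied) before the lock protecting the refcount is released. A sanitizer build (ASan) is the practical way to catch the real version of this ordering, since the freed memory usually still holds plausible bytes.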
Copyright 2015 Google Inc.
You can find more detailed documentation and examples in the doc and examples directories respectively.
See INSTALL for installation instructions for various platforms.
See tools/run_tests for more guidance on how to run various test suites (e.g. unit tests, interop tests, benchmarks).
See Performance dashboard for the performance numbers for the latest released version.
This repository contains source code for gRPC libraries for multiple languages written on top of shared C core library src/core.
Libraries in different languages may be in different states of development. We are seeking contributions for all of these libraries.
Language | Source |
---|---|
Shared C [core library] | src/core |
C++ | src/cpp |
Ruby | src/ruby |
Python | src/python |
PHP | src/php |
C# | src/csharp |
Objective-C | src/objective-c |
Java source code is in the grpc-java repository. Go source code is in the grpc-go repository. NodeJS source code is in the grpc-node repository.
See MANIFEST.md for a listing of top-level items in the repository.
Remote Procedure Calls (RPCs) provide a useful abstraction for building distributed applications and services. The libraries in this repository provide a concrete implementation of the gRPC protocol, layered over HTTP/2. These libraries enable communication between clients and servers using any combination of the supported languages.
Developers using gRPC typically start with the description of an RPC service (a collection of methods), and generate client and server side interfaces which they use on the client-side and implement on the server side.
By default, gRPC uses Protocol Buffers as the Interface Definition Language (IDL) for describing both the service interface and the structure of the payload messages. It is possible to use other alternatives if desired.
Starting from an interface definition in a .proto file, gRPC provides Protocol Compiler plugins that generate Client- and Server-side APIs. gRPC users typically call into these APIs on the Client side and implement the corresponding API on the server side.
Synchronous RPC calls, which block until a response arrives from the server, are the closest approximation to the abstraction of a procedure call that RPC aspires to.
On the other hand, networks are inherently asynchronous, and in many scenarios it is desirable to have the ability to start RPCs without blocking the current thread.
The gRPC programming surface in most languages comes in both synchronous and asynchronous flavors.
gRPC supports streaming semantics, where either the client or the server (or both) send a stream of messages on a single RPC call. The most general case is Bidirectional Streaming where a single gRPC call establishes a stream where both the client and the server can send a stream of messages to each other. The streamed messages are delivered in the order they were sent.
The gRPC protocol specifies the abstract requirements for communication between clients and servers. A concrete embedding over HTTP/2 completes the picture by fleshing out the details of each of the required operations.
A gRPC RPC comprises a bidirectional stream of messages, initiated by the client. In the client-to-server direction, this stream begins with a mandatory Call Header, followed by optional Initial-Metadata, followed by zero or more Payload Messages. The server-to-client direction contains an optional Initial-Metadata, followed by zero or more Payload Messages, terminated with a mandatory Status and optional Status-Metadata (a.k.a. Trailing-Metadata).
The abstract protocol defined above is implemented over HTTP/2. gRPC bidirectional streams are mapped to HTTP/2 streams. The contents of Call Header and Initial Metadata are sent as HTTP/2 headers and subject to HPACK compression. Payload Messages are serialized into a byte stream of length-prefixed gRPC frames which are then fragmented into HTTP/2 frames at the sender and reassembled at the receiver. Status and Trailing-Metadata are sent as HTTP/2 trailing headers (a.k.a. trailers).
gRPC inherits the flow control mechanisms in HTTP/2 and uses them to enable fine-grained control of the amount of memory used for buffering in-flight messages.