Make PendingWriteQueue.recycle() update its state before triggering an event
Related: #3212 Motivation: PendingWriteQueue.recycle() updates its data structure after triggering a channelWritabilityChanged() event. It causes a rare corruption such as double free when channelWritabilityChanged() method accesses the PendingWriteQueue. Modifications: Update the state of PendingWriteQueue before triggering an event. Result: Fix a rare double-free problem
This commit is contained in:
Trustin Lee
parent
1122189771
commit
1e35d06efb
@ -217,11 +217,11 @@ public final class PendingWriteQueue {
|
||||
}
|
||||
|
||||
private void recycle(PendingWrite write) {
|
||||
PendingWrite next = write.next;
|
||||
final PendingWrite next = write.next;
|
||||
final long writeSize = write.size;
|
||||
|
||||
buffer.decrementPendingOutboundBytes(write.size);
|
||||
write.recycle();
|
||||
size --;
|
||||
|
||||
if (next == null) {
|
||||
// Handled last PendingWrite so rest head and tail
|
||||
head = tail = null;
|
||||
@ -230,6 +230,9 @@ public final class PendingWriteQueue {
|
||||
head = next;
|
||||
assert size > 0;
|
||||
}
|
||||
|
||||
write.recycle();
|
||||
buffer.decrementPendingOutboundBytes(writeSize);
|
||||
}
|
||||
|
||||
private static void safeFail(ChannelPromise promise, Throwable cause) {
|
||||
|
||||
@ -20,9 +20,13 @@ import io.netty.buffer.ByteBuf;
|
||||
import io.netty.buffer.Unpooled;
|
||||
import io.netty.channel.embedded.EmbeddedChannel;
|
||||
import io.netty.util.CharsetUtil;
|
||||
import org.junit.Assert;
|
||||
import org.junit.Test;
|
||||
|
||||
import java.util.concurrent.atomic.AtomicReference;
|
||||
|
||||
import static org.hamcrest.Matchers.*;
|
||||
import static org.junit.Assert.*;
|
||||
|
||||
public class PendingWriteQueueTest {
|
||||
|
||||
@Test
|
||||
@ -30,7 +34,7 @@ public class PendingWriteQueueTest {
|
||||
assertWrite(new TestHandler() {
|
||||
@Override
|
||||
public void flush(ChannelHandlerContext ctx) throws Exception {
|
||||
Assert.assertFalse("Should not be writable anymore", ctx.channel().isWritable());
|
||||
assertFalse("Should not be writable anymore", ctx.channel().isWritable());
|
||||
|
||||
ChannelFuture future = queue.removeAndWrite();
|
||||
future.addListener(new ChannelFutureListener() {
|
||||
@ -49,7 +53,7 @@ public class PendingWriteQueueTest {
|
||||
assertWrite(new TestHandler() {
|
||||
@Override
|
||||
public void flush(ChannelHandlerContext ctx) throws Exception {
|
||||
Assert.assertFalse("Should not be writable anymore", ctx.channel().isWritable());
|
||||
assertFalse("Should not be writable anymore", ctx.channel().isWritable());
|
||||
|
||||
ChannelFuture future = queue.removeAndWriteAll();
|
||||
future.addListener(new ChannelFutureListener() {
|
||||
@ -86,6 +90,55 @@ public class PendingWriteQueueTest {
|
||||
}, 3);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void shouldFireChannelWritabilityChangedAfterRemoval() {
|
||||
final AtomicReference<ChannelHandlerContext> ctxRef = new AtomicReference<ChannelHandlerContext>();
|
||||
final AtomicReference<PendingWriteQueue> queueRef = new AtomicReference<PendingWriteQueue>();
|
||||
final ByteBuf msg = Unpooled.copiedBuffer("test", CharsetUtil.US_ASCII);
|
||||
|
||||
final EmbeddedChannel channel = new EmbeddedChannel(new ChannelInboundHandlerAdapter() {
|
||||
@Override
|
||||
public void handlerAdded(ChannelHandlerContext ctx) throws Exception {
|
||||
ctxRef.set(ctx);
|
||||
queueRef.set(new PendingWriteQueue(ctx));
|
||||
}
|
||||
|
||||
@Override
|
||||
public void channelWritabilityChanged(ChannelHandlerContext ctx) throws Exception {
|
||||
final PendingWriteQueue queue = queueRef.get();
|
||||
|
||||
final ByteBuf msg = (ByteBuf) queue.current();
|
||||
if (msg == null) {
|
||||
return;
|
||||
}
|
||||
|
||||
assertThat(msg.refCnt(), is(1));
|
||||
|
||||
// This call will trigger another channelWritabilityChanged() event because the number of
|
||||
// pending bytes will go below the low watermark.
|
||||
//
|
||||
// If PendingWriteQueue.remove() did not remove the current entry before triggering
|
||||
// channelWritabilityChanged() event, we will end up with attempting to remove the same
|
||||
// element twice, resulting in the double release.
|
||||
queue.remove();
|
||||
|
||||
assertThat(msg.refCnt(), is(0));
|
||||
}
|
||||
});
|
||||
|
||||
channel.config().setWriteBufferLowWaterMark(1);
|
||||
channel.config().setWriteBufferHighWaterMark(3);
|
||||
|
||||
final PendingWriteQueue queue = queueRef.get();
|
||||
|
||||
// Trigger channelWritabilityChanged() by adding a message that's larger than the high watermark.
|
||||
queue.add(msg, channel.newPromise());
|
||||
|
||||
channel.finish();
|
||||
|
||||
assertThat(msg.refCnt(), is(0));
|
||||
}
|
||||
|
||||
private static void assertWrite(ChannelHandler handler, int count) {
|
||||
final ByteBuf buffer = Unpooled.copiedBuffer("Test", CharsetUtil.US_ASCII);
|
||||
final EmbeddedChannel channel = new EmbeddedChannel(handler);
|
||||
@ -96,29 +149,29 @@ public class PendingWriteQueueTest {
|
||||
for (int i = 0; i < buffers.length; i++) {
|
||||
buffers[i] = buffer.duplicate().retain();
|
||||
}
|
||||
Assert.assertTrue(channel.writeOutbound(buffers));
|
||||
Assert.assertTrue(channel.finish());
|
||||
assertTrue(channel.writeOutbound(buffers));
|
||||
assertTrue(channel.finish());
|
||||
channel.closeFuture().syncUninterruptibly();
|
||||
|
||||
for (int i = 0; i < buffers.length; i++) {
|
||||
assertBuffer(channel, buffer);
|
||||
}
|
||||
buffer.release();
|
||||
Assert.assertNull(channel.readOutbound());
|
||||
assertNull(channel.readOutbound());
|
||||
}
|
||||
|
||||
private static void assertBuffer(EmbeddedChannel channel, ByteBuf buffer) {
|
||||
ByteBuf written = (ByteBuf) channel.readOutbound();
|
||||
Assert.assertEquals(buffer, written);
|
||||
assertEquals(buffer, written);
|
||||
written.release();
|
||||
}
|
||||
|
||||
private static void assertQueueEmpty(PendingWriteQueue queue) {
|
||||
Assert.assertTrue(queue.isEmpty());
|
||||
Assert.assertEquals(0, queue.size());
|
||||
Assert.assertNull(queue.current());
|
||||
Assert.assertNull(queue.removeAndWrite());
|
||||
Assert.assertNull(queue.removeAndWriteAll());
|
||||
assertTrue(queue.isEmpty());
|
||||
assertEquals(0, queue.size());
|
||||
assertNull(queue.current());
|
||||
assertNull(queue.removeAndWrite());
|
||||
assertNull(queue.removeAndWriteAll());
|
||||
}
|
||||
|
||||
private static void assertWriteFails(ChannelHandler handler, int count) {
|
||||
@ -129,16 +182,16 @@ public class PendingWriteQueueTest {
|
||||
buffers[i] = buffer.duplicate().retain();
|
||||
}
|
||||
try {
|
||||
Assert.assertFalse(channel.writeOutbound(buffers));
|
||||
Assert.fail();
|
||||
assertFalse(channel.writeOutbound(buffers));
|
||||
fail();
|
||||
} catch (Exception e) {
|
||||
Assert.assertTrue(e instanceof TestException);
|
||||
assertTrue(e instanceof TestException);
|
||||
}
|
||||
Assert.assertFalse(channel.finish());
|
||||
assertFalse(channel.finish());
|
||||
channel.closeFuture().syncUninterruptibly();
|
||||
|
||||
buffer.release();
|
||||
Assert.assertNull(channel.readOutbound());
|
||||
assertNull(channel.readOutbound());
|
||||
}
|
||||
|
||||
private static class TestHandler extends ChannelDuplexHandler {
|
||||
@ -149,15 +202,15 @@ public class PendingWriteQueueTest {
|
||||
public void channelActive(ChannelHandlerContext ctx) throws Exception {
|
||||
super.channelActive(ctx);
|
||||
assertQueueEmpty(queue);
|
||||
Assert.assertTrue("Should be writable", ctx.channel().isWritable());
|
||||
assertTrue("Should be writable", ctx.channel().isWritable());
|
||||
}
|
||||
|
||||
@Override
|
||||
public void write(ChannelHandlerContext ctx, Object msg, ChannelPromise promise) throws Exception {
|
||||
queue.add(msg, promise);
|
||||
Assert.assertFalse(queue.isEmpty());
|
||||
Assert.assertEquals(++ expectedSize, queue.size());
|
||||
Assert.assertNotNull(queue.current());
|
||||
assertFalse(queue.isEmpty());
|
||||
assertEquals(++expectedSize, queue.size());
|
||||
assertNotNull(queue.current());
|
||||
}
|
||||
|
||||
@Override
|
||||
|
||||
Loading…
Reference in New Issue
Block a user