[Boost-bugs] [Boost C++ Libraries] #10624: win_object_handle_service race condition on destroy

Subject: [Boost-bugs] [Boost C++ Libraries] #10624: win_object_handle_service race condition on destroy
From: Boost C++ Libraries (noreply_at_[hidden])
Date: 2014-10-07 04:38:51

• Next message: Boost C++ Libraries: "[Boost-bugs] [Boost C++ Libraries] #10625: Compilation with nvcc produces error: unknown asm constraint modifier ', '"
• Previous message: Boost C++ Libraries: "Re: [Boost-bugs] [Boost C++ Libraries] #10623: Minor typo in Boost.Align"

#10624: win_object_handle_service race condition on destroy
--------------------------------------+----------------------------
 Reporter: Rowan Wyborn <rwyborn@…> | Owner: chris_kohlhoff
     Type: Bugs | Status: new
Milestone: To Be Determined | Component: asio
  Version: Boost 1.54.0 | Severity: Problem
 Keywords: |
--------------------------------------+----------------------------
 I caught a random crash in our code base that appears to be due to a race
 condition in win_object_handle_service. Reproduction steps are essentially
 just:

 boost::asio::windows::object_handle* handle = new
 boost::asio::windows::object_handle(service, hEvent);[[BR]]
 handle->async_wait(...);[[BR]]
 SetEvent(hEvent);[[BR]]
 delete handle;

 The race condition occurs in win_object_handle_service::wait_callback. The
 last few lines of code in this method are:

     lock.unlock();[[BR]]
     impl->owner_->io_service_.post_deferred_completions(completed_ops);

 The problem is that while the delete of the handle waits on the same lock
 as the wait_callback, the call into impl->owner_->io_service_ happens
 outside the scope of that lock.
 Hence there is a race condition that can trigger under multi-
 threaded/heavy load scenarios where the delete may execute before the call
 to >io_service_.post_deferred_completions happens

     lock.unlock();[[BR]]
     <----- delete executes here[[BR]]
     impl->owner_->io_service_.post_deferred_completions(completed_ops);

 This leaves impl->owner_ pointing at deleted/unintialized memory, and
 hence the post_deferred_completions call randomly crashes. I can repro
 this 100% of the time by just adding a Sleep to emulate load:

    lock.unlock();[[BR]]
    Sleep(1000);[[BR]]
    impl->owner_->io_service_.post_deferred_completions(completed_ops);

-- 
Ticket URL: <https://svn.boost.org/trac/boost/ticket/10624>
Boost C++ Libraries <http://www.boost.org/>
Boost provides free peer-reviewed portable C++ source libraries.

• Next message: Boost C++ Libraries: "[Boost-bugs] [Boost C++ Libraries] #10625: Compilation with nvcc produces error: unknown asm constraint modifier ', '"
• Previous message: Boost C++ Libraries: "Re: [Boost-bugs] [Boost C++ Libraries] #10623: Minor typo in Boost.Align"

This archive was generated by hypermail 2.1.7 : 2017-02-16 18:50:17 UTC