Unsafe reentrant call to io_flush
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| libmemcached | Fix Released | Medium | Brian Aker | |
Bug Description
While trying to use buffered mode to set a big number of pretty big values (3333 bytes exactly in my test!), it ends up pretty quickly with an error "CLIENT_ERROR bad data chunk".
By looking more closely at the message that triggered that error, it seems one message is ill-formed, containing one part of its normal content but the end of the previous one.
The problem seems to come from:
1) memcached_io_write calls io_flush
2) io_flush calls io_wait
3) io_wait calls memcached_purge
4) memcached_purge calls memcached_io_write
5) and finally memcached_io_write calls io_flush again ...
the problem being write_buffer and write_offset_buffer are copied at the beginning of io_flush and only reset at the end. So if 2) has already written some data, it is not reflected into the buffer of the offset when entering io_flush for the second time, which will resend the beginning of the buffer that was already sent.
Basically, if we have in the buffer [abcdefghijkl], we might send something like [abcdabcdefghij
One solution is flag io_wait call as "ptr->root-
One other solution would be to have a start_offset being kept up to date at every loop of the send calls.
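The re-entrant flush described in this report, reduced to a small simulation: this is an added example, not libmemcached's own code. The `struct conn`, `send_bytes`, `io_wait` and the two flush functions are constructed stand-ins for the real client; `io_wait` re-enters the flush once to model the io_wait -> memcached_purge -> memcached_io_write -> io_flush chain, and the payload "abcdefghijkl" is the one from the report. `buggy_flush` copies the buffer pointer and length once at entry, as the report describes, so the nested call resends from the start of the buffer; `fixed_flush` keeps a start offset in the connection and advances it after every send, the second fix the report suggests.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define BUF_SIZE 64
#define CHUNK 4 /* bytes "sent" per call (constructed: forces several loop iterations) */

/* Constructed model of the client's output buffer; field names follow the
   report, but the struct itself is not libmemcached's. */
struct conn {
    char write_buffer[BUF_SIZE];
    size_t write_buffer_offset;       /* bytes queued in write_buffer */
    size_t write_buffer_start_offset; /* bytes already sent (used by fixed_flush) */
    char wire[BUF_SIZE * 2 + 1];      /* everything that actually went "on the wire" */
    size_t wire_len;
    int pending_reenter;              /* io_wait re-enters the flush once when set */
};

/* Stand-in for the socket send: append to the wire log. */
static void send_bytes(struct conn *c, const char *p, size_t n) {
    memcpy(c->wire + c->wire_len, p, n);
    c->wire_len += n;
}

/* Models io_wait -> memcached_purge -> memcached_io_write -> io_flush:
   the flush is re-entered from inside its own send loop. */
static void io_wait(struct conn *c, void (*flush)(struct conn *)) {
    if (c->pending_reenter) {
        c->pending_reenter = 0;
        flush(c);
    }
}

/* The behaviour the report describes: local copies of the buffer pointer
   and length are taken once and never refreshed after the nested flush. */
static void buggy_flush(struct conn *c) {
    const char *local_write_ptr = c->write_buffer;
    size_t write_length = c->write_buffer_offset;
    while (write_length > 0) {
        size_t n = write_length < CHUNK ? write_length : CHUNK;
        send_bytes(c, local_write_ptr, n);
        local_write_ptr += n;
        write_length -= n;
        io_wait(c, buggy_flush); /* nested flush restarts from write_buffer[0] */
    }
    c->write_buffer_offset = 0;  /* reset only at the end, too late for the outer loop */
}

/* The start-offset fix: progress lives in the connection and is advanced
   after every send, so a nested call resumes where the outer one stopped. */
static void fixed_flush(struct conn *c) {
    while (c->write_buffer_start_offset < c->write_buffer_offset) {
        size_t remaining = c->write_buffer_offset - c->write_buffer_start_offset;
        size_t n = remaining < CHUNK ? remaining : CHUNK;
        send_bytes(c, c->write_buffer + c->write_buffer_start_offset, n);
        c->write_buffer_start_offset += n;
        io_wait(c, fixed_flush); /* nested call sees the updated offset */
    }
    c->write_buffer_offset = 0;
    c->write_buffer_start_offset = 0;
}

/* Queue a constructed payload, flush it with the given strategy and return
   how many bytes reached the wire (12 for the payload above means no duplication). */
static size_t run(struct conn *c, void (*flush)(struct conn *), const char *payload) {
    memset(c, 0, sizeof *c); /* start offset initialised to 0 with the connection */
    c->write_buffer_offset = strlen(payload);
    memcpy(c->write_buffer, payload, c->write_buffer_offset);
    c->pending_reenter = 1;
    flush(c);
    c->wire[c->wire_len] = '\0';
    return c->wire_len;
}

int main(void) {
    struct conn c;
    run(&c, buggy_flush, "abcdefghijkl");
    printf("buggy: %s\n", c.wire); /* abcdabcdefghijklefghijkl */
    run(&c, fixed_flush, "abcdefghijkl");
    printf("fixed: %s\n", c.wire); /* abcdefghijkl */
    return 0;
}
```

The wire log of the buggy variant shows the pattern from the report (the start of the buffer sent twice), which is exactly what makes the server see a data chunk whose length no longer matches its header. Note that `run` zeroes the whole struct, so `write_buffer_start_offset` begins at 0; a start offset that is never initialised would make the fixed loop skip or overrun the buffer in the same way an uninitialised value would anywhere else.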
Related branches
- Libmemcached-developers: Pending requested
- Diff: 206 lines (+88/-39), 3 files modified
  - libmemcached/memcached_io.c (+40/-37)
  - libmemcached/memcached_server.h (+1/-0)
  - tests/function.c (+47/-2)
Changed in libmemcached: status: Fix Committed → Fix Released
Hi Jean-Charles,
when using your patch, I have a problem with ptr->write_buffer_start_offset having some crazy values from time to time.
It looks like it's never initialized. I'm not sure that I understand your patch correctly, but I have the impression that it is safe to set it to 0 at the beginning of _io_flush, isn't it?
Regards,
Colin