UnimplementedAsyncRequest constructor races with GenericAsyncRequest causing crashes

[snaury]

What version of gRPC and what language are you using?

The bug seems to be very old, so the exact version does not matter.

What operating system (Linux, Windows,...) and version?

Linux

What runtime / compiler are you using (e.g. python version or version of gcc)

We use clang, but the compiler doesn't matter.

What did you do?

We call cq->Next(&tag, ok) from multiple threads.

What did you expect to see?

We expect to only ever see values of tags that we provided.

What did you see instead?

Recently we started to occasionally see our grpc servers crashing right after the call to cq->Next. Debugging showed, that Next returns true, indicating the event is available, however tag turned out to be nullptr. Since we cast it to our interface and call a method on it, this caused crashes when loading a vptr. Further debugging showed that the call to FinalizeResult in CompletionQueue::AsyncNextInternal returns true, but the tag is nullptr. When inspecting core_cq_tag we observed the object is actually UnimplementedAsyncRequest, however UnimplementedAsyncRequest::FinalizeResult should always returns false, so it was puzzling at first how it could ever return true.

Turns out there's a race in UnimplementedAsyncRequest constructor. When it calls to GenericAsyncRequest, it starts the request right there, however the vptr is pointing to GenericAsyncRequest at that time. Later UnimplementedAsyncRequest updates vptr to its vtable, but it looks like the request may already start being handled on another thread, and AsyncNextInternal manages to catch it in a state when vptr is still pointing to GenericAsyncRequest, calling GenericAsyncRequest::FinalizeResult. It returns true, bypassing UnimplementedAsyncRequest override, and it indeed has tag initialized to nullptr by default.

It looks like our users tried using a new grpc service, which was not served by our server yet, this triggered a lot of unimplemented requests, which started triggering the race under heavy load. Workaround of delaying grpc_server_request_call in GenericAsyncRequest until UnimplementedAsyncRequest constructor body stopped crashes for us, confirming that the problem is indeed with UnimplementedAsyncRequest.

[snaury]

Btw, I can see that something similar was previously detected by tsan in #17044, but it was marked as stale for some reason?

[yijiem]

To ease debugging, is it possible for you to provide a minimal client/server example that repros or might repro this issue?

[snaury]

It hope it wouldn't be too hard (2 threads serving the same cq server side, lots of channels/threads making requests to non-existant service client side), but it will take some time for me.

[snaury]

Here's a reproducer: https://github.com/snaury/grpc-unimplemented-bug

Takes less than a second to crash with 2 server threads (the default) on my macbook air m1:

% ./build.sh && ./hello-server
Accepting requests
zsh: segmentation fault  ./hello-server

...another window:
% ./hello-client unknown
12: 
0 ok/s 355511 fail/s
14: failed to connect to all addresses; last error: UNKNOWN: ipv4:127.0.0.1:50051: Failed to connect to remote host: Connection refused
0 ok/s 403382 fail/s

Doesn't crash with 1 server thread:

% ./build.sh && ./hello-server 1
Accepting requests
^C

...another window:
% ./hello-client unknown
12: 
0 ok/s 55944 fail/s
12: 
0 ok/s 57663 fail/s
...

Here's an example of how this looks under lldb:

% ./build.sh && lldb ./hello-server
(lldb) target create "./hello-server"
Current executable set to '/Users/<redacted>/grpc-unimplemented-bug/hello-server' (arm64).
(lldb) run
Process 79647 launched: '/Users/<redacted>/grpc-unimplemented-bug/hello-server' (arm64)
Accepting requests
Process 79647 stopped
* thread #15, stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
    frame #0: 0x0000000100004bf4 hello-server`ServerImpl::RunWorker() + 68
hello-server`ServerImpl::RunWorker:
->  0x100004bf4 <+68>: ldr    x8, [x0]
    0x100004bf8 <+72>: ldr    x8, [x8]
    0x100004bfc <+76>: and    w1, w9, #0x1
    0x100004c00 <+80>: blr    x8
Target 0: (hello-server) stopped.
(lldb) disassemble 
hello-server`ServerImpl::RunWorker:
    0x100004bb0 <+0>:  sub    sp, sp, #0x30
    0x100004bb4 <+4>:  stp    x29, x30, [sp, #0x20]
    0x100004bb8 <+8>:  add    x29, sp, #0x20
    0x100004bbc <+12>: stur   x0, [x29, #-0x8]
    0x100004bc0 <+16>: ldur   x8, [x29, #-0x8]
    0x100004bc4 <+20>: str    x8, [sp]
    0x100004bc8 <+24>: b      0x100004bcc               ; <+28>
    0x100004bcc <+28>: ldr    x8, [sp]
    0x100004bd0 <+32>: add    x0, x8, #0x28
    0x100004bd4 <+36>: bl     0x100004c14               ; std::__1::unique_ptr<grpc::ServerCompletionQueue, std::__1::default_delete<grpc::ServerCompletionQueue> >::operator->() const
    0x100004bd8 <+40>: add    x1, sp, #0x10
    0x100004bdc <+44>: add    x2, sp, #0xf
    0x100004be0 <+48>: bl     0x100035008               ; symbol stub for: grpc::CompletionQueue::Next(void**, bool*)
    0x100004be4 <+52>: tbz    w0, #0x0, 0x100004c08     ; <+88>
    0x100004be8 <+56>: b      0x100004bec               ; <+60>
    0x100004bec <+60>: ldr    x0, [sp, #0x10]
    0x100004bf0 <+64>: ldrb   w9, [sp, #0xf]
->  0x100004bf4 <+68>: ldr    x8, [x0]
    0x100004bf8 <+72>: ldr    x8, [x8]
    0x100004bfc <+76>: and    w1, w9, #0x1
    0x100004c00 <+80>: blr    x8
    0x100004c04 <+84>: b      0x100004bcc               ; <+28>
    0x100004c08 <+88>: ldp    x29, x30, [sp, #0x20]
    0x100004c0c <+92>: add    sp, sp, #0x30
    0x100004c10 <+96>: ret    

Note how it's crashing on address 0 when loading a vtable from tag, which is nullptr.

[yijiem]

Thanks for the excellent example @snaury! I ran the example and it easily repros the crash on my machine as well. Attached TSAN report for the server: https://gist.githubusercontent.com/yijiem/ae6ed887b66c95acd28913b1bb8ec7ad/raw/3095225764eee53fa27d32f69cb83d213de56dc3/gistfile1.txt

[yijiem]

This should be fixed by #32547. Thanks again for the report and the reproducer!