2009-05-12 16:45:14 +00:00
|
|
|
/*
|
|
|
|
* eventtest.c: Test the libvirtd event loop impl
|
|
|
|
*
|
2014-10-28 12:38:04 -06:00
|
|
|
* Copyright (C) 2009, 2011-2014 Red Hat, Inc.
|
2009-05-12 16:45:14 +00:00
|
|
|
*
|
|
|
|
* This library is free software; you can redistribute it and/or
|
|
|
|
* modify it under the terms of the GNU Lesser General Public
|
|
|
|
* License as published by the Free Software Foundation; either
|
|
|
|
* version 2.1 of the License, or (at your option) any later version.
|
|
|
|
*
|
|
|
|
* This library is distributed in the hope that it will be useful,
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
|
|
* Lesser General Public License for more details.
|
|
|
|
*
|
|
|
|
* You should have received a copy of the GNU Lesser General Public
|
2012-09-20 16:30:55 -06:00
|
|
|
* License along with this library. If not, see
|
2012-07-21 18:06:23 +08:00
|
|
|
* <http://www.gnu.org/licenses/>.
|
2009-05-12 16:45:14 +00:00
|
|
|
*/
|
|
|
|
|
|
|
|
#include <config.h>
|
|
|
|
|
|
|
|
#include <signal.h>
|
|
|
|
#include <time.h>
|
|
|
|
|
2016-11-19 20:42:27 +03:00
|
|
|
#if HAVE_MACH_CLOCK_ROUTINES
|
|
|
|
# include <mach/clock.h>
|
|
|
|
# include <mach/mach.h>
|
|
|
|
#endif
|
|
|
|
|
2009-05-12 16:45:14 +00:00
|
|
|
#include "testutils.h"
|
|
|
|
#include "internal.h"
|
2013-05-09 14:59:04 -04:00
|
|
|
#include "virfile.h"
|
2012-12-13 15:49:48 +00:00
|
|
|
#include "virthread.h"
|
2012-12-12 17:59:27 +00:00
|
|
|
#include "virlog.h"
|
2012-12-13 17:44:57 +00:00
|
|
|
#include "virutil.h"
|
2012-12-12 16:54:55 +00:00
|
|
|
#include "vireventpoll.h"
|
2009-05-12 16:45:14 +00:00
|
|
|
|
2014-02-28 12:16:17 +00:00
|
|
|
VIR_LOG_INIT("tests.eventtest");
|
|
|
|
|
event: fix event-handling allocation crash
Regression introduced in commit e6b68d7 (Nov 2010).
Prior to that point, handlesAlloc was always a multiple of
EVENT_ALLOC_EXTENT (10), and was an int (so even if the subtraction
had been able to wrap, a negative value would be less than the count
not try to free the handles array). But after that point,
VIR_RESIZE_N made handlesAlloc grow geometrically (with a pattern of
10, 20, 30, 45 for the handles array) but still freed in multiples of
EVENT_ALLOC_EXTENT; and the count changed to size_t. Which means that
after 31 handles have been created, then 30 handles destroyed,
handlesAlloc is 5 while handlesCount is 1, and since (size_t)(1 - 5)
is indeed greater than 1, this then tried to free 10 elements, which
had the awful effect of nuking the handles array while there were
still live handles.
Nuking live handles puts libvirtd in an inconsistent state, and was
easily reproducible by starting and then stopping 60 faqemu guests.
* daemon/event.c (virEventCleanupTimeouts, virEventCleanupHandles):
Avoid integer wrap-around causing us to delete the entire array
while entries are still active.
* tests/eventtest.c (mymain): Expose the bug.
2011-01-21 12:57:03 -07:00
|
|
|
#define NUM_FDS 31
|
|
|
|
#define NUM_TIME 31
|
2009-05-12 16:45:14 +00:00
|
|
|
|
|
|
|
static struct handleInfo {
|
|
|
|
int pipeFD[2];
|
|
|
|
int fired;
|
|
|
|
int watch;
|
|
|
|
int error;
|
|
|
|
int delete;
|
|
|
|
} handles[NUM_FDS];
|
|
|
|
|
|
|
|
static struct timerInfo {
|
|
|
|
int timeout;
|
|
|
|
int timer;
|
|
|
|
int fired;
|
|
|
|
int error;
|
|
|
|
int delete;
|
|
|
|
} timers[NUM_TIME];
|
|
|
|
|
|
|
|
enum {
|
|
|
|
EV_ERROR_NONE,
|
|
|
|
EV_ERROR_WATCH,
|
|
|
|
EV_ERROR_FD,
|
|
|
|
EV_ERROR_EVENT,
|
|
|
|
EV_ERROR_DATA,
|
|
|
|
};
|
|
|
|
|
2015-09-29 10:55:22 -04:00
|
|
|
struct testEventResultData {
|
|
|
|
bool failed;
|
|
|
|
const char *msg;
|
|
|
|
};
|
|
|
|
|
|
|
|
static int
|
|
|
|
testEventResultCallback(const void *opaque)
|
|
|
|
{
|
|
|
|
const struct testEventResultData *data = opaque;
|
|
|
|
|
|
|
|
if (data->failed && data->msg)
|
|
|
|
fprintf(stderr, "%s", data->msg);
|
|
|
|
return data->failed;
|
|
|
|
}
|
|
|
|
|
|
|
|
static void
|
2019-10-15 13:35:07 +02:00
|
|
|
G_GNUC_PRINTF(3, 4)
|
2015-09-29 10:55:22 -04:00
|
|
|
testEventReport(const char *name, bool failed, const char *msg, ...)
|
|
|
|
{
|
|
|
|
va_list vargs;
|
|
|
|
va_start(vargs, msg);
|
|
|
|
char *str = NULL;
|
|
|
|
struct testEventResultData data;
|
|
|
|
|
2019-10-22 14:11:15 +02:00
|
|
|
if (msg)
|
|
|
|
str = g_strdup_vprintf(msg, vargs);
|
2015-09-29 10:55:22 -04:00
|
|
|
|
|
|
|
data.failed = failed;
|
|
|
|
data.msg = str;
|
2016-05-26 17:01:50 +02:00
|
|
|
ignore_value(virTestRun(name, testEventResultCallback, &data));
|
2015-09-29 10:55:22 -04:00
|
|
|
|
|
|
|
va_end(vargs);
|
|
|
|
VIR_FREE(str);
|
|
|
|
}
|
|
|
|
|
2009-05-12 16:45:14 +00:00
|
|
|
static void
|
|
|
|
testPipeReader(int watch, int fd, int events, void *data)
|
|
|
|
{
|
|
|
|
struct handleInfo *info = data;
|
|
|
|
char one;
|
|
|
|
|
|
|
|
info->fired = 1;
|
|
|
|
|
|
|
|
if (watch != info->watch) {
|
|
|
|
info->error = EV_ERROR_WATCH;
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (fd != info->pipeFD[0]) {
|
|
|
|
info->error = EV_ERROR_FD;
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (!(events & VIR_EVENT_HANDLE_READABLE)) {
|
|
|
|
info->error = EV_ERROR_EVENT;
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
if (read(fd, &one, 1) != 1) {
|
|
|
|
info->error = EV_ERROR_DATA;
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
info->error = EV_ERROR_NONE;
|
|
|
|
|
|
|
|
if (info->delete != -1)
|
2011-02-24 17:58:04 +00:00
|
|
|
virEventPollRemoveHandle(info->delete);
|
2009-05-12 16:45:14 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static void
|
|
|
|
testTimer(int timer, void *data)
|
|
|
|
{
|
|
|
|
struct timerInfo *info = data;
|
|
|
|
|
|
|
|
info->fired = 1;
|
|
|
|
|
|
|
|
if (timer != info->timer) {
|
|
|
|
info->error = EV_ERROR_WATCH;
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
info->error = EV_ERROR_NONE;
|
|
|
|
|
|
|
|
if (info->delete != -1)
|
2011-02-24 17:58:04 +00:00
|
|
|
virEventPollRemoveTimeout(info->delete);
|
2009-05-12 16:45:14 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
static pthread_mutex_t eventThreadMutex = PTHREAD_MUTEX_INITIALIZER;
|
|
|
|
static pthread_cond_t eventThreadRunCond = PTHREAD_COND_INITIALIZER;
|
2014-10-28 12:38:04 -06:00
|
|
|
static int eventThreadRunOnce;
|
2009-05-12 16:45:14 +00:00
|
|
|
static pthread_cond_t eventThreadJobCond = PTHREAD_COND_INITIALIZER;
|
2014-10-28 12:38:04 -06:00
|
|
|
static int eventThreadJobDone;
|
2009-05-12 16:45:14 +00:00
|
|
|
|
|
|
|
|
2019-10-14 14:45:03 +02:00
|
|
|
G_GNUC_NORETURN static void *eventThreadLoop(void *data G_GNUC_UNUSED) {
|
2009-05-12 16:45:14 +00:00
|
|
|
while (1) {
|
|
|
|
pthread_mutex_lock(&eventThreadMutex);
|
2014-11-13 15:20:43 +01:00
|
|
|
while (!eventThreadRunOnce)
|
2009-05-12 16:45:14 +00:00
|
|
|
pthread_cond_wait(&eventThreadRunCond, &eventThreadMutex);
|
|
|
|
eventThreadRunOnce = 0;
|
|
|
|
pthread_mutex_unlock(&eventThreadMutex);
|
|
|
|
|
2011-02-24 17:58:04 +00:00
|
|
|
virEventPollRunOnce();
|
2009-05-12 16:45:14 +00:00
|
|
|
|
|
|
|
pthread_mutex_lock(&eventThreadMutex);
|
|
|
|
eventThreadJobDone = 1;
|
|
|
|
pthread_cond_signal(&eventThreadJobCond);
|
|
|
|
pthread_mutex_unlock(&eventThreadMutex);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static int
|
2009-11-30 19:01:31 +00:00
|
|
|
verifyFired(const char *name, int handle, int timer)
|
2009-05-12 16:45:14 +00:00
|
|
|
{
|
|
|
|
int handleFired = 0;
|
|
|
|
int timerFired = 0;
|
Convert 'int i' to 'size_t i' in tests/ files
Convert the type of loop iterators named 'i', 'j', k',
'ii', 'jj', 'kk', to be 'size_t' instead of 'int' or
'unsigned int', also santizing 'ii', 'jj', 'kk' to use
the normal 'i', 'j', 'k' naming
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-07-08 15:09:33 +01:00
|
|
|
size_t i;
|
2013-05-21 15:53:48 +08:00
|
|
|
for (i = 0; i < NUM_FDS; i++) {
|
2009-05-12 16:45:14 +00:00
|
|
|
if (handles[i].fired) {
|
|
|
|
if (i != handle) {
|
2015-09-29 10:55:22 -04:00
|
|
|
testEventReport(name, 1,
|
Convert 'int i' to 'size_t i' in tests/ files
Convert the type of loop iterators named 'i', 'j', k',
'ii', 'jj', 'kk', to be 'size_t' instead of 'int' or
'unsigned int', also santizing 'ii', 'jj', 'kk' to use
the normal 'i', 'j', 'k' naming
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-07-08 15:09:33 +01:00
|
|
|
"Handle %zu fired, but expected %d\n", i,
|
event: fix event-handling allocation crash
Regression introduced in commit e6b68d7 (Nov 2010).
Prior to that point, handlesAlloc was always a multiple of
EVENT_ALLOC_EXTENT (10), and was an int (so even if the subtraction
had been able to wrap, a negative value would be less than the count
not try to free the handles array). But after that point,
VIR_RESIZE_N made handlesAlloc grow geometrically (with a pattern of
10, 20, 30, 45 for the handles array) but still freed in multiples of
EVENT_ALLOC_EXTENT; and the count changed to size_t. Which means that
after 31 handles have been created, then 30 handles destroyed,
handlesAlloc is 5 while handlesCount is 1, and since (size_t)(1 - 5)
is indeed greater than 1, this then tried to free 10 elements, which
had the awful effect of nuking the handles array while there were
still live handles.
Nuking live handles puts libvirtd in an inconsistent state, and was
easily reproducible by starting and then stopping 60 faqemu guests.
* daemon/event.c (virEventCleanupTimeouts, virEventCleanupHandles):
Avoid integer wrap-around causing us to delete the entire array
while entries are still active.
* tests/eventtest.c (mymain): Expose the bug.
2011-01-21 12:57:03 -07:00
|
|
|
handle);
|
2009-05-12 16:45:14 +00:00
|
|
|
return EXIT_FAILURE;
|
|
|
|
} else {
|
|
|
|
if (handles[i].error != EV_ERROR_NONE) {
|
2015-09-29 10:55:22 -04:00
|
|
|
testEventReport(name, 1,
|
Convert 'int i' to 'size_t i' in tests/ files
Convert the type of loop iterators named 'i', 'j', k',
'ii', 'jj', 'kk', to be 'size_t' instead of 'int' or
'unsigned int', also santizing 'ii', 'jj', 'kk' to use
the normal 'i', 'j', 'k' naming
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-07-08 15:09:33 +01:00
|
|
|
"Handle %zu fired, but had error %d\n", i,
|
2009-11-30 19:01:31 +00:00
|
|
|
handles[i].error);
|
2009-05-12 16:45:14 +00:00
|
|
|
return EXIT_FAILURE;
|
|
|
|
}
|
|
|
|
handleFired = 1;
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
if (i == handle) {
|
2015-09-29 10:55:22 -04:00
|
|
|
testEventReport(name, 1,
|
event: fix event-handling allocation crash
Regression introduced in commit e6b68d7 (Nov 2010).
Prior to that point, handlesAlloc was always a multiple of
EVENT_ALLOC_EXTENT (10), and was an int (so even if the subtraction
had been able to wrap, a negative value would be less than the count
not try to free the handles array). But after that point,
VIR_RESIZE_N made handlesAlloc grow geometrically (with a pattern of
10, 20, 30, 45 for the handles array) but still freed in multiples of
EVENT_ALLOC_EXTENT; and the count changed to size_t. Which means that
after 31 handles have been created, then 30 handles destroyed,
handlesAlloc is 5 while handlesCount is 1, and since (size_t)(1 - 5)
is indeed greater than 1, this then tried to free 10 elements, which
had the awful effect of nuking the handles array while there were
still live handles.
Nuking live handles puts libvirtd in an inconsistent state, and was
easily reproducible by starting and then stopping 60 faqemu guests.
* daemon/event.c (virEventCleanupTimeouts, virEventCleanupHandles):
Avoid integer wrap-around causing us to delete the entire array
while entries are still active.
* tests/eventtest.c (mymain): Expose the bug.
2011-01-21 12:57:03 -07:00
|
|
|
"Handle %d should have fired, but didn't\n",
|
|
|
|
handle);
|
2009-05-12 16:45:14 +00:00
|
|
|
return EXIT_FAILURE;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if (handleFired != 1 && handle != -1) {
|
2015-09-29 10:55:22 -04:00
|
|
|
testEventReport(name, 1,
|
event: fix event-handling allocation crash
Regression introduced in commit e6b68d7 (Nov 2010).
Prior to that point, handlesAlloc was always a multiple of
EVENT_ALLOC_EXTENT (10), and was an int (so even if the subtraction
had been able to wrap, a negative value would be less than the count
not try to free the handles array). But after that point,
VIR_RESIZE_N made handlesAlloc grow geometrically (with a pattern of
10, 20, 30, 45 for the handles array) but still freed in multiples of
EVENT_ALLOC_EXTENT; and the count changed to size_t. Which means that
after 31 handles have been created, then 30 handles destroyed,
handlesAlloc is 5 while handlesCount is 1, and since (size_t)(1 - 5)
is indeed greater than 1, this then tried to free 10 elements, which
had the awful effect of nuking the handles array while there were
still live handles.
Nuking live handles puts libvirtd in an inconsistent state, and was
easily reproducible by starting and then stopping 60 faqemu guests.
* daemon/event.c (virEventCleanupTimeouts, virEventCleanupHandles):
Avoid integer wrap-around causing us to delete the entire array
while entries are still active.
* tests/eventtest.c (mymain): Expose the bug.
2011-01-21 12:57:03 -07:00
|
|
|
"Something weird happened, expecting handle %d\n",
|
|
|
|
handle);
|
2009-05-12 16:45:14 +00:00
|
|
|
return EXIT_FAILURE;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2013-05-21 15:53:48 +08:00
|
|
|
for (i = 0; i < NUM_TIME; i++) {
|
2009-05-12 16:45:14 +00:00
|
|
|
if (timers[i].fired) {
|
|
|
|
if (i != timer) {
|
2015-09-29 10:55:22 -04:00
|
|
|
testEventReport(name, 1,
|
Convert 'int i' to 'size_t i' in tests/ files
Convert the type of loop iterators named 'i', 'j', k',
'ii', 'jj', 'kk', to be 'size_t' instead of 'int' or
'unsigned int', also santizing 'ii', 'jj', 'kk' to use
the normal 'i', 'j', 'k' naming
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-07-08 15:09:33 +01:00
|
|
|
"Timer %zu fired, but expected %d\n", i, timer);
|
2009-05-12 16:45:14 +00:00
|
|
|
return EXIT_FAILURE;
|
|
|
|
} else {
|
|
|
|
if (timers[i].error != EV_ERROR_NONE) {
|
2015-09-29 10:55:22 -04:00
|
|
|
testEventReport(name, 1,
|
Convert 'int i' to 'size_t i' in tests/ files
Convert the type of loop iterators named 'i', 'j', k',
'ii', 'jj', 'kk', to be 'size_t' instead of 'int' or
'unsigned int', also santizing 'ii', 'jj', 'kk' to use
the normal 'i', 'j', 'k' naming
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-07-08 15:09:33 +01:00
|
|
|
"Timer %zu fired, but had error %d\n", i,
|
2009-11-30 19:01:31 +00:00
|
|
|
timers[i].error);
|
2009-05-12 16:45:14 +00:00
|
|
|
return EXIT_FAILURE;
|
|
|
|
}
|
|
|
|
timerFired = 1;
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
if (i == timer) {
|
2015-09-29 10:55:22 -04:00
|
|
|
testEventReport(name, 1,
|
event: fix event-handling allocation crash
Regression introduced in commit e6b68d7 (Nov 2010).
Prior to that point, handlesAlloc was always a multiple of
EVENT_ALLOC_EXTENT (10), and was an int (so even if the subtraction
had been able to wrap, a negative value would be less than the count
not try to free the handles array). But after that point,
VIR_RESIZE_N made handlesAlloc grow geometrically (with a pattern of
10, 20, 30, 45 for the handles array) but still freed in multiples of
EVENT_ALLOC_EXTENT; and the count changed to size_t. Which means that
after 31 handles have been created, then 30 handles destroyed,
handlesAlloc is 5 while handlesCount is 1, and since (size_t)(1 - 5)
is indeed greater than 1, this then tried to free 10 elements, which
had the awful effect of nuking the handles array while there were
still live handles.
Nuking live handles puts libvirtd in an inconsistent state, and was
easily reproducible by starting and then stopping 60 faqemu guests.
* daemon/event.c (virEventCleanupTimeouts, virEventCleanupHandles):
Avoid integer wrap-around causing us to delete the entire array
while entries are still active.
* tests/eventtest.c (mymain): Expose the bug.
2011-01-21 12:57:03 -07:00
|
|
|
"Timer %d should have fired, but didn't\n",
|
|
|
|
timer);
|
2009-05-12 16:45:14 +00:00
|
|
|
return EXIT_FAILURE;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if (timerFired != 1 && timer != -1) {
|
2015-09-29 10:55:22 -04:00
|
|
|
testEventReport(name, 1,
|
event: fix event-handling allocation crash
Regression introduced in commit e6b68d7 (Nov 2010).
Prior to that point, handlesAlloc was always a multiple of
EVENT_ALLOC_EXTENT (10), and was an int (so even if the subtraction
had been able to wrap, a negative value would be less than the count
not try to free the handles array). But after that point,
VIR_RESIZE_N made handlesAlloc grow geometrically (with a pattern of
10, 20, 30, 45 for the handles array) but still freed in multiples of
EVENT_ALLOC_EXTENT; and the count changed to size_t. Which means that
after 31 handles have been created, then 30 handles destroyed,
handlesAlloc is 5 while handlesCount is 1, and since (size_t)(1 - 5)
is indeed greater than 1, this then tried to free 10 elements, which
had the awful effect of nuking the handles array while there were
still live handles.
Nuking live handles puts libvirtd in an inconsistent state, and was
easily reproducible by starting and then stopping 60 faqemu guests.
* daemon/event.c (virEventCleanupTimeouts, virEventCleanupHandles):
Avoid integer wrap-around causing us to delete the entire array
while entries are still active.
* tests/eventtest.c (mymain): Expose the bug.
2011-01-21 12:57:03 -07:00
|
|
|
"Something weird happened, expecting timer %d\n",
|
|
|
|
timer);
|
2009-05-12 16:45:14 +00:00
|
|
|
return EXIT_FAILURE;
|
|
|
|
}
|
|
|
|
return EXIT_SUCCESS;
|
|
|
|
}
|
|
|
|
|
|
|
|
static void
|
2009-11-30 19:01:31 +00:00
|
|
|
startJob(void)
|
2009-05-12 16:45:14 +00:00
|
|
|
{
|
|
|
|
eventThreadRunOnce = 1;
|
|
|
|
eventThreadJobDone = 0;
|
|
|
|
pthread_cond_signal(&eventThreadRunCond);
|
|
|
|
pthread_mutex_unlock(&eventThreadMutex);
|
|
|
|
sched_yield();
|
|
|
|
pthread_mutex_lock(&eventThreadMutex);
|
|
|
|
}
|
|
|
|
|
|
|
|
static int
|
2009-11-30 19:01:31 +00:00
|
|
|
finishJob(const char *name, int handle, int timer)
|
2009-05-12 16:45:14 +00:00
|
|
|
{
|
|
|
|
struct timespec waitTime;
|
|
|
|
int rc;
|
2016-11-19 20:42:27 +03:00
|
|
|
#if HAVE_MACH_CLOCK_ROUTINES
|
|
|
|
clock_serv_t cclock;
|
|
|
|
mach_timespec_t mts;
|
|
|
|
|
|
|
|
host_get_clock_service(mach_host_self(), CALENDAR_CLOCK, &cclock);
|
|
|
|
clock_get_time(cclock, &mts);
|
|
|
|
mach_port_deallocate(mach_task_self(), cclock);
|
|
|
|
waitTime.tv_sec = mts.tv_sec;
|
|
|
|
waitTime.tv_nsec = mts.tv_nsec;
|
|
|
|
#else
|
2009-05-12 16:45:14 +00:00
|
|
|
clock_gettime(CLOCK_REALTIME, &waitTime);
|
2016-11-19 20:42:27 +03:00
|
|
|
#endif
|
2009-05-12 16:45:14 +00:00
|
|
|
waitTime.tv_sec += 5;
|
|
|
|
rc = 0;
|
|
|
|
while (!eventThreadJobDone && rc == 0)
|
event: fix event-handling allocation crash
Regression introduced in commit e6b68d7 (Nov 2010).
Prior to that point, handlesAlloc was always a multiple of
EVENT_ALLOC_EXTENT (10), and was an int (so even if the subtraction
had been able to wrap, a negative value would be less than the count
not try to free the handles array). But after that point,
VIR_RESIZE_N made handlesAlloc grow geometrically (with a pattern of
10, 20, 30, 45 for the handles array) but still freed in multiples of
EVENT_ALLOC_EXTENT; and the count changed to size_t. Which means that
after 31 handles have been created, then 30 handles destroyed,
handlesAlloc is 5 while handlesCount is 1, and since (size_t)(1 - 5)
is indeed greater than 1, this then tried to free 10 elements, which
had the awful effect of nuking the handles array while there were
still live handles.
Nuking live handles puts libvirtd in an inconsistent state, and was
easily reproducible by starting and then stopping 60 faqemu guests.
* daemon/event.c (virEventCleanupTimeouts, virEventCleanupHandles):
Avoid integer wrap-around causing us to delete the entire array
while entries are still active.
* tests/eventtest.c (mymain): Expose the bug.
2011-01-21 12:57:03 -07:00
|
|
|
rc = pthread_cond_timedwait(&eventThreadJobCond, &eventThreadMutex,
|
|
|
|
&waitTime);
|
2009-05-12 16:45:14 +00:00
|
|
|
if (rc != 0) {
|
2015-09-29 10:55:22 -04:00
|
|
|
testEventReport(name, 1, "Timed out waiting for pipe event\n");
|
2009-05-12 16:45:14 +00:00
|
|
|
return EXIT_FAILURE;
|
|
|
|
}
|
|
|
|
|
2009-11-30 19:01:31 +00:00
|
|
|
if (verifyFired(name, handle, timer) != EXIT_SUCCESS)
|
2009-05-12 16:45:14 +00:00
|
|
|
return EXIT_FAILURE;
|
|
|
|
|
2015-09-29 10:55:22 -04:00
|
|
|
testEventReport(name, 0, NULL);
|
2009-05-12 16:45:14 +00:00
|
|
|
return EXIT_SUCCESS;
|
|
|
|
}
|
|
|
|
|
|
|
|
static void
|
|
|
|
resetAll(void)
|
|
|
|
{
|
Convert 'int i' to 'size_t i' in tests/ files
Convert the type of loop iterators named 'i', 'j', k',
'ii', 'jj', 'kk', to be 'size_t' instead of 'int' or
'unsigned int', also santizing 'ii', 'jj', 'kk' to use
the normal 'i', 'j', 'k' naming
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-07-08 15:09:33 +01:00
|
|
|
size_t i;
|
2013-05-21 15:53:48 +08:00
|
|
|
for (i = 0; i < NUM_FDS; i++) {
|
2009-05-12 16:45:14 +00:00
|
|
|
handles[i].fired = 0;
|
|
|
|
handles[i].error = EV_ERROR_NONE;
|
|
|
|
}
|
2013-05-21 15:53:48 +08:00
|
|
|
for (i = 0; i < NUM_TIME; i++) {
|
2009-05-12 16:45:14 +00:00
|
|
|
timers[i].fired = 0;
|
|
|
|
timers[i].error = EV_ERROR_NONE;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
static int
|
2011-04-29 10:21:20 -06:00
|
|
|
mymain(void)
|
2009-05-12 16:45:14 +00:00
|
|
|
{
|
Convert 'int i' to 'size_t i' in tests/ files
Convert the type of loop iterators named 'i', 'j', k',
'ii', 'jj', 'kk', to be 'size_t' instead of 'int' or
'unsigned int', also santizing 'ii', 'jj', 'kk' to use
the normal 'i', 'j', 'k' naming
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-07-08 15:09:33 +01:00
|
|
|
size_t i;
|
2009-05-12 16:45:14 +00:00
|
|
|
pthread_t eventThread;
|
|
|
|
char one = '1';
|
|
|
|
|
2013-05-21 15:53:48 +08:00
|
|
|
for (i = 0; i < NUM_FDS; i++) {
|
2009-05-12 16:45:14 +00:00
|
|
|
if (pipe(handles[i].pipeFD) < 0) {
|
|
|
|
fprintf(stderr, "Cannot create pipe: %d", errno);
|
|
|
|
return EXIT_FAILURE;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
char *debugEnv = getenv("LIBVIRT_DEBUG");
|
2016-03-21 14:35:37 +01:00
|
|
|
if (debugEnv && *debugEnv &&
|
|
|
|
(virLogSetDefaultPriority(virLogParseDefaultPriority(debugEnv)) < 0)) {
|
2009-08-06 15:55:07 +02:00
|
|
|
fprintf(stderr, "Invalid log level setting.\n");
|
|
|
|
return EXIT_FAILURE;
|
2009-05-12 16:45:14 +00:00
|
|
|
}
|
|
|
|
|
2011-02-24 17:58:04 +00:00
|
|
|
virEventPollInit();
|
2009-05-12 16:45:14 +00:00
|
|
|
|
2013-05-21 15:53:48 +08:00
|
|
|
for (i = 0; i < NUM_FDS; i++) {
|
2009-05-12 16:45:14 +00:00
|
|
|
handles[i].delete = -1;
|
|
|
|
handles[i].watch =
|
2011-02-24 17:58:04 +00:00
|
|
|
virEventPollAddHandle(handles[i].pipeFD[0],
|
2009-05-12 16:45:14 +00:00
|
|
|
VIR_EVENT_HANDLE_READABLE,
|
|
|
|
testPipeReader,
|
|
|
|
&handles[i], NULL);
|
|
|
|
}
|
|
|
|
|
2013-05-21 15:53:48 +08:00
|
|
|
for (i = 0; i < NUM_TIME; i++) {
|
2009-05-12 16:45:14 +00:00
|
|
|
timers[i].delete = -1;
|
|
|
|
timers[i].timeout = -1;
|
|
|
|
timers[i].timer =
|
2011-02-24 17:58:04 +00:00
|
|
|
virEventPollAddTimeout(timers[i].timeout,
|
2009-05-12 16:45:14 +00:00
|
|
|
testTimer,
|
|
|
|
&timers[i], NULL);
|
|
|
|
}
|
|
|
|
|
|
|
|
pthread_create(&eventThread, NULL, eventThreadLoop, NULL);
|
|
|
|
|
|
|
|
pthread_mutex_lock(&eventThreadMutex);
|
|
|
|
|
|
|
|
/* First time, is easy - just try triggering one of our
|
|
|
|
* registered handles */
|
2009-11-30 19:01:31 +00:00
|
|
|
startJob();
|
2009-09-03 18:25:03 +02:00
|
|
|
if (safewrite(handles[1].pipeFD[1], &one, 1) != 1)
|
|
|
|
return EXIT_FAILURE;
|
2009-11-30 19:01:31 +00:00
|
|
|
if (finishJob("Simple write", 1, -1) != EXIT_SUCCESS)
|
2009-05-12 16:45:14 +00:00
|
|
|
return EXIT_FAILURE;
|
|
|
|
|
|
|
|
resetAll();
|
|
|
|
|
|
|
|
/* Now lets delete one before starting poll(), and
|
|
|
|
* try triggering another handle */
|
2011-02-24 17:58:04 +00:00
|
|
|
virEventPollRemoveHandle(handles[0].watch);
|
2009-11-30 19:01:31 +00:00
|
|
|
startJob();
|
2009-09-03 18:25:03 +02:00
|
|
|
if (safewrite(handles[1].pipeFD[1], &one, 1) != 1)
|
|
|
|
return EXIT_FAILURE;
|
2009-11-30 19:01:31 +00:00
|
|
|
if (finishJob("Deleted before poll", 1, -1) != EXIT_SUCCESS)
|
2009-05-12 16:45:14 +00:00
|
|
|
return EXIT_FAILURE;
|
|
|
|
|
|
|
|
resetAll();
|
|
|
|
|
|
|
|
/* Next lets delete *during* poll, which should interrupt
|
|
|
|
* the loop with no event showing */
|
|
|
|
|
|
|
|
/* NB: this case is subject to a bit of a race condition.
|
|
|
|
* We yield & sleep, and pray that the other thread gets
|
2011-02-24 17:58:04 +00:00
|
|
|
* scheduled before we run EventRemoveHandle */
|
2009-11-30 19:01:31 +00:00
|
|
|
startJob();
|
2009-05-12 16:45:14 +00:00
|
|
|
pthread_mutex_unlock(&eventThreadMutex);
|
|
|
|
sched_yield();
|
2019-10-02 18:01:11 +01:00
|
|
|
g_usleep(100 * 1000);
|
2009-05-12 16:45:14 +00:00
|
|
|
pthread_mutex_lock(&eventThreadMutex);
|
2011-02-24 17:58:04 +00:00
|
|
|
virEventPollRemoveHandle(handles[1].watch);
|
2009-11-30 19:01:31 +00:00
|
|
|
if (finishJob("Interrupted during poll", -1, -1) != EXIT_SUCCESS)
|
2009-05-12 16:45:14 +00:00
|
|
|
return EXIT_FAILURE;
|
|
|
|
|
|
|
|
resetAll();
|
|
|
|
|
|
|
|
/* Getting more fun, lets delete a later handle during dispatch */
|
|
|
|
|
|
|
|
/* NB: this case is subject to a bit of a race condition.
|
|
|
|
* Only 1 time in 3 does the 2nd write get triggered by
|
2009-05-12 20:44:29 +00:00
|
|
|
* before poll() exits for the first safewrite(). We don't
|
2009-05-12 16:45:14 +00:00
|
|
|
* see a hard failure in other cases, so nothing to worry
|
|
|
|
* about */
|
2009-11-30 19:01:31 +00:00
|
|
|
startJob();
|
2009-05-12 16:45:14 +00:00
|
|
|
handles[2].delete = handles[3].watch;
|
2009-09-03 18:25:03 +02:00
|
|
|
if (safewrite(handles[2].pipeFD[1], &one, 1) != 1
|
|
|
|
|| safewrite(handles[3].pipeFD[1], &one, 1) != 1)
|
|
|
|
return EXIT_FAILURE;
|
2009-11-30 19:01:31 +00:00
|
|
|
if (finishJob("Deleted during dispatch", 2, -1) != EXIT_SUCCESS)
|
2009-05-12 16:45:14 +00:00
|
|
|
return EXIT_FAILURE;
|
|
|
|
|
|
|
|
resetAll();
|
|
|
|
|
|
|
|
/* Extreme fun, lets delete ourselves during dispatch */
|
2009-11-30 19:01:31 +00:00
|
|
|
startJob();
|
2009-05-12 16:45:14 +00:00
|
|
|
handles[2].delete = handles[2].watch;
|
2009-09-03 18:25:03 +02:00
|
|
|
if (safewrite(handles[2].pipeFD[1], &one, 1) != 1)
|
|
|
|
return EXIT_FAILURE;
|
2009-11-30 19:01:31 +00:00
|
|
|
if (finishJob("Deleted during dispatch", 2, -1) != EXIT_SUCCESS)
|
2009-05-12 16:45:14 +00:00
|
|
|
return EXIT_FAILURE;
|
|
|
|
|
|
|
|
resetAll();
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/* Run a timer on its own */
|
2011-02-24 17:58:04 +00:00
|
|
|
virEventPollUpdateTimeout(timers[1].timer, 100);
|
2009-11-30 19:01:31 +00:00
|
|
|
startJob();
|
|
|
|
if (finishJob("Firing a timer", -1, 1) != EXIT_SUCCESS)
|
2009-05-12 16:45:14 +00:00
|
|
|
return EXIT_FAILURE;
|
2011-02-24 17:58:04 +00:00
|
|
|
virEventPollUpdateTimeout(timers[1].timer, -1);
|
2009-05-12 16:45:14 +00:00
|
|
|
|
|
|
|
resetAll();
|
|
|
|
|
|
|
|
/* Now lets delete one before starting poll(), and
|
|
|
|
* try triggering another timer */
|
2011-02-24 17:58:04 +00:00
|
|
|
virEventPollUpdateTimeout(timers[1].timer, 100);
|
|
|
|
virEventPollRemoveTimeout(timers[0].timer);
|
2009-11-30 19:01:31 +00:00
|
|
|
startJob();
|
|
|
|
if (finishJob("Deleted before poll", -1, 1) != EXIT_SUCCESS)
|
2009-05-12 16:45:14 +00:00
|
|
|
return EXIT_FAILURE;
|
2011-02-24 17:58:04 +00:00
|
|
|
virEventPollUpdateTimeout(timers[1].timer, -1);
|
2009-05-12 16:45:14 +00:00
|
|
|
|
|
|
|
resetAll();
|
|
|
|
|
|
|
|
/* Next lets delete *during* poll, which should interrupt
|
|
|
|
* the loop with no event showing */
|
|
|
|
|
|
|
|
/* NB: this case is subject to a bit of a race condition.
|
|
|
|
* We yield & sleep, and pray that the other thread gets
|
2011-02-24 17:58:04 +00:00
|
|
|
* scheduled before we run EventRemoveTimeout */
|
2009-11-30 19:01:31 +00:00
|
|
|
startJob();
|
2009-05-12 16:45:14 +00:00
|
|
|
pthread_mutex_unlock(&eventThreadMutex);
|
|
|
|
sched_yield();
|
2019-10-02 18:01:11 +01:00
|
|
|
g_usleep(100 * 1000);
|
2009-05-12 16:45:14 +00:00
|
|
|
pthread_mutex_lock(&eventThreadMutex);
|
2011-02-24 17:58:04 +00:00
|
|
|
virEventPollRemoveTimeout(timers[1].timer);
|
2009-11-30 19:01:31 +00:00
|
|
|
if (finishJob("Interrupted during poll", -1, -1) != EXIT_SUCCESS)
|
2009-05-12 16:45:14 +00:00
|
|
|
return EXIT_FAILURE;
|
|
|
|
|
|
|
|
resetAll();
|
|
|
|
|
|
|
|
/* Getting more fun, lets delete a later timer during dispatch */
|
|
|
|
|
|
|
|
/* NB: this case is subject to a bit of a race condition.
|
|
|
|
* Only 1 time in 3 does the 2nd write get triggered by
|
2009-05-12 20:44:29 +00:00
|
|
|
* before poll() exits for the first safewrite(). We don't
|
2009-05-12 16:45:14 +00:00
|
|
|
* see a hard failure in other cases, so nothing to worry
|
|
|
|
* about */
|
2011-02-24 17:58:04 +00:00
|
|
|
virEventPollUpdateTimeout(timers[2].timer, 100);
|
|
|
|
virEventPollUpdateTimeout(timers[3].timer, 100);
|
2009-11-30 19:01:31 +00:00
|
|
|
startJob();
|
2009-05-12 16:45:14 +00:00
|
|
|
timers[2].delete = timers[3].timer;
|
2009-11-30 19:01:31 +00:00
|
|
|
if (finishJob("Deleted during dispatch", -1, 2) != EXIT_SUCCESS)
|
2009-05-12 16:45:14 +00:00
|
|
|
return EXIT_FAILURE;
|
2011-02-24 17:58:04 +00:00
|
|
|
virEventPollUpdateTimeout(timers[2].timer, -1);
|
2009-05-12 16:45:14 +00:00
|
|
|
|
|
|
|
resetAll();
|
|
|
|
|
|
|
|
/* Extreme fun, lets delete ourselves during dispatch */
|
2011-02-24 17:58:04 +00:00
|
|
|
virEventPollUpdateTimeout(timers[2].timer, 100);
|
2009-11-30 19:01:31 +00:00
|
|
|
startJob();
|
2009-05-12 16:45:14 +00:00
|
|
|
timers[2].delete = timers[2].timer;
|
2009-11-30 19:01:31 +00:00
|
|
|
if (finishJob("Deleted during dispatch", -1, 2) != EXIT_SUCCESS)
|
2009-05-12 16:45:14 +00:00
|
|
|
return EXIT_FAILURE;
|
|
|
|
|
2013-05-21 15:53:48 +08:00
|
|
|
for (i = 0; i < NUM_FDS - 1; i++)
|
2011-02-24 17:58:04 +00:00
|
|
|
virEventPollRemoveHandle(handles[i].watch);
|
2013-05-21 15:53:48 +08:00
|
|
|
for (i = 0; i < NUM_TIME - 1; i++)
|
2011-02-24 17:58:04 +00:00
|
|
|
virEventPollRemoveTimeout(timers[i].timer);
|
2009-05-12 16:45:14 +00:00
|
|
|
|
2009-08-24 17:27:55 +01:00
|
|
|
resetAll();
|
|
|
|
|
event: fix event-handling allocation crash
Regression introduced in commit e6b68d7 (Nov 2010).
Prior to that point, handlesAlloc was always a multiple of
EVENT_ALLOC_EXTENT (10), and was an int (so even if the subtraction
had been able to wrap, a negative value would be less than the count
not try to free the handles array). But after that point,
VIR_RESIZE_N made handlesAlloc grow geometrically (with a pattern of
10, 20, 30, 45 for the handles array) but still freed in multiples of
EVENT_ALLOC_EXTENT; and the count changed to size_t. Which means that
after 31 handles have been created, then 30 handles destroyed,
handlesAlloc is 5 while handlesCount is 1, and since (size_t)(1 - 5)
is indeed greater than 1, this then tried to free 10 elements, which
had the awful effect of nuking the handles array while there were
still live handles.
Nuking live handles puts libvirtd in an inconsistent state, and was
easily reproducible by starting and then stopping 60 faqemu guests.
* daemon/event.c (virEventCleanupTimeouts, virEventCleanupHandles):
Avoid integer wrap-around causing us to delete the entire array
while entries are still active.
* tests/eventtest.c (mymain): Expose the bug.
2011-01-21 12:57:03 -07:00
|
|
|
/* Make sure the last handle still works several times in a row. */
|
|
|
|
for (i = 0; i < 4; i++) {
|
|
|
|
startJob();
|
|
|
|
if (safewrite(handles[NUM_FDS - 1].pipeFD[1], &one, 1) != 1)
|
|
|
|
return EXIT_FAILURE;
|
|
|
|
if (finishJob("Simple write", NUM_FDS - 1, -1) != EXIT_SUCCESS)
|
|
|
|
return EXIT_FAILURE;
|
|
|
|
|
|
|
|
resetAll();
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2009-08-24 17:27:55 +01:00
|
|
|
/* Final test, register same FD twice, once with no
|
|
|
|
* events, and make sure the right callback runs */
|
|
|
|
handles[0].pipeFD[0] = handles[1].pipeFD[0];
|
|
|
|
handles[0].pipeFD[1] = handles[1].pipeFD[1];
|
|
|
|
|
2011-02-24 17:58:04 +00:00
|
|
|
handles[0].watch = virEventPollAddHandle(handles[0].pipeFD[0],
|
2009-08-24 17:27:55 +01:00
|
|
|
0,
|
|
|
|
testPipeReader,
|
|
|
|
&handles[0], NULL);
|
2011-02-24 17:58:04 +00:00
|
|
|
handles[1].watch = virEventPollAddHandle(handles[1].pipeFD[0],
|
2009-08-24 17:27:55 +01:00
|
|
|
VIR_EVENT_HANDLE_READABLE,
|
|
|
|
testPipeReader,
|
|
|
|
&handles[1], NULL);
|
2009-11-30 19:01:31 +00:00
|
|
|
startJob();
|
2009-09-03 18:25:03 +02:00
|
|
|
if (safewrite(handles[1].pipeFD[1], &one, 1) != 1)
|
|
|
|
return EXIT_FAILURE;
|
2009-11-30 19:01:31 +00:00
|
|
|
if (finishJob("Write duplicate", 1, -1) != EXIT_SUCCESS)
|
2009-08-24 17:27:55 +01:00
|
|
|
return EXIT_FAILURE;
|
2009-05-12 16:45:14 +00:00
|
|
|
|
2017-04-27 08:47:19 +02:00
|
|
|
/* pthread_kill(eventThread, SIGTERM); */
|
2009-05-12 16:45:14 +00:00
|
|
|
|
|
|
|
return EXIT_SUCCESS;
|
|
|
|
}
|
|
|
|
|
2017-03-29 16:45:42 +02:00
|
|
|
VIR_TEST_MAIN(mymain)
|