Pure virtual function called when Session object is being destructed

Description

After the destructor of a Session object is called, it will go to its parent class's destructor (SessionBase). Sometimes, when the SessionBase destructor is calling event_loop->join(), some other thread will try to call the Session object's on_host_up() method. Since the Session object is already destructed, on_host_up() becomes a pure virtual method, hence the crash.

Stack trace:
[worker]
#0 0x00007ffff67c84f5 in raise () from /lib64/libc.so.6
#1 0x00007ffff67c9cd5 in abort () from /lib64/libc.so.6
#2 0x00007fffef22d61d in __gnu_cxx::__verbose_terminate_handler () at ../../../../src/gcc-6.2.0/libstdc++-v3/libsupc++/vterminate.cc:95
#3 0x00007fffef22b5e6 in __cxxabiv1::__terminate (handler=<optimized out>) at ../../../../src/gcc-6.2.0/libstdc++-v3/libsupc++/eh_terminate.cc:47
#4 0x00007fffef22b631 in std::terminate () at ../../../../src/gcc-6.2.0/libstdc++-v3/libsupc++/eh_terminate.cc:57
#5 0x00007fffef22c10f in __cxxabiv1::__cxa_pure_virtual () at ../../../../src/gcc-6.2.0/libstdc++-v3/libsupc++/pure.cc:50
#6 0x00007fffefb752cd in cass::ClusterEvent::process_event (event=..., listener=0x7e2b70)
at cpp-driver-2.12.0/src/cluster.cpp:139
#7 0x00007fffefb786dc in cass::Cluster::notify_or_record (this=0x7fffdc068f70, event=...)
at cpp-driver-2.12.0/src/cluster.cpp:687
#8 0x00007fffefb77645 in cass::Cluster::notify_host_up_after_prepare (this=0x7fffdc068f70, host=...)
at cpp-driver-2.12.0/src/cluster.cpp:545
#9 0x00007fffefb78901 in cass::Cluster::on_prepare_host_up (this=0x7fffdc068f70, handler=0x7fffdc005700)
at cpp-driver-2.12.0/src/cluster.cpp:713
#10 0x00007fffefb89593 in cass::Callback<void, cass::PrepareHostHandler const*>::MemberInvoker<void (cass::Cluster::*)(cass::PrepareHostHandler const*), cass::Cluster>::invoke (this=0x7fffdc005728, arg=@0x7fffea8e6d48: 0x7fffdc005700)
at cpp-driver-2.12.0/src/callback.hpp:94
#11 0x00007fffefbfc408 in cass::Callback<void, cass::PrepareHostHandler const*>::operator() (this=0x7fffdc005720, arg=@0x7fffea8e6d48: 0x7fffdc005700)
at cpp-driver-2.12.0/src/callback.hpp:71
#12 0x00007fffefbfb3e9 in cass::PrepareHostHandler::on_close (this=0x7fffdc005700, connection=0x7fffdc000ad0)
at cpp-driver-2.12.0/src/prepare_host_handler.cpp:77
#13 0x00007fffefc93e44 in cass::Connection::on_close (this=0x7fffdc000ad0)
at cpp-driver-2.12.0/src/connection.cpp:351
#14 0x00007fffefc929de in cass::ConnectionHandler::on_close (this=0x7fffdc000960)
at cpp-driver-2.12.0/src/connection.cpp:84
#15 0x00007fffefcbeb8c in cass::Socket::handle_close (this=0x7fffdc8047f0)
at cpp-driver-2.12.0/src/socket.cpp:392
#16 0x00007fffefcbea8d in cass::Socket::on_close (handle=0x7fffdc8047f8)
at cpp-driver-2.12.0/src/socket.cpp:377
#17 0x00007fffefce6bd5 in uv__finish_close (handle=0x7fffdc8047f8) at src/unix/core.c:282
#18 uv__run_closing_handles (loop=0x7e4358) at src/unix/core.c:296
#19 uv_run (loop=0x7e4358, mode=UV_RUN_DEFAULT) at src/unix/core.c:366
#20 0x00007fffefbbd1ec in cass::EventLoop::handle_run (this=0x7e4350)
at cpp-driver-2.12.0/src/event_loop.cpp:172
#21 0x00007fffefbbd1ae in cass::EventLoop::internal_on_run (arg=0x7e4350)
at cpp-driver-2.12.0/src/event_loop.cpp:167
#22 0x00007ffff73c4aa1 in start_thread () from /lib64/libpthread.so.0
#23 0x00007ffff687ec4d in clone () from /lib64/libc.so.6

[main]
#0 0x00007ffff73c52fd in pthread_join () from /lib64/libpthread.so.0
#1 0x00007fffefcee95e in uv_thread_join (tid=<optimized out>) at src/unix/thread.c:252
#2 0x00007fffefbbce4e in cass::EventLoop::join (this=0x7e4350)
at cpp-driver-2.12.0/src/event_loop.cpp:105
#3 0x00007fffefc1b125 in cass::SessionBase::~SessionBase (this=0x7e2b70, __in_chrg=<optimized out>)
at cpp-driver-2.12.0/src/session_base.cpp:49
#4 0x00007fffefc14b5c in cass::Session::~Session (this=0x7e2b70, __in_chrg=<optimized out>)
at cpp-driver-2.12.0/src/session.cpp:300
#5 0x00007fffefc14c1c in cass::Session::~Session (this=0x7e2b70, __in_chrg=<optimized out>)
at cpp-driver-2.12.0/src/session.cpp:303
#6 0x00007fffefc13f3c in cass_session_free (session=0x7e2b70)
at cpp-driver-2.12.0/src/session.cpp:46
[outside of cpp-driver-2.12.0 library]
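The destruction order described above and shown in the [main] trace, as an added single-threaded example that is not driver code: a stand-in EventLoop, a hypothetical SessionBase/Session pair, and a second session that tears the loop down in the most-derived destructor. on_host_up() is made non-pure and logging here so the wrong dispatch is observable rather than aborting, and the fix shown is a general remedy for this ordering, not a description of PR 483.

```cpp
#include <functional>
#include <string>
#include <vector>
// Stand-in for the driver's event loop (added example, not driver code):
// queued callbacks run when the loop is drained, like pending libuv close
// handles still running while uv_thread_join() waits in EventLoop::join().
struct EventLoop {
    std::vector<std::function<void()>> pending;
    void drain() {
        for (auto& cb : pending) cb();
        pending.clear();
    }
};
struct SessionBase {
    EventLoop* loop; std::string* log;  // log records which overrider ran
    SessionBase(EventLoop* l, std::string* lg) : loop(l), log(lg) {}
    // Pure virtual in the driver; a logging base version is used here so the
    // wrong dispatch is observable instead of aborting.
    virtual void on_host_up() { *log += "base;"; }
    // Models Cluster keeping the listener as a base pointer and notifying it.
    void queue_host_up() {
        SessionBase* self = this;
        loop->pending.push_back([self] { self->on_host_up(); });
    }
    // Buggy order: the base destructor waits for the loop after ~Session has
    // run, so the vtable already points at SessionBase and the queued call
    // lands on the base version (with a pure virtual: __cxa_pure_virtual).
    virtual ~SessionBase() { loop->drain(); }
};
struct BuggySession : SessionBase {
    using SessionBase::SessionBase;
    void on_host_up() override { *log += "session;"; }
};
struct FixedSession : SessionBase {
    using SessionBase::SessionBase;
    void on_host_up() override { *log += "session;"; }
    // Fix: finish the loop in the most-derived destructor, while the object
    // is still a FixedSession, so no queued event can reach a destroyed part.
    ~FixedSession() override { loop->drain(); }
};
// Destroys a session with a host-up notification still pending and returns
// the log, i.e. which overrider that notification reached.
template <class S> std::string destroy_with_pending_event() {
    EventLoop loop;
    std::string log;
    { S s(&loop, &log); s.queue_host_up(); }  // ~S runs with the event queued
    return log;
}
std::string buggy_order() { return destroy_with_pending_event<BuggySession>(); }
std::string fixed_order() { return destroy_with_pending_event<FixedSession>(); }
```

In the buggy order the notification reaches SessionBase::on_host_up even though the object was created as a BuggySession, which is exactly why a pure virtual base aborts; the fixed order reaches the Session override.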

Environment

CentOS 6.1, gcc 7.3.0

Pull Requests

None

Activity

Michael Penick
August 19, 2020, 12:39 PM

Thanks for the bug report. I'll take a look.

Michael Penick
August 19, 2020, 7:47 PM

I think this is a lifetime bug where `Cluster`'s lifetime ends before `PrepareHostHandler`'s lifetime.

Michael Penick
August 20, 2020, 6:18 PM

Created a draft PR: https://github.com/datastax/cpp-driver/pull/483. I'm going to attempt to reproduce the original issue using the unpatched code (which might be hard) to ensure the changes are indeed fixing the issue.

Assignee

Unassigned

Reporter

Heng Xiao

Labels

None

PM Priority

None

Reproduced in

None

External issue ID

None

Doc Impact

None

Reviewer

None

Pull Request

None

Size

None

Affects versions

Priority

Critical