My Oracle Support Banner

Process Crash Occurs Using Tuxedo tpfree() API With A Pointer That Is Already Released Implicitly By tprealloc() (Doc ID 2139893.1)

Last updated on MAY 30, 2023

Applies to:

Oracle Tuxedo - Version 12.1.3 and later
Information in this document applies to any platform.

Symptoms

On Tuxedo 12.1.3: If request Tuxedo buffer is reallocated in another thread, Tuxedo crashes after trying to call Tuxedo API  tpfree() the original request buffer which is implicitly freed by Tuxedo API tprealloc().

Tuxedo tprealloc() happened in a different thread, reallocated buffer is freed (0x0x1cb6ad8) but it also tries to free original buffer that was reallocated (0x0x1cb14b8) and then crashes (Tuxedo ubb configuration group/serverid TMS_GROUP/400)

Tuxedo ULOG, with Tuxedo tracing turned on, contains-

134839.830.tuxMachine!MULTI.....: TRACE:at: { tpservice({"DOREALLOC_M", 0x0, 0x0x1cb14b8, 4096, 0, 0, {1458733712, 0, 56}})
134839.834.tuxMachine!MULTI.....: TRACE:tr: trace("*:ulog:dye")
134839.834.tuxMachine!MULTI.....: TRACE:tr: dye
134839.835.tuxMachine!MULTI.....: TRACE:at: { tprealloc(0x0x1cb14b8, 16384)
134839.835.tuxMachine!MULTI.....: TRACE:at: } tprealloc = 0x0x1cb6ad8
134839.836.tuxMachine!MULTI.....: TRACE:at: { tpreturn(2, 0, 0x0x1cb6ad8, 0, 0x0)
134839.836.tuxMachine!MULTI.....: TRACE:ia: { tpfree(0x0x1cb6ad8)
134839.836.tuxMachine!MULTI.....: TRACE:ia: } tpfree
134839.836.tuxMachine!MULTI.....: TRACE:at: } tpreturn [long jump]
134839.836.tuxMachine!MULTI.....: TRACE:at: } tpservice
134839.836.tuxMachine!MULTI.....: TRACE:at: { tpfree(0x0x1cb14b8)
134854.549.tuxMachine!TMSYSEVT.....: TRACE:ia: { tpservice({"..TMSYSPOST", 0x4, 0x0x1d026b8, 740, 0, 2147483648, {1458733712, 0, 56}})
134854.550.tuxMachine!TMSYSEVT.....: TRACE:ia: { tptypes(0x0x1d026b8, 0x0x7fff6f055b80, 0x0x7fff6f055b60)
134854.550.tuxMachine!TMSYSEVT.....: TRACE:ia: } tptypes = 4096
134854.550.tuxMachine!TMSYSEVT.....: TRACE:ia: { tpreturn(2, 0, 0x0x1d026b8, 4096, 0x0)
134854.550.tuxMachine!TMSYSEVT.....: TRACE:ia: } tpreturn [long jump]
134854.550.tuxMachine!TMSYSEVT.....: TRACE:ia: } tpservice
134857.437.tuxMachine!BBL....: LIBTUX_CAT:541: WARN: Server TMS_GROUP/400 terminated


Stack trace of core:

(gdb) bt
#0 0x00007f781ea83cfb in _tmfmsg_free () from {TUX_DIR}/lib/libtux.so
#1 0x00007f781ea02ff4 in _tpfree_internal () from {TUX_DIR}/lib/libtux.so
#2 0x00007f781ea03236 in tpfree () from {TUX_DIR}/lib/libtux.so
#3 0x00007f781ea735aa in _tmsvrthrmain () from {TUX_DIR}/lib/libtux.so
#4 0x00007f781d879dc5 in start_thread () from /lib64/libpthread.so.0
#5 0x00007f781d5aa17d in clone () from /lib64/libc.so.6

Changes

 

Cause

To view full details, sign in with your My Oracle Support account.

Don't have a My Oracle Support account? Click to get started!

In this Document
Symptoms
Changes
Cause
Solution
References


My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.