#985 closed defect (worksforme)
Write to freed memory area with IoCompletionPort (IOCP) ioqueue backend may lead to application crash
| Reported by: | bennylp | Owned by: | bennylp |
|---|---|---|---|
| Priority: | normal | Milestone: | release-1.5.5 |
| Component: | pjlib | Version: | trunk |
| Keywords: | | Cc: | |
| Backport to 1.x milestone: | | Backported: | |
Description
Using the IoCompletionPort (IOCP) ioqueue backend, which is the default backend on Win32 in Release builds, may lead to write access to a memory area that has already been freed. This could potentially crash the application or cause random memory corruption.
This symptom can be detected with Visual Studio 2005 (but not with Visual Studio 6).
The explanation of this bug is as follows.
- When a socket is closed, Windows automatically unregisters the socket from the IOCP. Any pending operations on the socket are also cancelled.
- But the next time the IOCP is polled with GetQueuedCompletionStatus(), Windows would still report an event for the pending operations that were cancelled above.
- If the memory that corresponds to the WSAOVERLAPPED structure that was registered for the asynchronous operation has been freed (for example, the pool is released), Windows will write some values to the area that was previously occupied by the WSAOVERLAPPED structure.
Change History (3)
comment:1 Changed 15 years ago by bennylp
- Milestone changed from release-1.6 to release-1.7
comment:2 Changed 15 years ago by bennylp
- Milestone changed from release-1.7 to release-1.5.5
- Resolution set to worksforme
- Status changed from new to closed
Turns out this has been "fixed" in milestone:release-1.6 by ticket #1015, by disabling IOCP backend altogether.
Changing the milestone to 1.5.5 and closing the ticket.
comment:3 Changed 15 years ago by bennylp
(The above should read milestone:release-1.5.5 instead of 1.6).
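The lifetime rule implied by the explanation in the ticket description, as an added example (not pjlib code, not the change made in ticket #1015, and not the Win32 API): a portable C model in which the structure handed to an asynchronous operation stays allocated until its completion packet has been dequeued. All names (`iokey_t`, `ioop_t`, `ioport_t`, `OP_CANCELLED`) are hypothetical, and the queue only stands in for what GetQueuedCompletionStatus() would report.

```c
#include <stdlib.h>

#define OP_CANCELLED 1UL            /* constructed status value for this model */

typedef struct iokey iokey_t;
typedef struct ioop {               /* stands in for WSAOVERLAPPED plus its owner */
    unsigned long status;           /* written by the "kernel" at completion time */
    iokey_t *owner;
    struct ioop *next;              /* link in the port's completion queue */
} ioop_t;
struct iokey { int closing, pending; ioop_t rd, wr; };
typedef struct { ioop_t *head, *tail; int keys_freed; } ioport_t;

static void post(ioport_t *p, ioop_t *o) {   /* queue one completion packet */
    o->next = NULL;
    if (p->tail) p->tail->next = o; else p->head = o;
    p->tail = o;
}

iokey_t *key_open(void) {                    /* socket with a read and a write pending */
    iokey_t *k = calloc(1, sizeof *k);
    if (!k) abort();
    k->rd.owner = k->wr.owner = k;
    k->pending = 2;
    return k;
}

/* Close: pending operations are cancelled, but each still yields a packet later. */
void key_close(ioport_t *p, iokey_t *k) {
    k->closing = 1;
    post(p, &k->rd);
    post(p, &k->wr);
    /* No free(k) here: the queue still references the ioop_t storage inside k. */
}

/* Poll: models one GetQueuedCompletionStatus() call; returns 0 when idle. */
int port_poll(ioport_t *p) {
    ioop_t *o = p->head;
    if (!o) return 0;
    p->head = o->next;
    if (!p->head) p->tail = NULL;
    o->status = OP_CANCELLED;                /* the late write the ticket describes */
    iokey_t *k = o->owner;
    if (--k->pending == 0 && k->closing) {   /* last packet drained: now safe */
        free(k);
        p->keys_freed++;
    }
    return 1;
}
```

Freeing `k` inside `key_close()` instead would make the `o->status` store in `port_poll()` the write to freed memory that this ticket reports.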