Bug #8391
closedCrash in active Wt::Http::Client destructor if started outside WApplication
100%
Description
Crash reason¶
The destructor of Http::Client
calls abort which asynchronously aborts the http request.
If impl->hasServer()
is false, a pointer to the Client's impl_
member is passed to asyncStop; see https://github.com/emweb/wt/blob/master/src/Wt/Http/Client.C#L850
This member will be destructed briefly after this call, as abort is called from inside the Http::Client
destructor.
However, in the asynchronously executed stop function (https://github.com/emweb/wt/blob/master/src/Wt/Http/Client.C#L178), this (possibly) dangling pointer will be dereferenced.
Note that this code was added in commit 9c44b4e3c2 with commit message "Fixed possible race condition when resetting impl_ of HTTP Client". However it is unclear to me which in which scenario the mentioned race condition is avoided.
Steps to reproduce the issue¶
- Start a new thread
- Start a (long running) http request using
Wt::Http::Client
- Destruct the
Wt::Http::Client
object (before the http request is finished.
Files
Updated by Roel Standaert over 3 years ago
- Status changed from New to InProgress
- Assignee set to Roel Standaert
- Target version set to 4.6.0
Updated by Roel Standaert over 3 years ago
- File issue_8391.cpp issue_8391.cpp added
Added a simple test that reproduces this issue when built with address sanitizer.
Updated by Roel Standaert over 3 years ago
- Status changed from InProgress to Review
Updated by Roel Standaert over 3 years ago
- Status changed from Review to Implemented @Emweb
Updated by Roel Standaert over 3 years ago
- Status changed from Implemented @Emweb to Resolved
Updated by Roel Standaert about 3 years ago
- Status changed from Resolved to Closed