ChallengeThe code review bug that gives me nightmares
I was writing a fairly low level piece of code recently, this is deep in the guts of how RavenDB handles query. I’m adding a cache for some processing inside of RavenDB and the performance benefits are amazing (three orders of magnitude better). As you can imagine, this is the sort of things that I would really like to get into the main codebase. So I did all the usual taxes, created a pull request and moved to other things. Part of our process is to review all pull requests by another pair of eyes. And while there was some minor comments about the code, there was one comment asking about a particular line that had be break out in cold sweat.
I created a simpler reproduction for discussion purposes, here is the code:
Take a look, and let’s me know if you see the bug and its consequences.
More posts in "Challenge" series:
- (04 Jan 2023) what does this code print?
- (14 Dec 2022) What does this code print?
- (01 Jul 2022) Find the stack smash bug… – answer
- (30 Jun 2022) Find the stack smash bug…
- (03 Jun 2022) Spot the data corruption
- (06 May 2022) Spot the optimization–solution
- (05 May 2022) Spot the optimization
- (06 Apr 2022) Why is this code broken?
- (16 Dec 2021) Find the slow down–answer
- (15 Dec 2021) Find the slow down
- (03 Nov 2021) The code review bug that gives me nightmares–The fix
- (02 Nov 2021) The code review bug that gives me nightmares–the issue
- (01 Nov 2021) The code review bug that gives me nightmares
- (16 Jun 2021) Detecting livelihood in a distributed cluster
- (21 Apr 2020) Generate matching shard id–answer
- (20 Apr 2020) Generate matching shard id
- (02 Jan 2020) Spot the bug in the stream
- (28 Sep 2018) The loop that leaks–Answer
- (27 Sep 2018) The loop that leaks
- (03 Apr 2018) The invisible concurrency bug–Answer
- (02 Apr 2018) The invisible concurrency bug
- (31 Jan 2018) Find the bug in the fix–answer
- (30 Jan 2018) Find the bug in the fix
- (19 Jan 2017) What does this code do?
- (26 Jul 2016) The race condition in the TCP stack, answer
- (25 Jul 2016) The race condition in the TCP stack
- (28 Apr 2015) What is the meaning of this change?
- (26 Sep 2013) Spot the bug
- (27 May 2013) The problem of locking down tasks…
- (17 Oct 2011) Minimum number of round trips
- (23 Aug 2011) Recent Comments with Future Posts
- (02 Aug 2011) Modifying execution approaches
- (29 Apr 2011) Stop the leaks
- (23 Dec 2010) This code should never hit production
- (17 Dec 2010) Your own ThreadLocal
- (03 Dec 2010) Querying relative information with RavenDB
- (29 Jun 2010) Find the bug
- (23 Jun 2010) Dynamically dynamic
- (28 Apr 2010) What killed the application?
- (19 Mar 2010) What does this code do?
- (04 Mar 2010) Robust enumeration over external code
- (16 Feb 2010) Premature optimization, and all of that…
- (12 Feb 2010) Efficient querying
- (10 Feb 2010) Find the resource leak
- (21 Oct 2009) Can you spot the bug?
- (18 Oct 2009) Why is this wrong?
- (17 Oct 2009) Write the check in comment
- (15 Sep 2009) NH Prof Exporting Reports
- (02 Sep 2009) The lazy loaded inheritance many to one association OR/M conundrum
- (01 Sep 2009) Why isn’t select broken?
- (06 Aug 2009) Find the bug fixes
- (26 May 2009) Find the bug
- (14 May 2009) multi threaded test failure
- (11 May 2009) The regex that doesn’t match
- (24 Mar 2009) probability based selection
- (13 Mar 2009) C# Rewriting
- (18 Feb 2009) write a self extracting program
- (04 Sep 2008) Don't stop with the first DSL abstraction
- (02 Aug 2008) What is the problem?
- (28 Jul 2008) What does this code do?
- (26 Jul 2008) Find the bug fix
- (05 Jul 2008) Find the deadlock
- (03 Jul 2008) Find the bug
- (02 Jul 2008) What is wrong with this code
- (05 Jun 2008) why did the tests fail?
- (27 May 2008) Striving for better syntax
- (13 Apr 2008) calling generics without the generic type
- (12 Apr 2008) The directory tree
- (24 Mar 2008) Find the version
- (21 Jan 2008) Strongly typing weakly typed code
- (28 Jun 2007) Windsor Null Object Dependency Facility
The bug is in the contract of
byte ComputeHashAndPutInCachemethod: it does not ensure that returned value is valid for long enough to actually be able to use it safely. Cache eviction may happen at any time and will cause return of byte array to pool => concurrent access to byte array may happen (between threads or in the same thread)
Similar to what @dmitry_vk said, the problem is that the
bytedirectly from the
_cacheis returned directly to the consumer. This creates two issues. The first is what @dmitry_vk said, that the array could be returned to the pool and the value updated while the consumer is using it. The second is that the consumer could edit the array themselves and break the relationship between the filename and the correct hash. For correctness reasons, the consumer should never have a reference to a
bytedirectly. Correct here would be to either receive a
bytefrom the consumer and update that using the current hash value, or to return a new array with the value. Also, there is still a race condition, since the array could be evicted and returned while copying the bytes to the new array, so a more complete ownership model will need to be used to handle that case as well.
I stopped looking for "the" bug when I saw
retyrnand thought "this code's never been near a compiler, who knows what it does" :-)
I didn't see anything in CacheExtensions.Set documentation about what happens when the value is overwritten, i.e. when Set is called twice with the same key. Does the previous value gets evicted? If not, there's a memory leak here.
Yep, that is a classic use after free bug, which isn't typically present in managed languages.
Thanks, that got entered when I formatted the code for the blog. Fixed now.
When looking at the code, yes, the eviction is called in that case.
I do not know how MemoryCache works but I see the following issues (includes what some others have already said): 1. You are allocating byte and returning it while it may already be released as soon as it was placed in the cache or the caller might keep it after it has been release in the future. You would need to return a copy of the array. 2. You are returning reference to allocated byte array which means that the caller could change it. Again this requires returning a copy of the array or (if you solved the alloc/free issue in some other way) wrap it in something like ReadOnlyMemory. 3. If you have multiple calls for the same file you might have multiple hash calculations running which is not really a bug but it could be a performance degradation issue. This could be solved with some sort of synchronization mechanism (via Task or TaskCompletionSource or something like that) but it might make the code over complicated.