Fix span lifecycle with smart pointers to prevent use-after-free in async RPC callbacks (#3068)

Author: lhh

src/brpc/builtin/rpcz_service.cpp

@@ -185,16 +185,35 @@ static void PrintElapse(std::ostream& os, int64_t cur_time,
 
 static void PrintAnnotations(
     std::ostream& os, int64_t cur_time, int64_t* last_time,
-    SpanInfoExtractor** extractors, int num_extr) {
+    SpanInfoExtractor** extractors, int num_extr, const RpczSpan* span) {
     int64_t anno_time;
     std::string a;
+    const char* span_type_str = "Span";
+    if (span) {
+        switch (span->type()) {
+        case SPAN_TYPE_SERVER:
+            span_type_str = "ServerSpan";
+            break;
+        case SPAN_TYPE_CLIENT:
+            span_type_str = "ClientSpan";
+            break;
+        case SPAN_TYPE_BTHREAD:
+            span_type_str = "BthreadSpan";
+            break;
+        }
+    }
+
     // TODO: Going through all extractors is not strictly correct because 
     // later extractors may have earlier annotations.
     for (int i = 0; i < num_extr; ++i) {
         while (extractors[i]->PopAnnotation(cur_time, &anno_time, &a)) {
             PrintRealTime(os, anno_time);
             PrintElapse(os, anno_time, last_time);
-            os << ' ' << WebEscape(a);
+            os << ' ';
+            if (span) {
+                os << '[' << span_type_str << ' ' << SPAN_ID_STR << '=' << Hex(span->span_id()) << "] ";
+            }
+            os << WebEscape(a);
             if (a.empty() || butil::back_char(a) != '\n') {
                 os << '\n';
             }
@@ -204,12 +223,12 @@ static void PrintAnnotations(
 
 static bool PrintAnnotationsAndRealTimeSpan(
     std::ostream& os, int64_t cur_time, int64_t* last_time,
-    SpanInfoExtractor** extr, int num_extr) {
+    SpanInfoExtractor** extr, int num_extr, const RpczSpan* span) {
     if (cur_time == 0) {
         // the field was not set.
         return false;
     }
-    PrintAnnotations(os, cur_time, last_time, extr, num_extr);
+    PrintAnnotations(os, cur_time, last_time, extr, num_extr, span);
     PrintRealTime(os, cur_time);
     PrintElapse(os, cur_time, last_time);
     return true;
@@ -239,9 +258,10 @@ static void PrintClientSpan(
         extr[num_extr++] = server_extr;
     }
     extr[num_extr++] = &client_extr;
-    // start_send_us is always set for client spans.
-    CHECK(PrintAnnotationsAndRealTimeSpan(os, span.start_send_real_us(),
-                                          last_time, extr, num_extr));
+    if (!PrintAnnotationsAndRealTimeSpan(os, span.start_send_real_us(),
+                                           last_time, extr, num_extr, &span)) {
+        os << " start_send_real_us:not-set";
+    }
     const Protocol* protocol = FindProtocol(span.protocol());
     const char* protocol_name = (protocol ? protocol->name : "Unknown");
     const butil::EndPoint remote_side(butil::int2ip(span.remote_ip()), span.remote_port());
@@ -271,12 +291,12 @@ static void PrintClientSpan(
     os << std::endl;
 
     if (PrintAnnotationsAndRealTimeSpan(os, span.sent_real_us(),
-                                        last_time, extr, num_extr)) {
-        os << " Requested(" << span.request_size() << ") [1]" << std::endl;
+                                        last_time, extr, num_extr, &span)) {
+        os << " [ClientSpan " << SPAN_ID_STR << '=' << Hex(span.span_id()) << "] Requested(" << span.request_size() << ") [1]" << std::endl;
     }
     if (PrintAnnotationsAndRealTimeSpan(os, span.received_real_us(),
-                                        last_time, extr, num_extr)) {
-        os << " Received response(" << span.response_size() << ")";
+                                        last_time, extr, num_extr, &span)) {
+        os << " [ClientSpan " << SPAN_ID_STR << '=' << Hex(span.span_id()) << "] Received response(" << span.response_size() << ")";
         if (span.base_cid() != 0 && span.ending_cid() != 0) {
             int64_t ver = span.ending_cid() - span.base_cid();
             if (ver >= 1) {
@@ -289,18 +309,18 @@ static void PrintClientSpan(
     }
 
     if (PrintAnnotationsAndRealTimeSpan(os, span.start_parse_real_us(),
-                                        last_time, extr, num_extr)) {
-        os << " Processing the response in a new bthread" << std::endl;
+                                        last_time, extr, num_extr, &span)) {
+        os << " [ClientSpan " << SPAN_ID_STR << '=' << Hex(span.span_id()) << "] Processing the response in a new bthread" << std::endl;
     }
 
     if (PrintAnnotationsAndRealTimeSpan(
             os, span.start_callback_real_us(),
-            last_time, extr, num_extr)) {
-        os << (span.async() ? " Enter user's done" : " Back to user's callsite") << std::endl;
+            last_time, extr, num_extr, &span)) {
+        os << " [ClientSpan " << SPAN_ID_STR << '=' << Hex(span.span_id()) << "] " << (span.async() ? " Enter user's done" : " Back to user's callsite") << std::endl;
     }
 
     PrintAnnotations(os, std::numeric_limits<int64_t>::max(),
-                     last_time, extr, num_extr);
+                     last_time, extr, num_extr, &span);
 }
 
 static void PrintClientSpan(std::ostream& os,const RpczSpan& span,
@@ -318,7 +338,15 @@ static void PrintBthreadSpan(std::ostream& os, const RpczSpan& span, int64_t* la
         extr[num_extr++] = server_extr;
     }
     extr[num_extr++] = &client_extr;
-    PrintAnnotations(os, std::numeric_limits<int64_t>::max(), last_time, extr, num_extr);
+
+    // Print span id for bthread span context identification
+    os << " [BthreadSpan " << SPAN_ID_STR << '=' << Hex(span.span_id());
+    if (span.parent_span_id() != 0) {
+        os << " parent_span=" << Hex(span.parent_span_id());
+    }
+    os << "] ";
+
+    PrintAnnotations(os, std::numeric_limits<int64_t>::max(), last_time, extr, num_extr, &span);
 }
 
 static void PrintServerSpan(std::ostream& os, const RpczSpan& span,
@@ -348,16 +376,16 @@ static void PrintServerSpan(std::ostream& os, const RpczSpan& span,
     os << std::endl;
     if (PrintAnnotationsAndRealTimeSpan(
             os, span.start_parse_real_us(),
-            &last_time, extr, ARRAY_SIZE(extr))) {
-        os << " Processing the request in a new bthread" << std::endl;
+            &last_time, extr, ARRAY_SIZE(extr), &span)) {
+        os << " [ServerSpan " << SPAN_ID_STR << '=' << Hex(span.span_id()) << "] Processing the request in a new bthread" << std::endl;
     }
 
     bool entered_user_method = false;
     if (PrintAnnotationsAndRealTimeSpan(
             os, span.start_callback_real_us(),
-            &last_time, extr, ARRAY_SIZE(extr))) {
+            &last_time, extr, ARRAY_SIZE(extr), &span)) {
         entered_user_method = true;
-        os << " Enter " << WebEscape(span.full_method_name()) << std::endl;
+        os << " [ServerSpan " << SPAN_ID_STR << '=' << Hex(span.span_id()) << "] Enter " << WebEscape(span.full_method_name()) << std::endl;
     }
 
     const int nclient = span.client_spans_size();
@@ -372,22 +400,22 @@ static void PrintServerSpan(std::ostream& os, const RpczSpan& span,
 
     if (PrintAnnotationsAndRealTimeSpan(
             os, span.start_send_real_us(),
-            &last_time, extr, ARRAY_SIZE(extr))) {
+            &last_time, extr, ARRAY_SIZE(extr), &span)) {
         if (entered_user_method) {
-            os << " Leave " << WebEscape(span.full_method_name()) << std::endl;
+            os << " [ServerSpan " << SPAN_ID_STR << '=' << Hex(span.span_id()) << "] Leave " << WebEscape(span.full_method_name()) << std::endl;
         } else {
-            os << " Responding" << std::endl;
+            os << " [ServerSpan " << SPAN_ID_STR << '=' << Hex(span.span_id()) << "] Responding" << std::endl;
         }
     }
 
     if (PrintAnnotationsAndRealTimeSpan(
             os, span.sent_real_us(),
-            &last_time, extr, ARRAY_SIZE(extr))) {
-        os << " Responded(" << span.response_size() << ')' << std::endl;
+            &last_time, extr, ARRAY_SIZE(extr), &span)) {
+        os << " [ServerSpan " << SPAN_ID_STR << '=' << Hex(span.span_id()) << "] Responded(" << span.response_size() << ')' << std::endl;
     }
 
     PrintAnnotations(os, std::numeric_limits<int64_t>::max(),
-                     &last_time, extr, ARRAY_SIZE(extr));
+                      &last_time, extr, ARRAY_SIZE(extr), &span);
 }
 
 class RpczSpanFilter : public SpanFilter {

src/brpc/channel.cpp

@@ -37,6 +37,7 @@
 #include "brpc/details/usercode_backup_pool.h"       // TooManyUserCode
 #include "brpc/rdma/rdma_helper.h"
 #include "brpc/policy/esp_authenticator.h"
+#include "brpc/details/controller_private_accessor.h"
 
 namespace brpc {
 
@@ -490,7 +491,7 @@ void Channel::CallMethod(const google::protobuf::MethodDescriptor* method,
     }
     cntl->set_used_by_rpc();
 
-    if (cntl->_sender == NULL && IsTraceable(Span::tls_parent())) {
+    if (cntl->_sender == NULL && IsTraceable(Span::tls_parent().get())) {
         const int64_t start_send_us = butil::cpuwide_time_us();
         const std::string* method_name = NULL;
         if (_get_method_name) {
@@ -501,13 +502,16 @@ void Channel::CallMethod(const google::protobuf::MethodDescriptor* method,
             const static std::string NULL_METHOD_STR = "null-method";
             method_name = &NULL_METHOD_STR;
         }
-        Span* span = Span::CreateClientSpan(
+        std::shared_ptr<Span> span = Span::CreateClientSpan(
             *method_name, start_send_real_us - start_send_us);
-        span->set_log_id(cntl->log_id());
-        span->set_base_cid(correlation_id);
-        span->set_protocol(_options.protocol);
-        span->set_start_send_us(start_send_us);
-        cntl->_span = span;
+        if (span) {
+            ControllerPrivateAccessor accessor(cntl);
+            span->set_log_id(cntl->log_id());
+            span->set_base_cid(correlation_id);
+            span->set_protocol(_options.protocol);
+            span->set_start_send_us(start_send_us);
+            accessor.set_span(span);
+        }
     }
     // Override some options if they haven't been set by Controller
     if (cntl->timeout_ms() == UNSET_MAGIC_NUM) {
@@ -608,9 +612,7 @@ void Channel::CallMethod(const google::protobuf::MethodDescriptor* method,
         // be woken up by callback when RPC finishes (succeeds or still
         // fails after retry)
         Join(correlation_id);
-        if (cntl->_span) {
-            cntl->SubmitSpan();
-        }
+        cntl->SubmitSpan();
         cntl->OnRPCEnd(butil::gettimeofday_us());
     }
 }

src/brpc/controller.cpp

@@ -183,8 +183,8 @@ static void CreateIgnoreAllRead() { s_ignore_all_read = new IgnoreAllRead; }
 // you don't have to set the fields to initial state after deletion since
 // they'll be set uniformly after this method is called.
 void Controller::ResetNonPods() {
-    if (_span) {
-        Span::Submit(_span, butil::cpuwide_time_us());
+    if (auto span = _span.lock()) {
+        Span::Submit(span, butil::cpuwide_time_us());
     }
     _error_text.clear();
     _remote_side = butil::EndPoint();
@@ -240,7 +240,7 @@ void Controller::ResetNonPods() {
 void Controller::ResetPods() {
     // NOTE: Make the sequence of assignments same with the order that they're
     // defined in header. Better for cpu cache and faster for lookup.
-    _span = NULL;
+    _span.reset();
     _flags = 0;
 #ifndef BAIDU_INTERNAL
     set_pb_bytes_to_base64(true);
@@ -450,9 +450,9 @@ void Controller::SetFailed(const std::string& reason) {
         AppendServerIdentiy();
     }
     _error_text.append(reason);
-    if (_span) {
-        _span->set_error_code(_error_code);
-        _span->Annotate(reason);
+    if (auto span = _span.lock()) {
+        span->set_error_code(_error_code);
+        span->Annotate(reason);
     }
     UpdateResponseHeader(this);
 }
@@ -479,9 +479,9 @@ void Controller::SetFailed(int error_code, const char* reason_fmt, ...) {
     va_start(ap, reason_fmt);
     butil::string_vappendf(&_error_text, reason_fmt, ap);
     va_end(ap);
-    if (_span) {
-        _span->set_error_code(_error_code);
-        _span->AnnotateCStr(_error_text.c_str() + old_size, 0);
+    if (auto span = _span.lock()) {
+        span->set_error_code(_error_code);
+        span->AnnotateCStr(_error_text.c_str() + old_size, 0);
     }
     UpdateResponseHeader(this);
 }
@@ -507,9 +507,9 @@ void Controller::CloseConnection(const char* reason_fmt, ...) {
     va_start(ap, reason_fmt);
     butil::string_vappendf(&_error_text, reason_fmt, ap);
     va_end(ap);
-    if (_span) {
-        _span->set_error_code(_error_code);
-        _span->AnnotateCStr(_error_text.c_str() + old_size, 0);
+    if (auto span = _span.lock()) {
+        span->set_error_code(_error_code);
+        span->AnnotateCStr(_error_text.c_str() + old_size, 0);
     }
     UpdateResponseHeader(this);
 }
@@ -943,9 +943,9 @@ void Controller::EndRPC(const CompletionInfo& info) {
     }
     // RPC finished, now it's safe to release `LoadBalancerWithNaming'
     _lb.reset();
-    if (_span) {
-        _span->set_ending_cid(info.id);
-        _span->set_async(_done);
+    if (auto span = _span.lock()) {
+        span->set_ending_cid(info.id);
+        span->set_async(_done);
         // Submit the span if we're in async RPC. For sync RPC, the span
         // is submitted after Join() to get a more accurate resuming timestamp.
         if (_done) {
@@ -1019,12 +1019,16 @@ void Controller::DoneInBackupThread() {
 
 void Controller::SubmitSpan() {
     const int64_t now = butil::cpuwide_time_us();
-    _span->set_start_callback_us(now);
-    if (_span->local_parent()) {
-        _span->local_parent()->AsParent();
+    if (auto span = _span.lock()) {
+        span->set_start_callback_us(now);
+        if (auto parent_span = span->local_parent().lock()) {
+            if (parent_span->is_active()) {
+                parent_span->AsParent();
+            }
+        }
+        Span::Submit(span, now);
+        _span.reset();
     }
-    Span::Submit(_span, now);
-    _span = NULL;
 }
 
 void Controller::HandleSendFailed() {
@@ -1122,8 +1126,7 @@ void Controller::IssueRPC(int64_t start_realtime_us) {
         CHECK_EQ(_remote_side, tmp_sock->remote_side());
     }
 
-    Span* span = _span;
-    if (span) {
+    if (auto span = _span.lock()) {
         if (_current_call.nretry == 0) {
             span->set_remote_side(_remote_side);
         } else {
@@ -1235,15 +1238,15 @@ void Controller::IssueRPC(int64_t start_realtime_us) {
     int rc;
     size_t packet_size = 0;
     if (user_packet_guard) {
-        if (span) {
+        if (auto span = _span.lock()) {
             packet_size = user_packet_guard->EstimatedByteSize();
         }
         rc = _current_call.sending_sock->Write(user_packet_guard, &wopt);
     } else {
         packet_size = packet.size();
         rc = _current_call.sending_sock->Write(&packet, &wopt);
     }
-    if (span) {
+    if (auto span = _span.lock()) {
         if (_current_call.nretry == 0) {
             span->set_sent_us(butil::cpuwide_time_us());
             span->set_request_size(packet_size);
@@ -1387,8 +1390,18 @@ const Controller* Controller::sub(int index) const {
     return NULL;
 }
 
-uint64_t Controller::trace_id() const { return _span ? _span->trace_id() : 0; }
-uint64_t Controller::span_id() const { return _span ? _span->span_id() : 0; }
+uint64_t Controller::trace_id() const {
+    if (auto span = _span.lock()) {
+        return span->trace_id();
+    }
+    return 0;
+}
+uint64_t Controller::span_id() const {
+    if (auto span = _span.lock()) {
+        return span->span_id();
+    }
+    return 0;
+}
 
 void* Controller::session_local_data() {
     if (_session_local_data) {

src/brpc/controller.h

@@ -25,6 +25,7 @@
 #include <functional>                          // std::function
 #include <gflags/gflags.h>                     // Users often need gflags
 #include <string>
+#include <memory>
 #include "butil/intrusive_ptr.hpp"             // butil::intrusive_ptr
 #include "bthread/errno.h"                     // Redefine errno
 #include "butil/endpoint.h"                    // butil::EndPoint
@@ -803,7 +804,7 @@ friend void policy::ProcessThriftRequest(InputMessageBase*);
 private:
     // NOTE: align and group fields to make Controller as compact as possible.
 
-    Span* _span;
+    std::weak_ptr<Span> _span;
     uint32_t _flags; // all boolean fields inside Controller
     int32_t _error_code;
     std::string _error_text;