Bug: Seg fault in ResourceMonitorType::Worker() when deactivating RDK services caused by leaking JSONRPC::LinkType-s

[npoltorapavlo]

Problem/Opportunity

When deactivating services there's a crash, caused by leaking JSONRPC::LinkType.

Signature:
Any Seg fault in ResourceMonitorType::Worker():

Thread 3 "Monitor::IResou" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 12024.12032]
Downloading source file /usr/src/debug/wpeframework/4.4-r0/git/Source/core/../core/ResourceMonitor.h
0x00071c52 in WPEFramework::Core::ResourceMonitorType<WPEFramework::Core::IResource, WPEFramework::Core::Void>::Worker (this=0x3a0d58)                                 
    at /usr/src/debug/wpeframework/4.4-r0/git/Source/core/../core/ResourceMonitor.h:424
warning: 424	/usr/src/debug/wpeframework/4.4-r0/git/Source/core/../core/ResourceMonitor.h: No such file or directory
(gdb) bt
#0  0x00071c52 in WPEFramework::Core::ResourceMonitorType<WPEFramework::Core::IResource, WPEFramework::Core::Void>::Worker (this=0x3a0d58)
    at /usr/src/debug/wpeframework/4.4-r0/git/Source/core/../core/ResourceMonitor.h:424
#1  0xb3d2937c in WPEFramework::Core::Thread::StartThread (cClassPointer=0x3a0918) at /usr/src/debug/wpeframework/4.4-r0/git/Source/core/Thread.cpp:194
#2  0xb3adcc86 in start_thread (arg=0x5d37d15d) at pthread_create.c:442
#3  0xb3b2d3c0 in ?? () at ../sysdeps/unix/sysv/linux/arm/clone.S:74 from /home/npoltorapavlo/Downloads/gdb/lib/libc.so.6
Backtrace stopped: previous frame identical to this frame (corrupt stack?)

It crashes calling function on "entry" object in ResourceMonitor.h. Gdb shows _vptr.IResource address is not mapped.

(gdb) p *entry
$12 = {_vptr.IResource = 0xaad9f7fc}

I debugged one seg fault, in process mappings before crash address was in:

0xaad9c000 0xaada1000     0x5000    0x3c000  r--p   /usr/lib/wpeframework/plugins/libWPEFrameworkXCast.so

on crash, address wasn't mapped - plugin deactivated/destroyed/unloaded.
Cast entry to WebSocketLinkType::HandlerType :

(gdb) p *(WPEFramework::Web::WebSocketLinkType<WPEFramework::Core::SocketStream, WPEFramework::Web::Response, WPEFramework::Web::Request, WPEFramework::Web::WebSocket::ResponseAllocator&>::HandlerType<WPEFramework::Core::SocketStream> *)entry
m_Socket = 23
m_State = 209
m_ReceiveBuffer = 0xaa5b9110 "\201y{\"jsonrpc\":\"2.0\",\"method\":\"temporary1.statechange\"...
_parent = @0xaa5b80a8

shows socket not destroyed, state not 0, active Controller "statechange" subscription.
Going though _parent addresses, CommunicationChannel instance:

(gdb) p *(WPEFramework::JSONRPC::LinkType<WPEFramework::Core::JSON::IElement>::CommunicationChannel *) 0xaa5b8078
_observers = {<std::__cxx11::_List_base<WPEFramework::JSONRPC::LinkType<WPEFramework::Core::JSON::IElement>*...
_M_next = 0xa721c4f8, _M_prev = 0xa734b5e8}, _M_size = 2

shows 2 active LinkType.

Code of that plugin, shows 2 LinkType objects created with "new", Subscribe is called, no "delete". I.e. leak:

WPEFramework::JSONRPC::LinkType<WPEFramework::Core::JSON::IElement> *m_ControllerObj = nullptr;
WPEFramework::JSONRPC::LinkType<WPEFramework::Core::JSON::IElement> *m_NetworkPluginObj = nullptr;
m_ControllerObj = new WPEFramework::JSONRPC::LinkType<Core::JSON::IElement>("", "", false);
m_NetworkPluginObj = new WPEFramework::JSONRPC::LinkType<Core::JSON::IElement>(_T(NETWORK_CALLSIGN_VER),"");
m_ControllerObj->Subscribe<JsonObject>(THUNDER_RPC_TIMEOUT, _T("statechange"),&XCastImplementation::eventHandler_pluginState,this);
--- no delete ---

Looks like ResourceMonitor crash can happen whenever there are leaked JSONRPC::LinkType-s in the plugin that unloaded.
At least 2 libraries that produce crash:
libWPEFrameworkXCast.so
libWPEFrameworkNetwork.so

Steps to reproduce

for item in "org.rdk.Bluetooth" ... "org.rdk.Network"; do
  curl -X PUT http://127.0.0.1:9998/Service/Controller/Deactivate/$item &
done 

sends multiple deactivate calls (40).

Expected Behavior

No crash

Actual Behavior

Crash

Notes (Optional)

No response

[npoltorapavlo]

Manually found in public repos:

https://github.com/rdkcentral/entservices-infra/blob/develop/RDKShell/RDKShell.cpp
Global LinkType variable "gSystemServiceConnection" is used to subscribe event to a non-static function and "this" pointer, no unsubscribe. Variable will receive events after "this" destroys and crash. Variable only destroys when library unloads.

https://github.com/rdkcentral/systemtimemgr/blob/develop/systimerfactory/dtttimersrc.cpp
Local LinkType variable "wpeclient" is used to subscribe event to a global function dttTimeavailable, no unsubscribe. Variable goes out of scope immediately after subscribe.

https://github.com/rdkcentral/control/blob/develop/src/auth/ctrlm_thunder_plugin_authservice.cpp
"this->plugin_client" and "this->controller_client" are used to subscribe events to non-static functions like ctrlm_thunder_plugin_authservice_t::_on_sat_change and "this" pointer, no unsubscribe. "plugin_client" is created with "new" and deleted in ~ctrlm_thunder_plugin_t() i.e. variable can receive events when derived class is destroyed but base class is not yet destroyed and crash.

https://github.com/rdkcentral/ttsengine/blob/develop/ttsclient/Service.cpp
Static local variable "&controller" is created with "new" and leaked. Variable is used to subscribe event to a static function, no unsubscribe. Variable can receive events when library unloads, use destroyed static variables and crash.

https://github.com/rdkcentral/entservices-mediaanddrm/blob/develop/TextToSpeech/impl/SatToken.cpp
Member variable "m_authService" is created with "new" and leaked. Variable is used to subscribe event to a non-static function SatToken::serviceAccessTokenChangedEventHandler and "this" pointer, no unsubscribe. Variable will receive events after class destroys and crash.
https://github.com/rdkcentral/entservices-mediaanddrm/blob/develop/TextToSpeech/impl/NetworkStatusObserver.cpp
Same bug for "m_networkService".

https://github.com/rdkcentral/entservices-casting/blob/develop/XCast/XCastImplementation.cpp
Member variable "m_SystemPluginObj" is created with "new" and leaked. Variable is used to subscribe event to a non-static function XCastImplementation::onFriendlyNameUpdateHandler and "this" pointer, no unsubscribe. Variable will receive events after class destroys and crash.

https://github.com/rdkcentral/entservices-softwareupdate/blob/develop/MaintenanceManager/MaintenanceManager.cpp
Local LinkType variable "thunder_client" is created with "new" and leaked. Variable is used to subscribe event to a non-static function MaintenanceManager::internetStatusChangeEventHandler and "this" pointer, no unsubscribe. Variable will receive events after class destroys and crash.

https://github.com/rdkcentral/xdialserver/blob/main/server/plat/gdial.cpp
Global LinkType variable "controllerRemoteObject" is created with "new" and leaked.

https://github.com/rdk-e/entservices-inputoutput/blob/develop/HdmiInput/HdmiInput.cpp
Member LinkType variables "m_client" and "m_tv_client" are created with "new" and leaked. Variable is used to subscribe event to a non-static function HdmiInput::onGameModeEventHandler and "this" pointer, no unsubscribe. Variable will receive events after class destroys and crash.

https://github.com/rdk-e/miracast-application-cpc/blob/develop/MiracastApp/RDK/ThunderUtils.cpp
Member LinkType variable "controller" is leaked.

https://github.com/rdk-e/airplay-daemon-cpc/blob/develop/AirPlaySDK/ADK/PAL/RDK/ThunderUtils.cpp
Member LinkType variable "controller" is leaked.
https://github.com/rdk-e/airplay-daemon-cpc/blob/develop/AirPlaySDK/Platform/ThunderPersistUtils.cpp
Member LinkType variable "persistsObj" is leaked.

https://github.com/rdk-e/airplay-application-cpc/blob/develop/RDK/Media/ThunderUtils.cpp
Member LinkType variable "controller" is leaked.

https://github.com/rdk-e/rdkservices-cpc/blob/develop/PlaybackSync/LinchpinPluginRPC.cpp
Member LinkType variable "m_linchpinConnection" is used to subscribe events to non-static functions like LinchpinPluginRPC::onNotifyMessageReceived and "this" pointer, no unsubscribe. Variable destroys when class members destroy. Depending on the destruction order of class members handler function may use class members that have been destroyed already and crash.