Memory corruption due to race condition introduced by https://github.com/sonic-net/sonic-swss/pull/4400

[venkit-nexthop]

@deepak-singhal0408 @prabhataravind @prsunny for viz

This problem is caused by the changes in PR #4400

This change is exposing a race condition that can lead to memory corruption. We noticed Orchagent's ZMQ thread crash when METADATA configuration is changed and Orchagent is sent SIGTERM.

Before this change, orchagent terminated via _exit() on SIGTERM and ~OrchDaemon never ran.

This is where main thread is:

  main()  main.cpp:1047
  └── shared_ptr<OrchDaemon>::~shared_ptr   shared_ptr.h:175
      └── ~OrchDaemon                       orchdaemon.cpp:139
          └── ~PortsOrch                    portsorch.h:151
              └── ~FlexCounterTaggedCachedManager / ~FlexCounterCachedManager
                  └── ~FlexCounterManager   flex_counter_manager.cpp:138
                      └── stopFlexCounterPolling   saihelper.cpp:1106
                          └── sai_switch_api->set_switch_attribute
                              └── sairedis::Sai/Server/ClientServerSai::set
                                  └── RedisRemoteSaiInterface::set / notifyCounterOperations
                                      └── RedisRemoteSaiInterface::waitForResponse   RedisRemoteSaiInterface.cpp:935
                                          └── ZeroMQChannel::wait   ZeroMQChannel.cpp:279
                                              └── zmq_poll          ← BLOCKED HERE

1. ~FlexCounterManager makes blocking SAI calls during destruction, round-tripping through sairedis's ZMQ channel to syncd. Main thread parks in zmq_poll.
2. Meanwhile, multiple ZMQ I/O threads remain alive for various contexts (sairedis channel, north-side ZmqServer, and any ZmqProducerStateTables owned by orchs that were already deleted earlier in the reverse-order loop).
3. Orchs deleted earlier likely freed memory still referenced by in-flight ZMQ messages — those zmq_ctx_term calls never happen because owners go out of scope without explicit termination. The crashing thread then dereferences a freed message buffer.
4. The new async swss recorder thread (SwSSRec::setAsync(true), started lazily via ensureAsyncWorkerLocked()) adds another draining background thread sharing state with destructed orchs — second-order risk.

The graceful-shutdown signal handlers were added for one narrow purpose: to drain the new async swss.rec worker's queue on SIGTERM/SIGINT so pending records aren't lost on shutdown. Without it, _exit() on SIGTERM would discard whatever the recorder worker hadn't yet flushed to disk.
The problem with the implementation: rather than signaling just the recorder worker to drain and then calling _exit(), the PR set gOrchShutdownRequested, which lets start() return and triggers the entire ~OrchDaemon destructor chain. That's far broader than needed for the goal — and it's the chain that exposes the latent shutdown-ordering bugs (FlexCounterManager doing SAI calls during destruction, ZMQ I/O threads still alive while orchs are torn down) that crashed orchagent.
A narrower fix would have been: signal handler → drain recorder queue → _exit(). No full destructor chain needed.

Signal handlers are always fraught and we should really quantify what we get out of this.

[venkit-nexthop]

also tagging @vpandian-nokia

[venkit-nexthop]

One potential fix could be

--- a/orchagent/main.cpp
+++ b/orchagent/main.cpp
@@ -1106,5 +1106,37 @@ int main(int argc, char **argv)

     orchDaemon->start(heartBeatInterval);

+    /*
+     * PR 4400 added register_graceful_shutdown_signal_handler(SIGTERM/SIGINT)
+     * so start() returns on signal rather than relying on default fatal
+     * action / kernel cleanup. The stated goal was to drain the async
+     * swss.rec worker before exit so pending records are not lost.
+     *
+     * Falling through to `return 0;` runs ~OrchDaemon and all member
+     * destructors, which is unsafe today:
+     *   - FlexCounterManager::~FlexCounterManager issues SAI calls
+     *     (stopFlexCounterPolling -> sai_switch_api->set_switch_attribute)
+     *     during destruction. These round-trip through sairedis's ZMQ
+     *     channel to syncd and park the main thread in zmq_poll while many
+     *     libzmq I/O threads are still alive.
+     *   - Other orchs reached earlier in the reverse-order delete loop have
+     *     already freed buffers that libzmq I/O threads still reference,
+     *     producing jemalloc heap corruption (observed in core zmq.core;
+     *     crashing thread is a libzmq I/O thread inside msg_t::close ->
+     *     je_free_default -> tcache flush -> arena decay; main thread is
+     *     parked in RedisRemoteSaiInterface::waitForResponse from
+     *     ~FlexCounterManager).
+     *
+     * Match the scope of PR 4400's stated goal: drain the async swss
+     * recorder via setAsync(false) (which calls stopAsyncWorker -> join),
+     * then _exit() so kernel cleanup tears down the rest of the process
+     * just like before PR 4400.
+     */
+    if (gOrchShutdownRequested != 0)
+    {
+        Recorder::Instance().swss.setAsync(false);
+        _exit(0);
+    }
+
     return 0;
 }

[vpandian-nokia]

@venkit-nexthop: Could you please add a more explicit reproduction sequence for this issue? In particular, it would help to clarify:

• whether the specific METADATA change matters for reproducing the issue, and if so, which change was used
• whether orchagent receives SIGTERM as part of an automated workflow or as a separate/manual step
• the exact command or sequence used to trigger the failure
• whether the system was idle or actively processing routes/events when the failure was triggered
• whether the crash reproduces consistently

That would make it easier to validate any proposed fix and confirm whether it actually addresses the reported issue.

[venkit-nexthop]

Hi @vpandian-nokia
The problem happened when the following METADATA was removed and docker containers restarted

"localhost": {
               :
            "orch_northbond_route_zmq_enabled": "true",
            "orch_southbound_route_zmq_enabled": "true",
            "route_state_async_publish": "enabled",
               :

I dont think the specific METADATA matters, but I am not absolutely sure. I am not sure if SIGTERM is sent as well. I only saw from the backtrace of the core file that Orchagent is in the destructor path.
The system was idle from what I know. This is part of our automated test and we were in the cleanup path. The crash is somewhat consistent. Though I have not tried this out manually.
I will let you know if the suggested fix I posted above solves the problem or not later today/tomorrow.

[venkit-nexthop]

@vpandian-nokia I have verified that the suggested fix I gave above indeed fixes the issue. The test that used to produce the crash somewhat consistently is working without the crash.

[vpandian-nokia]

@vpandian-nokia I have verified that the suggested fix I gave above indeed fixes the issue. The test that used to produce the crash somewhat consistently is working without the crash.

@venkit-nexthop Thanks for the update and for confirming that the suggested fix avoids the crash in your automation.

I tried to reproduce this issue on my DUT with repeated attempts, but I was not able to hit the crash. If the issue is consistently seen in your setup/automation, the proposed fix seems reasonable from that perspective.

My only remaining concern is that we still do not have a clear step-by-step reproduction sequence outside the automation cleanup flow. That makes it harder to independently validate the root cause and confirm the fix on another setup. If possible, it would be helpful to document the exact test/cleanup sequence that triggers the crash.

Given your validation, I am okay with the suggested fix as a practical way to avoid the crash in the reported flow. However, it would still be good to keep in mind that this may not fully address the underlying concern around cleanup/destructor handling in orchagent.

[venkit-nexthop]

@vpandian-nokia I have verified that the suggested fix I gave above indeed fixes the issue. The test that used to produce the crash somewhat consistently is working without the crash.

@venkit-nexthop Thanks for the update and for confirming that the suggested fix avoids the crash in your automation.

I tried to reproduce this issue on my DUT with repeated attempts, but I was not able to hit the crash. If the issue is consistently seen in your setup/automation, the proposed fix seems reasonable from that perspective.

My only remaining concern is that we still do not have a clear step-by-step reproduction sequence outside the automation cleanup flow. That makes it harder to independently validate the root cause and confirm the fix on another setup. If possible, it would be helpful to document the exact test/cleanup sequence that triggers the crash.

Given your validation, I am okay with the suggested fix as a practical way to avoid the crash in the reported flow. However, it would still be good to keep in mind that this may not fully address the underlying concern around cleanup/destructor handling in orchagent.

@vpandian-nokia since this is a race condition, it is hard to give a clear step-by-step reproduction.

[vpandian-nokia]

@venkit-nexthop Would you be able to create the PR for the suggested fix?

[venkit-nexthop]

@venkit-nexthop Would you be able to create the PR for the suggested fix?

Yes. Since I am going on leave, my colleage @inder-nexthop is going to create a PR.

[vpandian-nokia]

@venkit-nexthop Would you be able to create the PR for the suggested fix?

Yes. Since I am going on leave, my colleage @inder-nexthop is going to create a PR.

@venkit-nexthop Sounds good, thanks. If possible, please include a brief summary of the automation flow where this issue was observed, along with the validation details, in the PR.